Jenkins Master Post

攻击Jenkins的文章合集

远程代码执行技术

• http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html 通过操纵构建步骤获取RCE

• https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2 使用终端插件获取RCE

插件管理

• https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/ Jenkins插件管理入门

漏洞利用

• https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html 以下插件存在漏洞：

  • Pipeline: Declarative Plugin 1.3.4及以下版本
  • Pipeline: Groovy Plugin 2.61及以下版本
  • Script Security Plugin 1.49及以下版本

  博客文章说明：此问题已在Jenkins 2.121.1 LTS版本（2.132 weekly）中修复。

• http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)

反序列化漏洞

• https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins
• https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream CVE-2015-8103 & CVE-2016-0792

CVE-2017-1000353 PoC

• https://github.com/nixawk/labs/tree/master/CVE-2017-1000353
• https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
• https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/

CVE-2018-1999002（Windows）任意文件读取

• https://cloud.tencent.com/developer/article/1165414
• https://github.com/anntsmart/CVE

在Jenkins 2.132及更早版本、2.121.1及更早版本的Stapler Web框架中存在任意文件读取漏洞。在Windows下，可以通过../遍历不存在的目录，但在Linux下不行。因此该漏洞可以在Windows下读取任何文件。在Linux下，需要在Jenkins插件目录中有一个包含_的目录。

系统滥用和凭证提取

• https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/

• https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/ 解密credentials.xml

• https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/ Jenkins、Windows、PowerShell

安全漏洞分析

• https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/
• https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
• https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/

CVE-2018-1999001 畸形请求移动config.xml文件，重启后任何人都可以登录 - 结合DoS（CVE-2018-1999043）强制重启

受影响版本：

• Jenkins weekly 2.132及以下
• Jenkins LTS 2.121.1及以下

CG相关文章

• https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html Jenkins 2.137及以下版本的用户名枚举

• https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html Jenkins - SECURITY-200 / CVE-2015-5323 PoC（管理员可获取其他用户的API令牌）

• https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html Jenkins - SECURITY-180/CVE-2015-1814 PoC（强制令牌更改）

• https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html 解密Jenkins credentials.xml

• https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html Jenkins - CVE-2018-1000600 GitHub插件中的SSRF漏洞

• https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html Jenkins - CVE-2019-1003000 第一部分

• https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html Jenkins - CVE-2019-1003000 第二部分 - Orange Tsai漏洞利用

• https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html Jenkins - 识别节点的IP地址