cgranleese-r7
0609d246f3
adds more future proofing to implementation
2023-06-21 14:19:24 +01:00
cgranleese-r7
18ddd72285
Update jenkins login scanner to work with newer versions
2023-06-06 11:54:55 +01:00
Spencer McIntyre
0dcfe72614
Use the standard Linux stager
2022-09-13 16:10:48 -04:00
Spencer McIntyre
5e04ece15b
Support newer versions of Jenkins
This retains backwards compatibility
2022-09-13 15:08:23 -04:00
Spencer McIntyre
324fb69735
Resolve rubocop issues
2022-08-25 14:41:30 -04:00
Spencer McIntyre
8a79128ac4
Switch to using Rex::RandomIdentifier
2022-08-25 14:37:37 -04:00
Spencer McIntyre
2e8e15e338
Fail back to the old method using error handling
Tested successfully on docker image tags:
* Jenkins 1.565 (pushed 2015-11-14)
* Jenkins 2.60.3 (pushed 2018-07-17)
Tested unsuccessfully on docker image tags:
* Jenkins 2.346.3 (pushed 2022-08-10)
Issue is that login is broken because the URI changed from
j_acegi_security_check to j_spring_security_check.
2022-08-25 14:06:47 -04:00
Bojan Zdrnja
3d13dab11e
Update jenkins_script_console.rb
2022-07-06 19:08:38 +02:00
Bojan Zdrnja
5db741550b
Update jenkins_script_console.rb
Modern Java disabled the sun.misc.BASE64Decoder class so exploit will fail on any newer version of Jenkins.
The java.util.Base64 class should be used now; the change has been confirmed to work with the latest version of Jenkins (the current exploit silently fails).
2022-07-06 15:16:01 +02:00
Alan Foster
30809787c4
Convert disclosure dates to iso8601
2020-10-02 21:00:37 +01:00
Adam Cammack
cf9b94a964
Set needs_cleanup flag for exploits that need it
The `needs_cleanup` flag needs to be set per-module when an exploit
needs an interactive session to clean up. Some `FileDropper` exploits
need additional cleanup to what the mixin provides, but since all
`FileDropper`s already mark themselves as needing cleanup those are not
covered here. A few of these could potentially be refactored to use the
original exploitation method to clean up or to compile the list of
files/commands to clean up ahead of time, but that is out of the scope
of this fix.
2019-08-02 10:23:53 -05:00
Spencer McIntyre
caf76a6555
Add applicable notes to my exploit modules
2018-10-27 20:54:14 -04:00
Wei Chen
d9fc99ec4a
Correct false negative post_auth? status
2018-08-09 23:34:03 -05:00
thesubtlety
7e860571ae
fix bug where api_token auth was being used without token being set
2017-08-09 12:30:26 -04:00
thesubtlety
9bb102d72d
add jenkins v2 cookie support
2017-08-09 12:29:31 -04:00
Brent Cook
6300758c46
use https for metasploit.com links
2017-07-24 06:26:21 -07:00
Pearce Barry
58cd432120
Added docs, minor code tweak to remove duplication.
2017-06-19 17:35:41 -05:00
thesubtlety
49d998f7d9
catch invalid tokens
2017-06-15 21:45:29 -04:00
thesubtlety
f4ffade406
add ability to specify API token instead of password
2017-06-15 21:05:53 -04:00
William Vu
64452de06d
Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Brent Cook
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
Spencer McIntyre
ccce361768
Remove accidentally included debug output
2016-10-29 18:46:51 -04:00
Spencer McIntyre
fa7cbf2c5a
Fix the jenkins exploit module for new versions
2016-10-29 18:19:14 -04:00
OJ
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
Christian Mehlmauer
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
Brent Cook
f703fa21d6
Revert "change Metasploit3 class names"
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Christian Mehlmauer
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
wchen-r7
b02c762b93
Grab zeroSteiner's module/jenkins-cmd branch
2016-01-22 10:17:32 -06:00
Spencer McIntyre
dc5e9a1d0a
Support CSRF token in the Jenkins aux cmd module
2015-11-22 17:51:27 -05:00
HD Moore
04d622b69b
Cleanup Jenkins-CI module titles and option descriptions
2015-09-04 10:25:51 -07:00
James Lee
b2c401696b
Add certutil support.
Tested while landing #5736
2015-09-03 14:24:37 -05:00
James Lee
1e6a1f6d05
Revert "Fix spec like I shoulda done before landing #5736"
This reverts commit 956c8e550d.
Conflicts:
spec/lib/rex/exploitation/cmdstager/certutil_spec.rb
2015-09-03 14:18:55 -05:00
James Lee
b4547711f3
Add certutil support.
Tested while landing #5736
2015-09-03 13:27:10 -05:00
Christian Mehlmauer
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
Spencer McIntyre
f886ab6f97
Land #4020, Jenkins-CI CSRF token support
2014-10-20 19:03:24 -04:00
Spencer McIntyre
005baa7f7e
Retry the script page request to get the token
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Fernando Munoz
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
Spencer McIntyre
748589f56a
Make cmdstager flavor explicit or from info
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
jvazquez-r7
870fa96bd4
Allow quotes in CmdStagerFlavor metadata
2014-06-27 08:34:56 -04:00
jvazquez-r7
91e2e63f42
Add CmdStagerFlavor to metadata
2014-06-27 08:34:55 -04:00
jvazquez-r7
7ced5927d8
Use One CMDStagermixin
2014-06-27 08:34:55 -04:00
Spencer McIntyre
ae25c300e5
Initial attempt to unify the command stagers.
2014-06-27 08:34:55 -04:00
Christian Mehlmauer
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
Tod Beardsley
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
Tod Beardsley
23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Winterspite
0acb170ee8
Bug #8419 - Added platform info missing on exploits
2013-10-08 22:41:50 -04:00
Tab Assassin
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
HD Moore
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
James Lee
2160718250
Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00