Jenkins does not implement Authentication challenges.
By default, Jenkins responds with a HTTP 403 FORBIDDEN response, and does not include the `WWW-Authenticate` header.
This causes problems with the underlying http client, as this one expects the challenge to come forward and resend
the request with the auth header.
By changing the code to look for the HTTP 403 response, and setting the default URL to the correct login validation endpoint
Pro will have an easier time to investigate whether Jenkins can be bruteforced or not.
The original code checks for a 401 response only.
Overwriting the behavior for Jenkins allows us to handle this use-case properly and report the correct behavior.
A webpage exists that can be reached without authentication that
contains a hash that can be used to determine the approximate version of
gitlab running on the endpoint. This PR adds enhances our current GitLab
fingerprinting capabilities to include the aforementioned technique.
Since I was the one suggesting it in #18716, I kinda volunteered to implement
it. This improvement is based on [Censys's blogpost](https://censys.com/cve-2021-22205-it-was-a-gitlab-smash/)
on the topic, making use of the `/assets/application-….css` files that have
a unique name per gitlab versions.
The fingerprints were acquired with this bash script:
```bash
assetdir="/opt/gitlab/embedded/service/gitlab-rails/public/assets"
tags=$(curl "https://hub.docker.com/v2/repositories/gitlab/gitlab-ce/tags?page_size=100" | jq -r '.results[].name')
for tag in $tags; do
filename=$(docker run --quiet --rm -it --entrypoint "" gitlab/gitlab-ce:$tag ls $assetdir|egrep '^application-.*\.css' | grep -v \.gz | cut -d' ' -f1)
echo $tag,$filename
done
```
Co-authored-by: cgranleese-r7 <69522014+cgranleese-r7@users.noreply.github.com>
This adds an exploit for pgAdmin <= 8.3 which is a path traversal
vulnerability in the session management that allows a Python pickle
object to be loaded and deserialized. This also adds a new Python
deserialization gadget chain to execute the code in a new thread so the
target application doesn't block the HTTP request.
Writing file to disk working
working on linux
wip authentcaiton
Consolodated conf folders into one
Renamed conf1 to conf in msf data dir
Randomize the configuration name
Docs plus finishing touches
rubocop
Updated exploit file location
Removed unused external dir
Reduced conf folder
adeherdt-r7