adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
89d07c472a883fff3554cc5ea9b1c9ea97488fe6
metasploit-gs/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md
T
Shelby Pace 89d07c472a add documentation
2020-09-09 18:55:23 -05:00

940 B
Raw Blame History

Vulnerable Application

An unauthenticated Java object deserialization vulnerability exists in the CLI component found in Jenkins versions v2.56 and below.

Installation

Vulnerable version of Jenkins can be downloaded from here. Additionally, a jdk will need to be installed on the target system.

To start Jenkins, navigate to the location of the downloaded war file and execute: java -jar <jenkins-file>.war. To test if Jenkins is properly working, the CLI component can be accessed by navigating to http://localhost:8080/cli.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: exploit/linux/http/jenkins_cli_deserialization
  4. Do: set RHOST <ip>
  5. Do: run
  6. You should get a shell.

Options

No options

Scenarios

Version and OS

Reference in New Issue View Git Blame Copy Permalink