Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create CVE-2017-1000353.yaml #11191

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Create CVE-2017-1000353.yaml #11191

wants to merge 2 commits into from

Conversation

hnd3884
Copy link
Contributor

@hnd3884 hnd3884 commented Nov 11, 2024
edited
Loading

/claim #11185

Jenkins Unauthenticated Remote Code Execution

Template / PR Information

Provide full url of Jenkins like below

nuclei -u http://192.168.180.1:8000 -t nuclei.yaml

The template exploit unsafe deserialization and execute command curl https://{{interactsh-url}} so use interactsh protocol as matcher

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

POC
image

Additional References:

@hnd3884
Create CVE-2017-1000353.yaml
0b117c1 
Jenkins Unauthenticated Remote Code Execution
@algora-pbc algora-pbc bot mentioned this pull request Nov 11, 2024
Open
1 task
@algora-pbc Algora PBC
Copy link

algora-pbc bot commented Nov 11, 2024

👉 To complete your submission, sign up on Algora, link your Github account and submit the data for your PR.

@DhiyaneshGeek DhiyaneshGeek self-assigned this Nov 12, 2024
@GeorginaReeder
Copy link

Thanks so much for your contribution @hnd3884 ! :)

@princechaddha
Copy link
Member

@hnd3884, thank you so much for sharing this template with the community and contributing to this project 🍻

Can you confirm if this CVE can’t be written using HTTP/TCP + helpers or the JS protocol? We avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript, as such templates are blocked by default and won’t produce results. Therefore, we prioritize creating templates with other protocols unless exceptions are made.

@hnd3884
Copy link
Contributor Author

hnd3884 commented Nov 18, 2024

Dear @princechaddha,

The reason i think it could not be written using HTTP/TCP + helpers or the JS protocol is that we have to prepare serialized data with complex steps (find index, , and the serialized payload also can not be generated by builtin ysoserial tool. The exploit steps are as same as CVE-2016-9299, with different gadget chain https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2016/CVE-2016-9299.yaml . I tried both http and tcp and i'm not farmiliar with javascript

@hnd3884
Copy link
Contributor Author

hnd3884 commented Nov 18, 2024

When i tried to use two tcp request, It work perfectly if i specify interact url and manually check for dns request. But when i use {{interactsh-url}} to auto detect using interact protocol, nuclei keeps return missing compiled operators for 'hex-byte-request' template

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@DhiyaneshGeek DhiyaneshGeek

Labels
🙋 Bounty claim
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hnd3884 @GeorginaReeder @princechaddha @DhiyaneshGeek