1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)

# JenkinsCommonBugs

## Introduction

What would you do if you came across a website that uses Jenkins?

## How to Detect

Usually the HTTP response carries a header like this: `X-Jenkins`.

1. Find the related CVE by checking the Jenkins version

* How to find the Jenkins version

Check the response header `X-Jenkins`; sometimes the version is printed there. If you find an outdated Jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins).

Some example CVEs:

- Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older)

Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload.
Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py):
3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002)

Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce).
Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc).

Try requesting `https://example.com/secure/Dashboard.jspa` and then check the page source. You will find a line like `<meta name="ajs-version-number" content="8.20.9">`, so 8.20.9 is the Jira version. If you find an outdated Jira version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-3578/product_id-8170/Atlassian-Jira.html).

* Full path exploit: `http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`
* Affected versions: before 4.8.28 and 5.x before 5.6.3

# Laravel Common Bugs

## Introduction

What would you do if you came across a website that uses Laravel?

## How to Detect

Usually the HTTP response carries a header like this: `Set-Cookie: laravel_session=`.

1. Find the related CVE by checking the Laravel version

* How to find the Laravel version

Check the composer file at `https://example.com/composer.json`; sometimes the version is printed there. If you find an outdated Laravel version, find the CVEs at [CVEDetails](https://www.cvedetails.com/vulnerability-list/vendor_id-16542/product_id-38139/Laravel-Laravel.html).

What would you do if you came across a website that uses Nginx?

## How to Detect

Usually the HTTP response carries a header like this: `Server: nginx`.

1. Find the related CVE by checking the nginx version

* How to find the nginx version

Check the response header or the 404 page; sometimes the version is printed there. If you find an outdated nginx version, find the CVEs at [CVE Details](https://www.cvedetails.com/vulnerability-list/vendor_id-315/product_id-101578/F5-Nginx.html).

What would you do if you came across a website that uses WordPress?

## How to Detect

If you visit `https://target.com` and view the page source, you will see links to WordPress themes and plugins. Or you can visit `https://target.com/wp-login.php`, the WordPress admin login page.

1. Find the related CVE by checking the core, plugins, and theme versions
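An added example, not part of these notes or of any of the linked projects: a small Python fingerprinting routine that applies the detection rules from the Jenkins, Laravel, nginx, WordPress and Jira notes above (`X-Jenkins` header, `laravel_session` cookie, `Server: nginx` header and 404 page, `wp-content` asset links, `ajs-version-number` meta tag) to raw HTTP responses, so you can inventory which of your own hosts disclose a product and its version. The sample responses are constructed for the example, not captured from any real host; the WordPress `generator` meta tag check is a well-known WordPress default that these notes do not mention, and the `at_or_below` helper is an assumption about how you would compare a disclosed version against a threshold such as the Jenkins 1.638 one given above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (NOT captured from any real host). Each is a raw
# HTTP/1.1 response: status line, headers, blank line, body.
SAMPLES: Dict[str, str] = {
    "jenkins": (
        "HTTP/1.1 403 Forbidden\r\n"
        "X-Jenkins: 1.638\r\n"
        "Content-Type: text/html;charset=utf-8\r\n"
        "\r\n"
        "<html><body>Authentication required</body></html>"
    ),
    "laravel": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: laravel_session=eyJpdiI6...; path=/; httponly\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Welcome</body></html>"
    ),
    "nginx": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: nginx/1.14.0\r\n"
        "\r\n"
        "<html><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0</center></html>"
    ),
    "wordpress": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "\r\n"
        '<html><head><link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css">'
        '<meta name="generator" content="WordPress 5.4"></head></html>'
    ),
    "jira": (
        "HTTP/1.1 200 OK\r\n"
        "\r\n"
        '<html><head><meta name="ajs-version-number" content="8.20.9"></head></html>'
    ),
}

VERSION = r"(\d+(?:\.\d+)+)"  # dotted version string, e.g. 1.638 or 8.20.9


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw response into ({lower-case header name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw: str) -> Dict[str, Optional[str]]:
    """Return {product: version-or-None} for every product the response reveals."""
    headers, body = parse_response(raw)
    found: Dict[str, Optional[str]] = {}

    # Jenkins: the X-Jenkins header value is the core version.
    for value in headers.get("x-jenkins", []):
        match = re.search(VERSION, value)
        found["jenkins"] = match.group(1) if match else None

    # nginx: "Server: nginx/<version>"; the default 404 page echoes the same string.
    for value in headers.get("server", []):
        if value.lower().startswith("nginx"):
            match = re.search(r"nginx/" + VERSION, value, re.I)
            found["nginx"] = match.group(1) if match else None
    if "nginx" not in found:
        match = re.search(r"<center>nginx/" + VERSION + r"</center>", body, re.I)
        if match:
            found["nginx"] = match.group(1)

    # Laravel: the laravel_session cookie names the framework but carries no version.
    if any(v.startswith("laravel_session=") for v in headers.get("set-cookie", [])):
        found["laravel"] = None

    # WordPress: theme/plugin asset paths; the default generator meta tag gives the version.
    if re.search(r"/wp-(?:content|includes)/", body):
        match = re.search(r'<meta name="generator" content="WordPress ' + VERSION, body)
        found["wordpress"] = match.group(1) if match else None

    # Jira: the ajs-version-number meta tag in the page source.
    match = re.search(r'<meta name="ajs-version-number" content="' + VERSION + '"', body)
    if match:
        found["jira"] = match.group(1)

    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def at_or_below(version: str, baseline: str) -> bool:
    """True when `version` is the baseline or older (e.g. Jenkins 1.638 and older)."""
    return version_tuple(version) <= version_tuple(baseline)


def exposure_report(samples: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Fingerprint every sample; entries that carry a version string disclose it."""
    return {name: fingerprint(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for host, products in exposure_report(SAMPLES).items():
        for product, version in products.items():
            note = f"version {version} disclosed" if version else "no version disclosed"
            print(f"{host}: {product} ({note})")
    # The notes above flag Jenkins 1.638 and older for CVE-2015-8103.
    print("jenkins sample at or below 1.638:", at_or_below("1.638", "1.638"))
```

Run it against responses you have captured from your own hosts: any entry with a version string is a host that advertises its exact build to anyone who sends one request, which is the first thing to fix (strip or genericize the header, remove the meta tag) after confirming with `at_or_below` that the disclosed version is not also inside an affected range.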