
CVE-2023-42442 PoC — JumpServer session replays download without authentication

Associated Vulnerability
Title: JumpServer session replays download without authentication (CVE-2023-42442)
Description: JumpServer is an open source bastion host and a professional operations and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. Permission control on the API `/api/v1/terminal/sessions/` is broken and it can be accessed anonymously: the SessionViewSet permission classes are set to `[RBACPermission | IsSessionAssignee]`, an OR relation, so matching either permission is enough to be allowed. Versions 3.5.5 and 3.6.4 contain a fix. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1`; the expected HTTP response code is 401 (`not_authenticated`).
Description
JumpServer bastion host unauthenticated combined vulnerability exploit, CVE-2023-42442 / CVE-2023-42820 Exploit
Readme
## blackjump

[中文](https://github.com/tarimoe/blackjump/) | [English](https://github.com/tarimoe/blackjump/blob/main/README_en.md)

> Disclaimer: This tool is intended only for legally authorized enterprise security assessments. When using this tool for testing, <b>you must ensure that your actions comply with local laws and regulations and that you have obtained sufficient authorization. Do not use it against unauthorized targets</b>.
> 
> If you engage in any illegal activity while using this tool, <b>you bear the consequences yourself; we accept no legal or joint liability</b>.


JumpServer bastion host combined vulnerability exploitation
- [x] Unauthenticated arbitrary user password reset (CVE-2023-42820)
- [x] Unauthenticated one-click download of all session recordings (CVE-2023-42442)
- [x] Unauthenticated arbitrary command execution (RCE 2021)

## Installation
```bash
python3 -m pip install -r requirements.txt
```

## Usage
+ CVE-2023-42820: if the target's username and email are known, pass them with the `--user` and `--email` options
```bash
python3 blackjump.py reset https://vulerability
```
![img.png](img/img.png)

+ CVE-2023-42442: load the `<uuid4>.tar` files from the `output/` directory into the <u>[JumpServer player](https://github.com/jumpserver/VideoPlayer/releases)</u> to play them
```bash
python3 blackjump.py dump https://vulerability
```
![img_1.png](img/img_1.png)

+ RCE
```shell
python3 blackjump.py rce http(s)://vulerability
```
![img.png](img/img_2.png)

+ Help
```bash
python3 blackjump.py {reset,dump,rce} -h
```

## References
1. https://github.com/Veraxy00/Jumpserver-EXP (the RCE 2021 module builds on this, fixing cases where command execution failed or assets could not be retrieved)
File Snapshot

```
[4.0K] /data/pocs/0b80da2fdbb4d282f3e5de4ad2cb292327a9e023
├── [ 26K] blackjump.py
├── [4.0K] img
│   ├── [ 65K] img_1.png
│   ├── [125K] img_2.png
│   └── [ 39K] img.png
├── [1.0K] LICENSE
├── [1.6K] README_en.md
├── [1.5K] README.md
└── [  50] requirements.txt

1 directory, 8 files
```