This repository contains a Python script that exploits a critical vulnerability (CVE-2024-23897) in Jenkins, leading to arbitrary file read and remote code execution (RCE). This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the target Jenkins server, potentially compromising the entire system.
Before you can use this exploit, you will need to ensure that you have the following prerequisites installed:
- Python 3 or later
- The requests library
- The argparse library
- The colorama library
- The concurrent.futures library
You can install the third-party dependencies using the following commands (argparse and concurrent.futures are part of the Python 3 standard library and need no separate installation):
pip install requests
pip install colorama
To use this exploit, simply clone this repository and run the CVE-2024-23897.py script. You can specify the following options:
- -u, --url: The target Jenkins URL.
- -f, --filename: The file containing a list of target URLs or IPs.
- -t, --threads: The number of threads to use for concurrent execution.
- -o, --output: The output file to save successful responses.
- -c, --command: The command to execute on the target system.
For example, to exploit a single target with the URL http://example.com, you would run the following command:
python CVE-2024-23897.py -u http://example.com
To exploit multiple targets from a file called targets.txt, you would run the following command:
python CVE-2024-23897.py -f targets.txt
You can also specify the number of threads to use for concurrent execution using the -t option. For example, to use 10 threads, you would run the following command:
python CVE-2024-23897.py -t 10
If you want to save the successful responses to a file, you can specify the output file using the -o option.
References: @h4x0r-dz