yf-exam is a multi-role online training and examination system. It integrates user management, role management, department management, question bank management, test question management, test question import and export, test management, online tests, and wrong-question training, and the workflow is complete. The program uses a fixed JWT key that is derived from the username, so for any user who has logged in within the last 24 hours, a token can be forged from that username alone to bypass authentication.
Vulnerability details
Login entry point:
com.yf.exam.modules.sys.user.controller#login()
Follow the interface it calls:
com.yf.exam.modules.sys.user.service#lgion()
Then view the implementation class of that interface:
com.yf.exam.modules.sys.user.service.impl#login()
It first checks whether the account exists, then whether it is disabled, then whether the password is correct, and generates a token once all checks pass.
The token is generated with JWT; the token and the user id are then filled into the response.
com.yf.exam.ability.shiro.jwt#sign()
Here the payload contains the username and data, and the token is valid for 24 hours. The jwt-key is the encrypted username; follow up on encryptSecret().
com.yf.exam.ability.shiro.jwt#encryptSecret()
Here the jwt-key is the MD5 value taken twice. Because the jwt-key is derived from the username and stays unchanged for the current month, it is very easy to forge.
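The root cause above is a signing key that can be recomputed from a public attribute. The following is an added example, not code from yf-exam: it contrasts the username-derived key the report describes (the exact MD5 input string is an assumption) with the hardened form, a random per-deployment secret, and includes an audit check that a patched verifier rejects tokens minted under the derived key. Function names and the HS256 implementation are mine, built on the standard library only.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def weak_key(username: str) -> bytes:
    # Key derivation as the report describes it: MD5 applied twice to the
    # username (exact input string is an assumption). Anything derived only
    # from public user attributes can be recomputed by anyone.
    first = hashlib.md5(username.encode()).hexdigest()
    return hashlib.md5(first.encode()).hexdigest().encode()

# Hardened form: one random 256-bit secret per deployment, generated once,
# stored in server config, never derived from user data.
SERVER_SECRET = secrets.token_bytes(32)

def sign(payload: dict, key: bytes) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify(token: str, key: bytes):
    """Return the payload if signature and expiry are valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never trust the header's choice
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    payload = json.loads(b64url_decode(body))
    if payload.get("exp", 0) <= time.time():
        return None
    return payload

def issue_token(username: str, ttl_seconds: int = 24 * 3600) -> str:
    return sign({"username": username, "exp": int(time.time()) + ttl_seconds}, SERVER_SECRET)

def weak_token_still_accepted(username: str) -> bool:
    # Audit check for a patched deployment: a token minted under the
    # username-derived key must not verify against the server secret.
    forged = sign({"username": username, "exp": int(time.time()) + 3600}, weak_key(username))
    return verify(forged, SERVER_SECRET) is not None
```

In a real deployment the secret is loaded from configuration rather than regenerated at import time, otherwise every restart invalidates all sessions.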
TEST
Simulate an admin login at around 13:44.
Use the PoC to generate a JWT.
Import the JWT and try to log in.
After importing the token and refreshing, the admin backend is entered successfully.
poc