CsEnox / CVE-2021-22911

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

binascii.Error: Non-base32 digit found #2

Open ashishgajjar90 opened 3 years ago

ashishgajjar90 commented 3 years ago

Trying to run this POC in a test environment with Rocket Chat... and I keep running into the issue below when the script receives the password reset token for the admin account.

[+] Got token : j3ldATrC6nBzTVg4rr_JAgDGCta36nt8fFIF6-wxHYX
Traceback (most recent call last):
  File "/Tools/CVE-2021-22911/exploit.py", line 155, in <module>
    code = oathtool.generate_otp(secret)
  File "/usr/local/lib/python3.9/dist-packages/oathtool/__init__.py", line 59, in generate_otp
    key = base64.b32decode(pad(clean(key)), casefold=True)
  File "/usr/lib/python3.9/base64.py", line 231, in b32decode
    raise binascii.Error('Non-base32 digit found') from None
binascii.Error: Non-base32 digit found

Is there something I'm missing, or not understanding with this error? Or is there an issue with the exploit code?

CsEnox commented 3 years ago

There is no 2fa secret key, so the admin account isn't protected by 2fa.

ashishgajjar90 commented 3 years ago

So at that point, does it mean that the admin account password has been reset? Let me attach the full output, hopefully it will make more sense then... rocket_exploit.txt

CsEnox commented 3 years ago

Nope, the exploit wasn't able to change the password. You have to modify the exploit to not use the 2fa code.