Description
Version
≤4.2511.0
Problem description
sqle contains a hard-coded JWT authentication key and a valid JWT credential.
Screenshots or logs
https://github.com/actiontech/sqle/blob/main/sqle/utils/jwt.go#L9
To reproduce
- Regarding the default JWT key: once the system is deployed, the JWT encryption key is []byte("secret"). This can be verified using online resources.
Furthermore, we can modify the JWT payload and find that it only uses the ID for verification. We know that the administrator's UID is 700200, so we can forge the JWT ourselves.
Access was successful. Now let's try the hard-coded credential in the repository.
var defaultDMSToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjMyNzI0MjEzNTMsImlzcyI6ImFjdGlvbnRlY2ggZG1zIiwidWlkIjoiNzAwMjAxIn0.45o27vHjHWslarkbovAim6oir3QlrvSDDuzfpGTn6Dk"
It is also valid; this vulnerability allows direct takeover of the backend.
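As an added example that is not sqle's own code, the stdlib-only Go verifier below shows what a hardened replacement for the token check described above needs to do: it refuses to verify with the shipped key "secret" (or any key shorter than 32 bytes, an assumed policy), pins the algorithm to HS256 so that alg=none tokens are rejected, compares the HMAC in constant time and enforces exp before trusting the uid claim. The function and parameter names are assumptions; the alg pinning and exp check go slightly beyond the report, which only covers the key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// DefaultKey is the shipped value named in the report; verifying with it is refused.
const DefaultKey = "secret"

// VerifyHS256 refuses weak keys, pins alg to HS256 (rejecting alg=none), compares
// the HMAC in constant time and enforces exp; on success it returns the uid claim.
func VerifyHS256(token string, key []byte, now time.Time) (string, error) {
	if string(key) == DefaultKey || len(key) < 32 {
		return "", errors.New("refusing the shipped default or a short key")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("token is not base64url")
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return "", errors.New("alg is not HS256")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1])) // JWS signing input (RFC 7515)
	if !hmac.Equal(mac.Sum(nil), sig) {
		return "", errors.New("signature mismatch")
	}
	var c struct {
		Exp int64  `json:"exp"`
		UID string `json:"uid"`
	}
	if json.Unmarshal(payload, &c) != nil || c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("claims unreadable, exp missing, or expired")
	}
	return c.UID, nil
}
```

Wiring this in place of the current check only helps if the deployment also sets a per-instance key, since the first guard makes the shipped "secret" fail closed instead of silently accepting any token it signs.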