Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-31007 PoC — eLabFTW 安全漏洞

Source
https://github.com/gregscharf/CVE-2022-31007-Python-POC
Associated Vulnerability
Title:eLabFTW 安全漏洞 (CVE-2022-31007)
Description:eLabFTW是一套开源的实验数据托管平台。该平台运行于Linux系统中,并支持存储多种对象。 eLabFTW 4.3.0之前版本存在安全漏洞,该漏洞源于应用的权限设置存在问题。具有管理员角色的经过身份验证的用户利用该漏洞在应用程序中为自己分配系统管理员权限,或创建新的系统管理员帐户。
Description
elabFTW < 4.1.0 - account lockout bypass and login brute force
Readme
Python automation of the following [write up](https://www.vicarius.io/blog/bypassing-account-lockout-on-elabftw-and-brute-force-login-cve-2022-31007) on an elabFTW account lockout bypass and login brute force that affects versions before 4.1.0.

Both scripts can be used against Proving Grounds Practice lab named Source, which is running a vulnerable version of elabFTW - a free and open source electronic lab notebook.

The account login requires an email address so a valid domain of any potential user needs to be known before brute forcing user names.

Once a valid account is found put that into the login brute force script.
File Snapshot

 [4.0K]  /data/pocs/7cb6ee39e7d87c41e21fec90f16180959555a1db
├── [1.4K]  elabFTW-login-bruteforce.py
├── [1003]  elabFTW-username-bruteforce.py
└── [ 633]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.