CVE-2019-20933 PoC — Influxdata InfluxDB 授权问题漏洞

Source

https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

Associated Vulnerability

Title:Influxdata InfluxDB 授权问题漏洞 (CVE-2019-20933)
Description:Influxdata Influxdata InfluxDB是美国Influxdata公司的一个基于Go开发的时序性数据库。 Influxdata InfluxDB 1.7.6之前版本存在安全漏洞，该漏洞源于在服务httpd处理程序的身份验证功能中，有一个身份验证绕过漏洞。因为JWT令牌可能有一个空的SharedSecret(又名shared secret)。

Description

InfluxDB CVE-2019-20933 vulnerability exploit

Readme

# InfluxDB Exploit CVE-2019-20933

Exploit for InfluxDB CVE-2019-20933 vulnerability, InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).
Exploit check if server is vulnerable, then it tries to get a remote query shell. It has built in a username bruteforce service.

## Installation
```
git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git
cd InfluxDB-Exploit-CVE-2019-20933
pip install -r requirements.txt
```

## Usage
```
python __main__.py
```

File Snapshot


 [4.0K]  /data/pocs/d9093fa6dba5b97b0fa692e086ad7898e103c10b
├── [5.6K]  __main__.py
├── [ 619]  README.md
├── [  33]  requirements.txt
└── [  44]  users.txt

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!