CVE-2023-33243 PoC — STARFACE 安全漏洞

Source

https://github.com/RedTeamPentesting/CVE-2023-33243

Associated Vulnerability

Title:STARFACE 安全漏洞 (CVE-2023-33243)
Description:RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.

Description

PoC for login with password hash in STARFACE

Readme

# Proof of Concept for Login with Password Hash in STARFACE (CVE-2023-33243)

Details are described in our
[advisory](https://www.redteam-pentesting.de/advisories/rt-sa-2022-004).

In the corresponding [blog
post](https://blog.redteam-pentesting.de/2023/storing-passwords/) the
vulnerability CVE-2023-33243 is used as an example to describe how we generally
approach the analysis of authentication mechanisms and identify misconceptions
we encounter during our pentest engagements.

## Dependencies

Install Python libraries [requests](https://github.com/psf/requests) and
[click](https://github.com/pallets/click).

## Usage

```
python3 login.py --url [URL] --login [Login ID] --pwhash [SHA512 Password Hash]
```

File Snapshot


 [4.0K]  /data/pocs/f97c0e7d077117eb7371f72ebcc3c909ec6a1db7
├── [1.0K]  LICENSE
├── [3.0K]  login.py
└── [ 716]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!