From 73579ef3bb082b2a87e9d3e59bb8e24bf444a424 Mon Sep 17 00:00:00 2001
From: savik
Date: Sat, 20 Jan 2024 02:13:01 -0300
Subject: [PATCH 1/2] Create node-red-default-login.yaml

---
 .../node-red/node-red-default-login.yaml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 http/default-logins/node-red/node-red-default-login.yaml

diff --git a/http/default-logins/node-red/node-red-default-login.yaml b/http/default-logins/node-red/node-red-default-login.yaml
new file mode 100644
index 0000000000..1d61514c40
--- /dev/null
+++ b/http/default-logins/node-red/node-red-default-login.yaml
@@ -0,0 +1,44 @@
+id: node-red-default-login
+
+info:
+ name: Node-Red - Default Login
+ author: savik
+ severity: critical
+ description: |
+ Allows to perform RCE.
+ reference:
+ - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
+ metadata:
+ max-request: 1
+ tags: default-login,node-red-dashboard
+
+http:
+ - raw:
+
+ - |
+ POST /auth/token HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+ Accept: application/json, text/plain, */*
+
+ client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}}
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - password
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'access_token'
+ - 'expires_in'
+ condition: and
+
+ - type: status
+ status:
+ - 200

From 0140c442ef894770ca4fff90f7c40e40c567b864 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Sun, 21 Jan 2024 12:22:05 +0530
Subject: [PATCH 2/2] additional matcher

updated template with additional matcher, metadata and description

---
 ...-login.yaml => nodered-default-login.yaml} | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
 rename http/default-logins/node-red/{node-red-default-login.yaml => nodered-default-login.yaml} (65%)
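Review bot: The form body in the `raw` request interpolates `{{username}}` and `{{password}}` unencoded into an `application/x-www-form-urlencoded` payload, so any future payload entry containing `&`, `=` or `%` would split or corrupt the parameters instead of being sent as one value; `username={{url_encode(username)}}&password={{url_encode(password)}}` keeps the body well-formed for every list entry. The current `admin`/`password` values are unaffected, so this is a robustness point for when the lists grow. The second patch in this series keeps the same request line, so the note applies there as well.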
diff --git a/http/default-logins/node-red/node-red-default-login.yaml b/http/default-logins/node-red/nodered-default-login.yaml
similarity index 65%
rename from http/default-logins/node-red/node-red-default-login.yaml
rename to http/default-logins/node-red/nodered-default-login.yaml
index 1d61514c40..ae186b3a0b 100644
--- a/http/default-logins/node-red/node-red-default-login.yaml
+++ b/http/default-logins/node-red/nodered-default-login.yaml
@@ -1,25 +1,25 @@
-id: node-red-default-login
+id: nodered-default-login
 info: name: Node-Red - Default Login author: savik severity: critical description: | - Allows to perform RCE. + Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials. reference: - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/ metadata: max-request: 1 - tags: default-login,node-red-dashboard + verified: true + shodan-query: http.favicon.hash:321591353 + tags: default-login,node-red,dashboard http: - raw: - - | POST /auth/token HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded;charset=UTF-8 - Accept: application/json, text/plain, */* client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}}
@@ -35,10 +35,16 @@ http:
 - type: word part: body words: - - 'access_token' - - 'expires_in' + - 'access_token":' + - 'expires_in":' + - 'token_type":' condition: and + - type: word + part: header + words: + - 'application/json' + - type: status status: - 200
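Review bot: The reworked `info` block in the first hunk adds `verified`, `shodan-query` and a longer description but still carries no `remediation` or `classification`, which is what a consumer of a critical default-login finding needs to act on it. I would add `remediation: Replace the default editor credentials in the Node-RED adminAuth settings with a unique, strong password and restrict who can reach the editor.` and a `classification` entry with `cwe-id: CWE-1392` (Use of Default Credentials). The description wording `log in and execute RCE` is also redundant; `Allows an attacker to log in to the Node-RED editor with default credentials and, from there, achieve remote code execution.` reads more precisely.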