id: magnolia-default-login

info:
  name: Magnolia Default Login
  author: pussycat0x
  severity: high
  description: Mangnolia CMS default credentials were discovered.
  reference:
    - https://www.magnolia-cms.com/
  metadata:
    verified: "true"
    shodan-query: html:"Magnolia is a registered trademark"
  tags: magnolia,default-login

http:
  - raw:

      - |
        GET /.magnolia/admincentral HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /.magnolia/admincentral HTTP/1.1
        Host: {{Hostname}}
        Cookie: csrf={{csrf}};JSESSIONID={{session}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}/.magnolia/admincentral

        mgnlUserId={{username}}&mgnlUserPSWD={{password}}&csrf={{csrf}}

      - |
        GET /.magnolia/admincentral/PUSH?v-uiId=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: csrf={{csrf}}; JSESSIONID={{session}}

    payloads:
      username:
        - superuser
      password:
        - superuser
    attack: pitchfork

    extractors:
      - type: kval
        name: csrf
        part: header
        internal: true
        kval:
          - csrf

      - type: kval
        name: session
        internal: true
        part: header
        kval:
          - JSESSIONID

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '"changes":'
          - '"resources":'
        condition: and

      - type: word
        part: header_3
        words:
          - 'application/json'

      - type: status
        status:
          - 200