kong-manager-exposure: Kong Manager OSS/Admin - Exposure

Date: 2025-08-01 | Affected software: Kong Manager OSS | PoC: public

Vulnerability description

An exposed Kong Manager (OSS/Admin) web interface that is reachable without authentication. The template below only fingerprints the UI landing page (one GET to the base URL, matched on status, content type and body strings); it does not exercise the Kong Admin API behind it, so a hit should be confirmed by checking whether that API is also reachable.

PoC code [public]

id: kong-manager-exposure

info:
  name: Kong Manager OSS/Admin - Exposure
  author: Krishna Jaishwal
  severity: medium
  description: |
    Exposed Kong Manager (OSS/Admin) interface accessible without authentication.
  reference:
    - http://github.com/Kong/kong-manager
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"Kong Manager"
  tags: kong,manager,misconfig,exposure,discovery

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - "contains_any(body,'Kong Manager OSS','Kong Admin','kconfig.js')"
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100bc1fb3278ca23d3ac6002227b0a38e0aa15ff4815ed2c5d0916d1ce4607d97d1022100ff7229eb8d1dfaebf7d00f634a99ef02e08f814095e913cce0a3a3784fb69d67:922c64590222798bb761d5b6d8e72950
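The same check as a standalone script, so it can be run or unit-tested without nuclei. This is an added example, not code from the original page or from the Kong or nuclei-templates projects. It re-implements the template's DSL matcher (`status_code == 200`, a `text/html` content type, and `contains_any` over the three fingerprint strings, ANDed) as a pure function, plus a fetcher that follows at most two redirects like `max-redirects: 2`. The names `Response`, `matches_kong_manager`, `fetch` and `check` are this example's own, and the responses used to exercise the matcher are constructed, not captured from a live host.

```python
"""Standalone check for an exposed Kong Manager (OSS/Admin) UI.

Added example mirroring the kong-manager-exposure nuclei template:
status 200, an HTML content type, and at least one of three fingerprint
strings in the body, all required, after following at most two redirects.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Strings the template looks for with contains_any(body, ...).
FINGERPRINTS = ("Kong Manager OSS", "Kong Admin", "kconfig.js")
MAX_BODY = 256 * 1024  # read at most this much of the body


@dataclass
class Response:
    """Minimal view of an HTTP response: what the matcher needs and nothing else."""
    status_code: int
    content_type: str
    body: str


def matches_kong_manager(resp: Response) -> bool:
    """Pure re-implementation of the template's `condition: and` DSL matcher."""
    return (
        resp.status_code == 200
        and "text/html" in resp.content_type
        and any(fp in resp.body for fp in FINGERPRINTS)
    )


class _LimitedRedirects(urllib.request.HTTPRedirectHandler):
    # Equivalent of the template's `max-redirects: 2`; urllib raises
    # HTTPError once this many redirects have been followed.
    max_redirections = 2


_OPENER = urllib.request.build_opener(_LimitedRedirects())


def fetch(url: str, timeout: float = 10.0) -> Response:
    """GET `url` and return status, Content-Type and a truncated body.

    urllib raises HTTPError for non-2xx answers (and for too many
    redirects); those are turned into a Response as well so the matcher
    rejects them by status code instead of the script crashing.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "kong-manager-exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Content-Type", ""),
                            r.read(MAX_BODY).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", ""),
                        e.read(MAX_BODY).decode("utf-8", "replace"))


def check(url: str) -> bool:
    """True if `url` serves what looks like an unauthenticated Kong Manager UI."""
    return matches_kong_manager(fetch(url))


if __name__ == "__main__":
    # Usage: python3 kong_manager_check.py http://host:8002/ [more URLs...]
    for target in sys.argv[1:]:
        print(f"{target}: {'EXPOSED' if check(target) else 'no match'}")
```

A match only means the Kong Manager UI is being served to an unauthenticated client. Kong Manager OSS is a front end for the Kong Admin API, so the finding matters to the extent that the Admin API it talks to is also reachable; when triaging, verify that separately, and remediate by restricting Kong's admin listener (the `admin_listen` setting in kong.conf) to localhost or a trusted network rather than only hiding the UI.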