漏洞描述
OpenSearch Dashboard is a visualization and management tool for OpenSearch. This template detects instances that are accessible without authentication, potentially exposing sensitive data and system information.
opensearch-dashboard-unauth: OpenSearch Dashboard - Unauth Access
PoC代码[已公开]
id: opensearch-dashboard-unauth
info:
name: OpenSearch Dashboard - Unauth Access
author: ritikchaddha
severity: high
description: |
OpenSearch Dashboard is a visualization and management tool for OpenSearch. This template detects instances that are accessible without authentication, potentially exposing sensitive data and system information.
reference:
- https://opensearch.org/docs/latest/dashboards/index/
metadata:
verified: true
max-request: 1
shodan-query: title:"OpenSearch"
fofa-query: title="OpenSearch"
tags: opensearch,dashboard,misconfig,unauth
http:
- raw:
- |
GET /app/home#/ HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "/ui/fonts/source_sans_3/SourceSans3"
- "font-family: 'Source Code Pro"
- "OpenSearch"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022008def57e6d413afc9f0b42f2e82746a8a1b25eb28e7f77b97099cdb80322124a022100c390400117a9208556791b7f1b19107ed5616f71efd1026540e7922019d6fe8a:922c64590222798bb761d5b6d8e72950