rails-admin-dashboard-exposure: RailsAdmin Dashboard Exposure

Date: 2026-02-03 | Affected software: Unknown | PoC: Public

Vulnerability description

A RailsAdmin dashboard was detected exposed without authentication, allowing unauthorized access to the data management interface.

PoC code [public]

id: rails-admin-dashboard-exposure

info:
  name: RailsAdmin Dashboard Exposure
  author: 0x_Akoko
  severity: high
  description: |
    Detected RailsAdmin dashboard was exposed without proper authentication, allowing unauthorized access to data management interface.
  reference:
    - https://github.com/railsadminteam/rails_admin
  metadata:
    max-request: 2
    verified: true
    shodan-query: http.html:"RailsAdmin"
    fofa-query: body="RailsAdmin"
  tags: rails,admin,exposure,misconfig,panel

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/rails_admin"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Settings</a>", "rails_admin_sidebar", "rails_admin_content")'
          - '!contains_any(body, "Sign in", "Log in", "login_form", "devise")'
        condition: and
# digest: 490a00463044022077631f1c54ebe40ea2edbc3a4d5838cd6d800ad3aa58a214d84d294515a1105b02201969fb584763c0c14145bf82f86787a5d96b555c12eacf3f5a31f5302abda661:922c64590222798bb761d5b6d8e72950
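The fix for the misconfiguration this template detects, as an added example that is not from the original page or from the rails_admin project: require an authenticated and authorized user in the RailsAdmin initializer, and again at the route where the engine is mounted, so an anonymous GET to /admin never reaches the dashboard. It assumes Devise with a `User` model that has an `admin?` predicate; the `admin?` method and the `current_user` helper are assumptions about the application.

```ruby
# config/initializers/rails_admin.rb (added example; assumes Devise + a User model)
RailsAdmin.config do |config|
  # First layer: require a signed-in Devise session before any RailsAdmin
  # action runs. The block is evaluated in the controller, so Devise's
  # warden helper is available here.
  config.authenticate_with do
    warden.authenticate! scope: :user
  end

  # Second layer: only users flagged as admins may use the dashboard.
  # `current_user` and `admin?` are assumptions about this application's User model.
  config.authorize_with do
    unless current_user&.admin?
      redirect_to main_app.root_path, alert: "Not authorized"
    end
  end
end

# config/routes.rb (added example)
Rails.application.routes.draw do
  # Third layer: Devise's `authenticate` route constraint keeps the engine
  # unreachable for anonymous or non-admin requests even if the initializer
  # above is later edited incorrectly.
  authenticate :user, ->(user) { user.admin? } do
    mount RailsAdmin::Engine => '/admin', as: 'rails_admin'
  end
end
```

With both layers in place the template's third matcher condition no longer holds, because an unauthenticated request to /admin is redirected to the Devise sign-in page instead of returning the sidebar markup with status 200.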