strapi-admin-installer: Strapi Admin - Installer

漏洞描述

PoC代码[已公开]

id: strapi-admin-installer

info:
  name: Strapi Admin - Installer
  author: dhiyaneshDk
  severity: critical
  description: |
    Strapi Admin Registration enabled was detected.
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Welcome to your Strapi app" html:"create an administrator"
  tags: misconfig,exposure,strapi,install,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Welcome to your Strapi app"
          - "Click to create the first administration"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450220297f982ede460fcec6d779699d8317ce8512097144df64daa86f1d2dec729e6802210096a7ff9b6c41b5f17d1408a1a0b4c51dbd367bd090d8cb0ebbfaba3b3427a7ed:922c64590222798bb761d5b6d8e72950

相关漏洞推荐

• 天锐绿盘云文档安全管理平台 /lddsm/service/../admin/config/findConfigForPage.do SQL 注入漏洞
• 天锐绿盘云文档安全管理平台 /lddsm/service/../admin/bfclConfig/findForPage.do SQL 注入漏洞
• Tplay-cms /admin/common/upload 文件上传漏洞
• Fortinet FortiWeb /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 权限绕过漏洞（CVE-2025-64446/CVE-2025-58034）
• Fortinet FortiWeb /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 权限绕过漏洞（CVE-2025-64446）
• 天锐绿盘云文档管理系统 /lddsm/main/auth.do/../../admin/activiti/uploadFile.do 文件上传漏洞
• 百易云资产管理运营系统 /adminx/project.save.php SQL 注入漏洞
• WordPress WooCommerce Designer Pro 插件 /wp-admin/admin-ajax.php wcdp_save_canvas_design_ajax 文件上传漏洞（CVE-2025-6440）
• POC churchcrm-installer: ChurchCRM - Setup Exposure
• WordPress Events Manager /wp-admin/admin-ajax.php SQL 注入漏洞（CVE-2025-6970）
• FreePBX /admin/ajax.php brand SQL 注入漏洞（CVE-2025-57819）
• Trinity Audio /wp-content/plugins/trinity-audio/admin/inc/phpinfo.php 信息泄露漏洞（CVE-2025-9196）
• Wordpress Plugin Depicter /wp-admin/admin-ajax.php depicter-lead-list SQL 注入漏洞（CVE-2025-2011）