Fuel CMS - Default Admin Discovery

ID: fuelcms-default-login

Severity: high

Author: Adam Crosser

Tags: fuelcms,default-login,oss

Description

Fuel CMS default admin credentials were discovered.

YAML Source

id: fuelcms-default-login

info:
  name: Fuel CMS - Default Admin Discovery
  author: Adam Crosser
  severity: high
  description: Fuel CMS default admin credentials were discovered.
  reference:
    - https://docs.getfuelcms.com/general/security
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-522
  metadata:
    max-request: 2
  tags: fuelcms,default-login,oss

http:
  - raw:
      - |
        GET /fuel/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /fuel/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_name={{username}}&password={{password}}&Login=Login&forward=&ci_csrf_token_FUEL={{csrftoken}}

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - admin

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "/fuel/dashboard"

      - type: regex
        part: header
        regex:
          - 'fuel_(.*)='

      - type: status
        status:
          - 302

    extractors:
      - type: regex
        part: body
        name: csrftoken
        internal: true
        group: 1
        regex:
          - 'id="ci_csrf_token_FUEL" value="([0-9a-z]+)" \/>'
# digest: 490a0046304402201d17096c8255afef6a9a016044e89b1081e183e0a6c446ca3d59a816d3b1bc8602205784b4bad4dd3cf97a00c336ff0c98eb3d0f5ba06610bf02bf3574a7c7827e9b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/default-logins/fuelcms/fuelcms-default-login.yaml"

View on Github