mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 19:34:53 -07:00
3a289a3ac4
add recon modules for self-hosted databases whose http interface is reachable without credentials: clickhouse runs arbitrary sql because the default user has an empty password, confirmed here by reading the server version through the http interface, and the open-source dgraph alpha has no authentication so its /health endpoint discloses the cluster while /query and /admin read and drop all data; a clickhouse that requires a password returns 403 and an alpha behind an authenticating proxy returns 401 and neither is flagged.