mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-05 04:07:03 -07:00
3a289a3ac4
Add recon modules for self-hosted databases whose HTTP interface is reachable without credentials. ClickHouse runs arbitrary SQL because the default user has an empty password, confirmed here by reading the server version through the HTTP interface; the open-source Dgraph Alpha has no authentication, so its /health endpoint discloses the cluster while /query and /admin read and drop all data. A ClickHouse that requires a password returns 403 and an Alpha behind an authenticating proxy returns 401, and neither is flagged.
42 lines
833 B
YAML
# Dgraph Alpha API Exposure Detection Module
#
# Issues a single GET against /health on the target. A reachable Alpha answers
# with a JSON document describing the node, and the matchers below key on the
# field names in that document. Only /health is probed: the /query and /admin
# endpoints named in the description are not exercised by this module.

id: dgraph-api-exposure

info:
  name: Dgraph Alpha API Exposure
  author: sif
  severity: medium
  description: >-
    Detects a Dgraph Alpha whose unauthenticated health api leaks the cluster
    members and versions and serves read and admin apis
  tags:
    - dgraph
    - graph-database
    - database
    - exposure
    - unauth
    - recon

type: http

http:
  method: GET
  paths:
    - '{{BaseURL}}/health'

  # NOTE(review): no top-level condition is declared across the three matchers
  # below. If the engine evaluates them as any-of, the bare status matcher on
  # its own flags every host that answers /health with 200 — confirm the
  # engine's default before relying on this module for triage.
  matchers:
    # Node role as reported in the health document.
    - type: regex
      part: body
      regex:
        - '"instance"\s*:\s*"alpha"'

    # Both field names must appear in the body (condition: and).
    - type: word
      part: body
      words:
        - '"max_assigned"'
        - '"lastEcho"'
      condition: and

    # Per the commit, an Alpha behind an authenticating proxy answers 401 and
    # so never satisfies this matcher.
    - type: status
      status:
        - 200

  extractors:
    # Captures the quoted value of the "version" field for the report.
    - type: regex
      name: dgraph_version
      part: body
      regex:
        - '"version"\s*:\s*"([^"]+)"'
      group: 1