From ac8ec3c76590fef0db268e8ba40435baceaeb5e3 Mon Sep 17 00:00:00 2001 From: Abhay Kumar Gupta Date: Fri, 14 Jul 2023 18:40:23 +0530 Subject: [PATCH 1/2] Update geoserver-default-login.yaml --- .../geoserver/geoserver-default-login.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/http/default-logins/geoserver/geoserver-default-login.yaml b/http/default-logins/geoserver/geoserver-default-login.yaml index 1dd06c0e540..06682299647 100644 --- a/http/default-logins/geoserver/geoserver-default-login.yaml +++ b/http/default-logins/geoserver/geoserver-default-login.yaml @@ -1,5 +1,4 @@ id: geoserver-default-login - info: name: Geoserver Default Admin Login author: For3stCo1d @@ -11,10 +10,10 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 cwe-id: CWE-522 - metadata: - max-request: 1 - fofa-query: app="GeoServer" - tags: geoserver,default-login +metadata: + max-request: 1 + fofa-query: app="GeoServer" +tags: geoserver,default-login http: - raw: @@ -43,3 +42,7 @@ http: - type: status status: - 302 + + - type: status + status: + - 200 From 5c46eddb19fdfd216a4cfb044fb14d505bf0835d Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 21 Jul 2023 18:10:29 +0530 Subject: [PATCH 2/2] updated matchers,req,info --- .../geoserver/geoserver-default-login.yaml | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/http/default-logins/geoserver/geoserver-default-login.yaml b/http/default-logins/geoserver/geoserver-default-login.yaml index 06682299647..9a123456c04 100644 --- a/http/default-logins/geoserver/geoserver-default-login.yaml +++ b/http/default-logins/geoserver/geoserver-default-login.yaml 
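Review bot: The second hunk of patch 1/2 (`@@ -11,10 +10,10 @@`) de-indents `metadata:` and `tags:` so that they leave the `info:` mapping and become top-level keys. At top level the engine would presumably not read them as template info, so tag-based selection on `default-login` would stop picking this template up, and a strict parser may reject the file. Keep both keys nested under `info:`, as in the removed lines: `  metadata:` and `  tags: geoserver,default-login`.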
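Review bot: The `status: 200` matcher added in the last hunk of patch 1/2 (`@@ -43,3 +42,7 @@`) cannot hold together with the existing `status: 302` matcher. The lines that patch 2/2 removes show `matchers-condition: and` was in force, so a single response would need both status codes and the template would never report a default login. If the intent was to confirm the page reached after login, that needs a second request with its own check, not a second status matcher on the same response. The matchers block begins outside this hunk.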
@@ -1,7 +1,8 @@ id: geoserver-default-login + info: - name: Geoserver Default Admin Login - author: For3stCo1d + name: Geoserver Admin - Default Login + author: For3stCo1d,professorabhay,ritikchaddha severity: high description: Geoserver default admin credentials were discovered. reference: @@ -10,10 +11,11 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 cwe-id: CWE-522 -metadata: - max-request: 1 - fofa-query: app="GeoServer" -tags: geoserver,default-login + metadata: + max-request: 1 + verified: true + fofa-query: app="GeoServer" + tags: geoserver,default-login http: - raw: @@ -24,6 +26,10 @@ http: username={{user}}&password={{pass}} + - | + GET /geoserver/web/ HTTP/1.1 + Host: {{Hostname}} + attack: pitchfork payloads: user: @@ -31,18 +37,13 @@ http: pass: - geoserver - matchers-condition: and + host-redirects: true + max-redirects: 2 + cookie-reuse: true matchers: - type: dsl dsl: - - "contains(tolower(location), '/geoserver/web')" - - "!contains(tolower(location), 'error=true')" + - "contains(tolower(location_1), '/geoserver/web') && contains(body_2, 'admin')" + - "!contains(tolower(location_1), 'error=true')" + - 'status_code_1 == 302' condition: and - - - type: status - status: - - 302 - - - type: status - status: - - 200
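Review bot: `max-request: 1` is carried over unchanged in the re-indented `metadata:` block (hunk `@@ -10,10 +11,11 @@`), but a later hunk of this commit adds a second raw request, `GET /geoserver/web/`. The declared request count therefore no longer matches what the template sends, which matters to anyone budgeting scan traffic from the metadata. Change it to `max-request: 2`, unless project tooling regenerates that field automatically.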
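Review bot: `contains(body_2, 'admin')` in the rewritten matcher (hunk `@@ -31,18 +37,13 @@`) is a loose success signal. That substring could plausibly appear on the unauthenticated `/geoserver/web/` page as well, in which case only the `location_1` checks separate a valid login from a failed one and the second request adds no assurance. Split it into its own entry, since `condition: and` already joins them: `- "contains(tolower(location_1), '/geoserver/web')"` and `- "contains(body_2, '<LOGGED_IN_ONLY_MARKER>')"`, where the placeholder is text confirmed on a test instance to render only for an authenticated session. With `host-redirects: true` now set, whether `status_code_1 == 302` and `location_1` still describe the login response and not the followed redirect depends on how the engine exposes redirect chains, so a short comment above the matcher should state that assumption.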