
ghost takeover detection

By kannthu

High
Vidoc Module
#takeover #ghost
Description

Ghost Takeover Detection

What is the "Ghost Takeover Detection" module?

The "Ghost Takeover Detection" module is designed to detect potential takeover vulnerabilities in the Ghost software. Ghost is a popular content management system (CMS) used for creating and managing websites and blogs. This module focuses on identifying misconfigurations or vulnerabilities that could allow unauthorized individuals to take control of a Ghost instance.

This module has a severity level of high, indicating that the identified vulnerabilities could have a significant impact on the security and functionality of the affected Ghost installations.

The original author of this module is pdteam.

Impact

If a Ghost takeover vulnerability is present and exploited, an attacker could gain unauthorized access to the affected Ghost instance. This could lead to various malicious activities, such as modifying or deleting content, injecting malicious code, or compromising user data. It is crucial to address any identified vulnerabilities promptly to prevent potential security breaches.

How does the module work?

The "Ghost Takeover Detection" module utilizes HTTP request templates and matching conditions to identify potential takeover vulnerabilities in Ghost instances. It performs a series of checks to determine if the target Ghost installation exhibits any signs of misconfiguration or vulnerability.

One of the matching conditions used by this module compares the target's Host value with the target's actual (resolved) IP address. If the two do not match, it suggests a potential misconfiguration.

Additionally, the module checks for the presence of the specific header "offline.ghost.org" in the HTTP request. If this header is found, it indicates a potential vulnerability.

Furthermore, the module verifies if the HTTP response status code is 302 (Found). If this condition is met, it suggests a potential vulnerability.

By combining these matching conditions, the module can identify instances of Ghost that may be susceptible to takeover attacks.

Example HTTP Request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3

Matching Conditions:

- Host IP address must not match the actual IP address of the target.
- The HTTP request must contain the header "offline.ghost.org".
- The HTTP response status code must be 302 (Found).

By analyzing these conditions, the module can determine if a Ghost instance is potentially vulnerable to takeover attacks.
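The three matchers above are combined with AND before the module reports a finding. The following is an added example, not code from Vidoc or from the module's author: a small Python evaluator that parses a raw HTTP response and applies the same three conditions (Host != ip, the word "offline.ghost.org", status 302) to two constructed sample responses, so a defender can see exactly which condition does or does not fire. The sample responses, the hostname blog.example.com and the IP 203.0.113.10 are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample responses (not captured from any real host).
GHOST_UNCLAIMED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://offline.ghost.org/\r\n"
    b"\r\n"
    b"<html><body>This domain is not claimed: offline.ghost.org</body></html>"
)
HEALTHY_BLOG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Welcome to the blog</body></html>"
)

@dataclass
class Condition:
    name: str       # the matcher line as it appears in the module preview
    matched: bool

def parse_http_response(raw: bytes) -> Tuple[int, dict, str]:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")

def evaluate_ghost_takeover(target_host: str, resolved_ip: str,
                            raw_response: bytes) -> Tuple[bool, List[Condition]]:
    """Apply the module's three AND-ed matchers to one response."""
    status, headers, body = parse_http_response(raw_response)
    # Assumption: the word matcher is evaluated over headers and body together.
    haystack = body + "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    conditions = [
        Condition("dsl: Host != ip", target_host != resolved_ip),
        Condition("word: offline.ghost.org", "offline.ghost.org" in haystack),
        Condition("status: 302", status == 302),
    ]
    return all(c.matched for c in conditions), conditions
```

Calling evaluate_ghost_takeover("blog.example.com", "203.0.113.10", GHOST_UNCLAIMED_RESPONSE) returns True with all three conditions matched, while the healthy response fails on the word and status conditions and is not reported.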

Module preview

Concurrent Requests (0)
Passive global matcher
dsl: Host != ip
and
word: offline.ghost.org
and
status: 302
On match action
Report vulnerability