
[NSE] Xplico addition to http-default-accounts-fingerprints


From: nnposter () users sourceforge net
Date: Mon, 24 Mar 2014 19:06:25 +0000

The following patch adds a fingerprint for Xplico(*) web UI to
http-default-accounts-fingerprints.lua. Tested with versions 0.7 and
1.0.1.

I am also including a patch for the Cacti fingerprint. I posted it once before(**), but for some reason it has not been committed.


* http://www.xplico.org/
** http://seclists.org/nmap-dev/2013/q3/415


Cheers,
nnposter



Patch against revision 32784 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig     2014-03-24 12:03:48.100601400 -0600
+++ nselib/data/http-default-accounts-fingerprints.lua  2014-03-11 21:45:51.853623100 -0600
@@ -87,7 +87,13 @@
     {path = "/cacti/"}
   },
   target_check = function (host, port, path, response)
-    return response.status == 200
+    -- true if the response is HTTP/200 and sets cookie "Cacti"
+    if response.status == 200 then
+      for _, ck in ipairs(response.cookies or {}) do
+        if ck.name:lower() == "cacti" then return true end
+      end
+    end
+    return false
   end,
   login_combos = {
     {username = "admin", password = "admin"}
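Review bot: The cookie-scan loop added to Cacti's target_check (lines 37-39) is duplicated verbatim in the Xplico target_check of the next hunk, differing only in the cookie name being compared. If the fingerprint file has a place for shared local helpers, a small `local function sets_cookie(response, name)` returning `true`/`false` would let both checks become `return response.status == 200 and sets_cookie(response, "cacti")`, keeping the two in step when the matching rule changes. Whether such a helpers section exists outside this hunk is not visible here, so this is a suggestion rather than a requirement.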
@@ -98,6 +104,45 @@
 })
 
 table.insert(fingerprints, {
+  name = "Xplico",
+  category = "web",
+  paths = {
+    {path = "/users/login"}
+  },
+  target_check = function (host, port, path, response)
+    -- true if the response is HTTP/200 and sets cookie "Xplico"
+    if response.status == 200 then
+      for _, ck in ipairs(response.cookies or {}) do
+        if ck.name:lower() == "xplico" then return true end
+      end
+    end
+    return false
+  end,
+  login_combos = {
+    {username = "admin", password = "xplico"},
+    {username = "xplico", password = "xplico"}
+  },
+  login_check = function (host, port, path, user, pass)
+    -- harvest all hidden fields from the login form
+    local req1 = http.get(host, port, path, {no_cache=true, redirect_ok = false})
+    if req1.status ~= 200 then return false end
+    local html = req1.body and req1.body:match('<form%s+action%s*=%s*"/users/login".->(.-)</form>')
+    if not html then return false end
+    local form = {}
+    for n, v in html:gmatch('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"(.-)"%s+value%s*=%s*"(.-)"') do
+      form[n] = v
+    end
+    -- add username and password to the form and submit it
+    form["data[User][username]"] = user
+    form["data[User][password]"] = pass
+    local req2 = http.post(host, port, path, {no_cache=true, cookies=req1.cookies}, nil, form)
+    if req2.status ~= 302 then return false end
+    local loc = req2.header["location"]
+    return loc and (loc:match("/admins$") or loc:match("/pols/index$"))
+  end
+})
+
+table.insert(fingerprints, {
   name = "Apache Tomcat",
   category = "web",
   paths = {
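Review bot: login_check's final `return loc and (loc:match("/admins$") or loc:match("/pols/index$"))` yields a string on success, `nil` when the 302 carries no Location header, and `false` on the earlier exits, whereas target_check in the same table returns a plain boolean; `return loc ~= nil and (loc:match("/admins$") ~= nil or loc:match("/pols/index$") ~= nil)` makes the result uniformly boolean. The hidden-field pattern on line 74 also requires the `type`, `name`, `value` attributes in exactly that order with double quotes, so a form that reorders or single-quotes them silently drops the field and the check reports no default credentials; a comment such as `-- assumes hidden inputs are written as type/name/value in that order (true for 0.7 and 1.0.1)` would record the assumption the tested versions rely on.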

