Re: [NSE] Xplico addition to http-default-accounts-fingerprints

[Paulino Calderon <paulino () calderonpale com>]

Hey,
Sorry for the late response. I’ve tested your patch and the new signature. Commited in r32991.

Cheers.

On Mar 24, 2014, at 1:06 PM, nnposter () users sourceforge net wrote:

> The following patch adds a fingerprint for Xplico(*) web UI to
> http-default-accounts-fingerprints.lua. Tested with versions 0.7 and
> 1.0.1.
>
> I am also including a patch for Cacti fingerprint. I have already
> posted it once(**) but for some reason it has not been committed.
>
>
> * http://www.xplico.org/
> ** http://seclists.org/nmap-dev/2013/q3/415
>
>
> Cheers,
> nnposter
>
>
>
> Patch against revision 32784 follows:
>
> --- nselib/data/http-default-accounts-fingerprints.lua.orig   2014-03-24 12:03:48.100601400 -0600
> +++ nselib/data/http-default-accounts-fingerprints.lua        2014-03-11 21:45:51.853623100 -0600
> @@ -87,7 +87,13 @@
>     {path = "/cacti/"}
>   },
>   target_check = function (host, port, path, response)
> -    return response.status == 200
> +    -- true if the response is HTTP/200 and sets cookie "Cacti"
> +    if response.status == 200 then
> +      for _, ck in ipairs(response.cookies or {}) do
> +        if ck.name:lower() == "cacti" then return true end
> +      end
> +    end
> +    return false
>   end,
>   login_combos = {
>     {username = "admin", password = "admin"}
> @@ -98,6 +104,45 @@
> })
>
> table.insert(fingerprints, {
> +  name = "Xplico",
> +  category = "web",
> +  paths = {
> +    {path = "/users/login"}
> +  },
> +  target_check = function (host, port, path, response)
> +    -- true if the response is HTTP/200 and sets cookie "Xplico"
> +    if response.status == 200 then
> +      for _, ck in ipairs(response.cookies or {}) do
> +        if ck.name:lower() == "xplico" then return true end
> +      end
> +    end
> +    return false
> +  end,
> +  login_combos = {
> +    {username = "admin", password = "xplico"},
> +    {username = "xplico", password = "xplico"}
> +  },
> +  login_check = function (host, port, path, user, pass)
> +    -- harvest all hidden fields from the login form
> +    local req1 = http.get(host, port, path, {no_cache=true, redirect_ok = false})
> +    if req1.status ~= 200 then return false end
> +    local html = req1.body and req1.body:match('<form%s+action%s*=%s*"/users/login".->(.-)</form>')
> +    if not html then return false end
> +    local form = {}
> +    for n, v in html:gmatch('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"(.-)"%s+value%s*=%s*"(.-)"') do
> +      form[n] = v
> +    end
> +    -- add username and password to the form and submit it
> +    form["data[User][username]"] = user
> +    form["data[User][password]"] = pass
> +    local req2 = http.post(host, port, path, {no_cache=true, cookies=req1.cookies}, nil, form)
> +    if req2.status ~= 302 then return false end
> +    local loc = req2.header["location"]
> +    return loc and (loc:match("/admins$") or loc:match("/pols/index$"))
> +  end
> +})
> +
> +table.insert(fingerprints, {
>   name = "Apache Tomcat",
>   category = "web",
>   paths = {
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/