local http = require "http"
local table = require "table"
local url = require "url"
---
-- http-default-accounts-fingerprints.lua
-- This file contains fingerprint data for http-default-accounts.nse
--
-- STRUCTURE:
-- * name
- Descriptive name
-- * category
- Category
-- * login_combos
---- * username
- Default username
---- * password
- Default password
-- * paths
- Paths table containing the possible location of the target
-- * target_check
- Validation function of the target (optional)
-- * login_check
- Login function of the target
--
-- TODO: Update the functionality of target_check
to differentiate
-- between valid HTTP/200 and a custom error page.
---
---
-- Requests given path using basic authentication.
-- @param host Host table
-- @param port Port table
-- @param path Path to request
-- @param user Username for Basic Auth
-- @param pass Password for Basic Auth
-- @param digest_auth Digest Authentication
-- @return True if login in was successful
---
local function try_http_basic_login(host, port, path, user, pass, digest_auth)
local credentials = {username = user, password = pass, digest = digest_auth}
local req = http.get(host, port, path, {no_cache=true, auth=credentials, redirect_ok = false})
if req.status and req.status ~= 401 and req.status ~= 403 then
return true
end
return false
end
---
-- Tries to login with a http post, if the FAIL string is not found
-- we assume login in was successful
-- @param host Host table
-- @param port Port table
-- @param target Target file
-- @param failstr String shown when login in fails
-- @param params Post parameters
-- @param follow_redirects True if you want redirects to be followed
-- @return True if login in was successful
---
local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects)
local req = http.post(host, port, url.absolute(path, target), {no_cache=true}, nil, params)
if not req.status then return false end
local status = tonumber(req.status) or 0
if follow_redirects and ( status > 300 and status < 400 ) then
req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false })
end
if req.status and req.status ~= 404 and not(http.response_contains(req, failstr)) then
return true
end
return false
end
---
-- Returns authentication realm advertised in an HTTP response
-- @param response HTTP response object, such as a result from http.get()
-- @return realm found in response header WWW-Authenticate
-- (or nil if not present)
---
local function http_auth_realm(response)
local auth = response.header["www-authenticate"] or ""
return auth:match('%srealm="([^"]*)')
end
fingerprints = {}
---
--WEB
---
table.insert(fingerprints, {
name = "Cacti",
category = "web",
paths = {
{path = "/cacti/"}
},
target_check = function (host, port, path, response)
-- true if the response is HTTP/200 and sets cookie "Cacti"
if response.status == 200 then
for _, ck in ipairs(response.cookies or {}) do
if ck.name:lower() == "cacti" then return true end
end
end
return false
end,
login_combos = {
{username = "admin", password = "admin"}
},
login_check = function (host, port, path, user, pass)
return try_http_post_login(host, port, path, "index.php", "Invalid User Name/Password", {action="login", login_username=user, login_password=pass}, false)
end
})
table.insert(fingerprints, {
name = "Xplico",
category = "web",
paths = {
{path = "/users/login"}
},
target_check = function (host, port, path, response)
-- true if the response is HTTP/200 and sets cookie "Xplico"
if response.status == 200 then
for _, ck in ipairs(response.cookies or {}) do
if ck.name:lower() == "xplico" then return true end
end
end
return false
end,
login_combos = {
{username = "admin", password = "xplico"},
{username = "xplico", password = "xplico"}
},
login_check = function (host, port, path, user, pass)
-- harvest all hidden fields from the login form
local req1 = http.get(host, port, path, {no_cache=true, redirect_ok = false})
if req1.status ~= 200 then return false end
local html = req1.body and req1.body:match('