local http = require "http"
local table = require "table"
local url = require "url"
---
-- http-tools-fingerprints.lua
-- This file contains fingerprint data for http-devframework.nse
--
-- STRUCTURE:
-- * name - Descriptive name
-- * rapidDetect - Callback function that is called in the beginning
-- of detection process. It takes the host and port of the target website as
-- arguments.
-- * consumingDetect - Callback function that is called for each
-- spidered page. It takes the body of the response (HTML source code) and the
-- requested path as arguments.
---
tools = { Django = { rapidDetect = function(host, port)
-- Check if the site gives that familiar Django admin login page.
response = http.get(host, port, "/admin/")
if response.body then
if string.find(response.body, "Log in | Django site admin") or
string.find(response.body, "this_is_the_login_form") or
string.find(response.body, "csrfmiddlewaretoken") then
return "Django detected. Found Django admin login page on /admin/"
end
end
-- In Django, the cookie sessionid is being set when you log in
-- and forms will probably set a cookie called csrftoken.
for _, c in pairs(response.cookies) do
if c.name == "csrftoken" then
return "Django detected. Found sessionid cookie which means the contrib.auth package for authentication is enabled."
elseif c.name == "sessionid" then
return "Django detected. Found csrftoken cookie."
end
end
-- See if DEBUG mode still happens to be true.
response = http.get(host, port, "/random404page/")
if response.body then
if string.find(response.body, "DEBUG = True") then
return "Django detected. Found Django error page on /random404page/"
end
end
end,
consumingDetect = function(page, path)
if page then
if string.find(page, "csrfmiddlewaretoken") then
return "Django detected. Found csrfmiddlewaretoken on " .. path
end
if string.find(page, "id=\"id_") then
return "Django detected. Found id_ preffix in id attribute name on " .. path
end
if string.find(page, "%-TOTAL%-FORMS") or string.find(page, "%-DELETE") then
return "Django detected. Found -TOTAL-FORMS and -DELETE hidden inputs, which means there is a Django formset on " .. path
end
end
end
},
RubyOnRails = { rapidDetect = function(host, port)
response = http.get(host, port, "/")
-- Check for Mongrel or Passenger in the "Server" or "X-Powered-By" header
for _, h in ipairs(response.rawheader) do
if (string.find(h, "X%-Powered%-By") or
string.find(h, "Server")) and
(string.find(h, "[Mm][Oo][Nn][Gg][Rr][Ee][Ll]") or
string.find(h, "[Pp][Aa][Ss][Ss][Ee][Nn][Gg][Ee][Rr]")) then
return "RoR detected. Found 'Passenger' or 'Mongrel' in the headers sent by the server."
end
end
-- /rails/info/propertires shows project info when in development mode
response = http.get(host, port, "/rails/info/properties")
if response.body then
if string.find(response.body, "Ruby version") then
return "RoR detected. Found properties file on /rails/info/properties/"
end
end
-- Make up a bad path and match the error page
response = http.get(host, port, "/random404page/")
if response.body then
if string.find(response.body, "Routing Error") then
return "RoR detected. Found RoR routing error page on /random404page/"
end
end
end,
consumingDetect = function(page, path)
-- Check the source and look for csrf patterns.
if page then
if string.find(page, "csrf%-param") or string.find(page, "csrf%-token") then
return "RoR detected. Found csrf field on" .. path
end
end
end
},
ASPdotNET = { rapidDetect = function(host, port)
response = http.get(host, port, "/")
-- Look for an ASP.NET header.
for _, h in ipairs(response.rawheader) do
if (string.find(h, "X%-AspNet%-Version") or
string.find(h, "ASP%.NET")) then
return "ASP.NET detected. Found related header."
end
end
for _, c in pairs(response.cookies) do
if c.name == "aspnetsessionid" then
return "ASP.NET detected. Found aspnetsessionid cookie."
end
end
end,
consumingDetect = function(page, path)
-- Check the source and look for common traces.
if page then
if string.find(page, " __VIEWSTATE") or
string.find(page, "__EVENT") or
string.find(page, "__doPostBack") or
string.find(page, "aspnetForm") or
string.find(page, "ctl00_") then
return "ASP.NET detected. Found common traces on" .. path
end
end
end
},
CodeIgniter = { rapidDetect = function(host, port)
-- Match default error page.
response = http.get(host, port, "/random404page/")
if string.find(response.body, "#990000") and
string.find(response.body, "404 Page Not Found") then
return "CodeIgniter detected. Found CodeIgniter default error page on /random404page/"
end
end,
consumingDetect = function(page, path)
return
end
},
CakePHP = { rapidDetect = function(host, port)
-- Find CAKEPHP header.
response = http.get(host, port, "/")
for _, h in ipairs(response.rawheader) do
if string.find(h, "CAKEPHP") then
return "CakePHP detected. Found related headers."
end
end
end,
consumingDetect = function(page, path)
return
end
},
Symfony = { rapidDetect = function(host, port)
-- Find Symfony header.
response = http.get(host, port, "/")
for _, h in ipairs(response.rawheader) do
if string.find(h, "symfony") then
return "Symfony detected. Found related headers."
end
end
end,
consumingDetect = function(page, path)
return
end
},
Wordpress = { rapidDetect = function(host, port)
-- Check for common traces in the source code.
response = http.get(host, port, "/")
if response.body then
if string.find(response.body, "content=[\"']WordPress") or
string.find(response.body, "wp%-content") then
return "Wordpress detected. Found common traces on /"
end
end
-- Check if the default login page exists.
response = http.get(host, port, "/wp%-login")
if response.status == "200" then
return "Wordpress detected. Found WP login page on /wp-login"
end
end,
consumingDetect = function(page, path)
if page then
if string.find(page, "content=[\"']WordPress") or
string.find(page, "wp-content") then
return "Wordpress detected. Found common traces on " .. page
end
end
end
},
Joomla = { rapidDetect = function(host, port)
-- Check for common traces in the source code.
response = http.get(host, port, "/")
if response.body then
if string.find(response.body, "content=[\"']Joomla!") then
return "Joomla detected. Found common traces on /"
end
end
-- Check if the default login page exists.
response = http.get(host, port, "/administrator")
if response.body and string.find(response.body, "Joomla") then
return "Joomla detected. Found Joomla login page on /administrator/"
end
end,
consumingDetect = function(page, path)
if page and string.find(page, "content=[\"']Joomla!") then
return "Joomla detected. Found common traces on " .. page
end
end
},
Drupal = { rapidDetect = function(host, port)
-- Check for common traces in the source code.
response = http.get(host, port, "/")
if response.body then
if string.find(response.body, "content=[\"']Drupal") then
return "Drupal detected. Found common traces on /"
end
end
end,
consumingDetect = function(page, path)
if page and string.find(page, "content=[\"']Drupal") then
return "Drupal detected. Found common traces on " .. page
end
end
},
MediaWiki = { rapidDetect = function(host, port)
-- Check for common traces in the source code.
response = http.get(host, port, "/")
if response.body then
if string.find(response.body, "content=[\"']MediaWiki") or
string.find(response.body, "/mediawiki/") then
return "MediaWiki detected. Found common traces on /"
end
end
end,
consumingDetect = function(page, path)
if page and string.find(page, "content=[\"']MediaWiki") or
string.find(page, "/mediawiki/") then
return "MediaWiki detected. Found common traces on " .. page
end
end
},
ColdFusion = { rapidDetect = function(host, port)
response = http.get(host, port, "/")
for _, c in pairs(response.cookies) do
if c.name == "cfid" or c.name == "cftoken" then
return "ColdFusion detected. Found " .. c.name .. " cookie."
end
end
end,
consumingDetect = function(page, path)
return
end
},
Broadvision = { rapidDetect = function(host, port)
response = http.get(host, port, "/")
for _, c in pairs(response.cookies) do
if string.find(c.name, "bv_") then
return "Broadvision detected. Found " .. c.name .. " cookie."
end
end
end,
consumingDetect = function(page, path)
return
end
},
WebSphereCommerce = { rapidDetect = function(host, port)
response = http.get(host, port, "/")
for _, c in pairs(response.cookies) do
if string.find(c.name, "wc_") then
return "WebSphere Commerce detected. Found " .. c.name .. " cookie."
end
end
end,
consumingDetect = function(page, path)
return
end
},
}