summaryrefslogtreecommitdiffstats
path: root/nselib/data/http-devframework-fingerprints.lua
diff options
context:
space:
mode:
Diffstat (limited to 'nselib/data/http-devframework-fingerprints.lua')
-rw-r--r--nselib/data/http-devframework-fingerprints.lua440
1 files changed, 440 insertions, 0 deletions
diff --git a/nselib/data/http-devframework-fingerprints.lua b/nselib/data/http-devframework-fingerprints.lua
new file mode 100644
index 0000000..9effa7d
--- /dev/null
+++ b/nselib/data/http-devframework-fingerprints.lua
@@ -0,0 +1,440 @@
+local http = require "http"
+local string = require "string"
+local table = require "table"
+
+---
+-- http-devframework-fingerprints.lua
+-- This file contains fingerprint data for http-devframework.nse
+--
+-- STRUCTURE:
+-- * <code>name</code> - Descriptive name
+-- * <code>rapidDetect</code> - Callback function that is called in the beginning
+-- of detection process. It takes the host and port of the target website as
+-- arguments.
+-- * <code>consumingDetect</code> - Callback function that is called for each
+-- spidered page. It takes the body of the response (HTML source code) and the
+-- requested path as arguments.
+---
+
+
+tools = { Django = { rapidDetect = function(host, port)
+
+ -- Check if the site gives that familiar Django admin login page.
+ local response = http.get(host, port, "/admin/")
+
+ if response.body then
+ if string.find(response.body, "Log in | Django site admin") or
+ string.find(response.body, "this_is_the_login_form") or
+ string.find(response.body, "csrfmiddlewaretoken") then
+ return "Django detected. Found Django admin login page on /admin/"
+ end
+ end
+
+ -- In Django, the cookie sessionid is being set when you log in
+ -- and forms will probably set a cookie called csrftoken.
+ if response.cookies then
+ for _, c in pairs(response.cookies) do
+ if c.name == "csrftoken" then
+ return "Django detected. Found sessionid cookie which means the contrib.auth package for authentication is enabled."
+ elseif c.name == "sessionid" then
+ return "Django detected. Found csrftoken cookie."
+ end
+ end
+ end
+
+ -- See if DEBUG mode still happens to be true.
+ response = http.get(host, port, "/random404page/")
+
+ if response.body then
+ if string.find(response.body, "<code>DEBUG = True</code>") then
+ return "Django detected. Found Django error page on /random404page/"
+ end
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+ if page then
+ if string.find(page, "csrfmiddlewaretoken") then
+ return "Django detected. Found csrfmiddlewaretoken on " .. path
+ end
+ if string.find(page, "id=\"id_") then
+ return "Django detected. Found id_ preffix in id attribute name on " .. path
+ end
+ if string.find(page, "%-TOTAL%-FORMS") or string.find(page, "%-DELETE") then
+ return "Django detected. Found -TOTAL-FORMS and -DELETE hidden inputs, which means there is a Django formset on " .. path
+ end
+ end
+ end
+ },
+
+ RubyOnRails = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ -- Check for Mongrel or Passenger in the "Server" or "X-Powered-By" header
+ for h, v in pairs(response.header) do
+ if h == "x-powered-by" or h == "server" then
+ local vl = v:lower()
+ local m = vl:match("mongrel") or vl:match("passenger")
+ if m then
+ return "RoR detected. Found '" .. m .. "' in " .. h .. " header sent by the server."
+ end
+ end
+ end
+
+ -- /rails/info/propertires shows project info when in development mode
+ response = http.get(host, port, "/rails/info/properties")
+
+ if response.body then
+ if string.find(response.body, "Ruby version") then
+ return "RoR detected. Found properties file on /rails/info/properties/"
+ end
+ end
+
+ -- Make up a bad path and match the error page
+ response = http.get(host, port, "/random404page/")
+
+ if response.body then
+ if string.find(response.body, "Routing Error") then
+ return "RoR detected. Found RoR routing error page on /random404page/"
+ end
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+
+ -- Check the source and look for csrf patterns.
+ if page then
+ if string.find(page, "csrf%-param") or string.find(page, "csrf%-token") then
+ return "RoR detected. Found csrf field on" .. path
+ end
+ end
+
+ end
+ },
+
+
+ ASPdotNET = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ -- Look for an ASP.NET header.
+ for h, v in pairs(response.header) do
+ local vl = v:lower()
+ if h == "x-aspnet-version" or string.find(vl, "asp") then
+ return "ASP.NET detected. Found related header."
+ end
+ end
+
+ if response.cookies then
+ for _, c in pairs(response.cookies) do
+ if c.name == "aspnetsessionid" then
+ return "ASP.NET detected. Found aspnetsessionid cookie."
+ end
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ -- Check the source and look for common traces.
+ if page then
+ if string.find(page, " __VIEWSTATE") or
+ string.find(page, "__EVENT") or
+ string.find(page, "__doPostBack") or
+ string.find(page, "aspnetForm") or
+ string.find(page, "ctl00_") then
+ return "ASP.NET detected. Found common traces on" .. path
+ end
+ end
+ end
+ },
+
+ CodeIgniter = { rapidDetect = function(host, port)
+
+ -- Match default error page.
+ local response = http.get(host, port, "/random404page/")
+
+ if response.body then
+ if string.find(response.body, "#990000") and
+ string.find(response.body, "404 Page Not Found") then
+ return "CodeIgniter detected. Found CodeIgniter default error page on /random404page/"
+ end
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ CakePHP = { rapidDetect = function(host, port)
+
+
+ -- Find CAKEPHP header.
+ local response = http.get(host, port, "/")
+
+ for h, v in pairs(response.header) do
+ local vl = v:lower()
+ if string.find(vl, "cakephp") then
+ return "CakePHP detected. Found related header."
+ end
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ Symfony = { rapidDetect = function(host, port)
+
+ -- Find Symfony header.
+ local response = http.get(host, port, "/")
+
+ for h, v in pairs(response.header) do
+ local vl = v:lower()
+ if string.find(vl, "symfony") then
+ return "Symfony detected. Found related header."
+ end
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ Wordpress = { rapidDetect = function(host, port)
+
+ -- Check for common traces in the source code.
+ local response = http.get(host, port, "/")
+
+ if response.body then
+ if string.find(response.body, "content=[\"']WordPress") or
+ string.find(response.body, "wp%-content") then
+ return "Wordpress detected. Found common traces on /"
+ end
+ end
+
+ -- Check if the default login page exists.
+ response = http.get(host, port, "/wp%-login")
+
+ if response.status == "200" then
+ return "Wordpress detected. Found WP login page on /wp-login"
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ if page then
+ if string.find(page, "content=[\"']WordPress") or
+ string.find(page, "wp%-content") then
+ return "Wordpress detected. Found common traces on " .. page
+ end
+ end
+ end
+ },
+
+ Joomla = { rapidDetect = function(host, port)
+
+
+ -- Check for common traces in the source code.
+ local response = http.get(host, port, "/")
+
+ if response.body then
+ if string.find(response.body, "content=[\"']Joomla!") then
+ return "Joomla detected. Found common traces on /"
+ end
+ end
+
+ -- Check if the default login page exists.
+ response = http.get(host, port, "/administrator")
+
+ if response.body and string.find(response.body, "Joomla") then
+ return "Joomla detected. Found Joomla login page on /administrator/"
+ end
+
+ end,
+
+ consumingDetect = function(page, path)
+ if page and string.find(page, "content=[\"']Joomla!") then
+ return "Joomla detected. Found common traces on " .. page
+ end
+ end
+ },
+
+ Drupal = { rapidDetect = function(host, port)
+
+ -- Check for common traces in the source code.
+ local response = http.get(host, port, "/")
+
+ if response.body then
+ if string.find(response.body, "content=[\"']Drupal") then
+ return "Drupal detected. Found common traces on /"
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ if page and string.find(page, "content=[\"']Drupal") then
+ return "Drupal detected. Found common traces on " .. page
+ end
+ end
+ },
+
+ MediaWiki = { rapidDetect = function(host, port)
+
+ -- Check for common traces in the source code.
+ local response = http.get(host, port, "/")
+
+ if response.body then
+ if string.find(response.body, "content=[\"']MediaWiki") or
+ string.find(response.body, "/mediawiki/") then
+ return "MediaWiki detected. Found common traces on /"
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ if page and (string.find(page, "content=[\"']MediaWiki") or
+ string.find(page, "/mediawiki/")) then
+ return "MediaWiki detected. Found common traces on " .. page
+ end
+ end
+ },
+
+ ColdFusion = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ if response.cookies then
+ for _, c in pairs(response.cookies) do
+ if c.name == "cfid" or c.name == "cftoken" then
+ return "ColdFusion detected. Found " .. c.name .. " cookie."
+ end
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ Broadvision = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ if response.cookies then
+ for _, c in pairs(response.cookies) do
+ if string.find(c.name, "bv_") then
+ return "Broadvision detected. Found " .. c.name .. " cookie."
+ end
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ WebSphereCommerce = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ if response.cookies then
+ for _, c in pairs(response.cookies) do
+ if string.find(c.name, "wc_") then
+ return "WebSphere Commerce detected. Found " .. c.name .. " cookie."
+ end
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ SPIP = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ if response and response.status == 200 then
+ local header_composed_by = response.header['composed-by']
+ -- Check in Composed-by header for the version
+ if header_composed_by ~= nil then
+ local version = string.match(header_composed_by, ('SPIP (%d+%.%d+%.%d+)'))
+ if version ~= nil then
+ return "Version of the SPIP install is " .. version
+ end
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ Express = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+
+ if response and response.status == 200 then
+ local header_x_powered_by = response.header['x-powered-by']
+ -- Check for 'X-Powered-By' Header
+ if header_x_powered_by == "Express" then
+ return string.format("Express detected. Found Express in X-Powered-By Header")
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+ Jenkins = { rapidDetect = function(host, port)
+
+ local response = http.get(host, port, "/")
+ local jenkins = {}
+
+ if response and ( response.status == 200 or response.status == 403 ) then
+ local header_x_jenkins = response.header['x-jenkins']
+ -- Check for 'X-Jenkins' Header
+ if header_x_jenkins ~= nil then
+ table.insert(jenkins, "Jenkins detected. Found Jenkins version " .. header_x_jenkins)
+ if response.header['x-hudson'] ~= nil then
+ table.insert(jenkins, "X-Hudson : " .. response.header['x-hudson'])
+ end
+ if response.header['x-hudson-cli-port'] ~= nil then
+ table.insert(jenkins, "X-Hudson-CLI-Port : " .. response.header['x-hudson-cli-port'])
+ end
+ if response.header['x-jenkins-cli-port'] ~= nil then
+ table.insert(jenkins, "X-Jenkins-CLI-Port : " .. response.header['x-jenkins-cli-port'])
+ end
+ if response.header['x-jenkins-cli2-port'] ~= nil then
+ table.insert(jenkins, "X-Jenkins-CLI2-Port : " .. response.header['x-jenkins-cli2-port'])
+ end
+ if response.header['x-jenkins-session'] ~= nil then
+ table.insert(jenkins, "X-Jenkins-Session : " .. response.header['x-jenkins-session'])
+ end
+ return jenkins
+ end
+ end
+ end,
+
+ consumingDetect = function(page, path)
+ return
+ end
+ },
+
+}
+
+