def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if not 'F5 BIG-IP' in product or not 'BigIP' in product:
return
resp = t.http_request(ip, port, uri='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd')
if resp is None:
return
if 'root:x:0:0' in resp.text:
self.rule_details = 'F5 BIGIP Vulnerability - CVE-2020-5902'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' in module:
for uri, values in self.rule_match_string.items():
app_name = values['app']
app_title = values['title']
resp = t.http_request(ip, port, uri=uri)
if resp is not None:
for match in values['match']:
if match in resp.text:
self.rule_details = 'Exposed {} at {}'.format(
app_title, uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
break
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/.svn/text-base')
if resp and 'Index of /' in resp.text:
self.rule_details = 'SVN Repository exposed at {}'.format(resp.url)
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if port in ssh_ports and t.is_ssh(ip, port):
output = t.run_cmd('ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'.format(ip, port))
if output and 'password' in str(output):
self.rule_details = p.get_product()
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
p = ScanParser(port, values)
t = Triage()
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port)
for app, val in self.rule_match_string.items():
app_name = val['app']
app_title = val['title']
for match in val['match']:
if resp and t.string_in_headers(resp, match):
self.rule_details = '{} - ({})'.format(app, app_title)
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
if domain:
resp = t.http_request(domain, port, headers={'Origin':'null'})
else:
resp = t.http_request(ip, port, headers={'Origin':'null'})
if resp is None:
return
if 'Access-Control-Allow-Origin' in resp.headers and resp.headers['Access-Control-Allow-Origin'] == 'null':
self.rule_details = 'Remote Server accepted a NULL origin. Header used: "Origin: null"'
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if port in ssh_ports and 'ssh' in module.lower():
output = t.run_cmd(
'ssh -o PreferredAuthentications=none -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o NoHostAuthenticationForLocalhost=yes user@"{}" -p "{}"'
.format(ip, port))
if output and 'password' in str(output):
self.rule_details = 'Server accepts passwords as an authentication option'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
payload = '%0d%0aset-cookie:foo=inserted_by_vulnscannerflask'
resp = t.http_request(ip,
port,
follow_redirects=False,
uri='/' + payload)
if resp is None:
return
if 'set-cookie' in resp.headers and 'inserted_by_vulnscannerflask' in resp.headers[
'set-cookie']:
self.rule_details = 'Identified CRLF Injection by inserting a Set-Cookie header'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/xmlrpc.php')
if resp is not None and resp.status_code == 405:
self.rule_details = 'Server responded to a GET request at /xmlrpc.php with status code: 405'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri)
if resp:
for match in ('C=N;O=D', 'Index of /'):
if match in resp.text:
self.rule_details = 'Found Open Directory at {}'.format(uri)
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
break
return
def check_rule(self, ip, port, values, conf):
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if port != 6379 or module == 'redis':
return
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.sendall(b'INFO\n')
data = s.recv(1024)
if data and 'redis_version' in str(data):
self.rule_details = 'Redis is open and exposes the following: ..snip.. {} ..snip..'.format(
str(data)[0:100])
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
except:
pass
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if port in ftp_ports:
self.rule_details = 'Open Port: {} ({})'.format(
port, ftp_ports[port])
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri + '/.git/HEAD')
if resp and resp.text.startswith('ref:'):
self.rule_details = 'Identified a git repository at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
h = Helper()
p = ScanParser(port, values)
domain = p.get_domain()
known = False
for ports in known_ports:
if port in ports:
known = True
if not known:
self.rule_details = 'Server is listening on remote port: {} ({})'.format(
port, h.portTranslate(port))
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
cpe = p.get_cpe()
if not cpe:
return
if not c.get_cfg_allow_inet():
return
if 'http' not in module:
return
if t.has_cves(cpe):
self.rule_details = 'List of Vulnerabilities for this version: https://nvd.nist.gov/vuln/search/results?cpe_version={}'.format(
cpe)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if module == 'http' or port in http_ports:
resp = t.http_request(ip, port, follow_redirects=False)
if resp:
form = self.contains_password_form(resp.text)
if form:
if not resp.url.startswith('https://'):
self.rule_details = 'Login Page over HTTP'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' in module:
resp = t.http_request(ip,
port,
uri='/server.js',
follow_redirects=False)
if resp is None:
return
for i in self.rule_match_string:
if i in resp.text:
self.rule_details = 'Identified a NodeJS Leakage Indicator: {}'.format(
i)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
for uri in self.rule_doc_roots:
resp = t.http_request(ip, port, uri=uri)
if resp is not None and resp.status_code == 401:
if 'WWW-Authenticate' in resp.headers:
header = resp.headers['WWW-Authenticate']
if header.startswith('Basic'):
self.rule_details = '{} at {}'.format(
self.rule_confirm, uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/_vti_inf.html')
if not resp:
return
if 'Content-Length' in resp.headers and resp.headers['Content-Length'] == '247':
self.rule_details = 'Exposed FrontPage at {}'.format(resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/')
if resp is None:
return
for app, val in self.rule_match_string.items():
app_title = val['title']
for match in val['match']:
if match in resp.text:
self.rule_details = 'Identified a default page: {} Indicator: "{}" ({})'.format(
resp.url, match, app_title)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/wp-content/uploads/')
if resp and 'Index of /wp-content/uploads' in resp.text:
self.rule_details = 'Found Uploads Directory at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
p = ScanParser(port, values)
t = Triage()
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port)
for _, val in self.rule_match_string.items():
app_title = val['title']
for match in val['match']:
if resp and t.string_in_headers(resp, match):
self.rule_details = 'Exposed {} at {}'.format(
app_title, resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
break
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if not c.get_cfg_allow_bf():
return
if port != 21 or 'ftp' not in module:
return
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
for username in usernames:
for password in passwords:
if self.ftp_attack(ip, username, password):
self.rule_details = 'FTP Server Credentials are set to: {}:{}'.format(username, password)
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri + '/.idea/workspace.xml')
if resp:
for match in self.rule_match_string:
if match in resp.text:
self.rule_details = 'Found Intelli IDEA files at {}/.idea/workspace.xml'.format(
uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if not domain:
return
resp = t.http_request(domain, port)
if resp is None:
return
if resp.status_code == 404 and 'NoSuchBucket' in resp.text:
self.rule_details = 'S3 Takeover at {}'.format(domain)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
h = Helper()
p = ScanParser(port, values)
domain = p.get_domain()
known = False
for ports in known_ports:
if port in ports:
known = True
if not known:
self.rule_details = 'Open Port: {} ({})'.format(
port, h.portTranslate(port))
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if port != 10043:
return
resp = t.http_request(
ip,
port,
uri=
'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
)
if resp is None:
return
if 'var fgt_lang =' in resp.text:
self.rule_details = 'Fortinet SSL VPN CVE-2018-13379 Vulnerability at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
p = ScanParser(port, values)
domain = p.get_domain()
if port in self.rule_match_port:
try:
ftp = FTP(ip)
res = ftp.login()
if res:
if '230' in res or 'user logged in' in res or 'successful' in res:
self.rule_details = 'FTP with Anonymous Access Enabled'
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
except:
pass
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' not in module:
return
for uri, values in self.rule_match_string.items():
app_title = values['title']
resp = t.http_request(ip, port, uri=uri)
if resp is not None:
for match in values['match']:
if match in resp.text:
self.rule_details = 'Laravel Misconfiguration - {} at {}'.format(
app_title, resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/xmlrpc.php')
if resp is None:
return
if resp.status_code == 405:
self.rule_details = 'Server Allows XMLRPC Connections'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
