def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
if domain:
resp = t.http_request(domain, port, headers={'Origin':'null'})
else:
resp = t.http_request(ip, port, headers={'Origin':'null'})
if resp is None:
return
if 'Access-Control-Allow-Origin' in resp.headers and resp.headers['Access-Control-Allow-Origin'] == 'null':
self.rule_details = 'Remote Server accepted a NULL origin. Header used: "Origin: null"'
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
payload = '%0d%0aset-cookie:foo=inserted_by_vulnscannerflask'
resp = t.http_request(ip,
port,
follow_redirects=False,
uri='/' + payload)
if resp is None:
return
if 'set-cookie' in resp.headers and 'inserted_by_vulnscannerflask' in resp.headers[
'set-cookie']:
self.rule_details = 'Identified CRLF Injection by inserting a Set-Cookie header'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri)
if resp:
for match in ('C=N;O=D', 'Index of /'):
if match in resp.text:
self.rule_details = 'Found Open Directory at {}'.format(uri)
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
break
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri + '/.git/HEAD')
if resp and resp.text.startswith('ref:'):
self.rule_details = 'Identified a git repository at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if not 'F5 BIG-IP' in product or not 'BigIP' in product:
return
resp = t.http_request(ip, port, uri='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd')
if resp is None:
return
if 'root:x:0:0' in resp.text:
self.rule_details = 'F5 BIGIP Vulnerability - CVE-2020-5902'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/xmlrpc.php')
if resp is None:
return
if resp.status_code == 405:
self.rule_details = 'Server Allows XMLRPC Connections'
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip,
port,
follow_redirects=False,
headers={'X-Forwarded-Host': 'www.nerve.local'})
if resp is None:
return
if 'Location' in resp.headers and resp.headers[
'Location'] == 'www.nerve.local':
self.rule_details = 'Server Redirected to an Arbitrary Location'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri + '/.git/HEAD')
if resp and resp.text.startswith('ref:'):
self.rule_details = 'Git Path: {}'.format(uri)
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/xmlrpc.php')
if resp is not None and resp.status_code == 405:
self.rule_details = 'Server responded to a GET request at /xmlrpc.php with status code: 405'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
p = ScanParser(port, values)
t = Triage()
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port)
for _, val in self.rule_match_string.items():
app_title = val['title']
for match in val['match']:
if resp and t.string_in_headers(resp, match):
self.rule_details = 'Exposed {} at {}'.format(
app_title, resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
break
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' not in module:
return
for uri, values in self.rule_match_string.items():
app_title = values['title']
resp = t.http_request(ip, port, uri=uri)
if resp is not None:
for match in values['match']:
if match in resp.text:
self.rule_details = 'Laravel Misconfiguration - {} at {}'.format(
app_title, resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, follow_redirects=False,
headers={'X-Forwarded-Host':'112000as0az7s62s9d7.com',
'Host': '112000as0az7s62s9d7.com'})
if resp:
if 'Location' in resp.headers and '112000as0az7s62s9d7.com' in resp.headers['Location']:
self.rule_details = 'Host header injection'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/')
if resp is None:
return
for app, val in self.rule_match_string.items():
app_title = val['title']
for match in val['match']:
if match in resp.text:
self.rule_details = 'Identified a default page: {} Indicator: "{}" ({})'.format(
resp.url, match, app_title)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
for uri in self.uris:
resp = t.http_request(ip, port, uri=uri + '/.idea/workspace.xml')
if resp:
for match in self.rule_match_string:
if match in resp.text:
self.rule_details = 'Found Intelli IDEA files at {}/.idea/workspace.xml'.format(
uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
for uri in self.rule_doc_roots:
resp = t.http_request(ip, port, uri=uri)
if resp is not None and resp.status_code == 401:
if 'WWW-Authenticate' in resp.headers:
header = resp.headers['WWW-Authenticate']
if header.startswith('Basic'):
self.rule_details = '{} at {}'.format(
self.rule_confirm, uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/_vti_inf.html')
if not resp:
return
if 'Content-Length' in resp.headers and resp.headers['Content-Length'] == '247':
self.rule_details = 'Exposed FrontPage at {}'.format(resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port)
if resp is None:
return
powered_by_headers = ['X-Powered-By', 'X-AspNet-Version']
for poweredby_header in powered_by_headers:
result = t.string_in_headers(resp, poweredby_header)
if result:
self.rule_details = 'Server is set with "{}" Headers'.format(poweredby_header)
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/.svn/text-base')
if resp and 'Index of /' in resp.text:
self.rule_details = 'SVN Repository exposed at {}'.format(resp.url)
rds.store_vuln({
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_confirm':self.rule_confirm,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' in module:
for uri, values in self.rule_match_string.items():
app_name = values['app']
app_title = values['title']
resp = t.http_request(ip, port, uri=uri)
if resp is not None:
for match in values['match']:
if match in resp.text:
self.rule_details = 'Exposed {} at {}'.format(
app_title, uri)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
break
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if port != 10043:
return
resp = t.http_request(
ip,
port,
uri=
'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
)
if resp is None:
return
if 'var fgt_lang =' in resp.text:
self.rule_details = 'Fortinet SSL VPN CVE-2018-13379 Vulnerability at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
p = ScanParser(port, values)
t = Triage()
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port)
for app, val in self.rule_match_string.items():
app_name = val['app']
app_title = val['title']
for match in val['match']:
if resp and t.string_in_headers(resp, match):
self.rule_details = '{} - ({})'.format(app, app_title)
js_data = {
'ip':ip,
'port':port,
'domain':domain,
'rule_id':self.rule,
'rule_sev':self.rule_severity,
'rule_desc':self.rule_description,
'rule_details':self.rule_details,
'rule_mitigation':self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
if not domain:
return
resp = t.http_request(domain, port)
if resp is None:
return
if resp.status_code == 404 and 'NoSuchBucket' in resp.text:
self.rule_details = 'S3 Takeover at {}'.format(domain)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = t.http_request(ip, port, uri='/wp-content/uploads/')
if resp and 'Index of /wp-content/uploads' in resp.text:
self.rule_details = 'Found Uploads Directory at {}'.format(
resp.url)
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if module == 'http' or port in http_ports:
resp = t.http_request(ip, port, follow_redirects=False)
if resp:
form = self.contains_password_form(resp.text)
if form:
if not resp.url.startswith('https://'):
self.rule_details = 'Login Page over HTTP'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if 'http' in module:
resp = t.http_request(ip,
port,
uri='/server.js',
follow_redirects=False)
if resp is None:
return
for i in self.rule_match_string:
if i in resp.text:
self.rule_details = 'Identified a NodeJS Leakage Indicator: {}'.format(
i)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = t.http_request(ip, port)
if resp is None:
return
server_header = resp.headers.get('Server', None)
if not server_header or 'nginx' not in server_header.lower():
return
content_length = resp.headers.get('Content-Length', 0)
bytes_length = int(content_length) + 623
content_length = "bytes=-%d,-9223372036854%d" % (bytes_length,
776000 - bytes_length)
resp = t.http_request(ip, port, headers={'Range': content_length})
if resp is None:
return
if resp.status_code == 206 and 'Content-Range' in resp.text:
self.rule_details = 'Nginx Integer Overflow'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = None
random_origin = self.randomize_origin()
if domain:
resp = t.http_request(domain,
port,
headers={'Origin': random_origin})
else:
resp = t.http_request(ip, port, headers={'Origin': random_origin})
if resp is None:
return
if 'Access-Control-Allow-Origin' in resp.headers and resp.headers[
'Access-Control-Allow-Origin'] == random_origin:
self.rule_details = 'Header used: "Origin: {}"'.format(
random_origin)
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
def check_rule(self, ip, port, values, conf):
t = Triage()
c = ConfParser(conf)
p = ScanParser(port, values)
module = p.get_module()
domain = p.get_domain()
if not c.get_cfg_allow_bf():
return
if 'http' not in module:
return
usernames = c.get_cfg_usernames() + known_users
passwords = c.get_cfg_passwords() + known_weak
for uri in self.rule_doc_roots:
resp = t.http_request(ip, port, uri=uri)
if resp is not None and resp.status_code == 401:
if 'WWW-Authenticate' in resp.headers and resp.headers[
'WWW-Authenticate'].startswith('Basic'):
for username in usernames:
for password in passwords:
auth_attempt = requests.get(resp.url,
auth=HTTPBasicAuth(
username,
password))
if auth_attempt is not None and auth_attempt.status_code == 200:
self.rule_details = 'Basic Authentication Credentials are set to {}:{} at {}'.format(
username, password, uri)
rds.store_vuln({
'ip':
ip,
'port':
port,
'domain':
domain,
'rule_id':
self.rule,
'rule_sev':
self.rule_severity,
'rule_desc':
self.rule_description,
'rule_confirm':
self.rule_confirm,
'rule_details':
self.rule_details,
'rule_mitigation':
self.rule_mitigation
})
return
def check_rule(self, ip, port, values, conf):
c = ConfParser(conf)
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
product = p.get_product()
if 'http' not in module:
return
resp = None
if domain:
resp = t.http_request(domain, port)
else:
resp = t.http_request(ip, port)
if resp is None:
return
for header, value in resp.headers.items():
if header.lower(
) == 'access-control-allow-origin' and value == '*':
self.rule_details = 'Access-Control-Allow-Origin is set to: *'
js_data = {
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
}
rds.store_vuln(js_data)
return
return
def check_rule(self, ip, port, values, conf):
t = Triage()
p = ScanParser(port, values)
domain = p.get_domain()
module = p.get_module()
if 'http' not in module:
return
resp = None
if domain:
resp = t.http_request(domain, port)
else:
resp = t.http_request(ip, port)
if resp is None:
return
for header, value in resp.headers.items():
if header.lower(
) == 'access-control-allow-origin' and value == '*':
self.rule_details = 'Server responded with an HTTP Response Header of Access-Control-Allow-Origin: *'
rds.store_vuln({
'ip': ip,
'port': port,
'domain': domain,
'rule_id': self.rule,
'rule_sev': self.rule_severity,
'rule_desc': self.rule_description,
'rule_confirm': self.rule_confirm,
'rule_details': self.rule_details,
'rule_mitigation': self.rule_mitigation
})
return
return
