From 965aaf89ff1b6dfd60cbbbeea35314fe0ebd2d30 Mon Sep 17 00:00:00 2001 From: Muhammad Abdullah Date: Mon, 12 Jun 2023 15:12:48 +0500 Subject: [PATCH 1/2] Add Netman Default Login Add a template for default login on Riello UPS NetMan 204. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems. --- contributors.json | 10 ++++ .../Riello/netman204-default-login.yaml | 46 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 http/default-logins/Riello/netman204-default-login.yaml diff --git a/contributors.json b/contributors.json index abd26306fc..d63b99eb8c 100644 --- a/contributors.json +++ b/contributors.json @@ -1378,6 +1378,16 @@ "website": "https://the-empire.systems", "email": "" } + }, + { + "author": "mabdullah22", + "links": { + "github": "https://www.github.com/maabdullah22", + "twitter": "https://twitter.com/0x416264", + "linkedin": "", + "website": "", + "email": "" + } } ] diff --git a/http/default-logins/Riello/netman204-default-login.yaml b/http/default-logins/Riello/netman204-default-login.yaml new file mode 100644 index 0000000000..f573862ef0 --- /dev/null +++ b/http/default-logins/Riello/netman204-default-login.yaml 
@@ -0,0 +1,46 @@
+id: Netman204-default-login
+
+info:
+ name: Riello UPS NetMan 204 Network Card - Default Login
+ author: mabdullah22
+ severity: high
+ description: Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems.
+ reference:
+ - https://www.riello-ups.com/
+ metadata:
+ verified: true
+ shodan-query: title:"Netman"
+ censys-query: services.http.response.body:"Netman204"
+ tags: default-login,Netman-204-login
+
+requests:
+ - raw:
+ - |
+ GET /cgi-bin/login.cgi?username={{username}}&password={{password}} HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
+ X-Requested-With: XMLHttpRequest
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-US,en;q=0.9
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - '"response": "ok",'
+ - '"message": "Welcome."'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
From 954388c2c45d34abe044c9f64c313ac6d7ca4f0d Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 12 Jun 2023 16:42:33 +0530
Subject: [PATCH 2/2] Update and rename netman204-default-login.yaml to netman-default-login.yaml
---
.../netman-default-login.yaml} | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
rename http/default-logins/{Riello/netman204-default-login.yaml => riello/netman-default-login.yaml} (59%)
diff --git a/http/default-logins/Riello/netman204-default-login.yaml b/http/default-logins/riello/netman-default-login.yaml
similarity index 59%
rename from http/default-logins/Riello/netman204-default-login.yaml
rename to http/default-logins/riello/netman-default-login.yaml
index f573862ef0..e9d4fcd0c3 100644
--- a/http/default-logins/Riello/netman204-default-login.yaml
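Review bot: The `info` block of the new netman204-default-login.yaml gives whoever triages a finding nothing to act on: `reference` is only the vendor home page, and there is no `remediation` or `classification` entry. A match means the management card of a UPS accepts admin/admin, so the result should say what to do about it, for example `remediation: Change the default admin password and restrict the NetMan 204 web interface to a management network.` and `cwe-id: CWE-1392` under `classification`. A link to the vendor documentation that states the default account would also let a reader confirm the credentials instead of trusting the template. The description could be tightened at the same time, e.g. `The Riello UPS NetMan 204 network card accepts its default credentials, which lets an attacker change UPS settings and disrupt the systems it powers.`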
+++ b/http/default-logins/riello/netman-default-login.yaml @@ -1,27 +1,25 @@ -id: Netman204-default-login +id: netman-default-login info: name: Riello UPS NetMan 204 Network Card - Default Login author: mabdullah22 severity: high - description: Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems. + description: | + Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems. reference: - https://www.riello-ups.com/ metadata: - verified: true + verified: "true" shodan-query: title:"Netman" censys-query: services.http.response.body:"Netman204" - tags: default-login,Netman-204-login + max-request: 1 + tags: default-login,netman requests: - raw: - | GET /cgi-bin/login.cgi?username={{username}}&password={{password}} HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 - X-Requested-With: XMLHttpRequest - Accept-Encoding: gzip, deflate - Accept-Language: en-US,en;q=0.9 attack: pitchfork payloads: @@ -32,7 +30,6 @@ requests: matchers-condition: and matchers: - - type: word part: body words: @@ -43,4 +40,3 @@ requests: - type: status status: - 200 -
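Review bot: Removing `X-Requested-With: XMLHttpRequest` from the raw request in the first hunk may change what `/cgi-bin/login.cgi` returns, while the matchers still require the exact JSON strings `"response": "ok",` and `"message": "Welcome."` with status 200. The template keeps its `verified` flag, but nothing on the page shows it was re-run against a device after the headers were stripped. If the card only answers in that JSON shape to XHR-style requests, a device that still accepts the default credentials would be reported clean, which is the worse failure mode for a default-login check. I would keep that one header line, `X-Requested-With: XMLHttpRequest`, or confirm on a real card that the response is unchanged without it.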