From 464d0308b353784c2adace955cbd3e5f6109577b Mon Sep 17 00:00:00 2001
From: adoering
Date: Mon, 1 Nov 2021 11:12:02 -0500
Subject: [PATCH] Adding default web install application check and supporting templates
---
.../default-apache-install-all-versions.yaml | 22 ++++++++++++++
technologies/default-detect-generic.yaml | 29 +++++++++++++++++++
...web-application-installation-workflow.yaml | 29 +++++++++++++++++++
3 files changed, 80 insertions(+)
create mode 100644 technologies/apache/default-apache-install-all-versions.yaml
create mode 100644 technologies/default-detect-generic.yaml
create mode 100644 workflows/detect-default-web-application-installation-workflow.yaml
diff --git a/technologies/apache/default-apache-install-all-versions.yaml b/technologies/apache/default-apache-install-all-versions.yaml
new file mode 100644
index 0000000000..c41c24c985
--- /dev/null
+++ b/technologies/apache/default-apache-install-all-versions.yaml
@@ -0,0 +1,22 @@
+id: default-apache-test-all
+info:
+ name: Apache HTTP Server Test Page
+ author: andydoering
+ description: Detects default installations of apache (not just apache2 or installations on CentOS)
+ severity: info
+ tags: tech,apache
+ reference: https://www.shodan.io/search?query=http.title%3A%22Apache+Default%22%2C%22Apache+HTTP+Server+Test%22%2C%22Apache2+It+works%22
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+ matchers:
+ - type: regex # type of the extractor
+ part: body # part of the response (header,body,all)
+ regex:
+ - ".*?Apache(|\\d+) .*?(Default|Test).*?"
+
+ - type: regex # type of the extractor
+ part: body # part of the response (header,body,all)
+ regex:
+ - "(Default|Test).*? Apache(|\\d+).*?"
\ No newline at end of file
diff --git a/technologies/default-detect-generic.yaml b/technologies/default-detect-generic.yaml
new file mode 100644
index 0000000000..951027e95c
--- /dev/null
+++ b/technologies/default-detect-generic.yaml
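Review bot: Both body regexes under `matchers` in default-apache-install-all-versions.yaml are unscoped, so any page that has "Apache" and "Default" or "Test" on the same line (an Apache License notice next to the word "Test", for example) is reported as a default install. With no `matchers-condition` the two matchers are OR-ed, which widens that further. The Shodan reference keys on the page title, so scoping both patterns to the title element would cut the noise, e.g. `- "<title>[^<]*Apache(|\\d+) [^<]*(Default|Test)"` and the mirrored form for the second matcher. The leading and trailing `.*?` add nothing, the `# type of the extractor` comments sit on matchers, and the `id` (`default-apache-test-all`) differs from the file name.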
@@ -0,0 +1,29 @@
+id: default-detect-generic
+info:
+ name: Default Web Application Detection
+ author: andydoering
+ description: Catch-all for detecting default installations of web applications using common phrases found in default install pages
+ severity: info
+ tags: tech,default
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: or
+ matchers:
+
+ - type: word
+ words:
+ - "Default"
+ part: body
+
+ - type: word
+ words:
+ - "Welcome to"
+ part: body
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/workflows/detect-default-web-application-installation-workflow.yaml b/workflows/detect-default-web-application-installation-workflow.yaml
new file mode 100644
index 0000000000..f3d4bf2a06
--- /dev/null
+++ b/workflows/detect-default-web-application-installation-workflow.yaml
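Review bot: With `matchers-condition: or`, the `status: 200` matcher alone satisfies the template, so every host that answers 200 is reported as a default installation and the two word matchers never decide anything. Require the status and a phrase together: switch to `matchers-condition: and` and fold both phrases into one word matcher with `condition: or`, as below. Even then the bare word "Default" is common in ordinary pages, so a more specific phrase would keep this catch-all from burying the findings of the targeted templates. If default pages that answer with another status should also be caught, drop the status matcher rather than OR-ing it.

```yaml
    # … unchanged: method and path …
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Default"
          - "Welcome to"
        condition: or

      - type: status
        status:
          - 200
```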
@@ -0,0 +1,29 @@
+id: default-detect
+
+info:
+ name: Default Web Application Detection
+ author: andydoering
+ description: Detects default installations of web applications
+ severity: info
+ tags: tech,default,apache,xampp,iis,azure,asp,nginx,lighttpd,django,oracle,ibm
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+workflows:
+ - template: technologies/apache/default-apache-install-all-versions.yaml
+ - template: technologies/apache/xampp-default-page.yaml
+ - template: technologies/microsoft/default-iis7-page.yaml
+ - template: technologies/microsoft/default-windows-server-page.yaml
+ - template: technologies/microsoft/default-microsoft-azure-page.yaml
+ - template: technologies/default-asp.net-page.yaml
+ - template: technologies/nginx/default-nginx-page.yaml
+ - template: technologies/lighttpd-default.yaml
+ - template: technologies/default-django-page.yaml
+ - template: exposures/files/drupal-install.yaml
+ - template: technologies/oracle/default-oracle-application-page.yaml
+ - template: technologies/ibm-http-server.yaml
+ - template: technologies/lighttpd-default.yaml
+ - template: technologies/default-detect-generic.yaml
\ No newline at end of file
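Review bot: `technologies/lighttpd-default.yaml` appears twice under `workflows:`, so that template would run twice per target; the second entry should be dropped. The `requests:` block above the list has no matchers, and as far as I know a workflow template is expected to carry only `workflows:`, so it can probably be removed. Only two of the referenced templates are added by this patch; the other paths cannot be checked from here and should be confirmed to exist in the repository. The `tags` line also omits `drupal`, although `exposures/files/drupal-install.yaml` is included.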