  1. # Dalton Vulnerability Test
  2. # $Id: http_login.nasl 2837 2016-03-11 09:19:51Z benallard $
  3.  
  4.  
  5. tag_summary = "This script logs onto a web server through a login page and
  6. stores the authentication / session cookie.";
  7.  
  8. if(description)
  9. {
  10. script_id(11149);
  11. script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  12. script_version("$Revision: 2837 $");
  13. script_tag(name:"last_modification", value:"$Date: 2016-03-11 10:19:51 +0100 (Fri, 11 Mar 2016) $");
  14. script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  15. script_tag(name:"cvss_base", value:"0.0");
  16.  
  17. name = "HTTP login page";
  18. script_name(name);
  19.  
  20. summary = "Log through HTTP page";
  21. script_summary(summary);
  22.  
  23. script_category(ACT_GATHER_INFO); # Has to run after find_service
  24. script_tag(name:"qod_type", value:"remote_banner");
  25.  
  26. script_copyright("This script is Copyright (C) 2002 Michel Arboi");
  27. family = "Settings";
  28. script_family(family);
  29.  
  30. # We first visit this page to get a cookie, just in case
  31. script_add_preference(name:"Login page :", type: "entry", value: "/");
  32. # Then we submit the username & password to the right form
  33. script_add_preference(name:"Login form :", type: "entry", value: "");
  34. # Here, we allow some kind of variable substitution.
  35. script_add_preference(name:"Login form fields :", type: "entry",
  36. value:"user=%USER%&pswrd=%PASS%");
  37. script_dependencies("httpver.nasl", "logins.nasl");
  38. script_require_ports("Services/www", 80);
  39. script_tag(name : "summary" , value : tag_summary);
  40. exit(0);
  41. }
  42.  
  43. include("http_func.inc");
  44.  
  45. # The script code starts here
  46.  
  47. http_login = "xyz";
  48. http_pass = "xyz";
  49. http_login_form = "/deepi-web/login.xhtml";
  50. http_login_page = "/deepi-web/login.xhtml";
  51. http_login_fields = "user=%USER%&pswrd=%PASS%";
  52.  
  53. if (! http_login_form) exit(0);
  54. if (! http_login_fields) exit(0);
  55.  
  56. if (http_login)
  57. {
  58. http_login_fields = ereg_replace(string: http_login_fields,
  59. pattern: "%USER%", replace: http_login);
  60. }
  61. if (http_pass)
  62. {
  63. http_login_fields = ereg_replace(string: http_login_fields,
  64. pattern: "%PASS%", replace: http_pass);
  65. }
  66.  
  67. port = get_http_port(default:443);
  68.  
  69. if(! get_port_state(port)) exit(0);
  70.  
  71. soc = http_open_socket(port);
  72. if (! soc) exit(0);
  73.  
  74. cookie1="";
  75. referer="";
  76. if (http_login_page)
  77. {
  78. req = http_get(port: port, item: http_login_page);
  79. send(socket: soc, data: req);
  80. r = http_recv_headers2(socket:soc);
  81. #r2 = recv(socket: soc, length: 1024);
  82. close(soc);
  83. soc = http_open_socket(port);
  84. if (! soc) exit(0);
  85. cookies = egrep(pattern: "Set-Cookie2? *:", string: r);
  86. if (cookies)
  87. {
  88. cookie1 = ereg_replace(string: cookies,
  89. pattern: "^Set-Cookie", replace: "Cookie");
  90. c = ereg_replace(string: cookie1,
  91. pattern: "^Cookie2? *: *", replace: "");
  92. #display("First cookie = ", c);
  93. }
  94. trp = get_port_transport(port);
  95. if (trp > 1) referer = "Referer: https://";
  96. else referer = "Referer: http://";
  97. referer = string(referer, get_host_name());
  98. if (((trp == 1) && (port != 80)) || ((trp > 1) && (port != 443)))
  99. referer = string(referer, ":", port);
  100. if (ereg(pattern: "^[^/]", string: http_login_page))
  101. referer = string(referer, "/");
  102. referer = string(referer, http_login_page, "\r\n");
  103. }
  104.  
  105.  
  106. req = http_post(port: port, item: http_login_form, data: http_login_fields);
  107. req = ereg_replace(string: req, pattern: "Content-Length: ",
  108. replace: string("Content-Type: application/x-www-form-urlencoded\r\n",
  109. referer, cookie1, "Content-Length: ") );
  110. send(socket:soc, data:req);
  111. r = http_recv_headers2(socket:soc);
  112. close(soc);
  113.  
  114. h = split(r);
  115.  
  116. foreach r (h) {
  117. # Failed - permission denied or bad gateway or whatever
  118. if (egrep(pattern: "HTTP/[019.]+ +[45][0-9][0-9]", string: r)) exit(0);
  119.  
  120. if (r =~ "^Set-Cookie")
  121. {
  122. if(!first_cookie) {
  123. cookies_string += ereg_replace(string: r, pattern: "^Set-Cookie", replace: "Cookie");
  124. cookies_string = chomp(cookies_string);
  125. first_cookie = TRUE;
  126. } else {
  127. cookies_string += ereg_replace(string: r, pattern: "^Set-Cookie:", replace: ";");
  128. cookies_string = chomp(cookies_string);
  129. }
  130.  
  131. # set_kb_item(name: string("/tmp/http/auth/", port), value: cookies);
  132. ##set_kb_item(name: "http/auth", value: cookies);
  133. c = ereg_replace(string: cookies,
  134. pattern: "^Cookie2? *: *", replace: "");
  135. # display("Authentication cookie = ", c);
  136. }
  137. else if (cookie1)
  138. {
  139. set_kb_item(name: string("/tmp/http/auth/", port), value: cookie1);
  140. # display("Trying to use session cookie\n");
  141. }
  142.  
  143. }
  144.  
  145. if(cookies_string) {
  146. set_kb_item(name: string("/tmp/http/auth/", port), value: cookies_string);
  147. }