版本指纹最佳实践

name: chaitin-xray
transport: http

detail:
  fingerprint:
    cpe: cpe:2.3:a:chaitin:xray
    version: '{{version}}'

rules:
  get_icon_hash:
    request:
      method: GET
      path: /
      follow_redirects: false
    expression: faviconHash(response.getIconContent()) == 938617678
  get_version:
    request:
      method: POST
      path: /api/graphql/
      headers:
        Content-Type: application/json
      body: |-
        {"query":"query WebVersion {webVersion}"}
    expression: response.body_string.contains("webVersion")
    output:
      search: |
        r'"webVersion":"(?P<version>[\w\.\-]+?)"'.submatch(response.body_string)
      version: search['version']

expression: get_icon_hash() && (get_version() || true)

name: e-business_suite
transport: http
detail:
  fingerprint:
    cpe: oracle:e-business_suite
    version: '{{version}}'
rules:
  index_contains:
    expression: response.body_string.contains('E-Business Suite Home Page Redirect')
  v0:
    request:
      method: GET
      path: /OA_HTML/SNO_version.txt
    expression: response.body_string.contains('FULL=')
    output:
      search: |
        'FULL=(?P<version>[0-9\\.]+?)'.submatch(response.body_string)
      version: search['version']
  v1:
    request:
      method: GET
      path: /OA_HTML/login.js
    expression: |
      "(?i)Version (?P<version>[\\w\\.]+?)".matches(response.body_string)
    output:
      search: |
        "(?i)Version (?P<version>[\\w\\.]+?)".submatch(response.body_string)
      version: search['version']
expression: index_contains() && (v0() || v1() || true)

name: vbulletin
transport: http
detail:
  fingerprint:
    cpe: vbulletin:vbulletin
    version: '{{version}}'
rules:
  kw_in_body:
    request:
      cache: true
      method: GET
      path: /
    expression: |-
      response.body_string.contains('content="vBulletin') ||
      response.body_string.contains("Powered by vBulletin") ||
      response.body_string.contains("vbulletin_css") && response.body_string.contains("vbulletin_md5")
    output:
      search: |-
        'content="vBulletin (?P<version>[0-9\\.]+?)'.submatch(response.body_string)
expression: kw_in_body()