projectdiscovery · pussycat0x · May 16, 2025 · Apr 24, 2025 · Apr 24, 2025 · Apr 24, 2025
diff --git a/http/default-logins/LOYETC_PLC_defaul_password.yaml b/http/default-logins/LOYETC_PLC_defaul_password.yaml
@@ -0,0 +1,30 @@
+id: loytec-default-password
+
+info:
+  name: Loytec PLC Default Password testing
+  author: biero-el-corridor
+  severity: high
+  tags: loytec
+
+requests:
+  - raw:
+    - |
+      POST /webui/login HTTP/2
+      Host: {{Hostname}}
+      X-Create-Session: 1
+      Content-Type: application/x-www-form-urlencoded
+      Content-Length: 32
+
+      username=admin&password=loytec4u&login=Login
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+
+      - type: word
+        words:
+          - '"sessUser":"admin","loggedIn":true}'
+        part: body
diff --git a/http/default-logins/OSASI_default_credential.yaml b/http/default-logins/OSASI_default_credential.yaml
@@ -0,0 +1,29 @@
+id: OSASI-default-password
+
+info:
+  name: OSASI PLC Default Password testing
+  author: biero-el-corridor
+  severity: high
+  tags: OSASI,default_password
+  description: |
+    Can be found with the Shodan query. 
+  metadata:
+    shodan-query: http.favicon.hash:-268676052
+
+requests:
+  - raw:
+    - |
+      POST /users/login HTTP/1.1
+      Host: {{Hostname}}
+      Content-Length: 77
+      Origin: http://{{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+      Referer: http://{{Hostname}}/users/login
+      Connection: keep-alive
+
+      _method=POST&data%5BUser%5D%5Bloginid%5D=1234&data%5BUser%5D%5Bpasswd%5D=1234
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 302
diff --git a/http/default-logins/SIEMENS_SIMATIC_HMI_Miniweb_default_password.yaml b/http/default-logins/SIEMENS_SIMATIC_HMI_Miniweb_default_password.yaml
@@ -0,0 +1,28 @@
+id: SIEMENS-SIMATIC-HMI-Miniweb-defualt-password
+
+info:
+  name: Siemens Simatic HMI MiniWeb PLC Default Password testing
+  author: biero-el-corridor
+  severity: high
+  tags: siemens,default_password
+  metadata:
+    max-request: 2
+    vendor: siemens
+  tags: ICS,siemens,default_password
+
+requests:
+  - raw:
+    - |
+      POST /FormLogin HTTP/1.1
+      Host: {{Hostname}}
+      X-Create-Session: 1
+      Content-Type: application/x-www-form-urlencoded
+      Content-Length: 74
+
+      Login=Administrator&Redirection=%2FTemplates%2FLoginpage.html&Password=100
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
diff --git a/http/default-logins/WAGO_default_password_web_panel.yaml b/http/default-logins/WAGO_default_password_web_panel.yaml
@@ -0,0 +1,30 @@
+id: WAGO_Web_based_Management_default_password
+
+info:
+  name: WAGO Web based Management default password
+  author: biero-el-corridor
+  severity: high
+  tags: wago,default_password
+  description: |
+      Can be found with the Shodan query. 
+  metadata: 
+    shodan-query: "title:"WAGO Ethernet Web-based Management"
+
+requests:
+  - raw:
+    - |
+      POST /wbm/login.php HTTP/1.1
+      Host: {{Hostname}}
+      Content-Length: 38
+      X-Requested-With: XMLHttpRequest
+      Origin: http://{{Hostname}}
+      Referer: http://{{Hostname}}/wbm/index.php
+      Connection: keep-alive
+
+      {"username":"admin","password":"wago"}
+
+    matchers:
+      - type: word
+        words:
+          - '"username":"admin","isDefaultPW":"1"'
+        part: body
diff --git a/http/exposed-panels/CAE_Monitoring_page.yaml b/http/exposed-panels/CAE_Monitoring_page.yaml
@@ -0,0 +1,30 @@
+id: CAE_Monitoring_page
+
+info:
+  name: Find CAE monitoring web panel
+  author: biero-el-corridor
+  severity: low
+  description: |
+    Can be found with the Shodan query. 
+  metadata: 
+    shodan-query: http.favicon.hash:-268676052
+
+http:
+  - method: GET
+    path:
+      - "http://{{Host}}/index.html"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: word
+        words: 
+          - "cae.it"
+        part: body
+        condition: and
+      - type: word
+        words: 
+          - "CAE S.p.A."
+        part: body
diff --git a/http/exposed-panels/ETIC_telecom_router_login_page.yaml b/http/exposed-panels/ETIC_telecom_router_login_page.yaml
@@ -0,0 +1,24 @@
+id: custom_http_template
+info:
+  name: Find ETIC telecom web panel
+  author: biero-el-corridor
+  severity: info
+
+http:
+  - method: GET
+
+    path:
+      - "{{Host}}:4433/login.htm"
+      - "{{Host}}:8080/login.htm"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+
+      - type: word
+        words: 
+          - "Please identify yourself"
+        part: body
+
diff --git a/http/exposed-panels/ETIC_telecom_unprotected_admin_panel.yaml b/http/exposed-panels/ETIC_telecom_unprotected_admin_panel.yaml
@@ -0,0 +1,19 @@
+id: find-unprotected-ETIC-login-page
+info:
+  name: Find ETIC telecom unprotected web panel.
+  author: biero-el-corridor
+  severity: high
+
+http:
+  - method: GET
+
+    path:
+      - "https://{{Host}}:4433/cgi?method=get_menu"
+      - "https://{{Host}}:433/cgi?method=get_menu"
+      - "http://{{Host}}:80/cgi?method=get_menu"
+      - "http://{{Host}}:8080/cgi?method=get_menu"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
diff --git a/http/exposed-panels/Moxa_vpn_router_login_page.yaml b/http/exposed-panels/Moxa_vpn_router_login_page.yaml
@@ -0,0 +1,36 @@
+id: Moxa_vpn_router_login_page
+
+info:
+  name: Find Moxa VPN router login pages
+  author: biero-el-corridor
+  severity: low
+  description: |
+    Can be found with the Shodan query. 
+  metadata:
+    shodan-query: http.favicon.hash:-234487373
+
+http:
+  - method: GET
+    path:
+      - "http://{{Host}}/Login.asp"
+      - "https://{{Host}}/Login.asp"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: word
+        words: 
+          - "Moxa"
+        part: body
+        condition: and
+      - type: word
+        words: 
+          - "Username : "
+        part: body
+        condition: and
+      - type: word
+        words: 
+          - "Password : "
+        part: body
diff --git a/http/exposed-panels/OSASI_login_page.yaml b/http/exposed-panels/OSASI_login_page.yaml
@@ -0,0 +1,25 @@
+id: OSASI_login_page
+
+info:
+  name: find up OSASI login panel
+  author: biero-el-corridor
+  severity: low
+  description: |
+    Can be found with the Shodan query.
+  metadata:
+    shodan-query: http.favicon.hash:-1887636248
+
+http:
+  - method: GET
+    path:
+      - "http://{{Host}}/users/login"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: word
+        words: 
+          - "/img/osasil_logo_f.png"
+        part: body
diff --git a/http/exposed-panels/SIEMENS_SIMATIC_HMI_Miniweb_panel.yaml b/http/exposed-panels/SIEMENS_SIMATIC_HMI_Miniweb_panel.yaml
@@ -0,0 +1,25 @@
+id: Detect_SIEMENS_SIMATIC_HMI_Miniweb_login_panel
+
+info:
+  name: Find up SIEMENS_SIMATIC_HMI_Miniweb_login_panel
+  author: biero-el-corridor
+  severity: low
+  metadata:
+    max-request: 2
+    vendor: siemens
+  tags: ICS,siemens
+
+
+http:
+  - method: GET
+    path:
+      - "http://{{Host}}/StatusDetails.html"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: dsl
+        dsl:
+          - "contains(body,'linke Spalte Navigationsbereich')"
diff --git a/http/exposed-panels/Siemens_LOGO_login_page.yaml b/http/exposed-panels/Siemens_LOGO_login_page.yaml
@@ -0,0 +1,26 @@
+id: Detect_Siemens_LOGO_8_PLC
+
+info:
+  name: Find up Siemens Logo! 8 Web panel
+  author: biero-el-corridor
+  severity: low
+  metadata:
+    max-request: 2
+    vendor: siemens
+    product: siemens_LOGO!
+  tags: ICS,siemens 
+
+http:
+  - method: GET
+    path:
+      - "{{Hostname}}/logo_login.shtm?!App-Language="
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: word
+        part: body
+          - "ReadMe OSS"
diff --git a/http/exposed-panels/WAGO_web_based_management_panel.yaml b/http/exposed-panels/WAGO_web_based_management_panel.yaml
@@ -0,0 +1,27 @@
+id: WAGO_web_based_management_panel
+
+info:
+  name: Find WAGO web based management panel
+  author: biero-el-corridor
+  severity: low
+  tags: wago,monitoring_panel
+  description: |
+      Can be found with the Shodan query
+  metadata:
+    shodan-query:"title:"WAGO Ethernet Web-based Management"
+http:
+  - method: GET
+    path:
+      - "{{Host}}/wbm/index.php"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+
+      - type: word
+        words: 
+          - "Web-based Management"
+        part: body
diff --git a/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml b/network/detection/Allen-Bradley/Allen_Bradley_CompactLogix_enip-cip_detect.yaml
@@ -0,0 +1,31 @@
+id: Allen_Bradley_CompactLogix_enip-cip_detect
+
+info:
+  name: Allen_Bradley_CompactLogix_enip-cip_detected
+  author: biero-el-corridor
+  severity: info
+  description: |
+    detect Allen Bradley CompactLogix series via enip-cip protocol use the -resp flag to see the model of PLC (see resp part of the template).
+  metadata:
+    max-request: 2
+    vendor: Allen_Bradley
+    product: CompactLogix_series
+    shodan-query: port:44818 "Vendor ID: Rockwell Automation/Allen-Bradley"
+  tags: ICS,Allen_Bradley,CompactLogix_series
+
+tcp:
+  - host:
+      - "{{Host}}:44818"
+    inputs:
+      - data: "630000000000000000000000000000000000000000000000"
+        type: hex
+        read: 200
+        name: info
+
+    read-size: 1024
+    matchers-condition: or
+    matchers:
+      - type: binary
+        part: info
+        binary:
+          - "313736392d" # 1769- (1769-L23: Built-in I/O || 1769-L24ER: With expansion capabilities || 1769-L30ER: Higher performance || 1769-L35ER: High-end version)