From 1a9700019fd8ef5ab915c7146ea47d6d0e93e845 Mon Sep 17 00:00:00 2001 From: david Date: Thu, 12 Jan 2012 19:45:11 +0000 Subject: [PATCH] Add http-generator.nse by Michael Kohl. --- CHANGELOG | 4 ++++ scripts/http-generator.nse | 49 ++++++++++++++++++++++++++++++++++++++ scripts/script.db | 1 + 3 files changed, 54 insertions(+) create mode 100644 scripts/http-generator.nse diff --git a/CHANGELOG b/CHANGELOG index cdcc49ef6..1b16e713a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added http-generator.nse by Michael Kohl, which gets version + information for web applications that set the "generator" meta + element. + o [NSE] Added the script broadcast-pppoe-discover that discovers PPPoE servers on the LAN using the PPPoE Discovery Protocol. [Patrik] diff --git a/scripts/http-generator.nse b/scripts/http-generator.nse new file mode 100644 index 000000000..40f73589d --- /dev/null +++ b/scripts/http-generator.nse 
@@ -0,0 +1,49 @@
+description = [[
+Displays the contents of the "generator" meta tag if there is one.
+]]
+
+author = "Michael Kohl"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+---
+-- @usage
+-- nmap -p 80,443 --script http-generator
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- |_http-generator: TYPO3 4.2 CMS
+-- 443/tcp open https
+-- |_http-generator: TYPO3 4.2 CMS
+
+--- TODO:
+-- add arg for web path
+-- add arg for maximum number of redirects
+
+require('http')
+require('shortport')
+
+portrule = shortport.http
+
+action = function(host, port)
+ local response, loc, generator
+ -- Worst case:
+ local pattern = ''
+
+ -- make pattern case-insensitive
+ pattern = pattern:gsub("%a", function (c)
+ return string.format("[%s%s]", string.lower(c),
+ string.upper(c))
+ end)
+
+ response = http.get(host, port, '/')
+
+ -- deals with only one redirect
+ if response['status-line']:lower():match("^http/1.1 30[12]") then
+ loc = response.header['location']
+ response = http.get_url(loc)
+ end
+
+ return response.body:match(pattern)
+
+end
diff --git a/scripts/script.db b/scripts/script.db
index fdecf20ba..9989ea106 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -106,6 +106,7 @@ Entry { filename = "http-email-harvest.nse", categories = { "discovery", "safe",
 Entry { filename = "http-enum.nse", categories = { "discovery", "intrusive", "vuln", } }
 Entry { filename = "http-favicon.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-form-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "http-generator.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-google-malware.nse", categories = { "discovery", "external", "malware", "safe", } }
 Entry { filename = "http-grep.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
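Review bot: In `action`, the redirect branch hands the server-supplied `Location` header straight to `http.get_url(loc)`, so a 301/302 from a hostile or misconfigured target makes the scanner issue a request to whatever third-party URL the server names, which is not what a script tagged `"safe"` should do; a relative `Location` (the common case) is also not a full URL that `get_url` can fetch, and `loc` is nil when the header is absent. The same branch and the final `response.body:match(pattern)` dereference `response['status-line']`, `response.header` and `response.body` without checking that `http.get` returned a usable response, so a closed, filtered or non-HTTP port turns into a script error rather than an empty result. The rewrite below follows at most one redirect and only back to the scanned host/port, returns nil on every failure path, and tests `response.status` (presumably the numeric code set by the http library — confirm) instead of the `^http/1.1 30[12]` string, which silently ignores HTTP/1.0 responders. Separately, `local pattern = ''` as rendered here is presumably a `<meta …>` literal dropped by the page extraction; if the committed file really has an empty pattern, `match` returns `""` for every host, and the unused `generator` local should be dropped.
```lua
action = function(host, port)
  local response, loc
  -- … unchanged: pattern setup …

  response = http.get(host, port, '/')
  if not response or not response.status then
    return nil -- no HTTP response to inspect
  end

  -- Follow at most one redirect, and only back to the scanned host/port:
  -- Location is attacker-controlled, so following an absolute URL would
  -- make the scanner request an arbitrary third-party host.
  if response.status == 301 or response.status == 302 then
    loc = response.header and response.header['location']
    if type(loc) ~= "string" or loc:sub(1, 1) ~= "/" then
      return nil
    end
    response = http.get(host, port, loc)
    if not response then return nil end
  end

  if not response.body then return nil end
  return response.body:match(pattern)
end
```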