diff --git a/nselib/data/http-default-accounts-fingerprints.lua b/nselib/data/http-default-accounts-fingerprints.lua
index 574d3cba1..d82e6df76 100644
--- a/nselib/data/http-default-accounts-fingerprints.lua
+++ b/nselib/data/http-default-accounts-fingerprints.lua
@@ -817,6 +817,59 @@ table.insert(fingerprints, {
 end
 })
 
+table.insert(fingerprints, {
+ -- Version 1.1, 1.1 SP7
+ name = "EFI Fiery Webtools",
+ category = "printer",
+ paths = {
+ {path = "/"}
+ },
+ target_check = function (host, port, path, response)
+ return response.status == 200
+ and response.header["content-location"]
+ and response.header["content-location"]:find("^redirect%.html%.")
+ and response.body
+ and response.body:lower():find('content="0;url=wt2parser.cgi?home_', 1, true)
+ end,
+ login_combos = {
+ {username = "Administrator", password = ""},
+ {username = "Administrator", password = "Fiery.1"}
+ },
+ login_check = function (host, port, path, user, pass)
+ -- sessionId normally includes the client IP, not the target,
+ -- but this would be too revealing
+ local sessionid = host.ip
+ .. "_"
+ .. stdnse.clock_ms()
+ .. math.random(100000, 999999)
+ local encpass = stdnse.tohex(pass):gsub("..", "&#x%0;")
+ local header = {["Content-Type"]="text/xml", ["SOAPAction"]='""'}
+ local soapmsg = [[
+
+
+
+
+__SESS__
+
+0
+__PASS__
+30
+
+
+
+
+
+]]
+ -- username is not injected into the payload because it is implied
+ soapmsg = soapmsg:gsub("__%w+__", {__SESS__=sessionid, __PASS__=encpass})
+ local req = http_post_simple(host, port, url.absolute(path, "soap"),
+ {header=header}, soapmsg)
+ return req.status == 200
+ and req.body
+ and req.body:find('true', 1, true)
+ end
+})
+
 table.insert(fingerprints, {
 -- Version 3.6/4
 name = "Lantronix ThinWeb Manager",
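Review bot: The success test at the end of `login_check` is, as displayed here, a plain substring search for `true` in any 200 response, so an error or fault body that merely contains that word would be reported as a working default credential. The lines of `soapmsg` appear to have lost their markup in this rendering, so the literal may well be longer in the real file. If it is not, match the complete result element instead, e.g. `and req.body:find('<RESULT_ELEMENT>true</RESULT_ELEMENT>', 1, true)`, where `RESULT_ELEMENT` is a placeholder for the element the device actually returns. A one-line comment above the `return` naming the response field that signals a successful login would let maintainers check the fingerprint against a device capture and keep false positives out of audit reports.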