From 965aaf89ff1b6dfd60cbbbeea35314fe0ebd2d30 Mon Sep 17 00:00:00 2001 From: Muhammad Abdullah Date: Mon, 12 Jun 2023 15:12:48 +0500 Subject: [PATCH] Add Netman Default Login Add a template for default login on Riello UPS NetMan 204. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems. --- contributors.json | 10 ++++ .../Riello/netman204-default-login.yaml | 46 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 http/default-logins/Riello/netman204-default-login.yaml diff --git a/contributors.json b/contributors.json index abd26306fc7..d63b99eb8ce 100644 --- a/contributors.json +++ b/contributors.json @@ -1378,6 +1378,16 @@ "website": "https://the-empire.systems", "email": "" } + }, + { + "author": "mabdullah22", + "links": { + "github": "https://www.github.com/maabdullah22", + "twitter": "https://twitter.com/0x416264", + "linkedin": "", + "website": "", + "email": "" + } } ] diff --git a/http/default-logins/Riello/netman204-default-login.yaml b/http/default-logins/Riello/netman204-default-login.yaml new file mode 100644 index 00000000000..f573862ef02 --- /dev/null +++ b/http/default-logins/Riello/netman204-default-login.yaml 
@@ -0,0 +1,46 @@
+id: Netman204-default-login
+
+info:
+ name: Riello UPS NetMan 204 Network Card - Default Login
+ author: mabdullah22
+ severity: high
+ description: Default logins on Riello UPS NetMan 204 is used. Attacker can access to UPS and attacker can manipulate the UPS settings to disrupt the onsite systems.
+ reference:
+ - https://www.riello-ups.com/
+ metadata:
+ verified: true
+ shodan-query: title:"Netman"
+ censys-query: services.http.response.body:"Netman204"
+ tags: default-login,Netman-204-login
+
+requests:
+ - raw:
+ - |
+ GET /cgi-bin/login.cgi?username={{username}}&password={{password}} HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
+ X-Requested-With: XMLHttpRequest
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-US,en;q=0.9
+
+ attack: pitchfork
+ payloads:
+ username:
+ - admin
+ password:
+ - admin
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - '"response": "ok",'
+ - '"message": "Welcome."'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
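Review bot: The `id` on the first added line is mixed-case (`Netman204-default-login`) and does not match the file name `netman204-default-login.yaml`; the usual convention is a lowercase id identical to the file name, so `id: netman204-default-login` would be consistent, and the tag `Netman-204-login` would likewise be easier to filter on as lowercase vendor/product tags such as `netman,riello`. The `info` block states the impact but gives the operator who triages a hit nothing to act on; a line such as `remediation: Change the default admin password on the NetMan 204 card and restrict access to its web interface.` would close that gap, and the single `reference` is the vendor home page rather than a document that confirms the default credentials. The word matcher depends on the exact spacing of the JSON body (`'"response": "ok",'`), which was presumably captured from one firmware build, so it is worth confirming against more than one device before relying on `verified: true`. The hard-coded `User-Agent`, `Accept-Encoding` and `Accept-Language` headers in the raw request look unnecessary for the check and could be dropped.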