PHP script that detects if auth is required or not on Apache Splunk

syrius · November 8, 2018, 10:06pm

I am currently trying to do a PHP script that detects automatically if Apache Splunk authentication is required or not but I'm having a hard time since HTTP code 303 is always coming back, even if auth is required or not.

Here is the script so far;

<?php
/**
 * Apache Splunk script to verify if auth is required or not
 * Original Author: Damian HARt
 * Version : 1.0
 */
ini_set('memory_limit', '800M'); // Set ram limit
require('zebracurl.php');

if($argc === 3){
    $file = $argv[1];
    if(is_readable($file)){
        $handle = fopen($file, 'r');
        if ($handle){
            $i = 0;
            $curl = new Zebra_cURL();
            $line_id = 0;
            $total_lines = count_lines(__DIR__.DIRECTORY_SEPARATOR.$file);
            $url_to_check = array();
            $curl->threads = 100;
            $curl->option(array(CURLOPT_TIMEOUT => 20));
            echo 'Welcome in Apache Splunk detector'.PHP_EOL;
            echo '[!] Total lines to parse in '.$file.': '.$total_lines.PHP_EOL;
            echo '--------------------------------------------------------------------------------'.PHP_EOL;
            while (($uri = fgets($handle)) !== false){
                if (!empty($uri) ){
                    $url_to_check[] = trim($uri).':'.$argv[2].'/splunk/en-US/manager/search/apps/local';
                    if ($i === 99 || $line_id + 1 === $total_lines){
                        $curl->get($url_to_check, function($request){
                            if ($request->response[1] == CURLE_OK && $request->info['http_code'] === 200){
                                for ($_i = 0; $_i < count($request->headers['responses']); $_i++){
                                    $header_array = array_change_key_case($request->headers['responses'][$_i], CASE_LOWER);
                                    if (isset($header_array['Server'])){
                                        file_put_contents('results.txt', $request->info['original_url'].PHP_EOL,FILE_APPEND | LOCK_EX);
                                        echo '[+] '.$request->info['original_url'].PHP_EOL;
                                    }
                                }
                            }
                        });
                        $i = 0;
                        $url_to_check = array();
                    }
                }
                $i++;
                $line_id++;
            }
        } else {
            echo setColor('An error was occurred on file opening '.$config['input_file'], $with_color ? 'danger' : '').PHP_EOL;
            fclose($handle);
            unset($curl);
            die();
        }
        fclose($handle);
        unset($curl);
    }
}else { echo '[!] Usage: php splunk-detector.php LAN-IPs.txt 8000'; }

function count_lines($file){
    $total_lines = 0;
    if (file_exists($file)){
        $handle = fopen($file, "r");
        while (!feof($handle)){ if (fgets($handle) !== false) $total_lines += 1; }
        fclose($handle);
    } return $total_lines;
}

I am open to any solutions/suggestions as long as I can accomplish my goal.

Thanks

Neo · November 8, 2018, 10:11pm

How to you intend to determine "if Apache Splunk authentication is required or not" ?

syrius · November 9, 2018, 3:54pm

This is my question exactly; how to make the script detect if Apache Splunk authentication is required or not. So far, based on my research, we cannot detect it from HTTP code since all the time it returns an HTTP code 303. The only way I could detect if auth is required or not, is by some keyword in the source when auth is not required versus when auth is required.

Thanks

Corona688 · November 9, 2018, 4:28pm

303 is a redirect, presumably the page being redirected to tells you more than the redirect itself.

Neo · November 9, 2018, 8:28pm

So right now Apache Spunk has a web form based userid and password authentication system?

Whst exactly is the current authentication system?