| Source | Link |
|---|---|
| splunk | www.splunk.com/en_us/software.html |
#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration. When the engine loads the script with `description`
# set, only this metadata block runs; exit(0) at the end returns before any
# request is sent to the target.
if (description)
{
  # Identity and revision of the plugin.
  script_id(47619);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/29");
  script_xref(name:"IAVT", value:"0001-T-0723");
  script_name(english:"Splunk Web Detection");

  # Report text shown to the user.
  script_set_attribute(attribute:"synopsis", value:
"An infrastructure monitoring tool is running on the remote host.");
  script_set_attribute(attribute:"description", value:
"The web interface for Splunk is running on the remote host. Splunk is
a search, monitoring, and reporting tool for system administrators.
Note that HTTP Basic Authentication credentials may be required to retrieve version information
for some recent Splunk releases.");
  script_set_attribute(attribute:"see_also", value:"https://www.splunk.com/en_us/software.html");

  # Pure detection: no solution and no risk rating are attached.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/07");
  script_set_attribute(attribute:"plugin_type", value:"remote");

  # Inventory metadata: the CPE here matches the one passed to
  # register_install() in the detection body.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:splunk:splunk");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_inventory_category", value:"software_enumeration");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2010-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # splunkd_detect.nasl is declared as a dependency; the detection body reads
  # the 'Splunk/ManagementAPI/port' KB item as a last-resort version source.
  script_dependencies("splunkd_detect.nasl");
  script_require_ports("Services/www", 8000);
  exit(0);
}
include("http.inc");
include("install_func.inc");
include("spad_log_func.inc");
include("url_func.inc");
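# Detection state. `build` and `license` stay FALSE unless a page marker
# supplies them; `version` stays UNKNOWN_VER until one of the extraction
# steps below succeeds.
var app = "Splunk";
var port = get_http_port(default:8000, embedded:TRUE);
var dir = '/';
var build = FALSE;
var version = UNKNOWN_VER;
var license = FALSE;
var tries, res;

# nb: the service will restart if webmirror.nasl successfully accesses
# /services/server/control/restart so we try several times waiting
# for it to come back up.
for (tries=5; tries>0; tries--)
{
  res = http_send_recv3(
    method : 'GET',
    item : dir,
    port : port,
    add_headers : make_array("User-Agent", "Nessus"),
    follow_redirect: 2
  );
  if (!isnull(res)) break;
  sleep(5);
}

# Give up before res[...] is indexed: every retry failed, so there is no
# status line, header block or body to log or fingerprint.
if (isnull(res)) audit(AUDIT_RESP_NOT,port,"a HTTP GET request",code:1);

# Debug-level dump of the landing page response used for fingerprinting.
dbg::detailed_log(
  lvl:1,
  src:SCRIPT_NAME,
  msg:'\n\nHTTP Response ' +
  '\n\nResponse Code: ' + res[0] +
  '\n\nHeaders: ' + res[1] +
  '\n\nBody: ' + res[2] + '\n\n');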
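# Fingerprint the landing page. Each alternative below is a set of page
# markers that must all be present; any one alternative is enough to treat
# the service as Splunk Web. These markers are unauthenticated page content,
# so a match identifies the product by appearance only.
if (
  ('<b>Login to Splunk</b>' >< res[2] && '<h2><b>Welcome to Splunk</b></h2' >< res[2]) ||
  (
    '<meta name="author" content="Splunk Inc."' >< res[2] &&
    "Splunk.util.normalizeBoolean('" >< res[2] &&
    pgrep(pattern:"Login *-", string:res[2]) &&
    pgrep(pattern:'<p class="footer">© [0-9-]+ Splunk Inc. Splunk', string:res[2])
  ) ||
  # 3.x
  (
    '<title>Splunk' >< res[2] && 'layerid="splunksMenu"' >< res[2] &&
    'href="http://www.splunk.com">Splunk Inc' >< res[2]
  ) ||
  # 4.0.x
  (
    '<meta name="author" content="Splunk Inc."' >< res[2] &&
    pgrep(pattern:'<p class="footer">© [0-9-]+ Splunk Inc. Splunk', string:res[2]) &&
    'class="splButton-primary"' >< res[2]
  ) ||
  # 6.2.x-8.x
  (
    '<meta name="author" content="Splunk Inc."' >< res[2] &&
    '<script type="text/json" id="splunkd-partials">' >< res[2]
  )
)
{
  # License / product flavour, taken from JSON fragments embedded in the page.
  # The first matching marker wins.
  if ('"licenseType": ' >< res[2] || '"license_labels":' >< res[2] || '"product_type":' >< res[2])
  {
    if ('"licenseType": "free"' >< res[2])
      license = "Free";
    else if ('"license_labels":["Splunk Free' >< res[2])
      license = "Free";
    else if ('"licenseType": "pro"' >< res[2])
      license = "Enterprise";
    else if ('"license_labels":["Splunk Enterprise' >< res[2])
      license = "Enterprise";
    else if ('"product_type":"enterprise"' >< res[2])
      license = "Enterprise";
    else if ('"license_labels":["Splunk Light' >< res[2])
      license = "Light";
    else if ('"product_type":"lite' >< res[2])
      license = "Light";
    else if ('"license_labels":["Splunk Forwarder' >< res[2])
      license = "Forwarder";
  }

  # Version extraction. Each step runs only while the version is still
  # unknown, so the first pattern that matches decides the result.

  # Step 1: page title, "Login - Splunk X.Y.Z (build)".
  var regex = "Login *- *Splunk ([0-9.]+) *(\(([0-9]+)\))?</title>";
  var line = pgrep(pattern:regex,string:res[2]);
  if (line)
  {
    var matches = pregmatch(pattern:regex,string:line);
    if (matches)
    {
      version = matches[1];
      if (matches[3]) build = matches[3];
    }
  }

  # Step 2: copyright footer paragraph.
  if (version == UNKNOWN_VER)
  {
    regex = ">© [0-9-]+ Splunk Inc. Splunk ([0-9.]+) *(build ([0-9]+).)?</p>";
    line = pgrep(pattern:regex,string:res[2]);
    if (line)
    {
      matches = pregmatch(pattern:regex,string:line);
      if (matches)
      {
        version = matches[1];
        if (matches[3]) build = matches[3];
      }
    }
  }

  # Step 3: attributes on the footer <div>.
  if (version == UNKNOWN_VER)
  {
    regex = '<div id="footer" versionNumber="([0-9.]+)" *(buildNumber="([0-9]+)")? *installType="prod"';
    line = pgrep(pattern:regex,string:res[2]);
    if (line)
    {
      matches = pregmatch(pattern:regex, string:line);
      if (matches)
      {
        version = matches[1];
        if (matches[3]) build = matches[3];
      }
    }
  }

  # Step 4: embedded JSON carrying both "build" and "version"
  # (capture order is build first, version second).
  if (version == UNKNOWN_VER)
  {
    regex = '"build":"?([a-f0-9]+)"?,.*,"version":"([0-9.]+)"';
    line = pgrep(pattern:regex,string:res[2]);
    if (line)
    {
      matches = pregmatch(pattern:regex, string:line);
      if (matches)
      {
        version = matches[2];
        if (matches[1]) build = matches[1];
      }
    }
  }

  # >6.6.x
  if (version == UNKNOWN_VER)
  {
    regex = '"version":"([0-9.]+)"';
    line = pgrep(pattern:regex,string:res[2]);
    if (line)
    {
      matches = pregmatch(pattern:regex, string:line);
      if (matches)
      {
        version = matches[1];
      }
    }
  }

  # 8.x version can be pulled from /en-US/help
  if (version == UNKNOWN_VER)
  {
    res = http_send_recv3(
      port:port,
      method:'GET',
      item:'/en-US/help',
      follow_redirect: 0,
      exit_on_fail:FALSE
    );
    dbg::detailed_log(
      lvl:1,
      src:SCRIPT_NAME,
      msg:'\n\n8.x version can be pulled from /en-US/help' +
      '\n\nResponse Code: ' + res[0] +
      '\n\nHeaders: ' + res[1] +
      '\n\nBody: ' + res[2] + '\n\n');

    # exit_on_fail:FALSE means res can be NULL here; only parse a real response.
    matches = NULL;
    if (!isnull(res))
      matches = pregmatch(string:res[2], pattern:'var args.*?versionNumber": "(\\d+\\.\\d+\\.\\d+).*?product": "([^"]+)"');
    if (!empty_or_null(matches))
    {
      version = matches[1];
      if(!license) license = matches[2];
    }
  }

  # Attempt to authenticate if version is still not found
  if (version == UNKNOWN_VER)
  {
    # try login to get the version
    var username = get_kb_item(http::KB_USERNAME);
    var password = get_kb_item(http::KB_PASSWORD);
    if (!empty_or_null(username) && !empty_or_null(password))
    {
      http::cookiejar::init();
      res = http_send_recv3(
        port:port,
        method:'GET',
        item:'/',
        follow_redirect:2,
        exit_on_fail:FALSE
      );
      dbg::detailed_log(
        lvl:1,
        src:SCRIPT_NAME,
        msg:'\n\nProduct version not found on the home page "/". Now trying to retrieve it on a page after user authentication.' +
        '\n\nResponse Code: ' + res[0] +
        '\n\nHeaders: ' + res[1] +
        '\n\nBody: ' + res[2] + '\n\n');
      if (!isnull(res) && res[0] =~ '^HTTP/[0-9.]+ +200')
      {
        # The login form expects the cval cookie value echoed back in the body.
        var pattern = "Set-Cookie:\s+cval=(\d+)";
        var match = pregmatch(pattern:pattern, string:res[1]);
        if (!empty_or_null(match) && !empty_or_null(match[1]))
        {
          var cval = match[1];
          # Percent-encode the credentials: a raw '&', '=', '+' or '%' in either
          # value would otherwise corrupt the form body or add extra parameters.
          # NOTE(review): the configured scan credentials are sent to a service
          # identified only by the page markers above, over whatever transport
          # this port uses - confirm the policy limits them to intended, TLS
          # protected targets.
          var data = 'cval=' + cval +
                     '&username=' + urlencode(str:username) +
                     '&password=' + urlencode(str:password) +
                     '&return_to=/en-GB/&set_has_logged_in=false';
          res = http_send_recv3(
            port:port,
            method:'POST',
            item:'/en-GB/account/login',
            data:data,
            exit_on_fail:FALSE
          );
          # NOTE(review): the login response headers and body are logged in
          # full; any session cookie the server sets here ends up in the debug
          # log, so treat level-1 debug output as sensitive.
          dbg::detailed_log(
            lvl:1,
            src:SCRIPT_NAME,
            msg:'\n\nNow performing user authentication ({"status": 0} indicates a success):' +
            '\n\nResponse Code: ' + res[0] +
            '\n\nHeaders: ' + res[1] +
            '\n\nBody: ' + res[2] + '\n\n');
          # Only the HTTP status is checked; the {"status": 0} body marker
          # mentioned in the log message is not verified by this code.
          if (!isnull(res) && res[0] =~ '^HTTP/[0-9.]+ +200')
          {
            res = http_send_recv3(
              port:port,
              method:'GET',
              item:'/en-US/app/launcher/home',
              follow_redirect:3,
              exit_on_fail:FALSE
            );
            dbg::detailed_log(
              lvl:1,
              src:SCRIPT_NAME,
              msg:'\n\nUser has successfully autheticated, try to retrieve the product version from response:' +
              '\n\nResponse Code: ' + res[0] +
              '\n\nHeaders: ' + res[1] +
              '\n\nBody: ' + res[2] + '\n\n');
            # Allow multi-digit components (e.g. x.y.10); single-digit-only
            # matching would leave such releases reported as unknown.
            pattern = '"version":[ ]+"((?:\\d+\\.)+\\d+)"';
            match = NULL;
            if (!isnull(res))
              match = pregmatch(pattern:pattern, string:res[2]);
            if (!empty_or_null(match) && !empty_or_null(match[1]))
            {
              version = match[1];
              dbg::detailed_log(lvl:1, src:SCRIPT_NAME, msg:'Product version ' + version + ' found (after user authentication).');
            }
          }
        }
      }
    }
  }

  # Check if the version was found in the Management API
  if (version == UNKNOWN_VER)
  {
    # get_single_install() exits if the app is not installed
    # Make that call conditional so we can still report for installs with UNKNOWN_VER
    var api_mgt_port = get_kb_item('Splunk/ManagementAPI/port');
    var api_install = NULL;
    if (!empty_or_null(api_mgt_port))
      api_install = get_single_install(app_name:"Splunk", port:api_mgt_port, webapp:TRUE);
    if(!empty_or_null(api_install))
      version = api_install['version'];
  }

  # Anything that is not purely digits and dots is discarded rather than
  # registered as a version.
  if (version !~ "^[0-9.]+$")
    version = UNKNOWN_VER;

  # Normalize version to X.Y.Z, ie : 4.1 denotes 4.1.0
  if(version =~ "^[0-9]+\.[0-9]+$")
    version += ".0";

  # Non-reported flags and reported extras for the install record.
  var extranp = make_array("isapi", FALSE,"isweb", TRUE);
  var extra = make_array("Web interface", TRUE);
  if (license)
    extra["License"] = license;
  if (build)
    extra["Build"] = build;

  register_install(
    vendor : "Splunk",
    product : "Splunk",
    app_name : app,
    port : port,
    version : version,
    path : dir,
    extra : extra,
    extra_no_report : extranp,
    webapp : TRUE,
    cpe : "cpe:/a:splunk:splunk"
  );
  report_installs(app_name:app, port:port);
}
else
{
  # None of the fingerprints matched: audit out as "web app not installed".
  audit (AUDIT_WEB_APP_NOT_INST, app, port);
}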