Sc0pe Templates

For anyone interested in writing or porting existing exploits over to Sc0pe, the process is super simple. First, you will need to create a new template.sh file under /usr/share/sniper/templates/active/ for active scanners and /usr/share/sniper/templates/passive/ for passive scanners. You can now copy an existing template to rename or create a new file with the following format:

AUTHOR='@xer0dayz'
VULN_NAME='Apache Solr Detected'
URI='/'
METHOD='GET'
MATCH='Solr Admin'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'

Passive scanners use grep regex matching of any local file to determine vulnerability detection and use the following format:

AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Credentials Enabled'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='Access-Control-Allow-Credentials: true'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''

One thing to note is that when saving template.sh file you created, be sure to not use spaces in the files (ie. CORS Policy – Allow-Credentials Enabled.sh). Instead, use underscores like “CORS_Policy_-_Allow-Credentials_Enabled.sh”.

Once your new template is created, all you need to do is run a scan. For active checks, you can choose from ‘normal’, ‘web’, ‘vulnscan’, ‘webporthttp’ and ‘webporthttps’ as well as any of the mass scan modes (ie. massweb, etc.). All other modes will only use passive scan modules to detect vulnerabilities.