Repository: 1N3/Sn1per
Branch: master
Commit: 68282e0bcb71
Files: 291
Total size: 4.5 MB
Directory structure:
gitextract_f31pf8ur/
├── .github/
│ └── workflows/
│ ├── build-push-ghcr.yml
│ └── semgrep.yml
├── CHANGELOG.md
├── Dockerfile
├── Dockerfile.blackarch
├── LICENSE.md
├── README.md
├── bin/
│ ├── github-subdomains.py
│ ├── http-default-accounts-fingerprints-nndefaccts.lua
│ ├── nmap-bootstrap.xsl
│ ├── pyText2pdf.py
│ ├── report.py
│ ├── samrdump.py
│ ├── slack.sh
│ ├── waybackrobots.py
│ ├── waybackurls.py
│ ├── webscreenshot.js
│ ├── webscreenshot.py
│ └── zap-scan.py
├── conf/
│ ├── bug_bounty_full_brute
│ ├── bug_bounty_max_javascript_files
│ ├── bug_bounty_quick
│ ├── bug_bounty_quick_port_80_443_only
│ ├── deep_active_recon
│ ├── default
│ ├── fast_service_portscan
│ ├── super_stealth_mode
│ ├── super_stealth_mode_OSINT
│ ├── web_mode_all_plugins
│ ├── webpwn_only
│ ├── webpwn_only_metasploit_disabled
│ └── zap_only_webscan
├── docker-compose-blackarch.yml
├── docker-compose.yml
├── install.sh
├── loot/
│ └── README.md
├── modes/
│ ├── airstrike.sh
│ ├── bruteforce.sh
│ ├── discover.sh
│ ├── flyover.sh
│ ├── fullportonly.sh
│ ├── fullportscan.sh
│ ├── javascript-analysis.sh
│ ├── massportscan.sh
│ ├── massvulnscan.sh
│ ├── massweb.sh
│ ├── masswebscan.sh
│ ├── normal.sh
│ ├── normal_webporthttp.sh
│ ├── normal_webporthttps.sh
│ ├── nuke.sh
│ ├── osint.sh
│ ├── osint_stage_2.sh
│ ├── recon.sh
│ ├── sc0pe-active-webscan.sh
│ ├── sc0pe-network-scan.sh
│ ├── sc0pe-passive-webscan.sh
│ ├── sc0pe.sh
│ ├── static-grep-search.sh
│ ├── stealth.sh
│ ├── vulnscan.sh
│ ├── web.sh
│ ├── web_autopwn.sh
│ ├── webporthttp.sh
│ ├── webporthttps.sh
│ └── webscan.sh
├── pro/
│ └── notepad.html
├── sn1per.desktop
├── sniper
├── sniper.conf
├── templates/
│ ├── active/
│ │ ├── AWS_S3_Public_Bucket_Listing.sh
│ │ ├── ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh
│ │ ├── Apache_Solr_Scanner.sh
│ │ ├── Apache_Tomcat_Scanner.sh
│ │ ├── AvantFAX_LOGIN_Detected.sh
│ │ ├── CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh
│ │ ├── CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh
│ │ ├── CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh
│ │ ├── CVE-2019-11581_-_Jira_Template_Injection.sh
│ │ ├── CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh
│ │ ├── CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh
│ │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh
│ │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh
│ │ ├── CVE-2019-17558_-_Apache_Solr_RCE.sh
│ │ ├── CVE-2019-19719_Tableau_Server_DOM_XSS.py
│ │ ├── CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh
│ │ ├── CVE-2019-19908_-_phpMyChat-Plus_XSS.sh
│ │ ├── CVE-2019-5418_-_Rail_File_Content_Disclosure.sh
│ │ ├── CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled
│ │ ├── CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh
│ │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh
│ │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_1.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_2.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_3.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_4.sh
│ │ ├── CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh
│ │ ├── CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh
│ │ ├── CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh
│ │ ├── CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh
│ │ ├── CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh
│ │ ├── CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh
│ │ ├── CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh
│ │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh
│ │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh
│ │ ├── CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh
│ │ ├── CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh
│ │ ├── CVE-2020-15129_-_Open_Redirect_In_Traefik.sh
│ │ ├── CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh
│ │ ├── CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh
│ │ ├── CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh
│ │ ├── CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh
│ │ ├── CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh
│ │ ├── CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh
│ │ ├── CVE-2020-25213_-_WP_File_Manager_File_Upload.sh
│ │ ├── CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh
│ │ ├── CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh
│ │ ├── CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh
│ │ ├── CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh
│ │ ├── CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_1.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_2.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_3.sh
│ │ ├── CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_XSS.sh
│ │ ├── CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh
│ │ ├── CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh
│ │ ├── CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh
│ │ ├── CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh
│ │ ├── CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled
│ │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.py
│ │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.sh
│ │ ├── CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh
│ │ ├── CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh
│ │ ├── CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh
│ │ ├── CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh
│ │ ├── CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh
│ │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh
│ │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh
│ │ ├── CVE-2020-8512_-_IceWarp_WebMail_XSS.sh
│ │ ├── CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh
│ │ ├── CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh
│ │ ├── CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh
│ │ ├── CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh
│ │ ├── CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh
│ │ ├── CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh
│ │ ├── Cisco_VPN_Login_Scanner.sh
│ │ ├── Cisco_VPN_Scanner.sh
│ │ ├── Citrix-Access-Gateway_Detected.sh
│ │ ├── Citrix_VPN_Scanner.sh
│ │ ├── Citrix_VPN_Scanner_2.sh
│ │ ├── Clear-text_Communications_HTTP.sh
│ │ ├── Clickjacking.sh
│ │ ├── Common_Status_File_Scanner_1.sh
│ │ ├── Common_Status_File_Scanner_2.sh
│ │ ├── Common_Status_File_Scanner_3.sh
│ │ ├── Confluence_Scanner.sh
│ │ ├── Contact_Form_7_Wordpress_Plugin_Found_1.sh
│ │ ├── Contact_Form_7_Wordpress_Plugin_Found_2.sh
│ │ ├── Directory_Listing_Enabled.sh
│ │ ├── Drupal_Install_Found.sh
│ │ ├── Drupal_Scanner_1.sh
│ │ ├── Drupal_Scanner_2.sh
│ │ ├── Drupal_Scanner_3.sh
│ │ ├── Drupal_User_Login.sh
│ │ ├── Drupal_Version_Disclosure.sh
│ │ ├── F5_BIG-IP_Scanner.sh
│ │ ├── F5_BIG-IP_Scanner_2.sh
│ │ ├── Fortigate_Pulse_Connect_Secure_Scanner.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh
│ │ ├── Frontpage_Service_Password_Disclosure.sh
│ │ ├── Git_Config_Detected.sh
│ │ ├── JK_Status_Manager.sh
│ │ ├── Jaspersoft_Detected.sh
│ │ ├── Jenkins_Scanner.sh
│ │ ├── Jetty_Version_Disclosure.sh
│ │ ├── Jira_Scanner_1.sh
│ │ ├── Jira_Scanner_2.sh
│ │ ├── Jira_Scanner_3.sh
│ │ ├── Jolokia_Version_Disclosure.sh
│ │ ├── Joomla_Scanner_1.sh
│ │ ├── Joomla_Scanner_2.sh
│ │ ├── Joomla_Version_Disclosure.sh
│ │ ├── Laraval_Environment_File_Found.sh
│ │ ├── MS_SQL_Reporting_Server_Scanner_1.sh
│ │ ├── MS_SQL_Reporting_Server_Scanner_2.sh
│ │ ├── Magento_2.3.0_SQL_Injection.sh
│ │ ├── Mailman_Version_Disclosure.sh
│ │ ├── MobileIron_Login_1.sh
│ │ ├── MobileIron_Login_2.sh
│ │ ├── MobileIron_Login_3.sh
│ │ ├── PHP_Composer_Disclosure.sh
│ │ ├── PHP_Info.sh
│ │ ├── Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh
│ │ ├── PulseSecure_VPN_Detected.sh
│ │ ├── RabbitMQ_Management_Default_Credentials.sh
│ │ ├── RabbitMQ_Management_Interface_Detected.sh
│ │ ├── Robots.txt_Detected.sh
│ │ ├── SAP_NetWeaver_AS_JAVA_LM_Configuration_Wizard_Detection.sh
│ │ ├── SQLiteManager_Scanner_1.sh
│ │ ├── Sitemap.xml_Detected.sh
│ │ ├── SolarWinds_Orion_Default_Credentials_1.sh
│ │ ├── SolarWinds_Orion_Default_Credentials_2.sh
│ │ ├── SolarWinds_Orion_Panel.sh
│ │ ├── TeamQuest_Login_Found.sh
│ │ ├── Telerik_File_Upload_Web_UI.sh
│ │ ├── Tiki_Wiki_CMS_Groupware_Scanner.sh
│ │ ├── Unauthenticated_Jenkins_Dashboard_Detected.sh
│ │ ├── VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh
│ │ ├── Weak_Authentication_Scanner.sh
│ │ ├── WebLogic_Scanner.sh
│ │ ├── Web_Config_Detected.sh
│ │ ├── Weblogic_Application_Server_Detected.sh
│ │ ├── Wordpres_Scanner_1.sh
│ │ ├── Wordpres_Scanner_2.sh
│ │ ├── Wordpres_Scanner_3.sh
│ │ ├── Wordpress_WP-File-Manager_Version_Detected.sh
│ │ ├── XSS.py
│ │ ├── cPanel_Login_Found.sh
│ │ ├── cPanel_Login_Found_2.sh
│ │ └── phpMyAdmin_Scanner_1.sh
│ └── passive/
│ ├── network/
│ │ ├── CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh
│ │ ├── Default_Credentials_BruteX.sh
│ │ ├── Default_Credentials_NMap.sh
│ │ ├── Interesting_Domain_Found.sh
│ │ ├── Lack_of_SPF_DNS_Record.sh
│ │ ├── Possible_Takeover_Detected.sh
│ │ ├── SMB_Info_Disclosure.sh
│ │ ├── SMBv1_Enabled.sh
│ │ ├── SSH_Version_Disclosure.sh
│ │ ├── Subjack_Takeover_Detected.sh
│ │ ├── Subover_Takeover_Detected.sh
│ │ └── recursive/
│ │ ├── Component_With_Known_Vulnerabilities_-_NMap.sh
│ │ └── Interesting_Ports_Found.sh
│ └── web/
│ ├── Autocomplete_Enabled.sh
│ ├── CORS_Policy_-_Allow-Credentials_Enabled.sh
│ ├── CORS_Policy_-_Allow-Origin_Wildcard.sh
│ ├── CSP_Not_Enforced.sh
│ ├── Clear-text_Communications_HTTP.sh
│ ├── Clickjacking.sh
│ ├── Drupal_Detected.sh
│ ├── Expired_SSL_Certificate.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh
│ ├── Insecure_Cookie_-_HTTPOnly_Not_Set.sh
│ ├── Insecure_Cookie_-_Secure_Not_Set.sh
│ ├── Insecure_SSL_TLS_Connection.sh
│ ├── Insecure_SSL_TLS_Connection_CN_Mismatch.sh
│ ├── Interesting_Title_Found.sh
│ ├── Server_Header_Disclosure.sh
│ ├── Strict_Tranposrt_Security_Not_Enforced.sh
│ ├── Trace_Method_Enabled.sh
│ ├── X-Powered-By_Header_Found.sh
│ └── recursive/
│ ├── Arachni_Vulnerability_Scan.disabled
│ ├── Arachni_Vulnerability_Scan_-_HTTP.sh
│ ├── Arachni_Vulnerability_Scan_-_HTTPS.sh
│ ├── Nikto_Vulnerability_Scan-HTTP.sh
│ ├── Nikto_Vulnerability_Scan-HTTPS.sh
│ ├── Nuclei_Vulnerability_Scan_-_HTTP.sh
│ ├── Nuclei_Vulnerability_Scan_-_HTTPS.sh
│ ├── OWASP_Zap_Scan_-_HTTP.sh
│ ├── OWASP_Zap_Scan_-_HTTPS.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTPS_1.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTPS_2.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTP_1.sh
│ └── Wordpress_Vulnerability_Scan_-_HTTP_2.sh
├── uninstall.sh
└── wordlists/
├── altdns.txt
├── domains-default.txt
├── domains-quick.txt
├── vhosts.txt
├── web-brute-common.txt
├── web-brute-exploits.txt
├── web-brute-full.txt
├── web-brute-stealth.txt
└── web-brute-vulnerabilities.txt
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/workflows/build-push-ghcr.yml
================================================
# Workflow: builds the repository's Dockerfile and publishes the image to the
# GitHub container registry (ghcr.io).
# NOTE(review): this listing has lost its YAML indentation; the nesting has to be
# restored before the file can be used as a workflow.
name: Build and Push
# Triggers: pushes to main, development and feat* branches, pushes of v* tags,
# and pull requests that target master.
# NOTE(review): the push filter names main while the pull_request filter names
# master — confirm which one is the default branch, otherwise merges to the
# default branch may never build.
on:
push:
branches:
- main
- development
- feat*
tags:
- "v*"
pull_request:
branches:
- master
# Workflow-level variables: target registry and the owner/repo string used as the image name.
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
docker-build:
# Token scopes for this job only: read the repository, write packages (needed
# for the GHCR push). Scopes not listed here are not granted to GITHUB_TOKEN.
permissions:
contents: read
packages: write
runs-on: ubuntu-latest
steps:
# Copies IMAGE_NAME into repo_name through $GITHUB_ENV for the later steps.
# The ${{ }} expression is substituted into the script text before the shell
# runs; the value here is the repository name. Do not reuse this pattern for
# values an outside contributor controls (PR titles, branch names) — hand
# those to the script through `env:` instead.
- name: Setting environment variables
run: |
echo "repo_name=${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
# NOTE(review): every `uses:` below is referenced by a mutable major-version tag.
# Pinning each one to a full commit SHA keeps a moved tag from changing what
# runs in a job that holds packages: write.
- uses: actions/checkout@v3
# Derives image tags and labels from the branch name, the PR ref and semver tags.
# NOTE(review): flavor latest=true asks the action to add `latest` on every run,
# so any publishing run (including a feat-* branch) would move `latest` —
# confirm that is intended.
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY}}/${{ env.repo_name }}
flavor: latest=true
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
# Authenticates to the registry as the triggering actor with the job's GITHUB_TOKEN.
# This step has no `if:`, so it runs for every trigger, pull requests included.
- name: Login to image repository
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Builds from the repository root with ./Dockerfile. The image is pushed only when
# the ref is a tag, the ref name is main, or the ref name starts with `feat-`.
# NOTE(review): the trigger pattern is feat* but this check is the prefix `feat-`,
# so a branch such as feature/x builds without publishing. Pushes to development
# match none of the three clauses; pull_request runs are expected to build
# without publishing as well — verify.
- name: Build and push
uses: docker/build-push-action@v3
with:
context: .
file: Dockerfile
push: ${{ github.ref_type == 'tag' || github.ref_name == 'main' || startsWith(github.ref_name, 'feat-')}}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
================================================
FILE: .github/workflows/semgrep.yml
================================================
# Workflow: runs `semgrep ci` static analysis inside the Semgrep container image.
# NOTE(review): this listing has lost its YAML indentation; the nesting has to be
# restored before the file can be used as a workflow.
# Triggers: manual dispatch, every pull request, pushes to main/master that touch
# this workflow file, and a daily schedule.
on:
workflow_dispatch: {}
pull_request: {}
push:
branches:
- main
- master
paths:
- .github/workflows/semgrep.yml
schedule:
# random HH:MM to avoid a load spike on GitHub Actions at 00:00
# (the expression below is 23:02 every day; GitHub evaluates schedules in UTC)
- cron: 2 23 * * *
name: Semgrep
jobs:
# NOTE(review): the job declares no `permissions:` block, so GITHUB_TOKEN gets the
# repository's default scopes. A scan only reads the checkout; consider
# `permissions: contents: read` at job level.
semgrep:
name: semgrep/ci
# NOTE(review): ubuntu-20.04 is a fixed runner label; GitHub has been retiring this
# hosted image — confirm it is still available or move to a supported label.
runs-on: ubuntu-20.04
# Token for the Semgrep platform, read from repository secrets.
# NOTE(review): secrets are normally not passed to pull_request runs from forks,
# so this is presumably empty there — check how `semgrep ci` behaves without it.
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# NOTE(review): the image has no tag or digest, so each run pulls whatever `latest`
# currently points to. Pin it by digest for reproducible scans that resist a
# swapped image; also confirm the image name against current Semgrep docs.
container:
image: returntocorp/semgrep
steps:
# NOTE(review): referenced by a mutable tag; a full commit SHA pin is the hardened form.
- uses: actions/checkout@v3
- run: semgrep ci
================================================
FILE: CHANGELOG.md
================================================
## CHANGELOG:
* v9.2 - Added Tomba.io API integration via OSINT mode (Credit: @benemohamed)
* v9.2 - Fixed issue with gau tool not installing and updated GAU setting in confs
* v9.2 - Updated python2 to python3
* v9.2 - Removed Slurp tool
* v9.2 - Added BlackArch Dockerfile (Credit: @AnonymousWP)
* v9.2 - Updated DockerFile to latest Kali release (Credit: @AnonymousWP)
* v9.1 - Fixed issue with dirsearch installation/command syntax update
* v9.1 - Updated Nuclei sc0pe templates
* v9.1 - Fixed issue with Nuclei sc0pe parsers not working
* v9.1 - Fixed issue with GAU installer/command not working
* v9.1 - Fixed issue with passive URL fetching
* v9.1 - Fixed issue with nuclei not being installed
* v9.1 - Removed error in hackertarget URL fetching
* v9.1 - Added dnsutils to installer to fix missing deps
* v9.1 - Fixed issue with gau in webscan modes not running
* v9.1 - Updated subfinder to latest version
* v9.1 - Added new email spoofing security checks to OSINT mode (-o)
* v9.1 - Removed spoofcheck.py
* v9.1 - Updated timeout settings for curl which was causing sockets/scans to hang
* v9.1 - Fixed issue with Nuclei symlink missing in installer
* v9.1 - Fixed issue with Nuclei sc0pe parser not parsing results correctly
* v9.1 - Fixed issue with Dirsearch not running due to invalid command settings
* v9.1 - Fixed issue with Nuclei templates not being installed
* v9.1 - Fixed issue with enum4linux command not being installed
* v9.1 - Fixed HackerTarget API integration
* v9.1 - Fixed issue with ping command not being installed
* v9.1 - Fixed issue with carriage returns in conf
* v9.1 - Fixed issue with DNS resolution in 'discover' mode scans causing duplicate hosts
* v9.1 - Fixed issue with bruteforce running automatically due to changes in conf file
* v9.1 - Added verbose scan notifications for disabled conf options
* v9.1 - Updated default aux mode options in default sniper.conf
* v9.0 - Added Fortinet FortiGate SSL VPN Panel Detected sc0pe template
* v9.0 - Added CVE-2020-17519 - Apache Flink Path Traversal sc0pe template
* v9.0 - Added RabbitMQ Management Interface Detected sc0pe template
* v9.0 - Added CVE-2020-29583 Zyxel SSH Hardcoded Credentials via BruteX
* v9.0 - Removed vulnscan NMap CSV updates/downloads to save space/bandwidth
* v9.0 - Added Nuclei sc0pe parser
* v9.0 - Added Nuclei vulnerability scanner
* v9.0 - Added Wordpress WPScan sc0pe vulnerability parser
* v9.0 - Fixed issue with wrong WPscan API key command
* v9.0 - Added CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal sc0pe template
* v9.0 - Renamed AUTO_VULNSCAN setting to "VULNSCAN" in sniper.conf to perform vulnerability scans via 'normal' mode
* v8.9 - Tuned sniper.conf around performance for all scans and recon modes
* v8.9 - Added out of scope options to config
* v8.9 - Added automatic HTTP/HTTPS web scans and vulnerability scans to 'normal' mode
* v8.9 - Added SolarWinds Orion Panel Default Credentials sc0pe template
* v8.9 - Added SolarWinds Orion Panel sc0pe template
* v8.9 - Fixed issue with UDP port scans not working
* v8.9 - Fixed issue with theHarvester not running on Kali 2020.4
* v8.9 - Added WPScan API support
* v8.9 - Added CVE-2020-8209 - XenMobile-Citrix Endpoint Management Config Password Disclosure sc0pe template
* v8.9 - Added CVE-2020-8209 - XenMobile-Citrix Endpoint Management Path Traversal sc0pe template
* v8.9 - Removed verbose error for chromium on Ubuntu
* v8.9 - Added CVE-2020-8209 - Citrix XenMobile Server Path Traversal sc0pe template
* v8.9 - Fixed F+ in CSP Not Enforced sc0pe template
* v8.9 - Added CVE-2020-14815 - Oracle Business Intelligence Enterprise DOM XSS sc0pe template
* v8.9 - Fixed issue with dnscan not working in Kali 2020.3
* v8.9 - Fixed issue with screenshots not working in Ubuntu 2020
* v8.9 - Added Frontpage Service Password Disclosure sc0pe template
* v8.9 - Removed Yasuo tool
* v8.8 - Fixed issue with webscreenshot on Kali 2020.3+
* v8.8 - Fixed error in install.sh for theharvester sym link
* v8.8 - Fixed issue with flyover mode not capturing web screenshots
* v8.8 - Added automatic 'flyover' scans of all discovered domains for 'recon' mode
* v8.8 - Added static grep searching rules of all URL's and sub-domains (see sniper.conf for details)
* v8.8 - Added verbose status logging to flyover mode showing HTTP status/redirect/title, etc.
* v8.8 - Added integration for Port Scanner Add-on for Sn1per Professional
* v8.8 - Added enhanced scanning of all unique dynamic URL's via InjectX fuzzer
* v8.8 - Added CVE-2020-25213 - WP File Manager File Upload sc0pe template
* v8.8 - Added cPanel Login Found sc0pe template
* v8.8 - Added Wordpress WP-File-Manager Version Detected sc0pe template
* v8.8 - Added VMware vCenter Unauthenticated Arbitrary File Read sc0pe template
* v8.8 - Added PHP Composer Disclosure sc0pe template
* v8.8 - Added Git Config Disclosure sc0pe template
* v8.8 - Added updated NMap vulscan DB files
* v8.8 - Added CVE-2020-9047 - exacqVision Web Service Remote Code Execution sc0pe template
* v8.8 - Removed UDP port scan settings/options and combined with full portscan ports
* v8.8 - Added CVE-2019-8442 - Jira Webroot Directory Traversal sc0pe template
* v8.8 - Added CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection sc0pe template
* v8.8 - Added CVE-2020-2551 - Unauthenticated Oracle WebLogic Server Remote Code Execution sc0pe template
* v8.8 - Added CVE-2020-14181 - User Enumeration Via Insecure Jira Endpoint sc0pe template
* v8.8 - Added Smuggler HTTP request smuggling detection
* v8.8 - Added CVE-2020-0618 - Remote Code Execution SQL Server Reporting Services sc0pe template
* v8.8 - Added CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix sc0pe template
* v8.8 - Added Jaspersoft Detected sc0pe template
* v8.8 - Added improved dirsearch exclude options to all web file/dir searches
* v8.8 - Fixed naming conflict for theharvester
* v8.8 - Created backups of all NMap HTML reports for fullportonly scans
* v8.8 - Added line limit to GAU URL's displayed in console
* v8.7 - Added AvantFAX LOGIN Detected sc0pe template
* v8.7 - Updated web file bruteforce lists
* v8.7 - Added updated Slack API integration/notifications
* v8.7 - Added Arachni, Nikto, Nessus, NMap + 20 passive sc0pe vulnerability parsers
* v8.7 - Added CVE-2020-15129 - Open Redirect In Traefik sc0pe template
* v8.7 - Added MobileIron Login sc0pe template
* v8.7 - Added Revive Adserver XSS sc0pe template
* v8.7 - Added IceWarp Webmail XSS sc0pe template
* v8.7 - Added Mara CMS v7.5 XSS sc0pe template
* v8.7 - Added Administrative Privilege Escalation in SAP NetWeaver sc0pe template
* v8.7 - Added Magento 2.3.0 SQL Injection sc0pe template
* v8.7 - Added CVE-2020-15920 - Unauthenticated RCE at Mida eFramework sc0pe template
* v8.7 - Added CVE-2019-7192 - QNAP Pre-Auth Root RCE sc0pe template
* v8.7 - Added CVE-2020-10204 - Sonatype Nexus Repository RCE sc0pe template
* v8.7 - Added CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection sc0pe template
* v8.7 - Added CVE-2020-2140 - Jenkin AuditTrailPlugin XSS sc0pe template
* v8.7 - Added CVE-2020-7209 - LinuxKI Toolset 6.01 Remote Command Execution sc0pe template
* v8.7 - Added CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution sc0pe template
* v8.7 - Added Sitemap.xml Detected sc0pe template
* v8.7 - Added Robots.txt Detected sc0pe template
* v8.7 - Added AWS S3 Public Bucket Listing sc0pe template
* v8.7 - Fixed logic error in stealth mode recon scans not running
* v8.7 - Added CVE-2020-7048 - WP Database Reset 3.15 Unauthenticated Database Reset sc0pe template
* v8.7 - Fixed F- detection in Wordpress Sc0pe templates
* v8.7 - Added CVE-2020-11530 - Wordpress Chop Slider 3 Plugin SQL Injection sc0pe template
* v8.7 - Added CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE sc0pe template
* v8.7 - Added CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass sc0pe template
* v8.6 - Added new Sn1per configuration flow that allows persistent user configurations and API key transfer
* v8.6 - Updated port lists to remove duplicate ports error and slim down list
* v8.6 - Updated PHP to 7.4
* v8.6 - Added CVE-2020-12720 - vBulletin Unauthenticaed SQLi
* v8.6 - Added CVE-2020-9757 - SEOmatic < 3.3.0 Server-Side Template Injection
* v8.6 - Added CVE-2020-1147 - Remote Code Execution in Microsoft SharePoint Server
* v8.6 - Added CVE-2020-3187 - Citrix Unauthenticated File Deletion
* v8.6 - Added CVE-2020-8193 - Citrix Unauthenticated LFI
* v8.6 - Added CVE-2020-8194 - Citrix ADC & NetScaler Gateway Reflected Code Injection
* v8.6 - Added CVE-2020-8982 - Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read
* v8.6 - Added CVE-2020-9484 - Apache Tomcat RCE by deserialization
* v8.6 - Added Cisco VPN scanner template
* v8.6 - Added Tiki Wiki CMS scanner template
* v8.6 - Added Palo Alto PAN OS Portal scanner template
* v8.6 - Added SAP NetWeaver AS JAVA LM Configuration Wizard Detection
* v8.6 - Added delete task workspace function to remove running tasks
* v8.6 - Added CVE-2020-3452 - Cisco ASA/FTD Arbitrary File Reading Vulnerability Sc0pe template
* v8.6 - Updated theharvester command to exclude github-code search
* v8.6 - Updated theharvester installer to v3.1
* v8.6 - Added urlscan.io API to OSINT mode (-o)
* v8.6 - Added OpenVAS package to install.sh
* v8.6 - Added Palo Alto GlobalProtect PAN-OS Portal Sc0pe template
* v8.6 - Fixed issue with Javascript downloader downloading localhost files instead of target
* v8.6 - Added CVE-2020-5902 F5 BIG-IP RCE sc0pe template
* v8.6 - Added CVE-2020-5902 F5 BIG-IP XSS sc0pe template
* v8.6 - Added F5 BIG-IP detection sc0pe template
* v8.6 - Added interesting ports sc0pe template
* v8.6 - Added components with known vulnerabilities sc0pe template
* v8.6 - Added server header disclosure sc0pe template
* v8.6 - Added SMBv1 enabled sc0pe template
* v8.6 - Removed verbose comment from stealth scan
* v8.5 - Added manual installer for Metasploit
* v8.5 - Added Phantomjs manual installer
* v8.5 - Added sc0pe template to check for default credentials via BruteX
* v8.5 - Added fullportscans to all 'web' mode scans to ensure full port coverage
* v8.5 - Fixed issue with 2nd stage OSINT scans not running
* v8.5 - Added port values to sc0pe engine to define port numbers
* v8.5 - Fixed issue with LinkFinder not working
* v8.5 - Fixed issue with Javascript link parser
* v8.5 - Added phantomjs dependency to fix webscreenshots on Ubuntu
* v8.5 - Added http-default-accounts NMap NSE to check for default web credentials
* v8.5 - Fixed several issues with install.sh to resolve deps on Ubuntu and Kali 2020.2
* v8.5 - Removed larger wordlists to reduce install size of Sn1per
* v8.5 - Added 20+ new active/passive sc0pe templates
* v8.5 - Fixed issue with installer on latest Kali and Docker builds
* v8.5 - Fixed custom installer for Arachni
* v8.5 - Fixed Dockerfile with updated Kali image (CC. @stevemcilwain)
* v8.4 - Added project "Sc0pe" active/passive vulnerability scanner
* v8.4 - Added 68 new active sc0pe templates
* v8.4 - Added 14 new passive sc0pe templates
* v8.4 - Added OWASP ZAP API integration
* v8.4 - Added 8 new Sn1per configuration templates (see /usr/share/sniper/conf/)
* v8.4 - Added Gau (https://github.com/lc/gau)
* v8.4 - Added rapiddns subdomain retrieval
* v8.4 - Updated web content wordlists
* v8.4 - Improved efficiency of 'web' and 'recon' mode scans
* v8.4 - Disabled legacy Metasploit web exploits (check Sn1per conf to re-enable)
* v8.4 - Fixed issue with dirsearch asterisk being used incorrectly
* v8.4 - Fixed issue with airstrike mode not updating Sn1per Professional v8.0 host list
* v8.4 - Fixed issue with webtech re.error: invalid group reference 1 at position 130
* v8.3 - Added Github subdomain retrieval (requires API key/conf options enabled)
* v8.3 - Added NMAP_OPTIONS setting to sniper.conf to configure optional NMap scan settings
* v8.3 - Added option to specify custom Sn1per configuration via (-c) switch
* v8.3 - Created several custom config files to select from, including: bug_bounty_quick, bug_bounty_max_javascript, super_stealth_mode, webpwn_only + more
* v8.3 - Added workspace --export option to backup/export a workspace
* v8.3 - Added flyover mode tuning options to sniper.conf
* v8.3 - Added GitGraber automated Github leak search (https://github.com/hisxo/gitGraber)
* v8.3 - Added static Javascript parsing for sub-domains, URL's, path relative links and comments
* v8.3 - Added js-beautifier
* v8.3 - Added LinkFinder Javascript link finder (https://github.com/GerbenJavado/LinkFinder)
* v8.3 - Added fprobe HTTP probe checker (https://github.com/theblackturtle/fprobe)
* v8.3 - Added Cisco RV320 and RV325 Unauthenticated Remote Code Execution CVE-2019-1653 MSF exploit
* v8.3 - Improved performance of 'stealth' and 'recon' modes
* v8.3 - Updated default port lists
* v8.3 - Improved performance of all port scans
* v8.3 - Added fix for missing Amass package
* v8.3 - Added sniper.conf options for OPENVAS_HOST and OPENVAS_PORT selection for remote instances
* v8.3 - Improved 'vulnscan' mode via OpenVAS to scan the same asset multiple times with improved error handling
* v8.2 - Added root priv check to sniper script to run
* v8.2 - Added NMap port change notifications via Slack
* v8.2 - Fixed issue with firefox not loading on Kali Linux 2020.1
* v8.2 - Fixed issue with Masswebscan mode not working
* v8.2 - Added Rails file exposure exploit CVE-2019-5418
* v8.2 - Updated wordlist selections to fingerprint common vulnerable applications
* v8.2 - Added h8mail compromised credentials check to OSINT (-o) mode
* v8.2 - Added Kali start menu app & icon for Sn1per
* v8.2 - Added check for insecure SSL/TLS connections
* v8.2 - Added NMAP_OPTIONS setting in ~/.sniper.conf to configure optional NMap settings
* v8.2 - Fixed issue with ManageEngine MSF exploit payload
* v8.2 - Added Spyse sub-domain enumeration tool (https://github.com/zeropwn/spyse.py)
* v8.2 - Fixed issue with Subjack (open /src/github.com/haccer/subjack/fingerprints.json: no such file or directory)
* v8.1 - Added Citrix Gateway Arbitrary Code Execution CVE-2019-19781 vulnerability detection
* v8.1 - Added Pulse Secure VPN Arbitrary File Disclosure CVE-2019-11510 exploit
* v8.1 - Added --data-length=50 for NMap IPS evasion
* v8.1 - Removed NMap vulscan script due to F+ results
* v8.1 - Fixed issue with CRT.SH sub-domain retrieval
* v8.1 - Updated Kali Linux keyring package
* v8.1 - Fixed "[: ==: unary operator expected" in all code
* v8.1 - Updated Sn1per Professional autoload settings
* v8.1 - Updated web brute force wordlists
* v8.1 - Removed null and debug errors from passive spider API output
* v8.1 - Updated Commoncrawl index repo
* v8.1 - Updated DockerFile repository
* v8.1 - Fixed issue with -dh flag to delete host with Sn1per Pro v8.0
* v8.1 - Fixed issue with subfinder missing
* v8.1 - Fixed issue with 7zip missing
* v8.1 - Added check for Ubuntu to install.sh automatically
* v8.0 - Added ASnip tool to retrieve ASN's via 'recon' mode
* v8.0 - Added Shodan sub-domain lookup
* v8.0 - Added script timeout flag for NMap scripts
* v8.0 - Fixed issue with dnsenum getting stuck on gathering dns info stage
* v8.0 - Added option to force upgrade/install.sh without user prompt (ie. ./install.sh force)
* v8.0 - Fixed issue with theHarvester package on Ubuntu systems
* v8.0 - Fixed error "[: ==: unary operator expected" in all modes
* v8.0 - Added net-tools package for Ubuntu OS deps
* v7.4 - Added LDAP anonymous search to port 389/tcp checks (Shoutout @D0rkerDevil)
* v7.4 - Added Java RMI dump registry scan checks and exploits to port 8001/tcp (Shoutout @D0rkerDevil)
* v7.4 - Added CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure MSF module
* v7.4 - Added virtualhost scanning via web mode
* v7.4 - Added Gobuster
* v7.4 - Added URLCrazy DNS alterations check to OSINT mode
* v7.4 - Added Ultratools Whois Lookups to OSINT mode
* v7.4 - Added Email-Format.com Email Retrieval to OSINT mode
* v7.4 - Added Metasploit OSINT email retrieval to OSINT mode
* v7.4 - Added Hackertarget URL API retrieval to web modes
* v7.4 - Fixed error in massvulnscan mode
* v7.4 - Fixed issue with webscreenshot.py not running
* v7.4 - Added reverse whois DNS search via AMass
* v7.4 - Added MassDNS IP's to master sorted IP list
* v7.4 - Fixed issue with MassDNS installation
* v7.4 - Fixed bad path with DNSGen
* v7.4 - Fixed issue with AMass not running
* v7.4 - Improved performance of AltDNS/DNSgen/MassDNS retrieval
* v7.4 - Changed webscreenshot.py setting to use chrome browser and increased timeout
* v7.4 - Fixed issue with missing xmlstarlet package for OpenVAS scans
* v7.4 - Improved active web spider URL consolidation
* v7.3 - Added CVE-2019-15107 Webmin <= 1.920 - Unauthenticated RCE MSF exploit
* v7.3 - Added massdns plugin
* v7.3 - Added altdns plugin
* v7.3 - Added dnsgen plugin
* v7.3 - Updated web file/dir wordlists from public exploits and honeypots
* v7.3 - Added time stamps to all commands
* v7.3 - Removed CloudFront from domain hijacking checks
* v7.3 - Removed snmp-brute.nse script due to scan issues
* v7.3 - Fixed issue with discover scan workspace names
* v7.3 - Fixed issue with DockerFile (sed: can't read /usr/bin/msfdb: No such file or directory)
* v7.3 - Fixed issue with installer on docker not having pip installed
* v7.3 - Fixed issue with port 161 not being referenced correctly in scans
* v7.2 - Added experimental OpenVAS API integration
* v7.2 - Improved Burpsuite 2.x API integration with vuln reporting
* v7.2 - Added hunter.io API integration to recon mode scans
* v7.2 - Added Cisco IKE Key Disclosure MSF exploit
* v7.2 - Added JBoss MSF vuln scanner module
* v7.2 - Added Apache CouchDB RCE MSF exploit
* v7.2 - Added IBM Tivoli Endpoint Manager POST Query Buffer Overflow exploit
* v7.2 - Added Java RMI MSF scanner
* v7.2 - New scan mode "vulnscan"
* v7.2 - New scan mode "massportscan"
* v7.2 - New scan mode "massweb"
* v7.2 - New scan mode "masswebscan"
* v7.2 - New scan mode "massvulnscan"
* v7.2 - Added additional Slack API notification settings
* v7.2 - Improved NMap port detection and scan modes
* v7.2 - Fixed issue with Censys API being enabled by default
* v7.2 - Fixed verbose errors in subjack/subover tools
* v7.2 - Fixed issue with NMap http scripts not working
* v7.1 - Added BlueKeep CVE-2019-0708 MSF scanner
* v7.1 - Added automatic workspace generation for single target scans
* v7.1 - Added new slack.sh API integration script
* v7.1 - Added differential Slack notifications for new domains, new URL's and various scan outputs
* v7.1 - Added vulners and vulscan NMap scripts
* v7.1 - Added installer and support for Debian, Parrot and Ubuntu OS (install_debian.sh) (CC. @imhaxormad)
* v7.1 - Fixed various issues with the DockerFile
* v7.1 - Fixed/added Metasploit LHOST/LPORT values to all exploits based on sniper.conf settings
* v7.1 - Fixed issue with Amass/Golang 1.11 not installing correctly
* v7.0 - Added "webscan" mode for automated Burpsuite 2.x and Arachni web application scans only
* v7.0 - Added Slack API notifications (Disabled by default..check ~/.sniper.conf)
* v7.0 - Added new command switch to add daily, weekly or monthly sniper scheduled scans... check README
* v7.0 - Added scheduled scan tasks command switch (Needs additional configuration to setup... check README)
* v7.0 - Added Axis2 authenticated deployer MSF exploit
* v7.0 - Added Axis2 login brute force module
* v7.0 - Added subjack tool to check for subdomain hijacking
* v7.0 - Added sorted IP lists under $LOOT_DIR/ips/ips-all-sorted.txt
* v7.0 - Added subnet retrieval for all 'recon' mode scans under $LOOT_DIR/nmap/subnets-$TARGET.txt
* v7.0 - Added Webscreenshot.py and disabled cutycapt from default config
* v7.0 - Added Gobuster (Disabled by default..check ~/.sniper.conf)
* v7.0 - Fixed issue with SubOver not working due to bad path
* v7.0 - Fixed issue with flyover mode running 2x
* v6.3 - Added Drupal REST Unserialize RCE CVE-2019-6340
* v6.2 - Added Glassfish Admin traversal MSF exploit
* v6.2 - Added ElasticSearch Java Injection MSF RCE exploit
* v6.2 - Added WebTech web fingerprinting tool
* v6.2 - Added censys subdomain retrieval and API key config
* v6.2 - Added project sonar sub-domain retrieval
* v6.2 - Added command switch to remove workspace (-d)
* v6.2 - Added command switch to remove host (-dh)
* v6.2 - Added DockerFile to run Sn1per in Docker (CC. Hariom Vashisth <hariom.devops@gmail.com>)
* v6.2 - Changed option to automatically import all NMap XML's into Metasploit's DB
* v6.2 - Changed option to automatically load Sn1per Professional's report when scans complete
* v6.2 - Added config option to enable/disable subdomain hijacking checks in sniper.conf
* v6.2 - Fixed issue with sniper --list command having invalid reference
* v6.2 - Fixed issue with theharvester not running
* v6.1 - Added automated web scanning via Burpsuite Pro 2.x API for all 'web' mode scans
* v6.1 - Added Waybackmachine URL retrieval to all web scans
* v6.1 - Converted all exploits to Metasploit
* v6.1 - Added configuration options to set LHOST/LPORT for all Metasploit exploits in sniper.conf
* v6.1 - Added improved web brute forcing dictionaries for all scan modes
* v6.1 - Added individual logging for all tools under the loot directory
* v6.1 - Added new sniper.conf options to enabled/disable all plugins and change settings per user
* v6.1 - Fixed issue with CMSMap install/usage
* v6.1 - Fixed issue with WPScan gem dependency missing (public_suffix)
* v6.1 - Fixed timeout setting in cutycapt
* v6.1 - Fixed issue with theharvester not running correctly
* v6.1 - Fixed issue with Amass not running due to invalid command line options in latest release
* v6.1 - Fixed issue with Sn1per Professional notepad.html missing
* v6.1 - Cleaned up plugins and install dependencies list
* v6.0 - Improved scan options for discover mode scans
* v6.0 - Fixed issue with pip3 dependency package missing
* v6.0 - Removed iceweasel from install.sh to fix apt error
* v5.9 - Fixed issue with auto updates not notifying users of updates
* v5.8 - Fixed issue with subfinder not working due to lack of wordlist switch
* v5.8 - Fixed missing osint directory/file paths
* v5.7 - Added libSSH auth bypass scanner CVE-2018-10933
* v5.7 - Added HTTP PUT method RCE MSF exploit
* v5.7 - Added sniper.conf scan configuration file to customize sniper environments by user
* v5.7 - Added modular scan mode source files
* v5.7 - Updated wordlists for improved performance and results
* v5.7 - Fixed issue with DNScan using an invalid path
* v5.6 - Changed automatic report generation to "ON" for Sn1per Pro users
* v5.5 - Added new multi-threaded high speed "flyover" mode
* v5.5 - Added new scan status mode via (sniper --status) command
* v5.5 - Apache Struts CVE-2018-11776 RCE exploit
* v5.5 - Added Android Insecure ADB RCE auto exploit
* v5.5 - Added Apache Tomcat CVE-2017-12617 RCE exploit
* v5.5 - Added Oracle WebLogic WLS-WSAT Component Deserialisation RCE CVE-2017-10271 MSF exploit
* v5.5 - Added BlackWidow web application scanner with INJECTX fuzzer
* v5.5 - Added CVE-2018-15473 SSH user enumeration script
* v5.5 - Minor wordlist updates for web file brute forcing
* v5.4 - Updated Golang in install.sh
* v5.3 - Updated AMass repo in install.sh
* v5.3 - Removed CloudFail
* v5.3 - Fixed issue with subfinder missing brute force list
* v5.3 - Fixed issue with invalid dnsscan reference
* v5.2 - Added SubOver subdomain takeover scanner
* v5.2 - Added Subfinder subdomain enumeration tool
* v5.2 - Added Amass subdomain enumeration tool
* v5.2 - Added configurable modules/plugins to sniper script
* v5.2 - Added MS17-010 SMB Eternal Blue MSF exploit
* v5.2 - Added MSF Postgresql login scanner
* v5.2 - Added passive web spider
* v5.2 - Added WebDav metasploit aux modules
* v5.2 - Added NetBIOS NMap/MSF enumeration
* v5.2 - Added SMB MSF enumeration
* v5.2 - Added NFS MSF enumeration
* v5.2 - Added SSH MSF enumeration
* v5.2 - Added BadBlue Passthru MSF exploit
* v5.2 - Added SMB GPP MSF aux module
* v5.2 - Added Intel AMT MSF scanner
* v5.2 - Added MySQL MSF scanner
* v5.2 - Added MS03-026 DCOM RCE MSF exploit
* v5.2 - Added VNC no auth MSF scanner
* v5.2 - Added FTP MSF version scanner
* v5.2 - Added FTP anonymous access MSF scanner
* v5.2 - Added MS12-020 RDP MSF scanner
* v5.2 - Added MS10-061 Spoolss MSF exploit
* v5.2 - Added MS15-034 Sys Memory Dump MSF exploit
* v5.2 - Added MS06-040 Netapi MSF exploit
* v5.2 - Added MS05-039 PNP MSF exploit
* v5.2 - Added MS12-020 Max Channels RDP scanner
* v5.2 - Added JBoss status MSF scanner
* v5.2 - Added Apache Struts 2 REST Plugin XStream RCE check
* v5.2 - Added Apache Tomcat UTF8 Traversal MSF exploit
* v5.2 - Added Apache OPTIONS Bleed MSF exploit
* v5.2 - Added HP ILO Auth Bypass MSF exploit
* v5.2 - Added Joomla Comfields SQL injection MSF exploit
* v5.1 - Added dnscan to install.sh and updated sniper references which were broken
* v5.1 - Changed default brute force list for dnscan to improve performance of scans
* v5.1 - Removed CloudHunter and SubOver references (CC. 爱上平顶山)
* v5.0 - Added Sn1per Pro reporting interface (see https://sn1persecurity.com for more details)
* v5.0 - Added GPON Router RCE auto exploit
* v5.0 - Added Cloudapp.net Azure subdomain takeover check
* v5.0 - Added Cisco ASA Directory Traversal auto exploit (CVE-2018-0296)
* v5.0 - Added Wig Web Information Gatherer
* v5.0 - Added Dirsearch with custom dirsearch wordlists (quick, normal, full)
* v5.0 - Fixed bug in installer/upgrade which copied the local dir contents to the install dir
* v5.0 - Improved scan performance while taking web screenshots
* v5.0 - Fixed repo issue with Slurp (Shoutz to @ifly53e)
* v5.0 - Fixed issues with wrong ports listed in port scans (Shoutz to @ifly53e)
* v5.0 - Minor code fixes and typos corrected (Shoutz to @ifly53e)
* v5.0 - Updated "discover" mode scans for improved performance
* v4.5 - Added Apache Struts 2 CVE-2017-9805 and CVE-2017-5638 detection
* v4.5 - Added dirsearch web/file brute forcing
* v4.5 - Added smart file/directory brute forcing to all scan modes.
* v4.5 - Added subdomain brute force scan option to Sublist3r scan.
* v4.4 - Fixed issue with sniper nuke and airstrike modes not running.
* v4.4 - Added improved SNMP checks via NMap/Metasploit.
* v4.4 - Resolved dependency issue for nfs-common package.
* v4.4 - Fixed bug in sniper -fp command switch.
* v4.3 - Fixed bug in version info.
* v4.2 - Fixed bad merge in 4.1 causing sniper to break.
* v4.1 - Fixed a few bugs with various command line switches for airstrike and nuke modes.
* v4.1 - Fixed issue with path relative file inclusion via the -f flag. You can now include just the local filename (sniper -f targets.txt).
* v4.0 - Added new command switch options for all sniper scans (see --help for details)
* v4.0 - Added HTML formatted report for all workspaces to display screenshots, headers, reports and open ports
* v4.0 - Added optional scan options such as --recon, --osint, --fullportonly --bruteforce, etc. to selectively enable scan modules. (see --help for details)
* v4.0 - Improved Yasou scan options to include existing NMap XML files
* v4.0 - Added automatic HTML/TXT/PDF reporting for all scans by default
* v4.0 - Updated default workspace directory to store all loot files by $TARGET name or $WORKSPACE alias
* v4.0 - Added screenshot and header retrieval to loot storage
* v4.0 - Updated NMAP SMB enum script
* v3.0 - Improved performance of various sniper modes
* v3.0 - Added Aquatone domain flyover tool
* v3.0 - Added slurp S3 public AWS scanner
* v3.0 - Updated Sub-domain hijacking site list
* v3.0 - Changed look and feel of console output to help readability
* v3.0 - Added online/offline check to implement changes to scans when in online vs. offline mode
* v2.9 - New improved fullportonly scan mode
* v2.9 - Added online check to see if there's an active internet connection
* v2.9 - Changed default browser to firefox to clear up errors in loot command
* v2.9 - Created uninstall.sh script to uninstall sniper
* v2.9 - Removed automatic workspace creation per scan
* v2.9 - Added curl timeout in update command to fix lag
* v2.9 - Fixed minor NMap UDP scan flag issue
* v2.9 - Added Metagoofil
* v2.9 - Updated theharvester scan options to include more results
* v2.8 - Improved discovery mode scan performance and output
* v2.8 - Improved fullportonly scan performance
* v2.8 - Improved startup performance options
* v2.8 - Added Cansina web/file brute force tool
* v2.8 - Added webporthttp and webporthttps modes
* v2.8 - Added clusterd software enumeration tool
* v2.7 - Fixed issue with sniper update command and install.sh not running
* v2.7 - Fixed errors with GooHak
* v2.7 - Fixed syntax errors in sniper conditional statements
* v2.7 - Added CloudFail
* v2.7 - Fixed issue with [: ==: unary operator expected errors
* v2.6 - Added Blackarch Linux support
* v2.6 - Added $BROWSER variable to set default browser
* v2.5g - Updated README with update command
* v2.5f - Fixes for various bugs reported and fixed by @ifly53e (https://github.com/1N3/Sn1per/pull/89)
* v2.5e - Fixed issue with port 3128/tcp checks (CC. @ifly53e)
* v2.5d - Added searchsploit option for (-v) to search all terms (CC. @ifly53e)
* v2.5c - Added various improvements to 'discover' mode scans
* v2.5b - Removed NMap script checks for 'fullportonly' mode
* v2.5a - Added auto-updates to check and download new versions
* v2.5a - Fixed issue with install.sh to resolve pip aha error
* v2.5a - Added libxml2-utils to install.sh to meet dependencies
* v2.5 - Added HTML report generation via sniper 'loot' command
* v2.5 - Added automatic NMap searchsploit integration to find exploits
* v2.5 - Added various improvements to Sn1per discovery scan mode
* v2.5 - Fixed issue with IIS BoF NMap script (CC. ifly53e)
* v2.4f - Fixed issue with upper NMap port range(CC. DaveW)
* v2.4e - Added NMap no ping switch to all scans
* v2.4d - Fixed issue with rpcinfo install script
* v2.4d - Fixed issue with Arachni install script
* v2.4c - Added loot and $TARGET sanity checks (CC. @menzow)
* v2.4b - Fixed issue with discovery scan output file (CC. @ifly53e)
* v2.4b - Fixed issue with Intel AMT RCE port list
* v2.4a - Added all NMap script checks via 'fullportonly' mode
* v2.4a - Added JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Metasploit exploit
* v2.4a - Added Java RMI RCE NMap/Metasploit detection
* v2.4a - Added INTEL-SA-00075 (Intel AMT) vulnerability NMap script
* v2.4 - Added detection for open X11 servers
* v2.4 - Added IIS6 Win2k3 RCE NMap script
* v2.4 - Added option to disable Google Hacking queries via Firefox
* v2.3d - Fixed issue with loot command
* v2.3c - Added Apache Struts 2 RCE NMap script
* v2.3c - Added Apache Struts 2 RCE NMap exploit
* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
* v2.2f - Added various optimizations and minor code fixes
* v2.2e - Changed NMap scan options (removed -P0 flag)
* v2.2d - Added MongoDB checks
* v2.2d - Improved NMap scanning options
* v2.2c - Added CouchDB checks
* v2.2c - Updated Sub-domain takeover list
* v2.2b - Added fullportonly mode to do exclusive full port scans
* v2.2b - Fixed minor issue with Metasploit Pro not starting
* v2.2b - Fixed minor issue with sniper loot command
* v2.2a - Fixed minor issue with loot function
* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
* v2.2 - Added Sn1per workspaces to loot directory
* v2.1d - Added crt.sh sub-domain check
* v2.1d - Removed blank screenshots from loot directory
* v2.1c - Fixed issue with install.sh install directories
* v2.1b - Added automatic Metasploit NMap xml imports for loot directory
* v2.1b - Removed Zenmap
* v2.1a - Separated Arachni reports for port 80/443/tcp
* v2.1a - Fixed NMap full port scan options
* v2.1 - Added Arachni with auto HTML web reporting (web mode only)
* v2.1 - Added full NMap detailed port scans
* v2.1 - Added port 4443/tcp checks
* v2.1 - Added META tag scans for web apps
* v2.1 - Removed Uniscan from web mode
* v2.1 - Removed SQLMap from web mode
* v2.0b - Added help option --help
* v2.0a - Fixed issue with ssh-audit
* v2.0a - Fixed issue with 'discover' mode
* v2.0 - Updated sub-domain takeover list
* v2.0 - Improved scan performance for stealth, airstrike and discover modes
* v2.0 - Removed jexboss due to clear screen issue with output
* v2.0 - Auto loot directory sorting for all tools
* v2.0 - Updated install.sh package list
* v1.9c - Enabled BruteX automated brute force attacks
* v1.9b - Fixed MSSQL port 1433/tcp port scan check (@hacktrack)
* v1.9a - Removed testssl script from stealth mode scans
* v1.9 - Added Ubuntu docker image for Sn1per (@menzow)
* v1.9 - Added automatic loot directory sorting for all modes
* v1.9 - Added MSSQL port 1433/tcp checks
* v1.9 - Added SNMP port 162/tcp checks (@hexageek)
* v1.9 - Added nslookup to install.sh
* v1.9 - Fixed install.sh dependency duplicates
* v1.8c - Added -A option to all NMap port scans
* v1.8c - Fixed install.sh permission issue
* v1.8c - Fixed install.sh cleanup options
* v1.8c - Added ssh-audit
* v1.8c - Added install directory (/usr/share/sniper/) to install script for universal access
* v1.8c - Fixed issue with Metasploit SSH scans
* v1.8c - Added auto-update to install.sh to automatically pull latest github release
* v1.8b - Fixed bug with NMap UDP scan options
* v1.8b - Fixed install.sh dependencies
* v1.8b - Fixed jexboss options
* v1.8a - Updated sub-domain hijack list of domains (CC: th3gundy)
* v1.8 - Added sub-domain hijack scans for all sub-domains
* v1.8 - Added auto export of all sub-domains to /domains directory
* v1.8 - Added additional stealth and airstrike checks for port 80 and 443
* v1.8 - Fixed issue with theHarvester not working with google
* v1.7g - Added email security/spoofing checks
* v1.7f - Added Zenmap XML auto-imports
* v1.7f - Added ClamAV RCE Nmap script
* v1.7e - Fixed minor issue with airstrike and nuke mode
* v1.7e - Fixed minor issues with discover mode
* v1.7e - Added minor cosmetic improvements to reports
* v1.7e - Disabled automatic brute forcing by default
* v1.7e - Added automatic brute force setting in script vars
* v1.7d - Added sslyze
* v1.7d - Added 'discover' mode for full subnet scans
* v1.7d - Added verbosity to scan tasks to separate sub-tasks better
* v1.7c - Added plain text reporting
* v1.7c - Improved loot directory structure and sorting
* v1.7b - Fixed issue with airstrike mode not scanning correctly
* v1.7b - Improved passive recon performance
* v1.7a - Improved NMap http scan performance
* v1.7a - Removed joomscan due to verbosity issues
* v1.7 - Added uniscan web vulnerability scanner
* v1.7 - Added joomscan Joomla scanner
* v1.7 - Improved web scan performance
* v1.7 - Fixed issue with inurlbr output
* v1.7 - Added remote desktop viewing for RDP connections
* v1.7 - Added experimental Metasploit exploit for Apache Struts RCE (CVE-2016-3081)
* v1.6e - Added reporting option for nobrute mode (CC. @mero01)
* v1.6e - Improved SMB scan performance/optimization added
* v1.6d - Improved NMap scan performance options
* v1.6d - Added xprobe2 OS finger printing tool
* v1.6d - Added jexboss JBoss autopwn
* v1.6d - Merged fix for theharvester package (CC. @RubenRocha)
* v1.6d - Merged fix for SuperMicroScanner (CC. @mero01)
* v1.6c - Add report mode for web scans
* v1.6c - Fixed issues with Sublist3r and theharvester
* v1.6c - Added Shocker Shellshock exploitation scanner
* v1.6b - Added Sublist3r sub-domain brute tool
* v1.6b - Added cutycapt web screenshot util
* v1.6a - Added improvements to recon phase
* v1.6a - Fixed small issue with 3rd party extension
* v1.6a - Various improvements to overall optimization of scans
* v1.6a - Added new "web" mode for full web application scans
* v1.6 - Added 4 new modes including: stealth, port, airstrike and nuke
* v1.6 - Added Java de-serialization scanner
* v1.6 - Added reporting option to output to console and text file for all scans
* v1.6 - Added option to set Sn1per full path for universal command line access
* v1.6 - Added in DirBuster for web file brute forcing
* v1.6 - Fixed issue with stderr errors in TheHarvester
* v1.5e - Removed shodan command line tool due to issues
* v1.5e - Fixed wafw00f installation in kali 2.0
* v1.5d - Fixed minor issues with port 513/tcp and 514/tcp checks
* v1.5c - Fixed issue which broke link to sniper directory
* v1.5b - Added Squid Proxy checks port 3128/tcp
* v1.5b - Fixed shodan setup options in install.sh
* v1.5b - Fixed syntax error with theHarvester in install.sh
* v1.5a - Fixed syntax error with port 8081 checks
* v1.5a - Added Arachni integration
* v1.5a - Added vsftpd, proftpd, mysql, unrealircd auto exploits
* v1.5 - Added Metasploit scan and auto-exploit modules
* v1.5 - Added additional port checks
* v1.5 - Added full TCP/UDP NMap XML output
* v1.5 - Auto tune scan for either IP or hostname/domain
* v1.4h - Added auto IP/domain name scan configurations
* v1.4g - Added finger enumeration scripts
* v1.4g - Fixed nmap -p 445 target issue
* v1.4g - Fixed smtp-enum target issue
* v1.4f - Fixed BruteX directory bug
* v1.4e - Fixed reported errors install.sh
* v1.4e - Added auto-upgrade option to install.sh for existing Sn1per installs
* v1.4d - Fixed missing rake gem install dependency
* v1.4c - Reordered 3rd party extensions
* v1.4b - Fixed install.sh executable references
* v1.4b - Fixed Yasou dependencies in install.sh
* v1.4b - Fixed minor issues with BruteX loot directory
* v1.4 - Added Yasou for automatic web form brute forcing
* v1.4 - Added MassBleed for SSL vulnerability detection
* v1.4 - Added Breach-Miner for detection of breached accounts
* v1.4 - Fixed minor errors with nmap
* v1.4 - Removed debug output from goohak from displaying on console
================================================
FILE: Dockerfile
================================================
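# Sn1per image built on Kali rolling.
# NOTE(review): `latest` is a moving tag, so two builds of this file can
# produce different images; pin the base by digest for reproducible builds.
FROM docker.io/kalilinux/kali-rolling:latest

# Image metadata (label-schema keys). MAINTAINER sits on the continuation of
# the LABEL instruction, so it is stored as one more label.
LABEL org.label-schema.name='Sn1per - Kali Linux' \
      org.label-schema.description='Automated pentest framework for offensive security experts' \
      org.label-schema.usage='https://github.com/1N3/Sn1per' \
      org.label-schema.url='https://github.com/1N3/Sn1per' \
      org.label-schema.vendor='https://sn1persecurity.com' \
      org.label-schema.schema-version='1.0' \
      org.label-schema.docker.cmd.devel='docker run --rm -ti xer0dayz/sniper' \
      MAINTAINER="@xer0dayz"

# Replace the APT sources with the Kali rolling repository (binary and source).
# The mirror URL is plain HTTP: package integrity then rests on APT's signature
# check of the repository metadata, while the transfer itself is unencrypted.
RUN echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && \
    echo "deb-src http://http.kali.org/kali kali-rolling main contrib non-free" >> /etc/apt/sources.list

# key=value form; the space-separated `ENV key value` form is legacy syntax.
ENV DEBIAN_FRONTEND=noninteractive

# Refresh the index, upgrade, and install every APT package in ONE layer.
# With the install steps in layers of their own, a cached `apt update` layer
# can be reused while an install re-runs against an outdated package index.
RUN set -x \
    && apt -yqq update \
    && apt -yqq full-upgrade \
    && apt install --yes metasploit-framework git bash \
    && apt clean

# Rewrite msfdb to query PostgreSQL through `service` instead of `systemctl`
# (presumably because systemd is not running during the build), then start
# PostgreSQL and re-initialise the Metasploit database.
RUN sed -i 's/systemctl status ${PG_SERVICE}/service ${PG_SERVICE} status/g' /usr/bin/msfdb && \
    service postgresql start && \
    msfdb reinit

WORKDIR /usr/src/app

# Fetch and install Sn1per.
# NOTE(review): the clone tracks the repository's default branch and
# install.sh runs with the build user's privileges (root unless the base image
# says otherwise), so the image contents depend on whatever upstream serves at
# build time. Checking out a reviewed commit before ./install.sh makes the
# build auditable. `sniper -u force` is the tool's update switch (see README)
# and may move the install past that commit; confirm before pinning.
RUN git clone https://github.com/1N3/Sn1per.git \
    && cd Sn1per \
    && ./install.sh \
    && sniper -u force

# No USER instruction is set, so the default command runs as the image's
# default user (presumably root on this base; confirm).
CMD ["sniper"]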
================================================
FILE: Dockerfile.blackarch
================================================
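# Sn1per image built on BlackArch.
# NOTE(review): `latest` is a moving tag; pin the base by digest for
# reproducible builds.
FROM docker.io/blackarchlinux/blackarch:latest

# Upgrade the system and install sn1per from the distribution repository in a
# single transaction. A separate `pacman -Sy <pkg>` layer refreshes the package
# database without upgrading, which can leave a partially upgraded system when
# the earlier upgrade layer is served from the build cache.
RUN pacman -Syu --noconfirm sn1per

# No USER instruction is set, so the default command runs as the image's
# default user (presumably root; confirm).
CMD ["sn1per"]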
================================================
FILE: LICENSE.md
================================================
## LICENSE:
Sn1per Community Edition End User License Agreement (EULA)
Sn1perSecurity LLC grants you the right to download, use, and distribute in part or in whole Sn1per Community Edition (also referred to as “Project”, “Code”, “Software”, “Sn1per”, “Product”), provided the following terms and conditions are met:
(1) You agree to give credit to the original author @xer0dayz and link back to https://sn1persecurity.com (Sn1perSecurity LLC)
(2) You may not rename or rebrand the Project.
(3) You agree not to create any product or service from any part of the Code from this Project, paid or free.
(4) You agree not to re-license the Code.
(5) You may not use the Code for illegal or nefarious purposes, which violates any laws (in your jurisdiction, the jurisdiction in which the Software is running, the jurisdiction in which the Software is targeting, and the United States of America).
(6) You agree not to scan a target in a manner that is considered unlawful, illegal, or that you do not have explicit permission to do so.
This Software is provided as-is without warranty. Sn1perSecurity LLC, its creators and staff take no liability for consequential damages to the maximum extent permitted by all applicable laws. In no event shall Sn1perSecurity LLC or any person be liable for any consequential, reliance, incidental, special, direct or indirect damages whatsoever (including without limitation, damages for loss of business profits, business interruption, loss of business information, personal injury, or any other loss) arising out of or in connection with the use or inability to use this Product, even if Sn1perSecurity LLC has been advised of the possibility of such damages.
Sn1perSecurity LLC does not guarantee any functionality or performance of Sn1per Community Edition. Sn1perSecurity LLC does not warrant that the Code will be maintained and in good working order, or that the Software will meet your requirements, be uninterrupted, or error free, or that any errors in the Software will be corrected.
The Software code, name, and logos are owned by Sn1perSecurity LLC and protected by the United States of America and the state of Arizona copyright and/or patent laws of international treaty provisions. All rights reserved.
Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.
If any provision of this EULA is determined to be unlawful, void, or unenforceable, such provision shall nonetheless be enforceable to the fullest extent permitted by applicable law, and the unenforceable portion shall be deemed to be severed from this EULA. Such determination shall not affect the validity and enforceability of any remaining provisions.
Failure of Sn1perSecurity LLC to exercise or enforce any right or provision of this EULA does not constitute a waiver of such right or provision.
Any ambiguities in the interpretation of this EULA shall not be construed against the drafting party/parties.
Download, use, distribution (in part or in whole) of this Project/Code constitutes your acceptance of the Sn1per Community Edition EULA. If at any time you are not in agreement or cannot meet any part of this EULA, you should immediately cease use of the Project by removing/uninstalling all copies from all locations.
For any questions concerning this EULA, please submit a GitHub issue with your question: https://github.com/1N3/Sn1per
================================================
FILE: README.md
================================================
[](https://sn1persecurity.com)
[](https://github.com/1N3/Sn1per/releases)
[](https://github.com/1N3/Sn1per/issues)
[](https://github.com/1N3/Sn1per/)
[](https://github.com/1N3/Sn1per/)
[[Website](https://sn1persecurity.com/wordpress/)] [[Blog](https://sn1persecurity.com/wordpress/blog/)] [[Shop](https://sn1persecurity.com/wordpress/shop)] [[Documentation](https://sn1persecurity.com/wordpress/documentation/)] [[Demo](https://www.youtube.com/c/Sn1perSecurity/videos)] [[Find Out More](https://sn1persecurity.com/wordpress/external-attack-surface-management-with-sn1per/)]
## Attack Surface Management Platform
### Discover hidden assets and vulnerabilities in your environment
#### [[Find out more](https://sn1persecurity.com/wordpress/shop)]
[](https://sn1persecurity.com/)
## The ultimate pentesting toolkit
Integrate with the leading commercial and open source vulnerability scanners to scan for the latest CVEs and vulnerabilities.
[](https://sn1persecurity.com/)
### Automate the most powerful tools
Security tools are expensive and time-consuming, but with Sn1per, you can save time by automating the execution of these open source and commercial tools to discover vulnerabilities across your entire attack surface.
[](https://sn1persecurity.com/)
### Find what you can't see
Hacking is a problem that's only getting worse. But, with Sn1per, you can find what you can’t see—hidden assets and vulnerabilities in your environment.
[](https://sn1persecurity.com/)
### Discover and prioritize risks in your organization
Sn1per is a next-generation information gathering tool that provides automated, deep, and continuous security for organizations of all sizes.
[](https://sn1persecurity.com/)
### See Sn1per in action
[](https://www.youtube.com/c/Sn1perSecurity/videos)
### News
- #### [Introducing SILENTCHAIN AI Community Edition v1.1.3](https://sn1persecurity.com/wordpress/sn1per-se-v11-released/)
- #### [🔥 Sn1per SE v11.0 Now Available – Major Refactor, New Tools, Faster Recon, Smarter Resumes](https://sn1persecurity.com/wordpress/sn1per-se-v11-released/)
- #### [🔐 Sn1per Enterprise v20250522 Released – Next-Level Offensive Security & Vulnerability Scanning](https://sn1persecurity.com/wordpress/sn1per-enterprise-v20250522-released/)
- #### [Sn1per Enterprise Released!](https://sn1persecurity.com/wordpress/sn1per-enterprise-released/)
- #### [Sn1per Professional v10.0 Released!](https://sn1persecurity.com/wordpress/sn1per-professional-v10-released/)
## Kali/Ubuntu/Debian/Parrot Linux Install
```
git clone https://github.com/1N3/Sn1per
cd Sn1per
bash install.sh
```
## AWS AMI (Free Tier) VPS Install
[](https://aws.amazon.com/marketplace/pp/prodview-rmloab6wnymno)
To install Sn1per using an AWS EC2 instance:
1. Go to <https://aws.amazon.com/marketplace/pp/prodview-rmloab6wnymno> and click the “Continue to Subscribe” button
2. Click the “Continue to Configuration” button
3. Click the “Continue to Launch” button
4. Login via SSH using the public IP of the new EC2 instance
## Docker Install
[](https://hub.docker.com/r/sn1persecurity/sn1per)
### Kali Linux-based Sn1per
1. Run the Docker Compose file
```bash
sudo docker compose up
```
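1. Run the container. Note that `--privileged` gives the container every capability and access to host devices, so treat it as root on the Docker host; if the scans you run only need raw sockets, `--cap-add=NET_RAW --cap-add=NET_ADMIN` is a narrower alternative worth testing.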
```bash
sudo docker run --privileged -it sn1per-kali-linux /bin/bash
```
### BlackArch-based Sn1per
1. Run the Docker Compose file
```bash
sudo docker compose -f docker-compose-blackarch.yml up
```
1. Run the container
```bash
sudo docker run --privileged -it sn1per-blackarch /bin/bash
```
## Usage
```
[*] NORMAL MODE
sniper -t <TARGET>
[*] NORMAL MODE + OSINT + RECON
sniper -t <TARGET> -o -re
[*] STEALTH MODE + OSINT + RECON
sniper -t <TARGET> -m stealth -o -re
[*] DISCOVER MODE
sniper -t <CIDR> -m discover -w <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t <TARGET> -m port -p <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t <TARGET> -fp
[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t <TARGET> -m web
[*] HTTP WEB PORT MODE
sniper -t <TARGET> -m webporthttp -p <port>
[*] HTTPS WEB PORT MODE
sniper -t <TARGET> -m webporthttps -p <port>
[*] HTTP WEBSCAN MODE
sniper -t <TARGET> -m webscan
[*] ENABLE BRUTEFORCE
sniper -t <TARGET> -b
[*] AIRSTRIKE MODE
sniper -f targets.txt -m airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f targets.txt -m nuke -w <WORKSPACE_ALIAS>
[*] MASS PORT SCAN MODE
sniper -f targets.txt -m massportscan
[*] MASS WEB SCAN MODE
sniper -f targets.txt -m massweb
[*] MASS WEBSCAN SCAN MODE
sniper -f targets.txt -m masswebscan
[*] MASS VULN SCAN MODE
sniper -f targets.txt -m massvulnscan
[*] PORT SCAN MODE
sniper -t <TARGET> -m port -p <PORT_NUM>
[*] LIST WORKSPACES
sniper --list
[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
[*] DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh
[*] GET SNIPER SCAN STATUS
sniper --status
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
[*] LOOT RELOAD FUNCTION
sniper -w <WORKSPACE_ALIAS> --reload
[*] LOOT EXPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --export
[*] SCHEDULED SCANS
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly
[*] USE A CUSTOM CONFIG
sniper -c /path/to/sniper.conf -t <TARGET> -w <WORKSPACE_ALIAS>
[*] UPDATE SNIPER
sniper -u|--update
```
## Modes
- **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
- **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
- **MASSPORTSCAN:** Runs a "fullportonly" scan on multiple targets specified via the "-f" switch.
- **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- **MASSWEB:** Runs "web" mode scans on multiple targets specified via the "-f" switch.
- **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.
- **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
- **WEBSCAN:** Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.
- **MASSWEBSCAN:** Runs "webscan" mode scans of multiple targets specified via the "-f" switch.
- **VULNSCAN:** Launches an OpenVAS vulnerability scan.
- **MASSVULNSCAN:** Runs "vulnscan" mode scans on multiple targets specified via the "-f" switch.
## Help Topics
- [x] [Plugins & Tools](https://github.com/1N3/Sn1per/wiki/Plugins-&-Tools)
- [x] [Scheduled Scans](https://github.com/1N3/Sn1per/wiki/Scheduled-Scans)
- [x] [Sn1per Configuration Options](https://github.com/1N3/Sn1per/wiki/Sn1per-Configuration-Options)
- [x] [Sn1per Configuration Templates](https://github.com/1N3/Sn1per/wiki/Sn1per-Configuration-Templates)
- [x] [Sc0pe Templates](https://github.com/1N3/Sn1per/wiki/Sc0pe-Templates)
## Integration Guides
- [x] [Github API integration](https://github.com/1N3/Sn1per/wiki/Github-API-Integration)
- [x] [Burpsuite Professional 2.x integration](https://github.com/1N3/Sn1per/wiki/Burpsuite-Professional-2.x-Integration)
- [x] [OWASP ZAP integration](https://github.com/1N3/Sn1per/wiki/OWASP-ZAP-Integration)
- [x] [Shodan API integration](https://github.com/1N3/Sn1per/wiki/Shodan-Integration)
- [x] [Censys API integration](https://github.com/1N3/Sn1per/wiki/Censys-API-Integration)
- [x] [Hunter.io API integration](https://github.com/1N3/Sn1per/wiki/Hunter.io-API-Integration)
- [x] [Metasploit integration](https://github.com/1N3/Sn1per/wiki/Metasploit-Integration)
- [x] [Nessus integration](https://github.com/1N3/Sn1per/wiki/Nessus-Integration)
- [x] [OpenVAS API integration](https://github.com/1N3/Sn1per/wiki/OpenVAS-Integration)
- [x] [GVM 21.x integration](https://github.com/1N3/Sn1per/wiki/GVM-21.x-Integration)
- [x] [Slack API integration](https://github.com/1N3/Sn1per/wiki/Slack-API-Integration)
- [x] [WPScan API integration](https://github.com/1N3/Sn1per/wiki/WPScan-API-Integration)
## License & Legal Agreement
For license and legal information, refer to the [LICENSE.md](https://github.com/1N3/Sn1per/blob/master/LICENSE.md) file in this repository.
## Purchase Sn1per Professional
To obtain a Sn1per Professional license, go to <https://sn1persecurity.com>.
External attack surface management, Attack surface monitoring, Attack Surface Management Platform, Attack Surface Management Solutions, Vulnerability management, Threat intelligence, Cybersecurity risk assessment, Security posture assessment, Digital footprint analysis, Attack surface mapping, Web application security, Network security, Infrastructure security, Cloud security, Third-party risk management, Incident response, Penetration testing, Asset discovery, Patch management, Security scanning, Firewall configuration, Intrusion detection system, Security awareness training, Data breach prevention, Web server security, Endpoint security, Phishing protection, Vulnerability assessment, Network security, Web application testing, Ethical hacking, Security assessment, Information security, Red teaming, Cybersecurity testing, Pen testing tools, Exploitation techniques, Wireless network testing, Social engineering, Security auditing, Incident response, Intrusion detection, Firewall testing, Security assessment methodology, Risk assessment, Security controls, Web vulnerability scanning, Password cracking, Security testing services, Security architecture, System hardening, Network reconnaissance, Red teaming, Penetration testing, Cybersecurity, Vulnerability assessment, Attack simulation, Threat intelligence, Risk assessment, Security testing, Adversarial tactics, Incident response, Security assessment, Network security, Defensive measures, Security controls, Social engineering, Exploitation techniques, Security awareness, Defensive strategies, Risk mitigation, Blue teaming, Security operations, Intrusion detection, Security frameworks, Cyber defense, Information security
================================================
FILE: bin/github-subdomains.py
================================================
#!/usr/bin/python3.5
# I don't believe in license.
# You can do whatever you want with this program.
import os
import sys
import re
import time
import requests
import random
import argparse
from functools import partial
from colored import fg, bg, attr
from multiprocessing.dummy import Pool
# File holding GitHub API tokens, one per line, located in the same directory
# as this script. It is only read when no token is passed with -t/--token.
TOKENS_FILE = os.path.dirname(os.path.realpath(__file__))+'/.tokens'
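def githubApiSearchCode( search, page ):
    """Fetch one page of GitHub code-search results.

    :param search: search expression, sent as the ``q`` parameter
    :param page: 1-based result page number
    :return: the decoded JSON body, or False when the request or the JSON
             decoding raised an exception. Error bodies returned by the API
             are passed through unchanged; the caller inspects them.
    """
    # One token is picked at random per request from the module-level list.
    headers = {"Authorization":"token "+random.choice(t_tokens)}
    # Hand the query to requests as parameters instead of concatenating it
    # into the URL: a search term containing '&', '#', '+' or spaces is then
    # percent-encoded and cannot alter or truncate the other parameters.
    params = {
        's': 'indexed',
        'type': 'Code',
        'o': 'desc',
        'q': search,
        'page': str(page),
    }
    try:
        r = requests.get( 'https://api.github.com/search/code', params=params, headers=headers, timeout=5 )
        return r.json()
    except Exception as e:
        # The exception text may contain the request URL; the token travels
        # in a header and is not part of that URL.
        print( "%s[-] error occurred: %s%s" % (fg('red'),e,attr(0)) )
        return False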
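def getRawUrl( result ):
    """Turn a search result's ``html_url`` into its raw-content URL.

    :param result: one item of the code-search response; only the
                   ``html_url`` key is read
    :return: the URL with the github.com prefix swapped for
             raw.githubusercontent.com and the first ``/blob/`` segment removed
    """
    raw_url = result['html_url']
    # Replace only the first occurrence of each marker: a file path that
    # itself contains a "blob" directory must keep that directory.
    raw_url = raw_url.replace( 'https://github.com/', 'https://raw.githubusercontent.com/', 1 )
    raw_url = raw_url.replace( '/blob/', '/', 1 )
    return raw_url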
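def readCode( regexp, source, result ):
    """Download one search hit and print every new host name found in it.

    :param regexp: pattern whose first group is the complete host name
    :param source: when true, append the hit's ``html_url`` to each line
    :param result: one item of the code-search response
    :return: None; matches are written to stdout and remembered in the
             module-level ``t_history`` list so each is printed once
    """
    url = getRawUrl( result )
    code = doGetCode( url )
    if not code:
        return
    for match in re.findall( regexp, code ):
        # findall yields a tuple per hit because the pattern contains groups;
        # element 0 is the outermost group.
        # The '2F' removal presumably drops the residue of a URL-encoded '/'
        # ("%2F") in front of a host name; confirm before changing it.
        sub = match[0].replace('2F','').lower().strip()
        if len(sub) and sub not in t_history:
            t_history.append( sub )
            line = sub
            if source:
                line += "\t-> %s" % result['html_url']
            # This function runs on a 30-thread pool: emit each result with a
            # single write so that lines from different threads do not get
            # spliced into each other.
            sys.stdout.write( line + "\n" )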
def doGetCode( url ):
    """Fetch ``url`` and return the response body as text.

    :param url: address to download (5 second timeout)
    :return: the body text, or False if the request raised an exception
    """
    try:
        response = requests.get( url, timeout=5 )
    except Exception as err:
        message = "%s[-] error occurred: %s%s\n" % (fg('red'),err,attr(0))
        sys.stdout.write( message )
        return False
    else:
        return response.text
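# --- command line ----------------------------------------------------------
parser = argparse.ArgumentParser()
parser.add_argument( "-t","--token",help="auth token (required)" )
parser.add_argument( "-d","--domain",help="domain you are looking for (required)" )
parser.add_argument( "-e","--extend",help="also look for <dummy>example.com", action="store_true" )
parser.add_argument( "-s","--source",help="display first url where subdomains are found", action="store_true" )
args = parser.parse_args()

# --- tokens ----------------------------------------------------------------
# Tokens come from -t (comma-separated) or, when -t is absent, from
# TOKENS_FILE (one per line). A token passed with -t ends up in the process
# list and shell history; the tokens file keeps it off the command line and
# should be readable by its owner only.
if args.token:
    raw_tokens = args.token.split(',')
elif os.path.isfile(TOKENS_FILE):
    with open(TOKENS_FILE,'r') as fp:
        raw_tokens = fp.read().split("\n")
else:
    raw_tokens = []

# Drop blank entries. A trailing newline in the file used to leave an empty
# string in the list, which random.choice() could pick (sending an empty
# token), and an empty file passed the "missing token" check below.
t_tokens = [tok.strip() for tok in raw_tokens if tok.strip()]

if not len(t_tokens):
    parser.error( 'auth token is missing' )

_source = bool(args.source)

if args.domain:
    _domain = args.domain
else:
    parser.error( 'domain is missing' )

# --- search expression and extraction pattern ------------------------------
t_history = []
page = 1
_search = '"' + _domain + '"'

### this is a test, looks like we got more result that way
import tldextract
t_host_parse = tldextract.extract( _domain )
_search = '"' + t_host_parse.domain + '"'
# print( t_host_parse )
# exit()
###

# egrep -io "[0-9a-z_\-\.]+\.([0-9a-z_\-]+)?`echo $h|awk -F '.' '{print $(NF-1)}'`([0-9a-z_\-\.]+)?\.[a-z]{1,5}"
# The user-supplied domain is passed through re.escape() so that it is matched
# literally and cannot change the structure of the pattern.
if args.extend:
    _regexp = r'([0-9a-z_\-\.]+\.([0-9a-z_\-]+)?' + re.escape(t_host_parse.domain) + r'([0-9a-z_\-\.]+)?\.[a-z]{1,5})'
else:
    _regexp = r'(([0-9a-zA-Z_\-\.]+)\.' + re.escape(_domain) + ')'
# print(_regexp)

# --- result pages ----------------------------------------------------------
# Walk the result pages until the API returns an error document
# ('documentation_url'), no 'items' key, or an empty page.
while True:
    time.sleep( 1 )
    t_json = githubApiSearchCode( _search, page )
    # print(t_json)
    page = page + 1
    if not t_json or 'documentation_url' in t_json or not 'items' in t_json or not len(t_json['items']):
        break

    # Every hit of the page is downloaded and scanned on its own thread.
    pool = Pool( 30 )
    pool.map( partial(readCode,_regexp,_source), t_json['items'] )
    pool.close()
    pool.join()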
================================================
FILE: bin/http-default-accounts-fingerprints-nndefaccts.lua
================================================
--[[
This file is part of NNdefaccts, an alternate fingerprint dataset for
Nmap script http-default-accounts.
NNdefaccts is Copyright (c) 2012-2019 by nnposter
(nnposter /at/ users.sourceforge.net, <https://github.com/nnposter>)
NNdefaccts is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option)
any later version.
NNdefaccts is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.
You should have received a copy of the GNU General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.
Note that NNdefaccts is licensed separately from Nmap. By obtaining
a custom license for Nmap you are not automatically entitled to modify or
distribute the NNdefaccts dataset to the same extent as Nmap itself and,
conversely, licensing NNdefaccts does not cover Nmap. For details, see
<https://github.com/nnposter/nndefaccts/COPYING>.
You can obtain the latest version of the dataset from its public repository
at <https://github.com/nnposter/nndefaccts/>.
To report bugs and other problems, contribute patches, request a feature,
provide generic feedback, etc., please see instructions posted at
<https://github.com/nnposter/nndefaccts/README.md>.
]]
local base64 = require "base64"
local http = require "http"
local json = require "json"
local math = require "math"
local os = require "os"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local url = require "url"
local have_openssl, openssl = pcall(require, "openssl")
local have_rand, rand = pcall(require, "rand")
local have_stringaux, stringaux = pcall(require, "stringaux")
local have_tableaux, tableaux = pcall(require, "tableaux")
---
-- http-default-accounts-fingerprints-nndefaccts.lua
-- This file contains fingerprint data for http-default-accounts.nse
--
-- STRUCTURE:
-- * <code>name</code> - Descriptive name
-- * <code>cpe</code> - Official CPE Dictionary entry (optional)
-- * <code>category</code> - Category
-- * <code>login_combos</code> - Table of default credential pairs
---- * <code>username</code>
---- * <code>password</code>
-- * <code>paths</code> - Table of likely locations (paths) of the target
-- * <code>target_check</code> - Validation function of the target
-- (optional but highly recommended)
-- * <code>login_check</code> - Login function of the target
---
---
-- Backwards compatibility provisions for library rand
---
-- When library rand could not be loaded, start from an empty table.
if not have_rand then rand = {} end
-- When rand lacks random_string, borrow the generator from stdnse.
if not rand.random_string then rand.random_string = stdnse.generate_random_string end
---
-- Generates a random alphanumeric string.
--
-- @param len Length of the output string.
-- @return A random string consisting of letters and digits
---
local function random_alnum (len)
  -- digits, then upper-case letters, then lower-case letters
  local charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
  return rand.random_string(len, charset)
end
---
-- Generates a random hexadecimal string.
--
-- @param len Length of the output string.
-- @return A random string consisting of hexadecimal digits
---
local function random_hex (len)
  -- lower-case hexadecimal digits only
  local charset = "0123456789abcdef"
  return rand.random_string(len, charset)
end
---
-- Backwards compatibility provisions for library stringaux
---
if not have_stringaux then stringaux = {} end
if not stringaux.ipattern then
  -- borrow the case-insensitive pattern builder from stdnse
  stringaux.ipattern = stdnse.generate_case_insensitive_pattern
end
---
-- Backwards compatibility provisions for library tableaux
---
if not have_tableaux then tableaux = {} end
if not tableaux.tcopy then
  -- Recursive copy: nested tables are cloned, every other value is shared.
  tableaux.tcopy = function (tbl)
    local clone = {}
    for key, val in pairs(tbl) do
      if type(val) == "table" then
        clone[key] = tableaux.tcopy(val)
      else
        clone[key] = val
      end
    end
    return clone
  end
end
if not tableaux.contains then
  tableaux.contains = stdnse.contains
end
---
-- Requests given path using http.get() but disabling cache and redirects.
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @return A response table (see library http.lua for description)
---
local function http_get_simple (host, port, path, options)
  -- Work on a copy so that the caller's options table is never modified.
  local req = tableaux.tcopy(options or {})
  -- Always talk to the target itself: no cached answers, no followed redirects.
  req.bypass_cache, req.no_cache, req.redirect_ok = true, true, false
  return http.get(host, port, path, req)
end
---
-- Requests given path using http.post() but disabling cache and redirects.
-- (The current implementation of http.post() does not use either; this is
-- a defensive wrapper to guard against future problems.)
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @param postdata A string or a table of data to be posted
-- @return A response table (see library http.lua for description)
---
local function http_post_simple (host, port, path, options, postdata)
  -- Work on a copy so that the caller's options table is never modified.
  local req = tableaux.tcopy(options or {})
  req.no_cache, req.redirect_ok = true, false
  -- The fifth argument of http.post() is left nil; postdata is the sixth.
  return http.post(host, port, path, req, nil, postdata)
end
---
-- Requests given path using http_post_simple() with the body formatted as
-- Content-Type multipart/form-data.
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @param postdata A table of data to be posted
-- @return A response table (see library http.lua for description)
---
local function http_post_multipart (host, port, path, options, postdata)
  -- 20 dashes followed by two random 7-digit numbers
  local marker = ("-"):rep(20)
                 .. math.random(1000000, 9999999)
                 .. math.random(1000000, 9999999)
  local opts = tableaux.tcopy(options or {})
  opts.header = opts.header or {}
  opts.header["Content-Type"] = "multipart/form-data; boundary=" .. marker
  if type(postdata) ~= "table" then
    -- Nothing is sent; the caller gets a response-shaped table with no status.
    return {status = nil,
            ["status-line"] = "POST data must be a table",
            header = {},
            rawheader = {}}
  end
  local delimiter = "--" .. marker
  local parts = {}
  -- NOTE: field names and values are inserted verbatim; nothing here escapes
  -- double quotes or line breaks, so callers must pass well-formed fields.
  for field, value in pairs(postdata) do
    parts[#parts + 1] = delimiter
    parts[#parts + 1] = ('Content-Disposition: form-data; name="%s"'):format(field)
    parts[#parts + 1] = ""
    parts[#parts + 1] = value
  end
  -- closing delimiter, then an empty element so the body ends with CRLF
  parts[#parts + 1] = delimiter .. "--"
  parts[#parts + 1] = ""
  return http_post_simple(host, port, path, opts, table.concat(parts, "\r\n"))
end
---
-- Requests given path using native HTTP authentication.
-- @param host Host table
-- @param port Port table
-- @param path Path to request
-- @param user HTTP authentication username
-- @param pass HTTP authentication password
-- @param digest true: digest auth, false: basic auth, "any": try to detect
-- @return True if login was successful
---
local function try_http_auth (host, port, path, user, pass, digest)
  if digest == "any" then
    -- Probe without credentials and read the scheme name that starts the
    -- WWW-Authenticate header; give up when the header is missing.
    local probe = http_get_simple(host, port, path)
    local challenge = probe.header["www-authenticate"] or ""
    local scheme = challenge:lower():match("^%w+")
    if not scheme then return end
    digest = (scheme == "digest")
  end
  local request_opts = {auth = {username = user, password = pass, digest = digest}}
  local resp = http_get_simple(host, port, path, request_opts)
  -- Any response with a status outside 400..405 is treated as a login;
  -- a response without a status yields nil.
  local rejected = resp.status and resp.status >= 400 and resp.status <= 405
  return resp.status and not rejected
end
---
-- Returns authentication realm advertised in an HTTP response
-- @param response HTTP response object, such as a result from http.get()
-- @return realm found in response header WWW-Authenticate
-- (or nil if not present)
---
local function http_auth_realm (response)
  local challenge = response.header["www-authenticate"]
  if not challenge then challenge = "" end
  -- The pattern deliberately stops at the next double quote OR the end of
  -- the string: "OEM Netcam" devices lack the closing double quote.
  local realm = challenge:match('%srealm%s*=%s*"([^"]*)')
  return realm
end
---
-- Tests whether an HTTP response sets a named cookie with a given value
-- @param response a standard HTTP response object
-- @param name a case-insensitive cookie name that must be set
-- @param pattern to validate the cookie value
-- @return cookie value if such a cookie is found
---
local function get_cookie (response, name, pattern)
  local wanted = name:lower()
  for _, cookie in ipairs(response.cookies or {}) do
    local same_name = cookie.name:lower() == wanted
    -- Without a pattern the name alone decides; with one the value must match.
    if same_name and (not pattern or cookie.value:find(pattern)) then
      return cookie.value
    end
  end
  -- No matching cookie: the result is false, not nil.
  return false
end
---
-- Parses an HTML tag and returns parsed attributes
-- @param html a string representing HTML tag. It is expected that the first
-- and last characters are angle brackets.
-- @return table of attributes with their names converted to lowercase
---
local function parse_tag (html)
  local result = {}
  -- Skip the opening bracket, the element name and the character after it.
  local _, cursor = html:find("^<%f[%w][%w-]+[^%w-]")
  while true do
    local name, eq
    -- Next attribute name, an optional "=" and surrounding whitespace.
    _, cursor, name, eq = html:find("%f[%w]([%w-]+)%s*(=?)%s*", cursor)
    if not cursor then break end
    local vstart = cursor + 1
    local vstop
    if eq ~= "=" then
      -- Attribute without a value: stored as an empty string.
      vstop = vstart
    else
      local quote = html:sub(vstart, vstart)
      if quote == "\"" or quote == "'" then
        -- Quoted value: runs up to the matching quote character.
        vstart = vstart + 1
        vstop = html:find(quote, vstart, true)
      else
        -- Unquoted value: runs up to whitespace or the closing bracket.
        vstop = html:find("[%s>]", vstart)
      end
      -- An unterminated value ends the parse; earlier attributes are kept.
      if not vstop then break end
    end
    result[name:lower()] = html:sub(vstart, vstop - 1)
    cursor = vstop
  end
  return result
end
---
-- Searches given HTML string for an element tag that meets given attribute
-- criteria and returns its position and all its attributes
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
-- for example {id="^secret$"}. The patterns are treated as case-insensitive.
-- (optional)
-- @param init a string position from which to start searching (optional)
-- @return position of the opening angle bracket of the found tag or nil
-- @return position of the closing angle bracket of the found tag or nil
-- @return table of tag attributes with their names converted to lowercase
---
local function find_tag (html, elem, criteria, init)
  -- Lower-case the attribute names and make every criterion pattern
  -- case-insensitive once, before scanning.
  local wanted = {}
  for attr_name, attr_ptn in pairs(criteria or {}) do
    wanted[attr_name:lower()] = stringaux.ipattern(attr_ptn)
  end
  -- Hyphens in the element name are escaped so they are matched literally.
  local escaped = elem:gsub("%-", "%%-")
  local tag_ptn = stringaux.ipattern("<" .. escaped .. "%f[%s/>].->")
  local first
  local last = init
  while true do
    first, last = html:find(tag_ptn, last)
    if not first then break end
    local attrs = parse_tag(html:sub(first, last))
    -- The tag qualifies only when every criterion has a matching attribute.
    local qualifies = true
    for attr_name, attr_ptn in pairs(wanted) do
      local value = attrs[attr_name]
      if not (value and value:find(attr_ptn)) then
        qualifies = false
        break
      end
    end
    if qualifies then return first, last, attrs end
  end
  -- No tag satisfied the criteria: return no values at all.
  return
end
---
-- Searches given HTML string for an element tag that meets given attribute
-- criteria and returns all its attributes
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
-- for example {id="^secret$"}. The patterns are treated as case-insensitive.
-- (optional)
-- @param init a string position from which to start searching (optional)
-- @return table of tag attributes with their names converted to lowercase
---
local function get_tag (html, elem, criteria, init)
  -- Only the attribute table is of interest; both positions are dropped.
  local _, _, attrs = find_tag(html, elem, criteria, init)
  return attrs
end
---
-- Builds an iterator function that searches given HTML string for element tags
-- that meet given attribute criteria
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
-- for example {id="^secret$"}. The patterns are treated as case-insensitive.
-- (optional)
-- @param init a string position from which to start searching (optional)
-- @return iterator
---
local function get_tags (html, elem, criteria)
  -- End position of the previously returned tag; nil once nothing was found.
  local cursor = 0
  local function next_tag ()
    -- After a failed search, continue past the end of the string so that
    -- every later call keeps returning nil.
    local _, stop, attrs = find_tag(html, elem, criteria, (cursor or #html) + 1)
    cursor = stop
    return attrs
  end
  return next_tag
end
---
-- Searches given HTML string for an element tag that meets given attribute
-- criteria and returns inner HTML of the corresponding element
-- (Nested elements of the same type are not supported.)
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "div" or "title")
-- @param criteria a table of attribute names and corresponding patterns,
-- for example {id="^secret$"}. The patterns are treated as case-insensitive.
-- (optional)
-- @param init a string position from which to start searching (optional)
-- @return inner HTML
---
local function get_tag_html (html, elem, criteria, init)
  -- Second result of find_tag is the position of the tag's closing bracket.
  local _, tag_end = find_tag(html, elem, criteria, init)
  if not tag_end then return end
  local inner_start = tag_end + 1
  -- First closing tag of the same element name after the opening tag.
  local escaped = elem:gsub("%-", "%%-")
  local closing_ptn = stringaux.ipattern("</" .. escaped .. "[%s>]")
  local close_pos = html:find(closing_ptn, inner_start)
  if not close_pos then return nil end
  return html:sub(inner_start, close_pos - 1)
end
---
-- Searches given HTML string for a meta refresh tag and returns the target URL
-- @param html a string representing HTML text
-- @param criteria a pattern to validate the extracted target URL
-- for example {id="^secret$"}. The patterns are treated as case-insensitive.
-- (optional)
-- @param init a string position from which to start searching (optional)
-- @return table of tag attributes with their names converted to lowercase
---
local function get_refresh_url (html, criteria)
  -- Only an immediate refresh (content starting with "0;") is considered.
  local meta = get_tag(html, "meta", {["http-equiv"]="^refresh$", content="^0;%s*url="})
  if not meta then return end
  -- Everything after the first "=" of the content attribute is the target.
  local target = meta.content:match("=(.*)")
  -- criteria is a single pattern here (not a table) and is matched
  -- case-insensitively; the target is returned only when it matches.
  if target:find(stringaux.ipattern(criteria)) then
    return target
  end
  return nil
end
---
-- Generates default scheme, host, and port components for a parsed URL.
--
-- This filter function generates the scheme, host, and port components from
-- the standard <code>host</code> and <code>port</code> script objects. These
-- components can then be passed onto function <code>url.build</code>.
--
-- As an example, the following code generates a URL for path "/test/"
-- on the current host and port:
-- <code>
-- local testurl = url.build(url_build_defaults(host, port, {path = "/test/"}))
-- </code>
-- or, alternatively, when not used as a filter:
-- <code>
-- local parsed = url_build_defaults(host, port)
-- parsed.path = "/test/"
-- local testurl = url.build(parsed)
-- </code>
--
-- @param host The host the URL is intended for.
-- @param port The port the URL is intended for.
-- @param parsed Parsed URL, as typically returned by <code>url.parse</code>,
-- or nil. The table can be missing the scheme, host, and port components.
-- @return A clone of the parsed URL, with any missing scheme, host, and port
-- components added.
-- @see url.parse
-- @see url.build
---
local function url_build_defaults (host, port, parsed)
  -- Work on a copy; the caller's table is left untouched.
  local u = tableaux.tcopy(parsed or {})
  if not u.host then
    u.host = stdnse.get_hostname(host, port)
  end
  if not u.scheme then
    u.scheme = shortport.ssl(host, port) and "https" or "http"
  end
  -- The port is added only when it differs from the scheme's default.
  if not u.port and port.number ~= url.get_default_port(u.scheme) then
    u.port = port.number
  end
  return u
end
---
-- Encodes a string to make it safe for embedding into XML/HTML.
--
-- @param s The string to be encoded.
-- @return A string with unsafe characters encoded
---
local function xmlencode (s)
  -- Every non-alphanumeric character becomes a hexadecimal character reference.
  local function to_reference (c)
    return ("&#x%x;"):format(c:byte())
  end
  -- gsub's second result (the substitution count) is passed through as well.
  return s:gsub("%W", to_reference)
end
---
-- Decodes an XML-encoded string.
--
-- @param s The string to be decoded.
-- @return A string with XML encoding stripped off
---
local function xmldecode (s)
  local named = {amp = "&", quot = "\"", apos = "'", lt ="<", gt = ">"}
  local function resolve (entity)
    -- strip the leading "&" and the trailing ";"
    local ref = entity:sub(2,-2)
    -- Only two-digit hexadecimal references (&#xNN;) are decoded.
    if ref:find("^#x%x%x$") then
      return stdnse.fromhex(ref:sub(3))
    end
    -- Unknown names yield nil, which makes gsub keep the original text.
    return named[ref]
  end
  return s:gsub("&.-;", resolve)
end
---
-- Performs URL encoding of all characters in a string.
--
-- @param s The string to be encoded.
-- @return A URL-encoded string
---
local function urlencode_all (s)
  -- Every character, including letters and digits, is percent-encoded
  -- with two lower-case hexadecimal digits.
  local function to_percent (c)
    return ("%%%02x"):format(c:byte())
  end
  return s:gsub(".", to_percent)
end
---
-- Decodes a base64-encoded string safely, catching any decoding errors.
--
-- @param s The string to be decoded.
-- @return A decoded string or nil if the input is invalid
---
local function b64decode (s)
  -- pcall turns a decoder error into a nil result instead of aborting the script.
  local ok, decoded = pcall(base64.dec, s)
  if ok and decoded then
    return decoded
  end
  return nil
end
-- Global list of fingerprint entries; every table.insert() call below
-- appends one entry.
fingerprints = {}
---
--WEB
---
table.insert(fingerprints, {
  name = "Ansible AWX",
  cpe = "cpe:/a:ansible:tower",
  category = "web",
  paths = {
    {path = "/api/"}
  },
  -- Accepts the target only for a 200 response that sets an alphanumeric
  -- csrftoken cookie and whose JSON body has description "AWX REST API".
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and get_cookie(response, "csrftoken", "^%w+$")
           and response.body
           and response.body:find("AWX REST API", 1, true)) then
      return false
    end
    local jstatus, jout = json.parse(response.body)
    return jstatus and jout.description == "AWX REST API"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  -- Fetches the path to obtain a csrftoken cookie, then posts the
  -- credentials to login/ with the token in header X-CSRFToken. Success is
  -- a 302 back to the path together with cookie userLoggedIn set to "true".
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local token = get_cookie(resp1, "csrftoken")
    if not token then return false end
    local form = {username=user,
                  password=pass,
                  next=path}
    local header = {["X-CSRFToken"]=token}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login/"),
                                  {cookies=resp1.cookies, header=header}, form)
    return resp2.status == 302
           and resp2.header["location"] == path
           and get_cookie(resp2, "userLoggedIn") == "true"
  end
})
table.insert(fingerprints, {
  name = "Cacti",
  cpe = "cpe:/a:cacti:cacti",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/cacti/"}
  },
  -- Accepts the target for a 200 response that sets a cookie named
  -- Cacti or CactiEZ.
  target_check = function (host, port, path, response)
    return response.status == 200
           and (get_cookie(response, "Cacti") or get_cookie(response, "CactiEZ"))
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Posts the login form to index.php. Success is a 302 whose Location
  -- header contains a "/".
  -- NOTE(review): the Location test only asks for a slash anywhere in the
  -- header, so it is a loose success signal; confirm against a live install.
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  login_username=user,
                  login_password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/", 1, true)
  end
})
table.insert(fingerprints, {
  name = "Zabbix",
  cpe = "cpe:/a:zabbix:zabbix",
  category = "web",
  paths = {
    {path = "/zabbix/"}
  },
  -- Accepts the target for a 200 response that sets cookie zbx_sessionid.
  target_check = function (host, port, path, response)
    return response.status == 200 and get_cookie(response, "zbx_sessionid")
  end,
  login_combos = {
    {username = "admin", password = "zabbix"}
  },
  -- Posts the sign-in form to index.php. Success is a 302 whose Location
  -- header is exactly "dashboard.php".
  login_check = function (host, port, path, user, pass)
    local form = {request="",
                  name=user,
                  password=pass,
                  enter="Sign in"}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302 and resp.header["location"] == "dashboard.php"
  end
})
table.insert(fingerprints, {
  name = "Xplico",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Accepts the target for a 302 response that sets cookie Xplico.
  target_check = function (host, port, path, response)
    return response.status == 302 and get_cookie(response, "Xplico")
  end,
  login_combos = {
    {username = "admin", password = "xplico"},
    {username = "xplico", password = "xplico"}
  },
  -- Fetches users/login, copies every hidden input (with name and value
  -- attributes) of the form whose action ends in /users/login, adds the
  -- credentials and posts the form back with the cookies from the first
  -- response. Success is a 302 to a location ending in /admins or
  -- /pols/index.
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "users/login")
    local resp1 = http_get_simple(host, port, lurl)
    if not (resp1.status == 200 and resp1.body) then return false end
    local html = get_tag_html(resp1.body, "form", {action="/users/login$"})
    if not html then return false end
    local form = {}
    for input in get_tags(html, "input", {type="^hidden$", name="", value=""}) do
      form[input.name] = input.value
    end
    form["data[User][username]"] = user
    form["data[User][password]"] = pass
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies}, form)
    local loc = resp2.header["location"] or ""
    return resp2.status == 302
           and (loc:find("/admins$") or loc:find("/pols/index$"))
  end
})
table.insert(fingerprints, {
  name = "ExtraHop Web UI",
  category = "web",
  paths = {
    {path = "/extrahop/"}
  },
  -- Accepts the target for a 200 response whose body mentions
  -- csrfmiddlewaretoken and whose title starts with "extrahop login"
  -- (title compared in lower case).
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("csrfmiddlewaretoken", 1, true)
           and response.body:lower():find("<title>extrahop login", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Fetches the login page, extracts the hidden csrfmiddlewaretoken input
  -- and posts it with the credentials, the cookies from the first response
  -- and a Referer built for the same path. Success is a 302 whose Location
  -- ends with the path.
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^csrfmiddlewaretoken$", value=""})
    if not token then return false end
    local form = {[token.name]=token.value,
                  next=path,
                  username=user,
                  password=pass}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp2 = http_post_simple(host, port, path,
                                  {cookies=resp1.cookies, header=header}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})
table.insert(fingerprints, {
  name = "Nagios",
  cpe = "cpe:/a:nagios:nagios",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/nagios/"}
  },
  -- Accepts the target when the advertised authentication realm is
  -- exactly "Nagios Access".
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Nagios Access"
  end,
  login_combos = {
    {username = "nagiosadmin", password = "nagios"},
    {username = "nagiosadmin", password = "nagiosadmin"},
    {username = "nagiosadmin", password = "PASSW0RD"},
    {username = "nagiosadmin", password = "CactiEZ"}
  },
  -- Uses HTTP basic authentication (digest argument is false).
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
table.insert(fingerprints, {
  name = "ManageEngine OpManager 10/11",
  cpe = "cpe:/a:zohocorp:manageengine_opmanager",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Two-step check: the first page must be a 200 whose script sets
  -- window.location.href to a URL ending in /LoginPage.do; LoginPage.do is
  -- then fetched and must be a 200 carrying the product name, the expected
  -- title and a form whose action ends in /jsp/login.do.
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])[^'\"]-/LoginPage%.do%1")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "LoginPage.do"))
    return resp.status == 200
           and resp.body
           and resp.body:find("ManageEngine", 1, true)
           and resp.body:lower():find("<title>%s*manageengine opmanager%s*</title>")
           and get_tag(resp.body, "form", {action="/jsp/login%.do$"})
  end,
  login_combos = {
    {username = "IntegrationUser", password = "plugin"},
    {username = "admin", password = "admin"}
  },
  -- Fetches LoginPage.do for its cookies, then posts the login form to
  -- jsp/Login.do. Success is a 200 or 302 that sets a hexadecimal
  -- OPUTILSTICKET cookie.
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "LoginPage.do"))
    if resp1.status ~= 200 then return false end
    local form2 = {clienttype="html",
                   isCookieADAuth="",
                   domainName="NULL",
                   authType="localUserLogin",
                   webstart="",
                   ScreenWidth=1024,
                   ScreenHeight=768,
                   loginFromCookieData="",
                   userName=user,
                   password=pass,
                   uname=""}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "jsp/Login.do"),
                                  {cookies=resp1.cookies}, form2)
    return (resp2.status == 200 or resp2.status == 302)
           and get_cookie(resp2, "OPUTILSTICKET", "^%x+$")
  end
})
table.insert(fingerprints, {
  name = "ManageEngine OpManager 12",
  cpe = "cpe:/a:zohocorp:manageengine_opmanager",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Accepts the target for a 200 response carrying the product name, the
  -- expected title and a form whose action starts with j_security_check
  -- (followed by ";" or the end of the attribute).
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ManageEngine", 1, true)
           and response.body:lower():find("<title>%s*manageengine opmanager%s*</title>")
           and get_tag(response.body, "form", {action="^j_security_check%f[;\0]"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Fetches the path for its cookies, then posts the login form to
  -- j_security_check. Success is a 303 whose Location ends with the path.
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local form2 = {AUTHRULE_NAME="Authenticator",
                   clienttype="html",
                   ScreenWidth=1024,
                   ScreenHeight=768,
                   loginFromCookieData="false",
                   ntlmv2="false",
                   j_username=user,
                   j_password=pass,
                   domainNameAD="Authenticator",
                   uname=""}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "j_security_check"),
                                  {cookies=resp1.cookies}, form2)
    return resp2.status == 303
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})
-- ntopng web interface.
table.insert(fingerprints, {
  name = "ntopng",
  cpe = "cpe:/a:ntop:ntopng",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- The root must redirect (302) to the Lua login page and set an empty
  -- "session" cookie; the redirect target is then fetched and must look
  -- like the ntopng welcome page with a form posting to authorize.html.
  target_check = function (host, port, path, response)
    local redirect = response.header["location"] or ""
    if response.status ~= 302
       or not redirect:find("/lua/login.lua?referer=", 1, true)
       or get_cookie(response, "session") ~= "" then
      return false
    end
    local login = http_get_simple(host, port, redirect)
    local page = login.status == 200 and login.body
    return page
           and page:find("ntopng", 1, true)
           and page:lower():find("<title>welcome to ntopng</title>", 1, true)
           and get_tag(page, "form", {action="/authorize%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Post the credentials to authorize.html. Accepted means a 302 back to
  -- exactly the probed path together with a "user" cookie equal to the
  -- submitted username.
  login_check = function (host, port, path, user, pass)
    local fields = {user=user,
                    password=pass,
                    referer=host.name .. path}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "authorize.html"),
                                   nil, fields)
    if reply.status ~= 302 or reply.header["location"] ~= path then
      return false
    end
    return get_cookie(reply, "user") == user
  end
})
-- OpenNMS web console (form login via j_spring_security_check).
table.insert(fingerprints, {
  name = "OpenNMS",
  cpe = "cpe:/a:opennms:opennms",
  category = "web",
  paths = {
    {path = "/login.jsp"},
    {path = "/opennms/login.jsp"}
  },
  -- A 200 login page that names OpenNMS in body and title and has a
  -- j_username input.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("OpenNMS", 1, true)
           and page:lower():find("<title>%s*opennms web console%s*</title>")
           and get_tag(page, "input", {name="^j_username$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "rtc", password = "rtc"}
  },
  -- A 302 whose Location contains /index.jsp (followed by "?" or the end
  -- of the value) is treated as an accepted login.
  login_check = function (host, port, path, user, pass)
    local fields = {j_username=user,
                    j_password=pass,
                    j_usergroups="",
                    Login=""}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "j_spring_security_check"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    -- Parentheses keep only the first result of find, as the original
    -- "and" expression did.
    return (target:find("/index%.jsp%f[?\0]"))
  end
})
-- SevOne NMS.
table.insert(fingerprints, {
  name = "SevOne NMS",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 response that sets a SEVONE cookie and whose title starts with
  -- "SevOne NMS - Network Manager" (compared in lower case).
  target_check = function (host, port, path, response)
    if response.status ~= 200 then return false end
    local page = get_cookie(response, "SEVONE") and response.body
    return page
           and page:lower():find("<title>sevone nms - network manager", 1, true)
  end,
  login_combos = {
    {username = "Admin", password = "SevOne"},
    {username = "SevOneStats", password = "n3v3rd13"}
  },
  -- Pull the hex XSRF token out of the landing page, then post the login
  -- form with that token and a matching Referer. The JSON reply is taken
  -- as an accepted login when its "status" field is 0 or -3.
  login_check = function (host, port, path, user, pass)
    local landing = http_get_simple(host, port, path)
    if landing.status ~= 200 or not landing.body then return false end
    local xsrf = landing.body:match("GlobalData%.Utilities%.Xsrf%.setToken%(%s*['\"](%x+)")
    if not xsrf then return false end
    local fields = {login=user,
                    passwd=pass,
                    browser="mozilla",
                    version=52,
                    tzString=os.date("!%a %b %d %Y %H:%M:%S GMT+0000"),
                    check_tz=0}
    local refpath = url.absolute(path, "doms/login/index.php")
    local referer = url.build(url_build_defaults(host, port, {path=refpath}))
    local hdrs = {["Referer"]=referer,
                  ["X-CSRFToken"]=xsrf}
    local reply = http_post_simple(host, port,
                                   url.absolute(refpath, "processLogin.php"),
                                   {cookies=landing.cookies, header=hdrs}, fields)
    if reply.status ~= 200 or not reply.body then return false end
    local ok, parsed = json.parse(reply.body)
    return ok and (parsed.status == 0 or parsed.status == -3)
  end
})
-- Device42 Appliance Manager.
table.insert(fingerprints, {
  name = "Device42 Appliance Manager",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 that sets the "d42amid" cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    -- Parentheses keep only the first result of get_cookie.
    return (get_cookie(response, "d42amid"))
  end,
  login_combos = {
    {username = "d42admin", password = "default"}
  },
  -- Load the login page to obtain cookies, echo the CSRF cookie value back
  -- as csrfmiddlewaretoken, and post with a Referer of the login URL.
  -- Accepted means a 302 whose Location ends with the probed path.
  login_check = function (host, port, path, user, pass)
    local login_url = url.absolute(path, "accounts/login/")
    local landing = http_get_simple(host, port, login_url .. "?next=" .. path)
    if landing.status ~= 200 or not landing.body then return false end
    local fields = {csrfmiddlewaretoken=get_cookie(landing, "d42amid_csrftoken"),
                    username=user,
                    password=pass,
                    next=path}
    local hdrs = {["Referer"]=url.build(url_build_defaults(host, port, {path=login_url}))}
    local reply = http_post_simple(host, port, login_url,
                                   {cookies=landing.cookies, header=hdrs}, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return target:sub(-#path) == path
  end
})
-- Grafana.
table.insert(fingerprints, {
  name = "Grafana",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 that sets the "grafana_sess" cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    -- Parentheses keep only the first result of get_cookie.
    return (get_cookie(response, "grafana_sess"))
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Send the credentials as a JSON body to <path>login. Accepted means a
  -- 200 reply that sets a "grafana_user" cookie equal to the username.
  login_check = function (host, port, path, user, pass)
    local hdrs = {["Accept"]="application/json, text/plain, */*",
                  ["Content-Type"]="application/json;charset=utf-8"}
    local payload = {user=user, email="", password=pass}
    -- Mark the table as a JSON object before serialising it.
    json.make_object(payload)
    local login_url = url.absolute(path, "login")
    local reply = http_post_simple(host, port, login_url,
                                   {header=hdrs}, json.generate(payload))
    if reply.status ~= 200 then return false end
    return get_cookie(reply, "grafana_user") == user
  end
})
-- Apache Ambari.
table.insert(fingerprints, {
  name = "Apache Ambari",
  cpe = "cpe:/a:apache:ambari",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 page containing ">Ambari<", the exact lower-cased title and a
  -- script tag whose src is javascripts/app.js.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find(">Ambari<", 1, true)
           and page:lower():find("<title>ambari</title>", 1, true)
           and get_tag(page, "script", {src="^javascripts/app%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- The credentials are tested with HTTP authentication against the
  -- api/v1/users/admin resource; the verdict comes from try_http_auth.
  login_check = function (host, port, path, user, pass)
    local users_api = url.absolute(path, "api/v1/users/admin")
    return try_http_auth(host, port, users_api, user, pass, false)
  end
})
-- Cloudera Manager.
table.insert(fingerprints, {
  name = "Cloudera Manager",
  cpe = "cpe:/a:cloudera:cloudera_manager",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 200 that sets the CLOUDERA_MANAGER_SESSIONID cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 200 then return false end
    -- Parentheses keep only the first result of get_cookie.
    return (get_cookie(response, "CLOUDERA_MANAGER_SESSIONID"))
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Post to j_spring_security_check; a 302 whose Location contains
  -- /cmf/postLogin (followed by "?" or the end of the value) is taken as
  -- an accepted login.
  login_check = function (host, port, path, user, pass)
    local fields = {j_username=user,
                    j_password=pass,
                    returnUrl="",
                    submit=""}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "j_spring_security_check"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return (target:find("/cmf/postLogin%f[?\0]"))
  end
})
-- OpenDaylight web UI.
table.insert(fingerprints, {
  name = "OpenDaylight",
  cpe = "cpe:/a:opendaylight:opendaylight",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 page with a hexadecimal JSESSIONID cookie, the product name in
  -- body and title, and a form whose action starts with j_security_check.
  target_check = function (host, port, path, response)
    if response.status ~= 200 then return false end
    local page = get_cookie(response, "JSESSIONID", "^%x+$") and response.body
    return page
           and page:find("OpenDaylight", 1, true)
           and page:lower():find("<title>opendaylight ", 1, true)
           and get_tag(page, "form", {action="^j_security_check%f[;\0]"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Fetch the landing page for its cookies, then post the two j_* fields.
  -- Accepted means a 302 whose Location ends with the probed path.
  login_check = function (host, port, path, user, pass)
    local landing = http_get_simple(host, port, path)
    if landing.status ~= 200 then return false end
    local fields = {j_username=user, j_password=pass}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "j_security_check"),
                                   {cookies=landing.cookies},
                                   fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    -- Plain search anchored at the tail of the header value.
    return (target:find(path, -#path, true))
  end
})
-- OrientDB Studio.
table.insert(fingerprints, {
  name = "OrientDB Studio",
  cpe = "cpe:/a:orientdb:orientdb",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 page that mentions OrientDB, has a meta tag with content
  -- "OrientDB Studio" and refreshes to /studio/index.html.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("OrientDB", 1, true)
           and get_tag(page, "meta", {content="^OrientDB Studio$"})
           and get_refresh_url(page, "/studio/index%.html$")
  end,
  login_combos = {
    {username = "reader", password = "reader"},
    {username = "writer", password = "writer"},
    {username = "admin", password = "admin"}
  },
  -- Read the database names from the listDatabases JSON reply and try the
  -- credentials against connect/<database> for each one, stopping at the
  -- first database that accepts them.
  login_check = function (host, port, path, user, pass)
    local listing = http_get_simple(host, port, url.absolute(path, "listDatabases"))
    if listing.status ~= 200 or not listing.body then return false end
    local ok, parsed = json.parse(listing.body)
    if not ok or type(parsed.databases) ~= "table" then return false end
    for _, dbname in ipairs(parsed.databases) do
      local connect_url = url.absolute(path, "connect/" .. url.escape(dbname))
      if try_http_auth(host, port, connect_url, user, pass, false) then
        return true
      end
    end
    return false
  end
})
-- RockMongo (MongoDB administration front end).
table.insert(fingerprints, {
  name = "RockMongo",
  cpe = "cpe:/a:rockmongo:rockmongo",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- The root must redirect (302) to the login.index action; the redirect
  -- target is fetched and must carry the RockMongo name, title and a
  -- <select name="host"> element.
  target_check = function (host, port, path, response)
    local redirect = response.header["location"] or ""
    if response.status ~= 302
       or not redirect:find("/index.php?action=login.index", 1, true) then
      return false
    end
    local login = http_get_simple(host, port, redirect)
    local page = login.status == 200 and login.body
    return page
           and page:find("RockMongo", 1, true)
           and page:lower():find("<title>rockmongo</title>")
           and get_tag(page, "select", {name="^host$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Post the login form for host 0. Accepted means a 302 to the
  -- admin.index action that also sets a ROCK_LANG cookie made of letters
  -- and underscores.
  login_check = function (host, port, path, user, pass)
    local fields = {more=0,
                    host=0,
                    username=user,
                    password=pass,
                    db="",
                    lang="en_us",
                    expire=3}
    local login_url = url.absolute(path, "index.php?action=login.index&host=0")
    local reply = http_post_simple(host, port, login_url, nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return target:find("?action=admin.index", 1, true)
           and get_cookie(reply, "ROCK_LANG", "^[%a_]+$")
  end
})
-- Sambar Server.
table.insert(fingerprints, {
  name = "Sambar Server",
  cpe = "cpe:/a:sambar:sambar_server",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 response whose Server header starts with the word SAMBAR.
  target_check = function (host, port, path, response)
    if response.status ~= 200 then return false end
    local banner = response.header["server"] or ""
    -- Parentheses keep only the first result of find.
    return (banner:find("^SAMBAR%f[%s\0]"))
  end,
  -- All candidates use an empty password.
  login_combos = {
    {username = "admin", password = ""},
    {username = "anonymous", password = ""},
    {username = "billy-bob", password = ""}
  },
  -- The credentials are tested with HTTP authentication against
  -- session/login; note the last try_http_auth argument is true here.
  login_check = function (host, port, path, user, pass)
    local login_url = url.absolute(path, "session/login")
    return try_http_auth(host, port, login_url, user, pass, true)
  end
})
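-- Oracle/BEA WebLogic Server administration console.
table.insert(fingerprints, {
  name = "WebLogic Server Console",
  cpe = "cpe:/a:bea:weblogic_server",
  category = "web",
  paths = {
    {path = "/console/"}
  },
  -- Identified by a 302 whose Location contains the console login form
  -- (followed by ";" or the end of the value).
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/console/login/LoginForm%.jsp%f[;\0]")
  end,
  login_combos = {
    {username = "weblogic", password = "weblogic"},
    {username = "weblogic", password = "weblogic1"},
    {username = "weblogic", password = "welcome1"},
    {username = "weblogic", password = "password"},
    {username = "system", password = "Passw0rd"},
    {username = "system", password = "password"},
    {username = "operator", password = "Passw0rd"},
    {username = "operator", password = "password"},
    {username = "monitor", password = "Passw0rd"},
    {username = "monitor", password = "password"},
    {username = "oraclesystemuser", password = "Passw0rd"},
    {username = "oraclesystemuser", password = "password"}
  },
  -- Post to j_security_check with a Referer of the console path. Any
  -- 2xx/3xx reply is treated as accepted, except a 302 that leads straight
  -- back to the login form.
  -- Returns true or false.
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  j_character_encoding="UTF-8"}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "j_security_check"),
                                  {header=header}, form)
    local status = resp.status
    -- Comparing a non-number with >= raises in Lua, so a reply that has no
    -- numeric status (presumably a failed request) is rejected up front
    -- instead of aborting the check.
    if type(status) ~= "number" or status < 200 or status > 399 then
      return false
    end
    if status == 302
       and (resp.header["location"] or ""):find("/console/login/LoginForm%.jsp$") then
      return false
    end
    return true
  end
})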
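-- IBM WebSphere Community Edition administration console.
table.insert(fingerprints, {
  name = "WebSphere Community Edition Console",
  cpe = "cpe:/a:ibm:websphere_application_server",
  category = "web",
  paths = {
    {path = "/console/"}
  },
  -- Identified by a 302 whose Location runs through /portal/ and ends in
  -- /Welcome (followed by "?" or the end of the value).
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/portal%f[/].-/Welcome%f[?\0]")
  end,
  login_combos = {
    {username = "system", password = "manager"}
  },
  -- Follow the console redirect, load the page it points to for cookies,
  -- then post to j_security_check relative to that page. Accepted means a
  -- 302 whose Location contains the redirect path again.
  -- Returns false for any step that does not behave as expected.
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local resource = resp1.header["location"]
    if not (resp1.status == 302 and resource) then return false end
    -- Keep the Location from its first single slash on, which drops any
    -- scheme and host. A value without such a slash yields nil; calling
    -- gsub on that would raise, so it is treated as a failed attempt.
    local respath = resource:match("%f[/]/%f[^/].*")
    if not respath then return false end
    -- Remove "/." segments; only the first gsub result is kept.
    respath = respath:gsub("/%.%f[/]", "")
    local resp2 = http_get_simple(host, port, respath)
    if resp2.status ~= 200 then return false end
    local form3 = {j_username=user,
                   j_password=pass,
                   submit="Login"}
    local resp3 = http_post_simple(host, port,
                                   url.absolute(respath, "j_security_check"),
                                   {cookies=resp2.cookies}, form3)
    return resp3.status == 302
           and (resp3.header["location"] or ""):find(respath, 1, true)
  end
})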
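-- JBoss EAP admin-console (form login).
table.insert(fingerprints, {
  name = "JBoss EAP Admin Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_application_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 JBoss welcome page that links to /admin-console/.
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/admin-console/", 1, true)
           and get_tag(response.body, "a", {href="/admin%-console/$"})
           and response.body:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Request the protected summary page, follow its redirect to the login
  -- page, then post the login form to that page's path (without any
  -- ";..." or "?..." suffix). Accepted means a 302 back to the summary
  -- page with a conversationId.
  -- Returns false for any step that does not behave as expected.
  login_check = function (host, port, path, user, pass)
    local curl = url.absolute(path, "admin-console/")
    local resp1 = http_get_simple(host, port,
                                  url.absolute(curl, "secure/summary.seam"))
    local lurl = resp1.header["location"]
    if not (resp1.status == 302 and lurl) then return false end
    -- Keep the Location from its first single slash on, which drops any
    -- scheme and host. A value without such a slash yields nil; that is
    -- treated as a failed attempt rather than passed on as a path.
    local lpath = lurl:match("%f[/]/%f[^/].*")
    if not lpath then return false end
    local resp2 = http_get_simple(host, port, lpath)
    if resp2.status ~= 200 then return false end
    local form3 = {login_form="login_form",
                   ["login_form:name"]=user,
                   ["login_form:password"]=pass,
                   ["login_form:submit"]="Login",
                   ["javax.faces.ViewState"]="j_id1"}
    -- Only the first gsub result (the stripped path) is used.
    local post_path = lpath:gsub("[;?].*$", "")
    -- The cookies sent are the ones set by the first (redirecting) reply.
    local resp3 = http_post_simple(host, port, post_path,
                                   {cookies=resp1.cookies}, form3)
    return resp3.status == 302
           and (resp3.header["location"] or ""):find("/admin-console/secure/summary.seam?conversationId=", 1, true)
  end
})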
-- JBoss JMX console (HTTP authentication).
table.insert(fingerprints, {
  name = "JBoss JMX Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_application_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 JBoss welcome page that links to /jmx-console/.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("/jmx-console/", 1, true)
           and get_tag(page, "a", {href="/jmx%-console/$"})
           and page:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- The credentials are tested with HTTP authentication against
  -- <path>jmx-console/; the verdict comes from try_http_auth.
  login_check = function (host, port, path, user, pass)
    local console_url = url.absolute(path, "jmx-console/")
    return try_http_auth(host, port, console_url, user, pass, false)
  end
})
-- JBoss web-console (HTTP authentication).
table.insert(fingerprints, {
  name = "JBoss Web Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_web_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 JBoss welcome page that links to /web-console/.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("/web-console/", 1, true)
           and get_tag(page, "a", {href="/web%-console/$"})
           and page:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- The credentials are tested with HTTP authentication against
  -- <path>web-console/; the verdict comes from try_http_auth.
  login_check = function (host, port, path, user, pass)
    local console_url = url.absolute(path, "web-console/")
    return try_http_auth(host, port, console_url, user, pass, false)
  end
})
-- Apache Tomcat Manager application (HTTP authentication).
table.insert(fingerprints, {
  name = "Apache Tomcat Manager",
  cpe = "cpe:/a:apache:tomcat",
  category = "web",
  paths = {
    {path = "/manager/html/"},
    {path = "/manager/status/"},
    {path = "/tomcat/manager/html/"},
    {path = "/tomcat/manager/status/"},
    {path = "/cognos_express/manager/html/"}
  },
  -- Identified purely by the authentication realm of the response.
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "Tomcat Manager Application"
  end,
  -- Candidate pairs handed to login_check. A hit on any of them means the
  -- manager application is reachable with a well-known account.
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"},
    {username = "admin", password = ""},
    {username = "admin", password = "tomcat"},
    {username = "ADMIN", password = "ADMIN"},
    {username = "ovwebusr", password = "OvW*busr1"},
    {username = "j2deployer", password = "j2deployer"},
    {username = "cxsdk", password = "kdsxc"},
    {username = "xampp", password = "xampp"},
    {username = "QCC", password = "QLogic66"},
    {username = "fhir", password = "FHIRDefaultPassword"},
    {username = "username", password = "password"},
    {username = "username1", password = "password"},
    {username = "pippo", password = "paperino"},
    {username = "topolino", password = "minnie"},
    {username = "root", password = "vagrant"},
    {username = "tomcat", password = "s3cret"},
    {username = "root", password = "owaspbwa"},
    {username = "admin", password = "owaspbwa"}
  },
  -- The probed path itself is the protected resource.
  login_check = function (host, port, path, user, pass)
    local protected = path
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Apache Tomcat Host Manager application (HTTP authentication).
table.insert(fingerprints, {
  name = "Apache Tomcat Host Manager",
  cpe = "cpe:/a:apache:tomcat",
  category = "web",
  paths = {
    {path = "/host-manager/html/"},
    {path = "/host-manager/text/"},
    {path = "/tomcat/host-manager/html/"},
    {path = "/tomcat/host-manager/text/"}
  },
  -- Identified purely by the authentication realm of the response.
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "Tomcat Host Manager Application"
  end,
  -- Candidate pairs handed to login_check. A hit on any of them means the
  -- host manager is reachable with a well-known account.
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"},
    {username = "admin", password = ""},
    {username = "ADMIN", password = "ADMIN"},
    {username = "xampp", password = "xampp"},
    {username = "QCC", password = "QLogic66"},
    {username = "fhir", password = "FHIRDefaultPassword"},
    {username = "username", password = "password"},
    {username = "pippo", password = "paperino"},
    {username = "root", password = "vagrant"},
    {username = "tomcat", password = "s3cret"},
    {username = "root", password = "owaspbwa"},
    {username = "admin", password = "owaspbwa"}
  },
  -- The probed path itself is the protected resource.
  login_check = function (host, port, path, user, pass)
    local protected = path
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Apache ActiveMQ web console (HTTP authentication).
table.insert(fingerprints, {
  name = "Apache ActiveMQ",
  cpe = "cpe:/a:apache:activemq",
  category = "web",
  paths = {
    {path = "/admin/"}
  },
  -- Identified purely by the authentication realm of the response.
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "ActiveMQRealm"
  end,
  login_combos = {
    {username = "user", password = "user"},
    {username = "admin", password = "admin"}
  },
  -- The probed path itself is the protected resource.
  login_check = function (host, port, path, user, pass)
    local protected = path
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- RabbitMQ management interface.
table.insert(fingerprints, {
  name = "Pivotal RabbitMQ",
  cpe = "cpe:/a:pivotal_software:rabbitmq",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 page naming RabbitMQ, with the management title and a
  -- <div id="outer"> element.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("RabbitMQ", 1, true)
           and page:lower():find("<title>rabbitmq management</title>", 1, true)
           and get_tag(page, "div", {id="^outer$"})
  end,
  login_combos = {
    {username = "guest", password = "guest"}
  },
  -- The credentials are tested with HTTP authentication against the
  -- api/whoami resource; the verdict comes from try_http_auth.
  login_check = function (host, port, path, user, pass)
    local whoami = url.absolute(path, "api/whoami")
    return try_http_auth(host, port, whoami, user, pass, false)
  end
})
-- OSGi Management Console (HTTP authentication).
table.insert(fingerprints, {
  name = "OSGi Management Console",
  category = "web",
  paths = {
    {path = "/system/console"},
    {path = "/lc/system/console"}
  },
  -- Identified purely by the authentication realm of the response.
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "OSGi Management Console"
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "karaf", password = "karaf"},
    {username = "smx", password = "smx"}
  },
  -- The probed path itself is the protected resource.
  login_check = function (host, port, path, user, pass)
    local protected = path
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Apache Axis2 administration page.
table.insert(fingerprints, {
  name = "Apache Axis2",
  cpe = "cpe:/a:apache:axis2",
  category = "web",
  paths = {
    {path = "/axis2/axis2-admin/"}
  },
  -- A 200 page that mentions Axis2 and has the administration login title.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("Axis2", 1, true)
           and page:lower():find("<title>login to axis2 :: administration page</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "axis2"}
  },
  -- Post the login form; a 200 reply that contains a logout link is taken
  -- as an accepted login.
  login_check = function (host, port, path, user, pass)
    local fields = {userName=user,password=pass,submit=" Login "}
    local reply = http_post_simple(host, port, url.absolute(path, "login"),
                                   nil, fields)
    if reply.status ~= 200 then return false end
    -- Parentheses keep only the first result of get_tag.
    return (get_tag(reply.body or "", "a", {href="^axis2%-admin/logout$"}))
  end
})
-- Apache OFBiz webtools.
table.insert(fingerprints, {
  name = "Apache Ofbiz",
  cpe = "cpe:/a:apache:ofbiz",
  category = "web",
  paths = {
    {path = "/webtools/"}
  },
  -- The probed path must redirect (302) to <path>control/main; the
  -- redirect target is fetched and must reference its checkLogin URL and
  -- show a "powered by" link to ofbiz.apache.org.
  target_check = function (host, port, path, response)
    local redirect = response.header["location"] or ""
    if response.status ~= 302
       or not redirect:find(url.absolute(path, "control/main"), 1, true) then
      return false
    end
    local main = http_get_simple(host, port, redirect)
    local page = main.status == 200 and main.body
    return page
           and page:find(url.absolute(redirect, "checkLogin"), 1, true)
           and page:lower():find("powered by%s+<a%f[%s][^>]-%shref%s*=%s*['\"]https?://ofbiz%.apache%.org%W")
  end,
  login_combos = {
    {username = "admin", password = "ofbiz"}
  },
  -- Post to control/login. Accepted means a 200 reply that sets the
  -- "<last path segment>.autoUserLoginId" cookie to the username.
  login_check = function (host, port, path, user, pass)
    local fields = {USERNAME=user,
                    PASSWORD=pass,
                    JavaScriptEnabled="Y"}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "control/login"),
                                   nil, fields)
    if reply.status ~= 200 then return false end
    -- The cookie name is built from the last segment of the probed path.
    local cookie_name = path:match("/([^/]+)/$") .. ".autoUserLoginId"
    return get_cookie(reply, cookie_name) == user
  end
})
-- Opencast Matterhorn.
table.insert(fingerprints, {
  name = "Opencast Matterhorn",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- The root must redirect (302) to login.html and set an alphanumeric
  -- JSESSIONID; the redirect target is fetched and must carry the
  -- Matterhorn name, title and a form posting to j_spring_security_check.
  target_check = function (host, port, path, response)
    local redirect = response.header["location"] or ""
    if response.status ~= 302
       or not redirect:find("/login%.html%f[;\0]")
       or not get_cookie(response, "JSESSIONID", "^%w+$") then
      return false
    end
    local login = http_get_simple(host, port, redirect)
    local page = login.status == 200 and login.body
    return page
           and page:find("Matterhorn", 1, true)
           and page:lower():find("<title>opencast matterhorn ", 1, true)
           and get_tag(page, "form", {action="/j_spring_security_check$"})
  end,
  login_combos = {
    {username = "admin", password = "opencast"}
  },
  -- Accepted means a 302 to welcome.html that also sets an alphanumeric
  -- JSESSIONID cookie.
  login_check = function (host, port, path, user, pass)
    local fields = {j_username=user,
                    j_password=pass,
                    submit="Login"}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "j_spring_security_check"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return target:find("/welcome%.html$")
           and get_cookie(reply, "JSESSIONID", "^%w+$")
  end
})
-- Opencast (admin-ng interface).
table.insert(fingerprints, {
  name = "Opencast",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 to /admin-ng/login.html that sets an alphanumeric
  -- JSESSIONID cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    local redirect = response.header["location"] or ""
    return redirect:find("/admin%-ng/login%.html%f[;\0]")
           and get_cookie(response, "JSESSIONID", "^%w+$")
  end,
  login_combos = {
    {username = "admin", password = "opencast"}
  },
  -- Accepted means a 302 to /admin-ng/index.html that also sets an
  -- alphanumeric JSESSIONID cookie.
  login_check = function (host, port, path, user, pass)
    local fields = {j_username=user, j_password=pass}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "admin-ng/j_spring_security_check"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return target:find("/admin%-ng/index%.html$")
           and get_cookie(reply, "JSESSIONID", "^%w+$")
  end
})
-- Plumtree Portal.
table.insert(fingerprints, {
  name = "Plumtree Portal",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 whose Location ends in /portal/server.pt.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    local redirect = response.header["location"] or ""
    -- Parentheses keep only the first result of find.
    return (redirect:find("/portal/server%.pt$"))
  end,
  -- The single candidate uses an empty password.
  login_combos = {
    {username = "Administrator", password = ""}
  },
  -- Accepted means a 302 to server.pt followed by ";" or "?", together
  -- with a "plloginoccured" cookie set to "true".
  login_check = function (host, port, path, user, pass)
    local fields = {in_hi_space="Login",
                    in_hi_spaceID="0",
                    in_hi_control="Login",
                    in_hi_dologin="true",
                    in_tx_username=user,
                    in_pw_userpass=pass,
                    in_se_authsource=""}
    local reply = http_post_simple(host, port,
                                   url.absolute(path, "portal/server.pt"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    local target = reply.header["location"] or ""
    return target:find("/portal/server%.pt[;?]")
           and get_cookie(reply, "plloginoccured") == "true"
  end
})
-- GLPI.
table.insert(fingerprints, {
  name = "GLPI",
  cpe = "cpe:/a:glpi-project:glpi",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- A 200 page that names GLPI in body and title and has a login_name
  -- input.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("GLPI", 1, true)
           and page:lower():find("<title>glpi ", 1, true)
           and get_tag(page, "input", {name="^login_name$"})
  end,
  login_combos = {
    {username = "glpi", password = "glpi"},
    {username = "tech", password = "tech"},
    {username = "post-only", password = "postonly"},
    {username = "normal", password = "normal"}
  },
  -- Read the hidden CSRF input from the login page and send it back with
  -- the credentials and a Referer of the probed path. Accepted means a 200
  -- body that sets window.location to a page under /front/.
  login_check = function (host, port, path, user, pass)
    local landing = http_get_simple(host, port, path)
    if landing.status ~= 200 or not landing.body then return false end
    local csrf = get_tag(landing.body, "input", {type="^hidden$", name="^_glpi_csrf_token$", value=""})
    if not csrf then return false end
    local fields = {login_name=user,
                    login_password=pass,
                    submit="Post",
                    [csrf.name]=csrf.value}
    local hdrs = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local reply = http_post_simple(host, port, url.absolute(path, "login.php"),
                                   {cookies=landing.cookies, header=hdrs}, fields)
    if reply.status ~= 200 then return false end
    -- Parentheses keep only the first result of find.
    return ((reply.body or ""):find("%Wwindow%.location%s*=%s*(['\"])[^'\"]-/front/[%w.]+%.php%1"))
  end
})
-- OTRS agent interface.
table.insert(fingerprints, {
  name = "OTRS",
  cpe = "cpe:/a:otrs:otrs",
  category = "web",
  paths = {
    {path = "/otrs/"}
  },
  -- A 200 page that mentions OTRS, references <path>index.pl and has a
  -- requestedurl input.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("OTRS", 1, true)
           and page:find(url.absolute(path, "index.pl"), 1, true)
           and get_tag(page, "input", {name="^requestedurl$"})
  end,
  login_combos = {
    {username = "root@localhost", password = "root"},
    {username = "root@localhost", password = "changeme"}
  },
  -- Accepted means a 302 that sets an alphanumeric OTRSAgentInterface
  -- cookie.
  login_check = function (host, port, path, user, pass)
    local fields = {Action="Login",
                    RequestedURL="",
                    Lang="en",
                    TimeOffset=0,
                    User=user,
                    Password=pass}
    local reply = http_post_simple(host, port, url.absolute(path, "index.pl"),
                                   nil, fields)
    if reply.status ~= 302 then return false end
    -- Parentheses keep only the first result of get_cookie.
    return (get_cookie(reply, "OTRSAgentInterface", "^%w+$"))
  end
})
-- ILIAS, variant 1: the root redirects straight to login.php.
table.insert(fingerprints, {
  name = "Ilias (var.1)",
  cpe = "cpe:/a:ilias:ilias",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 that sets ilClientId and points at login.php with
  -- a client_id query parameter.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    return get_cookie(response, "ilClientId")
           and (response.header["location"] or ""):find("%f[^/\0]login%.php%?.*%f[^?&]client_id=")
  end,
  login_combos = {
    {username = "root", password = "homer"}
  },
  -- Follow the redirect to the login page, locate the login form, and post
  -- the credentials to the form's own action URL. The cookies from the
  -- first reply are reused throughout. Accepted means a 302 to ilias.php.
  login_check = function (host, port, path, user, pass)
    local first = http_get_simple(host, port, path)
    -- Strip scheme and host from the Location; only the first gsub result
    -- is kept.
    local rel = (first.header["location"] or ""):gsub("^https?://[^/]*", "")
    if first.status ~= 302 or not rel:find("%f[^/\0]login%.php%?") then
      return false
    end
    local login_url = url.absolute(path, rel)
    local landing = http_get_simple(host, port, login_url, {cookies=first.cookies})
    if landing.status ~= 200 or not landing.body then return false end
    local frm = get_tag(landing.body, "form", {name="^formlogin$", action="[?&;]client_id="})
    if not frm then return false end
    local fields = {username=user,
                    password=pass,
                    ["cmd[doStandardAuthentication]"]="Anmelden"}
    local reply = http_post_simple(host, port,
                                   url.absolute(login_url, xmldecode(frm.action)),
                                   {cookies=first.cookies}, fields)
    if reply.status ~= 302 then return false end
    return ((reply.header["location"] or ""):find("/ilias%.php?%?"))
  end
})
-- ILIAS, variant 2: the root redirects to ilias.php instead of login.php.
table.insert(fingerprints, {
  name = "Ilias (var.2)",
  cpe = "cpe:/a:ilias:ilias",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 that sets ilClientId and points at ilias.php.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    return get_cookie(response, "ilClientId")
           and (response.header["location"] or ""):find("%f[^/\0]ilias%.php%f[?\0]")
  end,
  login_combos = {
    {username = "root", password = "homer"}
  },
  -- Build the login.php URL from the ilClientId cookie, load it, locate
  -- the login form, and post the credentials to the form's own action
  -- URL. The cookies from the first reply are reused throughout.
  -- Accepted means a 302 to ilias.php.
  login_check = function (host, port, path, user, pass)
    local first = http_get_simple(host, port, path)
    if first.status ~= 302 then return false end
    local query = {target="",
                   client_id=get_cookie(first, "ilClientId"),
                   cmd="force_login",
                   lang="en"}
    local login_url = url.absolute(path, "login.php?" .. url.build_query(query))
    local landing = http_get_simple(host, port, login_url, {cookies=first.cookies})
    if landing.status ~= 200 or not landing.body then return false end
    local frm = get_tag(landing.body, "form", {name="^formlogin$", action="[?&;]client_id="})
    if not frm then return false end
    local fields = {username=user,
                    password=pass,
                    ["cmd[doStandardAuthentication]"]="Anmelden"}
    local reply = http_post_simple(host, port,
                                   url.absolute(login_url, xmldecode(frm.action)),
                                   {cookies=first.cookies}, fields)
    if reply.status ~= 302 then return false end
    return ((reply.header["location"] or ""):find("/ilias%.php?%?"))
  end
})
-- Jitamin.
table.insert(fingerprints, {
  name = "Jitamin",
  category = "web",
  paths = {
    {path = "/"}
  },
  -- Identified by a 302 to the Auth/AuthController login action that sets
  -- a JM_SID cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    local redirect = response.header["location"] or ""
    return redirect:find("%?controller=Auth/AuthController&action=login$")
           and get_cookie(response, "JM_SID")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin@admin.com", password = "admin"}
  },
  -- Read the hidden csrf_token input from the login page and send it back
  -- with the credentials to the "check" action. Accepted means a 302 to
  -- the dashboard index action.
  login_check = function (host, port, path, user, pass)
    local action_base = path .. "?controller=Auth/AuthController&action="
    local landing = http_get_simple(host, port, action_base .. "login")
    if landing.status ~= 200 or not landing.body then return false end
    local csrf = get_tag(landing.body, "input", {type="^hidden$", name="^csrf_token$", value=""})
    if not csrf then return false end
    local fields = {[csrf.name]=csrf.value,
                    username=user,
                    password=pass}
    local reply = http_post_simple(host, port, action_base .. "check",
                                   {cookies=landing.cookies}, fields)
    if reply.status ~= 302 then return false end
    return ((reply.header["location"] or ""):find("%?controller=Dashboard/DashboardController&action=index$"))
  end
})
-- Kanboard.
table.insert(fingerprints, {
  name = "Kanboard",
  cpe = "cpe:/a:kanboard:kanboard",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/kanboard/"}
  },
  -- Identified by a 302 to the AuthController login action that sets a
  -- KB_SID cookie.
  target_check = function (host, port, path, response)
    if response.status ~= 302 then return false end
    local redirect = response.header["location"] or ""
    return redirect:find("%?controller=AuthController&action=login$")
           and get_cookie(response, "KB_SID")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Read the hidden csrf_token input from the login page and send it back
  -- with the credentials to the "check" action. Accepted means a 302 to
  -- the dashboard show action.
  login_check = function (host, port, path, user, pass)
    local action_base = path .. "?controller=AuthController&action="
    local landing = http_get_simple(host, port, action_base .. "login")
    if landing.status ~= 200 or not landing.body then return false end
    local csrf = get_tag(landing.body, "input", {type="^hidden$", name="^csrf_token$", value=""})
    if not csrf then return false end
    local fields = {[csrf.name]=csrf.value,
                    username=user,
                    password=pass}
    local reply = http_post_simple(host, port, action_base .. "check",
                                   {cookies=landing.cookies}, fields)
    if reply.status ~= 302 then return false end
    return ((reply.header["location"] or ""):find("%?controller=DashboardController&action=show$"))
  end
})
-- RainLoop Webmail (administration login).
table.insert(fingerprints, {
  name = "RainLoop Webmail",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/rainloop/"},
    {path = "/webmail/"}
  },
  -- A 200 page that links the versioned rainloop/v/<version> stylesheet.
  target_check = function (host, port, path, response)
    local page = response.status == 200 and response.body
    return page
           and page:find("rainloop/v/", 1, true)
           and get_tag(page, "link", {href="^rainloop/v/%d[%d.]+%d/static/css/app%.min%.css%f[?\0]"})
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  -- Extract the JSON application data from ?/AdminAppData, take its token
  -- (top-level "Token", else "System.token"), and send it as XToken with
  -- the AdminLogin action. The JSON reply is accepted when it echoes the
  -- AdminLogin action with a truthy Result.
  login_check = function (host, port, path, user, pass)
    local appdata = http_get_simple(host, port, path .. "?/AdminAppData")
    if appdata.status ~= 200 or not appdata.body then return false end
    local raw = appdata.body:match('{[^{]*"Auth"%s*:.*"PluginsLink"%s*:[^}]*}')
    -- An empty object is parsed when the data block is not found, so the
    -- token lookup below simply comes back empty.
    local ok, parsed = json.parse(raw or "{}")
    local xtoken = ok and (parsed.Token or parsed.System and parsed.System.token)
    if not xtoken then return false end
    local fields = {Login=user,
                    Password=pass,
                    Action="AdminLogin",
                    XToken=xtoken}
    local reply = http_post_simple(host, port, path .. "?/Ajax/&q[]=/0/",
                                   {cookies = appdata.cookies}, fields)
    if reply.status ~= 200 or not reply.body then return false end
    ok, parsed = json.parse(reply.body)
    return ok and parsed.Action == "AdminLogin" and parsed.Result
  end
})
-- TeamPass. The login request body is encrypted client-side, so this
-- fingerprint only applies when OpenSSL support with both AES modes used
-- below is available.
table.insert(fingerprints, {
  name = "TeamPass",
  cpe = "cpe:/a:teampass:teampass",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/teampass/"},
    {path = "/TeamPass/"}
  },
  -- Requires have_openssl and the aes-256-ecb / aes-256-ctr ciphers before
  -- looking at the response at all; without them the fingerprint never
  -- matches. The page itself must be a 200 that mentions TeamPass and
  -- references sources/main.queries.php inside matching quotes.
  target_check = function (host, port, path, response)
    return have_openssl
           and tableaux.contains(openssl.supported_ciphers(), "aes-256-ecb")
           and tableaux.contains(openssl.supported_ciphers(), "aes-256-ctr")
           and response.status == 200
           and response.body
           and response.body:find("TeamPass", 1, true)
           and response.body:find("(['\"])sources/main%.queries%.php%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  -- Scrapes the login endpoint and the encryption passphrase out of the
  -- landing page's script, encrypts a JSON login request with it, and
  -- posts the result as an "identify_user" request. The attempt is
  -- accepted when the first element of the JSON reply carries back the
  -- random string that was sent.
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    -- URL string that precedes the {type: "identify_user"} request options.
    local lurl = resp1.body:match("['\"]([^'\"]+)['\"]%s*,%s*{%s*type%s*:%s*['\"]identify_user['\"]")
    -- Passphrase literal, taken from either an Aes.Ctr.encrypt(...) call or
    -- a prepareExchangedData(..., "encode", ...) call in the page.
    local aespwd = resp1.body:match("%Wreturn%s+Aes%.Ctr%.encrypt%s*%(%s*%w+%s*,%s*['\"](.-)['\"]%s*,%s*256%s*%)")
                   or resp1.body:match("['\"]identify_user['\"]%s*,%s*data%s*:%s*prepareExchangedData%(%s*%w+%s*,%s*['\"]encode['\"]%s*,%s*['\"](.-)['\"]")
    if not (lurl and aespwd) then return false end
    -- Pad the passphrase with NUL bytes up to 32 bytes.
    -- NOTE(review): a passphrase longer than 32 bytes is left unpadded and
    -- unshortened here - confirm how openssl.encrypt treats such a key.
    aespwd = aespwd .. ("\0"):rep(32-#aespwd)
    -- Key derivation: encrypt the padded passphrase with itself under
    -- AES-256-ECB, keep the first 16 bytes and repeat them to get 32 bytes.
    local aeskey = openssl.encrypt("aes-256-ecb", aespwd, nil, aespwd):sub(1, 16):rep(2)
    -- 8-byte nonce: little-endian 32-bit timestamp in seconds followed by
    -- one random byte repeated four times.
    local nonce = ("<I4"):pack(math.floor(stdnse.clock_ms() / 1000))
                  .. string.char(math.random(0, 255)):rep(4)
    -- Marker used below to recognise an accepted login in the reply.
    local randstr = random_alnum(10)
    local jin = {login=user,
                 pw=pass,
                 duree_session="60",
                 screenHeight=tostring(math.random(480, 1024)),
                 randomstring=randstr}
    json.make_object(jin)
    -- Ciphertext layout: base64(nonce .. AES-256-CTR(json)), with the
    -- nonce plus eight zero bytes used as the initial counter block.
    local ctext = base64.enc(nonce .. openssl.encrypt("aes-256-ctr", aeskey, nonce .. ("\0"):rep(8), json.generate(jin)))
    local resp2 = http_post_simple(host, port, url.absolute(path, lurl),
                                   {cookies = resp1.cookies},
                                   {type="identify_user",data=ctext})
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and jout[1] and jout[1].value == randstr
  end
})
-- CapeSoft TimeClock: recognizes the web front end by its title and the
-- employees.php link, then posts the listed account to employees.php.
table.insert(fingerprints, {
  name = "CapeSoft TimeClock",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("TimeClock", 1, true)
           and body:lower():find("<title>capesoft time clock web ", 1, true)
           and body:lower():find("%Whref%s*=%s*(['\"])employees%.php%1")
  end,
  login_combos = {
    {username = "9970", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local endpoint = url.absolute(path, "employees.php")
    local reply = http_post_simple(host, port, endpoint, nil,
                                   {login=user,password=pass,action="Login"})
    -- A page that offers an element of class "logout" means a session opened.
    local body = reply.body or ""
    return reply.status == 200
           and body:find("%sclass%s*=%s*(['\"]?)logout%1[%s>]")
  end
})
-- BeEF: recognizes the authentication page by its title and posts the listed
-- account to the "login" endpoint below it.
table.insert(fingerprints, {
  name = "BeEF",
  category = "web",
  paths = {
    {path = "/ui/authentication/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("BeEF", 1, true)
           and body:lower():find("<title>beef authentication</title>", 1, true)
  end,
  login_combos = {
    {username = "beef", password = "beef"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {["username-cfrm"]=user, ["password-cfrm"]=pass}
    local reply = http_post_simple(host, port, url.absolute(path, "login"), nil,
                                   form)
    -- The endpoint answers with a small object literal reporting success.
    local body = reply.body or ""
    return reply.status == 200
           and body:find("{%s*success%s*:%s*true%s*}")
  end
})
-- Greenbone Security Assistant: follows the redirect to the login page to
-- confirm the product, then posts the listed accounts to the "omp" endpoint.
table.insert(fingerprints, {
  name = "Greenbone Security Assistant",
  cpe = "cpe:/a:greenbone:greenbone_security_assistant",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- Scheme and authority are stripped from the redirect target, so the
    -- follow-up request goes to the same host and port.
    local target = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if response.status ~= 303 or not target:find("/login/login%.html$") then
      return false
    end
    local page = http_get_simple(host, port, target)
    local body = page.body
    return page.status == 200
           and body
           and body:find("Greenbone", 1, true)
           and body:lower():find("<title>greenbone security assistant</title>", 1, true)
           and get_tag(body, "form", {action="/omp$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "sadmin", password = "changeme"}
  },
  login_check = function (host, port, path, user, pass)
    local endpoint = url.absolute(path, "omp")
    local form = {cmd="login",
                  text=endpoint.."?r=1",
                  login=user,
                  password=pass}
    local reply = http_post_simple(host, port, endpoint, nil, form)
    -- A successful login redirects back to /omp with a token parameter.
    local target = reply.header["location"] or ""
    return reply.status == 303
           and target:find("/omp%?.*%f[^?&]token=")
  end
})
-- Sagitta Hashstack: follows the redirect to /login to confirm the product,
-- then submits the listed account as a JSON document.
table.insert(fingerprints, {
  name = "Sagitta Hashstack",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- Scheme and authority are stripped from the redirect target, so the
    -- follow-up request goes to the same host and port.
    local target = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if response.status ~= 302 or not target:find("/login$") then
      return false
    end
    local page = http_get_simple(host, port, target)
    local body = page.body
    return page.status == 200
           and body
           and body:find("hashstack", 1, true)
           and body:lower():find("<title>hashstack - login</title>", 1, true)
           and get_tag(body, "form", {class="^form%-signin$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local headers = {["Accept"]="application/json, text/plain, */*",
                     ["Content-Type"]="application/json"}
    local creds = {username=user, password=pass}
    json.make_object(creds)
    local reply = http_post_simple(host, port, url.absolute(path, "login"),
                                   {header=headers}, json.generate(creds))
    -- A non-empty "sid" cookie on a 200 reply means a session was issued.
    return reply.status == 200 and get_cookie(reply, "sid", ".")
  end
})
-- ZKSoftware WebServer: recognized by its Server header and the script
-- redirect to /csl/login; the listed account is posted to csl/check.
table.insert(fingerprints, {
  name = "ZKSoftware WebServer",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and response.header["server"] == "ZK Web Server"
           and body
           and body:find("%Wlocation%.href%s*=%s*(['\"])[^'\"]-/csl/login%1")
  end,
  login_combos = {
    {username = "administrator", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    -- The first request only collects cookies to present with the login.
    local first = http_get_simple(host, port, path)
    if first.status ~= 200 then return false end
    local reply = http_post_simple(host, port, url.absolute(path, "csl/check"),
                                   {cookies=first.cookies},
                                   {username=user, userpwd=pass})
    -- A frame pointing at /csl/menu is only served after a successful login.
    return reply.status == 200
           and get_tag(reply.body or "", "frame", {src="/csl/menu$"})
  end
})
-- ComfortableMexicanSofa: recognized by the /admin/ redirect into "sites/"
-- together with a signed-looking session cookie; the listed account is tried
-- with HTTP authentication on sites/new.
table.insert(fingerprints, {
  name = "ComfortableMexicanSofa",
  category = "web",
  paths = {
    {path = "/admin/"}
  },
  target_check = function (host, port, path, response)
    if response.status ~= 302 or not response.body then return false end
    local target = response.header["location"] or ""
    local _, last = target:find(url.absolute(path, "sites/"), 1, true)
    if not last then return false end
    -- Keep the remainder starting at the slash that ends ".../sites/".
    local rest = target:sub(last)
    if rest ~= "/new" and not rest:find("^/%d+/") then return false end
    -- Only the first cookie whose name ends in "_session" is examined; its
    -- value must end in "--" followed by hex digits.
    for _, cookie in ipairs(response.cookies or {}) do
      if cookie.name:find("_session$") then return cookie.value:find("%-%-%x+$") end
    end
    return false
  end,
  login_combos = {
    {username = "username", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "sites/new")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Hippo CMS: recognized by the login form's hidden field; the listed accounts
-- are posted to the form target scraped from the login page.
table.insert(fingerprints, {
  name = "Hippo CMS",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/cms/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("hippo-login", 1, true)
           and get_tag(body, "input", {name="^id2_hf_0$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "editor", password = "editor"},
    {username = "author", password = "author"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if page.status ~= 200 or not page.body then return false end
    -- Two page layouts are handled: a submit button whose onclick handler
    -- carries the target query, or a plain sign-in form with an action.
    local action
    local button = get_tag(page.body, "input", {name="^:submit$", onclick=""})
    if button then
      local query = button.onclick:match("=%s*wicketSubmitFormById%(['\"]id%d+['\"],%s*['\"](.-)['\"]")
      if not query then return false end
      action = xmldecode(query) .. "&random=" .. math.random()
    else
      local signin = get_tag(page.body, "form", {name="^signInForm$", action=""})
      if not signin then return false end
      action = signin.action
    end
    local form = {id2_hf_0="",
                  username=user,
                  password=pass,
                  locale="en",
                  [":submit"]="log in"}
    local reply = http_post_simple(host, port, url.absolute(path, action),
                                   {cookies=page.cookies}, form)
    -- Success is a redirect whose target ends with the probed path.
    local target = reply.header["location"] or ""
    return reply.status == 302
           and target:sub(-#path) == path
  end
})
---
--ROUTERS
---
-- Cisco IOS: recognized by the HTTP authentication realm; the listed accounts
-- are tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "Cisco IOS",
  cpe = "cpe:/o:cisco:ios",
  category = "routers",
  paths = {
    {path = "/"},
  },
  target_check = function (host, port, path, response)
    -- Underscores in the realm are treated as spaces before matching.
    local realm = http_auth_realm(response) or ""
    local normalized = realm:gsub("_"," ")
    return normalized:find("^level 15?%f[ ].* access$")
  end,
  login_combos = {
    {username = "", password = ""},
    {username = "cisco", password = "cisco"},
    {username = "Cisco", password = "Cisco"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Cisco Small Business 200: recognized by the reference to nikola_login.html
-- and the generic "switch" title; the listed account is posted to that page.
table.insert(fingerprints, {
  name = "Cisco Small Business 200",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("/nikola_login.html", 1, true)
           and body:lower():find("<title>switch</title>", 1, true)
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    -- The password travels base64-encoded in the pwd2 field.
    local form = {uname=user,
                  pwd2=base64.enc(pass),
                  language_selector="en-US",
                  err_flag=0,
                  err_msg="",
                  passpage="nikola_main2.html",
                  failpage="nikola_login.html",
                  submit_flag=0}
    local endpoint = url.absolute(path, "nikola_login.html")
    local reply = http_post_simple(host, port, endpoint, nil, form)
    -- A non-empty "SID" cookie on a 200 reply means a session was issued.
    return reply.status == 200 and get_cookie(reply, "SID", ".")
  end
})
-- Cisco Linksys: recognized by the HTTP authentication realm; the listed
-- accounts are tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "Cisco Linksys",
  cpe = "cpe:/h:linksys:*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- Three realm forms are accepted: "Linksys <model>", a WRT54GC model
    -- name, or the literal "NR041".
    local realm = http_auth_realm(response) or ""
    return realm:find("^Linksys %u[%u%d]+%s*$")
           or realm:find("^WRT54GC%w*$")
           or realm == "NR041"
  end,
  login_combos = {
    {username = "", password = "admin"},
    {username = "admin", password = "admin"},
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Cisco DPC3848VM: recognized by the redirect to Docsis_system.php; the listed
-- accounts are posted to check.php.
table.insert(fingerprints, {
  name = "Cisco DPC3848VM",
  cpe = "cpe:/h:cisco:dpc3848vm",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local target = response.header["location"]
    return response.status == 302
           and target == "Docsis_system.php"
  end,
  login_combos = {
    {username = "user", password = ""},
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username_login=user,
                  password_login=pass,
                  LanguageSelect="en",
                  login="Log In"}
    local reply = http_post_simple(host, port, url.absolute(path, "check.php"),
                                   nil, form)
    if reply.status ~= 200 or not reply.body then return false end
    -- The reply sets a script variable login_status; zero or below counts as
    -- success, and a missing value is read as 99, i.e. failure.
    local code = reply.body:match("%Wvar%s+login_status%s*=%s*(%-?%d+)")
    return tonumber(code or "99") <= 0
  end
})
-- Cisco EPC3925: recognized by the script redirect to Docsis_system.asp; the
-- listed account is posted to goform/Docsis_system.
table.insert(fingerprints, {
  name = "Cisco EPC3925",
  cpe = "cpe:/h:cisco:epc3925",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("Docsis", 1, true)
           and body:find("%Wwindow%.location%.href%s*=%s*(['\"])Docsis_system%.asp%1")
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username_login=user,
                  password_login=pass,
                  LanguageSelect="en",
                  Language_Submit="0",
                  login="Log In"}
    local endpoint = url.absolute(path, "goform/Docsis_system")
    local reply = http_post_simple(host, port, endpoint, nil, form)
    -- Success is a redirect to the quick setup page.
    local target = reply.header["location"] or ""
    return reply.status == 302
           and target:find("/Quick_setup%.asp$")
  end
})
-- Cisco Configuration Utility (var.1): recognized by the en_value() script
-- function and the keep_name input; the listed account is posted to login.cgi
-- with an MD5-hashed password.
table.insert(fingerprints, {
  name = "Cisco Configuration Utility (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("cisco", 1, true)
           and body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(body, "input", {name="^keep_name$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    -- Password encoding: append the two-digit password length, repeat the
    -- result until it fills 64 characters, then send the hex MD5 of that.
    local seed = ("%s%02d"):format(pass, #pass)
    local padded = seed:rep(math.ceil(64 / #seed)):sub(1, 64)
    local form = {submit_button="login",
                  keep_name=0,
                  enc=1,
                  user=user,
                  pwd=stdnse.tohex(openssl.md5(padded))}
    local reply = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                   nil, form)
    -- Success is a page that defines a session_key script variable.
    local body = reply.body or ""
    return reply.status == 200
           and body:find("%Wvar%s+session_key%s*=%s*(['\"])%x*%1%s*;")
  end
})
-- Cisco Configuration Utility (var.2): recognized by the en_value() script
-- function and the gui_action input; the listed account is posted to
-- login.cgi with an MD5-hashed password.
table.insert(fingerprints, {
  name = "Cisco Configuration Utility (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("cisco", 1, true)
           and body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(body, "input", {name="^gui_action$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    -- Password encoding: append the two-digit password length, repeat the
    -- result until it fills 64 characters, then send the hex MD5 of that.
    local seed = ("%s%02d"):format(pass, #pass)
    local padded = seed:rep(math.ceil(64 / #seed)):sub(1, 64)
    local form = {submit_button="login",
                  submit_type="",
                  gui_action="",
                  wait_time=0,
                  change_action="",
                  enc=1,
                  user=user,
                  pwd=stdnse.tohex(openssl.md5(padded)),
                  sel_lang="EN"}
    local reply = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                   nil, form)
    -- Success is a page carrying a session_key input with a hex value.
    return reply.status == 200
           and get_tag(reply.body or "", "input", {name="^session_key$", value="^%x+$"})
  end
})
-- Cisco Router Access: recognized by the nonce script variable, the
-- en_value() function and the gui_action input; the listed account is posted
-- to login.cgi with a nonce-bound MD5 digest.
table.insert(fingerprints, {
  name = "Cisco Router Access",
  category = "routers",
  paths = {
    {path = "/"}
  },
  -- OpenSSL is required because login_check computes MD5 digests.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("%Wvar%s+nonce%s*=%s*(['\"])%x+%1")
           and body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(body, "input", {name="^gui_action$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if page.status ~= 200 or not page.body then return false end
    local nonce = page.body:match("%Wvar%s+nonce%s*=%s*['\"](%x+)['\"]")
    if not nonce then return false end
    -- Inner digest: append the two-digit password length, repeat the result
    -- until it fills 64 characters, then take the hex MD5.
    local seed = ("%s%02d"):format(pass, #pass)
    local padded = seed:rep(math.ceil(64 / #seed)):sub(1, 64)
    local inner = stdnse.tohex(openssl.md5(padded))
    local wait_field = get_tag(page.body, "input", {name="^wait_time$"})
    -- Outer digest: hex MD5 of the inner digest followed by the page's nonce.
    local form = {submit_button="login",
                  change_action="",
                  gui_action="Apply",
                  wait_time=wait_field and wait_field.value or "",
                  submit_type="",
                  http_username=user,
                  http_passwd=stdnse.tohex(openssl.md5(inner .. nonce))}
    local reply = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                   nil, form)
    -- Success is a page that references a hex session_id.
    local body = reply.body or ""
    return reply.status == 200
           and body:find(";session_id=%x+%W")
  end
})
-- Cisco IronPort: recognized by the "glass" Server header, the redirect to
-- /login and the "sid" cookie; the listed account is posted to "login".
table.insert(fingerprints, {
  name = "Cisco IronPort",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    local target = response.header["location"] or ""
    return response.status == 303
           and server:find("^glass/%d+%.")
           and target:find("/login%f[?\0]")
           and get_cookie(response, "sid", "^%w+$")
  end,
  login_combos = {
    {username = "admin", password = "ironport"}
  },
  login_check = function (host, port, path, user, pass)
    -- The form carries a full referrer URL built for the "default" page.
    local refpath = url.absolute(path, "default")
    local form = {referrer=url.build(url_build_defaults(host, port, {path=refpath})),
                  screen="login",
                  username=user,
                  password=pass,
                  action="Login"}
    local reply = http_post_simple(host, port, url.absolute(path, "login"),
                                   nil, form)
    -- Either authentication cookie on the redirect indicates success.
    return reply.status == 303
           and (get_cookie(reply, "euq_authenticated", "^%w+$")
             or get_cookie(reply, "authenticated", "^%w+$"))
  end
})
-- Allied Telesis AR: recognized by the HTTP authentication realm; the listed
-- account is tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "Allied Telesis AR",
  cpe = "cpe:/h:alliedtelesyn:cable_dsl_router_at-ar*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- Any of three realm prefixes identifies the device family.
    local realm = http_auth_realm(response) or ""
    return realm:find("^Allied Telesis ")
           or realm:find("^Allied Telesyn ")
           or realm:find("^CentreCOM ")
  end,
  login_combos = {
    {username = "manager", password = "friend"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- HP ProCurve Switch: recognized by the eHTTP Server header and the page's
-- redirect or frame; blank credentials are tried with HTTP authentication on
-- the web access security page.
table.insert(fingerprints, {
  name = "HP ProCurve Switch",
  cpe = "cpe:/h:hp:procurve_switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local server = (response.header["server"] or ""):lower()
    local body = response.body
    return response.status == 200
           and server:find("^ehttp[/%s]")
           and body
           and body:find("ProCurve Switch", 1, true)
           and (body:find("%Wdocument%.location%s*=%s*(['\"])home%.html%1")
             or get_tag(body, "frame", {src="^nctabs%.html$"}))
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "security/web_access.html")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Huawei USG: recognized by a SESSIONID cookie containing "&Huawei"; the
-- listed accounts are posted to default.html with that session cookie.
table.insert(fingerprints, {
  name = "Huawei USG",
  cpe = "cpe:/h:huawei:usg*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "SESSIONID", "&Huawei")
  end,
  login_combos = {
    {username = "admin", password = "Admin@123"},
    {username = "audit-admin", password = "Admin@123"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    -- Build the Cookie header from the first SESSIONID cookie. When the cookie
    -- was set without the HttpOnly flag, only the part before the first "&"
    -- is kept (nil if there is no "&", which aborts the check below).
    local session
    for _, ck in ipairs(page.cookies or {}) do
      if ck.name == "SESSIONID" then
        session = "SESSIONID=" .. ck.value
        if not ck.httponly then
          session = session:match("^(.-)&")
        end
        break
      end
    end
    if page.status ~= 200 or not session then return false end
    local form = {["spring-security-redirect"]="",
                  password=pass,
                  language="en",
                  lang="English",
                  username=user,
                  platcontent=""}
    -- The "dc" query parameter is the current clock value in milliseconds.
    local endpoint = url.absolute(path, "default.html?dc=" .. math.floor(stdnse.clock_ms()))
    local reply = http_post_simple(host, port, endpoint, {cookies=session}, form)
    local body = reply.body or ""
    return reply.status == 200
           and body:find("top.location.replace(localHref)", 1, true)
  end
})
-- Moxa AirWorks: recognized by the "Moxa AWK" login page; the listed account
-- is checked with a nonce-bound MD5 digest carried in a cookie.
table.insert(fingerprints, {
  name = "Moxa AirWorks",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa AWK", 1, true)
           and body:find("/webNonce%W")
           and get_tag(body, "form", {action="/home%.asp$"})
  end,
  login_combos = {
    {username = "admin", password = "root"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, url.absolute(path, "Login.asp"))
    if page.status ~= 200 or not page.body then return false end
    -- The name of the password cookie is scraped from the page's SetCookie()
    -- script function.
    local cookie_name = page.body:match("%Wfunction%s+SetCookie%W[^}]-theName%s*=%s*['\"](.-)[='\"]")
    if not cookie_name then return false end
    -- Step 2: request a nonce for this user; the reply body is the nonce.
    local query = {user=user, time=math.floor(stdnse.clock_ms())}
    local nonce_url = url.absolute(path, "webNonce?" .. url.build_query(query))
    local nonce_resp = http_get_simple(host, port, nonce_url,
                                       {cookies={{name=cookie_name, value=""}}})
    if nonce_resp.status ~= 200 or not nonce_resp.body then return false end
    -- Step 3: the hex MD5 of password plus nonce goes into the cookie while
    -- the Password form field stays empty.
    local digest = stdnse.tohex(openssl.md5(pass .. nonce_resp.body))
    local form = {Username=user,
                  Password="",
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local reply = http_post_simple(host, port, url.absolute(path, "home.asp"),
                                   {cookies={{name=cookie_name, value=digest}}},
                                   form)
    return reply.status == 200
           and get_tag(reply.body or "", "frame", {src="^main%.asp$"})
  end
})
-- Moxa EDR (var.1): login page whose script joins the user name with ":";
-- the password digest is carried in per-account "<name>:EDR" cookies.
table.insert(fingerprints, {
  name = "Moxa EDR (var.1)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa EDR", 1, true)
           and body:find(">iGenSel2%((['\"])Username%1")
           and body:find("%Wdocument%.getElementById%(%s*(['\"])Username%1%s*%)%.value%s*%+%s*(['\"]):%2")
  end,
  login_combos = {
    {username = "admin", password = ""},
    {username = "user", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- An empty password is hashed as the literal string "NULL".
    local secret = #pass > 0 and pass or "NULL"
    local digest = stdnse.tohex(openssl.md5(secret))
    -- Only the cookie matching the account under test receives the digest.
    local cookies = {{name="admin:EDR", value=(user=="admin" and digest or "")},
                     {name="user:EDR", value=(user=="user" and digest or "")}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local init = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form)
    if init.status ~= 200 then return false end
    -- The frameset at index.asp is fetched with the same cookies to confirm.
    local home = http_get_simple(host, port, url.absolute(path, "index.asp"),
                                 {cookies=cookies})
    return home.status == 200
           and get_tag(home.body or "", "frame", {src="^name%.asp$"})
  end
})
-- Moxa EDR (var.2): login page whose script reads the user name on its own;
-- the account is carried in NAME and PASSWORD cookies.
table.insert(fingerprints, {
  name = "Moxa EDR (var.2)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa EDR", 1, true)
           and body:find(">iGenSel2%((['\"])Username%1")
           and body:find("%Wdocument%.getElementById%(%s*(['\"])Username%1%s*%)%.value%s*;")
  end,
  login_combos = {
    {username = "admin", password = ""},
    {username = "user", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- Empty values are replaced by fixed placeholders in the cookies only.
    local name = #user > 0 and user or "unknown"
    local secret = #pass > 0 and pass or "NULL"
    local cookies = {{name="NAME", value=url.escape(name)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(secret))}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local init = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form)
    if init.status ~= 200 then return false end
    -- The frameset at home.asp is fetched with the same cookies to confirm.
    local home = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return home.status == 200
           and get_tag(home.body or "", "frame", {src="^name%.asp$"})
  end
})
-- Moxa EDR (var.3): login page that defines a numeric rndN nonce and does not
-- mention sysnotify_support; the password digest is bound to that nonce.
table.insert(fingerprints, {
  name = "Moxa EDR (var.3)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa EDR", 1, true)
           and body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and not body:find("sysnotify_support", 1, true)
           and body:find("%Wvar%s+rndN%s*=%s*%d+%s*;")
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user", password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    -- A fresh login page is fetched to obtain the current nonce.
    local page = http_get_simple(host, port, url.absolute(path, "Login.asp"))
    if page.status ~= 200 or not page.body then return false end
    local nonce = page.body:match("%Wvar%s+rndN%s*=%s*(%d+)%s*;")
    if not nonce then return false end
    local name = #user > 0 and user or "unknown"
    -- The PASSWORD cookie is the hex MD5 of the password followed by the nonce.
    local secret = pass .. nonce
    local cookies = {{name="NAME", value=url.escape(name)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(secret))}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local init = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form)
    if init.status ~= 200 then return false end
    -- The frameset at home.asp is fetched with the same cookies to confirm.
    local home = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return home.status == 200
           and get_tag(home.body or "", "frame", {src="^name%.asp$"})
  end
})
-- Moxa EDR (var.4): login page with neither an rndN nonce nor a mention of
-- sysnotify_support; the account is carried in NAME and PASSWORD cookies.
table.insert(fingerprints, {
  name = "Moxa EDR (var.4)",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa EDR", 1, true)
           and body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and not body:find("sysnotify_support", 1, true)
           and not body:find("%Wvar%s+rndN%s*=%s*%d+%s*;")
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user", password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    -- Empty values are replaced by fixed placeholders in the cookies only.
    local name = #user > 0 and user or "unknown"
    local secret = #pass > 0 and pass or "NULL"
    local cookies = {{name="NAME", value=url.escape(name)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(secret))}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local init = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form)
    if init.status ~= 200 then return false end
    -- The frameset at home.asp is fetched with the same cookies to confirm.
    local home = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return home.status == 200
           and get_tag(home.body or "", "frame", {src="^name%.asp$"})
  end
})
-- Moxa EDR (var.5): login page that mentions sysnotify_support; the request
-- carries the cookie set that this page variant uses.
table.insert(fingerprints, {
  name = "Moxa EDR (var.5)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("Moxa EDR", 1, true)
           and body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and body:find("sysnotify_support", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user", password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    -- Empty values are replaced by fixed placeholders in the cookies only.
    local name = #user > 0 and user or "unknown"
    local secret = #pass > 0 and pass or "NULL"
    -- lasttime is the current clock value; sessionID is a random number.
    local cookies = {{name="sysnotify_support", value="yes"},
                     {name="sysnotify_loginStatus", value="initial"},
                     {name="lasttime", value=tostring(math.floor(stdnse.clock_ms()))},
                     {name="sessionID", value=tostring(math.random(1000000000, 4294967295))},
                     {name="NAME", value=url.escape(name)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(secret))},
                     {name="AUTHORITY", value=""}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local reply = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                   {cookies=cookies}, form)
    -- Success is a page whose onLoad handler calls SetAuthorityCookie().
    local body = reply.body or ""
    return reply.status == 200
           and body:find("%sonLoad%s*=%s*['\"]SetAuthorityCookie%(")
  end
})
-- Ovislink AirLive (basic auth): recognized by the HTTP authentication realm;
-- the listed accounts are tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "Ovislink AirLive (basic auth)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- The realm either starts with "AirLive " or ends in one of two
    -- "name/airlive" pairs.
    local realm = http_auth_realm(response) or ""
    return realm:find("^AirLive ")
           or realm:find("%f[%w]admin/airlive$")
           or realm:find("%f[%w]airlive/airlive$")
  end,
  login_combos = {
    {username = "admin", password = "airlive"},
    {username = "airlive", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Ovislink AirLive AP: recognized by the page title and a link to a status
-- page; the login form takes a password only.
table.insert(fingerprints, {
  name = "Ovislink AirLive AP",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/index.asp"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("AirLive", 1, true)
           and body:lower():find("<title>airlive [%w-]+</title>")
           and body:lower():find("%shref%s*=%s*(['\"]?)sts_%w+%.asp%1[%s>]")
  end,
  login_combos = {
    {username = "", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    -- Only the password is submitted; the user name is not part of the form.
    local endpoint = url.absolute(path, "goform/asp_login")
    local reply = http_post_simple(host, port, endpoint, nil, {psw=pass})
    local target = reply.header["location"] or ""
    return reply.status == 302
           and target:find("/sts_%w+%.asp$")
  end
})
-- Ovislink AirLive WIAS (var.1): login form posting "username"/"password" to
-- check.shtml.
table.insert(fingerprints, {
  name = "Ovislink AirLive WIAS (var.1)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("WIAS", 1, true)
           and body:lower():find("<title>wias%-%d+%a</title>")
           and get_tag(body, "form", {action="^check%.shtml$"})
           and get_tag(body, "input", {name="^password$"})
  end,
  login_combos = {
    {username = "admin", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    local endpoint = url.absolute(path, "check.shtml")
    local reply = http_post_simple(host, port, endpoint, nil,
                                   {username=user,password=pass})
    -- Success is a redirect whose Location is exactly "home.shtml".
    return reply.status == 302
           and reply.header["location"] == "home.shtml"
  end
})
-- Ovislink AirLive WIAS (var.2): login form posting "adm_name"/"adm_pwd" to
-- check.shtml.
table.insert(fingerprints, {
  name = "Ovislink AirLive WIAS (var.2)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("AirLive", 1, true)
           and body:lower():find("<title>airlive wias%-%d+%a</title>")
           and get_tag(body, "form", {action="^check%.shtml$"})
           and get_tag(body, "input", {name="^adm_pwd$"})
  end,
  login_combos = {
    {username = "admin", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    local endpoint = url.absolute(path, "check.shtml")
    local reply = http_post_simple(host, port, endpoint, nil,
                                   {adm_name=user,adm_pwd=pass})
    -- Success is a redirect whose Location is exactly "home.shtml".
    return reply.status == 302
           and reply.header["location"] == "home.shtml"
  end
})
-- AirTies router: recognized by the refresh to the JavaScript check page; the
-- listed account is posted to cgi-bin/login.
table.insert(fingerprints, {
  name = "AirTies router",
  cpe = "cpe:/h:airties:air_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and get_refresh_url(body, "/js/%.js_check%.html$")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {redirect="",
                  self="",
                  user=user,
                  password=pass,
                  gonder="OK"}
    local endpoint = url.absolute(path, "cgi-bin/login")
    local reply = http_post_simple(host, port, endpoint, nil, form)
    -- Success needs both a hex session cookie and a refresh to main.html.
    return reply.status == 200
           and get_cookie(reply, "AIRTIESSESSION", "^%x+$")
           and get_refresh_url(reply.body or "", "/main%.html$")
  end
})
-- Arris Touchstone: recognized by the "sta_wifi" marker and the form posting
-- to check.php; the listed account is posted to that script.
table.insert(fingerprints, {
  name = "Arris Touchstone",
  cpe = "cpe:/a:arris:touchstone_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
           and body
           and body:find("sta_wifi", 1, true)
           and get_tag(body, "form", {action="^check%.php$"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local reply = http_post_simple(host, port, url.absolute(path, "check.php"),
                                   nil, {username=user,password=pass})
    -- Success needs a session cookie and a script redirect to the page named
    -- admin_password_change.php.
    local body = reply.body or ""
    return reply.status == 200
           and get_cookie(reply, "PHPSESSID", "^%w+$")
           and body:find("%Wlocation%.href%s*=%s*(['\"])admin_password_change%.php%1")
  end
})
-- ASUS TM router: recognized by a "TM-<model>" HTTP authentication realm; the
-- listed account is tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "ASUS TM router",
  cpe = "cpe:/h:asus:tm-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^TM%-%u[%u%d]+$")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- ASUS router: recognized by an HTTP authentication realm of the form
-- "<family>-<model>" for a fixed list of families; the listed account is
-- tried with HTTP authentication on the same path.
table.insert(fingerprints, {
  name = "ASUS router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    if not realm then return false end
    -- The part before the dash must be one of the known family prefixes.
    local family = realm:match("^(%u+)%-%u[%u%d]+$")
    for known in ("DSL,EA,RP,RT,TM"):gmatch("%u+") do
      if known == family then return true end
    end
    return false
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- ASUS RX3041: recognized by an HTTP authentication realm starting with
-- "RX3041"; the listed account is tried with HTTP authentication.
table.insert(fingerprints, {
  name = "ASUS RX3041",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- Leading spaces are allowed; the model name must end at a space or at
    -- the end of the realm.
    local realm = http_auth_realm(response) or ""
    return realm:find("^ *RX3041%f[ \0]")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Belkin G Wireless Router: recognized by references to setup_top.htm and
-- status.stm; the login form takes an MD5-hashed password only.
table.insert(fingerprints, {
  name = "Belkin G Wireless Router",
  cpe = "cpe:/h:belkin:f5d7234-4",
  category = "routers",
  paths = {
    {path = "/"}
  },
  -- OpenSSL is required because login_check computes an MD5 digest.
  target_check = function (host, port, path, response)
    local body = response.body
    return have_openssl
           and response.status == 200
           and body
           and body:find("setup_top.htm", 1, true)
           and body:find("status.stm", 1, true)
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- The form carries the clock value in seconds and the hex MD5 of the
    -- password; no user name is sent.
    local endpoint = url.absolute(path, "cgi-bin/login.exe")
    local reply = http_post_simple(host, port, endpoint, nil,
                                   {totalMSec = stdnse.clock_ms()/1000,
                                    pws = stdnse.tohex(openssl.md5(pass))})
    local target = reply.header["location"] or ""
    return reply.status == 302
           and target:find("/index%.htm$")
  end
})
-- Belkin/Arris 2307: page mentions "isAPmode" and carries a meta description
-- ending in " 2307". The password is posted base64-encoded to login.cgi.
table.insert(fingerprints, {
  name = "Belkin/Arris 2307",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("isAPmode", 1, true)
      and get_tag(body, "meta", {name="^description$", content="^%w+ 2307$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- base64 is an encoding, not protection: the password is effectively
    -- sent in the clear. The user name is not part of the form.
    local form = {page="",
                  logout="",
                  action="submit",
                  pws=base64.enc(pass),
                  itsbutton1="Submit",
                  h_language="en",
                  is_parent_window="1"}
    local login_url = url.absolute(path, "login.cgi")
    local resp = http_post_simple(host, port, login_url, nil, form)
    -- Success is inferred from a 200 page that references index.html.
    return resp.status == 200
      and (resp.body or ""):find("index.html", 1, true)
  end
})
-- D-Link DIR router, variant 1: Server header contains " DIR-<digits>", the
-- page calls AUTH.Login( and presets the loginusr field to an empty string.
table.insert(fingerprints, {
  name = "D-Link DIR router (var.1)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and (response.header["server"] or ""):find(" DIR%-%d+")
      and body
      and body:find("AUTH.Login(", 1, true)
      and body:find('%WOBJ%("loginusr"%)%.value%s*=%s*""')
      and body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- ACTION=login_plaintext: credentials are posted unmodified.
    local form = {REPORT_METHOD="xml",
                  ACTION="login_plaintext",
                  USER=user,
                  PASSWD=pass,
                  CAPTCHA=""}
    local session_url = url.absolute(path, "session.cgi")
    -- The request carries a freshly generated random "uid" cookie.
    local opts = {cookies="uid="..random_alnum(10)}
    local resp = http_post_simple(host, port, session_url, opts, form)
    return resp.status == 200
      and (resp.body or ""):find("<RESULT>SUCCESS</RESULT>", 1, true)
  end
})
-- D-Link DIR router, variant 2: same markers as variant 1, except that the
-- page assigns the loginusr field from a "username" variable.
table.insert(fingerprints, {
  name = "D-Link DIR router (var.2)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and (response.header["server"] or ""):find(" DIR%-%d+")
      and body
      and body:find("AUTH.Login(", 1, true)
      and body:find('%WOBJ%("loginusr"%)%.value%s*=%s*username%W')
      and body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "Admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- ACTION=login_plaintext: credentials are posted unmodified.
    local form = {REPORT_METHOD="xml",
                  ACTION="login_plaintext",
                  USER=user,
                  PASSWD=pass,
                  CAPTCHA=""}
    local session_url = url.absolute(path, "session.cgi")
    -- The request carries a freshly generated random "uid" cookie.
    local opts = {cookies="uid="..random_alnum(10)}
    local resp = http_post_simple(host, port, session_url, opts, form)
    return resp.status == 200
      and (resp.body or ""):find("<RESULT>SUCCESS</RESULT>", 1, true)
  end
})
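-- D-Link DIR router, variant 3: the page calls AUTH.Login_Hash(, i.e. the
-- login is a challenge-response exchange. Requires OpenSSL for HMAC-MD5.
table.insert(fingerprints, {
  name = "D-Link DIR router (var.3)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find(" DIR%-%d+")
           and response.body
           and response.body:find("AUTH.Login_Hash(", 1, true)
           and response.body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "Admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local url2 = url.absolute(path, "authentication.cgi")
    -- Step 1: fetch a JSON document carrying a session uid and a challenge.
    local url1 = url2 .. "?captcha=&dummy=" .. math.floor(stdnse.clock_ms())
    local resp1 = http_get_simple(host, port, url1)
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    -- The body comes from the scanned device: a valid but non-object JSON
    -- value (number, boolean) would raise an error when indexed, so it is
    -- rejected here instead.
    if not (jstatus and type(jout) == "table"
            and jout.uid and jout.challenge) then
      return false
    end
    -- Step 2: answer with HMAC-MD5 keyed by the password over
    -- user .. challenge, upper-cased hex, bound to the uid cookie.
    local auth = stdnse.tohex(openssl.hmac("MD5", pass, user .. jout.challenge))
    local resp2 = http_post_simple(host, port, url2,
                                  {cookies = "uid=" .. jout.uid},
                                  {id=user, password=auth:upper()})
    if not (resp2.status == 200 and resp2.body) then return false end
    jstatus, jout = json.parse(resp2.body)
    return jstatus and type(jout) == "table" and jout.status == "ok"
  end
})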
-- D-Link DIR-620: page title is "DIR-620" and the login form posts to
-- index.cgi. Credentials travel in cookies rather than in the form body.
table.insert(fingerprints, {
  name = "D-Link DIR-620",
  cpe = "cpe:/h:d-link:dir-620",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("DIR-620", 1, true)
      and body:lower():find("<title>dir-620</title>", 1, true)
      and get_tag(body, "form", {action="^index%.cgi$"})
  end,
  login_combos = {
    {username = "admin", password = "anonymous"}
  },
  login_check = function (host, port, path, user, pass)
    -- client_login / client_password cookies carry the credentials as-is.
    local cookies = {{name="user_ip", value="127.0.0.1"},
                     {name="cookie_lang", value="rus"},
                     {name="client_login", value=user},
                     {name="client_password", value=pass}}
    local form = {v2="y",rs_type="html",auth="auth"}
    local resp = http_post_simple(host, port, url.absolute(path, "index.cgi"),
                                 {cookies=cookies}, form)
    -- Success: the response shows an element with id v_firmware_value whose
    -- content starts with a digit.
    return resp.status == 200
      and (resp.body or ""):find("%sid%s*=%s*(['\"])v_firmware_value%1%s*>%d")
  end
})
-- D-Link DIR router using HTTP authentication: the realm contains
-- "DIR-" plus three digits, delimited by frontier patterns on both sides.
table.insert(fingerprints, {
  name = "D-Link DIR router (basic auth)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("%f[%w]DIR%-%d%d%d%f[%u\0]")
  end,
  -- Two credential pairs are tried for this device family.
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- D-Link DSL router (form login): served by mini_httpd and redirecting in
-- JavaScript to /cgi-bin/webproc.
table.insert(fingerprints, {
  name = "D-Link DSL router",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
      and body
      and body:find("%Wwindow%.location%.href%s*=%s*(['\"])[^'\"]-/cgi%-bin/webproc%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "password"},
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "cgi-bin/webproc")
    -- A preliminary GET yields the cookies, including the "sessionid"
    -- value that must be echoed back inside the login form.
    local pre = http_get_simple(host, port, lurl)
    if pre.status ~= 200 then return false end
    local form = {getpage="html/index.html",
                  errorpage="html/main.html",
                  ["var:menu"]="setup",
                  ["var:page"]="wizard",
                  ["obj-action"]="auth",
                  [":username"]=user,
                  [":password"]=pass,
                  [":action"]="login",
                  [":sessionid"]=get_cookie(pre, "sessionid")}
    local post = http_post_simple(host, port, lurl, {cookies=pre.cookies}, form)
    -- Success: redirect back to the requested index page.
    return post.status == 302
      and (post.header["location"] or ""):find("/cgi-bin/webproc?getpage=html/index.html&", 1, true)
  end
})
-- D-Link DSL router using HTTP authentication: realm starts with
-- "DSL-" + 3 or 4 digits + one of B, R, U, then "_" or end of string.
table.insert(fingerprints, {
  name = "D-Link DSL router (basic auth)",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^DSL%-%d%d%d%d?[BRU]%f[_\0]")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "support", password = "support"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- D-Link DSL "T" series using HTTP authentication: realm ends with
-- "DSL-" + 3 or 4 digits + "T", at the start or after a space.
table.insert(fingerprints, {
  name = "D-Link DSL T router (basic auth)",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("%f[^ \0]DSL%-%d%d%d%d?T$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user", password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- TP-Link with standard HTTP authentication: a 401 response whose realm
-- starts with "TP-LINK".
table.insert(fingerprints, {
  name = "TP-Link (basic auth)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    -- The 401 status separates this variant from the cookie-based ones,
    -- which answer 200 while still advertising the realm.
    local realm = http_auth_realm(response) or ""
    return response.status == 401
      and realm:find("^TP%-LINK")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- TP-Link, cookie login with hashed password: the page answers 200, shows a
-- "TP-LINK" realm and its script computes password = hex_md5(...).
-- Requires OpenSSL for the MD5 digest.
table.insert(fingerprints, {
  name = "TP-Link (MD5 cookie)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    return have_openssl
      and response.status == 200
      and (http_auth_realm(response) or ""):find("^TP%-LINK")
      and response.body
      and response.body:find("%spassword%s*=%s*hex_md5")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    -- Cookie value is "Basic " .. base64(user:md5hex(password)), URL-escaped.
    -- The digest is unsalted, so it is equivalent to the password for login.
    local digest = stdnse.tohex(openssl.md5(pass))
    local auth = base64.enc(user .. ":" .. digest)
    local cookie = "Authorization=" .. url.escape("Basic " .. auth)
    local login_url = url.absolute(path, "userRpm/LoginRpm.htm?Save=Save")
    local resp = http_get_simple(host, port, login_url, {cookies=cookie})
    -- Success: the reply redirects the parent frame to /userRpm/Index.htm.
    return resp.status == 200
      and (resp.body or ""):find(">window%.parent%.location%.href%s*=%s*(['\"])[^'\"]-/userRpm/Index%.htm%1")
  end
})
-- TP-Link, cookie login with plain password: same markers as the MD5 cookie
-- variant, but the page does NOT contain the hex_md5 assignment.
table.insert(fingerprints, {
  name = "TP-Link (plain cookie)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and (http_auth_realm(response) or ""):find("^TP%-LINK")
      and body
      and not body:find("%spassword%s*=%s*hex_md5")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    -- Cookie value is "Basic " .. base64(user:password), URL-escaped.
    local token = base64.enc(user .. ":" .. pass)
    local cookie = "Authorization=" .. url.escape("Basic " .. token)
    local resp = http_get_simple(host, port, path, {cookies=cookie})
    -- Success: the page offers a logout link, i.e. a session is active.
    return resp.status == 200
      and (resp.body or ""):find("%shref%s*=%s*(['\"])[^'\"]-/userRpm/LogoutRpm%.htm%1")
  end
})
-- Comtrend NexusLink-5631: matched on the exact auth realm "DSL Router".
-- NOTE(review): the realm string is generic, so other devices may match too.
table.insert(fingerprints, {
  name = "Comtrend NexusLink-5631",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "DSL Router"
  end,
  login_combos = {
    {username = "apuser", password = "apuser"},
    {username = "root", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- iBall Baton: auth realm starts with "iBall Baton ".
table.insert(fingerprints, {
  name = "iBall Baton",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^iBall Baton ")
  end,
  -- Three account/password pairs are tried in turn.
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "support", password = "support"},
    {username = "user", password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Link-Net LW/LWH router: "/" redirects to home.asp, which must carry the
-- LINK-NET vendor markers. Authentication is probed on internet/wan.asp.
table.insert(fingerprints, {
  name = "Link-Net LW/LWH router",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local redirected = response.status == 302
      and (response.header["location"] or ""):find("/home%.asp$")
    if not redirected then
      return false
    end
    -- The redirect target is fetched to inspect the actual landing page.
    local home = http_get_simple(host, port, url.absolute(path, "home.asp"))
    local body = home.body
    return home.status == 200
      and body
      and body:find("LINK-NET", 1, true)
      and body:find("%svendor%s*=%s*(['\"])LINK%-NET%1")
      and body:lower():find("[%s>]wireless router</title>")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "internet/wan.asp")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Planex Broad Lanner: frameset page naming Planex Communications, with a
-- matching meta content tag and a top.htm frame. Authentication is probed
-- on top.htm with an empty user name.
table.insert(fingerprints, {
  name = "Planex Broad Lanner",
  cpe = "cpe:/h:planex:brl-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("Planex Communications", 1, true)
      and get_tag(body, "meta", {content="^B%a%a%-04FM%a HTML"})
      and get_tag(body, "frame", {src="^top%.htm$"})
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "top.htm")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- TrendChip ADSL Modem: realm "ADSL Modem", Boa web server, and a
-- hexadecimal SESSIONID cookie on the first response.
table.insert(fingerprints, {
  name = "TrendChip ADSL Modem",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "ADSL Modem"
      and (response.header["server"] or ""):find("^Boa/%d+%.")
      and get_cookie(response, "SESSIONID", "^%x+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "1234"},
    -- The next two entries use 128-character strings, built by repeating a
    -- 10-character seed 13 times and truncating to 128.
    {username = ("qwertyuiop"):rep(13):sub(1, 128),
     password = ("1234567890"):rep(13):sub(1, 128)},
    {username = "user3",
     password = ("1234567890"):rep(13):sub(1, 128)},
  },
  login_check = function (host, port, path, user, pass)
    -- First request only collects the cookies; any HTTP status is accepted.
    local first = http_get_simple(host, port, path)
    if not first.status then return false end
    -- Second request presents the credentials together with those cookies.
    local opts = {auth = {username = user, password = pass},
                  cookies = first.cookies}
    local second = http_get_simple(host, port, path, opts)
    return second.status == 200
  end
})
-- Westell: "/" redirects to htmlV/PasswordChange.asp, which is also the
-- page used to probe authentication.
table.insert(fingerprints, {
  name = "Westell",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local location = response.header["location"] or ""
    return response.status == 302
      and location:find("/htmlV/PasswordChange%.asp$")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "htmlV/PasswordChange.asp")
    -- Unlike most entries here, the last try_http_auth argument is true.
    return try_http_auth(host, port, protected, user, pass, true)
  end
})
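-- Yamaha RT 10.x: the root page meta-refreshes to /user/index*.html, and
-- that page answers with an auth realm starting with "YAMAHA-RT ".
table.insert(fingerprints, {
  name = "Yamaha RT 10.x",
  -- Vendor component corrected from the misspelt "yahama" so the reported
  -- CPE names the same vendor as the fingerprint.
  cpe = "cpe:/o:yamaha:rt*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    -- NOTE(review): the "." before "html" is unescaped and matches any
    -- character if get_refresh_url treats this as a Lua pattern - confirm.
    local lurl = response.status == 200
                 and get_refresh_url(response.body or "", "/user/index[_%a]*.html$")
    if not lurl then return false end
    -- The realm is only visible on the refresh target, so fetch it.
    local resp = http_get_simple(host, port, lurl)
    return (http_auth_realm(resp) or ""):find("^YAMAHA%-RT ")
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- Re-resolve the refresh target, then probe authentication against it.
    local resp = http_get_simple(host, port, path)
    local lurl = resp.status == 200
                 and get_refresh_url(resp.body or "", "/user/index[_%a]*.html$")
    if not lurl then return false end
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})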
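-- Yamaha RT 11.x: the root path itself answers with an auth realm starting
-- with "YAMAHA-RT ".
table.insert(fingerprints, {
  name = "Yamaha RT 11.x",
  -- Vendor component corrected from the misspelt "yahama" so the reported
  -- CPE names the same vendor as the fingerprint.
  cpe = "cpe:/o:yamaha:rt*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^YAMAHA%-RT ")
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})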
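-- Yamaha SWX: login page at /login.html posting to goform/authenticate.json
-- with a hidden URL field pointing at the dashboard.
table.insert(fingerprints, {
  name = "Yamaha SWX",
  category = "routers",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Yamaha Corporation", 1, true)
           and get_tag(response.body, "form", {action="/goform/authenticate%.json$"})
           and get_tag(response.body, "input", {name="^URL$", value="/dashboard/index%.html$"})
  end,
  login_combos = {
    {username="", password=""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {URL=url.absolute(path, "/dashboard/index.html"),
                  USER=user,
                  PASS=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "goform/authenticate.json"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    -- The body comes from the scanned device: a valid but non-object JSON
    -- value (number, boolean) would raise an error when indexed, so it is
    -- treated as a failed login instead.
    return jstatus and type(jout) == "table" and jout.result == "SUCCESS"
  end
})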
-- Zoom ADSL X5: Nucleus web server answering "/" with a 301 redirect to
-- hag/pages/home.htm, which is then used to probe authentication.
table.insert(fingerprints, {
  name = "Zoom ADSL X5",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local headers = response.header
    return response.status == 301
      and (headers["server"] or ""):find("^Nucleus/%d+%.")
      and (headers["location"] or ""):find("/hag/pages/home%.htm$")
  end,
  login_combos = {
    {username = "admin", password = "zoomadsl"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "hag/pages/home.htm")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- ZTE F660: page mentions "ZTE" and is titled "F660". The login form needs
-- a numeric token that is scraped from the page's script.
table.insert(fingerprints, {
  name = "ZTE F660",
  cpe = "cpe:/h:zte:f660",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("ZTE", 1, true)
      and body:lower():find("<title>f660</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if not (page.status == 200 and page.body) then return false end
    -- Frm_Logintoken is assigned in inline JavaScript; without it the
    -- login form cannot be submitted.
    local ltoken = page.body:match("%WgetObj%(%s*['\"]Frm_Logintoken['\"]%s*%)%.value%s*=%s*['\"](%d+)['\"]%s*;")
    if not ltoken then return false end
    local form = {frashnum="",
                  action="login",
                  Frm_Logintoken=ltoken,
                  Username=user,
                  Password=pass}
    local reply = http_post_simple(host, port, path, {cookies=page.cookies}, form)
    -- Success: redirect to start.ghtml.
    return reply.status == 302
      and (reply.header["location"] or ""):find("/start%.ghtml$")
  end
})
-- ZTE ZXV10 I5xx: page mentions "ZTE" and has a form named "flogin" posting
-- to getpage.gch?pid=1001. The form needs a "submittime" value scraped from
-- the page's script.
table.insert(fingerprints, {
  name = "ZTE ZXV10 I5xx",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("ZTE", 1, true)
      and get_tag(body, "form", {name="^flogin$", action="^getpage%.gch%?pid=1001$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if not (page.status == 200 and page.body) then return false end
    -- submittime is set in inline JavaScript and must be echoed back.
    local stime = page.body:match("%Wdocument%.getElementById%(%s*['\"]submittime['\"]%s*%)%.value%s*=%s*['\"](%d+)['\"]%s*;")
    if not stime then return false end
    local form = {submenu=-1,
                  menuPos=-1,
                  nosubmenu=1,
                  nextpage="welcome.gch",
                  nextgch="",
                  nextjs="welcome.js",
                  title="Come In to Configuration",
                  path="Welcome",
                  submittime=stime,
                  tUsername=user,
                  tPassword=pass}
    local login_url = url.absolute(path, "getpage.gch?pid=1001")
    local reply = http_post_simple(host, port, login_url, nil, form)
    -- Success: the returned page title mentions "configuration".
    return reply.status == 200
      and (reply.body or ""):lower():find("<title>[^<]-configuration")
  end
})
-- ZTE ZXV10 W300: auth realm is exactly "ZXV10 W300".
table.insert(fingerprints, {
  name = "ZTE ZXV10 W300",
  cpe = "cpe:/o:zte:zxv10_w300_firmware",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^ZXV10 W300$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- 3Com OfficeConnect VPN Firewall: page mentions "3Com", redirects the top
-- document to default.htm and carries a "3cnumber" http-equiv meta tag.
-- Login is password-only.
table.insert(fingerprints, {
  name = "3Com OfficeConnect VPN Firewall",
  cpe = "cpe:/h:3com:3cr870-95",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("3Com", 1, true)
      and body:find("%Wtop%.document%.location%s*=%s*(['\"])[^'\"]-/default%.htm%1")
      and get_tag(body, "meta", {["http-equiv"]="^3cnumber$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local admin_url = url.absolute(path, "cgi-bin/admin?page=x")
    local form = {AdminPassword=pass,next=10,page="x"}
    local resp = http_post_simple(host, port, admin_url, nil, form)
    -- Success: the reply contains an input named "tk".
    return resp.status == 200
      and get_tag(resp.body or "", "input", {name="^tk$"})
  end
})
-- Corega: auth realm starts with "CG-<letters>BAR" or with "corega BAR ".
table.insert(fingerprints, {
  name = "Corega",
  cpe = "cpe:/o:corega:cg-*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    -- Two realm spellings are accepted for this product line.
    return realm:find("^CG%-%u*BAR")
      or realm:find("^corega BAR ")
  end,
  login_combos = {
    {username = "root", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Netgear ProSafe Firewall FVS318: Server header is exactly "Netgear" and
-- the page frames top.html, which is used to probe authentication.
table.insert(fingerprints, {
  name = "Netgear ProSafe Firewall FVS318",
  cpe = "cpe:/h:netgear:fvs318",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and response.header["server"] == "Netgear"
      and body
      and get_tag(body, "frame", {src="^top%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "top.html")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- Netgear Router (legacy): the auth realm is a five-character model code
-- matching R[PT][13]1[14].
table.insert(fingerprints, {
  name = "Netgear Router (legacy)",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^R[PT][13]1[14]$")
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Netgear Router: realm is "NETGEAR <model>", or exactly "Netgear" or
-- "FR114P".
table.insert(fingerprints, {
  name = "Netgear Router",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    -- Pattern form first, then the two literal realms.
    return realm:find("^NETGEAR %u+%d+[%w-]+%s*$")
      or realm == "Netgear"
      or realm == "FR114P"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- Netgear ProSafe Plus Switch: page references "loginTData" and its title
-- starts with "netgear ". Login is password-only via login.cgi.
table.insert(fingerprints, {
  name = "Netgear ProSafe Plus Switch",
  cpe = "cpe:/h:netgear:gs108*",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("loginTData", 1, true)
      and body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local login_url = url.absolute(path, "login.cgi")
    local resp = http_post_simple(host, port, login_url, nil, {password=pass})
    -- Success: a non-empty GS108SID session cookie is issued.
    return resp.status == 200 and get_cookie(resp, "GS108SID", ".")
  end
})
-- Netgear Smart Switch: login page focuses the "pwd" field, posts to a
-- /base/*_login.html action and has a title starting with "netgear ".
table.insert(fingerprints, {
  name = "Netgear Smart Switch",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("document.forms[0].pwd.focus();", 1, true)
      and body:lower():find("%saction%s*=%s*(['\"])[^'\"]-/base/%w+_login%.html%1")
      and body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if not (page.status == 200 and page.body) then return false end
    -- The form action differs between models, so it is read from the page.
    local lurl = page.body:match("['\"]([^'\"]-/base/%w+_login%.html)")
    if not lurl then return false end
    -- Field names are "login.x"/"login.y" for main_login pages and
    -- "login_button.x"/"login_button.y" otherwise.
    local button = lurl:find("main_login", 1, true) and "" or "_button"
    local form = {pwd=pass,
                  ["login" .. button .. ".x"]=0,
                  ["login" .. button .. ".y"]=0,
                  err_flag=0,
                  err_msg=""}
    local reply = http_post_simple(host, port, lurl, nil, form)
    -- Success: a non-empty SID session cookie is issued.
    return reply.status == 200 and get_cookie(reply, "SID", ".")
  end
})
-- Netgear Intelligent Edge: like the Smart Switch page, but the focused
-- field is "uname", i.e. the login takes a user name as well.
table.insert(fingerprints, {
  name = "Netgear Intelligent Edge",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("document.forms[0].uname.focus();", 1, true)
      and body:lower():find("%saction%s*=%s*(['\"])[^'\"]-/base/%w+_login%.html%1")
      and body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local page = http_get_simple(host, port, path)
    if not (page.status == 200 and page.body) then return false end
    -- The form action differs between models, so it is read from the page.
    local lurl = page.body:match("['\"]([^'\"]-/base/%w+_login%.html)")
    if not lurl then return false end
    local form = {uname=user,
                  pwd=pass,
                  ["login_button.x"]=0,
                  ["login_button.y"]=0,
                  err_flag=0,
                  err_msg="",
                  submt=""}
    local reply = http_post_simple(host, port, lurl, nil, form)
    -- Success: a non-empty SID session cookie is issued.
    return reply.status == 200 and get_cookie(reply, "SID", ".")
  end
})
-- Netgear Gigabit Enterprise Switch: page titled "netgear system login"
-- referencing /base/web_main.html, which is used to probe authentication.
table.insert(fingerprints, {
  name = "Netgear Gigabit Enterprise Switch",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("/base/web_main.html", 1, true)
      and body:lower():find("<title>netgear system login</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "base/web_main.html")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
-- PLANET Smart Gigabit Switch: welcome text plus a form posting to "pass".
-- Login is password-only; the check logs out again after a successful hit.
table.insert(fingerprints, {
  name = "PLANET Smart Gigabit Switch",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find(">Welcome to PLANET ", 1, true)
      and get_tag(body, "form", {action="/pass$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {password=pass,
                  x=0,
                  y=0}
    local resp = http_post_simple(host, port, url.absolute(path, "pass"),
                                 nil, form)
    -- Success: the reply frames planet.htm.
    local logged_in = resp.status == 200
      and get_tag(resp.body or "", "frame", {src="/planet%.htm$"})
    if not logged_in then
      return false
    end
    -- Presumably releases the session the login just created, so the check
    -- leaves no authenticated state behind on the device.
    http_get_simple(host, port, url.absolute(path, "logout?submit=Apply"))
    return true
  end
})
-- PLANET Managed Switch, variant 1: realm "Login" (or the misspelt
-- "Loging"), a Vitesse/WebServer Server header and the standard
-- "Authorization required" body text.
table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.1)",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    local realm = http_auth_realm(response) or ""
    local body = response.body
    return realm:find("^Loging?$")
      and (server == "Vitesse Web Server"
        or server == "WebServer")
      and body
      and body:find(">Authorization required to access this URL.<", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})
-- PLANET Managed Switch, variant 2: "/" redirects to default.html, whose
-- title recommends 1366x768 and whose form posts to goform/WebSetting.html.
table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.2)",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    -- Drop scheme and authority so the follow-up request stays on the
    -- host and port being scanned, whatever the Location header names.
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    local redirected = response.status == 302
      and loc:find("/default%.html$")
    if not redirected then
      return false
    end
    local landing = http_get_simple(host, port, loc)
    local body = landing.body
    return landing.status == 200
      and body
      and body:find("1366X768", 1, true)
      and body:lower():find("<title>switch web management (1366x768 is recommended)</title>", 1, true)
      and get_tag(body, "form", {action="/goform/WebSetting%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {name=user,
                  pwd=pass,
                  app="login"}
    local login_url = url.absolute(path, "goform/WebSetting.html")
    local resp = http_post_simple(host, port, login_url, nil, form)
    -- Success is signalled with status 203 and a frontboard.html frame.
    return resp.status == 203
      and resp.body
      and get_tag(resp.body, "frame", {src="/frontboard%.html$"})
  end
})
-- PLANET Managed Switch, variant 3: page titled "managed switch" framing
-- /cgi-bin/get.cgi?cmd=portlink&lg=<lang>; authentication is probed on the
-- English ("lg=en") form of that URL.
table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.3)",
  category = "routers",
  paths = {{path = "/"}},
  target_check = function (host, port, path, response)
    local body = response.body
    return response.status == 200
      and body
      and body:find("/cgi-bin/get.cgi?cmd=portlink&lg=", 1, true)
      and get_tag(body, "frame", {src="/cgi%-bin/get%.cgi%?cmd=portlink&lg=%w+$"})
      and body:lower():find("<title>managed switch</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local protected = url.absolute(path, "cgi-bin/get.cgi?cmd=portlink&lg=en")
    return try_http_auth(host, port, protected, user, pass, false)
  end
})
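-- PLANET Wireless Router: page names PLANET Technology, loads dataCenter.js
-- and declares auth_action "login". Login posts to postCenter.js and gets a
-- JSON-like reply.
table.insert(fingerprints, {
  name = "PLANET Wireless Router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("PLANET Technology", 1, true)
           and response.body:find("(['\"])dataCenter%.js%1")
           and response.body:find("%Wauth_action%s*:%s*(['\"])login%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    -- Whitespace in the password is replaced by "@" before base64 encoding.
    -- The extra parentheses keep only gsub's first result, so the
    -- substitution count is not passed on as a second argument.
    local form = {username=user,
                  password=base64.enc((pass:gsub("%s", "@"))),
                  getPage="index.html",
                  action="Apply",
                  auth_action="login",
                  mode="AUTH",
                  _flg=0}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "postCenter.js"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    -- The reply uses single quotes; they are swapped for double quotes so
    -- the JSON parser accepts it (again dropping gsub's count).
    local jstatus, jout = json.parse((resp.body:gsub("'", "\"")))
    -- The body comes from the scanned device: a valid but non-object JSON
    -- value (number, boolean) would raise an error when indexed.
    if not (jstatus and type(jout) == "table" and jout.result == "0") then
      return false
    end
    -- Follow-up GET of login.html after a successful login; presumably this
    -- returns the device to its login page - confirm against the device.
    http_get_simple(host, port, url.absolute(path, "login.html"))
    return true
  end
})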
table.insert(fingerprints, {
name = "Rubytech chassis",
category = "routers",
paths = {
{path = "/"}
},
target_check = function (host, port, path, response)
return response.status == 200
and response.body
and response.body:find("fake_server.html", 1, true)
and get_tag(response.body, "form", {action="^fake_server%.html$"})
and get_tag(response.body, "input", {name="^textpass$"})
end,
login_combos = {
{username = "admin", password = "admin"}
},
login_check = function (host, port, path, u
gitextract_f31pf8ur/
├── .github/
│ └── workflows/
│ ├── build-push-ghcr.yml
│ └── semgrep.yml
├── CHANGELOG.md
├── Dockerfile
├── Dockerfile.blackarch
├── LICENSE.md
├── README.md
├── bin/
│ ├── github-subdomains.py
│ ├── http-default-accounts-fingerprints-nndefaccts.lua
│ ├── nmap-bootstrap.xsl
│ ├── pyText2pdf.py
│ ├── report.py
│ ├── samrdump.py
│ ├── slack.sh
│ ├── waybackrobots.py
│ ├── waybackurls.py
│ ├── webscreenshot.js
│ ├── webscreenshot.py
│ └── zap-scan.py
├── conf/
│ ├── bug_bounty_full_brute
│ ├── bug_bounty_max_javascript_files
│ ├── bug_bounty_quick
│ ├── bug_bounty_quick_port_80_443_only
│ ├── deep_active_recon
│ ├── default
│ ├── fast_service_portscan
│ ├── super_stealth_mode
│ ├── super_stealth_mode_OSINT
│ ├── web_mode_all_plugins
│ ├── webpwn_only
│ ├── webpwn_only_metasploit_disabled
│ └── zap_only_webscan
├── docker-compose-blackarch.yml
├── docker-compose.yml
├── install.sh
├── loot/
│ └── README.md
├── modes/
│ ├── airstrike.sh
│ ├── bruteforce.sh
│ ├── discover.sh
│ ├── flyover.sh
│ ├── fullportonly.sh
│ ├── fullportscan.sh
│ ├── javascript-analysis.sh
│ ├── massportscan.sh
│ ├── massvulnscan.sh
│ ├── massweb.sh
│ ├── masswebscan.sh
│ ├── normal.sh
│ ├── normal_webporthttp.sh
│ ├── normal_webporthttps.sh
│ ├── nuke.sh
│ ├── osint.sh
│ ├── osint_stage_2.sh
│ ├── recon.sh
│ ├── sc0pe-active-webscan.sh
│ ├── sc0pe-network-scan.sh
│ ├── sc0pe-passive-webscan.sh
│ ├── sc0pe.sh
│ ├── static-grep-search.sh
│ ├── stealth.sh
│ ├── vulnscan.sh
│ ├── web.sh
│ ├── web_autopwn.sh
│ ├── webporthttp.sh
│ ├── webporthttps.sh
│ └── webscan.sh
├── pro/
│ └── notepad.html
├── sn1per.desktop
├── sniper
├── sniper.conf
├── templates/
│ ├── active/
│ │ ├── AWS_S3_Public_Bucket_Listing.sh
│ │ ├── ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh
│ │ ├── Apache_Solr_Scanner.sh
│ │ ├── Apache_Tomcat_Scanner.sh
│ │ ├── AvantFAX_LOGIN_Detected.sh
│ │ ├── CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh
│ │ ├── CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh
│ │ ├── CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh
│ │ ├── CVE-2019-11581_-_Jira_Template_Injection.sh
│ │ ├── CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh
│ │ ├── CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh
│ │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh
│ │ ├── CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh
│ │ ├── CVE-2019-17558_-_Apache_Solr_RCE.sh
│ │ ├── CVE-2019-19719_Tableau_Server_DOM_XSS.py
│ │ ├── CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh
│ │ ├── CVE-2019-19908_-_phpMyChat-Plus_XSS.sh
│ │ ├── CVE-2019-5418_-_Rail_File_Content_Disclosure.sh
│ │ ├── CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled
│ │ ├── CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh
│ │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh
│ │ ├── CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_1.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_2.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_3.sh
│ │ ├── CVE-2019-8451_Jira_SSRF_4.sh
│ │ ├── CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh
│ │ ├── CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh
│ │ ├── CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh
│ │ ├── CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh
│ │ ├── CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh
│ │ ├── CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh
│ │ ├── CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh
│ │ ├── CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh
│ │ ├── CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh
│ │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh
│ │ ├── CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh
│ │ ├── CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh
│ │ ├── CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh
│ │ ├── CVE-2020-15129_-_Open_Redirect_In_Traefik.sh
│ │ ├── CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh
│ │ ├── CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh
│ │ ├── CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh
│ │ ├── CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh
│ │ ├── CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh
│ │ ├── CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh
│ │ ├── CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh
│ │ ├── CVE-2020-25213_-_WP_File_Manager_File_Upload.sh
│ │ ├── CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh
│ │ ├── CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh
│ │ ├── CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh
│ │ ├── CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh
│ │ ├── CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_1.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_2.sh
│ │ ├── CVE-2020-5405_-_Spring_Directory_Traversal_3.sh
│ │ ├── CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh
│ │ ├── CVE-2020-5902_-_F5_BIG-IP_XSS.sh
│ │ ├── CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh
│ │ ├── CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh
│ │ ├── CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh
│ │ ├── CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh
│ │ ├── CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled
│ │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.py
│ │ ├── CVE-2020-8115_-_Revive_Adserver_XSS.sh
│ │ ├── CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh
│ │ ├── CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh
│ │ ├── CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh
│ │ ├── CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh
│ │ ├── CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh
│ │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh
│ │ ├── CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh
│ │ ├── CVE-2020-8512_-_IceWarp_WebMail_XSS.sh
│ │ ├── CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh
│ │ ├── CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh
│ │ ├── CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh
│ │ ├── CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh
│ │ ├── CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh
│ │ ├── CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh
│ │ ├── Cisco_VPN_Login_Scanner.sh
│ │ ├── Cisco_VPN_Scanner.sh
│ │ ├── Citrix-Access-Gateway_Detected.sh
│ │ ├── Citrix_VPN_Scanner.sh
│ │ ├── Citrix_VPN_Scanner_2.sh
│ │ ├── Clear-text_Communications_HTTP.sh
│ │ ├── Clickjacking.sh
│ │ ├── Common_Status_File_Scanner_1.sh
│ │ ├── Common_Status_File_Scanner_2.sh
│ │ ├── Common_Status_File_Scanner_3.sh
│ │ ├── Confluence_Scanner.sh
│ │ ├── Contact_Form_7_Wordpress_Plugin_Found_1.sh
│ │ ├── Contact_Form_7_Wordpress_Plugin_Found_2.sh
│ │ ├── Directory_Listing_Enabled.sh
│ │ ├── Drupal_Install_Found.sh
│ │ ├── Drupal_Scanner_1.sh
│ │ ├── Drupal_Scanner_2.sh
│ │ ├── Drupal_Scanner_3.sh
│ │ ├── Drupal_User_Login.sh
│ │ ├── Drupal_Version_Disclosure.sh
│ │ ├── F5_BIG-IP_Scanner.sh
│ │ ├── F5_BIG-IP_Scanner_2.sh
│ │ ├── Fortigate_Pulse_Connect_Secure_Scanner.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh
│ │ ├── Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh
│ │ ├── Frontpage_Service_Password_Disclosure.sh
│ │ ├── Git_Config_Detected.sh
│ │ ├── JK_Status_Manager.sh
│ │ ├── Jaspersoft_Detected.sh
│ │ ├── Jenkins_Scanner.sh
│ │ ├── Jetty_Version_Disclosure.sh
│ │ ├── Jira_Scanner_1.sh
│ │ ├── Jira_Scanner_2.sh
│ │ ├── Jira_Scanner_3.sh
│ │ ├── Jolokia_Version_Disclosure.sh
│ │ ├── Joomla_Scanner_1.sh
│ │ ├── Joomla_Scanner_2.sh
│ │ ├── Joomla_Version_Disclosure.sh
│ │ ├── Laraval_Environment_File_Found.sh
│ │ ├── MS_SQL_Reporting_Server_Scanner_1.sh
│ │ ├── MS_SQL_Reporting_Server_Scanner_2.sh
│ │ ├── Magento_2.3.0_SQL_Injection.sh
│ │ ├── Mailman_Version_Disclosure.sh
│ │ ├── MobileIron_Login_1.sh
│ │ ├── MobileIron_Login_2.sh
│ │ ├── MobileIron_Login_3.sh
│ │ ├── PHP_Composer_Disclosure.sh
│ │ ├── PHP_Info.sh
│ │ ├── Palo_Alto_GlobalProtect_PAN-OS_Portal_Scanner.sh
│ │ ├── PulseSecure_VPN_Detected.sh
│ │ ├── RabbitMQ_Management_Default_Credentials.sh
│ │ ├── RabbitMQ_Management_Interface_Detected.sh
│ │ ├── Robots.txt_Detected.sh
│ │ ├── SAP_NetWeaver_AS_JAVA_LM_Configuration_Wizard_Detection.sh
│ │ ├── SQLiteManager_Scanner_1.sh
│ │ ├── Sitemap.xml_Detected.sh
│ │ ├── SolarWinds_Orion_Default_Credentials_1.sh
│ │ ├── SolarWinds_Orion_Default_Credentials_2.sh
│ │ ├── SolarWinds_Orion_Panel.sh
│ │ ├── TeamQuest_Login_Found.sh
│ │ ├── Telerik_File_Upload_Web_UI.sh
│ │ ├── Tiki_Wiki_CMS_Groupware_Scanner.sh
│ │ ├── Unauthenticated_Jenkins_Dashboard_Detected.sh
│ │ ├── VMware_vCenter_Unauthenticated_Arbitrary_File_Read.sh
│ │ ├── Weak_Authentication_Scanner.sh
│ │ ├── WebLogic_Scanner.sh
│ │ ├── Web_Config_Detected.sh
│ │ ├── Weblogic_Application_Server_Detected.sh
│ │ ├── Wordpres_Scanner_1.sh
│ │ ├── Wordpres_Scanner_2.sh
│ │ ├── Wordpres_Scanner_3.sh
│ │ ├── Wordpress_WP-File-Manager_Version_Detected.sh
│ │ ├── XSS.py
│ │ ├── cPanel_Login_Found.sh
│ │ ├── cPanel_Login_Found_2.sh
│ │ └── phpMyAdmin_Scanner_1.sh
│ └── passive/
│ ├── network/
│ │ ├── CVE-2018-15473_-_OpenSSH_Username_Enumeration.sh
│ │ ├── Default_Credentials_BruteX.sh
│ │ ├── Default_Credentials_NMap.sh
│ │ ├── Interesting_Domain_Found.sh
│ │ ├── Lack_of_SPF_DNS_Record.sh
│ │ ├── Possible_Takeover_Detected.sh
│ │ ├── SMB_Info_Disclosure.sh
│ │ ├── SMBv1_Enabled.sh
│ │ ├── SSH_Version_Disclosure.sh
│ │ ├── Subjack_Takeover_Detected.sh
│ │ ├── Subover_Takeover_Detected.sh
│ │ └── recursive/
│ │ ├── Component_With_Known_Vulnerabilities_-_NMap.sh
│ │ └── Interesting_Ports_Found.sh
│ └── web/
│ ├── Autocomplete_Enabled.sh
│ ├── CORS_Policy_-_Allow-Credentials_Enabled.sh
│ ├── CORS_Policy_-_Allow-Origin_Wildcard.sh
│ ├── CSP_Not_Enforced.sh
│ ├── Clear-text_Communications_HTTP.sh
│ ├── Clickjacking.sh
│ ├── Drupal_Detected.sh
│ ├── Expired_SSL_Certificate.sh
│ ├── Fortinet_FortiGate_SSL_VPN_Panel_Passive_Detection.sh
│ ├── Insecure_Cookie_-_HTTPOnly_Not_Set.sh
│ ├── Insecure_Cookie_-_Secure_Not_Set.sh
│ ├── Insecure_SSL_TLS_Connection.sh
│ ├── Insecure_SSL_TLS_Connection_CN_Mismatch.sh
│ ├── Interesting_Title_Found.sh
│ ├── Server_Header_Disclosure.sh
│ ├── Strict_Tranposrt_Security_Not_Enforced.sh
│ ├── Trace_Method_Enabled.sh
│ ├── X-Powered-By_Header_Found.sh
│ └── recursive/
│ ├── Arachni_Vulnerability_Scan.disabled
│ ├── Arachni_Vulnerability_Scan_-_HTTP.sh
│ ├── Arachni_Vulnerability_Scan_-_HTTPS.sh
│ ├── Nikto_Vulnerability_Scan-HTTP.sh
│ ├── Nikto_Vulnerability_Scan-HTTPS.sh
│ ├── Nuclei_Vulnerability_Scan_-_HTTP.sh
│ ├── Nuclei_Vulnerability_Scan_-_HTTPS.sh
│ ├── OWASP_Zap_Scan_-_HTTP.sh
│ ├── OWASP_Zap_Scan_-_HTTPS.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTPS_1.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTPS_2.sh
│ ├── Wordpress_Vulnerability_Scan_-_HTTP_1.sh
│ └── Wordpress_Vulnerability_Scan_-_HTTP_2.sh
├── uninstall.sh
└── wordlists/
├── altdns.txt
├── domains-default.txt
├── domains-quick.txt
├── vhosts.txt
├── web-brute-common.txt
├── web-brute-exploits.txt
├── web-brute-full.txt
├── web-brute-stealth.txt
└── web-brute-vulnerabilities.txt
SYMBOL INDEX (36 symbols across 7 files)
FILE: bin/github-subdomains.py
function githubApiSearchCode (line 21) | def githubApiSearchCode( search, page ):
function getRawUrl (line 35) | def getRawUrl( result ):
function readCode (line 42) | def readCode( regexp, source, result ):
function doGetCode (line 61) | def doGetCode( url ):
FILE: bin/pyText2pdf.py
class PyText2Pdf (line 79) | class PyText2Pdf(object):
method __init__ (line 82) | def __init__(self):
method parse_args (line 135) | def parse_args(self):
method writestr (line 247) | def writestr(self, str):
method convert (line 265) | def convert(self):
method writeheader (line 305) | def writeheader(self):
method startpage (line 373) | def startpage(self):
method endpage (line 424) | def endpage(self, streamStart):
method writepages (line 444) | def writepages(self):
method writerest (line 545) | def writerest(self):
function main (line 594) | def main():
FILE: bin/samrdump.py
class ListUsersException (line 28) | class ListUsersException(Exception):
class SAMRDump (line 31) | class SAMRDump:
method __init__ (line 38) | def __init__(self, protocols = None,
method dump (line 56) | def dump(self, addr):
method __fetchList (line 101) | def __fetchList(self, rpctransport):
FILE: bin/waybackrobots.py
function robots (line 7) | def robots(host):
function getpaths (line 18) | def getpaths(snapshot):
FILE: bin/waybackurls.py
function waybackurls (line 6) | def waybackurls(host, with_subs):
FILE: bin/webscreenshot.js
function renderAndExit (line 90) | function renderAndExit() {
function noop (line 100) | function noop() {}
function main (line 105) | function main() {
FILE: bin/webscreenshot.py
function init_worker (line 111) | def init_worker():
function kill_em_all (line 117) | def kill_em_all(signal, frame):
function shell_exec (line 124) | def shell_exec(url, command, options):
function filter_bad_filename_chars (line 180) | def filter_bad_filename_chars(filename):
function extract_all_matched_named_groups (line 193) | def extract_all_matched_named_groups(regex, match):
function entry_format_validator (line 210) | def entry_format_validator(line):
function parse_targets (line 227) | def parse_targets(options, arguments):
function craft_cmd (line 301) | def craft_cmd(url_and_options):
function take_screenshot (line 367) | def take_screenshot(url_list, options):
function main (line 394) | def main():
Condensed preview — 291 files, each showing path, character count, and a content snippet.
[
{
"path": ".github/workflows/build-push-ghcr.yml",
"chars": 1388,
"preview": "name: Build and Push\n\non:\n push:\n branches:\n - main\n - development\n - feat*\n tags:\n - \"v*\"\n "
},
{
"path": ".github/workflows/semgrep.yml",
"chars": 498,
"preview": "on:\n workflow_dispatch: {}\n pull_request: {}\n push:\n branches:\n - main\n - master\n paths:\n - .github/wo"
},
{
"path": "CHANGELOG.md",
"chars": 38045,
"preview": "## CHANGELOG:\n* v9.2 - Added Tomba.io API integration via OSINT mode (Credit: @benemohamed)\n* v9.2 - Fixed issue with ga"
},
{
"path": "Dockerfile",
"chars": 1242,
"preview": "FROM docker.io/kalilinux/kali-rolling:latest\n\nLABEL org.label-schema.name='Sn1per - Kali Linux' \\\n org.label-schema.d"
},
{
"path": "Dockerfile.blackarch",
"chars": 185,
"preview": "FROM docker.io/blackarchlinux/blackarch:latest\n\n# Upgrade system\nRUN pacman -Syu --noconfirm\n\n# Install sn1per from offi"
},
{
"path": "LICENSE.md",
"chars": 3494,
"preview": "## LICENSE:\nSn1per Community Edition End User License Agreement (EULA)\n\nSn1perSecurity LLC grants you the right to downl"
},
{
"path": "README.md",
"chars": 12771,
"preview": "[](https://sn1p"
},
{
"path": "bin/github-subdomains.py",
"chars": 3832,
"preview": "#!/usr/bin/python3.5\n\n# I don't believe in license.\n# You can do whatever you want with this program.\n\nimport os\nimport "
},
{
"path": "bin/http-default-accounts-fingerprints-nndefaccts.lua",
"chars": 391637,
"preview": "--[[\nThis file is part of NNdefaccts, an alternate fingerprint dataset for\nNmap script http-default-accounts.\n\nNNdefacct"
},
{
"path": "bin/nmap-bootstrap.xsl",
"chars": 15473,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!--\nNmap Bootstrap XSL\nCreative Commons BY-SA\nAndreas Hontzia (@honze_net)\n-->\n<"
},
{
"path": "bin/pyText2pdf.py",
"chars": 20038,
"preview": "#! /usr/bin/env python\n\"\"\"\n pyText2Pdf - Python script to convert plain text files into Adobe\n Acrobat PDF files with su"
},
{
"path": "bin/report.py",
"chars": 101,
"preview": "import pdfkit\npdfkit.from_url('/usr/share/sniper/loot/workspace/hulu/sniper-report.html', 'out.pdf')\n"
},
{
"path": "bin/samrdump.py",
"chars": 7434,
"preview": "#!/usr/bin/python\n# Copyright (c) 2003-2015 CORE Security Technologies\n#\n# This software is provided under under a sligh"
},
{
"path": "bin/slack.sh",
"chars": 632,
"preview": "#!/bin/bash\n# Slack API Integration script for Sn1per\n# By @xer0dayz - https://sn1persecurity.com\n#\n\nsource /usr/share/s"
},
{
"path": "bin/waybackrobots.py",
"chars": 1399,
"preview": "import requests\nimport re\nimport sys\nfrom multiprocessing.dummy import Pool\n\n\ndef robots(host):\n r = requests.get(\n "
},
{
"path": "bin/waybackurls.py",
"chars": 963,
"preview": "import requests\nimport sys\nimport json\n\n\ndef waybackurls(host, with_subs):\n if with_subs:\n url = 'http://web.a"
},
{
"path": "bin/webscreenshot.js",
"chars": 4798,
"preview": "/***\r\n# This file is part of webscreenshot.\r\n#\r\n# Copyright (C) 2014, Thomas Debize <tdebize at mail.com>\r\n# All rights "
},
{
"path": "bin/webscreenshot.py",
"chars": 18719,
"preview": "#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n\n# This file is part of webscreenshot.\n#\n# Copyright (C) 2018, Thomas Deb"
},
{
"path": "bin/zap-scan.py",
"chars": 22611,
"preview": "#!/usr/bin/env python3\n\n'''\nThis script aims to be the most generic and the most explicit possible.\nIt works with OWASP "
},
{
"path": "conf/bug_bounty_full_brute",
"chars": 15888,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/bug_bounty_max_javascript_files",
"chars": 15889,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/bug_bounty_quick",
"chars": 15888,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/bug_bounty_quick_port_80_443_only",
"chars": 10940,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/deep_active_recon",
"chars": 15653,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/default",
"chars": 9754,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/fast_service_portscan",
"chars": 15935,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/super_stealth_mode",
"chars": 15827,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/super_stealth_mode_OSINT",
"chars": 15862,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/web_mode_all_plugins",
"chars": 15588,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/webpwn_only",
"chars": 15825,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/webpwn_only_metasploit_disabled",
"chars": 15523,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "conf/zap_only_webscan",
"chars": 15653,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "docker-compose-blackarch.yml",
"chars": 235,
"preview": "version: '3.9'\n\nx-logging: &default-logging\n options:\n max-size: \"40m\"\n max-file: \"10\"\n driver: json-file\n\nservi"
},
{
"path": "docker-compose.yml",
"chars": 227,
"preview": "version: '3.9'\n\nx-logging: &default-logging\n options:\n max-size: \"40m\"\n max-file: \"10\"\n driver: json-file\n\nservi"
},
{
"path": "install.sh",
"chars": 31521,
"preview": "#!/bin/bash\n# Cross-platform install script for Sn1per CE\n# Supports: Debian/Ubuntu, RHEL/CentOS/Fedora/Amazon Linux, Ar"
},
{
"path": "loot/README.md",
"chars": 113,
"preview": "# Sn1per - Automated Pentest Recon Scanner\n\n"
},
{
"path": "modes/airstrike.sh",
"chars": 4305,
"preview": "# AIRSTRIKE MODE #####################################################################################################\ni"
},
{
"path": "modes/bruteforce.sh",
"chars": 2406,
"preview": "if [[ \"$AUTO_BRUTE\" = \"1\" ]]; then\n echo \"sniper -t $TARGET -m $MODE --noreport $args\" >> $LOOT_DIR/scans/running_${TAR"
},
{
"path": "modes/discover.sh",
"chars": 6624,
"preview": "# DISCOVER MODE #####################################################################################################\nif"
},
{
"path": "modes/flyover.sh",
"chars": 12583,
"preview": "# FLYOVER MODE ######################################################################################################\nif"
},
{
"path": "modes/fullportonly.sh",
"chars": 7865,
"preview": "# FULLPORTONLY MODE\nif [[ \"$MODE\" = \"fullportonly\" ]]; then\n if [[ \"$REPORT\" = \"1\" ]]; then\n args=\"-t $TARGET\"\n i"
},
{
"path": "modes/fullportscan.sh",
"chars": 4575,
"preview": "if [[ \"$FULLNMAPSCAN\" = \"0\" ]]; then\n echo -e \"${OKGREEN}=============================================================="
},
{
"path": "modes/javascript-analysis.sh",
"chars": 5671,
"preview": " mkdir -p $LOOT_DIR/web/javascript/$TARGET 2> /dev/null\n cd $LOOT_DIR/web/javascript/$TARGET\n echo -e \"${"
},
{
"path": "modes/massportscan.sh",
"chars": 3857,
"preview": "# MASSWEB MODE #####################################################################################################\nif "
},
{
"path": "modes/massvulnscan.sh",
"chars": 4018,
"preview": "# MASSWEB MODE #####################################################################################################\nif "
},
{
"path": "modes/massweb.sh",
"chars": 3900,
"preview": "# MASSWEB MODE #####################################################################################################\nif "
},
{
"path": "modes/masswebscan.sh",
"chars": 2443,
"preview": "# MASSWEB MODE #####################################################################################################\nif "
},
{
"path": "modes/normal.sh",
"chars": 95984,
"preview": "# NORMAL SCAN #####################################################################################################\nif ["
},
{
"path": "modes/normal_webporthttp.sh",
"chars": 17576,
"preview": "wpif [[ \"$MODE\" = \"web\" ]]; then\n echo \"sniper -t $TARGET -m $MODE --noreport $args\" >> $LOOT_DIR/scans/running_${TARGE"
},
{
"path": "modes/normal_webporthttps.sh",
"chars": 17463,
"preview": "if [[ \"$MODE\" = \"web\" ]]; then\n echo \"sniper -t $TARGET -m $MODE --noreport $args\" >> $LOOT_DIR/scans/running_${TARGET}"
},
{
"path": "modes/nuke.sh",
"chars": 2527,
"preview": "# NUKE MODE #####################################################################################################\nif [[ "
},
{
"path": "modes/osint.sh",
"chars": 11328,
"preview": "if [[ \"$OSINT\" = \"1\" ]]; then\n\techo \"[sn1persecurity.com] •?((¯°·._.• Started Sn1per OSINT scan: $TARGET [$MODE] (`date "
},
{
"path": "modes/osint_stage_2.sh",
"chars": 2145,
"preview": " if [[ $SCAN_TYPE == \"DOMAIN\" ]] && [[ $OSINT == \"1\" ]]; then\n echo \"[sn1persecurity.com] •?((¯°·._.• Started Sn1per"
},
{
"path": "modes/recon.sh",
"chars": 25336,
"preview": "if [[ \"$RECON\" = \"1\" ]]; then\n echo \"[sn1persecurity.com] •?((¯°·._.• Started Sn1per recon scan: $TARGET [recon] (`date"
},
{
"path": "modes/sc0pe-active-webscan.sh",
"chars": 2178,
"preview": " for file in `ls $INSTALL_DIR/templates/active/*.sh 2> /dev/null`; do\n source $file\n OUTPUT"
},
{
"path": "modes/sc0pe-network-scan.sh",
"chars": 2389,
"preview": " echo -e \"${OKGREEN}====================================================================================${RESET}•x$"
},
{
"path": "modes/sc0pe-passive-webscan.sh",
"chars": 4289,
"preview": " for file in `ls $INSTALL_DIR/templates/passive/web/*.sh 2> /dev/null`; do\n source $file\n "
},
{
"path": "modes/sc0pe.sh",
"chars": 4768,
"preview": " echo \"====================================================================================\" | tee $LOOT_DIR/vulner"
},
{
"path": "modes/static-grep-search.sh",
"chars": 6163,
"preview": "if [[ $STATIC_GREP_SEARCH == \"1\" ]]; then\n echo -e \"${OKGREEN}====================================================="
},
{
"path": "modes/stealth.sh",
"chars": 42807,
"preview": "# STEALTH MODE #####################################################################################################\nif "
},
{
"path": "modes/vulnscan.sh",
"chars": 8453,
"preview": "# FULLPORTONLY MODE\nif [[ \"$MODE\" = \"vulnscan\" ]]; then\n if [[ \"$REPORT\" = \"1\" ]]; then\n args=\"-t $TARGET\"\n if [["
},
{
"path": "modes/web.sh",
"chars": 1087,
"preview": "# WEB MODE #############################################################################################################"
},
{
"path": "modes/web_autopwn.sh",
"chars": 39529,
"preview": "\n if [[ \"$MSF_LEGACY_WEB_EXPLOITS\" == \"1\" ]]; then\n echo -e \"${OKGREEN}================================="
},
{
"path": "modes/webporthttp.sh",
"chars": 37155,
"preview": "# WEBPORTHTTP MODE #####################################################################################################"
},
{
"path": "modes/webporthttps.sh",
"chars": 38590,
"preview": "# WEBPORTHTTPS MODE ####################################################################################################"
},
{
"path": "modes/webscan.sh",
"chars": 10679,
"preview": "if [[ \"$MODE\" = \"webscan\" ]]; then\n\techo -e \"$OKRED ____ $RESET\"\n\techo -e \"$OKRED ______"
},
{
"path": "pro/notepad.html",
"chars": 2331,
"preview": "<!DOCTYPE html>\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\">\n<title>Notepad App</t"
},
{
"path": "sn1per.desktop",
"chars": 277,
"preview": "[Desktop Entry]\nName=sn1per\nEncoding=UTF-8\nExec=bash-wrapper \"sudo sniper\"\nIcon=/usr/share/pixmaps/sn1per.png\nStartupNot"
},
{
"path": "sniper",
"chars": 27396,
"preview": "#!/bin/bash\n# + -- --=[Sn1per Community Edition by @xer0dayz\n# + -- --=[https://sn1persecurity.com\n# \n\nif [[ $EUID -ne 0"
},
{
"path": "sniper.conf",
"chars": 9819,
"preview": "INSTALL_DIR=\"/usr/share/sniper\"\nSNIPER_PRO=$INSTALL_DIR/pro.sh\nPLUGINS_DIR=\"$INSTALL_DIR/plugins\"\n\n# COLORS\nOKBLUE='\\033"
},
{
"path": "templates/active/AWS_S3_Public_Bucket_Listing.sh",
"chars": 204,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='AWS S3 Public Bucket Listing'\nURI=''\nMETHOD='GET'\nMATCH=\"listbucket\"\nSEVERITY='P5 - INFO'\n"
},
{
"path": "templates/active/ApPHP_MicroBlog_Remote_Code_Execution_Vulnerability.sh",
"chars": 298,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='ApPHP MicroBlog Remote Code Execution Vulnerability'\nURI='/index.php?b);phpinfo();echo(bas"
},
{
"path": "templates/active/Apache_Solr_Scanner.sh",
"chars": 197,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Apache Solr Detected'\nURI=''\nMETHOD='GET'\nMATCH=\"Solr\\ Admin\"\nSEVERITY='P5 - INFO'\nCURL_OP"
},
{
"path": "templates/active/Apache_Tomcat_Scanner.sh",
"chars": 260,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Apache Tomcat Detected'\nURI='/404_DOES_NOT_EXIST'\nMETHOD='GET'\nMATCH=\"Apache\\ Tomcat\\/[0-9"
},
{
"path": "templates/active/AvantFAX_LOGIN_Detected.sh",
"chars": 204,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='AvantFAX LOGIN Detected'\nURI=''\nMETHOD='GET'\nMATCH=\"AvantFAX\\ LOGIN\"\nSEVERITY='P5 - INFO'\n"
},
{
"path": "templates/active/CVE-2018-13379_-_Fortigate_Pulse_Connect_Secure_Directory_Traversal.sh",
"chars": 333,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2018-13379 - Fortigate Pulse Connect Secure Directory Traversal'\nURI='/remote/fgt_lang"
},
{
"path": "templates/active/CVE-2019-11510_-_Pulse_Connect_Secure_SSL_VPN_Arbitrary_File_Read.sh",
"chars": 332,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-11510 - Pulse Connect Secure SSL VPN Arbitrary File Read'\nURI='/dana-na/../dana/h"
},
{
"path": "templates/active/CVE-2019-11580_-_Atlassian_Crowd_Data_Center_Unauthenticated_RCE.sh",
"chars": 289,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE'\nURI='/crowd/plugins/serv"
},
{
"path": "templates/active/CVE-2019-11581_-_Jira_Template_Injection.sh",
"chars": 279,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-11581 - Jira Template Injection'\nURI='/secure/ContactAdministrators!default.jspa'"
},
{
"path": "templates/active/CVE-2019-1653_-_Cisco_RV320_RV326_Configuration_Disclosure.sh",
"chars": 256,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-1653 - Cisco RV320 RV326 Configuration Disclosure'\nURI=\"/cgi-bin/config.exp\"\nMETH"
},
{
"path": "templates/active/CVE-2019-16662_-_rConfig_3.9.2_Remote_Code_Execution.sh",
"chars": 345,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution'\nURI='/install/lib/ajaxHandlers/ajaxS"
},
{
"path": "templates/active/CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution.sh",
"chars": 429,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution'\nURI='/'\nMETHOD='PO"
},
{
"path": "templates/active/CVE-2019-16759_-_vBulletin_5.x_0-Day_Pre-Auth_Remote_Command_Execution_Bypass.sh",
"chars": 438,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass'\nURI='/ajax/"
},
{
"path": "templates/active/CVE-2019-17558_-_Apache_Solr_RCE.sh",
"chars": 657,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-17558 - Apache Solr RCE'\nURI='/solr/dovecot/select?q=1&&wt=velocity&v.template=cu"
},
{
"path": "templates/active/CVE-2019-19719_Tableau_Server_DOM_XSS.py",
"chars": 473,
"preview": "# Import any WebDriver class that you would usually import from\n# selenium.webdriver from the seleniumrequests module\nim"
},
{
"path": "templates/active/CVE-2019-19781_-_Citrix_ADC_Directory_Traversal.sh",
"chars": 252,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-19781 - Citrix ADC Directory Traversal'\nURI='/vpn/../vpns/cfg/smb.conf'\nMETHOD='G"
},
{
"path": "templates/active/CVE-2019-19908_-_phpMyChat-Plus_XSS.sh",
"chars": 318,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-19908 - phpMyChat-Plus XSS'\nURI=\"/plus/pass_reset.php?L=english&pmc_username=%22%"
},
{
"path": "templates/active/CVE-2019-5418_-_Rail_File_Content_Disclosure.sh",
"chars": 260,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-5418 - File Content Disclosure on Rails'\nURI=\"/../../../../../../../../etc/passwd"
},
{
"path": "templates/active/CVE-2019-6340_-_Drupal8_REST_RCE_SA-CORE-2019-003.disabled",
"chars": 594,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-6340 - Drupal8 REST RCE SA-CORE-2019-003'\nURI='/node/1?_format=hal_json'\nMETHOD='"
},
{
"path": "templates/active/CVE-2019-7192_-_QNAP_Pre-Auth_Root_RCE.sh",
"chars": 255,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-7192 - QNAP Pre-Auth Root RCE'\nURI='/photo/p/api/video.php'\nMETHOD='GET'\nMATCH=\"\\"
},
{
"path": "templates/active/CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_1.sh",
"chars": 303,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 1'\nURI=\"/s/anything/_/META-INF/maven/com."
},
{
"path": "templates/active/CVE-2019-8442_-_Jira_Webroot_Directory_Traversal_2.sh",
"chars": 310,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 2'\nURI=\"/s/anything/_/META-INF/maven/com."
},
{
"path": "templates/active/CVE-2019-8451_Jira_SSRF_1.sh",
"chars": 319,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8451 Jira SSRF 1'\nURI=\"/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1"
},
{
"path": "templates/active/CVE-2019-8451_Jira_SSRF_2.sh",
"chars": 324,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8451 Jira SSRF 2'\nURI=\"/jira/plugins/servlet/gadgets/makeRequest?url=https://127."
},
{
"path": "templates/active/CVE-2019-8451_Jira_SSRF_3.sh",
"chars": 324,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8451 Jira SSRF 3'\nURI=\"/wiki/plugins/servlet/gadgets/makeRequest?url=https://127."
},
{
"path": "templates/active/CVE-2019-8451_Jira_SSRF_4.sh",
"chars": 330,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8451 Jira SSRF 4'\nURI=\"/confluence/plugins/servlet/gadgets/makeRequest?url=https:"
},
{
"path": "templates/active/CVE-2019-8903_-_Totaljs_Unathenticated_Directory_Traversal.sh",
"chars": 333,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8903 - Totaljs - Unathenticated Directory Traversal'\nURI=\"/.%2e/.%2e/.%2e/.%2e/.%"
},
{
"path": "templates/active/CVE-2019-8982_-_Wavemaker_Studio_6.6_LFI_SSRF.sh",
"chars": 293,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2019-8982 - Wavemaker Studio 6.6 LFI/SSRF'\nURI=\"/wavemaker/studioService.download?meth"
},
{
"path": "templates/active/CVE-2020-0618_-_Remote_Code_Execution_SQL_Server_Reporting_Services.sh",
"chars": 287,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-0618 - Remote Code Execution SQL Server Reporting Services'\nURI=\"/ReportServer/Pa"
},
{
"path": "templates/active/CVE-2020-10204_-_Sonatype_Nexus_Repository_RCE.sh",
"chars": 475,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-10204 - Sonatype Nexus Repository RCE'\nURI=\"/extdirect\"\nMETHOD='POST'\nMATCH=\"1787"
},
{
"path": "templates/active/CVE-2020-1147_-_Remote_Code_Execution_in_Microsoft_SharePoint_Server.sh",
"chars": 396,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-1147 - Remote Code Execution in Microsoft SharePoint Server'\nURI=\"/_layouts/15/li"
},
{
"path": "templates/active/CVE-2020-11530_-_Wordpress_Chop_Slider_3_Plugin_SQL_Injection.sh",
"chars": 314,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-11530 - Wordpress Chop Slider 3 Plugin SQL Injection'\nURI='/wp-content/plugins/ch"
},
{
"path": "templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal.sh",
"chars": 331,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal'\nURI=\"/wp-admin/admin-aja"
},
{
"path": "templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_2.sh",
"chars": 343,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 2'\nURI=\"/wordpress/wp-adm"
},
{
"path": "templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_3.sh",
"chars": 333,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 3'\nURI=\"/wp-admin/admin-a"
},
{
"path": "templates/active/CVE-2020-11738_-_WordPress_Duplicator_plugin_Directory_Traversal_4.sh",
"chars": 343,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 4'\nURI=\"/wordpress/wp-adm"
},
{
"path": "templates/active/CVE-2020-12271_-_Sophos_XG_Firewall_Pre-Auth_SQL_Injection.sh",
"chars": 283,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-12271 - Sophos XG Firewall Pre-Auth SQL Injection'\nURI='/userportal/webpages/myac"
},
{
"path": "templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_1.sh",
"chars": 535,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 1'\nURI=\"/ajax/api/content_infraction/getInd"
},
{
"path": "templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_2.sh",
"chars": 539,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 2'\nURI=\"/vb5/ajax/api/content_infraction/ge"
},
{
"path": "templates/active/CVE-2020-12720_-_vBulletin_Unauthenticaed_SQLi_3.sh",
"chars": 609,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 3'\nURI=\"/vb5/ajax/api/content_infraction/ge"
},
{
"path": "templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_1.sh",
"chars": 540,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 1'\nURI=\"/webadmin"
},
{
"path": "templates/active/CVE-2020-13167_-_Netsweeper_WebAdmin_Python_Code_Injection_2.sh",
"chars": 269,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 2'\nURI=\"/webadmin"
},
{
"path": "templates/active/CVE-2020-14181_-_User_Enumeration_Via_Insecure_Jira_Endpoint.sh",
"chars": 297,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-14181 - User Enumeration Via Insecure Jira Endpoint'\nURI=\"/secure/ViewUserHover.j"
},
{
"path": "templates/active/CVE-2020-14815_-_Oracle_Business_Intelligence_Enterprise_DOM_XSS.sh",
"chars": 352,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-14815 - Oracle Business Intelligence Enterprise DOM XSS'\nURI='/bi-security-login/"
},
{
"path": "templates/active/CVE-2020-15129_-_Open_Redirect_In_Traefik.sh",
"chars": 305,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-15129 - Open Redirect In Traefik'\nURI='/'\nMETHOD='GET'\nMATCH=\"<a href=\\\"https://g"
},
{
"path": "templates/active/CVE-2020-15920_-_Mida_eFramework_Unauthenticated_RCE.sh",
"chars": 303,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-15920 - Mida eFramework Unauthenticated RCE'\nURI='/PDC/ajaxreq.php?PARAM=127.0.0."
},
{
"path": "templates/active/CVE-2020-17519_-_Apache_Flink_Path_Traversal.sh",
"chars": 287,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-17519 - Apache Flink Path Traversal'\nURI=\"/jobmanager/logs/..%252f..%252f..%252f."
},
{
"path": "templates/active/CVE-2020-2034_-_PAN-OS_GlobalProtect_OS_Command_Injection.sh",
"chars": 268,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection'\nURI='/global-protect/login.esp'"
},
{
"path": "templates/active/CVE-2020-2096_-_Jenkins_Gitlab_Hook_XSS.sh",
"chars": 278,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2096 - Jenkins Gitlab Hook XSS'\nURI=\"/gitlab/build_now%3Csvg/onload=alert(1337)%3"
},
{
"path": "templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_1.sh",
"chars": 276,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 1'\nURI=\"/git/build_now/a'\\\">%3Csvg/onload=alert(1337)%3E\""
},
{
"path": "templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_2.sh",
"chars": 284,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 2'\nURI=\"/jenkins/git/build_now/a'\\\">%3Csvg/onload=alert(1"
},
{
"path": "templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_3.sh",
"chars": 279,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 3'\nURI=\"/gitlab/build_now/a'\\\">%3Csvg/onload=alert(1337)%"
},
{
"path": "templates/active/CVE-2020-2096_Jenkins_Gitlab_XSS_4.sh",
"chars": 287,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 4'\nURI=\"/jenkins/gitlab/build_now/a'\\\">%3Csvg/onload=aler"
},
{
"path": "templates/active/CVE-2020-2140_-_Jenkin_AuditTrailPlugin_XSS.sh",
"chars": 320,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2140 - Jenkin AuditTrailPlugin XSS'\nURI=\"/descriptorByName/AuditTrailPlugin/regex"
},
{
"path": "templates/active/CVE-2020-24223_-_Mara_CMS_7.5_Reflective_XSS.sh",
"chars": 285,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-24223 - Mara CMS 7.5 Reflective XSS'\nURI='/contact.php?theme=%3Csvg/onload=alert("
},
{
"path": "templates/active/CVE-2020-25213_-_WP_File_Manager_File_Upload.sh",
"chars": 290,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-25213 - WP File Manager File Upload'\nURI=\"/wp-content/plugins/wp-file-manager/rea"
},
{
"path": "templates/active/CVE-2020-2551_-_Unauthenticated_Oracle_WebLogic_Server_Remote_Code_Execution.sh",
"chars": 321,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2551 - Unauthenticated Oracle WebLogic Server Remote Code Execution'\nURI='/consol"
},
{
"path": "templates/active/CVE-2020-2555_-_WebLogic_Server_Deserialization_RCE.sh",
"chars": 257,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-2555 - WebLogic Server Deserialization RCE'\nURI=\"/console/login/LoginForm.jsp\"\nME"
},
{
"path": "templates/active/CVE-2020-3187_-_Citrix_Unauthenticated_File_Deletion.sh",
"chars": 259,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-3187 - Citrix Unauthenticated File Deletion'\nURI=\"/+CSCOE+/session_password.html\""
},
{
"path": "templates/active/CVE-2020-3452_-_Cisco_ASA-FTD_Arbitrary_File_Reading_Vulnerability.sh",
"chars": 383,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-3452 - Cisco ASA/FTD Arbitrary File Reading Vulnerability'\nURI='/+CSCOT+/translat"
},
{
"path": "templates/active/CVE-2020-5284_-_Next_JS_Limited_Path_Traversal.sh",
"chars": 282,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5284 - Next JS Limited Path Traversal'\nURI=\"/_next/static/../server/pages-manifes"
},
{
"path": "templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_1.sh",
"chars": 356,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5405 - Spring Directory Traversal 1'\nURI=\"/a/a/..%252f..%252f..%252f..%252f..%252"
},
{
"path": "templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_2.sh",
"chars": 361,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5405 - Spring Directory Traversal 2'\nURI=\"/a/a/..%252f..%252f..%252f..%252f..%252"
},
{
"path": "templates/active/CVE-2020-5405_-_Spring_Directory_Traversal_3.sh",
"chars": 361,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5405 - Spring Directory Traversal 2'\nURI=\"/a/a/..%252f..%252f..%252f..%252f..%252"
},
{
"path": "templates/active/CVE-2020-5412_-_Full-read_SSRF_in_Spring_Cloud_Netflix.sh",
"chars": 297,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix'\nURI=\"/proxy.stream?origin=http://b"
},
{
"path": "templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_1.sh",
"chars": 303,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 1'\nURI='/tmui/login.jsp/..;/tmui/system/us"
},
{
"path": "templates/active/CVE-2020-5902_-_F5_BIG-IP_Remote_Code_Execution_2.sh",
"chars": 302,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 2'\nURI='/tmui/login.jsp/..;/tmui/locallb/w"
},
{
"path": "templates/active/CVE-2020-5902_-_F5_BIG-IP_XSS.sh",
"chars": 303,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-5902 - F5 BIG-IP XSS'\nURI='/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=%3Cs"
},
{
"path": "templates/active/CVE-2020-6287_-_Create_an_Administrative_User_in_SAP_NetWeaver_AS_JAVA.sh",
"chars": 819,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-6287 - Create an Administrative User in SAP NetWeaver AS JAVA'\nURI=\"/CTCWebServic"
},
{
"path": "templates/active/CVE-2020-7048_-_WP_Database_Reset_3.15_Unauthenticated_Database_Reset.sh",
"chars": 367,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-7048 - WP Database Reset 3.15 Unauthenticated Database Reset'\nURI='/wp-admin/admi"
},
{
"path": "templates/active/CVE-2020-7209_-_LinuxKI_Toolset_6.01_Remote_Command_Execution.sh",
"chars": 350,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-7209 - LinuxKI Toolset 6.01 Remote Command Execution'\nURI=\"/linuxki/experimental/"
},
{
"path": "templates/active/CVE-2020-7246_-_qdPM_Authenticated_Remote_Code_Execution.sh",
"chars": 234,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-7246 - qdPM Authenticated Remote Code Execution'\nURI=\"/\"\nMETHOD='GET'\nMATCH='qdPM"
},
{
"path": "templates/active/CVE-2020-7473_Citrix_ShareFile_StorageZones.disabled",
"chars": 271,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-7473 Citrix ShareFile StorageZones Unauthenticated Access'\nURI=\"/UploadTest.aspx\""
},
{
"path": "templates/active/CVE-2020-8115_-_Revive_Adserver_XSS.py",
"chars": 456,
"preview": "# Import any WebDriver class that you would usually import from\n# selenium.webdriver from the seleniumrequests module\nim"
},
{
"path": "templates/active/CVE-2020-8115_-_Revive_Adserver_XSS.sh",
"chars": 323,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8115 - Revive Adserver XSS'\nURI=\"/www/delivery/afr.php?refresh=10000&\\\")',1000000"
},
{
"path": "templates/active/CVE-2020-8163_-_Rails_5.0.1_Remote_Code_Execution.sh",
"chars": 272,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8163 - Rails < 5.0.1 Remote Code Execution'\nURI='/?system(%27echo+$((1%2B1787568)"
},
{
"path": "templates/active/CVE-2020-8191_-_Citrix_ADC_NetScaler_Gateway_Reflected_XSS.sh",
"chars": 459,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8191 - Citrix ADC & NetScaler Gateway Reflected XSS'\nURI=\"/menu/stapp\"\nMETHOD='PO"
},
{
"path": "templates/active/CVE-2020-8193_-_Citrix_Unauthenticated_LFI.sh",
"chars": 560,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8193 - Citrix Unauthenticated LFI'\nURI=\"/pcidss/report?type=allprofiles&sid=login"
},
{
"path": "templates/active/CVE-2020-8194_-_Citrix_ADC_NetScaler_Gateway_Reflected_Code_Injection.sh",
"chars": 447,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8194 - Citrix ADC & NetScaler Gateway Reflected Code Injection'\nURI=\"/menu/guiw?n"
},
{
"path": "templates/active/CVE-2020-8209_-_Citrix_XenMobile_Server_Path_Traversal.sh",
"chars": 283,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8209 - Citrix XenMobile Server Path Traversal'\nURI=\"/jsp/help-sb-download.jsp?sbF"
},
{
"path": "templates/active/CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Config_Password_Disclosure.sh",
"chars": 346,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Config Password Disclosure'\nURI='/jsp"
},
{
"path": "templates/active/CVE-2020-8209_-_XenMobile-Citrix_Endpoint_Management_Path_Traversal.sh",
"chars": 296,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Path Traversal'\nURI='/jsp/help-sb-dow"
},
{
"path": "templates/active/CVE-2020-8512_-_IceWarp_WebMail_XSS.sh",
"chars": 305,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8512 - IceWarp WebMail XSS'\nURI=\"/webmail/?color=%22%3E%3Csvg/onload=alert(docume"
},
{
"path": "templates/active/CVE-2020-8772_-_IfiniteWP_Client_1.9.4.5_Authentication_Bypass_1.sh",
"chars": 409,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8772 - InfiniteWP Client 1.9.4.5 - Authentication Bypass 1'\nURI='/wp-admin/'\nMETH"
},
{
"path": "templates/active/CVE-2020-8982_-_Citrix_ShareFile_StorageZones_Unauthenticated_Arbitrary_File_Read.sh",
"chars": 361,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-8982 - Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read'\nURI=\"/X"
},
{
"path": "templates/active/CVE-2020-9047_-_exacqVision_Web_Service_Remote_Code_Execution.sh",
"chars": 612,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-9047 - exacqVision Web Service Remote Code Execution'\nURI=\"/version.web\"\nMETHOD='"
},
{
"path": "templates/active/CVE-2020-9054_-_ZyXEL_NAS_Remote_Code_Execution.sh",
"chars": 279,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-9054 - ZyXEL NAS Remote Code Execution'\nURI=\"/cgi-bin/weblogin.cgi?username=admin"
},
{
"path": "templates/active/CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh",
"chars": 332,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-9484 - Apache Tomcat RCE by deserialization'\nURI=\"/index.jsp\"\nMETHOD='GET'\nMATCH="
},
{
"path": "templates/active/CVE-2020-9757_-_SEOmatic_3.3.0_Server-Side_Template_Injection.sh",
"chars": 304,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='CVE-2020-9757 - SEOmatic < 3.3.0 Server-Side Template Injection'\nURI=\"/actions/seomatic/me"
},
{
"path": "templates/active/Cisco_VPN_Login_Scanner.sh",
"chars": 220,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Cisco VPN Login Detected'\nURI='/+CSCOE+/logon.html'\nMETHOD='GET'\nMATCH=\"CSCO_Format\"\nSEVER"
},
{
"path": "templates/active/Cisco_VPN_Scanner.sh",
"chars": 210,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Cisco VPN Detected'\nURI='/+CSCOE+/win.js'\nMETHOD='GET'\nMATCH=\"CSCO_WebVPN\"\nSEVERITY='P5 - "
},
{
"path": "templates/active/Citrix-Access-Gateway_Detected.sh",
"chars": 228,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Citrix-Access-Gateway Detected'\nURI='/vpn/index.html'\nMETHOD='GET'\nMATCH='Netscaler Gatewa"
},
{
"path": "templates/active/Citrix_VPN_Scanner.sh",
"chars": 218,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Citrix VPN Detected'\nURI='/vpn/index.html'\nMETHOD='GET'\nMATCH=\"Netscaler\\ Gateway\"\nSEVERIT"
},
{
"path": "templates/active/Citrix_VPN_Scanner_2.sh",
"chars": 212,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Citrix VPN Detected 2'\nURI='/vpn/index.html'\nMETHOD='GET'\nMATCH=\"NetScaler \"\nSEVERITY='P5 "
},
{
"path": "templates/active/Clear-text_Communications_HTTP.sh",
"chars": 185,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Clear-Text Protocol - HTTP'\nURI='/'\nMETHOD='GET'\nMATCH='200 OK'\nSEVERITY='P2 - HIGH'\nCURL_"
},
{
"path": "templates/active/Clickjacking.sh",
"chars": 200,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Clickjacking'\nURI='/'\nMETHOD='GET'\nMATCH='X-Frame-Options'\nSEVERITY='P4 - LOW'\nCURL_OPTS=\""
},
{
"path": "templates/active/Common_Status_File_Scanner_1.sh",
"chars": 251,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Common Status File Detected 1'\nURI='/.perf'\nMETHOD='GET'\nMATCH=\"Current\\ Time|nginx\\ vhost"
},
{
"path": "templates/active/Common_Status_File_Scanner_2.sh",
"chars": 259,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Common Status File Detected 2'\nURI='/server-status'\nMETHOD='GET'\nMATCH=\"Current\\ Time|ngin"
},
{
"path": "templates/active/Common_Status_File_Scanner_3.sh",
"chars": 257,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Common Status File Detected 3'\nURI='/status.html'\nMETHOD='GET'\nMATCH=\"Current\\ Time|nginx\\"
},
{
"path": "templates/active/Confluence_Scanner.sh",
"chars": 217,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Atlassian Confluence Detected'\nURI='/'\nMETHOD='GET'\nMATCH=\"Atlassian\\ Confluence\"\nSEVERITY"
},
{
"path": "templates/active/Contact_Form_7_Wordpress_Plugin_Found_1.sh",
"chars": 298,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Contact Form 7 Wordpress Plugin Found 1'\nURI=\"/wp-content/plugins/drag-and-drop-multiple-f"
},
{
"path": "templates/active/Contact_Form_7_Wordpress_Plugin_Found_2.sh",
"chars": 308,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Contact Form 7 Wordpress Plugin Found 2'\nURI=\"/wordpress/wp-content/plugins/drag-and-drop-"
},
{
"path": "templates/active/Directory_Listing_Enabled.sh",
"chars": 222,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Directory Listing Enabled'\nURI='/'\nMETHOD='GET'\nMATCH=\"Index\\ of|To\\ Parent\\ Directory\"\nSE"
},
{
"path": "templates/active/Drupal_Install_Found.sh",
"chars": 240,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal Install Found'\nURI='/install.php?profile=default'\nMETHOD='GET'\nMATCH='Choose langua"
},
{
"path": "templates/active/Drupal_Scanner_1.sh",
"chars": 195,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal Detected 1'\nURI='/'\nMETHOD='GET'\nMATCH=\"drupal\\.org\"\nSEVERITY='P5 - INFO'\nCURL_OPTS"
},
{
"path": "templates/active/Drupal_Scanner_2.sh",
"chars": 202,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal Detected 3'\nURI='/drupal/'\nMETHOD='GET'\nMATCH=\"drupal\\.org\"\nSEVERITY='P5 - INFO'\nCU"
},
{
"path": "templates/active/Drupal_Scanner_3.sh",
"chars": 200,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal Detected 2'\nURI='/blog/'\nMETHOD='GET'\nMATCH=\"drupal\\.org\"\nSEVERITY='P5 - INFO'\nCURL"
},
{
"path": "templates/active/Drupal_User_Login.sh",
"chars": 223,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal User Login'\nURI='/user/login?destination=/'\nMETHOD='GET'\nMATCH='user-login-form'\nSE"
},
{
"path": "templates/active/Drupal_Version_Disclosure.sh",
"chars": 235,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Drupal Version Disclosure'\nURI='/core/install.php?profile=default'\nMETHOD='GET'\nMATCH='sit"
},
{
"path": "templates/active/F5_BIG-IP_Scanner.sh",
"chars": 201,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='F5 BIG-IP Detected'\nURI='/'\nMETHOD='GET'\nMATCH='<title>F5 BIG-IP'\nSEVERITY='P5 - INFO'\nCUR"
},
{
"path": "templates/active/F5_BIG-IP_Scanner_2.sh",
"chars": 217,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='F5 BIG-IP Detected 2'\nURI='/tmui/login.jsp'\nMETHOD='GET'\nMATCH='<title>F5 BIG-IP'\nSEVERITY"
},
{
"path": "templates/active/Fortigate_Pulse_Connect_Secure_Scanner.sh",
"chars": 245,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Fortigate Pulse Connect Secure Detected'\nURI='/remote/login?lang=en'\nMETHOD='GET'\nMATCH='<"
},
{
"path": "templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected.sh",
"chars": 245,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Fortinet FortiGate SSL VPN Panel Detected'\nURI='/remote/login?lang=en'\nMETHOD='GET'\nMATCH="
},
{
"path": "templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_1.sh",
"chars": 247,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 1'\nURI='/remote/login?lang=en'\nMETHOD='GET'\nMATC"
},
{
"path": "templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_2.sh",
"chars": 253,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 2'\nURI=':10443/remote/login?lang=en'\nMETHOD='GET"
},
{
"path": "templates/active/Fortinet_FortiGate_SSL_VPN_Panel_Detected_3.sh",
"chars": 252,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Fortinet FortiGate SSL VPN Panel Detected 3'\nURI=':4443/remote/login?lang=en'\nMETHOD='GET'"
},
{
"path": "templates/active/Frontpage_Service_Password_Disclosure.sh",
"chars": 234,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Frontpage Service Password Disclosure'\nURI='/_vti_pvt/service.pwd'\nMETHOD='GET'\nMATCH=' Fr"
},
{
"path": "templates/active/Git_Config_Detected.sh",
"chars": 209,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Git Config Detected 1'\nURI='/.git/config'\nMETHOD='GET'\nMATCH=\"\\[core\\]\"\nSEVERITY='P3 - MED"
},
{
"path": "templates/active/JK_Status_Manager.sh",
"chars": 212,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='JK Status Manager'\nURI='/jkstatus/'\nMETHOD='GET'\nMATCH=\"JK\\ Status\\ Manager\"\nSEVERITY='P5 "
},
{
"path": "templates/active/Jaspersoft_Detected.sh",
"chars": 227,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jaspersoft Detected'\nURI='/jasperserver/login.html?error=1'\nMETHOD='GET'\nMATCH=\"Jaspersoft"
},
{
"path": "templates/active/Jenkins_Scanner.sh",
"chars": 208,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jenkins Detected'\nURI='/login?from=%2F'\nMETHOD='GET'\nMATCH=\"\\[Jenkins\\]\"\nSEVERITY='P5 - IN"
},
{
"path": "templates/active/Jetty_Version_Disclosure.sh",
"chars": 215,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jetty Version Disclosure Detected'\nURI='/'\nMETHOD='GET'\nMATCH='Powered by Jetty'\nSEVERITY="
},
{
"path": "templates/active/Jira_Scanner_1.sh",
"chars": 230,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jira Detected 1'\nURI='/secure/Dashboard.jspa'\nMETHOD='GET'\nMATCH='Project Management Softw"
},
{
"path": "templates/active/Jira_Scanner_2.sh",
"chars": 235,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jira Detected 2'\nURI='/jira/secure/Dashboard.jspa'\nMETHOD='GET'\nMATCH='Project Management "
},
{
"path": "templates/active/Jira_Scanner_3.sh",
"chars": 248,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jira Detected'\nURI='/secure/ContactAdministrators!default.jspa'\nMETHOD='GET'\nMATCH='Projec"
},
{
"path": "templates/active/Jolokia_Version_Disclosure.sh",
"chars": 218,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Jolokia Version Disclosure'\nURI='/jolokia/version'\nMETHOD='GET'\nMATCH=\"\\\"agent\\\"\\:\"\nSEVERI"
},
{
"path": "templates/active/Joomla_Scanner_1.sh",
"chars": 201,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Joomla Detected 1'\nURI='/'\nMETHOD='GET'\nMATCH='content=\"Joomla! '\nSEVERITY='P5 - INFO'\nCUR"
},
{
"path": "templates/active/Joomla_Scanner_2.sh",
"chars": 208,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Joomla Detected 1'\nURI='/joomla/'\nMETHOD='GET'\nMATCH='content=\"Joomla! '\nSEVERITY='P5 - IN"
},
{
"path": "templates/active/Joomla_Version_Disclosure.sh",
"chars": 248,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Joomla Version Disclosure'\nURI='/administrator/manifests/files/joomla.xml'\nMETHOD='GET'\nMA"
},
{
"path": "templates/active/Laraval_Environment_File_Found.sh",
"chars": 280,
"preview": "AUTHOR='@xer0dayz'\nVULN_NAME='Laraval Environment File Found'\nURI='/.env'\nMETHOD='GET'\nMATCH=\"DB_PASSWORD|REDIS_PASSWORD"
}
]
// ... and 91 more files (download for full content)