Sc0pe Templates

Project Sc0pe is the backbone of Sn1per's vulnerability scan engine and uses a modern template system based on bash, grep and curl to easily create vulnerability rules, detection and risk scoring criteria.

For anyone interested in writing or porting existing exploits over to Sc0pe, the process is simple. First, you will need to create a new template.sh file under /usr/share/sniper/templates/active/ for active scanners and /usr/share/sniper/templates/passive/ for passive scanners. You can now copy an existing template to rename or create a new file with the following format:

AUTHOR='@xer0dayz'
VULN_NAME='Apache Solr Detected'
URI='/'
METHOD='GET'
MATCH='Solr Admin'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'

Passive scanners use grep regex matching of any local file to determine vulnerability detection and use the following format:

AUTHOR='@xer0dayz'
VULN_NAME='CORS Policy - Allow-Credentials Enabled'
FILENAME="$LOOT_DIR/web/headers-htt*-$TARGET.txt"
MATCH='Access-Control-Allow-Credentials: true'
SEVERITY='P4 - LOW'
GREP_OPTIONS='-i'
SEARCH='positive'
SECONDARY_COMMANDS=''

One thing to note is that when saving template.sh file you created, be sure to not use spaces in the files (ie. CORS Policy – Allow-Credentials Enabled.sh). Instead, use underscores like “CORS_Policy_-_Allow-Credentials_Enabled.sh”.

Once your new template is created, all you need to do is run a scan. For active checks, you can choose from ‘normal’, ‘web’, ‘vulnscan’, ‘webporthttp’ and ‘webporthttps’ as well as any of the mass scan modes (ie. massweb, etc.). All other modes will only use passive scan modules to detect vulnerabilities.

Nuclei Templates

In addition to Sn1per's sc0pe templates, Nuclei templates are also leveraged if NUCLEI="1" is enabled via sniper.conf. Nuclei vulnerability templates are stored under /root/nuclei-templates/.