-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathreadme.txt
253 lines (219 loc) · 10.9 KB
/
readme.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
"# xray"
搬运
来源:https://cyberarsenal.org/
常用命令
xray webscan --listen 127.0.0.1:7777 -ho name.html
git clone -b 1.9.4forwindows http://github.com/coff1/xray.git
git clone -b 1.9.4forlinux http://github.com/coff1/xray.git
git clone -b 1.9.3forwindows http://github.com/coff1/xray.git
XRAY Web Vulnerability Scanner Linux amd64 -Zen
"A comprehensive security assessment tool that supports common web security
issue scanning and custom poc"
INSTRUCTIONS
This is a cracked command line tool that does not require installation. However,
there are a lot of options and for best results you should learn a little about
it and properly configure it for your needs. Here is some of my top advice:
0. License file not needed. You can optionally add one and it'll work too.
1. Minor point, but you have to run the tool at least once to generate the default
config file and the certificates. It does this automatically. When you see the
error just run it a second time to see usage instructions.
2. You get better results when you use the browser crawler than with the basic one.
This is a Pro feature but with the crack you are good to go. You need "rad"
(included) and chrome (you need to install it if you haven't). To use this power
you just specify "--browser" then the URL, and xray will use chrome headless to
crawl the target.
SPECIAL LINUX CHROME INFORMATION: If your linux install is like mine, you will
have a problem with chrome not wanting to run as root unless you bypass the
sandbox. Doesn't make a lick of sense to me, and there is probably a great
solution, but the only thing I know to do is edit the bash file to change then
chrome is called such that it includes the --no-sandbox parameter.
Depending on where your chrome is, maybe edit this /usr/bin/google-chrome
so that the line has --no-sandbox, like this (example only!)
exec -a "$0" "$HERE/chrome" "$@" --user-data-dir --no-sandbox
3. There are a lot of security checks that require the target to be able to
connect back out to you. It is the only way those bugs can be tested (the
target web server needs to connect somewhere - sometimes this can be a dedicated
collector like what burpsuite or nuclei use, but here it is a server you run
as part of xray). In order to enable all those exploit checks you need to set
the reverse server IP in the config file. If you don't, xray will tell you
what modules it had to disable because they require the reverse server. If
you run xray on a vps (you should) then this is the publicly accessible IP interface.
read the docs and edit the yaml file. If you are using a firewall make sure you
set a rule to allow access to the port.
4. Make sure you specify an output format. There is html (looks nice but requires
javascript wtf), json (text but needs parsing), and webhooks. Otherwise you just
get spew on the console and have to catch messages as they fly by. OH, and
there is *still* no --text-output like the docs claim. Hasn't been for awhile.
5. Take care if you are scanning sites that matter to you - in default without
changing the settings I scanned a strong vps (nginx webserver) which had 4 cores
and 24gb ram and the scan pegged all four of the cpu's at near 100% (nginx was
fine it was mysql mostly) anyway point is you can accidentally dos a server so
if you are doing professional work or bug bounty you probably want to dial this
back a little and not flood the target off the net. Warning issued.
I guess that's it. When this first came out I found zeroday RCE with it -
some of the checks are pretty good. Others will give you some false positives
(in previous versions - dunno about this one yet;)
example usage basic scan without rad/chrome:
./xray ws --basic http://example.com --html-output example.html
example usage with rad/chrome:
./xray ws --browser https://www.ai.mil/ --json-output algorithmicwarfare.json
changelog for 1.9.4 (translated from chinese)
Update details
plugin update
Add the XStream scanning plug-in , the support list is as follows (the plug-in needs to open the anti-connection platform)
CVE-2021-21344
CVE-2021-21345
CVE-2021-39141
CVE-2021-39144
...(total 29 plugins)
The fastjson plugin supports cve-2022-25845 the detection of
POC writing/execution update
Added a warning message, masters can delete files created by the detection plug-in according to the warning message
Support adding body when GET, HEAD, OPTION
Add the compare version function to compare the matched versions
Add html entity encoding / decoding functions
Add java deserialization function
Add hex / hexDecode function
optimize content
Optimized the vulnerability capture logic of the anti-connection platform and improved the hit rate
Optimized poc lint to become more user-friendly
The yaml script supports obtaining the link of the rmi anti-connection platform, please refer to the official document for specific usage
Optimized the Struts2 detection module, added reverse connection confirmation, and reduced false positives and negatives
Fix POC
Optimized rules, weak rules
poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-h3c-cvm-upload-file-upload
poc-yaml-iis-cve-2017-7269
poc-yaml-74cms-sqli-cve-2020-22209
poc-yaml-reporter-file-read
poc-yaml-wanhu-ezoffice-documentedit-sqli
poc-yaml-joomla-cve-2017-8917-sqli
poc-yaml-iis-cve-2017-7269
poc-yaml-emerge-e3-cve-2019-7256
poc-yaml-alibaba-nacos-v1-auth-bypass
poc-yaml-wanhu-ezoffice-documentedit-sqli
poc-yaml-magicflow-gateway-main-xp-file-read
poc-yaml-gitblit-cve-2022-31268
poc-yaml-phpstudy-nginx-wrong-resolve
poc-yaml-confluence-cve-2022-26138
poc-yaml-metinfo-lfi-cnvd-2018-13393
poc-yaml-zabbix-cve-2019-17382
poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli
poc-yaml-vite-cnvd-2022-44615
poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion
poc-yaml-zabbix-cve-2022-23134
poc-yaml-ametys-cms-cve-2022-26159
Optimized deletion (duplication of functions with xray's general plugin)
poc-yaml-nexusdb-cve-2020-24571-path-traversal
poc-yaml-specoweb-cve-2021-32572-fileread
poc-yaml-tvt-nvms-1000-file-read-cve-2019-20085
poc-yaml-zyxel-vmg1312-b10d-cve-2018-19326-path-traversal
Add harmless treatment
poc-yaml-fanruan-v9-file-upload
poc-yaml-h3c-cvm-upload-file-upload
poc-yaml-seeyon-unauthorized-fileupload
poc-yaml-thinkcmf-write-shell
poc-yaml-wanhu-oa-officeserver-file-upload
poc-yaml-weaver-oa-workrelate-file-upload
poc-yaml-yonyou-grp-u8-file-upload
poc-yaml-yonyou-nc-file-accept-upload
poc-yaml-yonyou-u8c-file-upload
poc-yaml-zhiyuan-oa-wpsassistservlet-file-upload
Added 96 POCs
poc-yaml-ruijie-fileupload-fileupload-rce
poc-yaml-eweaver-oa-mecadminaction-sqlexec
poc-yaml-xxl-job-default-password
poc-yaml-wordpress-plugin-superstorefinder-ssf-social-action-php-sqli
poc-yaml-magento-config-disclosure-info-leak
poc-yaml-ukefu-cnvd-2021-18305-file-read
poc-yaml-ukefu-cnvd-2021-18303-ssrf
poc-yaml-eweaver-eoffice-mainselect-info-leak
poc-yaml-linksys-cnvd-2014-01260
poc-yaml-wordpress-welcart-ecommerce-cve-2022-41840-path-traversal
poc-yaml-jeesite-userfiles-path-traversal
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-v-sol-olt-platform-unauth-config-download
poc-yaml-ibm-websphere-portal-hcl-cve-2021-27748-ssrf
poc-yaml-yonyou-nc-uapws-db-info-leak
poc-yaml-yonyou-nc-service-info-leak
poc-yaml-yongyou-nc-cloud-fs-sqli
poc-yaml-finecms-filedownload
poc-yaml-weaver-eoffice-userselect-unauth
poc-yaml-fortinet-cve-2022-40684-auth-bypass
poc-yaml-dapr-dashboard-cve-2022-38817-unauth
poc-yaml-wordpress-zephyr-project-manager-cve-2022-2840-sqli
poc-yaml-jira-cve-2022-39960-unauth
poc-yaml-qnap-cve-2022-27593-fileupload
poc-yaml-wordpress-all-in-one-video-gallery-cve-2022-2633-lfi
poc-yaml-atlassian-bitbucket-archive-cve-2022-36804-remote-command-exec
poc-yaml-wordpress-simply-schedule-appointments-cve-2022-2373-unauth
poc-yaml-zoho-manageengine-opmanager-cve-2022-36923
poc-yaml-red-hat-freeipa-cve-2022-2414-xxe
poc-yaml-wavlink-cve-2022-2488-rce
poc-yaml-wavlink-cve-2022-34045-info-leak
poc-yaml-wordpress-shareaholic-cve-2022-0594-info-leak
poc-yaml-wordpress-wp-stats-manager-cve-2022-33965-sqli
poc-yaml-opencart-newsletter-custom-popup-sqli
poc-yaml-wordpress-events-made-easy-cve-2022-1905-sqli
poc-yaml-wordpress-kivicare-cve-2022-0786-sqli
poc-yaml-wordpress-cve-2022-1609-rce
poc-yaml-solarview-compact-cve-2022-29303-rce
poc-yaml-wordpress-arprice-lite-cve-2022-0867-sqli
poc-yaml-wordpress-fusion-cve-2022-1386-ssrf
poc-yaml-wordpress-nirweb-cve-2022-0781-sqli
poc-yaml-wordpress-metform-cve-2022-1442-info-leak
poc-yaml-wordpress-mapsvg-cve-2022-0592-sqli
poc-yaml-wordpress-badgeos-cve-2022-0817-sqli
poc-yaml-wordpress-daily-prayer-time-cve-2022-0785-sqli
poc-yaml-wordpress-woo-product-table-cve-2022-1020-rce
poc-yaml-wordpress-documentor-cve-2022-0773-sqli
poc-yaml-wordpress-multiple-shipping-address-woocommerce-cve-2022-0783-sqli
poc-yaml-gitlab-cve-2022-1162-hardcoded-password
poc-yaml-thinkphp-cve-2022-25481-info-leak
poc-yaml-wordpress-cve-2022-0591-ssrf
poc-yaml-wordpress-simple-link-directory-cve-2022-0760-sqli
poc-yaml-wordpress-ti-woocommerce-wishlist-cve-2022-0412-sqli
poc-yaml-wordpress-notificationx-cve-2022-0349-sqli
poc-yaml-wordpress-page-views-count-cve-2022-0434-sqli
poc-yaml-wordpress-masterstudy-lms-cve-2022-0441-unauth
poc-yaml-wordpress-seo-cve-2021-25118-info-leak
poc-yaml-wordpress-perfect-survey-cve-2021-24762-sqli
poc-yaml-wordpress-asgaros-forum-cve-2021-24827-sqli
poc-yaml-tcexam-cve-2021-20114-info-leak
poc-yaml-wordpress-woocommerce-cve-2021-32789-sqli
poc-yaml-wordpress-profilepress-cve-2021-34621-unauth
poc-yaml-wordpress-wp-statistics-cve-2021-24340-sqli
poc-yaml-voipmonitor-cve-2021-30461-rce
poc-yaml-rocket-chat-cve-2021-22911-nosqli
poc-yaml-pega-infinity-cve-2021-27651-unauth
poc-yaml-wordpress-modern-events-calendar-lite-cve-2021-24146-info-leak
poc-yaml-afterlogic-webmail-cve-2021-26294-path-traversal
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-prestashop-cve-2021-3110-sqli
poc-yaml-cockpit-cve-2020-35847-nosqli
poc-yaml-cockpit-cve-2020-35848-nosqli
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-prestashop-cve-2020-26248-sqli
poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli
poc-yaml-microstrategy-cve-2020-11450-info-leak
poc-yaml-adobe-experience-manager-cve-2019-8086-xxe
poc-yaml-blogengine-net-cve-2019-10717-path-traversal
poc-yaml-dotcms-cve-2018-17422-url-redirection
poc-yaml-php-proxy-cve-2018-19458-fileread
poc-yaml-circarlife-scada-cve-2018-16671-info-leak
poc-yaml-circarlife-scada-cve-2018-16670-info-leak
poc-yaml-circarlife-scada-cve-2018-16668-info-leak
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-orchid-core-vms-cve-2018-10956-path-traversal
poc-yaml-circarlife-scada-cve-2018-12634-info-leak
poc-yaml-nuuo-nvrmini2-cve-2018-11523-upload
poc-yaml-jolokia-cve-2018-1000130-code-injection
poc-yaml-fiberhome-cve-2017-15647-path-traversal
poc-yaml-opendreambox-cve-2017-14135-rce
poc-yaml-sap-cve-2017-12637-fileread
poc-yaml-glassfish-cve-2017-1000029-lfi
poc-yaml-boa-cve-2017-9833-fileread
poc-yaml-mantisbt-cve-2017-7615-unauth
poc-yaml-wordpress-cve-2017-5487-info-leak
poc-yaml-thinkcmf-cve-2018-19898-sqli
enjoy!