【应用漏扫】Xray
2023-2-27 00:3:27 Author: 利刃信安攻防实验室(查看原文) 阅读量:306 收藏

【应用漏扫】Xray

Xray是一款针对Web应用程序的自动化安全测试工具,可帮助用户快速识别和修复Web应用程序的安全漏洞。该工具基于GO语言开发,可在Windows、Linux和macOS等操作系统上运行。

功能:

1.支持多种Web应用程序安全测试技术:包括黑盒、灰盒和白盒测试技术,支持常见的OWASP Top 10漏洞检测,如SQL注入、跨站点脚本(XSS)、无效身份验证等。

2.提供用户友好的Web界面:可帮助用户轻松地使用Xray扫描Web应用程序并分析扫描结果。

3.支持自定义漏洞检测规则:用户可以根据自己的需要自定义漏洞检测规则,并将其添加到Xray的漏洞库中,以更好地适应不同的应用场景。

4.提供自动化测试工具集成:可与多种开发和测试工具集成,例如Jenkins、GitLab等。

用法:

1.安装和配置:用户需要下载并安装Xray,同时配置相关环境变量和Python库。Xray提供了详细的安装和配置说明,用户可以参考文档进行操作。

2.创建任务:用户可以通过Web界面创建扫描任务,并设置相关参数,例如扫描目标、扫描范围、漏洞检测规则等。

3.运行扫描:用户可以运行创建的任务,Xray将自动执行扫描,并在扫描结束后生成报告。

4.分析报告:用户可以通过Web界面查看扫描结果报告,并进行分析和评估。

技巧:

1.针对特定漏洞进行测试:用户可以根据自己的需要选择性地扫描特定漏洞,以提高测试效率。

2.使用自定义漏洞检测规则:用户可以根据自己的应用场景,添加自定义漏洞检测规则,以提高测试准确性。

3.集成测试工具:用户可以将Xray与其他测试工具集成,以便更好地实现自动化测试。

总结:

Xray是一款强大的Web应用程序安全测试工具,支持多种漏洞检测技术和自定义漏洞检测规则。用户可以根据自己的需要,灵活设置和执行扫描任务,并使用Xray提供的报告和分析工具,快速发现和解决Web应用程序的安全漏洞。

官网地址

https://xray.cool/

下载地址

https://download.xray.cool/

更新日志

https://stack.chaitin.com/tool/detail?id=1

工具功能

新的检测模块将不断添加

  • 添加burp的history导出文件转yml脚本的功能

  • log4j2-rce的检测

  • 为自定义脚本(gamma)添加格式化时间戳函数

  • 为自定义脚本(gamma)添加进制转换函数

  • 为自定义脚本(gamma)添加sha,hmacsha函数

  • 为自定义脚本(gamma)添加url全字符编码函数

  • XSS漏洞检测 (key: xss)

    利用语义分析的方式检测XSS漏洞

  • SQL 注入检测 (key: sqldet)

    支持报错注入、布尔注入和时间盲注等

  • 命令/代码注入检测 (key: cmd-injection)

    支持 shell 命令注入、PHP 代码执行、模板注入等

  • 目录枚举 (key: dirscan)

    检测备份文件、临时文件、debug 页面、配置文件等10余类敏感路径和文件

  • 路径穿越检测 (key: path-traversal)

    支持常见平台和编码

  • XML 实体注入检测 (key: xxe)

    支持有回显和反连平台检测

  • poc 管理 (key: phantasm)

    默认内置部分常用的 poc,用户可以根据需要自行构建 poc 并运行。文档:https://docs.xray.cool/#/guide/poc

  • 文件上传检测 (key: upload)

    支持常见的后端语言

  • 弱口令检测 (key: brute-force)

    社区版支持检测 HTTP 基础认证和简易表单弱口令,内置常见用户名和密码字典

  • jsonp 检测 (key: jsonp)

    检测包含敏感信息可以被跨域读取的 jsonp 接口

  • ssrf 检测 (key: ssrf)

    ssrf 检测模块,支持常见的绕过技术和反连平台检测

  • 基线检查 (key: baseline)

    检测低 SSL 版本、缺失的或错误添加的 http 头等

  • 任意跳转检测 (key: redirect)

    支持 HTML meta 跳转、30x 跳转等

  • CRLF 注入 (key: crlf-injection)

    检测 HTTP 头注入,支持 query、body 等位置的参数

  • Struts2 系列漏洞检测 (高级版,key: struts)

    检测目标网站是否存在Struts2系列漏洞,包括s2-016、s2-032、s2-045等常见漏洞

  • Thinkphp系列漏洞检测 (高级版,key: thinkphp)

    检测ThinkPHP开发的网站的相关漏洞

更新内容

插件更新

  1. 添加XStream扫描插件,支持列表如下(该插件需开启反连平台)

    • CVE-2021-21344

    • CVE-2021-21345

    • CVE-2021-39141

    • CVE-2021-39144

    • ...(共29个插件)

  2. fastjson插件支持cve-2022-25845的检测

POC编写/执行更新

  1. 新增警告信息,师傅们可以根据警告信息删除检测插件创建的文件等

  2. 支持在GET,HEAD,OPTION时添加body

  3. 添加compare version函数,可以对匹配出的版本进行对比

  4. 添加html实体编码/解码函数

  5. 添加java反序列化函数

  6. 添加hex/hexDecode函数

优化内容

  1. 优化了反连平台漏洞捕获逻辑,提高了命中率

  2. 优化了 poc lint 变得更人性化

  3. yaml脚本支持获取rmi反连平台的链接,具体使用请参考官方文档

  4. 优化了Struts2检测模块,添加反连确认,减少误报漏报

修复POC

规则优化,规则弱

poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-h3c-cvm-upload-file-upload
poc-yaml-iis-cve-2017-7269
poc-yaml-74cms-sqli-cve-2020-22209
poc-yaml-reporter-file-read
poc-yaml-wanhu-ezoffice-documentedit-sqli
poc-yaml-joomla-cve-2017-8917-sqli
poc-yaml-iis-cve-2017-7269
poc-yaml-emerge-e3-cve-2019-7256
poc-yaml-alibaba-nacos-v1-auth-bypass
poc-yaml-wanhu-ezoffice-documentedit-sqli
poc-yaml-magicflow-gateway-main-xp-file-read
poc-yaml-gitblit-cve-2022-31268
poc-yaml-phpstudy-nginx-wrong-resolve
poc-yaml-confluence-cve-2022-26138
poc-yaml-metinfo-lfi-cnvd-2018-13393
poc-yaml-zabbix-cve-2019-17382
poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli
poc-yaml-vite-cnvd-2022-44615
poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion
poc-yaml-zabbix-cve-2022-23134
poc-yaml-ametys-cms-cve-2022-26159

优化删除(功能与xray的通用插件重复)

poc-yaml-nexusdb-cve-2020-24571-path-traversal
poc-yaml-specoweb-cve-2021-32572-fileread
poc-yaml-tvt-nvms-1000-file-read-cve-2019-20085
poc-yaml-zyxel-vmg1312-b10d-cve-2018-19326-path-traversal

新增无害化处理

poc-yaml-fanruan-v9-file-upload
poc-yaml-h3c-cvm-upload-file-upload
poc-yaml-seeyon-unauthorized-fileupload
poc-yaml-thinkcmf-write-shell
poc-yaml-wanhu-oa-officeserver-file-upload
poc-yaml-weaver-oa-workrelate-file-upload
poc-yaml-yonyou-grp-u8-file-upload
poc-yaml-yonyou-nc-file-accept-upload
poc-yaml-yonyou-u8c-file-upload
poc-yaml-zhiyuan-oa-wpsassistservlet-file-upload

新增POC 96个

poc-yaml-ruijie-fileupload-fileupload-rce
poc-yaml-eweaver-oa-mecadminaction-sqlexec
poc-yaml-xxl-job-default-password
poc-yaml-wordpress-plugin-superstorefinder-ssf-social-action-php-sqli
poc-yaml-magento-config-disclosure-info-leak
poc-yaml-ukefu-cnvd-2021-18305-file-read
poc-yaml-ukefu-cnvd-2021-18303-ssrf
poc-yaml-eweaver-eoffice-mainselect-info-leak
poc-yaml-linksys-cnvd-2014-01260
poc-yaml-wordpress-welcart-ecommerce-cve-2022-41840-path-traversal
poc-yaml-jeesite-userfiles-path-traversal
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-v-sol-olt-platform-unauth-config-download
poc-yaml-ibm-websphere-portal-hcl-cve-2021-27748-ssrf
poc-yaml-yonyou-nc-uapws-db-info-leak
poc-yaml-yonyou-nc-service-info-leak
poc-yaml-yongyou-nc-cloud-fs-sqli
poc-yaml-finecms-filedownload
poc-yaml-weaver-eoffice-userselect-unauth
poc-yaml-fortinet-cve-2022-40684-auth-bypass
poc-yaml-dapr-dashboard-cve-2022-38817-unauth
poc-yaml-wordpress-zephyr-project-manager-cve-2022-2840-sqli
poc-yaml-jira-cve-2022-39960-unauth
poc-yaml-qnap-cve-2022-27593-fileupload
poc-yaml-wordpress-all-in-one-video-gallery-cve-2022-2633-lfi
poc-yaml-atlassian-bitbucket-archive-cve-2022-36804-remote-command-exec
poc-yaml-wordpress-simply-schedule-appointments-cve-2022-2373-unauth
poc-yaml-zoho-manageengine-opmanager-cve-2022-36923
poc-yaml-red-hat-freeipa-cve-2022-2414-xxe
poc-yaml-wavlink-cve-2022-2488-rce
poc-yaml-wavlink-cve-2022-34045-info-leak
poc-yaml-wordpress-shareaholic-cve-2022-0594-info-leak
poc-yaml-wordpress-wp-stats-manager-cve-2022-33965-sqli
poc-yaml-opencart-newsletter-custom-popup-sqli
poc-yaml-wordpress-events-made-easy-cve-2022-1905-sqli
poc-yaml-wordpress-kivicare-cve-2022-0786-sqli
poc-yaml-wordpress-cve-2022-1609-rce
poc-yaml-solarview-compact-cve-2022-29303-rce
poc-yaml-wordpress-arprice-lite-cve-2022-0867-sqli
poc-yaml-wordpress-fusion-cve-2022-1386-ssrf
poc-yaml-wordpress-nirweb-cve-2022-0781-sqli
poc-yaml-wordpress-metform-cve-2022-1442-info-leak
poc-yaml-wordpress-mapsvg-cve-2022-0592-sqli
poc-yaml-wordpress-badgeos-cve-2022-0817-sqli
poc-yaml-wordpress-daily-prayer-time-cve-2022-0785-sqli
poc-yaml-wordpress-woo-product-table-cve-2022-1020-rce
poc-yaml-wordpress-documentor-cve-2022-0773-sqli
poc-yaml-wordpress-multiple-shipping-address-woocommerce-cve-2022-0783-sqli
poc-yaml-gitlab-cve-2022-1162-hardcoded-password
poc-yaml-thinkphp-cve-2022-25481-info-leak
poc-yaml-wordpress-cve-2022-0591-ssrf
poc-yaml-wordpress-simple-link-directory-cve-2022-0760-sqli
poc-yaml-wordpress-ti-woocommerce-wishlist-cve-2022-0412-sqli
poc-yaml-wordpress-notificationx-cve-2022-0349-sqli
poc-yaml-wordpress-page-views-count-cve-2022-0434-sqli
poc-yaml-wordpress-masterstudy-lms-cve-2022-0441-unauth
poc-yaml-wordpress-seo-cve-2021-25118-info-leak
poc-yaml-wordpress-perfect-survey-cve-2021-24762-sqli
poc-yaml-wordpress-asgaros-forum-cve-2021-24827-sqli
poc-yaml-tcexam-cve-2021-20114-info-leak
poc-yaml-wordpress-woocommerce-cve-2021-32789-sqli
poc-yaml-wordpress-profilepress-cve-2021-34621-unauth
poc-yaml-wordpress-wp-statistics-cve-2021-24340-sqli
poc-yaml-voipmonitor-cve-2021-30461-rce
poc-yaml-rocket-chat-cve-2021-22911-nosqli
poc-yaml-pega-infinity-cve-2021-27651-unauth
poc-yaml-wordpress-modern-events-calendar-lite-cve-2021-24146-info-leak
poc-yaml-afterlogic-webmail-cve-2021-26294-path-traversal
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-prestashop-cve-2021-3110-sqli
poc-yaml-cockpit-cve-2020-35847-nosqli
poc-yaml-cockpit-cve-2020-35848-nosqli
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-prestashop-cve-2020-26248-sqli
poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli
poc-yaml-microstrategy-cve-2020-11450-info-leak
poc-yaml-adobe-experience-manager-cve-2019-8086-xxe
poc-yaml-blogengine-net-cve-2019-10717-path-traversal
poc-yaml-dotcms-cve-2018-17422-url-redirection
poc-yaml-php-proxy-cve-2018-19458-fileread
poc-yaml-circarlife-scada-cve-2018-16671-info-leak
poc-yaml-circarlife-scada-cve-2018-16670-info-leak
poc-yaml-circarlife-scada-cve-2018-16668-info-leak
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-orchid-core-vms-cve-2018-10956-path-traversal
poc-yaml-circarlife-scada-cve-2018-12634-info-leak
poc-yaml-nuuo-nvrmini2-cve-2018-11523-upload
poc-yaml-jolokia-cve-2018-1000130-code-injection
poc-yaml-fiberhome-cve-2017-15647-path-traversal
poc-yaml-opendreambox-cve-2017-14135-rce
poc-yaml-sap-cve-2017-12637-fileread
poc-yaml-glassfish-cve-2017-1000029-lfi
poc-yaml-boa-cve-2017-9833-fileread
poc-yaml-mantisbt-cve-2017-7615-unauth
poc-yaml-wordpress-cve-2017-5487-info-leak
poc-yaml-thinkcmf-cve-2018-19898-sqli

使用手册

https://docs.xray.cool/#/tutorial/webscan_proxy

具体命令

./xray_darwin_amd64 webscan --listen 127.0.0.1:7777 --html-output xray-testphp.html


文章来源: http://mp.weixin.qq.com/s?__biz=MzU1Mjk3MDY1OA==&mid=2247500749&idx=4&sn=152d84b9cd6883ac1be5601c70062f9b&chksm=fbfb7300cc8cfa169250ebd999332b2eb3daea2734e52fd1e7466b9279a764a12ca4f787e133#rd
如有侵权请联系:admin#unsafe.sh