Xray Scanner
Xray scanner download: https://github.com/chaitin/xray
Xray is a community-edition web vulnerability scanner. It supports both active and passive scanning, ships with its own reverse (out-of-band) server for blind vulnerabilities, lets you define your own POCs, and runs on Windows, macOS and Linux.
xray active scan:
Call xray directly to scan a given site; --basic-crawler first spiders the site and then scans everything the crawler found.
xray webscan --basic-crawler <target url>   // use a basic spider to crawl the target and scan the results
For example:
xray webscan --basic-crawler https://www.baidu.com
When no output option is given, results are printed to the console. Reports can be written in text, JSON or HTML format; --url scans exactly one URL (no crawling).
For example:
xray webscan --url https://www.baidu.com --json-output report.json
Or use one of these output options instead:
--text-output report.txt   // write findings to a plain-text file
--json-output report.json  // write findings as JSON (easiest to post-process)
--html-output report.html  // write an HTML report
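When more than one site has to be scanned it is easier to drive the CLI from a script and merge the per-target JSON reports afterwards. The following is an added example, not code from the xray project: it builds the `xray webscan` command shown above for each line of a targets file (crawl mode or single-URL mode), collects the JSON reports and de-duplicates findings that fire on the same address. It assumes `xray` is on PATH and that a report is a JSON array whose entries carry `plugin`, `target.url` and `detail.addr` keys; check that against one of your own reports before relying on the summary.

```python
#!/usr/bin/env python3
"""Batch driver for xray active scans: one `xray webscan` run per target, one JSON report
per target, then a merged, de-duplicated summary.  Added example, not part of xray.

Assumptions: `xray` is on PATH; a report is a JSON array of findings, each with
  "plugin": "<plugin name>", "target": {"url": ...}, "detail": {"addr": ..., ...}
(verify against a real --json-output file; the key names are taken from 1.7-era reports)."""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path


def build_scan_cmd(target: str, report: str, crawl: bool = True) -> list:
    """--basic-crawler spiders the site first; --url scans exactly one URL."""
    mode = "--basic-crawler" if crawl else "--url"
    return ["xray", "webscan", mode, target, "--json-output", report]


def finding_key(item: dict) -> tuple:
    """Identity of a finding: plugin name plus the address the payload fired on."""
    addr = item.get("detail", {}).get("addr") or item.get("target", {}).get("url", "")
    return item.get("plugin", "unknown"), addr


def merge_reports(reports: list) -> list:
    """Concatenate several report arrays and drop repeated (plugin, addr) hits, which
    happen when the crawler reaches the same page through different links."""
    seen, merged = set(), []
    for findings in reports:
        for item in findings:
            key = finding_key(item)
            if key not in seen:
                seen.add(key)
                merged.append(item)
    return merged


def count_by_plugin(findings: list) -> dict:
    """How many distinct hits each plugin produced."""
    return dict(Counter(key[0] for key in map(finding_key, findings)))


def scan_all(targets_file: str, out_dir: str = "reports") -> list:
    """Run xray once per non-empty line of targets_file and return the merged findings."""
    Path(out_dir).mkdir(exist_ok=True)
    reports = []
    targets = (line.strip() for line in Path(targets_file).read_text().splitlines())
    for i, target in enumerate(t for t in targets if t):
        report = str(Path(out_dir) / f"report_{i}.json")
        subprocess.run(build_scan_cmd(target, report), check=False)
        if Path(report).exists():  # skip targets for which no report file was produced
            reports.append(json.loads(Path(report).read_text(encoding="utf-8")))
    return merge_reports(reports)


if __name__ == "__main__":
    findings = scan_all(sys.argv[1] if len(sys.argv) > 1 else "targets.txt")
    for plugin, n in sorted(count_by_plugin(findings).items()):
        print(f"{n:4d}  {plugin}")
```

Run it as `python3 batch_scan.py targets.txt`; the per-target reports stay in `reports/` so individual findings (payload, request snapshot) can still be inspected after the summary.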
xray + crawlergo passive scan:
- Download xray and download crawlergo.
- Put launcher.py and targets.txt in the same directory as crawlergo.exe.
- Configure and start xray in passive (listen) mode; the script defaults to 127.0.0.1:7777. If you change the port, change the `proxies` setting in launcher.py to match.
- Configure the crawlergo crawler options in the `cmd` variable of launcher.py (mainly change the chrome path to your local Chrome path); the default is:
- Write the target URLs into targets.txt, one URL per line.
- Run launcher.py with python3 (xray passive scanning must already be running).
- The generated sub_domains.txt holds the sub-domains the crawler discovered; crawl_result.txt holds the URLs it crawled.
First, start xray listening:
xray.exe webscan --listen 127.0.0.1:7777 --text-output proxy.txt
Then edit launcher.py as described above and run the Python crawler script.
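The steps above amount to a small script. The following is an added example of what such a launcher.py can look like; it is not the launcher.py shipped in the crawlergo repository (which replays requests through a `proxies` setting), but it does the same job: read targets.txt, run crawlergo with `--push-to-proxy` pointed at the xray listener so every crawled request is forwarded to xray, parse crawlergo's JSON result, and write crawl_result.txt and sub_domains.txt. The binary path, Chrome path, proxy address and crawlergo flags are assumptions for a Windows setup and must be adjusted; the `--[Mission Complete]--` marker and the `req_list` / `sub_domain_list` fields are the format crawlergo prints in `--output-mode json`.

```python
#!/usr/bin/env python3
"""Minimal launcher.py equivalent: crawl each target with crawlergo, push every request to a
running xray passive listener, and record what was found.
Added example, not the crawlergo project's own launcher.py."""
import json
import subprocess
import sys
from pathlib import Path

# Assumptions: adjust these to your environment.
CRAWLERGO = "./crawlergo.exe"                                        # crawlergo binary, same directory
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"    # local Chrome path
XRAY_PROXY = "http://127.0.0.1:7777"                                  # must match `xray webscan --listen`
MARKER = "--[Mission Complete]--"  # crawlergo prints this line before its JSON result in json mode


def build_cmd(target: str) -> list:
    """crawlergo command; --push-to-proxy makes crawlergo send each crawled request to xray."""
    return [
        CRAWLERGO, "-c", CHROME, "-t", "20", "-f", "smart", "--fuzz-path",
        "--output-mode", "json", "--push-to-proxy", XRAY_PROXY, "--push-pool-max", "10",
        target,
    ]


def parse_crawlergo_output(stdout: str):
    """Separate crawlergo's console log from the JSON result that follows MARKER.
    Returns (request_urls, sub_domains).  Raises ValueError when the marker is missing
    (e.g. Chrome failed to start) so a broken run is not recorded as 'no URLs found'."""
    if MARKER not in stdout:
        raise ValueError("crawlergo did not finish: result marker not found in output")
    result = json.loads(stdout.split(MARKER, 1)[1])
    urls = []
    for req in result.get("req_list", []):
        url = req.get("url")
        if url and url not in urls:  # keep crawl order, drop duplicate URLs
            urls.append(url)
    return urls, list(result.get("sub_domain_list", []))


def run_target(target: str):
    proc = subprocess.run(build_cmd(target), capture_output=True, text=True)
    return parse_crawlergo_output(proc.stdout)


def main(targets_file: str = "targets.txt") -> None:
    targets = [t.strip() for t in Path(targets_file).read_text().splitlines() if t.strip()]
    all_urls, all_subs = [], set()
    for target in targets:
        try:
            urls, subs = run_target(target)
        except ValueError as err:
            print(f"[!] {target}: {err}", file=sys.stderr)
            continue
        all_urls.extend(urls)
        all_subs.update(subs)
        print(f"[+] {target}: {len(urls)} requests pushed to xray, {len(subs)} sub-domains")
    Path("crawl_result.txt").write_text("\n".join(all_urls) + "\n", encoding="utf-8")
    Path("sub_domains.txt").write_text("\n".join(sorted(all_subs)) + "\n", encoding="utf-8")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "targets.txt")
```

Start xray first (`xray webscan --listen 127.0.0.1:7777 ...`), then run `python3 launcher.py targets.txt`. Because crawlergo itself pushes the requests to the proxy, xray starts scanning while the crawl is still running; the two output files are only a record of what was crawled.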
xray + BurpSuite scan
First start xray listening:
PS C:\Users\Bai> xray ws --listen 127.0.0.1:7777 --html-output report.html
Version: 1.7.1/f725e41e/COMMUNITY
[INFO] 2021-06-02 10:19:53 [default:entry.go:198] Loading config file from config.yaml
[WARN] 2021-06-02 10:19:53 [default:webscan.go:222] disable these plugins as that's not an advanced version, [shiro struts thinkphp fastjson]
Enabled plugins: [xss brute-force dirscan ssrf sqldet upload crlf-injection path-traversal redirect baseline xxe phantasm cmd-injection jsonp]
[INFO] 2021-06-02 10:19:54 [phantasm:phantasm.go:170] 252 pocs have been loaded (debug level will show more details)
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
poc-yaml-dlink-cve-2019-16920-rce
poc-yaml-jenkins-cve-2018-1000600
poc-yaml-jira-cve-2019-11581
poc-yaml-jira-ssrf-cve-2019-8451
poc-yaml-mongo-express-cve-2019-10758
poc-yaml-pandorafms-cve-2019-20224-rce
poc-yaml-ruijie-eg-rce
poc-yaml-saltstack-cve-2020-16846
poc-yaml-solr-cve-2017-12629-xxe
poc-yaml-supervisord-cve-2017-11610
poc-yaml-weblogic-cve-2017-10271
ssrf/ssrf/default
xxe/xxe/blind
[INFO] 2021-06-02 10:19:56 [collector:mitm.go:214] loading cert from D:\Program Files\Xray\xray\ca.crt and D:\Program Files\Xray\xray\ca.key
[INFO] 2021-06-02 10:19:56 [collector:mitm.go:269] starting mitm server at 127.0.0.1:7777
In BurpSuite go to User options => Upstream Proxy Servers => Add (Settings => Network => Connections in newer versions) and add an upstream proxy: Destination host `*`, Proxy host 127.0.0.1, Proxy port 7777 (the address xray is listening on).
Point the browser at Burp's own proxy listener (the browser's proxy port must match Burp's listener, 127.0.0.1:8080 by default); traffic then flows browser => Burp => xray => target.
Then simply browse the site: xray scans every request that passes through it. Note that xray replays those requests with attack payloads, so browse only hosts you are authorised to test, or restrict the scanned hosts with `hostname_allowed` under `mitm.restriction` in config.yaml.
Xray + Rad scan
First start xray listening:
PS C:\Users\Bai> xray ws --listen 127.0.0.1:7777 --html-output report.html
(startup output identical to the BurpSuite section above: same version, plugin list, reverse-server warning and mitm server on 127.0.0.1:7777)
Then crawl the site with rad, passing the xray listener as its HTTP proxy so every request rad makes is scanned:
PS C:\Users\Bai> rad -t http://www.qq.com -http-proxy 127.0.0.1:7777
[Rad 0.4/ebbb3ce3]
Build: [2021-04-30] [linux/amd64] [RELEASE/__unknown__]
Compiler Version: go version go1.15.6 linux/amd64
[INFO] 2021-06-02 10:54:26 [rad:radium.go:212] use chrome at:C:\Program Files\Google\Chrome\Application\chrome.exe
GET http://www.qq.com/
GET https://www.qq.com/
GET https://imgcache.qq.com/qzone/biz/comm/js/qbs.js
GET https://imgcache.qq.com/qzone/biz/comm/js/
GET https://imgcache.qq.com/qzone/biz/comm/
GET https://imgcache.qq.com/qzone/biz/
GET https://imgcache.qq.com/qzone/
GET https://imgcache.qq.com/
GET https://qzone.qq.com/
GET https://h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/fcg-bin/fcg_zone_info
GET https://h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/fcg-bin/
GET https://h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/
GET https://h5.qzone.qq.com/proxy/domain/
GET https://h5.qzone.qq.com/proxy/
When the crawl finishes, open report.html to view the findings.