About Xray
Xray is a powerful security assessment tool. It supports both active and passive scanning, automated testing for common web vulnerabilities and flexible POC definitions; it is feature-rich, simple to invoke, and runs on multiple operating systems.
Using the cracked Xray
The xray 1.9.3 provided by the editor is already packaged and cracked; you can use it directly.
Command reference
Command | Description |
---|---|
webscan | xray's core function, used to discover and probe web vulnerabilities |
servicescan | service scanning, used to probe service vulnerabilities |
poclint | check whether a POC conforms to the specification |
reverse | start a standalone reverse-connection (blind) platform service |
genca | quickly generate a root certificate, mainly needed when scanning HTTPS traffic through the passive proxy |
upgrade | check for a new version and upgrade automatically |
version | version information |
help | show the command list or the help for one command |
subdomain | subdomain scanning; only available in the advanced edition |
Proxy mode: the proxy can be used together with other software such as Burp Suite.
Scanning with specified plugins
# load only one specified plugin
--plugins xxe
# load multiple plugins
--plugins xss,xxe,dirscan
Scanning with specified POCs
# load only one POC, exact match
--plugins phantasm --poc poc-yaml-thinkphp5-controller-rce
# load all built-in POCs whose name contains `thinkphp`
--plugins phantasm --poc "*thinkphp*"
# load all POCs in the local `/home/test/pocs/` directory:
--plugins phantasm --poc "/home/test/pocs/*"
# load the POCs under `/home/test/pocs/` whose name contains thinkphp
--plugins phantasm --poc "/home/test/pocs/*thinkphp*"
Basic usage
- Use the basic crawler to crawl and scan the links it discovers, looking for vulnerabilities on http://example.com, and write the results to vuln.html
xray.exe webscan --basic-crawler http://example.com --html-output vuln.html
- Scan a single URL only, without the crawler
xray.exe webscan --url http://example.com/?a=b --html-output single-url.html
- Manually specify the plugins for this run. By default all built-in plugins are enabled. The commands below restrict this scan to the command-injection and SQL-injection plugins.
xray.exe webscan --plugins cmd-injection,sqldet --url http://example.com --html-output 1.html
xray.exe webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777 --html-output 1.html
What's new in Xray 1.9.4
Plugin updates
- Added an XStream scanning plugin; supported list (this plugin requires the reverse-connection platform to be enabled): CVE-2021-21344 CVE-2021-21345 CVE-2021-39141 CVE-2021-39144 ... (29 in total)
- The fastjson plugin now supports detection of CVE-2022-25845
POC writing/execution updates
- Added warning messages; you can use them to remove files created by detection plugins, etc.
- Support adding a body to GET, HEAD and OPTIONS requests
- Added a compare version function to compare matched versions
- Added HTML entity encode/decode functions
- Added a Java deserialization function
- Added hex/hexDecode functions
Optimisations
- Improved the reverse-connection platform's vulnerability capture logic, raising the hit rate
- Made poc lint more user-friendly
- YAML scripts can obtain the RMI reverse-connection platform link; see the official documentation for usage
- Improved the Struts2 detection module with reverse-connection confirmation to reduce false positives and false negatives
Fixed POCs
Rule optimisation (weak rules):
poc-yaml-drawio-cve-2022-1713-ssrf poc-yaml-h3c-cvm-upload-file-upload poc-yaml-iis-cve-2017-7269 poc-yaml-74cms-sqli-cve-2020-22209 poc-yaml-reporter-file-read poc-yaml-wanhu-ezoffice-documentedit-sqli poc-yaml-joomla-cve-2017-8917-sqli poc-yaml-iis-cve-2017-7269 poc-yaml-emerge-e3-cve-2019-7256 poc-yaml-alibaba-nacos-v1-auth-bypass poc-yaml-wanhu-ezoffice-documentedit-sqli poc-yaml-magicflow-gateway-main-xp-file-read poc-yaml-gitblit-cve-2022-31268 poc-yaml-phpstudy-nginx-wrong-resolve poc-yaml-confluence-cve-2022-26138 poc-yaml-metinfo-lfi-cnvd-2018-13393 poc-yaml-zabbix-cve-2019-17382 poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli poc-yaml-vite-cnvd-2022-44615 poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion poc-yaml-zabbix-cve-2022-23134 poc-yaml-ametys-cms-cve-2022-26159
Removed (functionality duplicated xray's generic plugins):
poc-yaml-nexusdb-cve-2020-24571-path-traversal poc-yaml-specoweb-cve-2021-32572-fileread poc-yaml-tvt-nvms-1000-file-read-cve-2019-20085 poc-yaml-zyxel-vmg1312-b10d-cve-2018-19326-path-traversal
Harmless (non-destructive) handling added:
poc-yaml-fanruan-v9-file-upload poc-yaml-h3c-cvm-upload-file-upload poc-yaml-seeyon-unauthorized-fileupload poc-yaml-thinkcmf-write-shell poc-yaml-wanhu-oa-officeserver-file-upload poc-yaml-weaver-oa-workrelate-file-upload poc-yaml-yonyou-grp-u8-file-upload poc-yaml-yonyou-nc-file-accept-upload poc-yaml-yonyou-u8c-file-upload poc-yaml-zhiyuan-oa-wpsassistservlet-file-upload
96 new POCs
poc-yaml-ruijie-fileupload-fileupload-rce poc-yaml-eweaver-oa-mecadminaction-sqlexec poc-yaml-xxl-job-default-password poc-yaml-wordpress-plugin-superstorefinder-ssf-social-action-php-sqli poc-yaml-magento-config-disclosure-info-leak poc-yaml-ukefu-cnvd-2021-18305-file-read poc-yaml-ukefu-cnvd-2021-18303-ssrf poc-yaml-eweaver-eoffice-mainselect-info-leak poc-yaml-linksys-cnvd-2014-01260 poc-yaml-wordpress-welcart-ecommerce-cve-2022-41840-path-traversal poc-yaml-jeesite-userfiles-path-traversal poc-yaml-yongyou-nc-iupdateservice-xxe poc-yaml-v-sol-olt-platform-unauth-config-download poc-yaml-ibm-websphere-portal-hcl-cve-2021-27748-ssrf poc-yaml-yonyou-nc-uapws-db-info-leak poc-yaml-yonyou-nc-service-info-leak poc-yaml-yongyou-nc-cloud-fs-sqli poc-yaml-finecms-filedownload poc-yaml-weaver-eoffice-userselect-unauth poc-yaml-fortinet-cve-2022-40684-auth-bypass poc-yaml-dapr-dashboard-cve-2022-38817-unauth poc-yaml-wordpress-zephyr-project-manager-cve-2022-2840-sqli poc-yaml-jira-cve-2022-39960-unauth poc-yaml-qnap-cve-2022-27593-fileupload poc-yaml-wordpress-all-in-one-video-gallery-cve-2022-2633-lfi poc-yaml-atlassian-bitbucket-archive-cve-2022-36804-remote-command-exec poc-yaml-wordpress-simply-schedule-appointments-cve-2022-2373-unauth poc-yaml-zoho-manageengine-opmanager-cve-2022-36923 poc-yaml-red-hat-freeipa-cve-2022-2414-xxe poc-yaml-wavlink-cve-2022-2488-rce poc-yaml-wavlink-cve-2022-34045-info-leak poc-yaml-wordpress-shareaholic-cve-2022-0594-info-leak poc-yaml-wordpress-wp-stats-manager-cve-2022-33965-sqli poc-yaml-opencart-newsletter-custom-popup-sqli poc-yaml-wordpress-events-made-easy-cve-2022-1905-sqli poc-yaml-wordpress-kivicare-cve-2022-0786-sqli poc-yaml-wordpress-cve-2022-1609-rce poc-yaml-solarview-compact-cve-2022-29303-rce poc-yaml-wordpress-arprice-lite-cve-2022-0867-sqli poc-yaml-wordpress-fusion-cve-2022-1386-ssrf poc-yaml-wordpress-nirweb-cve-2022-0781-sqli poc-yaml-wordpress-metform-cve-2022-1442-info-leak 
poc-yaml-wordpress-mapsvg-cve-2022-0592-sqli poc-yaml-wordpress-badgeos-cve-2022-0817-sqli poc-yaml-wordpress-daily-prayer-time-cve-2022-0785-sqli poc-yaml-wordpress-woo-product-table-cve-2022-1020-rce poc-yaml-wordpress-documentor-cve-2022-0773-sqli poc-yaml-wordpress-multiple-shipping-address-woocommerce-cve-2022-0783-sqli poc-yaml-gitlab-cve-2022-1162-hardcoded-password poc-yaml-thinkphp-cve-2022-25481-info-leak poc-yaml-wordpress-cve-2022-0591-ssrf poc-yaml-wordpress-simple-link-directory-cve-2022-0760-sqli poc-yaml-wordpress-ti-woocommerce-wishlist-cve-2022-0412-sqli poc-yaml-wordpress-notificationx-cve-2022-0349-sqli poc-yaml-wordpress-page-views-count-cve-2022-0434-sqli poc-yaml-wordpress-masterstudy-lms-cve-2022-0441-unauth poc-yaml-wordpress-seo-cve-2021-25118-info-leak poc-yaml-wordpress-perfect-survey-cve-2021-24762-sqli poc-yaml-wordpress-asgaros-forum-cve-2021-24827-sqli poc-yaml-tcexam-cve-2021-20114-info-leak poc-yaml-wordpress-woocommerce-cve-2021-32789-sqli poc-yaml-wordpress-profilepress-cve-2021-34621-unauth poc-yaml-wordpress-wp-statistics-cve-2021-24340-sqli poc-yaml-voipmonitor-cve-2021-30461-rce poc-yaml-rocket-chat-cve-2021-22911-nosqli poc-yaml-pega-infinity-cve-2021-27651-unauth poc-yaml-wordpress-modern-events-calendar-lite-cve-2021-24146-info-leak poc-yaml-afterlogic-webmail-cve-2021-26294-path-traversal poc-yaml-wavlink-cve-2020-13117-rce poc-yaml-prestashop-cve-2021-3110-sqli poc-yaml-cockpit-cve-2020-35847-nosqli poc-yaml-cockpit-cve-2020-35848-nosqli poc-yaml-keycloak-cve-2020-10770-ssrf poc-yaml-prestashop-cve-2020-26248-sqli poc-yaml-wordpress-paypal-pro-cve-2020-14092-sqli poc-yaml-microstrategy-cve-2020-11450-info-leak poc-yaml-adobe-experience-manager-cve-2019-8086-xxe poc-yaml-blogengine-net-cve-2019-10717-path-traversal poc-yaml-dotcms-cve-2018-17422-url-redirection poc-yaml-php-proxy-cve-2018-19458-fileread poc-yaml-circarlife-scada-cve-2018-16671-info-leak poc-yaml-circarlife-scada-cve-2018-16670-info-leak 
poc-yaml-circarlife-scada-cve-2018-16668-info-leak poc-yaml-dotnetnuke-cve-2017-0929-ssrf poc-yaml-orchid-core-vms-cve-2018-10956-path-traversal poc-yaml-circarlife-scada-cve-2018-12634-info-leak poc-yaml-nuuo-nvrmini2-cve-2018-11523-upload poc-yaml-jolokia-cve-2018-1000130-code-injection poc-yaml-fiberhome-cve-2017-15647-path-traversal poc-yaml-opendreambox-cve-2017-14135-rce poc-yaml-sap-cve-2017-12637-fileread poc-yaml-glassfish-cve-2017-1000029-lfi poc-yaml-boa-cve-2017-9833-fileread poc-yaml-mantisbt-cve-2017-7615-unauth poc-yaml-wordpress-cve-2017-5487-info-leak poc-yaml-thinkcmf-cve-2018-19898-sqli
Burp integration tips
Proxy mode: the proxy can be used together with other software such as Burp Suite.
- Generate Xray's certificate and import it into the browser
xray.exe genca
C:\Users\bai\Desktop\>xray.exe genca
Version: 1.9.3/b3165028/COMMUNITY-ADVANCED
CA certificate ca.crt and key ca.key generated
This generates the two files ca.crt and ca.key in the current directory. Import the .crt into the browser, then run the following command to start listening:
xray.exe webscan --listen 127.0.0.1:7777 --html-output test.html
Input sources
- --listen: start a passive proxy server as the input, e.g. --listen 127.0.0.1:7777
- --basic-crawler: enable a basic crawler as the input, e.g. --basic-crawler http://example.com
- --url-file: read URLs in bulk from a file
- --url: quickly test a single URL without the crawler; defaults to a GET request
- --data: specify the request data, which also turns the request into a POST
- --raw-request: load a raw HTTP request and use it for scanning, similar to sqlmap -r
Output formats
- --json-output: write the results to a JSON file; the output is structured JSON data
- --html-output: write the results as an HTML report
- --webhook-output: send the results to an address as structured JSON; you need to run your own web server to receive the vulnerability information xray sends
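Both --json-output and --webhook-output hand you structured JSON that something must consume. The following is an added example, not part of this page and not xray's own code: a minimal Python receiver that accepts the findings xray POSTs to the webhook address, normalises each one into a flat record for a tracker or log pipeline, and can also load a --json-output file. The field names it looks for (`type`, `data`, `plugin`, `target.url`, `detail.addr`) and the `web_vuln` event type are assumptions drawn from published xray output, so the normaliser tolerates missing keys and keeps the raw event.

```python
"""Receiver and normaliser for xray scan results (added example, not xray's own code)."""
from __future__ import annotations

import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Optional

# Constructed sample of what xray posts to --webhook-output: a JSON object with a
# top-level "type" and a "data" object holding the finding. The exact field names
# are an ASSUMPTION based on published xray output; the code below tolerates differences.
SAMPLE_WEBHOOK_BODY: bytes = json.dumps({
    "type": "web_vuln",
    "data": {
        "create_time": 1672531200000,
        "plugin": "sqldet",
        "target": {"url": "http://example.com/?a=b"},
        "detail": {"addr": "http://example.com/?a=b", "payload": "constructed-sample"},
    },
}).encode()


def normalise_finding(body: bytes) -> Optional[dict[str, Any]]:
    """Turn one webhook body into a flat record for a ticketing or SIEM pipeline.

    Returns None for non-vulnerability events (xray also posts progress messages,
    assumed to carry a different "type") and for bodies that are not valid JSON.
    """
    try:
        msg = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(msg, dict) or msg.get("type") != "web_vuln":
        return None
    data = msg.get("data") or {}
    target = data.get("target") or {}
    detail = data.get("detail") or {}
    return {
        "plugin": data.get("plugin", "unknown"),
        "url": target.get("url") or detail.get("addr") or "",
        "create_time": data.get("create_time"),
        "raw": data,  # keep the full event so nothing is lost if the schema differs
    }


def load_json_output(text: str) -> list[dict[str, Any]]:
    """Normalise a --json-output file, ASSUMED to be a JSON array of finding objects
    shaped like the webhook "data" object."""
    items = json.loads(text)
    records = []
    for item in items if isinstance(items, list) else []:
        rec = normalise_finding(json.dumps({"type": "web_vuln", "data": item}).encode())
        if rec is not None:
            records.append(rec)
    return records


class FindingStore:
    """Append-only store of normalised findings with a per-plugin summary."""

    def __init__(self) -> None:
        self.records: list[dict[str, Any]] = []

    def add(self, body: bytes) -> bool:
        rec = normalise_finding(body)
        if rec is None:
            return False
        self.records.append(rec)
        return True

    def count_by_plugin(self) -> dict[str, int]:
        counts: dict[str, int] = {}
        for rec in self.records:
            counts[rec["plugin"]] = counts.get(rec["plugin"], 0) + 1
        return counts

    def to_jsonl(self) -> str:
        """One JSON object per line, the shape most log shippers expect."""
        return "".join(json.dumps(r, ensure_ascii=False) + "\n" for r in self.records)


STORE = FindingStore()


class WebhookHandler(BaseHTTPRequestHandler):
    """Accepts POSTed findings; every request gets a small JSON acknowledgement."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        accepted = STORE.add(body)
        reply = json.dumps({"accepted": accepted, "total": len(STORE.records)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, fmt: str, *args: Any) -> None:
        sys.stderr.write("webhook: " + fmt % args + "\n")


def run_server(host: str = "127.0.0.1", port: int = 8000) -> None:
    """Start the receiver; point xray at it with --webhook-output http://HOST:PORT/."""
    print(f"listening on http://{host}:{port}/  (Ctrl-C to stop)")
    HTTPServer((host, port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    run_server()
```

Run the script, then start xray with `--webhook-output http://127.0.0.1:8000/` (the port is this example's default, not an xray default); `STORE.to_jsonl()` gives you newline-delimited JSON that can be shipped straight to a log pipeline, and `count_by_plugin()` is a quick per-scan summary.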
Tool source: 棉花糖安全圈
Disclaimer:
1. The source code uploaded to this site comes from platform purchases, author submissions, user recommendations and compilation from internet platforms; please delete it within 24 hours of downloading. If you need it, please purchase a genuine copy.
2. Do not use the techniques in this article for illegal testing. Any direct or indirect consequences or losses caused by spreading or using the information provided here are the sole responsibility of the user; the author accepts no liability for them.
3. If resources on this site infringe your legal rights, please point it out and the site will correct it immediately.
4. The above content is for study, reference and technical exchange only; users may not use it commercially without the consent of the relevant intellectual property rights holders.
5. Nanny-style service, 100% after-sales support!
Comments (2)
The password for the archive on Baidu Netdisk is empty
Looking for an expert to help, paid work, legal; I will reward you handsomely afterwards!