|
|
|
|
📢 请务必花一点时间阅读此文档,有助于你快速熟悉Z0SCAN!
获取发布版本:下载
- 想要构建适合您环境的可执行文件?请参阅:指南
Note
国内码云:https://gitee.com/JiuZero/z0scan
git clone https://github.com/JiuZero/z0scan
cd z0scan
pip install -r requirements.txt
python3 z0.py helpgit clone https://github.com/JiuZero/z0scan
docker build -t z0scan .
docker run z0scan
# python3 z0.py help
- 请前往 Ling 的 项目主页 获取她
Warning
Ling 不包含 z0scan 核心, 需本地存在可用的 z0 可执行文件或脚本
Note
Crawlergo无头爬虫、ObserverWard+Nuclei联动 - 需要配置Crawlergo或(ObserverWard与nuclei)到环境变量中,参阅:指南
Note
HTTPS支持 - 启动z0scan被动扫描,然后在浏览器中访问 http://z0scan.ca 下载证书并信任它
被动扫描的默认配置(将浏览器流量转发到端口5920):
z0 scan -s 127.0.0.1:5920
常用推荐配置:
z0 scan -s 127.0.0.1:5920 --risk 0,1,2,3 --level 2 --disable cmdi,unauth
控制台界面
主动扫描的默认配置:
# 通过Burp/Yakit请求流量的主动化被动扫描(推荐)
z0 scan -s 127.0.0.1:5920
# 直接检测
z0 scan -u https://example.com/?id=1
# 从URL列表进行批量检测
z0 scan -f urls.txt
# 爬虫并检测
z0 scan -u https://example.com/?id=1 --crawler
# 从URL列表中依次爬虫并检测
z0 scan -f urls.txt --crawler
- 更多详细信息,请参阅:文档
| 插件名称 | 功能描述 | 风险等级 |
|---|---|---|
| cmdi | Command Execution | 3 |
| cmdi-blind | Command Execution | 3 |
| codei-asp | ASP Code Execution | 3 |
| codei-java | Java Code Injection Vulnerability Scanner (EL/SpEL/OGNL) | 3 |
| codei-php | PHP Code Execution | 3 |
| cors-passive | CORS Vulnerability (Passive Analysis) | 1 |
| crlf_1 | CRLF Vulnerability Detection | 2 |
| fileinclude | File Include | 2 |
| jndi-error | JNDI Injection Vulnerability Scanner | 3 |
| jsonp | Jsonp Sensitive Information Leak & Jacking | 1 |
| ldap-error | Error-based LDAP Injection | 2 |
| leakpwd-page-passive | Weak Password on Login Page | 2 |
| objectdese | Deserialization Parameter Analysis | 3 |
| other-captcha-bypass | Frontend Captcha Bypass Detection | 0 |
| other-fastjson-blind | fastjson-blind | 2 |
| other-json-error | other-json-error | 2 |
| other-webdav-passive | WebDAV Service Passive Detection | 0 |
| redirect | Redirect Vulnerability | 1 |
| redos | Regular Expression Denial of Service (ReDoS) Vulnerability Scanner | -1 |
| sensi-backup_1 | Backup File Detection (File-based) | 1 |
| sensi-editfile | Editor Backup File Leak Detection | 1 |
| sensi-js | JS Sensitive Information Leak (with AI Context Validation) | 0 |
| sensi-php-realpath | PHP Real Path Discovery | 0 |
| sensi-retirejs | Outdated JS Component Detection | -1 |
| sensi-sourcecode | Source Code Disclosure Detection | 1 |
| sensi-viewstate | Unencrypted VIEWSTATE Discovery | 0 |
| sqli-bool | SQL Boolean-based Blind Injection | 2 |
| sqli-dnslog | sqli-dnslog | 2 |
| sqli-error | SQL Error-based Injection | 2 |
| sqli-time | SQL Time-based Blind Injection | 2 |
| ssrf | SSRF plugin detects server-side request forgery vulnerabilities via crafted payloads. | 2 |
| ssti | SSTI Vulnerability Detection | 3 |
| ssti-angularjs | AngularJS Client-Side Template Injection Detector | 2 |
| unauth | Unauthorized Access Vulnerability | 2 |
| webpack | Webpack Source Code Leak | 1 |
| xpathi-error | Error-based XPATH Injection | 2 |
| xss | JS Semantic-based XSS Scanning | 1 |
| xxe | XXE plugin detects XML external entity injection vulnerabilities via malicious payloads. | 3 |
| xxe-blind | Blind XXE plugin detects out-of-band data exfiltration. | 3 |
| 插件名称 | 功能描述 | 风险等级 |
|---|---|---|
| dirlisting | Directory browsing vulnerability (Directory-based) | 2 |
| sensi-backup_2 | Backup File Of Each Folder (Directory-based) | 1 |
| sensi-files | Sensitive File Leak (e.g., phpinfo, .git) | 1 |
| sensi-frontpage | FrontPage configuration information discloure | 1 |
| upload-oss | Detect the vulnerability of uploading arbitrary files to OSS | 3 |
| 插件名称 | 功能描述 | 风险等级 |
|---|---|---|
| clickjacking | Clickjacking Vulnerability Scanner | -1 |
| cors-active | CORS Vulnerability (Active Detection) | 2 |
| crlf_3 | CRLF Line Injection Vulnerability (Domain-based) | 2 |
| dns-zonetransfer | DNS Zone Transfer Vulnerability | 1 |
| hosti | Host Header Injection Detection | 1 |
| idea-parse | Idea Parse | 1 |
| listing | Listing | 2 |
| oss-takeover | OSS Bucket Takeover | 3 |
| sensi-backup_3 | Backup File Detection (Domain-based) | 1 |
| sensi-baseline | Check for version leak on response | -1 |
| sensi-errorpage | Leak information in Error Page | 0 |
| smuggling | Request Smuggling Vulnerability | 3 |
| unauth-webdav-active | WebDAV authentication bypass vulnerability, | 1 |
| upload-put | PUT-based Arbitrary File Upload | 3 |
| xss-flash | Flash SWF XSS | 1 |
| xss-net | .NET XSS | 1 |
| xst | XST Vulnerability Detection | -1 |
| 插件名称 | 功能描述 |
|---|---|
| leakpwd-activemq | Weak Password on ActiveMQ |
| leakpwd-mssql | Weak Password on MSSQL Server |
| leakpwd-mysql | Weak Password on MySQL Server |
| leakpwd-postgresql | Weak Password on PostgreSQL Server |
| leakpwd-redis | Weak Password on Redis Server |
| leakpwd-smb | Weak Password on SMB Server |
| leakpwd-ssh | Weak Password on SSH Server |
| other-ftp-anonymous | FTP anonymous Login |
| rce-javarmi | Check the JavaRMI RCE |
| rce-solr | Apache Solr RCE via Velocity |
| unauth-docker | Docker Unauthorized Access |
| unauth-elastic | Elasticsearch Unauthorized Access |
| unauth-jenkins | Jenkins Unauthorized Access |
| unauth-ldaps | Ldaps Unauthorized Access |
| unauth-memcache | Memcache Unauthorized Access |
| unauth-mongodb | Mongodb Unauthorized Access |
| unauth-resis | Redis Unauthorized Access |
| unauth-rsync | Rsync Unauthorized Access |
| unauth-solr | Apache Solr Unauthorized Access |
| unauth-zookeeper | Zookeeper Unauthorized access |
- 高三在校,项目不定期维护更新QAQ
- 欢迎大师傅们向我申请协作位吖~
|
|
|
|
