Source: https://github.com/4ra1n/poc-runner (owner 4ra1n; language Go; license GPL-3.0; default branch `master`; 114 stars, 12 forks, 2 open issues and 2 tags at the 2024-09-12 sync; repository created 2024-08-26). Repository description: "Small & Fast Vulnerability Scanner Engine based on XRAY YAML Rule | an ultra-lightweight, fast vulnerability scanning engine based on XRAY YAML rules | executable is only 2 MB". Topics: poc, security, vulnerability, vulnerability-detection, vulnerability-scanner, web-security, web-vulnerability-scanner. Repository files: README.md, CHANGELOG.MD, LICENSE (no SECURITY, threat-model or audit file). Tarball: https://codeload.github.com/4ra1n/poc-runner/tar.gz/refs/heads/master

# poc-runner

[CHANGE LOG](CHANGELOG.MD)

<img alt="gitleaks badge" src="https://img.shields.io/badge/protected%20by-gitleaks-blue">

![](https://img.shields.io/github/downloads/4ra1n/poc-runner/total)
![](https://img.shields.io/github/v/release/4ra1n/poc-runner)

![](https://github.com/4ra1n/poc-runner/workflows/golang%20build/badge.svg)
![](https://github.com/4ra1n/poc-runner/workflows/golang%20check/badge.svg)
![](https://github.com/4ra1n/poc-runner/workflows/gitleaks%20check/badge.svg)
![](https://github.com/4ra1n/poc-runner/workflows/truffle%20check/badge.svg)

[Download](https://github.com/4ra1n/poc-runner/releases)

## DESC

[![asciicast](https://asciinema.org/a/675489.svg)](https://asciinema.org/a/675489)

XRAY POC RUNNER (Open Source Version)

This is an open-source executor for `XRAY` `YAML` rules (there are already many open-source implementations available).

The executable is **very small** (for example, the `windows-amd64` build is only `2 MB`).

Main features:

- Fully open source (all code is published; there are no closed-source binaries)
- No complex `yaml` configuration file is required, and the command-line flags are kept as simple as possible
- Does not use the `google/cel` library at all (expression parsing is implemented on top of `antlr`, which is lighter)
- Does not use the `net/http` library at all (a `raw http client` is implemented from scratch on `net.Dial`)

Reverse-connection (out-of-band) support for `dnslog.cn` and `projectdiscovery/interactsh` is built in and works without any configuration.

Note: this project does **not** ship any `POC` rule files (it provides only the execution engine).

`POC` repository: https://github.com/chaitin/xray/tree/master/pocs

> For personal study and research only; do not use it for illegal purposes.

## Quick Start

Basic usage: `poc-runner -r [poc].yml -t [target]`

![](img/001.png)

Add `-debug` to print every request and response

![](img/002.png)

Add `-proxy` to send traffic through a proxy

![](img/003.png)

`HTML` report page

![](img/005.png)

## Reverse connection

`dnslog.cn` is used as the reverse-connection service by default.

Use `-reverse interact.sh` to select `projectdiscovery/interactsh` instead.

![](img/006.png)

Because of network conditions, using it together with a proxy is recommended:

```shell
./poc-runner -r [poc].yml -t http://target -reverse interact.sh -proxy socks5://127.0.0.1:10808
```

## API

Get

```shell
go get github.com/4ra1n/poc-runner/api@0.1.2
```

Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/4ra1n/poc-runner/api"
)

// A minimal XRAY-style rule: one POST to /test whose expression holds
// when the target answers 404; the top-level expression just calls r0().
var poc = `name: poc-yaml-test
transport: http
set:
  rand: randomInt(200000000, 210000000)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: text/xml
      body: test
      follow_redirects: false
    expression: response.status == 404
expression: r0()`

func main() {
	ctx := context.Background()
	runner, err := api.NewPocRunner(ctx)
	if err != nil {
		fmt.Println("new runner:", err)
		return
	}
	report, err := runner.Run([]byte(poc), "https://example.com")
	if err != nil {
		fmt.Println("run:", err)
		return
	}
	fmt.Println(report)
}
```

Advanced example

```go
package main

import (
	"context"
	"fmt"
	"time"

	"github.com/4ra1n/poc-runner/api"
)

// poc is the same rule string as in the basic example above.

func main() {
	ctx := context.Background()
	// NEW ADVANCED POC RUNNER (the constructor lives in the api package,
	// like NewPocRunner above)
	runner, err := api.NewPocRunnerEx(
		ctx,                        // CONTEXT
		"socks5://127.0.0.1:10808", // SOCKS PROXY
		time.Second*10,             // TIMEOUT
		true,                       // DEBUG MODE
		"dnslog.cn",                // REVERSE CONFIG (dnslog.cn | interact.sh)
		log.DebugLevel,             // LOG LEVEL (from poc-runner's own log package)
	)
	if err != nil {
		fmt.Println("new runner:", err)
		return
	}
	// RUN POC
	report, err := runner.Run([]byte(poc), "https://example.com")
	if err != nil {
		fmt.Println("run:", err)
		return
	}
	fmt.Println(report)
}
```

## BUILD

WINDOWS: see `build.bat`

LINUX: see `.github/build.yml`

## CONTRIBUTE

Thank you for your interest in contributing to the poc-runner project

Contributions to `poc-runner` are welcome; every `PR` goes through `CODE REVIEW`.

Note: please avoid introducing third-party libraries and implement features with the standard library wherever possible; the project's goal is to stay lightweight.

## SUPPORT

type

| yaml type | golang type         | support version |
|:----------|:--------------------|:----------------|
| int       | int                 | 0.0.1           |
| string    | string              | 0.0.1           |
| bool      | bool                | 0.0.1           |
| bytes     | \[\]byte            | 0.0.1           |
| map       | map\[string\]string | 0.0.1           |
| object    | interface           | 0.0.1           |

response variables

| name                  | type   | support version |
|:----------------------|:-------|:----------------|
| response.status       | int    | 0.0.1           |
| response.headers      | map    | 0.0.1           |
| response.content_type | string | 0.0.1           |
| response.body         | bytes  | 0.0.1           |
| response.body_string  | string | 0.0.1           |

string function

| name      | args   | return | support version |
|:----------|:-------|:-------|:----------------|
| bsubmatch | bytes  | map    | 0.0.1           |
| submatch  | string | map    | 0.0.1           |
| bmatches  | string | map    | 0.0.1           |
| matches   | string | map    | 0.0.1           |
| contains  | string | bool   | 0.0.1           |
| icontains | string | bool   | 0.0.1           |

bytes function

| name      | args  | return | support version |
|:----------|:------|:-------|:----------------|
| bcontains | bytes | bool   | 0.0.1           |
| icontains | bytes | bool   | 0.0.1           |

builtin function

| name            | args           | return | support version |
|:----------------|:---------------|:-------|:----------------|
| bytes           | string         | bytes  | 0.0.1           |
| string          | any            | string | 0.0.1           |
| substr          | string,int,int | string | 0.0.1           |
| sleep           | int            | bool   | 0.0.1           |
| randomInt       | int,int        | int    | 0.0.1           |
| randomLowercase | int            | string | 0.0.1           |
| randomUppercase | int            | string | 0.0.1           |
| md5             | string         | string | 0.0.1           |
| sha1            | string         | string | 0.0.1           |
| sha256          | string         | string | 0.0.1           |
| base64          | bytes\|string  | string | 0.0.1           |
| urldecode       | bytes\|string  | string | 0.0.1           |
| get404Path      | null           | string | 0.0.1           |
| newReverse      | null           | object | 0.0.1           |
| print           | object         | bool   | 0.1.0           |

reverse variables

| name           | return | support version |
|:---------------|:-------|:----------------|
| reverse.url    | string | 0.0.1           |
| reverse.rmi    | string | 0.0.1           |
| reverse.ldap   | string | 0.0.1           |
| reverse.domain | string | 0.0.1           |

reverse function

| name | args | return | support version |
|:-----|:-----|:-------|:----------------|
| wait | int  | bool   | 0.0.1           |

## TEST

The following `POC`s have been tested successfully against real vulnerable environments

| plugin name                                    | result | remark  |
|:-----------------------------------------------|:-------|:--------|
| tomcat-cve-2017-12615-rce.yml                  | ✅      | /       |
| spring-cve-2016-4977.yml                       | ✅      | /       |
| apache-httpd-cve-2021-40438-ssrf.yml           | ✅      | /       |
| apache-httpd-cve-2021-41773-path-traversal.yml | ✅      | /       |
| apache-http-cve-2021-41773-rce.yml             | ✅      | /       |
| coldfusion-cve-2010-2861-lfi.yml               | ✅      | /       |
| confluence-cve-2021-26084.yml                  | ✅      | /       |
| activemq-cve-2016-3088.yml                     | ✅      | /       |
| couchdb-cve-2017-12635.yml                     | ✅      | /       |
| discuz-wooyun-2010-080723.yml                  | ✅      | /       |
| docker-api-unauthorized-rce.yml                | ✅      | /       |
| elasticsearch-cve-2014-3120.yml                | ✅      | /       |
| elasticsearch-cve-2015-1427.yml                | ✅      | /       |
| elasticsearch-cve-2015-5531.yml                | ✅      | /       |
| jenkins-cve-2018-1000861-rce.yml               | ✅      | /       |
| joomla-cve-2017-8917-sqli.yml                  | ✅      | /       |
| kibana-cve-2018-17246.yml                      | ✅      | /       |
| laravel-cve-2021-3129.yml                      | ✅      | /       |
| phpmyadmin-cve-2018-12613-file-inclusion.yml   | ✅      | /       |
| solr-cve-2017-12629-xxe.yml                    | ✅      | reverse |
| solr-cve-2019-0193.yml                         | ✅      | /       |
| weblogic-cve-2017-10271.yml                    | ✅      | reverse |
| weblogic-cve-2019-2725.yml                     | ✅      | /       |
| weblogic-cve-2019-2729-1.yml                   | ✅      | /       |
| weblogic-cve-2019-2729-2.yml                   | ✅      | /       |
| weblogic-cve-2020-14750.yml                    | ✅      | /       |
| weblogic-ssrf.yml                              | ✅      | /       |
| zabbix-cve-2016-10134-sqli.yml                 | ✅      | /       |

## Star

<div align="center">

<img src="https://api.star-history.com/svg?repos=4ra1n/poc-runner&type=Date" width="600" height="400" alt="Star History Chart" valign="middle">

</div>

## THANKS

Parts of the code reference: https://github.com/raylax/rayx

Thanks
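The DESC section says the engine avoids `net/http` and drives a hand-written HTTP client over `net.Dial`, and the SUPPORT section lists the `response.*` variables and string/bytes functions a rule expression can use. The following is an added example written for this page, not code from the poc-runner project: a standard-library-only raw HTTP/1.1 round trip that fills the five `response` variables, the `bcontains`/`icontains`/`submatch` helpers, and a demo that sends the README's rule `r0` (POST `/test`, `Content-Type: text/xml`, body `test`) at a throwaway local target and evaluates `response.status == 404`. The target server, the `DemoPage` body, the `Tomcat/...` pattern and all function names are constructed for the example; `net/http` is used only on that fake target side. Header names and values are rejected if they contain CR or LF, so a rule cannot smuggle extra headers into the raw request, and the body is capped when no `Content-Length` is sent. Chunked transfer encoding is not decoded here.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Response carries the five response variables from the SUPPORT section.
// Header names are lower-cased so response.headers lookups are case-insensitive.
type Response struct {
	Status      int
	Headers     map[string]string
	ContentType string
	Body        []byte
}

func (r *Response) BodyString() string { return string(r.Body) }

// BuildRequest assembles an HTTP/1.1 request by hand. Any CR/LF in the
// request line or headers is rejected to prevent header injection;
// Connection: close lets the server terminate the body for us.
func BuildRequest(method, host, path string, headers map[string]string, body string) ([]byte, error) {
	if strings.ContainsAny(method+host+path, "\r\n") {
		return nil, fmt.Errorf("request line contains CR/LF")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n", method, path, host)
	for k, v := range headers {
		if strings.ContainsAny(k+v, "\r\n") {
			return nil, fmt.Errorf("header %q contains CR/LF", k)
		}
		fmt.Fprintf(&b, "%s: %s\r\n", k, v)
	}
	fmt.Fprintf(&b, "Content-Length: %d\r\n\r\n%s", len(body), body)
	return []byte(b.String()), nil
}

// ParseResponse reads a status line, headers and body from a raw connection.
// The body honours Content-Length; otherwise it reads to EOF, capped at 1 MiB.
func ParseResponse(r io.Reader) (*Response, error) {
	br := bufio.NewReader(r)
	line, err := br.ReadString('\n')
	if err != nil {
		return nil, err
	}
	parts := strings.SplitN(strings.TrimRight(line, "\r\n"), " ", 3)
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "HTTP/") {
		return nil, fmt.Errorf("bad status line %q", line)
	}
	status, err := strconv.Atoi(parts[1])
	if err != nil {
		return nil, err
	}
	resp := &Response{Status: status, Headers: map[string]string{}}
	for {
		if line, err = br.ReadString('\n'); err != nil {
			return nil, err
		}
		if line = strings.TrimRight(line, "\r\n"); line == "" {
			break
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("bad header %q", line)
		}
		resp.Headers[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	resp.ContentType = resp.Headers["content-type"]
	if cl, ok := resp.Headers["content-length"]; ok {
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad content-length %q", cl)
		}
		resp.Body = make([]byte, n)
		_, err = io.ReadFull(br, resp.Body)
		return resp, err
	}
	resp.Body, err = io.ReadAll(io.LimitReader(br, 1<<20))
	return resp, err
}

// Do performs one request over a plain TCP connection (no net/http, no redirects).
func Do(addr, method, host, path string, headers map[string]string, body string) (*Response, error) {
	req, err := BuildRequest(method, host, path, headers, body)
	if err != nil {
		return nil, err
	}
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(10 * time.Second))
	if _, err := conn.Write(req); err != nil {
		return nil, err
	}
	return ParseResponse(conn)
}

// Expression helpers with the semantics of the SUPPORT tables.
func BContains(b, sub []byte) bool { return bytes.Contains(b, sub) }
func IContains(s, sub string) bool  { return strings.Contains(strings.ToLower(s), strings.ToLower(sub)) }

// Submatch returns the named capture groups of re matched against s (empty map if no match).
func Submatch(s, re string) (map[string]string, error) {
	rx, err := regexp.Compile(re)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	m := rx.FindStringSubmatch(s)
	for i, name := range rx.SubexpNames() {
		if m != nil && i > 0 && name != "" {
			out[name] = m[i]
		}
	}
	return out, nil
}

// DemoPage is a constructed 404 body standing in for a real target's error page.
const DemoPage = "<html><body>Apache Tomcat/9.0.1 - Error report</body></html>"

// RunDemo serves DemoPage from a throwaway local server, sends README rule r0
// over raw TCP and evaluates its expression, response.status == 404.
func RunDemo() (*Response, bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		w.WriteHeader(http.StatusNotFound)
		io.WriteString(w, DemoPage)
	}))
	defer srv.Close()
	resp, err := Do(srv.Listener.Addr().String(), "POST", "example.com", "/test",
		map[string]string{"Content-Type": "text/xml"}, "test")
	if err != nil {
		return nil, false, err
	}
	return resp, resp.Status == 404, nil
}

func main() {
	resp, hit, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ver, _ := Submatch(resp.BodyString(), `Tomcat/(?P<version>[\d.]+)`)
	fmt.Printf("status=%d content_type=%q r0()=%v version=%q\n", resp.Status, resp.ContentType, hit, ver["version"])
}
```

The CR/LF check is the part worth keeping in any hand-rolled client: the real engine takes header names and values straight from an untrusted YAML rule, and without that check a rule could append arbitrary headers or a second request to the wire.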