{"id":13936763,"url":"https://github.com/fengxuangit/Fox-scan","last_synced_at":"2025-07-19T22:31:51.975Z","repository":{"id":97375489,"uuid":"64734899","full_name":"fengxuangit/Fox-scan","owner":"fengxuangit","description":"Fox-scan is a initiative and passive SQL Injection vulnerable Test tools.","archived":false,"fork":false,"pushed_at":"2016-10-06T14:50:05.000Z","size":2274,"stargazers_count":403,"open_issues_count":0,"forks_count":240,"subscribers_count":25,"default_branch":"master","last_synced_at":"2024-08-08T23:24:26.275Z","etag":null,"topics":["mitmproxy","passive","sqlmap"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fengxuangit.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2016-08-02T07:31:26.000Z","updated_at":"2024-07-09T16:15:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"16f84d09-9aae-40de-aac0-91f9c4c81c76","html_url":"https://github.com/fengxuangit/Fox-scan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fengxuangit%2FFox-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fengxuangit%2FFox-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fengxuangit%2FFox-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fengxuangit%2FFox-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fengxuangit","download_url":"https://codeload.github.com/fengxuangit/Fox-scan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226686730,"owners_count":17666928,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mitmproxy","passive","sqlmap"],"created_at":"2024-08-07T23:02:58.362Z","updated_at":"2024-11-27T04:31:25.762Z","avatar_url":"https://github.com/fengxuangit.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"#Fox-scan\n\nFox-scan is a initiative and passive SQL Injection vulnerable Test tools.\nuse for penetration testing!\n\nFoxscan 是一个款基于SQLMAP的主动和被动资源发现的漏洞扫描工具,在设置浏览器代理后访问目标网站即可获取浏览器访问的链接,并且进行简单的爬虫获取链接,去除一些静态文件和第三方网站后，放入sqlmap中进行检测。\n\n##INSTALl\n###Environment\n```\nsqlmap\npython 2.7 \nFlask\nmultiprocessing\nmitmproxy\ntornado\nrequests\nBeautifulSoup 4.2.0\n```\n\n###Settings\n配置项目根目录下config.xml\n    \n    \u003croot\u003e\n        \u003cmysql\u003e\n        \u003chost\u003e127.0.0.1\u003c/host\u003e\n        \u003cusername\u003eroot\u003c/username\u003e\n        \u003cpassword\u003e123480\u003c/password\u003e\n        \u003cport\u003e3306\u003c/port\u003e\n        \u003cdatabase\u003efoxscan\u003c/database\u003e\n        \u003ccharset\u003eutf8\u003c/charset\u003e\n    \u003c/mysql\u003e\n    \u003csqlmap\u003e\n        http://127.0.0.1:8775 \n    \u003c/sqlmap\u003e\n    \u003ctypelist\u003e\n        \u003cwhitelist\u003e.php,.asp,.aspx,.jsp,.jspx\u003c/whitelist\u003e\n        \u003cblacklist\u003e\n          .ico,.flv,.js,.css,.jpg,.png,.jpeg,.gif,.pdf,.ss3,.txt,.rar,.zip,.avi,.mp4,.swf,.wmi,.exe,.mpeg\n         \u003c/blacklist\u003e\n    \u003c/typelist\u003e\n    \u003c/root\u003e\n\nsqlmap标签为你的sqlmap地址,typelist类型设置为黑名单和白名单设置,用于爬虫用。默认可以不用改。\n\n###DATABASE\n\n    CREATE DATABASE `foxscan` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;\n    \n    source foxscan.sql\n\n##Run\n\n 1 首先运行sqlmapapi.py\n \n  ```  \n  python sqlmapapi.py -s\n  ```\n\n 2 运行本程序WEB界面\n \n ```\n python views.py\n ```\n \n 3 打开浏览器输入控制台提示的访问地址(这里是http://127.0.0.1:8775) 在这里配置你的目标网站,sqlmap的地址,爬虫的过滤类型以及代理地址。 \n \n  1. \u003cstrong\u003e这里的Domain，即代表爬虫的时候不会获取这个根域名之外的网站链接,同一时刻只能添加一次目标\u003c/strong\u003e\n  2. \u003cstrong\u003e需要更改目标的话需要重新进入这个界面配置,但是会删除之前的所有在跑的任务\u003c/strong\u003e\n\n \n ![index1page](pics/index1.png)\n \n 4 在配置完任务信息后,可以进入到libs目录中,运行\n \n ```\n   python proxy.py 8081\n ```\n  启动本地代理服务器,然后再配置浏览器代理，即可达到被动扫描的效果\n  例如：\n  \n  ![vuln1](pics/vuln1.png)\n  \n  写了一个很简单的POST登录框。\n  控制台输出这样的字样后代表加入队列扫描\n  \n  ![vuln2](pics/vuln2.png)\n  \n  如果没有,说明是第三方网站或者访问的是静态文件资源,则不会加入到扫描队列中！\n\n\n 5 配置完成之后点击FUCK IT按钮,就会提示你成功添加一个目标,进入到任务详情页。\n 这里会显示说有在跑的任务,使用AJAX请求每3秒刷新一次。\n \n ![showtask1](pics/showtask1.png)\n \n \u003cstrong\u003e如果有成功的目标,就会显示为红色\u003c/strong\u003e\n\n ![successtask](pics/showtask2.png)\n \n 可以看到我们刚才的POST注入已经扫描完成。\n\n ![successtask2](pics/showtask3.png)\n \n 点击LOG按钮可以查看扫描日志。\n ![showlog](pics/showlog1.png)\n \n \n 6 程序会自动有一个异步非阻塞追踪线程,如果发现有成功的目标,就会把目标和payload防到`successlist` 表中\n\n\n 7 HTTPS资源获取 (2016/10/04)\n \n 这里使用libs/wyproxy.py脚本，这里是借鉴猪猪侠的代理工具简化开发了一下\u003ca href=\"https://github.com/ring04h/wyproxy\"\u003ehttps://github.com/ring04h/wyproxy\u003c/a\u003e\n \n 在此感谢猪哥的轮子\n \n 1. Mac OS X 安装配置 SSL 证书 并信任\n \n \t`$ wget https://raw.githubusercontent.com/fengxuangit/Fox-scan/master/libs/ssl/mitmproxy-ca.pem`\n \t\n 在Finder中双击运行mitmproxy-ca.pem\n\n 进入钥匙串访问工具, 选择mitmproxy的证书 \n \n ![key_manage](./pics/key_manager.png)\n\n  选择始终信任该证书, 即可生效, 便能成功捕捉所有HTTPS的流量 \n  \n ![key_trust](./pics/key_trust.png)\n \n 运行libs/wyproxy.py\n \n\t \tpython libs/wyproxy.py -p 8888\n \n ![https_cmd](./pics/https_cmd.png)\n \n 浏览器上添加公钥信任\n \n ![https_web](./pics/https1.png)\n \n 后台就会检测https的网页了\n \n ![https_scan](./pics/https_showtask.png)\n\n \n \n \n  \n##TODO \n 基本可以使用,但是还是有一些BUG。\n \n BUG:\n \n 1. AJAX刷新有时候不能正确实时展示。(fixed)\n 2. 代理功能有时候在数据库不支持长链接的情况下会报错(fixed)\n   \n 还有一些功能未能实现\n \n FEATURE:\n\n 1. 点击LOG,可以查看扫描日志 (done)\n 2. 添加PAYLOAD选项,可以查看到PAYLOAD(done)\n 3. 添加Command按钮,可以生成注入成功的sqlmap命令\n \n##CHANGELOG\n\n* \u003ca href=\"CHANGELOG.md\"\u003eCHANGELOG\u003c/a\u003e\n\n##License\n  \n \u003e + fengxuan - ***mOon Security Team***  2016/09/03\n\n  \n\n \n\n\n\n    \n    \n    \n    \n    \n    \n    \n  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffengxuangit%2FFox-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffengxuangit%2FFox-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffengxuangit%2FFox-scan/lists"}