Vulnerability scanning cannot be performed when running xray with web basic crawler
pebalap opened this issue · comments
[INFO] 2024-01-23 14:53:31 [default:entry.go:226] Loading config file from config.yaml
Enabled plugins: [sqldet xss]
[INFO] 2024-01-23 14:53:34 [default:dispatcher.go:444] processing GET https://simpus.jombangkab.go.id
No results(vulns or subdomains) found, html report will not be generated
[] All pending requests have been scanned
[] scanned: 1, pending: 0, requestSent: 8, latency: 49.67ms, failedRatio: 0.00%
[INFO] 2024-01-23 14:53:35 [controller:dispatcher.go:573] controller released, task done
wahid@PC-Cctv:~$ ./xray_linux_amd64 ws --basic-crawler --url https://simpus.jombangkab.go.id --plugins sqldet,xss --htm
l-output airp.html
____ .___. __. ..
\ / /_ __ \ / _ \ _ | |
\ / | _ / / /\ \ / | |
/ \ | | / | \ _ |
_/\ \ || /_| / / _____/
_/ _/ _/ /
Version: 1.9.11/eb0c331d/COMMUNITY
[INFO] 2024-01-23 14:53:54 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result
[INFO] 2024-01-23 14:53:56 [basic-crawler:basic_crawler.go:138] allowed domains: [ *.]
[INFO] 2024-01-23 14:53:56 [basic-crawler:basic_crawler.go:139] disallowed domains: [google github *.gov.cn *.edu.cn chaitin *.xray.cool]
[WARN] 2024-01-23 14:53:56 [default:webscan.go:287] disable these plugins as that's not an advanced version, [shiro struts thinkphp fastjson]
Enabled plugins: [redirect xss brute-force cmd-injection path-traversal sqldet xxe xstream baseline upload jsonp dirscan ssrf phantasm crlf-injection]
[INFO] 2024-01-23 14:53:57 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
poc-go-apache-log4j2-rce
poc-go-weblogic-cve-2023-21839
poc-yaml-apache-druid-kafka-rce
poc-yaml-apache-spark-rce-cve-2022-33891
poc-yaml-dlink-cve-2019-16920-rce
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-full-read-ssrf-in-spring-cloud-netflix
poc-yaml-ghostscript-cve-2018-19475-rce
poc-yaml-gitlab-cve-2021-22214-ssrf
poc-yaml-httpd-ssrf-cve-2021-40438
poc-yaml-jenkins-cve-2018-1000600
poc-yaml-jira-cve-2019-11581
poc-yaml-jira-ssrf-cve-2019-8451
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-kibana-cve-2019-7609-rce
poc-yaml-landray-oa-datajson-rce
poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
poc-yaml-mongo-express-cve-2019-10758
poc-yaml-oracle-ebs-cve-2018-3167-ssrf
poc-yaml-pandorafms-cve-2019-20224-rce
poc-yaml-php-imap-cve-2018-19518-rce
poc-yaml-ruanhong-oa-xxe
poc-yaml-saltstack-cve-2020-16846
poc-yaml-solr-cve-2017-12629-xxe
poc-yaml-spiderflow-save-remote-command-execute
poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
poc-yaml-supervisord-cve-2017-11610
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-weblogic-cve-2017-10271
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
ssrf/ssrf/default
xstream/Arbitrary-File-Deletion/CVE-2020-26259
xstream/Arbitrary-File-Deletion/CVE-2021-21343
xstream/DoS/CVE-2021-21341
xstream/DoS/CVE-2021-21348
xstream/DoS/CVE-2021-39140
xstream/RCE(LDAP)/CVE-2021-21344
xstream/RCE(LDAP)/CVE-2021-39141
xstream/RCE(LDAP)/CVE-2021-39146
xstream/RCE/CVE-2013-7285
xstream/RCE/CVE-2020-26217
xstream/RCE/CVE-2021-21345
xstream/RCE/CVE-2021-21346
xstream/RCE/CVE-2021-21347
xstream/RCE/CVE-2021-21350
xstream/RCE/CVE-2021-21351
xstream/RCE/CVE-2021-39139
xstream/RCE/CVE-2021-39144
xstream/RCE/CVE-2021-39145
xstream/RCE/CVE-2021-39147
xstream/RCE/CVE-2021-39148
xstream/RCE/CVE-2021-39149
xstream/RCE/CVE-2021-39151
xstream/RCE/CVE-2021-39153
xstream/RCE/CVE-2021-39154
xstream/SSRF/CVE-2020-26258
xstream/SSRF/CVE-2021-21342
xstream/SSRF/CVE-2021-21349
xstream/SSRF/CVE-2021-39150
xstream/SSRF/CVE-2021-39152
xxe/xxe/blind
[INFO] 2024-01-23 14:53:57 [basic-crawler:basic_crawler.go:78] crawler stopped
[INFO] 2024-01-23 14:53:57 [controller:dispatcher.go:553] wait for reverse server finished
[INFO] 2024-01-23 14:54:00 [controller:dispatcher.go:573] controller released, task done
read the documentation, you can't use both --basic-crawler, and --url arguments same time.
just use : $./xray_linux_amd64 ws --basic-crawler https://simpus.jombangkab.go.id/ --plugins sqldet,xss --html-output airp.html