itskartik001/vulnscanx_v2
GitHub: itskartik001/vulnscanx_v2
An intelligent web vulnerability scanner that integrates reconnaissance, vulnerability detection and AI analysis, with support for custom YAML templates and multiple report output formats.
Stars: 0 | Forks: 0
# ⚡ VulnScanX
```
██╗ ██╗██╗ ██╗██╗ ███╗ ██╗███████╗ ██████╗ █████╗ ███╗ ██╗██╗ ██╗
██║ ██║██║ ██║██║ ████╗ ██║██╔════╝██╔════╝██╔══██╗████╗ ██║╚██╗██╔╝
██║ ██║██║ ██║██║ ██╔██╗ ██║███████╗██║ ███████║██╔██╗ ██║ ╚███╔╝
╚██╗ ██╔╝██║ ██║██║ ██║╚██╗██║╚════██║██║ ██╔══██║██║╚██╗██║ ██╔██╗
╚████╔╝ ╚██████╔╝███████╗██║ ╚████║███████║╚██████╗██║ ██║██║ ╚████║██╔╝ ██╗
╚═══╝ ╚═════╝ ╚══════╝╚═╝ ╚═══╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝
v2.0
```
## ⚠️ Legal Disclaimer
## 🏗️ Architecture
```
vulnscanx/
│
├── core/                        # Engine layer
│   ├── engine.py                # VulnScanEngine — orchestrator, thread pool, progress
│   ├── config.py                # Payloads, settings, severity levels, constants
│   ├── models.py                # Finding + ScanResult dataclasses
│   └── template_engine.py       # YAML template parser & executor (Nuclei-inspired)
│
├── modules/
│   ├── recon/                   # Reconnaissance modules
│   │   ├── subdomain.py         # DNS brute-force + CT log mining (crt.sh)
│   │   ├── dns_lookup.py        # A/MX/NS/TXT/SOA + zone transfer + SPF/DMARC
│   │   ├── whois_lookup.py      # WHOIS + domain expiry detection
│   │   └── dir_bruteforce.py    # HTTP directory/file brute-force
│   │
│   └── vuln/                    # Vulnerability modules
│       ├── xss_scanner.py       # Reflected XSS (GET/POST) + DOM XSS sink detection
│       ├── sqli_scanner.py      # Error-based + Time-based + Boolean-based SQLi
│       ├── headers_check.py     # Security headers + TLS + info disclosure
│       ├── port_scanner.py      # TCP port scan with service fingerprinting
│       └── dir_traversal.py     # Path traversal / LFI with OS signature matching
│
├── templates/                   # YAML scanning templates (Nuclei-compatible syntax)
│   ├── xss-reflected.yaml
│   ├── sqli-error-based.yaml
│   ├── sqli-time-based.yaml
│   ├── missing-security-headers.yaml
│   └── open-redirect.yaml
│
├── ai/                          # AI/ML analysis layer
│   ├── classifier.py            # Random Forest severity classifier (scikit-learn)
│   └── explainer.py             # Human-readable vulnerability explanations
│
├── reports/                     # Report generation
│   ├── json_reporter.py         # Structured JSON output
│   ├── html_reporter.py         # Self-contained styled HTML report
│   ├── pdf_reporter.py          # PDF via WeasyPrint
│   ├── sarif_reporter.py        # SARIF 2.1 for GitHub Code Scanning
│   └── report_manager.py        # Report facade
│
├── cli/
│   └── main.py                  # argparse CLI — vulnscanx scan [opts]
│
├── web/
│   ├── app.py                   # Flask API + dashboard server
│   └── templates/
│       └── dashboard.html       # Full-featured real-time web dashboard
│
├── utils/
│   ├── logger.py                # Colorized console + JSON file logging
│   ├── rate_limiter.py          # Token bucket rate limiter
│   └── helpers.py               # URL normalization, injection, parsing
│
└── tests/                       # pytest test suite
    ├── test_models.py
    ├── test_helpers.py
    └── test_classifier.py
```
## 🚀 Installation
### Kali Linux (recommended)
```
# Clone the repository
git clone https://github.com/yourusername/vulnscanx.git
cd vulnscanx
# Create a virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Install as a CLI tool
pip install -e .
# Verify the installation
vulnscanx version
```
### Docker
```
docker build -t vulnscanx .
docker run -p 5000:5000 vulnscanx web
```
## 💻 CLI Usage
### Basic scans
```
# Full scan (all modules)
vulnscanx scan https://example.com
# Quick scan (headers + ports + xss)
vulnscanx scan https://example.com --type quick
# Reconnaissance only
vulnscanx scan https://example.com --type recon
# Vulnerability assessment only
vulnscanx scan https://example.com --type vuln
```
### Advanced options
```
# Select modules explicitly
vulnscanx scan https://example.com --modules xss,sqli,headers,ports
# Custom thread count + proxy (Burp Suite)
vulnscanx scan https://example.com --threads 20 --proxy http://127.0.0.1:8080
# All output formats
vulnscanx scan https://example.com --output html,json,pdf,sarif
# Authenticated session
vulnscanx scan https://example.com --cookie "session=abc123; auth=xyz"
vulnscanx scan https://example.com --header "Authorization: Bearer TOKEN"
# Include YAML templates
vulnscanx scan https://example.com --with-templates
# Disable AI analysis (faster)
vulnscanx scan https://example.com --no-ai
# Verbose mode
vulnscanx scan https://example.com --verbose
```
### Template management
```
# List all templates
vulnscanx templates --list
```
## 🌐 Web Dashboard
```
# Start the web server
python web/app.py
# Then open
http://localhost:5000
```
**Dashboard features:**
- Enter any target URL and choose a scan type
- Toggle individual modules on or off
- Adjust the thread count (5–50)
- Live progress bar showing the current module
- Live findings table with severity filtering
- Interactive finding cards (click to expand details)
- AI explanation panel for each finding
- Charts: severity distribution + risk score gauge
- Terminal-style scan log
- Download reports: JSON / HTML / PDF / SARIF
- Scan history with status and risk score
### REST API
```
# Start a scan
POST /api/scan
{
  "target": "https://example.com",
  "scan_type": "full",
  "modules": ["xss", "sqli", "headers"],
  "threads": 10,
  "ai_analysis": true
}
# Poll scan status
GET /api/scan/{scan_id}/status
# Fetch findings
GET /api/scan/{scan_id}/findings?severity=HIGH
# Download reports
GET /api/scan/{scan_id}/report/html → HTML report
GET /api/scan/{scan_id}/report/json → JSON data
GET /api/scan/{scan_id}/report/sarif → SARIF 2.1
GET /api/scan/{scan_id}/report/pdf → PDF
# Stop a scan
POST /api/scan/{scan_id}/stop
# List all scans
GET /api/scans
```
## 🔍 Module Reference
| Module | Type | What it detects | OWASP |
|---|---|---|---|
| `subdomain` | Recon | CT-log subdomains + DNS brute-force | A01 |
| `dns` | Recon | DNS records, zone transfer, SPF/DMARC | A02 |
| `whois` | Recon | Registration details, expiry date | A01 |
| `dirbrute` | Recon | Hidden files/directories (`.env`, `.git`, `admin`) | A01 |
| `ports` | Vuln | Open ports, service fingerprinting | A02 |
| `headers` | Vuln | Missing security headers, TLS checks | A02 |
| `xss` | Vuln | Reflected XSS (GET/POST), DOM sinks | A03 |
| `sqli` | Vuln | Error-based / time-based / boolean-based SQLi | A03 |
| `traversal` | Vuln | Path traversal / LFI | A01 |
## 📝 YAML Templates
Templates live in the `templates/` directory. To create a custom template:
```
id: my-custom-check
name: My Custom Vulnerability Check
author: YourName
severity: high
description: Detects a custom vulnerability pattern
category: Injection
cwe: CWE-78
owasp: A03:2025
cvss: 8.0
tags:
  - custom
  - injection
payloads:
  - "'; ls -la #"
  - "| cat /etc/passwd"
match:
  type: contains_any
  values:
    - "root:x:0:0"
    - "total "
remediation: |
  Sanitize all user input. Use parameterized commands.
references:
  - https://owasp.org
```
Supported match types: `contains_any`, `regex_any`, `response_time`, `response_header`
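As an added example (not the project's own `template_engine.py`), here is a small evaluator for the `match:` block of a template laid out like the one above, returning the evidence that fired so it can go straight into a finding. The meaning of each of the four match types is an assumption, since the README only names them; `Response`, `evaluate_match`, `run_template` and the sample template and responses are all constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Response:
    """Constructed stand-in for an HTTP response (not the project's own model)."""
    status: int
    headers: dict
    body: str
    elapsed: float  # seconds

def evaluate_match(match: dict, resp: Response) -> List[str]:
    """Return the evidence that fired for a template `match:` block (empty list = no match).
    Per-type semantics are assumptions; the README only names the four types."""
    mtype, values = match.get("type"), match.get("values", [])
    if mtype == "contains_any":        # any literal substring present in the body
        return [v for v in values if v in resp.body]
    if mtype == "regex_any":           # any regular expression matches the body
        return [p for p in values if re.search(p, resp.body, re.IGNORECASE)]
    if mtype == "response_time":       # latency at or above a threshold (time-based checks)
        threshold = float(match.get("min_seconds", 5))
        return [f"elapsed {resp.elapsed:.1f}s >= {threshold}s"] if resp.elapsed >= threshold else []
    if mtype == "response_header":     # any named header absent (missing-header checks)
        present = {k.lower() for k in resp.headers}
        return [h for h in values if h.lower() not in present]
    raise ValueError(f"unsupported match type: {mtype!r}")

def run_template(template: dict, resp: Response) -> Optional[dict]:
    """Turn a template plus one response into a finding dict, or None when nothing matched."""
    evidence = evaluate_match(template["match"], resp)
    if not evidence:
        return None
    return {"id": template["id"], "severity": template["severity"].upper(),
            "cwe": template.get("cwe"), "owasp": template.get("owasp"),
            "evidence": evidence, "remediation": template.get("remediation", "").strip()}

# Constructed template dict (what PyYAML would yield for a file laid out like the README's).
HEADERS_TEMPLATE = {
    "id": "missing-security-headers", "severity": "medium", "cwe": "CWE-693", "owasp": "A02:2025",
    "match": {"type": "response_header", "values": [
        "Content-Security-Policy", "Strict-Transport-Security", "X-Content-Type-Options"]},
    "remediation": "Send CSP, HSTS and X-Content-Type-Options: nosniff on every response.\n",
}

# Constructed responses: one without the headers, one with all three set (header names are case-insensitive).
WEAK = Response(200, {"Content-Type": "text/html", "Server": "nginx"}, "<html>ok</html>", 0.12)
HARDENED = Response(200, {"Content-Type": "text/html", "content-security-policy": "default-src 'self'",
                          "Strict-Transport-Security": "max-age=63072000",
                          "X-Content-Type-Options": "nosniff"}, "<html>ok</html>", 0.12)
```

`run_template(HEADERS_TEMPLATE, WEAK)` yields a MEDIUM finding listing the three absent headers, while the hardened response yields `None`.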
## 📊 Sample Output
```
======================================================
SCAN SUMMARY | Target: http://testphp.vulnweb.com
======================================================
CRITICAL : 3
HIGH : 7
MEDIUM : 12
LOW : 4
INFO : 8
------------------------------------------------------
TOTAL : 34 findings
RISK : 8.7/10
DURATION : 47.3s
======================================================
📋 Reports generated:
[JSON] reports/output/vulnscanx_testphp_20250421_143021.json
[HTML] reports/output/vulnscanx_testphp_20250421_143021.html
```
## 🤖 AI Analysis
`VulnClassifier` uses scikit-learn's RandomForestClassifier to re-assess severity:
- Feature extraction: CVSS score, category hash, parameter presence, payload type
- Falls back to rule-based heuristics when no model has been trained
- `VulnExplainer` generates structured explanations covering: what the vulnerability is, real-world impact, attacker scenario, CVSS context
## 🔬 Running Tests
```
python -m pytest tests/ -v
python -m pytest tests/ --cov=. --cov-report=html
```
## 🛡️ OWASP Top 10 2025 Coverage
| ID | Category | Modules |
|---|---|---|
| A01:2025 | Broken Access Control | `subdomain`, `dirbrute`, `traversal` |
| A02:2025 | Security Misconfiguration | `headers`, `ports`, `dns` |
| A03:2025 | Software Supply Chain Failures | Templates |
| A04:2025 | Cryptographic Failures | `headers` (TLS checks) |
| A05:2025 | Injection | `xss`, `sqli`, `traversal` |
| A07:2025 | Authentication Failures | `dirbrute` (admin panels), `headers` |
## 🤝 Contributing
1. Fork → `feature/your-feature`
2. Add a module under `modules/vuln/` or `modules/recon/`
3. Subclass `BaseModule` and implement `run() -> List[Finding]`
4. Add a YAML template under `templates/`
5. Write tests under `tests/`
6. Open a PR with a description
*Built for security professionals. Scan responsibly.*