DavidJara1998/VulnHunter

GitHub: DavidJara1998/VulnHunter

A Python web vulnerability scanner with an integrated crawler: it discovers parameters automatically and tests them for SQL injection, XSS, LFI, command injection and open redirects.

Stars: 0 | Forks: 0

# VulnHunter — Deep Web Vulnerability Scanner

```
__   __     _       _   _             _            
\ \ / /    | |     | | | |           | |            
 \ V /___  | |_ __ | |_| |_   _ _ __ | |_ ___ _ __ 
  > </ _ \ | | '_ \|  _  | | | | '_ \| __/ _ \ '__|
 / . \ (_) || | | | | | | | |_| | | | | || __/ |   
/_/ \_\___/|_|_| |_\_| |_/\__,_|_| |_|\__\___|_|   

        Deep Web Vulnerability Scanner v1.0
```

## What makes it different

Most scanners require you to supply the parameters to test by hand. VulnHunter **crawls the target first**, discovering every page and form automatically, and then tests every parameter it finds.

You only provide a domain; it does the rest.

## Detected vulnerabilities

| Type | Technique | Severity |
|------|-----------|----------|
| SQL Injection (error-based) | Error signatures in the response | CRITICAL |
| SQL Injection (time-based blind) | SLEEP() delay detection | CRITICAL |
| XSS (reflected) | Payload echoed in the response | HIGH |
| Local File Inclusion (LFI) | Path traversal + file signatures | CRITICAL |
| Command Injection | OS command output in the response | CRITICAL |
| Open Redirect | Location header hijacking | MEDIUM |

Both **GET parameters** and **POST forms** are tested.

## Installation

```
git clone https://github.com/DavidJara1998/VulnHunter.git
cd VulnHunter
pip install -r requirements.txt
```

**Requirements:** Python 3.8+

## Usage

```
# Full scan: crawl + test everything
python vulnhunter.py http://target.com

# Export an HTML report
python vulnhunter.py http://target.com --output html

# Test a specific URL directly (skip the crawler)
python vulnhunter.py http://target.com --no-crawl --extra-url "http://target.com/page.php?id=1"

# Export both HTML and JSON
python vulnhunter.py http://target.com --output both

# Custom timeout (useful for time-based SQLi)
python vulnhunter.py http://target.com --timeout 15
```

### Flags

```
url                          Target base URL
--no-crawl                   Skip crawler
--extra-url URL              Add a specific URL with params to test
--output {html,json,both}    Export report
--timeout                    Request timeout in seconds (default: 10)
```

## Sample output

```
[*] Target: http://testphp.vulnweb.com

=== MODULE 1: CRAWLER ===
[*] Crawling: http://testphp.vulnweb.com (max 60 pages, depth 3)
[+] Crawl complete: 34 pages visited
    12 URLs with parameters found
    5 forms found

=== MODULE 2: VULNERABILITY SCANNER ===
[*] Testing 12 URLs and 5 forms...

[!] 6 vulnerability/ies found:

[CRITICAL] SQL Injection (Error-based)
  URL: http://testphp.vulnweb.com/artists.php?artist=1'
  Param: artist (GET)
  Payload: '
  Evidence: you have an error in your sql syntax

[CRITICAL] SQL Injection (Time-based Blind)
  URL: http://testphp.vulnweb.com/listproducts.php?cat=1'+AND+SLEEP(5)--
  Param: cat (GET)
  Payload: ' AND SLEEP(5)--
  Evidence: Response delayed 5.3s (expected ~5s sleep)

[CRITICAL] Local File Inclusion (LFI)
  URL: http://testphp.vulnweb.com/showimage.php?file=../../etc/passwd
  Param: file (GET)
  Payload: ../../../../../../etc/passwd
  Evidence: Signature found: root:x:

[HIGH] XSS (Reflected)
  URL: http://testphp.vulnweb.com/search.php?test=
  Param: test (GET)
  Payload:
  Evidence: Payload reflected unencoded in response

[HIGH] XSS (Reflected) — POST form
  URL: http://testphp.vulnweb.com/login.php
  Param: uname (POST)
  Payload: ">
  Evidence: Payload reflected unencoded in response

[MEDIUM] Open Redirect
  URL: http://testphp.vulnweb.com/redirect.php?url=http://evil.com
  Param: url (GET)
  Payload: http://evil.com
  Evidence: Redirect to: http://evil.com

------------------------------ SCAN SUMMARY -----------------------------------
Severity   Type                               Parameter   Method
CRITICAL   SQL Injection (Error-based)        artist      GET
CRITICAL   SQL Injection (Time-based Blind)   cat         GET
CRITICAL   Local File Inclusion (LFI)         file        GET
HIGH       XSS (Reflected)                    test        GET
HIGH       XSS (Reflected)                    uname       POST
MEDIUM     Open Redirect                      url         GET

[!] CRITICAL: 3
[!] HIGH: 2
[!] MEDIUM: 1
```

## How it works

### Crawler

- Visits the base URL and follows every link on the same domain
- Discovers GET parameters from URLs and POST forms from the HTML
- Depth limit: 3 levels | page limit: 60 pages
- Extracts form inputs, action and method automatically

### SQL Injection

- **Error-based:** injects 6 payloads into each parameter and checks the response for database error signatures (MySQL, PostgreSQL, MSSQL, Oracle, SQLite, DB2)
- **Time-based blind:** injects `' AND SLEEP(5)--` and measures the response time, which catches SQL injection that produces no visible error

### XSS (reflected)

- Tests 6 payloads, including `
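The "How it works" section and the sample output describe how VulnHunter turns a single HTTP response into a finding: an error signature, a delay close to the injected SLEEP(5), an unencoded echo of the payload, a `root:x:` file signature, or a Location header pointing at the injected host. The classifier below is an added example written for this page, not the project's code; the signature list, the `Response` shape and the `classify` function are assumptions, and it runs offline against constructed responses so that the false-positive rules (encoded echo, a delay that is really just a slow server) can be checked without any target.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical signatures modelled on the README's description (assumed, not the project's list).
SQL_ERROR_SIGNATURES = [
    r"you have an error in your sql syntax",  # MySQL
    r"unterminated quoted string",            # PostgreSQL
    r"unclosed quotation mark",               # MSSQL
    r"ora-\d{5}",                             # Oracle
    r"sqlite3?\.operationalerror",            # SQLite
]
LFI_SIGNATURE = "root:x:"   # first field of /etc/passwd, as in the sample output
SLEEP_SECONDS = 5.0         # the README's ' AND SLEEP(5)-- delay


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (no network involved)."""
    status: int
    body: str
    elapsed: float                     # seconds, as measured by the client
    headers: dict = field(default_factory=dict)


def classify(resp, payload, baseline=0.3, redirect_host=None):
    """Return (type, severity, evidence) tuples that one response would justify."""
    findings = []
    for sig in SQL_ERROR_SIGNATURES:
        m = re.search(sig, resp.body, re.IGNORECASE)
        if m:
            findings.append(("SQL Injection (Error-based)", "CRITICAL", m.group(0).lower()))
            break
    # Time-based: only the delay beyond the un-payloaded baseline counts, and it must
    # land near SLEEP(5); a generally slow page does not qualify.
    delay = resp.elapsed - baseline
    if SLEEP_SECONDS * 0.9 <= delay <= SLEEP_SECONDS * 2:
        findings.append(("SQL Injection (Time-based Blind)", "CRITICAL",
                         f"Response delayed {resp.elapsed:.1f}s"))
    # Reflected XSS: a raw echo is a finding; an HTML-escaped echo (&lt;script&gt;)
    # means the application encoded the input correctly, so it is not reported.
    if payload in resp.body:
        findings.append(("XSS (Reflected)", "HIGH", "Payload reflected unencoded in response"))
    if LFI_SIGNATURE in resp.body:
        findings.append(("Local File Inclusion (LFI)", "CRITICAL", f"Signature found: {LFI_SIGNATURE}"))
    # Open redirect: a 3xx whose Location resolves to the injected host.
    loc = resp.headers.get("Location", "")
    if redirect_host and 300 <= resp.status < 400 and urlparse(loc).hostname == redirect_host:
        findings.append(("Open Redirect", "MEDIUM", f"Redirect to: {loc}"))
    return findings
```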