vansh-builds/BugHunterX
GitHub: vansh-builds/BugHunterX
BugHunterX is an advanced Bash-based reconnaissance framework that automates bug bounty recon by chaining multiple tools together, removing the tedium of running each of them by hand.
Stars: 2 | Forks: 0
```
██████╗ ██╗ ██╗ ██████╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗ ██╗ ██╗
██╔══██╗██║ ██║██╔════╝ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗╚██╗██╔╝
██████╔╝██║ ██║██║ ███╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝ ╚███╔╝
██╔══██╗██║ ██║██║ ██║██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗ ██╔██╗
██████╔╝╚██████╔╝╚██████╔╝██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║██╔╝ ██╗
╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝
```
# BugHunterX v3.0
### Advanced Bug Bounty Reconnaissance Framework
License: [MIT](https://opensource.org/licenses/MIT) · Written in [Bash](https://www.gnu.org/software/bash/) · Author: [vansh-builds](https://github.com/vansh-builds)
**⚠️ For authorized bug bounty programs and penetration testing only. Unauthorized use is illegal.**
## 📌 What is BugHunterX?
BugHunterX is a Bash-based bug bounty automation framework that runs **11 sequential phases** of reconnaissance and vulnerability scanning against a single target domain. Instead of running each tool by hand, it chains them all together, feeds the output of one tool into the next, and produces a complete structured report at the end.
It is built for bug bounty hunters who want to automate the repetitive recon phases so they can concentrate on manual exploitation and report writing.
## ✨ Features
- 🔍 **Passive recon** — WHOIS, DNS, ASN, Shodan, Censys, crt.sh, Wayback, GAU
- 🌐 **Subdomain enumeration** — Subfinder, Amass, Assetfinder, PureDNS bruteforce, AlterX permutations
- 🟢 **Live host detection** — httpx fingerprinting, WAF detection, CDN detection, screenshots
- 🔌 **Port scanning** — Naabu fast scan + Nmap service/version detection
- 📂 **Endpoint discovery** — Katana, Hakrawler, GoSpider, FFUF directory/vhost/API bruteforce
- 🟨 **JavaScript analysis** — jsluice, getJS, regex secret hunting, source map detection
- 🎯 **Parameter discovery** — Arjun, x8, GF pattern classification
- 💀 **Subdomain takeover** — Subzy, Subjack, manual CNAME checks
- 🐛 **Vulnerability scanning** — XSS, SQLi, SSRF, LFI, SSTI, Open Redirect, CORS, Host Header, CRLF, JWT, GraphQL, IDOR, Prototype Pollution
- ☢️ **Nuclei CVE scanning** — Critical/High/Medium + 9 tag-based template groups
- 📊 **Automatic reporting** — complete structured text report + interactive HTML report with severity cards
## 🛠️ Tools Used
| Category | Tools |
|----------|-------|
| Subdomains | subfinder, amass, assetfinder, dnsx, puredns, alterx, shuffledns |
| Live detection | httpx, httprobe, cdncheck, wafw00f |
| Port scanning | naabu, nmap |
| Crawling | katana, gospider, hakrawler, waybackurls, gau, gauplus |
| Fuzzing | ffuf, gobuster |
| Parameters | arjun, x8, gf, qsreplace, uro |
| JavaScript | getJS, jsluice, mantra |
| Vulnerability scanning | dalfox, kxss, gxss, sqlmap, crlfuzz, corsme, ppmap, interactsh-client |
| Takeover | subzy, subjack |
| Secrets | trufflehog, gitleaks, s3scanner |
| CVE scanning | nuclei |
| OSINT | uncover, asnmap, tlsx, cvemap |
| Utilities | anew, unfurl, notify, mapcidr |
## 📋 Requirements
| Requirement | Version |
|-------------|---------|
| Operating system | Kali Linux / Ubuntu / Parrot / Termux |
| Go | 1.21+ |
| Python | 3.8+ |
| Bash | 4.0+ |
| Tools | git, curl, wget, jq, nmap, whois |
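A preflight check for the requirements table above, added here as an example written for this page (it is not part of the BugHunterX project). It confirms that the listed commands are on `PATH` and that Go, Python and Bash meet the minimum versions by parsing the banner lines that `go version`, `python3 --version` and `bash --version` print; the script name `preflight.sh` used to trigger the run is an assumption, and the banner strings quoted in the comments are constructed samples.

```sh
#!/usr/bin/env sh
# Preflight check for the BugHunterX requirements table.
# Added example, not part of the BugHunterX project. Save as preflight.sh
# and run it, or source it to reuse the functions.

# version_ge A B: exit 0 when dotted version A >= B (missing components count as 0)
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# parse_version TOOL LINE: pull the dotted version out of a tool's banner line, e.g.
#   go      "go version go1.21.5 linux/amd64"            -> 1.21.5   (constructed sample)
#   python3 "Python 3.11.2"                              -> 3.11.2   (constructed sample)
#   bash    "GNU bash, version 5.2.15(1)-release (...)"  -> 5.2.15   (constructed sample)
parse_version() {
  case "$1" in
    go)      printf '%s\n' "$2" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p' ;;
    python3) printf '%s\n' "$2" | awk '{ print $2 }' ;;
    bash)    printf '%s\n' "$2" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' ;;
    *)       return 1 ;;
  esac
}

# missing_commands NAME...: print each name that is not on PATH, one per line
missing_commands() {
  for c in "$@"; do
    command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
  done
}

# check_requirements: run the real checks; exit status 0 only when everything passes
check_requirements() {
  rc=0
  missing=$(missing_commands git curl wget jq nmap whois go python3 bash)
  if [ -n "$missing" ]; then
    printf 'missing commands:\n%s\n' "$missing" >&2
    rc=1
  fi
  # TOOL MINIMUM BANNER-COMMAND, one per line (minimums from the requirements table)
  while read -r tool min cmd; do
    command -v "$tool" >/dev/null 2>&1 || continue   # already reported as missing
    banner=$(sh -c "$cmd" 2>&1 | head -n 1)
    have=$(parse_version "$tool" "$banner")
    if [ -z "$have" ] || ! version_ge "$have" "$min"; then
      printf '%s: need %s+, found "%s"\n' "$tool" "$min" "${have:-unknown}" >&2
      rc=1
    fi
  done <<EOF
go 1.21 go version
python3 3.8 python3 --version
bash 4.0 bash --version
EOF
  return $rc
}

# Run the checks only when executed directly as preflight.sh, not when sourced
case "${0##*/}" in
  preflight.sh) check_requirements && echo "all requirements met" ;;
esac
```

Run it before step 4 of the installation so that a missing or outdated Go or Python shows up before the tool installer starts pulling 40+ packages.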
## 🚀 Installation
### Kali Linux / Ubuntu / Parrot
```
# Step 1 — Install system dependencies
sudo apt update && sudo apt install -y git golang-go python3 python3-pip curl wget jq nmap whois dnsutils bc
# Step 2 — Clone the repository
git clone https://github.com/vansh-builds/bughunterx.git
cd bughunterx
# Step 3 — Make the script executable
chmod +x bughunterx.sh
# Step 4 — Install all tools (one-time)
./bughunterx.sh
# When the menu appears → type 6 → press Enter
# This installs 40+ Go tools, Python tools, wordlists and nuclei templates
# The first run takes 10-20 minutes
```
### Termux (Android)
```
# Step 1 — Install system dependencies
pkg update && pkg install -y git golang python curl wget jq nmap whois dnsutils bc
# Step 2 — Clone the repository
git clone https://github.com/vansh-builds/bughunterx.git
cd bughunterx
# Step 3 — Make the script executable
chmod +x bughunterx.sh
# Step 4 — Install all tools
./bughunterx.sh
# When the menu appears → type 6 → press Enter
```
### One-line install (Kali)
```
sudo apt update && sudo apt install -y git golang-go python3 python3-pip curl wget jq nmap whois && git clone https://github.com/vansh-builds/bughunterx.git && cd bughunterx && chmod +x bughunterx.sh && ./bughunterx.sh
```
## 📖 Usage
```
cd bughunterx
./bughunterx.sh
```
You will see this menu:
```
[1] Full Scan — All 11 phases (Recommended)
[2] Quick Recon — Subdomain + Live hosts + Headers
[3] Vuln Scan Only — Recon + all vuln checks + nuclei
[4] JS Analysis Only — JavaScript secrets + endpoints
[5] Subdomain Takeover — Takeover check only
[6] Install All Tools — Install all dependencies
[7] Exit
```
### Example — Full scan
```
./bughunterx.sh
Type I_HAVE_PERMISSION to confirm authorization: I_HAVE_PERMISSION
Select Scan Mode: 1
Target domain: example.com
```
### Adding API keys (optional but recommended)
Open `bughunterx.sh` and fill in your API keys at the top for better results:
```
SECURITYTRAILS_API="your_key_here"
SHODAN_API="your_key_here"
VIRUSTOTAL_API="your_key_here"
CHAOS_API="your_key_here"
```
| API | Free tier | Get it at |
|-----|-----------|-----------|
| SecurityTrails | 50 queries/month | securitytrails.com |
| Shodan | Limited free tier | shodan.io |
| VirusTotal | 500 requests/day | virustotal.com |
| Chaos | Free for researchers | chaos.projectdiscovery.io |
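Pasting keys into `bughunterx.sh` means they end up in every copy, backup or `git diff` of the script. The loader below, an added example that is not part of BugHunterX, keeps them in a separate file instead: it refuses a key file that is readable by anyone but the owner, and it parses `NAME_API=value` lines rather than sourcing the file, so a tampered key file cannot execute commands. It assumes `bughunterx.sh` is changed to take the keys from the environment (for example `SHODAN_API="${SHODAN_API:-}"` at the top of the script); the file name `~/.bughunterx_keys` and the script name `load_keys.sh` are assumptions, and the key values in the comments are constructed.

```sh
#!/usr/bin/env sh
# Load BugHunterX API keys from a private file instead of editing bughunterx.sh.
# Added example, not part of the BugHunterX project. Assumes bughunterx.sh reads
# the keys from the environment, e.g. SHODAN_API="${SHODAN_API:-}".
#
# Key file format (constructed sample):
#   # comment lines are ignored
#   SHODAN_API="abc123"
#   CHAOS_API=xyz

# file_mode PATH: print the octal permission bits (GNU stat first, BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# load_api_keys PATH: export every NAME_API=value pair found in PATH.
# Refuses files readable by group/other and never sources the file, so a line such
# as "echo pwned" is ignored instead of executed. Sets LOADED_KEYS to the count.
load_api_keys() {
  keyfile="$1"
  LOADED_KEYS=0
  if [ ! -f "$keyfile" ]; then
    printf 'key file not found: %s\n' "$keyfile" >&2
    return 1
  fi
  mode=$(file_mode "$keyfile")
  case "$mode" in
    600|400) ;;
    *) printf 'refusing %s: mode %s, expected 600\n' "$keyfile" "$mode" >&2; return 1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                     # blank lines and comments
    esac
    name=${line%%=*}
    value=${line#*=}
    case "$name" in
      *[!A-Z0-9_]*|'') printf 'ignoring line: %s\n' "$line" >&2; continue ;;   # not a bare variable name
      *_API) ;;                                                                 # the only names we accept
      *) printf 'ignoring line: %s\n' "$line" >&2; continue ;;
    esac
    # strip one pair of surrounding double quotes, as used in the README's examples
    value=${value#\"}
    value=${value%\"}
    export "$name=$value"
    LOADED_KEYS=$((LOADED_KEYS + 1))
    printf 'loaded %s (%d chars)\n' "$name" "${#value}" >&2   # report the name, never the value
  done < "$keyfile"
  return 0
}

# Typical use (assumed file and script names):
#   chmod 600 ~/.bughunterx_keys
#   . ./load_keys.sh && load_api_keys ~/.bughunterx_keys && ./bughunterx.sh
```

The mode check is deliberately strict: a key file created with the default umask is usually `644`, and the loader stops rather than silently using keys that every local user can read.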
## 📁 Output Structure
```
~/bugbounty_results/example.com_20240519_143022/
│
├── 📄 BUGHUNTERX_REPORT.txt          ← Full text report
├── 🌐 BUGHUNTERX_REPORT.html         ← Interactive HTML report (open in browser)
│
├── findings/
│   ├── ALL_FINDINGS.txt              ← Every finding in one file
│   ├── CRITICAL.txt                  ← Critical severity only
│   ├── HIGH.txt                      ← High severity only
│   ├── MEDIUM.txt
│   └── LOW.txt / INFO.txt
│
├── subdomains/
│   ├── MASTER_SUBDOMAINS.txt         ← All unique subdomains found
│   ├── passive/                      ← Per-tool passive results
│   ├── brute/                        ← Bruteforce results
│   └── permutations/                 ← AlterX permutation results
│
├── live/http/
│   ├── live_urls.txt                 ← All live URLs
│   ├── httpx_full.json               ← Full httpx fingerprint data
│   └── status_200/301/403...         ← URLs grouped by HTTP code
│
├── ports/
│   ├── naabu/open_ports.txt          ← Open ports
│   └── nmap/nmap_detailed.txt        ← Nmap service scan
│
├── endpoints/
│   ├── ALL_URLS_DEDUPED.txt          ← All discovered URLs deduplicated
│   └── admin/admin_panels.txt        ← Admin/login panels found
│
├── js/
│   ├── files/js_list.txt             ← All JS files found
│   ├── secrets/all_secrets.txt       ← Hardcoded secrets found in JS
│   └── sourcemaps/                   ← Exposed source maps
│
└── vulnerabilities/
    ├── xss/                          ← XSS findings
    ├── sqli/                         ← SQLi findings
    ├── ssrf/                         ← SSRF findings
    ├── lfi/                          ← LFI findings
    ├── cors/                         ← CORS findings
    ├── subdomain_takeover/           ← Takeover findings
    ├── cve/                          ← Nuclei CVE findings
    └── secrets/                      ← AWS/cloud secrets
```
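A small triage helper over that tree, added here as an example (it is not part of BugHunterX): it counts the non-blank lines in each severity file under `findings/` and flags a non-empty `js/secrets/all_secrets.txt`, because a credential found there is an exposure the asset owner has to rotate, not just a line in a report. `make_sample_results` builds a constructed results directory with the README's layout so the helper can be run without a real scan; the file contents and the script name `triage.sh` are assumptions.

```sh
#!/usr/bin/env sh
# Triage summary for a BugHunterX results directory.
# Added example, not part of the BugHunterX project.

# count_lines FILE: number of non-blank lines, 0 when the file is missing
count_lines() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '[^[:space:]]' "$1" || true   # grep -c prints 0 but exits 1 when nothing matches
}

# summarize_results DIR: print one "SEVERITY count" line per severity file, then a SECRETS line
summarize_results() {
  dir="$1"
  for sev in CRITICAL HIGH MEDIUM LOW INFO; do
    printf '%s %s\n' "$sev" "$(count_lines "$dir/findings/$sev.txt")"
  done
  printf 'SECRETS %s\n' "$(count_lines "$dir/js/secrets/all_secrets.txt")"
}

# needs_rotation DIR: exit 0 when hardcoded secrets were found, i.e. the owner must rotate them
needs_rotation() {
  [ "$(count_lines "$1/js/secrets/all_secrets.txt")" -gt 0 ]
}

# make_sample_results DIR: constructed sample tree mirroring the README layout (not real tool output)
make_sample_results() {
  mkdir -p "$1/findings" "$1/js/secrets" "$1/vulnerabilities/cors"
  printf '[CRITICAL] constructed finding one\n[CRITICAL] constructed finding two\n' > "$1/findings/CRITICAL.txt"
  printf '[HIGH] constructed finding\n\n' > "$1/findings/HIGH.txt"
  : > "$1/findings/MEDIUM.txt"
  printf 'aws_access_key_id=AKIA_EXAMPLE_PLACEHOLDER\n' > "$1/js/secrets/all_secrets.txt"
}

# Demo against the constructed tree when executed directly as triage.sh
if [ "${0##*/}" = "triage.sh" ]; then
  d=$(mktemp -d)
  make_sample_results "$d/example.com_constructed"
  summarize_results "$d/example.com_constructed"
  needs_rotation "$d/example.com_constructed" && echo "ACTION: secrets found, have the owner rotate them"
  rm -rf "$d"
fi
```

Point `summarize_results` at a real results directory such as `~/bugbounty_results/example.com_20240519_143022/` to get the same summary for an actual scan.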
## 🔍 Scan Phases
| Phase | Name | What it does |
|-------|------|-------------|
| 1 | Passive recon | WHOIS, DNS records, zone transfer, SPF/DMARC, ASN, crt.sh, Shodan, Wayback, Google/GitHub dorking |
| 2 | Subdomain enumeration | Subfinder + Amass + Assetfinder passive enumeration, PureDNS bruteforce, AlterX permutations, dnsx resolution |
| 3 | Live hosts | Full httpx fingerprinting, WAF detection, CDN check, screenshots, flagging of interesting subdomains |
| 4 | Port scanning | Naabu fast scan of the top 1000 ports, Nmap -sV -sC service detection, alerts on dangerous services |
| 5 | Endpoint discovery | Katana/Hakrawler/GoSpider crawling, FFUF directory/backup/API/vhost bruteforce, sensitive file checks, admin panel discovery |
| 6 | JS analysis | JS file collection, jsluice URL/secret extraction, 15 regex secret patterns, source map detection |
| 7 | Parameter discovery | Arjun + x8 hidden parameters, all URLs sorted into vulnerability buckets with GF patterns |
| 8 | Subdomain takeover | Subzy + Subjack + manual CNAME checks against 14 cloud providers |
| 9 | Vulnerability scanning | XSS (kxss+dalfox), SQLi (sqlmap), SSRF, Open Redirect, CRLF, CORS, Host Header, LFI, SSTI, GraphQL, IDOR, JWT |
| 10 | Nuclei | Critical/High/Medium + 9 tag groups: CVE, exposure, misconfig, sqli/xss/lfi/rce, takeover, panel, GraphQL, JWT, cloud |
| 11 | Reporting | Text report + interactive HTML report with severity cards, collapsible findings and a live-host table |
## 📸 Report Preview
The HTML report contains:
- Severity dashboard (Critical/High/Medium/Low/Info counts)
- Statistics (subdomains, live hosts, endpoints, open ports)
- All findings as collapsible cards (Critical and High expanded automatically)
- Proof of concept and curl command for each finding
- Remediation advice for each vulnerability
- Live-host table with status codes and technology stack
- Manual testing checklist
## ⚙️ Configuration
| Variable | Default | Description |
|----------|---------|-------------|
| `THREADS` | 50 | Concurrent threads for httpx/ffuf |
| `RATE_LIMIT` | 150 | Requests per second |
| `INTERACTSH_SERVER` | oast.pro | OOB server for blind SSRF/XSS |
## ⚠️ Legal Disclaimer
```
This tool is for authorized bug bounty programs and penetration testing only.
The author is not responsible for any misuse or damage caused by this tool.
Always obtain written permission before testing any target.
Unauthorized use violates the Computer Fraud and Abuse Act (CFAA) and
equivalent laws in your country.
```
## 👤 Author
**vansh-builds**
- GitHub: [@vansh-builds](https://github.com/vansh-builds)
## ⭐ Support
If this tool helped you find a vulnerability, please give the repo a ⭐!