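A lightweight active and passive scanner that combines the advantages of local and distributed operation, targets broad classes of generic web vulnerabilities, and imports plugins dynamically from external sources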

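Tool introduction

A lightweight active and passive scanner that combines the advantages of local and distributed operation, targets broad classes of generic web vulnerabilities, and imports plugins dynamically from external sources.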

Tool features

Tool usage

Ling – graphical interface

z0 – command line

✔ Passive scanning

Default configuration for passive scanning (forward browser traffic to port 5920):

z0 scan -s 127.0.0.1:5920   

Recommended configuration for common use:

z0 scan -s 127.0.0.1:5920 --risk 0,1,2,3 --level 2 --disable cmdi,unauth   

Passive scanning console interface

✔ Active scanning

Default configuration for active scanning:

# Start active detection from Burp/Yakit request traffic (recommended)
z0 scan -s 127.0.0.1:5920

# Scan a single URL directly
z0 scan -u https://example.com/?id=1
# Batch scan from a list of URLs
z0 scan -f urls.txt

🔖 Plugin list

  • PerPage

| Plugin Name | Description | Risk |
|---|---|---|
| sqli-bool | SQL Boolean-based Blind Injection | 2 |
| sqli-time | SQL Time-based Blind Injection | 2 |
| sqli-error | SQL Error-based Injection | 2 |
| codei-asp | ASP Code Execution | 3 |
| codei-php | PHP Code Execution | 3 |
| cmdi | Command Execution | 3 |
| other-objectdese | Deserialization Parameter Analysis | 3 |
| sensi-js | JS Sensitive Information Leak | 0 |
| sensi-jsonp | JSONP Sensitive Information Leak | 1 |
| sensi-php-realpath | PHP Real Path Discovery | 0 |
| redirect | Redirect Vulnerability | 1 |
| sensi-webpack | Webpack Source Code Leak | 1 |
| other-webdav-passive | WebDAV Service Passive Detection | 1 |
| xpathi-error | Error-based XPATH Injection | 2 |
| trave-path | Path Traversal | 2 |
| sensi-backup_1 | Backup File Detection (File-based) | 1 |
| sensi-viewstate | Unencrypted VIEWSTATE Discovery | 0 |
| xss | JS Semantic-based XSS Scanning | 1 |
| crlf_1 | CRLF Vulnerability Detection | 2 |
| cors-passive | CORS Vulnerability (Passive Analysis) | 2 |
| unauth | Unauthorized Access Vulnerability | 2 |
| leakpwd-page-passive | Weak Password on Login Page | 2 |
| sensi-editfile | Editor Backup File Leak | 1 |
| sensi-sourcecode | Source Code Leak | 1 |
| captcha-bypass | CAPTCHA Bypass | 0 |
| sensi-retirejs | Outdated JS Component Detection | -1 |
| ssti | SSTI Vulnerability Detection | 3 |
| ssti-angularjs | AngularJS Client-Side Template Injection Detector | 2 |
| ssrf | SSRF plugin detects server-side request forgery vulnerabilities via crafted payloads. | 2 |
| xxe | XXE plugin detects XML external entity injection vulnerabilities via malicious payloads. | 3 |
| xxe-blind | Blind XXE plugin detects out-of-band data exfiltration. | 3 |
| codei-java | Java Code Injection Vulnerability Scanner (EL/SpEL/OGNL) | 3 |
| other-redos | Regular Expression Denial of Service (ReDoS) Vulnerability Scanner | -1 |
| other-jndi-error | JNDI Injection Vulnerability Scanner | 3 |
  • PerDir

| Plugin Name | Description | Risk |
|---|---|---|
| sensi-backup_2 | Backup File Scan (Directory-based) | 1 |
| trave-list_2 | Directory Listing | 2 |
| sensi-files | Sensitive File Leak (e.g., phpinfo, .git) | 1 |
| upload-oss | OSS Bucket Arbitrary File Upload | 2 |
| sensi-frontpage | FrontPage Configuration Leak | 1 |
  • PerDomain

| Plugin Name | Description | Risk |
|---|---|---|
| sensi-errorpage | Error Page Sensitive Information Leak | 0 |
| xss-net | .NET Universal XSS | 1 |
| other-dns-zonetransfer | DNS Zone Transfer Vulnerability | 1 |
| xss-flash | Flash Universal XSS | 1 |
| other-idea-parse | Idea Directory Parsing | 1 |
| other-xst | XST Vulnerability Detection | -1 |
| other-webdav-active | WebDAV Service Discovery | 1 |
| upload-put | PUT-based Arbitrary File Upload | 3 |
| sensi-backup_3 | Backup File Detection (Domain-based) | 1 |
| cors-active | CORS Vulnerability (Active Detection) | 2 |
| crlf_3 | CRLF Line Injection Vulnerability | 2 |
| other-hosti | Host Header Injection Detection | 1 |
| other-oss-takeover | OSS Bucket Takeover Vulnerability | 3 |
| sensi-iis-shortname | IIS Short Filename Vulnerability | 0 |
| other-clickjacking | Clickjacking Vulnerability | -1 |
| other-baseline | Service Version Leak | -1 |
| other-smuggling | Request Smuggling Vulnerability | 3 |
| trave-list_3 | Directory Listing | 2 |
  • PerHost

| Plugin Name | Description |
|---|---|
| leakpwd-mssql | Weak Password on MSSQL Server |
| leakpwd-mysql | Weak Password on MySQL Server |
| leakpwd-postgresql | Weak Password on PostgreSQL Server |
| leakpwd-redis | Weak Password on Redis Server |
| leakpwd-smb | Weak Password on SMB Server |
| other-ftp-anonymous | FTP Anonymous Login |
| other-solr-rce | Apache Solr RCE via Velocity |
| unauth-docker | Docker Unauthorized Access |
| unauth-jenkins | Jenkins Unauthorized Access |
| unauth-memcached | Memcached Unauthorized Access |
| unauth-mongodb | MongoDB Unauthorized Access |
| unauth-resis | Redis Unauthorized Access |
| unauth-rsync | Rsync Unauthorized Access |
| unauth-solr | Apache Solr Unauthorized Access |
| unauth-zookeeper | ZooKeeper Unauthorized Access |


Getting the tool

https://github.com/JiuZero/z0scan

Article source: 夜组安全
