Simple use of Xray scanner


Introduction to Xray

  Xray It is a powerful security assessment tool (official website address:, Xray community is a free white hat tool platform launched by Changting technology. At present, Xray vulnerability scanner and radius crawler tool are available in the community. In August 2020, the rad browser crawler was released, and the advanced version of Xray deeply integrated rad. The tools mainly involved in this paper are at the end of the document. This article mainly explains the following functions of the tool in detail:Subdomain name scanningcommonwebVulnerability detectionService Vulnerability DetectionReptile detectionSpecial detection capabilityXraylinkage

1.Download address

Xray is a single file binary file, five dependencies, and does not need to be installed. It can be used directly after downloading

Xray (scanner) tool address:

RAD TOOL address:

2.In the comparison of the official home page, you can see the main differences between the community version and the community advanced version

① Domain name scanning function ② some special vulnerability detection ③ advanced version deep integration rad

3.xraySimple architecture

Xray is mainly composed of its simple framework. On the whole, tools such as scanner are roughly composed of three parts: source processing, vulnerability detection and result output.And how to use it wellxrayIt lies in the selection and configuration of vulnerability detection function, because this part is the core function of the engine, which is used to process the standardized requests generated by the previous source processing part. Users can enable plug-ins, configure parameters of scanning plug-ins, configure HTTP related parameters, etc. With these three parts in mind when using Xray, all command-line usage looks simple.

The basic syntax consists of three main parameters:【xray Select vulnerability detection typeSource addressResult output]

4.Install CAcertificate

Advanced Xray basic use – PowerShell is recommended. It is used in Xray directory for the first time,

Use command.\xray_windows_amd64.exe genca, you can generate CA certificates and how to detect HTTPS traffic.

After Xray is started for the first time, config. Is generated in the current directory YML configuration file, which can be referenced

5.Simple parameter description

use .\xray_windows_amd64.exe –hCommand to view parameter help.

Most of them can be understood. The following four parameters are mainly used. Of course, others can be tried one by one.


Webscan, ws} used to detect web vulnerabilities, is also the core function of Xray

Servicescan, ss} is used to detect service vulnerabilities

Subdomain, sd# subdomain scanning, special commands for advanced version


–Config file load configuration file (default: “config. Yaml”)

1、 Common vulnerability detection

Webscan in Xray is the core use of the tool. In order to detect the website Web vulnerability detection module, it supports the detection of general vulnerabilities such as SQL injection, XSS, command execution and file inclusion. It can be used for the first timexray ws –hView parameters.

1.Test awvsTarget website

.\xray_windows_amd64.exe ws –url –html-output 1.html

2.Configure agent

The basic architecture in the proxy mode is that the scanner, as an intermediary, first forwards the traffic as it is, and returns the server response to the browser and other clients. Both ends of the communication think they have a direct dialogue with each other, record the traffic, and then modify the parameters and resend the request for scanning.

When the proxy mode is used for scanning, the switchyomega plug-in of Google browser is selected here. The of HTTP is configured in the plug-in, which can be used in the Xray command line mode.


.\xray_windows_amd64.exe ws –listen –html-output testphp.html



The results are the same as 1 Html is the same, but the output folder name is different.

2、 Subdomain name scanning

Note: this function is only available in advanced edition.Find subadmin in the configuration file, and the parameter allow in it_ In recursion, you can choose whether to recursively detect subdomain names in max_ recursion_ Set the recursion depth in the depth parameter. The default is allow_ If recurrence is false, you can modify the parameter value according to the actual situation. Here, is used Com.


.\xray_windows_amd64.exe sd –text-output baudusubdomain.txt



The blasting speed is very fast. I ran 487 secondary domain names in 30 seconds. Choose Ctrl + C to pause and choose a DMP at will baidu. COM, go to the browser to visit it. It does exist and will jump to 。

Modify profile parameter test

  allow_recursion: true

  max_recursion_depth: 3

Command:.\xray_windows_amd64.exe sd -t –text-output baidusub3.txt


The scanning speed is really fast. Test leads preonline baidu. COM,, proving that the page exists.


It is more practical than wydomain, subdomains brute and other tools. The advanced version of Xray is recommended for information collection.

3、 Reptile detection

.\xray_windows_amd64.exe ws –basic-crawler –html-output scan.html, the effect is average, and the effect is better when combined with rad. See for detailsXray and rad linkage

4、 Service Vulnerability Detection

The most common type of Xray is web scanning. Its detection capability will be gradually developed for service scanning. At present, there is only one tomcat-cve-2020-1938 AJP protocol to detect POC for any file. At present, the parameter configuration is relatively simple, and only two input methods are supported:

1.Fast detection of single target

  .\xray_windows_amd64.exe servicescan –target

2.Batch check test fileGoals in, one target per line, with ports (servicescan is abbreviated as SS)

  .\xray_windows_amd64.exe ss –target-file test.file

Including test The format of file is one service per line, such as

3.The output of the report only supports JSON、webhookAnd HTMLThere are three types of files, and text is not supported


4.General syntax: \xray_ windows_ amd64. exe ss –target –json-output test. json

If you want to sweep edu Cn should be removed from here.


5、 Special detection capability

The advanced version of Xray supports one click detection of high-risk historical vulnerabilities in struts, fastjson, ThinkPHP, Shiro and other frameworks. In this test, search springboot on fofa to test and demonstrate the spring framework exposed on the public network:


Select any springboot system to test and open ithttp://xxxx/login


.\xray_windows_amd64.exe ws -u http://xxx/login –html-output xxx.html

It can be found that the website has Shiro vulnerability, and the key is fcq + / xw488hmtcd + cmj3aq = =. The tool continues to test


It can be seen that Shiro vulnerability really exists.

6、 Xray linkage

1、 Xray and burp linkage

Xray and burp are linked, that is, the agent’s agent. This configuration is only effective for the HTTP agent itself and does not take effect for the requests sent by vulnerability scanning. If the configured listen when starting Xray is, upstream_ Proxy {is , the browser sets the proxy to , the overall data flow is as follows:

If you want to detect vulnerabilities that will not affect the agent’s own configuration, please refer to the following steps:

Let’s start the demonstration: first Xray establish the monitoring of webscan. The proxy port between my browser and burpsuite is 8080.

.\xray_windows_amd64.exe webscan –listen –html-output proxy.html

Use Google grammar lottery to test a website in Taiwan:

Enter burpsuite, open the user Options tab, find the upstream proxy server settings, and click Add to add the upstream proxy and scope. Destination host can use * to match multiple arbitrary strings,? Matches a single arbitrary string, andFill in the address of the upstream agentxrayListening address

Proxy intercept is off, and then use burp proxy in Google browser or FoxyProxy in Firefox browser.

When the browser suspends the burp agent of 8080, the crawler packet sent by the browser to burpsuite will be transmitted to Xray for detection.

After running for about 10 seconds, two vulnerabilities were found, one phpMyAdmin background path leak and time blind injection. The following test:

python -u “” -p ID –batch –technique B –random-agent –level 3 –risk 2 –dbs

It can be seen that phpMyAdmin and SQL injection exist, but the test is not time blind injection, but Boolean blind injection. The above figure shows the database information, TW is also China, so there is no further test, but only proves the feasibility of the tool.

2、 Linkage between Xray and rad

Xray itself can also perform crawler testing in.\xray_windows_amd64.exe ws –h, you can view help

However, Xray community has developed a better rad tool for crawlers. Rad address:

After downloading, put the two rad files in the same level directory of Xray. Rad is used this time_ config. YML default settings test

Select any TW web site

Directly use the advanced version of Xray to execute the crawler + scan command. The crawling speed is very fast, which makes people feel very secure, even if they don’t sweep out any sensitive information.

.\xray_windows_amd64.exe webscan –browser-crawler –html-output twtest.html

summary: due to the limited space, the advanced usage of Xray has not been explained in detail. Students who need further research can refer to the official Xray documents for further research( )。


Two main tools:

XrayCommunity Edition:

radTool address


Special statement:

Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article shall be borne by the user himself, and I will not bear any responsibility for this.

The author has the right to revise and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way. Do not use it illegally, for learning reference only

Recommended Today

Explanation of websocket heartbeat reconnection

Recently, websocket has been used in the development of applet. The applet provides corresponding native API, which is different from H5 API. Therefore, some mature class libraries of popular H5 are difficult to use, and the native API has some defects, so it implements a set of heartbeat reconnection mechanism by itself. First, let’s briefly […]