Xray POC 编写指南<\/h1>

1. YAML 基础<\/h2>
Xray POC 使用 YAML 格式编写，具有以下特点：<\/p>
大小写敏感<\/li>
使用 #<\/code> 号进行注释<\/li>
使用缩进表示层级关系（不允许使用 Tab，必须使用空格）<\/li>
<\/ul>
文件命名格式为：组件-编号-漏洞类型.yml<\/code>，例如：node-cve-2017-14849-fileread.yml<\/code><\/p>
2. POC 基本结构<\/h2>
2.1 基本信息部分<\/h3>
# 基本信息<\/span>
<\/span><\/span>name<\/span>: poc-yaml-test <\/span> # POC名称，格式为 poc-yaml-<组件名>-<漏洞编号>-<漏洞类型><\/span>
<\/span><\/span>manual<\/span>: true<\/span>         # 区分是否手工编写<\/span>
<\/span><\/span><\/code><\/pre>2.2 脚本部分<\/h3>
全局变量设置<\/h4>
set<\/span>:
<\/span><\/span>  randInt0<\/span>: randomInt(1000, 9999)    <\/span> # 生成1000-9999的随机整数<\/span>
<\/span><\/span>  randStr1<\/span>: randomLowercase(10)      <\/span> # 生成10位随机小写字母字符串<\/span>
<\/span><\/span><\/code><\/pre>通信协议<\/h4>
transport<\/span>: http <\/span> # 支持 http\/tcp\/udp<\/span>
<\/span><\/span><\/code><\/pre>3. 规则(rules)编写<\/h2>
3.1 基本规则结构<\/h3>
rules<\/span>:
<\/span><\/span>  r1<\/span>:
<\/span><\/span>    request<\/span>:
<\/span><\/span>      method<\/span>: GET   <\/span> # 请求方法<\/span>
<\/span><\/span>      path<\/span>: "\/"<\/span>      # 请求路径<\/span>
<\/span><\/span>    
<\/span><\/span>    # 判断规则是否命中<\/span>
<\/span><\/span>    expression<\/span>: |
<\/span><\/span><\/span>      <\/span>      response.status == 200 && response.body.bcontains(b"example")<\/span>
<\/span><\/span>    
<\/span><\/span>    # 从响应包获取数据<\/span>
<\/span><\/span>    output<\/span>:
<\/span><\/span>      search<\/span>: |
<\/span><\/span><\/span>        <\/span>        r'(?P<info>\|.*\|)'.bsubmatch(response.raw)'<\/span>
<\/span><\/span>      info<\/span>: search["info"]<\/span>
<\/span><\/span><\/code><\/pre>3.2 expression 表达式<\/h3>
常用匹配方式：<\/p>
response.status == 200                   <\/span> # 匹配状态码<\/span>
<\/span><\/span>"zbx_session"<\/span> in response.headers        <\/span> # 匹配Header<\/span>
<\/span><\/span>response.body.bcontains(b"verify_string")<\/span> # 匹配Body内容<\/span>
<\/span><\/span>
<\/span><\/span># 匹配MD5加密值<\/span>
<\/span><\/span>expression<\/span>: response.body.bcontains(bytes(md5(string(randNum))))<\/span>
<\/span><\/span><\/code><\/pre>3.3 搜索字符<\/h3>
search<\/span>: |
<\/span><\/span><\/span>  <\/span>  "\"verify_string\":\"(?P<token>\\w+)\""<\/span>.bsubmatch(response.body)<\/span>
<\/span><\/span><\/code><\/pre>4. 规则执行顺序<\/h2>
expression<\/span>:
<\/span><\/span>  r1()                    <\/span> # 执行单个规则<\/span>
<\/span><\/span>  r1() && r2()            <\/span> # 全部规则命中时返回true<\/span>
<\/span><\/span>  r1() || r2()            <\/span> # 任一规则命中时返回true<\/span>
<\/span><\/span>  r1() || (r2() && r3())  <\/span> # r1命中，或者r2、r3同时命中<\/span>
<\/span><\/span><\/code><\/pre>5. 高级功能<\/h2>
5.1 output 全局变量<\/h3>
注意：不同规则中的 search 变量会互相覆盖，正确做法是为每个规则使用不同的变量名：<\/p>
r0<\/span>:
<\/span><\/span>  output<\/span>:
<\/span><\/span>    r0search<\/span>: "?P<info>\\w+"<\/span>.bsubmatch(response.body) <\/span>
<\/span><\/span>    info1<\/span>: r0search["info"]<\/span>
<\/span><\/span>r1<\/span>:
<\/span><\/span>  output<\/span>:
<\/span><\/span>    r1search<\/span>: "?P<info>\\w+"<\/span>.bsubmatch(response.body) <\/span>
<\/span><\/span>    info2<\/span>: r1search["info"]<\/span>
<\/span><\/span><\/code><\/pre>5.2 跟随跳转<\/h3>
follow_redirects<\/span>: false<\/span>  # 默认true，设置为false不跟随30X跳转<\/span>
<\/span><\/span><\/code><\/pre>5.3 payload 载荷<\/h3>
payloads<\/span>:
<\/span><\/span>  payloads<\/span>:
<\/span><\/span>    ping<\/span>:
<\/span><\/span>      cmd<\/span>: r"ping test.com"<\/span>
<\/span><\/span>    curl<\/span>:
<\/span><\/span>      cmd<\/span>: r"curl test.com"<\/span>
<\/span><\/span><\/code><\/pre>5.4 反连平台<\/h3>
set<\/span>:
<\/span><\/span>  reverse<\/span>: newReverse()<\/span>
<\/span><\/span>  reverseURL<\/span>: reverse.url<\/span>
<\/span><\/span>
<\/span><\/span>rules<\/span>:
<\/span><\/span>  r1<\/span>:
<\/span><\/span>    request<\/span>:
<\/span><\/span>      method<\/span>: POST<\/span>
<\/span><\/span>      path<\/span>: "\/xxx\/{{reverseURL}}"<\/span>
<\/span><\/span>    expression<\/span>: |
<\/span><\/span><\/span>      <\/span>      reverse.wait(5) <\/span> # 等待5秒检查是否收到反连<\/span>
<\/span><\/span><\/code><\/pre>6. 调试与测试<\/h2>
6.1 Xray 调试<\/h3>
# 格式检测<\/span>
<\/span><\/span>xray poclint --script poc-yaml-xxx.yml
<\/span><\/span>
<\/span><\/span># 功能调试（通过Burp查看请求）<\/span>
<\/span><\/span>xray --log-level debug webscan --url http:\/\/example.com -p .\/poc-yaml-xxx.yml
<\/span><\/span><\/code><\/pre>6.2 Gamma 工具<\/h3>
# 语法检查<\/span>
<\/span><\/span>gamma lint --script xxx.yml
<\/span><\/span>
<\/span><\/span># 运行测试<\/span>
<\/span><\/span>gamma run --target "http:\/\/xxx.com"<\/span> --script xxx.yml
<\/span><\/span>
<\/span><\/span># 调试模式<\/span>
<\/span><\/span>GAMMA_LOG_LEVEL=<\/span>debug .\/gamma run --no-cache --target "http:\/\/xxx.com"<\/span> --script xxx.yml
<\/span><\/span>
<\/span><\/span># 搭配Burp调试<\/span>
<\/span><\/span>gamma run --target "http:\/\/xxx.com"<\/span> --script xxx.yml --http-proxy http:\/\/127.0.0.1:8080
<\/span><\/span><\/code><\/pre>7. 辅助工具<\/h2>

Xray POC 辅助编写工具<\/a><\/li>
Xray POC 生成工具<\/a><\/li>
<\/ol>
8. 完整示例<\/h2>
# 基本信息<\/span>
<\/span><\/span>name<\/span>: poc-yaml-test<\/span>
<\/span><\/span>manual<\/span>: true<\/span>
<\/span><\/span>
<\/span><\/span># 脚本部分<\/span>
<\/span><\/span>set<\/span>:
<\/span><\/span>  randInt0<\/span>: randomInt(1000, 9999)<\/span>
<\/span><\/span>  randStr1<\/span>: randomLowercase(10)<\/span>
<\/span><\/span>
<\/span><\/span>transport<\/span>: http<\/span>
<\/span><\/span>
<\/span><\/span>rules<\/span>:
<\/span><\/span>  r1<\/span>:
<\/span><\/span>    request<\/span>:
<\/span><\/span>      method<\/span>: GET<\/span>
<\/span><\/span>      path<\/span>: "\/"<\/span>
<\/span><\/span>    expression<\/span>: |
<\/span><\/span><\/span>      <\/span>      response.status == 200 && response.body.bcontains(b"example")<\/span>
<\/span><\/span>    output<\/span>:
<\/span><\/span>      search<\/span>: |
<\/span><\/span><\/span>        <\/span>        r'(?P<info>\|.*\|)'.bsubmatch(response.raw)'<\/span>
<\/span><\/span>      info<\/span>: search["info"]<\/span>
<\/span><\/span>
<\/span><\/span>expression<\/span>:
<\/span><\/span>  r1()<\/span>
<\/span><\/span>
<\/span><\/span># 信息部分<\/span>
<\/span><\/span>detail<\/span>:
<\/span><\/span>  author<\/span>: Chaitin(https:\/\/chaitin.com\/)<\/span>
<\/span><\/span>  links<\/span>:
<\/span><\/span>    - https:\/\/docs.xray.cool\/<\/span>
<\/span><\/span><\/code><\/pre>9. 参考文档<\/h2>

Xray 官方文档<\/a><\/li>
CEL 语法文档<\/a><\/li>
<\/ul>
Xray POC 编写指南<\/h1>

2.2 脚本部分<\/h3>

3. 规则(rules)编写<\/h2>

5. 高级功能<\/h2>

6. 调试与测试<\/h2>

9. 参考文档<\/h2> Xray 官方文档<\/a><\/li> CEL 语法文档<\/a><\/li> <\/ul>

9. 参考文档<\/h2>

Xray 官方文档<\/a><\/li>
CEL 语法文档<\/a><\/li> <\/ul>
