# z0scan

**Repository Path**: jiuzero/z0scan

## Basic Information

- **Project Name**: z0scan
- **Description**: Security tools for web vulnerability detection. | A lightweight active and passive scanner that combines the advantages of local and distributed operation, imports external plugins dynamically, and is dedicated to black-box discovery of web vulnerabilities.
- **Primary Language**: Python
- **License**: GPL-2.0
- **Default Branch**: main
- **Homepage**: https://jiuzero.github.io
- **GVP Project**: No

## Statistics

- **Stars**: 15
- **Forks**: 7
- **Created**: 2025-02-10
- **Last Updated**: 2026-01-02

## Categories & Tags

**Categories**: security-dev

**Tags**: python3, red-teaming, vulnerability-scanner, security-tools, vulnerability

## README

![z0scan](https://socialify.git.ci/JiuZero/z0scan/image?description=1&font=Raleway&language=1&logo=https%3A%2F%2Fraw.githubusercontent.com%2FJiuZero%2Fz0scan%2Frefs%2Fheads%2Fmain%2Fdoc%2Flogo.png&owner=1&pattern=Solid&theme=Auto)


## 😘 Acknowledgements

- 威零安全
- 蓝剑实验室
- ZAC安全
- 奉天安全
- 隼目安全
- HackTwo
- 神农Sec
- 棉花糖
- 风铃Sec
- 银遁安全
- X黑手网络
- Sec探索者
- 雪山盟
- 夜组安全
- 星落安全
- Cyber-Tools
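
---

## ✨ Core Features

🔍 Security Detection

  • Fingerprint and scan-plugin linkage - WAF sniffing and fingerprint identification guide plugin scanning
  • Unified distributed and local operation - adapts flexibly to different scanning scenarios and needs
  • Third-party integrations - ObserverWard fingerprint detection, precisely targeted Nuclei POCs
  • Highly customizable plugin system - plugins can be extended externally and imported dynamically
  • Headless crawler support - implemented through integration with Crawlergo

🌐 Deployment Architecture

  • Open source and deployment - open source and based on Python3, supports Docker deployment, release builds work out of the box
  • High performance - compiled with Nuitka, cross-language components in Rust
  • Integrability - an open API lets users integrate scanning freely
  • Fully cross-platform - supports Windows, Linux, MacOS and other systems

📊 Data Processing

  • Complex parameter parsing - supports parsing JSON, XML and pseudo-static parameters
  • Second-level parameter parsing - supports parsing the values of GET and POST parameters as new parameters, with automatic decoding
  • Data storage - data storage provided through SQLite3

💡 Intelligent Verification

  • AI-driven post-verification of sensitive information in JS - intelligently validates sensitive data found in JavaScript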

---

## 🚀 Installation

📢 Please take a moment to read this document; it will help you get familiar with Z0SCAN quickly!

### ✔ Release Version

Get a release build: [Download](https://github.com/JiuZero/z0scan/releases)

- Want to build an executable suited to your environment? See the [guide](https://jiuzero.github.io/tags/z0scan/)

### ✔ Install by Cloning

> [!Note]
> Gitee mirror for users in mainland China: https://gitee.com/JiuZero/z0scan

```bash
git clone https://github.com/JiuZero/z0scan
cd z0scan
pip install -r requirements.txt
python3 z0.py help
```

### ✔ Container Installation

```bash
git clone https://github.com/JiuZero/z0scan
# The Dockerfile is in the repository root, so build from inside the clone
cd z0scan
docker build -t z0scan .
docker run z0scan
# python3 z0.py help
```

## 📝 Usage Examples

### **Ling - Visual Interface**

![Example](doc/example3.png)

- Get Ling from its [project homepage](https://github.com/JiuZero/Ling)

> [!WARNING]
> Ling does not include the z0scan core; a working z0 executable or script must be available locally.

### **z0 - Command Line**

> [!Note]
> Crawlergo headless crawler and ObserverWard+Nuclei integration - Crawlergo, or ObserverWard together with nuclei, must be configured in your environment variables. See the [guide](https://jiuzero.github.io/tags/z0scan/)

### ✔ Passive Scanning

> [!Note]
> HTTPS support - Start z0scan in passive scanning mode, then visit http://z0scan.ca in your browser to download the certificate and trust it.

Default configuration for **passive scanning** (forward browser traffic to port 5920):

```
z0 scan -s 127.0.0.1:5920
```

![Example](doc/example0.png)

Commonly recommended configuration:

```
z0 scan -s 127.0.0.1:5920 --risk 0,1,2,3 --level 2 --disable cmdi,unauth
```

**Console interface**

![Example](doc/example4.png)

### ✔ Active Scanning

Default configuration for **active scanning**:

```
# Passive scanning driven actively by request traffic from Burp/Yakit (recommended)
z0 scan -s 127.0.0.1:5920
```

![Example](doc/example1.png)

```
# Scan a single URL directly (quoted so the shell does not treat "?" as a glob)
z0 scan -u "https://example.com/?id=1"
# Batch scan from a URL list
z0 scan -f urls.txt
# Crawl, then scan
z0 scan -u "https://example.com/?id=1" --crawler
# Crawl each URL in the list in turn, then scan
z0 scan -f urls.txt --crawler
```

![Example](doc/example2.png)

- For more details, see the [documentation](https://jiuzero.github.io/tags/z0scan/)

---

## 🔖 Plugin List

### **Page-Level Scan Plugins (PerPage)**

| Plugin Name | Description | Risk Level |
|:--------:|:--------:|:--------:|
| cmdi | Command Execution | 3 |
| cmdi-blind | Command Execution | 3 |
| codei-asp | ASP Code Execution | 3 |
| codei-java | Java Code Injection Vulnerability Scanner (EL/SpEL/OGNL) | 3 |
| codei-php | PHP Code Execution | 3 |
| cors-passive | CORS Vulnerability (Passive Analysis) | 1 |
| crlf_1 | CRLF Vulnerability Detection | 2 |
| fileinclude | File Include | 2 |
| jndi-error | JNDI Injection Vulnerability Scanner | 3 |
| jsonp | Jsonp Sensitive Information Leak & Jacking | 1 |
| ldap-error | Error-based LDAP Injection | 2 |
| leakpwd-page-passive | Weak Password on Login Page | 2 |
| objectdese | Deserialization Parameter Analysis | 3 |
| other-captcha-bypass | Frontend Captcha Bypass Detection | 0 |
| other-fastjson-blind | fastjson-blind | 2 |
| other-json-error | other-json-error | 2 |
| other-webdav-passive | WebDAV Service Passive Detection | 0 |
| redirect | Redirect Vulnerability | 1 |
| redos | Regular Expression Denial of Service (ReDoS) Vulnerability Scanner | -1 |
| sensi-backup_1 | Backup File Detection (File-based) | 1 |
| sensi-editfile | Editor Backup File Leak Detection | 1 |
| sensi-js | JS Sensitive Information Leak (with AI Context Validation) | 0 |
| sensi-php-realpath | PHP Real Path Discovery | 0 |
| sensi-retirejs | Outdated JS Component Detection | -1 |
| sensi-sourcecode | Source Code Disclosure Detection | 1 |
| sensi-viewstate | Unencrypted VIEWSTATE Discovery | 0 |
| sqli-bool | SQL Boolean-based Blind Injection | 2 |
| sqli-dnslog | sqli-dnslog | 2 |
| sqli-error | SQL Error-based Injection | 2 |
| sqli-time | SQL Time-based Blind Injection | 2 |
| ssrf | SSRF plugin detects server-side request forgery vulnerabilities via crafted payloads. | 2 |
| ssti | SSTI Vulnerability Detection | 3 |
| ssti-angularjs | AngularJS Client-Side Template Injection Detector | 2 |
| unauth | Unauthorized Access Vulnerability | 2 |
| webpack | Webpack Source Code Leak | 1 |
| xpathi-error | Error-based XPATH Injection | 2 |
| xss | JS Semantic-based XSS Scanning | 1 |
| xxe | XXE plugin detects XML external entity injection vulnerabilities via malicious payloads. | 3 |
| xxe-blind | Blind XXE plugin detects out-of-band data exfiltration. | 3 |

### **Directory-Level Scan Plugins (PerDir)**

| Plugin Name | Description | Risk Level |
|:--------:|:--------:|:--------:|
| dirlisting | Directory browsing vulnerability (Directory-based) | 2 |
| sensi-backup_2 | Backup File Of Each Folder (Directory-based) | 1 |
| sensi-files | Sensitive File Leak (e.g., phpinfo, .git) | 1 |
| sensi-frontpage | FrontPage configuration information disclosure | 1 |
| upload-oss | Detect the vulnerability of uploading arbitrary files to OSS | 3 |

### **Domain-Level Scan Plugins (PerDomain)**

| Plugin Name | Description | Risk Level |
|:--------:|:--------:|:--------:|
| clickjacking | Clickjacking Vulnerability Scanner | -1 |
| cors-active | CORS Vulnerability (Active Detection) | 2 |
| crlf_3 | CRLF Line Injection Vulnerability (Domain-based) | 2 |
| dns-zonetransfer | DNS Zone Transfer Vulnerability | 1 |
| hosti | Host Header Injection Detection | 1 |
| idea-parse | Idea Parse | 1 |
| listing | Listing | 2 |
| oss-takeover | OSS Bucket Takeover | 3 |
| sensi-backup_3 | Backup File Detection (Domain-based) | 1 |
| sensi-baseline | Check for version leak on response | -1 |
| sensi-errorpage | Leak information in Error Page | 0 |
| smuggling | Request Smuggling Vulnerability | 3 |
| unauth-webdav-active | WebDAV authentication bypass vulnerability | 1 |
| upload-put | PUT-based Arbitrary File Upload | 3 |
| xss-flash | Flash SWF XSS | 1 |
| xss-net | .NET XSS | 1 |
| xst | XST Vulnerability Detection | -1 |

### **Host-Level Scan Plugins (PerHost)**

| Plugin Name | Description |
|:--------:|:--------:|
| leakpwd-activemq | Weak Password on ActiveMQ |
| leakpwd-mssql | Weak Password on MSSQL Server |
| leakpwd-mysql | Weak Password on MySQL Server |
| leakpwd-postgresql | Weak Password on PostgreSQL Server |
| leakpwd-redis | Weak Password on Redis Server |
| leakpwd-smb | Weak Password on SMB Server |
| leakpwd-ssh | Weak Password on SSH Server |
| other-ftp-anonymous | FTP anonymous Login |
| rce-javarmi | Check the JavaRMI RCE |
| rce-solr | Apache Solr RCE via Velocity |
| unauth-docker | Docker Unauthorized Access |
| unauth-elastic | Elasticsearch Unauthorized Access |
| unauth-jenkins | Jenkins Unauthorized Access |
| unauth-ldaps | Ldaps Unauthorized Access |
| unauth-memcache | Memcache Unauthorized Access |
| unauth-mongodb | Mongodb Unauthorized Access |
| unauth-resis | Redis Unauthorized Access |
| unauth-rsync | Rsync Unauthorized Access |
| unauth-solr | Apache Solr Unauthorized Access |
| unauth-zookeeper | Zookeeper Unauthorized access |

---

## 🔀 Workflow

![Flowchart](doc/lct.png)

---

## 🔗 Contact

- I am a final-year high school student, so the project is maintained and updated irregularly QAQ
- Experienced contributors are welcome to ask me for a collaborator seat~

WeChat Official Account

  • 90Safe

WeChat

  • JiuZer1

QQ

  • 1703417187

QQ Group

  • 1058256508

---

## 🍀 Contributions

![Alt](https://repobeats.axiom.co/api/embed/9c54ad12caa9f9b34f4da6bca8090f388f3538d0.svg "Repobeats analytics image")

---

## 💖 Star History

[![Star History Chart](https://api.star-history.com/svg?repos=JiuZero/z0scan&type=Date)](https://star-history.com/#JiuZero/z0scan&Date)