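Tool Introduction
A lightweight active and passive scanner that combines the advantages of local and distributed scanning, targets the major classes of common web vulnerabilities, and loads plugins dynamically from external sources.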

Tool Features

Tool Usage
Ling - Graphical interface

z0 - Command line
✔ Passive scanning
Default configuration for passive scanning (forward browser traffic to port 5920):
z0 scan -s 127.0.0.1:5920

Commonly recommended configuration:
z0 scan -s 127.0.0.1:5920 --risk 0,1,2,3 --level 2 --disable cmdi,unauth
Passive scanning console interface

✔ Active scanning
Default configuration for active scanning:
# Start active detection from Burp/Yakit request traffic (recommended)
z0 scan -s 127.0.0.1:5920

# Scan a URL directly
z0 scan -u https://example.com/?id=1
# Batch scan from a list of URLs
z0 scan -f urls.txt

🔖 Plugin list
- PerPage
| Plugin Name | Description | Risk |
|---|---|---|
| sqli-bool | SQL Boolean-based Blind Injection | 2 |
| sqli-time | SQL Time-based Blind Injection | 2 |
| sqli-error | SQL Error-based Injection | 2 |
| codei-asp | ASP Code Execution | 3 |
| codei-php | PHP Code Execution | 3 |
| cmdi | Command Execution | 3 |
| other-objectdese | Deserialization Parameter Analysis | 3 |
| sensi-js | JS Sensitive Information Leak | 0 |
| sensi-jsonp | JSONP Sensitive Information Leak | 1 |
| sensi-php-realpath | PHP Real Path Discovery | 0 |
| redirect | Redirect Vulnerability | 1 |
| sensi-webpack | Webpack Source Code Leak | 1 |
| other-webdav-passive | WebDAV Service Passive Detection | 1 |
| xpathi-error | Error-based XPATH Injection | 2 |
| trave-path | Path Traversal | 2 |
| sensi-backup_1 | Backup File Detection (File-based) | 1 |
| sensi-viewstate | Unencrypted VIEWSTATE Discovery | 0 |
| xss | JS Semantic-based XSS Scanning | 1 |
| crlf_1 | CRLF Vulnerability Detection | 2 |
| cors-passive | CORS Vulnerability (Passive Analysis) | 2 |
| unauth | Unauthorized Access Vulnerability | 2 |
| leakpwd-page-passive | Weak Password on Login Page | 2 |
| sensi-editfile | Editor Backup File Leak | 1 |
| sensi-sourcecode | Source Code Leak | 1 |
| captcha-bypass | CAPTCHA Bypass | 0 |
| sensi-retirejs | Outdated JS Component Detection | -1 |
| ssti | SSTI Vulnerability Detection | 3 |
| ssti-angularjs | AngularJS Client-Side Template Injection Detector | 2 |
| ssrf | SSRF plugin detects server-side request forgery vulnerabilities via crafted payloads. | 2 |
| xxe | XXE plugin detects XML external entity injection vulnerabilities via malicious payloads. | 3 |
| xxe-blind | Blind XXE plugin detects out-of-band data exfiltration. | 3 |
| codei-java | Java Code Injection Vulnerability Scanner (EL/SpEL/OGNL) | 3 |
| other-redos | Regular Expression Denial of Service (ReDoS) Vulnerability Scanner | -1 |
| other-jndi-error | JNDI Injection Vulnerability Scanner | 3 |
- PerDir
| Plugin Name | Description | Risk |
|---|---|---|
| sensi-backup_2 | Backup File Scan (Directory-based) | 1 |
| trave-list_2 | Directory Listing | 2 |
| sensi-files | Sensitive File Leak (e.g., phpinfo, .git) | 1 |
| upload-oss | OSS Bucket Arbitrary File Upload | 2 |
| sensi-frontpage | FrontPage Configuration Leak | 1 |
- PerDomain
| Plugin Name | Description | Risk |
|---|---|---|
| sensi-errorpage | Error Page Sensitive Information Leak | 0 |
| xss-net | .NET Universal XSS | 1 |
| other-dns-zonetransfer | DNS Zone Transfer Vulnerability | 1 |
| xss-flash | Flash Universal XSS | 1 |
| other-idea-parse | Idea Directory Parsing | 1 |
| other-xst | XST Vulnerability Detection | -1 |
| other-webdav-active | WebDAV Service Discovery | 1 |
| upload-put | PUT-based Arbitrary File Upload | 3 |
| sensi-backup_3 | Backup File Detection (Domain-based) | 1 |
| cors-active | CORS Vulnerability (Active Detection) | 2 |
| crlf_3 | CRLF Line Injection Vulnerability | 2 |
| other-hosti | Host Header Injection Detection | 1 |
| other-oss-takeover | OSS Bucket Takeover Vulnerability | 3 |
| sensi-iis-shortname | IIS Short Filename Vulnerability | 0 |
| other-clickjacking | Clickjacking Vulnerability | -1 |
| other-baseline | Service Version Leak | -1 |
| other-smuggling | Request Smuggling Vulnerability | 3 |
| trave-list_3 | Directory Listing | 2 |
- PerHost
| Plugin Name | Description |
|---|---|
| leakpwd-mssql | Weak Password on MSSQL Server |
| leakpwd-mysql | Weak Password on MySQL Server |
| leakpwd-postgresql | Weak Password on PostgreSQL Server |
| leakpwd-redis | Weak Password on Redis Server |
| leakpwd-smb | Weak Password on SMB Server |
| other-ftp-anonymous | FTP Anonymous Login |
| other-solr-rce | Apache Solr RCE via Velocity |
| unauth-docker | Docker Unauthorized Access |
| unauth-jenkins | Jenkins Unauthorized Access |
| unauth-memcached | Memcached Unauthorized Access |
| unauth-mongodb | MongoDB Unauthorized Access |
| unauth-resis | Redis Unauthorized Access |
| unauth-rsync | Rsync Unauthorized Access |
| unauth-solr | Apache Solr Unauthorized Access |
| unauth-zookeeper | ZooKeeper Unauthorized Access |
Tool Download
https://github.com/JiuZero/z0scan