Home
Scalpel is a command line scanner that can deeply parse parameters in http requests to generate more accurate http messages based on poc. Currently, http passive proxy mode is supported for scanning. Users can customize POC, and we can also expose the POC repository on Github.
This tool is only for legally authorized security testing and research behavior, do not scan unauthorized targets. If you do anything illegal in the process of using this tool, you will bear the corresponding consequences and we will not bear any legal or joint and several liability. If you need to test the availability of this tool, please build your own target environment.
In order to avoid malicious use, all poc included in this project are theoretical judgments of vulnerabilities, there is no vulnerability exploitation process, and real attacks and vulnerabilities will not be launched against the target.
Before installing and using this tool, you must read carefully and fully understand the terms and conditions. Restrictions, exemption clauses or other terms related to your material rights and interests may be highlighted in the form of bold, underlining and so on. Your use or your acceptance of this Agreement in any other express or implied manner shall be deemed to have been read and agreed to by you.
The detection module is constantly updated to support the detection of more vulnerabilities.
-
CVE
-
XSS
-
SQL injection
-
Command / code injection
-
CRLF injection
-
A series of vulnerabilities in seeyou software
-
Springboot series vulnerabilities
-
Thinkphp series vulnerabilities
-
...
Scalpel supports depth parameter injection, which has a powerful data parsing and mutation algorithm. It can parse common data formats (json, xml, form, etc.) into tree structure, and then mutate the tree according to the rules in poc, including the mutation of leaf nodes and tree structure. After the mutation is complete, the tree structure is restored to the original data format.
To solve the problem in the process of HTTP application vulnerability Fuzz, the traditional "plaintext parameter transfer mode of Form form" gradually turns into "complex, nested-coded parameter transfer", which can not directly inject or replace the parameter content and can not go deep into the underlying vulnerability trigger point.
Scalpel uses proxy mode for passive scanning, taking the Windows system as an example:
.\scalpel-windows-amd64.exe poc -l 127.0.0.1:8888 -f poc.yaml -o vuln.html
For more information on downloading, running and configuring Scalpel, please see Wiki
The compilation of POC
See the POC Authoring Guide for details.https://github.com/StarCrossPortal/scalpel/wiki/POC%E7%BC%96%E5%86%99%E6%8C%87%E5%8D%97
Contribution to the POC
Contributors submit a POC to the github repository in the form of PR. Please search the repository's poc folder and Github Pull request before submitting to ensure that the POC has not been submitted.
reference
Currently scalpel has integrated 100+ vulnerability POC
| category | CVE | Name of vulnerability | support |
|---|---|---|---|
| CVE(2022) | CVE-2022-0540 | Jira authentication bypasses vulnerability | ✔ |
| CVE(2022) | CVE-2022-22954 | VMware Workspace ONE Access SSTI RCE vulnerability | ✔ |
| CVE(2022) | CVE-2022-26134 | Confluence OGNL RCE vulnerability | ✔ |
| CVE(2022) | CVE-2022-34590 | Hospital Management System SQL injection vulnerability | ✔ |
| CVE(2022) | CVE-2022-35151 | kkFileView v4.1.0 包含多个跨站点脚本 (XSS) 漏洞 | ✔ |
| CVE(2022) | CVE-2022-35413 | WAPPLES 硬编码漏洞 | ✔ |
| CVE(2022) | CVE-2022-35914 | GLPI 注入漏洞 | ✔ |
| CVE(2022) | CVE-2022-36642 | Telos Alliance Omnia MPX Node 信息泄露漏洞 | ✔ |
| CVE(2022) | CVE-2022-36883 | Jenkins 身份验证绕过漏洞 | ✔ |
| CVE(2022) | CVE-2022-37299 | Shirne CMS controller.php 目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-26086 | Atlassian Jira server文件读取漏洞 | ✔ |
| CVE(2021) | CVE-2021-29622 | Prometheus 重定向漏洞 | ✔ |
| CVE(2021) | CVE-2021-30497 | Avalanche 目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-33807 | Cartadis Gespage 目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-34473 | Microsoft Exchange Server 远程代码执行漏洞 | ✔ |
| CVE(2021) | CVE-2021-35380 | Solari di Udine TermTalk Server 目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-35464 | ForgeRock AM 服务器 Java 反序列化漏洞 | ✔ |
| CVE(2021) | CVE-2021-35587 | Oracle Access Manager 身份验证绕过漏洞 | ✔ |
| CVE(2021) | CVE-2021-37538 | SmartDataSoft SmartBlog for PrestaShop SQL 注入漏洞 | ✔ |
| CVE(2021) | CVE-2021-37704 | PhpFastCache 信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-39211 | GLPI 信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-39226 | Grafana 漏洞 | ✔ |
| CVE(2021) | CVE-2021-39327 | BulletProof Security WordPress信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-40149 | E1 Zoom信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-40859 | Auerswald COMpact 5500R后门漏洞 | ✔ |
| CVE(2021) | CVE-2021-40875 | Gurock TestRail感信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-41192 | Redash 伪造会话漏洞 | ✔ |
| CVE(2021) | CVE-2021-41266 | Minio身份验证绕过漏洞 | ✔ |
| CVE(2021) | CVE-2021-41381 | Payara Micro Community目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-41649 | PuneethReddyHC SQL注入漏洞 | ✔ |
| CVE(2021) | CVE-2021-43496 | Clustering目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-43798 | Grafana目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-44077 | Zoho远程代码执行漏洞 | ✔ |
| CVE(2021) | CVE-2021-44152 | Reprise RLM越权漏洞 | ✔ |
| CVE(2021) | CVE-2021-44427 | Rosario 学生信息系统SQL 注入漏洞 | ✔ |
| CVE(2021) | CVE-2021-44515 | Zoho远程代码执行漏洞 | ✔ |
| CVE(2021) | CVE-2021-44529 | Ivanti EPM 云服务设备RCE漏洞 | ✔ |
| CVE(2021) | CVE-2021-46381 | D-Link DAP-1620目录遍历漏洞 | ✔ |
| CVE(2021) | CVE-2021-46417 | Franklin Fueling Systems Colibr信息泄露漏洞 | ✔ |
| CVE(2021) | CVE-2021-46422 | Telesquare SDT-CW3B1命令注入漏洞 | ✔ |
| CVE(2020) | CVE-2020-12478 | eamPass 注入漏洞 | ✔ |
| CVE(2020) | CVE-2020-13700 | WordPress acf-to-rest-api 信息泄露漏洞 | ✔ |
| CVE(2020) | CVE-2020-13937 | Apache Kylin 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-14181 | Atlassian Jira 信息泄露漏洞 | ✔ |
| CVE(2020) | CVE-2020-14408 | Agentejo Cockpit 跨站脚本漏洞 | ✔ |
| CVE(2020) | CVE-2020-15148 | Yii 代码问题漏洞 | ✔ |
| CVE(2020) | CVE-2020-35338 | Mobile Viewpoint Wireless Multiplex Terminal 信任管理问题漏洞 | ✔ |
| CVE(2020) | CVE-2020-35476 | OpenTSDB 命令注入漏洞 | ✔ |
| CVE(2020) | CVE-2020-35489 | Wordpress contact-form-7 代码问题漏洞 | ✔ |
| CVE(2020) | CVE-2020-35736 | Liftoff GateOne 路径遍历漏洞 | ✔ |
| CVE(2020) | CVE-2020-36112 | Projectworlds Online Book Store Project In Php SQL注入漏洞 | ✔ |
| CVE(2020) | CVE-2020-36289 | Atlassian JIRA Server 和 Atlassian JIRA Data Center 信息泄露漏洞 | ✔ |
| CVE(2020) | CVE-2020-26948 | Emby Server 代码问题漏洞 | ✔ |
| CVE(2020) | CVE-2020-27361 | Akkadian Provisioning Manager 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-27467 | Lfi-ProcessWire Cms 路径遍历漏洞 | ✔ |
| CVE(2020) | CVE-2020-27866 | 多款Netgear产品授权问题漏洞 | ✔ |
| CVE(2020) | CVE-2020-27982 | IceWarp Mail Server 跨站脚本漏洞 | ✔ |
| CVE(2020) | CVE-2020-29395 | WordPress plugin 跨站脚本漏洞 | ✔ |
| CVE(2020) | CVE-2020-24312 | WordPress plugin mndpsingh287 WP File Manager 信息泄露漏洞 | ✔ |
| CVE(2020) | CVE-2020-24550 | Elastic EpiServer Find 输入验证错误漏洞 | ✔ |
| CVE(2020) | CVE-2020-24571 | NexusQA NexusDB 路径遍历漏洞 | ✔ |
| CVE(2020) | CVE-2020-24949 | PHP-Fusion 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-26073 | Cisco?SD-WAN vManage 信息泄露漏洞 | ✔ |
| CVE(2020) | CVE-2020-26876 | WordPress 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-16139 | Cisco 7937G 输入验证错误漏洞 | ✔ |
| CVE(2020) | CVE-2020-17453 | WSO2 Management Console 跨站脚本漏洞 | ✔ |
| CVE(2020) | CVE-2020-17519 | Apache Flink 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-19625 | sheila1227 gridx 安全漏洞 | ✔ |
| CVE(2020) | CVE-2020-20300 | Weiphp SQL注入漏洞 | ✔ |
| CVE(2020) | CVE-2020-23015 | Deciso OPNsense 输入验证错误漏洞 | ✔ |
| CVE(2019) | CVE-2019-0230 | Apache Struts远程代码执行漏洞 | ✔ |
| CVE(2019) | CVE-2019-2578 | Oracle 未授权访问漏洞 | ✔ |
| CVE(2019) | CVE-2019-2588 | Oracle Fusion Middleware未授权访问漏洞 | ✔ |
| CVE(2019) | CVE-2019-3912 | LabKey Server Community Edition重定向漏洞 | ✔ |
| CVE(2019) | CVE-2019-6715 | WordPress 任意文件读取漏洞 | ✔ |
| CVE(2019) | CVE-2019-8449 | Jira 信息泄露漏洞 | ✔ |
| CVE(2019) | CVE-2019-8903 | Total.js 平台路径遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-10092 | Apache HTTP Server跨站点脚本问题 | ✔ |
| CVE(2019) | CVE-2019-10232 | Teclib GLPI SQL 注入漏洞 | ✔ |
| CVE(2019) | CVE-2019-10717 | BlogEngine.NET 目录遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-11248 | Kubernetes healthz 端口公开 | ✔ |
| CVE(2019) | CVE-2019-11581 | Jira 模板注入漏洞 | ✔ |
| CVE(2019) | CVE-2019-12583 | Zyxel UAG、USG 和 ZyWall设备未授权访问 | ✔ |
| CVE(2019) | CVE-2019-12962 | LiveZilla Server XSS漏洞 | ✔ |
| CVE(2019) | CVE-2019-13101 | D-Link DIR-600M 信息泄露漏洞 | ✔ |
| CVE(2019) | CVE-2019-13462 | Lansweeper SQL 注入漏洞 | ✔ |
| CVE(2019) | CVE-2019-14322 | Pallets Werkzeug 错误处理驱动器名称 | ✔ |
| CVE(2019) | CVE-2019-14974 | SugarCRM Enterprise XSS漏洞 | ✔ |
| CVE(2019) | CVE-2019-15858 | WordPress XSS漏洞 | ✔ |
| CVE(2019) | CVE-2019-16313 | fw8 Router ROM 信息泄露漏洞 | ✔ |
| CVE(2019) | CVE-2019-16996 | Metinfo 7.0.0beta SQL 注入漏洞 | ✔ |
| CVE(2019) | CVE-2019-17382 | Zabbix 登录绕过漏洞 | ✔ |
| CVE(2019) | CVE-2019-17418 | MetInfo SQL 注入漏洞 | ✔ |
| CVE(2019) | CVE-2019-17503 | Kirona 动态资源调度 (DRS)信息泄露漏洞 | ✔ |
| CVE(2019) | CVE-2019-18393 | Ignite Realtime Openfire 目录遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-18922 | AT-S107 V.1.1.3 目录遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-19368 | Rumpus FTP Web XSS漏洞 | ✔ |
| CVE(2019) | CVE-2019-19781 | Citrix ADC 和网关 目录遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-20085 | TVT NVMS-1000 设备 目录遍历漏洞 | ✔ |
| CVE(2019) | CVE-2019-20933 | InfluxDB 身份验证绕过漏洞 | ✔ |
| 用友 | yongyou-ERP-NC-目录遍历漏洞 | ✔ | |
| 用友 | yongyou-nc-RCE | ✔ | |
| 用友 | yongyou-本地文件包含漏洞 | ✔ | |
| springboot | springboot-actuators-jolokia-xxe漏洞 | ✔ | |
| 致远 | 致远文件上传漏洞 | ✔ | |
| 致远 | 致远-oa-info-leak漏洞 | ✔ | |
| 锐捷 | 锐捷网关命令执行漏洞 | ✔ | |
| ThinkPHP | thinkphp-509-information-disclosure | ✔ | |
| 通用 | 任意文件读取漏洞 | ✔ |
The POC will be updated continuously
Thank you first of all for taking the time to make scalpel easier to use👍
If you have any false positives and other questions, you can give feedback in the following ways
1、GitHub issue:https://github.com/StarCrossPortal/scalpel/issues
2、Wechat:
