Scalpel is a command-line scanner that deeply parses the parameters of HTTP requests in order to generate more accurate HTTP messages from a POC. At present, HTTP passive-proxy mode is supported for scanning. Users can write their own POCs, and the POC repository is also published on GitHub.
This tool is only for legally authorized security testing and research; do not scan unauthorized targets. If you do anything illegal while using this tool, you will bear the corresponding consequences, and we will not bear any legal or joint and several liability. If you need to test the availability of this tool, please build your own target environment.
In order to avoid malicious use, all POCs included in this project are theoretical judgements of vulnerabilities: there is no exploitation process, and no real attack will be launched against the target.
Before installing and using this tool, you must read carefully and fully understand these terms and conditions. Restrictions, exemption clauses or other terms related to your material rights and interests may be highlighted in bold, underlining and so on. Your use, or your acceptance of this Agreement in any other express or implied manner, shall be deemed to mean that you have read and agreed to it.
The detection module is updated continuously to support the detection of more vulnerabilities:
- CVE
- XSS
- SQL injection
- Command / code injection
- CRLF injection
- A series of vulnerabilities in Seeyon software
- Spring Boot series vulnerabilities
- ThinkPHP series vulnerabilities
- ...
Scalpel supports depth parameter injection, backed by a data parsing and mutation algorithm. It parses common data formats (JSON, XML, form, etc.) into a tree structure and then mutates the tree according to the rules in the POC, covering both the mutation of leaf nodes and the mutation of the tree structure itself. After mutation, the tree is serialized back into the original data format.
This addresses a problem that arises when fuzzing HTTP applications for vulnerabilities: the traditional "plaintext form parameter" style of passing data has gradually given way to "complex, nested-encoded parameters", where parameter content cannot simply be injected into or replaced, and a scanner that does not decode the nesting never reaches the underlying point where the vulnerability is triggered.
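The parse-mutate-restore idea described above, as an added illustration in Python (not Scalpel's own code): a JSON body is parsed into a tree, every string leaf is replaced in turn by a probe value, and string leaves that are themselves JSON or form-encoded are descended into and re-encoded on the way back. The probe marker, the helper names and the sample body are constructed for this example; a real POC rule would supply its own mutation values.

```python
import json
from urllib.parse import parse_qsl, urlencode

PROBE = "SCALPEL_PROBE"  # constructed marker; a real POC rule supplies its own value

def _as_json(s):
    """Return the parsed tree if s is a JSON object/array string, else None."""
    try:
        v = json.loads(s)
    except ValueError:
        return None
    return v if isinstance(v, (dict, list)) else None

def _as_form(s):
    """Return key/value pairs if s looks form-encoded ('a=1&b=2'), else None."""
    pairs = parse_qsl(s, keep_blank_values=True)
    return pairs if "=" in s and pairs and all(k for k, _ in pairs) else None

def mutate(node, probe):
    """Yield one copy of node per leaf, with exactly that leaf replaced by probe.
    Nested JSON or form strings are descended into and re-encoded on the way
    back, so the outer message keeps its original format. Numbers, booleans
    and null are treated as structural constants and are not mutated."""
    if isinstance(node, dict):
        for key, child in node.items():
            for m in mutate(child, probe):
                yield {**node, key: m}          # key keeps its original position
    elif isinstance(node, list):
        for i, child in enumerate(node):
            for m in mutate(child, probe):
                yield node[:i] + [m] + node[i + 1:]
    elif isinstance(node, str):
        inner, pairs = _as_json(node), _as_form(node)
        if inner is not None:
            for m in mutate(inner, probe):
                yield json.dumps(m, separators=(",", ":"))   # restore JSON layer
        elif pairs is not None:
            for i, (k, v) in enumerate(pairs):
                for m in mutate(v, probe):
                    yield urlencode(pairs[:i] + [(k, m)] + pairs[i + 1:])  # restore form layer
        else:
            yield probe

def mutations(body, probe=PROBE):
    """Parse a JSON request body and return one serialized variant per leaf."""
    return [json.dumps(m, separators=(",", ":")) for m in mutate(json.loads(body), probe)]

# Constructed sample: the JSON field "profile" carries a form string, whose "prefs"
# value carries JSON in turn; three encoding layers, four mutable leaves in total.
SAMPLE_BODY = '{"user":"alice","tags":["x"],"profile":"city=Paris&prefs={\\"theme\\":\\"dark\\"}"}'
```

Calling `mutations(SAMPLE_BODY)` yields four messages, one per leaf; the re-encoded form layer comes back percent-encoded, which is still a valid form body but not byte-identical to the original.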
Scalpel uses proxy mode for passive scanning. Taking Windows as an example (listen on 127.0.0.1:8888, load the POC file, write the report to vuln.html):

```
.\scalpel-windows-amd64.exe poc -l 127.0.0.1:8888 -f poc.yaml -o vuln.html
```

For more information on downloading, running and configuring Scalpel, please see the Wiki.
Writing POCs
See the POC Authoring Guide for details: https://github.com/StarCrossPortal/scalpel/wiki/POC%E7%BC%96%E5%86%99%E6%8C%87%E5%8D%97
Contributing POCs
Contributors submit POCs to the GitHub repository as pull requests. Before submitting, please search the repository's poc folder and the existing GitHub pull requests to make sure the POC has not already been submitted.
Reference
Currently Scalpel integrates 100+ vulnerability POCs:
Category | CVE Number | Vulnerability Name | Support |
---|---|---|---|
CVE (2022) | CVE-2022-0540 | Jira authentication bypass vulnerability | ✔ |
CVE (2022) | CVE-2022-22954 | VMware Workspace One Access SSTIRCE vulnerability | ✔ |
CVE (2022) | CVE-2022-26134 | Confluence OGNLRCE vulnerability | ✔ |
CVE (2022) | CVE-2022-34590 | SQL injection vulnerability of hospital management system | ✔ |
CVE (2022) | CVE-2022-35151 | KK File View v4.1.0 contains multiple cross-site scripting (XSS) vulnerabilities | ✔ |
CVE (2022) | CVE-2022-35413 | Wapples hard-coded vulnerability | ✔ |
CVE (2022) | CVE-2022-35914 | GLPI injection vulnerability | ✔ |
CVE (2022) | CVE-2022-36642 | Telos Alliance Omnia MPX Node Information Disclosure Vulnerability | ✔ |
CVE (2022) | CVE-2022-36883 | Jenkins Authentication Bypass Vulnerability | ✔ |
CVE (2022) | CVE-2022-37299 | Shirne CMS controller.php directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-26086 | Atlassian Jira Server File Reading Vulnerability | ✔ |
CVE (2021) | CVE-2021-29622 | Prometheus redirection vulnerability | ✔ |
CVE (2021) | CVE-2021-30497 | Avalanche directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-33807 | Carta Disgespage directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | ✔ |
CVE (2021) | CVE-2021-35380 | Solari Di Udine Term Talk Server directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-35464 | Java deserialization vulnerability of Forge Rock AM server | ✔ |
CVE (2021) | CVE-2021-35587 | Oracle Access Manager Authentication Bypass Vulnerability | ✔ |
CVE (2021) | CVE-2021-37538 | SmartDatasoft Smart Blog for Prestashop SQL Injection Vulnerability | ✔ |
CVE (2021) | CVE-2021-37704 | PhpFastCache Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-39211 | GLPI Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-39226 | Grafana vulnerability | ✔ |
CVE (2021) | CVE-2021-39327 | Bullet Proof Security WordPress Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-40149 | E1Zoom Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-40859 | Auerswald Compact 5500r backdoor vulnerability | ✔ |
CVE (2021) | CVE-2021-40875 | Gurock TestRail Senses Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-41192 | Redash spoofing session vulnerability | ✔ |
CVE (2021) | CVE-2021-41266 | Minio Authentication Bypass Vulnerability | ✔ |
CVE (2021) | CVE-2021-41381 | Payara Microcommunity directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-41649 | Puneethreddyhc SQL injection vulnerability | ✔ |
CVE (2021) | CVE-2021-43496 | Clustering directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-43798 | Grafana directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-44077 | Zoho Remote Code Execution Vulnerability | ✔ |
CVE (2021) | CVE-2021-44152 | Reprise RLM ultra vires vulnerability | ✔ |
CVE (2021) | CVE-2021-44427 | SQL Injection Vulnerability in Rosario Student Information System | ✔ |
CVE (2021) | CVE-2021-44515 | Zoho Remote Code Execution Vulnerability | ✔ |
CVE (2021) | CVE-2021-44529 | IV Anti EPM Cloud Service Device RCE Vulnerability | ✔ |
CVE (2021) | CVE-2021-46381 | D-LINK DAP-1620 directory traversal vulnerability | ✔ |
CVE (2021) | CVE-2021-46417 | Franklin Fueling Systems Coli BR Information Disclosure Vulnerability | ✔ |
CVE (2021) | CVE-2021-46422 | Telesquare SDT-CW 3b1 command injection vulnerability | ✔ |
CVE (2020) | CVE-2020-12478 | Eampass injection vulnerability | ✔ |
CVE (2020) | CVE-2020-13700 | WordPress ACF-to-rest-API information disclosure vulnerability | ✔ |
CVE (2020) | CVE-2020-13937 | Apache Kylin security vulnerability | ✔ |
CVE (2020) | CVE-2020-14181 | Atlassian Jira Information Disclosure Vulnerability | ✔ |
CVE (2020) | CVE-2020-14408 | Agent Jo Cockpit cross-site scripting vulnerability | ✔ |
CVE (2020) | CVE-2020-15148 | Yii code problem vulnerability | ✔ |
CVE (2020) | CVE-2020-35338 | Mobile View Point Wireless Multiplex Terminal Trust Management Vulnerability | ✔ |
CVE (2020) | CVE-2020-35476 | OpenTS DB command injection vulnerability | ✔ |
CVE (2020) | CVE-2020-35489 | WordPress Contact-Form-7 Code Problem Vulnerability | ✔ |
CVE (2020) | CVE-2020-35736 | lift off gate one path traversal vulnerability | ✔ |
CVE (2020) | CVE-2020-36112 | Project Worlds Online Book Store Project in PHP SQL Injection Vulnerability | ✔ |
CVE (2020) | CVE-2020-36289 | Atlassian Jira Server and Atlassian JIRA Data Center Information Disclosure Vulnerability | ✔ |
CVE (2020) | CVE-2020-26948 | Embry Server Code Problem Vulnerability | ✔ |
CVE (2020) | CVE-2020-27361 | Akkadian Provisioning Manager Security Vulnerability | ✔ |
CVE (2020) | CVE-2020-27467 | LFI-Process Wire CMS Path Traversing Vulnerability | ✔ |
CVE (2020) | CVE-2020-27866 | Vulnerability of several Netgear products | ✔ |
CVE (2020) | CVE-2020-27982 | IceWarp Mail Server cross-site scripting vulnerability | ✔ |
CVE (2020) | CVE-2020-29395 | WordPress plugin cross-site scripting vulnerability | ✔ |
CVE (2020) | CVE-2020-24312 | WordPress plugin mndpsingh287wp file manager information disclosure vulnerability | ✔ |
CVE (2020) | CVE-2020-24550 | Elastic Episerver Find input validation error vulnerability | ✔ |
CVE (2020) | CVE-2020-24571 | Nexus QA Nexus DB path traversal vulnerability | ✔ |
CVE (2020) | CVE-2020-24949 | PHP-Fusion security vulnerability | ✔ |
CVE (2020) | CVE-2020-26073 | Cisco SD-WAN vManage information disclosure vulnerability | ✔ |
CVE (2020) | CVE-2020-26876 | WordPress security vulnerability | ✔ |
CVE (2020) | CVE-2020-16139 | Cisco 7937g input validation error vulnerability | ✔ |
CVE (2020) | CVE-2020-17453 | WSO2 Management Console cross-site scripting vulnerability | ✔ |
CVE (2020) | CVE-2020-17519 | Apache Flink vulnerability | ✔ |
CVE (2020) | CVE-2020-19625 | Sheila 1227 Gridx vulnerability | ✔ |
CVE (2020) | CVE-2020-20300 | vulnerability of weiphp SQL injection | ✔ |
CVE (2020) | CVE-2020-23015 | DEISO OPN Sense input validation error vulnerability | ✔ |
CVE (2019) | CVE-2019-0230 | Apache Struts Remote Code Execution Vulnerability | ✔ |
CVE (2019) | CVE-2019-2578 | Oracle Unauthorized Access Vulnerability | ✔ |
CVE (2019) | CVE-2019-2588 | Oracle Fusion Middleware Unauthorized Access Vulnerability | ✔ |
CVE (2019) | CVE-2019-3912 | Lab Key Server Community Edition Redirection Vulnerability | ✔ |
CVE (2019) | CVE-2019-6715 | WordPress Arbitrary File Reading Vulnerability | ✔ |
CVE (2019) | CVE-2019-8449 | Jira Information Disclosure Vulnerability | ✔ |
CVE (2019) | CVE-2019-8903 | Total.js platform path traversal vulnerability | ✔ |
CVE (2019) | CVE-2019-10092 | Apache HTTP Server cross-site scripting problem | ✔ |
CVE (2019) | CVE-2019-10232 | Teclib GLPI SQL injection vulnerability | ✔ |
CVE (2019) | CVE-2019-10717 | BlogEngine.NET directory traversal vulnerability | ✔ |
CVE (2019) | CVE-2019-11248 | Kubernetes Healthz port public | ✔ |
CVE (2019) | CVE-2019-11581 | Jira template injection vulnerability | ✔ |
CVE (2019) | CVE-2019-12583 | Zyxel UAG, USG and ZyWALL devices unauthorized access vulnerability | ✔ |
CVE (2019) | CVE-2019-12962 | Vulnerability of Livezilla Server XSS | ✔ |
CVE (2019) | CVE-2019-13101 | D-LINK DIR-600M Information Disclosure Vulnerability | ✔ |
CVE (2019) | CVE-2019-13462 | Lansweeper SQL injection vulnerability | ✔ |
CVE (2019) | CVE-2019-14322 | Pallets Werkzeug Error Handling Drive Name | ✔ |
CVE (2019) | CVE-2019-14974 | SugarCRM Enterprise XSS Vulnerability | ✔ |
CVE (2019) | CVE-2019-15858 | WordPress XSS Vulnerability | ✔ |
CVE (2019) | CVE-2019-16313 | FW8 Router ROM Information Disclosure Vulnerability | ✔ |
CVE (2019) | CVE-2019-16996 | METINFO 7.0.0 beta SQL injection vulnerability | ✔ |
CVE (2019) | CVE-2019-17382 | Zabbix login bypass vulnerability | ✔ |
CVE (2019) | CVE-2019-17418 | MetInfo SQL Injection Vulnerability | ✔ |
CVE (2019) | CVE-2019-17503 | Kirona Dynamic Resource Scheduling (DRS) Information Disclosure Vulnerability | ✔ |
CVE (2019) | CVE-2019-18393 | Ignite real-time OpenFire directory traversal vulnerability | ✔ |
CVE (2019) | CVE-2019-18922 | AT-S107V.1.1.3 directory traversal vulnerability | ✔ |
CVE (2019) | CVE-2019-19368 | Rumpus FTP Web XSS vulnerability | ✔ |
CVE (2019) | CVE-2019-19781 | Citrix ADC and Gateway Directory Traversal Vulnerability | ✔ |
CVE (2019) | CVE-2019-20085 | TVT NVMS-1000 device directory traversal vulnerability | ✔ |
CVE (2019) | CVE-2019-20933 | Influx DB Authentication Bypass Vulnerability | ✔ |
UFIDA | | yongyou-ERP-NC- directory traversal vulnerability | ✔ |
UFIDA | | Yong You-NC-RCE | ✔ |
UFIDA | | yongyou- local file inclusion vulnerability | ✔ |
Spring Boot | | Spring Boot-Actuators-Jolokia-XXE Vulnerability | ✔ |
Zhiyuan | | Zhiyuan File Upload Vulnerability | ✔ |
Zhiyuan | | Zhiyuan -oa-info-leak vulnerability | ✔ |
Ruijie | | Ruijie Gateway Command Execution Vulnerability | ✔ |
ThinkPHP | | thinkphp-509-information-disclosure | ✔ |
Universal | | Arbitrary file reading vulnerability | ✔ |
The POC list will be updated continuously.
Thank you first of all for taking the time to make Scalpel easier to use 👍
If you encounter false positives or have other questions, you can give feedback in the following ways:
- GitHub issue https://github.com/StarCrossPortal/scalpel/issues