yarx

An awesome reverse engine for xray poc


Yarx is the reverse spelling of x-r-a-y. Given xray's yaml poc rules, it fully automatically generates a server whose responses satisfy those rules, so scanning that server with xray reports a dozen corresponding vulnerabilities.


Feature

Try with xray

./xray webscan --plugins phantasm --html-output yarx.html --url https://yarx.koalr.me


After a few seconds, you will get a vulnerability report like this one: report.html

Installation

Usage

USAGE:
   yarx [global options] [arguments...]

GLOBAL OPTIONS:
   --pocs value, -p value    load pocs from this dir
   --listen value, -l value  the http server listen address (default: "127.0.0.1:7788")
   --root value, -r value    load files from this directory if the requested path is not found

   --verbose, -V             verbose mode, which is equivalent to --log-level debug (default: false)
   --help, -h                show help (default: false)

Example:

# Create an http server on port 8080 to simulate all vulnerabilities in the pocs folder
./yarx -p ./pocs -l 0.0.0.0:8080

# Same as above but use the file in the `./www/html` folder when the request path doesn't match any poc
./yarx -p ./pocs -l 0.0.0.0:8080 -r ./www/html


You can use the pocs folder of this repository, or point yarx directly at the https://github.com/chaitin/xray/tree/master/pocs folder of the official xray repository. This repository simply removes the pocs that are temporarily unsupported; using the official folder makes no difference except that it may print a few error messages at runtime. I will periodically sync the data to add more verified pocs.

Of course, you can load your own pocs.

Development

Yarx can also be used as a Go package:

package main

import (
	"fmt"
	"net/http"

	"github.com/zema1/yarx" // import path assumed; replace with the module path of your checkout
)

func main() {
	yr := &yarx.Yarx{}
	// err := yr.Parse([]byte("poc-data")) // parse a poc held in memory instead of a file
	err := yr.ParseFile("/path/to/a/yaml/poc")
	if err != nil {
		panic(err)
	}

	// Each successfully loaded poc corresponds to a MutationChain,
	// and each rule inside a poc corresponds to a MutationRule
	chains := yr.Chains()
	rules := yr.Rules()
	_, _ = chains, rules // inspect or filter the parsed chains and rules here

	// Generate the http handler for the loaded rules with one call
	handler := yr.HTTPHandler()

	// Event callbacks: fired when a single rule matches, and when a whole poc matches
	handler.OnRuleMatch(func(e *yarx.ScanEvent) {
	})
	handler.OnPocMatch(func(e *yarx.ScanEvent) {
		fmt.Println(e.RemoteAddr)
		fmt.Println(e.Request)
		fmt.Println(e.Response)
		fmt.Println(e.PocMatched)
		fmt.Println(e.RuleMatched)
	})

	// Launch the http server (net/http takes the listen address first, then the handler)
	if err := http.ListenAndServe("127.0.0.1:7788", handler); err != nil {
		panic(err)
	}
}
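To make the "reverse" idea concrete, here is a small stand-alone Go example, added here and not part of yarx itself, that does by hand what yarx does for a whole poc directory: it reads the `response.status == N` and `response.body.bcontains(b"...")` parts of a rule expression and builds an http.Handler whose reply makes that expression true. The rule struct and regexes are simplifications assumed for this example; yarx's own parser and mutation types are not used, and unsupported expressions are refused rather than served, matching the loading behaviour described under Errors Explanation.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strconv"
)

// Rule is one entry of an xray yaml poc, reduced to the fields this example handles.
type Rule struct{ Path, Expression string }
var (
	statusRe   = regexp.MustCompile(`response\.status\s*==\s*(\d+)`)
	bcontainRe = regexp.MustCompile(`response\.body\.bcontains\(b"([^"]*)"\)`)
)

// Reverse reads an expression backwards: it returns the status code and body
// substrings a response needs for the expression to evaluate true.
func Reverse(expr string) (status int, bodies []string, err error) {
	status = 200
	if m := statusRe.FindStringSubmatch(expr); m != nil {
		status, _ = strconv.Atoi(m[1])
	}
	for _, m := range bcontainRe.FindAllStringSubmatch(expr, -1) {
		bodies = append(bodies, m[1])
	}
	if len(bodies) == 0 && !statusRe.MatchString(expr) {
		err = fmt.Errorf("unsupported expression: %q", expr)
	}
	return status, bodies, err
}

// Handler builds a mux whose responses make every rule's expression hold.
func Handler(rules []Rule) (http.Handler, error) {
	mux := http.NewServeMux()
	for _, r := range rules {
		status, bodies, err := Reverse(r.Expression)
		if err != nil {
			return nil, err // like yarx, refuse rules we cannot reverse
		}
		mux.HandleFunc(r.Path, func(w http.ResponseWriter, req *http.Request) {
			w.WriteHeader(status)
			for _, b := range bodies {
				fmt.Fprintln(w, b)
			}
		})
	}
	return mux, nil
}
```

Pass the returned handler to http.ListenAndServe and point xray at the address to see the rule reported.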

Errors Explanation

Yarx may encounter errors when parsing pocs. Those pocs are simply not loaded into the final http service, so do not worry about them; the errors are basically the following types of problems.

If you encounter other types of errors, please open an issue with the yaml poc and the details of the error, and I will deal with it as soon as possible.

Roadmap