Share
## https://sploitus.com/exploit?id=C347A41F-D8DF-5047-AF98-E8721E43B124
[](https://www.python.org/)
[](https://owasp.org/)
[](LICENSE)
[](https://www.eccouncil.org/)
[](/)
[](/)
```
โโโโโโโ โโโ โโโ โโโโโโโ โโโโโโโโ โโโโโโโ โโโโโโ โโโโ โโโโโโโ โโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโโโโ โโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโ โโโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโ
โโโโโโโ โโโโโโโ โโโโโโโ โโโโโโโโ โโโโโโโโโโ โโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโ โโโ
```
### *The Ultimate PHP Web Security Scanner for Bug Bounty & Penetration Testing*
> โ ๏ธ **For authorized security testing only.** Use responsibly.
---
## ๐ Table of Contents
- [Overview](#-overview)
- [Key Features](#-key-features)
- [Scanner Modules](#-scanner-modules)
- [Architecture](#-architecture)
- [Installation](#-installation)
- [Usage](#-usage)
- [Authentication](#-authentication)
- [PHP Exploitation Module](#-php-exploitation-module)
- [Payment Bypass Module](#-payment-bypass-module)
- [Report Generation](#-report-generation)
- [Target Analysis](#-target-analysis)
- [OWASP Coverage](#-owasp-coverage)
- [Legal Disclaimer](#-legal-disclaimer)
- [Author](#-author)
---
## ๐ Overview
**BugScanner** is a professional-grade, modular Python web vulnerability scanner engineered for **bug bounty hunters**, **penetration testers**, and **security researchers**. Built specifically around the **OWASP Top 10 (2021)** framework, it combines automated detection with deep PHP-specific exploitation capabilities.
Unlike generic scanners, BugScanner is **source-intelligence driven** โ it can parse target JavaScript and HTML source files to extract exact API endpoints, response codes, and parameter names, then surgically craft tests against the real attack surface instead of guessing blindly.
```
Target JS/HTML Analysis โ API Surface Map โ Surgical Exploitation โ HackerOne-Grade Report
```
**Designed for:**
- EC-Council Bug Bounty Course assignments
- HackerOne / Bugcrowd submissions
- CTF Lab environments
- Authorized penetration testing engagements
---
## โจ Key Features
| Feature | Description |
|--------|-------------|
| ๐ง **Source Intelligence** | Parse JS/HTML to extract real API endpoints and response codes |
| ๐ **Auto Authentication** | Auto-detects login forms, CSRF tokens, handles PHP response codes |
| ๐ **12 Scan Modules** | Full OWASP Top 10 coverage + PHP-specific + Payment Bypass |
| ๐ **Dual Reports** | Professional PDF + Markdown in HackerOne/Bugcrowd format |
| ๐ฏ **CVSS 3.1 Scoring** | Every finding gets a CVSS vector and numerical score |
| ๐ **Race Condition Engine** | Multi-threaded parallel request firing for timing attacks |
| ๐พ **DB Dump Module** | UNION SQLi, LOAD_FILE, INTO OUTFILE, phpMyAdmin brute force |
| ๐ **Webshell Detection** | Probes 20+ shell paths + upload bypass attempts |
| ๐ช **Crypto Payment Bypass** | Business logic tests sourced directly from site JS |
| ๐ **JWT Attacks** | alg:none, 23 weak secrets, kid path traversal |
| ๐ก **SSRF Probing** | AWS/GCP/Azure metadata, internal network |
| ๐ **Scope Validation** | Blocks RFC-1918 IPs, validates target domain |
---
## ๐งฉ Scanner Modules
Click to expand full module details
### Core OWASP Modules
| Module Key | Name | OWASP | CWE | Techniques |
|-----------|------|-------|-----|------------|
| `xxe` | XML External Entity | A4:2021 | CWE-611 | Classic, OOB, SVG, SOAP, blind |
| `sqli` | SQL Injection | A3:2021 | CWE-89 | Error-based, time-based, boolean-blind, UNION (5 DB signatures) |
| `xss` | Cross-Site Scripting | A3:2021 | CWE-79 | 18 reflected payloads, stored, header, DOM sinks |
| `ssrf` | Server-Side Request Forgery | A10:2021 | CWE-918 | AWS/GCP/Azure metadata, internal network, webhooks |
| `idor` | Insecure Direct Object Reference | A1:2021 | CWE-639 | ID enumeration, mass assignment, API enumeration |
| `cmdi` | OS Command Injection | A3:2021 | CWE-78 | Shell metacharacters, time-based blind |
| `lfi` | Local File Inclusion | A5:2021 | CWE-22 | Traversal 2-6 deep, null bytes, double-encoding, PHP wrappers |
| `open_redirect` | Open Redirect | A10:2021 | CWE-601 | 10 bypass variants, form fields, JS DOM sinks |
| `headers` | Security Headers | A5:2021 | CWE-16 | 6 headers, CORS, cookies, 22 sensitive file paths |
| `jwt` | JWT / Broken Auth | A2:2021 | CWE-287 | alg:none, 23 weak secrets, claim manipulation, kid traversal |
### Specialized Modules
| Module Key | Name | OWASP | Key Tests |
|-----------|------|-------|-----------|
| `payment` | Crypto Payment / Balance Bypass | A1:2021 | 15 business-logic tests sourced from allinone.js |
| `php` | PHP-Specific Exploitation | A5:2021 | 13 PHP attack categories (see below) |
---
## ๐๏ธ Architecture
```
bugscanner/
โ
โโโ main.py # CLI entrypoint (Click + Rich)
โ
โโโ scanners/
โ โโโ base.py # BaseScanner + Finding dataclass
โ โโโ xxe.py # XML External Entity
โ โโโ sqli.py # SQL Injection
โ โโโ xss.py # Cross-Site Scripting
โ โโโ ssrf.py # Server-Side Request Forgery
โ โโโ idor.py # Insecure Direct Object Reference
โ โโโ cmdi.py # OS Command Injection
โ โโโ lfi.py # Local File Inclusion
โ โโโ open_redirect.py # Open Redirect
โ โโโ headers.py # Security Headers & Misconfig
โ โโโ jwt_check.py # JWT / Broken Authentication
โ โโโ payment_bypass.py # Crypto Payment Bypass (site-tuned)
โ โโโ php_specific.py # PHP Exploitation Suite
โ
โโโ utils/
โ โโโ auth.py # AuthManager: form/JSON/basic/CSRF
โ โโโ http_client.py # Shared requests.Session wrapper
โ โโโ scope.py # Target scope & IP validation
โ โโโ logger.py # Rich logging setup
โ
โโโ reporter/
โ โโโ generator.py # PDF (ReportLab) + Markdown generator
โ โโโ templates/
โ โโโ report.md.j2 # Jinja2 Markdown template
โ โโโ report.html.j2 # Jinja2 HTMLโPDF template
โ
โโโ Target/ # Drop target JS/HTML here for analysis
โ โโโ allinone.js
โ โโโ ...
โ
โโโ reports/ # Generated reports land here
โโโ requirements.txt
โโโ README.md
```
---
## โ๏ธ Installation
### Prerequisites
- Python **3.10+**
- pip
### Quick Setup
```bash
# 1. Clone or download the tool
git clone https://github.com/yourusername/bugscanner.git
cd bugscanner
# 2. Install dependencies
pip install -r requirements.txt
# 3. Verify installation
python main.py list-modules
```
### Dependencies
```
requests>=2.31.0
beautifulsoup4>=4.12.0
lxml>=4.9.0
click>=8.1.0
rich>=13.0.0
Jinja2>=3.1.0
reportlab>=4.0.0
weasyprint>=60.0
```
---
## ๐ Usage
### Basic Scan
```bash
python main.py scan \
-t https://target.com \
--i-have-permission
```
### Full Authenticated Scan
```bash
python main.py scan \
-t https://target.com \
--i-have-permission \
-u your_username \
-p your_password \
--verbose
```
### Run Specific Modules
```bash
# PHP exploitation only
python main.py scan -t https://target.com --i-have-permission --modules php
# Payment bypass only
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS --modules payment
# Combined high-value modules
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS \
--modules php payment sqli lfi --verbose
```
### Test Authentication First
```bash
python main.py test-login \
-t https://target.com \
-u your_username \
-p your_password
```
### List All Modules
```bash
python main.py list-modules
```
### All CLI Options
```
Options:
-t, --target TEXT Target URL (required)
--i-have-permission Confirm authorization (required)
-m, --modules CHOICE Modules to run (default: all)
-u, --username TEXT Login username
-p, --password TEXT Login password
--login-url TEXT Explicit login URL (auto-detected if omitted)
--auth-type CHOICE auto|form|json|basic (default: auto)
-o, --output TEXT Report output directory (default: ./reports)
--timeout INTEGER HTTP timeout in seconds (default: 10)
--threads INTEGER Concurrent threads (default: 5)
--cookies TEXT Manual cookie string (e.g. 'PHPSESSID=abc')
--headers-extra TEXT Extra headers as JSON string
--depth INTEGER Crawl depth (default: 2)
--no-pdf Skip PDF generation
--format CHOICE pdf|markdown|both (default: both)
-v, --verbose Verbose output
```
---
## ๐ Authentication
BugScanner includes a fully automatic authentication pipeline:
```
1. Auto-detect login URL (scans common paths + LOGIN_URL_PATTERNS)
2. Parse login form โ extract field names + CSRF tokens
3. Submit credentials via form POST / JSON / Basic Auth
4. Evaluate response (body text, status code, redirect, JSON token)
5. Apply session cookies + auth headers to ALL subsequent scanner requests
```
### PHP Site-Specific Authentication
For PHP sites returning single-character response codes (e.g., `'5'` = success):
```bash
python main.py scan \
-t https://php-target.com \
--i-have-permission \
--auth-type form \
--login-url /login.php?login \
-u YOUR_USERNAME \
-p YOUR_PASSWORD
```
The auth engine recognizes these response codes automatically:
| Code | Meaning |
|------|---------|
| `5` | Login success |
| `3` | No such account |
| `0` | IP rate-limited |
| `1` | Username rate-limited |
---
## ๐ PHP Exploitation Module
The `php` module targets 13 attack categories specific to PHP applications:
```bash
python main.py scan -t https://target.com --i-have-permission --modules php --verbose
```
### What It Tests
| # | Test | Severity | Description |
|---|------|----------|-------------|
| 1 | **PHPInfo Exposure** | HIGH | Probes 6 phpinfo paths, extracts PHP version |
| 2 | **Version Header Disclosure** | LOW | X-Powered-By / Server header leak |
| 3 | **Sensitive File Exposure** | CRITICAL | 50+ paths: `.env`, `config.php`, `database.sql`, `.git`, backups |
| 4 | **DB Admin Panel Discovery** | CRITICAL | phpMyAdmin, Adminer, SQLiteManager (15 paths) |
| 5 | **Pre-existing Web Shells** | CRITICAL | 20+ known shell signatures (c99, r57, WSO, b374k) |
| 6 | **PHP Error Mode** | MEDIUM | Triggers errors to expose file paths and stack traces |
| 7 | **PHP Object Injection** | CRITICAL | Unserialize gadget chain detection |
| 8 | **Remote File Inclusion** | CRITICAL | data:// wrapper RFI with execution verification |
| 9 | **LFI + PHP Filter Wrappers** | CRITICAL | `php://filter/base64-encode` to read PHP source files |
| 10 | **SQL Injection โ DB Dump** | CRITICAL | UNION, error-based, `LOAD_FILE()`, `INTO OUTFILE` |
| 11 | **phpMyAdmin Default Creds** | CRITICAL | Tests 9 default credential pairs |
| 12 | **Server-Side Template Injection** | CRITICAL | Twig, Smarty, ERB expression evaluation |
| 13 | **Webshell Upload** | CRITICAL | Extension bypass, Content-Type spoofing, null byte, .htaccess |
### PHP Filter Wrapper โ Read Source Code
```
GET /index.php?page=php://filter/convert.base64-encode/resource=config.php
โ Base64 blob โ decoded PHP source with DB credentials
```
### MySQL File Operations via SQLi
```sql
-- Read server files (requires FILE privilege)
' UNION SELECT LOAD_FILE('/etc/passwd'),2,3-- -
' UNION SELECT LOAD_FILE('/var/www/html/config.php'),2,3-- -
-- Write webshell (requires write permission on webroot)
' UNION SELECT '' INTO OUTFILE '/var/www/html/x.php'-- -
```
---
## ๐ฐ Payment Bypass Module
The `payment` module was purpose-built for PHP e-commerce / crypto deposit sites, with tests reverse-engineered directly from real JavaScript source analysis.
```bash
python main.py scan -t https://target.com --i-have-permission -u USER -p PASS \
--modules payment --verbose
```
### 15 Business Logic Tests
| # | Test | Priority | Vector |
|---|------|----------|--------|
| 1 | **Payment Type Enumeration** | HIGH | `GET /money_add.php?type=0/-1/999` |
| 2 | **Force-Confirm Order (IDOR)** | ๐ด CRITICAL | `GET /money_view.php?check_order=` |
| 3 | **Cross-User Order Takeover** | ๐ด CRITICAL | Sequential order ID enumeration |
| 4 | **Fake Transaction Hash** | CRITICAL | Submit fake LTC/BTC hash to deposit endpoint |
| 5 | **Amount Parameter Injection** | MEDIUM | `amount=9999` alongside payment type |
| 6 | **Direct Balance Manipulation** | CRITICAL | `/info.php?set_balance=9999` |
| 7 | **Quick Buy with Zero Balance** | CRITICAL | `POST /cc_buy.php?buy_one` |
| 8 | **Basket Buy with Low Balance** | CRITICAL | `GET /cc_basket.php?buy` |
| 9 | **Bulk Cart Duplicate IDs** | MEDIUM | Send same `id[]` 20ร in one request |
| 10 | **Transaction History IDOR** | HIGH | `get_history=0/all/'` |
| 11 | **Purchased Card IDOR** | CRITICAL | `get_card=` |
| 12 | **Card Data IDOR** | CRITICAL | `get_card_data=` without purchase |
| 13 | **Password Change No-Auth** | CRITICAL | `POST /ch_password.php` with empty/wrong password |
| 14 | **Race Condition** | CRITICAL | 10 parallel `check_order` requests |
| 15 | **Session Cookie Flags** | MEDIUM | PHPSESSID HttpOnly/Secure/SameSite audit |
---
## ๐ Report Generation
Every scan automatically produces two professional reports:
```
reports/
โโโ bugscanner_target.com_20240324_143052/
โโโ report.pdf โ Professional PDF with cover page
โโโ report.md โ Markdown for Bugcrowd/HackerOne submission
```
Each finding includes:
- **Title** and **Severity** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
- **CVSS 3.1 Score** and **Vector String**
- **OWASP Category** and **CWE Reference**
- **Proof of Concept** โ exact URL, parameter, payload
- **Evidence** โ response excerpts confirming the vulnerability
- **Impact** โ real-world exploitation scenario
- **Remediation** โ specific fix with code examples
---
## ๐ฌ Target Analysis
Drop the target website's JS/HTML files into the `Target/` folder to enable **source intelligence mode**. BugScanner extracts:
- All AJAX endpoint URLs and HTTP methods
- POST field names and expected response codes
- Client-side validation logic (to bypass server-side)
- DOM XSS sinks (`.html()`, `.append()` with server data)
**Endpoints extracted from EC-Council CVV HUB training target:**
```
POST /login.php?login response: '5'=ok, '3'=no-acct, '0'=ip-ban
GET /info.php?get_balance returns: "0,91" comma-decimal format
GET /money_add.php?type= type 5 = USDT min $50
GET /money_view.php?check_order= HIGH VALUE: returns '1' = payment confirmed
POST /cc_buy.php?buy_one response: 3=bought, 2=low-bal, 0=err
GET /cc_basket.php?buy response: '3'=bought
POST /ch_password.php returns new auto-generated password!
```
---
## ๐ OWASP Coverage
```
OWASP Top 10 (2021) โ 10/10 โโโโโโโโโโโโโโโโโโโโ 100%
A1 Broken Access Control โโโโโโโโโโโโโโโโโโโโ IDOR, Payment Bypass, PHP Auth
A2 Cryptographic Failures โโโโโโโโโโโโโโโโโโโโ JWT Attacks, Session Flags
A3 Injection โโโโโโโโโโโโโโโโโโโโ SQLi, XSS, CMDi, XXE, RFI, SSTI
A4 Insecure Design โโโโโโโโโโโโโโโโโโโโ Payment Business Logic Testing
A5 Security Misconfiguration โโโโโโโโโโโโโโโโโโโโ Headers, PHPInfo, DB Admin Panels
A6 Vulnerable Components โโโโโโโโโโโโโโโโโโโโ PHP Version Detection, CVE Mapping
A7 Auth Failures โโโโโโโโโโโโโโโโโโโโ JWT, Default Creds, PW Bypass
A8 Data Integrity Failures โโโโโโโโโโโโโโโโโโโโ PHP Object Injection / Unserialize
A9 Logging & Monitoring โโโโโโโโโโโโโโโโโโโโ Error Mode & Debug Exposure
A10 SSRF โโโโโโโโโโโโโโโโโโโโ Cloud Metadata, Internal Network
```
---
## ๐ก Advanced Tips
```bash
# Use manually grabbed browser cookies
python main.py scan -t https://target.com --i-have-permission \
--cookies "PHPSESSID=abc123def456"
# Add custom headers (e.g. bypass WAF, internal routing)
python main.py scan -t https://target.com --i-have-permission \
--headers-extra '{"X-Forwarded-For": "127.0.0.1"}'
# Maximum coverage attack
python main.py scan -t https://target.com --i-have-permission \
-u admin -p password \
--modules php payment sqli lfi idor headers jwt \
--verbose --format both --output ./my_reports
```
---
## โ๏ธ Legal Disclaimer
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ AUTHORIZED USE ONLY โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ โ
โ โ Bug bounty programs with explicit written scope โ
โ โ CTF (Capture The Flag) lab environments โ
โ โ Systems you own or have written permission to test โ
โ โ EC-Council course lab environments โ
โ โ
โ โ Unauthorized scanning of third-party systems โ
โ โ Any use violating computer fraud laws (CFAA/CMA) โ
โ โ Malicious exploitation of discovered vulns โ
โ โ
โ The author assumes NO LIABILITY for misuse. โ
โ Unauthorized use is a criminal offense worldwide. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
---
## ๐จโ๐ป Author & Signature
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ โโโโ โโโโโโโ โโโโโโ โโโ โโโโโโ โโโโ โโโโโโโโ โโโโ โ
โ โโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโโโโโโโโ โโโโโโโโโโ โโโโโ โ
โ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโ โโโ โโโโโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ โโโโโโ โโโ โโโ โ
โ โโโ โโโ โโโโโโโ โโโ โโโโโโ โโโโโโ โโโโโโ โโโ โ
โ โ
โ โโโโโโโโ โโโโโโ โโโโโโโโโโโ โโโโโโ โโโโ โโโ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโ โ
โ โโโโโโ โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโ โโโ โ
โ โโโโโโ โโโโโโโโโโโ โโโโ โโโโโโโโโโโโโโโโโโ โ
โ โโโ โโโ โโโโโโ โโโ โโโ โโโโโโ โโโโโโ โ
โ โโโ โโโ โโโโโโ โโโ โโโ โโโโโโ โโโโโ โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฃ
โ โ
โ Muhammad Faizan โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ Cybersecurity Researcher โ
โ Bug Bounty Hunter โ
โ EC-Council Bug Bounty Student โ
โ โ
โ ๐ง faizzyhon@gmail.com โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
[](mailto:faizzyhon@gmail.com)
[](https://www.eccouncil.org/)
[](/)
---
```
โโโโโโโ โโโ โโโโโโโ โโโโโโโโ โโโโโโโ โโโ โโโโโโโ โโโโโโโโโโโโโโโ โโโ
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโโโโโโโโโโโโโโ โโโโ
โโโโโโโโโโโโโโ โโโโ โโโโโโ โโโ โโโโโโ โโโโโโโโโ โโโ โโโ โโโโโโโ
โโโโโโโโโโโโโโ โโโ โโโโโโ โโโ โโโโโโ โโโโโโโโโโโโโ โโโ โโโโโ
โโโโโโโโโโโโโโโโโโโโ โโโ โโโโโโโโโโโโโโโโโโโโโ โโโโโโ โโโ โโโ
โโโโโโโ โโโ โโโโโโโ โโโ โโโโโโโ โโโโโโโ โโโ โโโโโ โโโ โโโ
"The quieter you become, the more you can hear."
โ hack the planet ๐ โ
```
---
*Engineered with ๐ฅ passion for cybersecurity*
*EC-Council Bug Bounty Course โ 2024*
**ยฉ 2024 Muhammad Faizan โ All Rights Reserved**
*โญ If this tool helped you find a bug, drop a star!*