Share
## https://sploitus.com/exploit?id=D9272EE8-A38C-5B7F-8ADC-99B929ACB844
# Ruoyi-Scan β RuoYi-specific vulnerability scanning tool
> **2026-07-18 Route Adjustment**: The project has shifted from using a βmulti-CMS scannerβ to focusing on **RuoYi optimization**. Plugin-based architecture, with three-state determination (CONFIRMED/SAFE/UNKNOWN), support for batch scanning and reports in multiple formats.
> **Author**: Xueshan Passenger
> **Version**: 1.0.0
> **Technology Stack**: Python 3 + `requests`, command-line tools, console color output
---
## Project Overview
A legally licensed **RuoYi-specific vulnerability scanner** with a plugin-based architecture. Supports three-state determination (CONFIRMED/SAFE/UNKNOWN), batch scanning, and reports in various formats.
- **Author**: Xueshan Passenger
- **Version**: 1.0.0
- **Technology Stack**: Python 3 + `requests`, command-line tools, console color output
---
## Current Features
| Module | Description |
|-------|-------|
| `plugins/ruoyi/` | 16 RuoYi POCs (core, optimization-focused) |
| `plugins/spring/` | 14 Spring Boot POCs (synergy-related, closely related to RuoYi ecosystem) |
| `plugins/common/` | General vulnerability packages (backup files like .git/.env/ and CORS settings; no dependency on CMS fingerprints) |
| Fingerprint Identification | Favicon hash, feature paths, keywords on login pages; data-driven approach |
| Batch Scanning | `-f targets.txt`: Batch report generation |
| Reports | HTML (SVG charts)/JSON/CSV/PDF/Word/Excel (optional dependency reduction) |
| Concurrency Limitation | ThreadPoolExecutor + token bucket mechanism (sleep during non-concurrency; no degradation) |
| Three-State Determination | Never mark as SAFE for network anomalies |
| WAF Bypass | 11 bypass strategies (L1 deformation/L2 encoding/L3 protocol/L4 direct connection to origin server) + three-state determination protection matrix + strategy success rate tracking (D7) |
| Web API | FastAPI REST + WebSocket real-time updates + Alpine.js console (D9, `--serve` mode) |
---
## Quick Start
```bash
# Install dependencies
pip install -r requirements.txt
# Single-target vulnerability scanning
python main.py -p http://target:8080/
# Batch scanning
python main.py -f targets.txt -p --report ./reports
# Manually specify CMS (skipping fingerprint identification)
python main.py -p http://target:8080/ --cms ruoyi
# Comprehensive scanning (directory scanning + vulnerability detection + login brute-force attack)
python main.py -u http://target:8080/
# Generate full-format reports (HTML/JSON/CSV/PDF/Word/Excel)
python main.py -p http://target:8080/ --report ./reports --report-format all
# Close duplicate reports
python main.py -p http://target:8080/ --report ./reports --no-dedup
# Execute vulnerability exploitation chains (D6)
python main.py --chain ruoyi_sql_to_rce -u http://target:8080/
python main.py --chain list # List available chains
# WAF Bypass (D7, detecting automatically enabled WAF)
python main.py -p http://target:8080/ --bypass-waf auto # Automatic mode (default)
python main.py -p http://target:8080/ --bypass-waf on # Force WAF bypass
python main.py -p http://target:8080/ --bypass-waf off # Disable bypass
# Web API Service (D9, start HTTP API + WebSocket + Web console)
python main.py --serve # Default: 0.0.0.0:8000
python main.py --serve --host 127.0.0.1 --port 9000 # Custom address and port
# After starting:
# http://host:port/ Web console
# http://host:port/docs OpenAPI documentation
# ws://host:port/ws/scan/{task_id} WebSocket real-time events
```
**CLI Parameters**:
`-h` Help / `-u` Comprehensive scanning / `-m` Directory scanning / `-p` Vulnerability detection / `-l` Login brute-force attack / `-f` Batch processing / `--cms` Specify CMS (ruoyi/spring) / `--threads` Concurrency level / `--rate` Speed limit / `--proxy` Proxy settings / `--report` Report directory / `--report-format` Report format (html/json/csv/pdf/docx/xlsx, comma-separated, all=all) / `--no-dedup` Disable deduplication / `--chain` Execute vulnerability exploitation chains / `--chain-list` List available chains / `--bypass-waf` WAF bypass strategies (auto/on/off, default auto) / `--portscan` Port scanning / `--ports` Custom ports / `--passive` Passive proxy mode / `--passive-host` Proxy listening address / `--passive-port` Proxy listening port / `--serve` Start Web API service / `--host` Listening address / `--port` Listening port / `--timeout` Timeout / `--debug` Debug mode / `--pass-level` Password dictionary level (top100/top1000/full)
---
## Directory Structure
```
Ruoyi-Scan/
βββ main.py # CLI entry point
βββ config/settings.py # Global configuration
βββ core/ # Engine/routing/fingerprint/session/report/caching
βββ plugins/ # Plugin packages (ruoyi + spring + common)
βββ lib/ # Tool library (fingerprint features/HTTP/matchmaker/colors)
βββ data/ # Dictionary (ruoyi.txt/password.txt)
βββ lab/ # Training ground
β βββ server.py # RuoYi signature training ground
β βββ spring_server.py # Spring signature training ground
β βββ real-spring/ # Real Spring response training ground (automated with CI)
β βββ real-ruoyi/ # Real RuoYi 4.7.8 Java application
β βββ REAL-RUOYI.md # Real RuoYi verification report
β βββ REAL-SPRING.md # Real Spring verification report
β βββ VULN-REINTRODUCE.md # Guide for re-introducing RuoYi vulnerabilities
βββ tests/ # Unit tests + regression tests
βββ scripts/run_e2e.py # End-to-end verification script
βββ agents.md # AI coding constraints (highest priority)
βββ P0P1P2UpgradePlan.md # Deepening Ruoyi D1-D5 plan (currently valid)
βββ trae_prompt.md # Trae long-term task prompts (currently valid)
βββ DevelopmentPlan.md # Initial plugin refactoring plan (historical reference)
βββ SubsequentDevelopmentPlan.md # Early multi-CMS expansion plan (already deprecated)
```
---
## Deepening Ruoyi Roadmap (Starting July 18, 2026)
| Phase | Content | Priority |
|------|----------|---------|
| D4 | Automated acceptance for real-ruoyi + cycle-based verification of signature markers | High (building baseline) |
| D1 | Unlocking login chains (v4 Session + v5 JWT dual links) | High |
| D2 | Adapting to multiple versions (4.2 / 4.7 / v5) | High |
| D5 | Measuring false positive rate (10 non-Ruoyi sites, false positive rate < 5%) | High |
| D3 | Handling captcha (OCR/bypass/skip modes) | Medium |
| D8 | Improving reports (PDF/Word/Excel + result deduplication) | High (completed) |
| D6 | Arranging vulnerability exploitation chains (DAG topology + conditional branches + failure strategies) | High (completed) |
| D7 | Automatically bypassing WAF (11 policies + three-state decision-making matrix + success rate tracking) | High (completed) |
| D9 | Web API REST interfaces (FastAPI + WebSocket + Alpine.js console) | High (completed) |
See also [`P0P1P2UpgradePlan.md`](P0P1P2UpgradePlan.md). ---
---
## Testing
```bash
# Unit testing
python -m pytest tests/ -q
# Ruoyi plugin regression testing
python tests/regression_ruoyi.py
# Spring plugin regression testing
python tests/regression_spring.py
# Signature training ground comparison
LAB_MODE=vuln LAB_PORT=8090 python lab/server.py &
python main.py -p http://127.0.0.1:8090/ # Expect full CONFIRMED results
```
---
## Migrated Contents
The following CMS plugin packages were migrated to [`../cms-scan-extras/`](../cms-scan-extras/) on July 18, 2026, and are no longer maintained:
- `thinkphp` (12 POCs) + signature training ground + real PHP training ground + verification reports
- `weaver` (11 POCs) + signature training ground + regression testing
- `shiro` (7 POCs)
- `struts2` (8 POCs)
- `nuclei` bridge + `core/nuclei_adapter.py` + pyyaml dependencies
Reason for migration: POCs are broad and shallow; true hit rates are low, reducing the credibility of the project. See [`../cms-scan-extras/README.md`](../cms-scan-extras/README.md) for details. ---
---
## Security and Compliance
This tool is only used for security testing and research within the **authorized scope**. It must not be used on unauthorized targets. Plugins involved in exploitation only perform existence checks and do not cause actual damage. ---
---
## Documentation Navigation
- [`agents.md`](agents.md) β AI coding constraints (highest priority, must-read for Trae)
- [`P0P1P2UpgradePlan.md`](P0P1P2UpgradePlan.md) β Deepening Ruoyi D1-D5 plan (currently valid)
- [`trae_prompt.md`](trae_prompt.md) β Trae long-term task prompts (currently valid)
- [`lab/REAL-RUOYI.md`](lab/REAL-RUOYI.md) β Real RuoYi 4.7.8 verification report
- [`lab/REAL-SPRING.md`](lab/REAL-SPRING.md) β Real Spring verification report
- [`lab/VULN-REINTRODUCE.md`](lab/VULN-REINTRODUCE.md) β Guide for re-introducing RuoYi vulnerabilities
- [`DevelopmentPlan.md`](DevelopmentPlan.md) β Initial plugin refactoring plan (historical reference)
- [`SubsequentDevelopmentPlan.md`](SubsequentDevelopmentPlan.md) β Early multi-CMS expansion plan (already deprecated)