Share
## https://sploitus.com/exploit?id=D9272EE8-A38C-5B7F-8ADC-99B929ACB844
# Ruoyi-Scan β€” RuoYi-specific vulnerability scanning tool

> **2026-07-18 Route Adjustment**: The project has shifted from using a β€œmulti-CMS scanner” to focusing on **RuoYi optimization**. Plugin-based architecture, with three-state determination (CONFIRMED/SAFE/UNKNOWN), support for batch scanning and reports in multiple formats.  
> **Author**: Xueshan Passenger  
> **Version**: 1.0.0  
> **Technology Stack**: Python 3 + `requests`, command-line tools, console color output  

---

## Project Overview

A legally licensed **RuoYi-specific vulnerability scanner** with a plugin-based architecture. Supports three-state determination (CONFIRMED/SAFE/UNKNOWN), batch scanning, and reports in various formats.  
- **Author**: Xueshan Passenger  
- **Version**: 1.0.0  
- **Technology Stack**: Python 3 + `requests`, command-line tools, console color output  

---

## Current Features

| Module | Description |
|-------|-------|
| `plugins/ruoyi/` | 16 RuoYi POCs (core, optimization-focused) |
| `plugins/spring/` | 14 Spring Boot POCs (synergy-related, closely related to RuoYi ecosystem) |
| `plugins/common/` | General vulnerability packages (backup files like .git/.env/ and CORS settings; no dependency on CMS fingerprints) |
| Fingerprint Identification | Favicon hash, feature paths, keywords on login pages; data-driven approach |
| Batch Scanning | `-f targets.txt`: Batch report generation |
| Reports | HTML (SVG charts)/JSON/CSV/PDF/Word/Excel (optional dependency reduction) |
| Concurrency Limitation | ThreadPoolExecutor + token bucket mechanism (sleep during non-concurrency; no degradation) |
| Three-State Determination | Never mark as SAFE for network anomalies |
| WAF Bypass | 11 bypass strategies (L1 deformation/L2 encoding/L3 protocol/L4 direct connection to origin server) + three-state determination protection matrix + strategy success rate tracking (D7) |
| Web API | FastAPI REST + WebSocket real-time updates + Alpine.js console (D9, `--serve` mode) |

---

## Quick Start

```bash
# Install dependencies
pip install -r requirements.txt

# Single-target vulnerability scanning
python main.py -p http://target:8080/

# Batch scanning
python main.py -f targets.txt -p --report ./reports

# Manually specify CMS (skipping fingerprint identification)
python main.py -p http://target:8080/ --cms ruoyi

# Comprehensive scanning (directory scanning + vulnerability detection + login brute-force attack)
python main.py -u http://target:8080/

# Generate full-format reports (HTML/JSON/CSV/PDF/Word/Excel)
python main.py -p http://target:8080/ --report ./reports --report-format all

# Close duplicate reports
python main.py -p http://target:8080/ --report ./reports --no-dedup

# Execute vulnerability exploitation chains (D6)
python main.py --chain ruoyi_sql_to_rce -u http://target:8080/
python main.py --chain list  # List available chains

# WAF Bypass (D7, detecting automatically enabled WAF)
python main.py -p http://target:8080/ --bypass-waf auto   # Automatic mode (default)
python main.py -p http://target:8080/ --bypass-waf on     # Force WAF bypass
python main.py -p http://target:8080/ --bypass-waf off    # Disable bypass

# Web API Service (D9, start HTTP API + WebSocket + Web console)
python main.py --serve                              # Default: 0.0.0.0:8000
python main.py --serve --host 127.0.0.1 --port 9000 # Custom address and port
# After starting:
#   http://host:port/         Web console
#   http://host:port/docs     OpenAPI documentation
#   ws://host:port/ws/scan/{task_id}  WebSocket real-time events
```

**CLI Parameters**:
`-h` Help / `-u` Comprehensive scanning / `-m` Directory scanning / `-p` Vulnerability detection / `-l` Login brute-force attack / `-f` Batch processing / `--cms` Specify CMS (ruoyi/spring) / `--threads` Concurrency level / `--rate` Speed limit / `--proxy` Proxy settings / `--report` Report directory / `--report-format` Report format (html/json/csv/pdf/docx/xlsx, comma-separated, all=all) / `--no-dedup` Disable deduplication / `--chain` Execute vulnerability exploitation chains / `--chain-list` List available chains / `--bypass-waf` WAF bypass strategies (auto/on/off, default auto) / `--portscan` Port scanning / `--ports` Custom ports / `--passive` Passive proxy mode / `--passive-host` Proxy listening address / `--passive-port` Proxy listening port / `--serve` Start Web API service / `--host` Listening address / `--port` Listening port / `--timeout` Timeout / `--debug` Debug mode / `--pass-level` Password dictionary level (top100/top1000/full)

---

## Directory Structure

```
Ruoyi-Scan/
β”œβ”€β”€ main.py                  # CLI entry point
β”œβ”€β”€ config/settings.py       # Global configuration
β”œβ”€β”€ core/                    # Engine/routing/fingerprint/session/report/caching
β”œβ”€β”€ plugins/                 # Plugin packages (ruoyi + spring + common)
β”œβ”€β”€ lib/                     # Tool library (fingerprint features/HTTP/matchmaker/colors)
β”œβ”€β”€ data/                    # Dictionary (ruoyi.txt/password.txt)
β”œβ”€β”€ lab/                     # Training ground
β”‚   β”œβ”€β”€ server.py            # RuoYi signature training ground
β”‚   β”œβ”€β”€ spring_server.py     # Spring signature training ground
β”‚   β”œβ”€β”€ real-spring/         # Real Spring response training ground (automated with CI)
β”‚   β”œβ”€β”€ real-ruoyi/          # Real RuoYi 4.7.8 Java application
β”‚   β”œβ”€β”€ REAL-RUOYI.md        # Real RuoYi verification report
β”‚   β”œβ”€β”€ REAL-SPRING.md       # Real Spring verification report
β”‚   └── VULN-REINTRODUCE.md  # Guide for re-introducing RuoYi vulnerabilities
β”œβ”€β”€ tests/                   # Unit tests + regression tests
β”œβ”€β”€ scripts/run_e2e.py       # End-to-end verification script
β”œβ”€β”€ agents.md                # AI coding constraints (highest priority)
β”œβ”€β”€ P0P1P2UpgradePlan.md        # Deepening Ruoyi D1-D5 plan (currently valid)
β”œβ”€β”€ trae_prompt.md           # Trae long-term task prompts (currently valid)
β”œβ”€β”€ DevelopmentPlan.md          # Initial plugin refactoring plan (historical reference)
└── SubsequentDevelopmentPlan.md  # Early multi-CMS expansion plan (already deprecated)
```

---

## Deepening Ruoyi Roadmap (Starting July 18, 2026)

| Phase | Content | Priority |
|------|----------|---------|
| D4 | Automated acceptance for real-ruoyi + cycle-based verification of signature markers | High (building baseline) |
| D1 | Unlocking login chains (v4 Session + v5 JWT dual links) | High |
| D2 | Adapting to multiple versions (4.2 / 4.7 / v5) | High |
| D5 | Measuring false positive rate (10 non-Ruoyi sites, false positive rate < 5%) | High |
| D3 | Handling captcha (OCR/bypass/skip modes) | Medium |
| D8 | Improving reports (PDF/Word/Excel + result deduplication) | High (completed) |
| D6 | Arranging vulnerability exploitation chains (DAG topology + conditional branches + failure strategies) | High (completed) |
| D7 | Automatically bypassing WAF (11 policies + three-state decision-making matrix + success rate tracking) | High (completed) |
| D9 | Web API REST interfaces (FastAPI + WebSocket + Alpine.js console) | High (completed) |

See also [`P0P1P2UpgradePlan.md`](P0P1P2UpgradePlan.md). ---

---

## Testing

```bash
# Unit testing
python -m pytest tests/ -q

# Ruoyi plugin regression testing
python tests/regression_ruoyi.py

# Spring plugin regression testing
python tests/regression_spring.py

# Signature training ground comparison
LAB_MODE=vuln LAB_PORT=8090 python lab/server.py &
python main.py -p http://127.0.0.1:8090/   # Expect full CONFIRMED results
```

---

## Migrated Contents

The following CMS plugin packages were migrated to [`../cms-scan-extras/`](../cms-scan-extras/) on July 18, 2026, and are no longer maintained:

- `thinkphp` (12 POCs) + signature training ground + real PHP training ground + verification reports
- `weaver` (11 POCs) + signature training ground + regression testing
- `shiro` (7 POCs)
- `struts2` (8 POCs)
- `nuclei` bridge + `core/nuclei_adapter.py` + pyyaml dependencies

Reason for migration: POCs are broad and shallow; true hit rates are low, reducing the credibility of the project. See [`../cms-scan-extras/README.md`](../cms-scan-extras/README.md) for details. ---

---

## Security and Compliance

This tool is only used for security testing and research within the **authorized scope**. It must not be used on unauthorized targets. Plugins involved in exploitation only perform existence checks and do not cause actual damage. ---

---

## Documentation Navigation

- [`agents.md`](agents.md) β€” AI coding constraints (highest priority, must-read for Trae)
- [`P0P1P2UpgradePlan.md`](P0P1P2UpgradePlan.md) β€” Deepening Ruoyi D1-D5 plan (currently valid)
- [`trae_prompt.md`](trae_prompt.md) β€” Trae long-term task prompts (currently valid)
- [`lab/REAL-RUOYI.md`](lab/REAL-RUOYI.md) β€” Real RuoYi 4.7.8 verification report
- [`lab/REAL-SPRING.md`](lab/REAL-SPRING.md) β€” Real Spring verification report
- [`lab/VULN-REINTRODUCE.md`](lab/VULN-REINTRODUCE.md) β€” Guide for re-introducing RuoYi vulnerabilities
- [`DevelopmentPlan.md`](DevelopmentPlan.md) β€” Initial plugin refactoring plan (historical reference)
- [`SubsequentDevelopmentPlan.md`](SubsequentDevelopmentPlan.md) β€” Early multi-CMS expansion plan (already deprecated)