vulnerability-check: a simple script to perform vulnerability assessment

This simple script uses open source software (nmap, vFeed and DPE) and performs almost the same task as Nessus or AVDS.


Debian/Ubuntu required packages:

$ sudo apt-get install nmap python2.7 php5-cli php5-sqlite -y
$ git clone
$ git clone && cd vFeed/ && python && cd ..
$ mkdir dpe && cd dpe && wget && python -u && cd ../vulnerability-check/

Vulnerability check:

$ nmap -sV -oX scanme.xml
$ php vc.php ../vFeed/vfeed.db ../dpe/dpe_db.xml scanme.xml
(C) 2013 Adam Ziaja <>
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
$ php vc.php ../vFeed/vfeed.db ../dpe/dpe_db.xml
(C) 2013 Adam Ziaja <>
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
username=admin password=axis2

(username and password from CVE-2010-0219)
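
The workflow above depends on what `nmap -sV -oX` records for each service. The following Python example is added here for illustration and is not code from vulnerability-check; the sample XML and the function names are constructed. It pulls the product, version and versioned CPE out of the scan XML, the kind of fingerprint a CVE database lookup can key on, and shows that an open port with no identified version leaves nothing to match.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX format (192.0.2.10 is a documentation address).
SAMPLE_XML = """<nmaprun scanner="nmap"><host>
 <address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="5.3p1" method="probed">
    <cpe>cpe:/a:openbsd:openssh:5.3p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe>
   </service></port>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.2.14" method="probed">
    <cpe>cpe:/a:apache:http_server:2.2.14</cpe></service></port>
  <port protocol="tcp" portid="3306"><state state="open"/>
   <service name="mysql" method="table"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/>
   <service name="http-proxy" method="table"/></port>
 </ports>
</host></nmaprun>"""


def versioned_cpes(service):
    """CPE 2.2 URIs (cpe:/part:vendor:product:version) whose version field is set."""
    cpes = [(c.text or "").strip() for c in service.findall("cpe")]
    return [c for c in cpes if len(c.split(":")) >= 5 and c.split(":")[4]]


def inventory(xml_text):
    """Return one dict per open port; 'cpes' is empty when no version was identified."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed or filtered: no reachable service to assess
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({"addr": addr, "port": int(port.get("portid")),
                         "product": attrs.get("product"), "version": attrs.get("version"),
                         "cpes": versioned_cpes(svc) if svc is not None else []})
    return rows


if __name__ == "__main__":
    print(*inventory(SAMPLE_XML), sep="\n")
```

Rows with an empty `cpes` list (port 3306 in the sample, guessed from the port table only) are the ones to re-scan or verify by hand before trusting a clean report.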


Tool submitted by Adam Ziaja (the tool's author)



NJ Ouchn
