Search Syntax Guide General Rules ● Search scope covers devices (IPv4, IPv6) and websites (domain names). ● When entering a search string, the system will match the keywords in 'global' mode, covering content from various protocols such as HTTP, SSH, FTP, etc. ● The search string is case-insensitive and will be matched after segmentation. Use == for precise matching and strict restriction of search syntax case sensitivity. ● Please use quotation marks for search strings (e.g., "Cisco System"). Use \ for escape if needed (e.g., "a\"b", portinfo\(\)). Search Logic Operations SearchLogic Description Example = Search for assets containing keywords title="knownsec" == Precise search, exact match (case title=="knownsec" sensitive), supports empty values || Logical OR service="ssh" || service="http" && Logical AND device="router" && after="2020-01-01" != Logical NOT country="US" && subdivisions!="new york" () Priority grouping (country="US" && port!=80) || (country="US" && title!="404 Not Found") * Fuzzy search title="google*" Geographical Location Search Filter Description Tips country="CN" Search for country assets Input country abbreviations or names, e.g. country="china" subdivisions="beijing" Search for assets in administrative Input in English region city="changsha" Search for city assets Input in English Certificate Search Filter Description Tips ssl="google" Search for assets with string Used for product/company name in SSL certificate ssl.cert.fingerprint="..." Search for certificate fingerprint ssl.chain_count=3 Search for SSL chain count assets ssl.cert.alg="SHA256-RSA" Search for signature algorithms ssl.cert.issuer.cn="pbx.wildix.com" Search for issuer common name ssl.cert.pubkey.rsa.bits=2048 Search RSA public key bits ssl.cert.pubkey.type="RSA" Search certificate public key type ssl.cipher.version="TLSv1.3" Search encryption suite version ssl.version="TLSv1.3" Search SSL version ssl.cert.subject.cn="example.com" Search certificate subject common name ssl.jarm="..." Search by JARM fingerprint ssl.ja3s=... Search by JA3S fingerprint IP or Domain Name Search Filter Description Tips ip="8.8.8.8" Search for specific IPv4 address cidr="52.2.254.36/24" Search for C-class IP range org="Stanford University" Search for organization assets asn=42893 Search for ASN related assets port=80 Search for assets on port 80 domain="baidu.com" Search for domain/subdomain assets http.header.server="Nginx" Search by HTTP header server http.header.status_code="200" Search by HTTP status code http.body="document" Search by HTML body content Fingerprint Search Filter Description Tips app="Cisco ASA SSL VPN" Search for Cisco ASA-SSL-VPN devices service="ssh" Search for specific service protocol http, ftp, ssh, telnet, etc. device="router" Search for device type router, switch, storage-misc, etc. os="RouterOS" Search for operating system industry="government" Search for industry type product="Cisco" Search for product/component info protocol="TCP" Search by transmission protocol is_honeypot="True" Filter honeypot assets Time Filters Filter Description Tips after="2020-01-01" && port="50050" Search after specific date before="2020-01-01" && port="50050" Search before specific date Other Filters Filter Description Tips dig="baidu.com 220.181.38.148" Search for assets with dig content vul.cve="CVE-2021-44228" Search for assets with CVE iconhash="f3418a44..." Search by icon MD5 hash Google icon filehash="0b5ce08..." Search by parsed file data hash e.g., Gitlab is_bugbounty=true Filter bug bounty assets is_changed=true Filter assets changed within 7 days is_new=true Filter newly discovered assets within 7 days API Document Update time:2024-12-04 ZoomEye provides a powerful and flexible RESTful API for network research enthusiasts, developers, and security geeks, enabling seamless access to platform resources, automating network exploration, and building a wide range of application scenarios, With the ZoomEye API, you can: ① Automate Asset Discovery Perform bulk searches of global network devices, services, and systems to create a comprehensive map of network assets. ② Manage and Integrate Attack Surfaces Leverage the API to seamlessly integrate network asset data into existing attack surface management platform, enabling precise identification and reduction of exposure risks. ③ Real-time Monitoring and Threat Alerts Continuously track sensitive assets exposed on the internet and detect potential risks in real-time. ④ Customized Data Analysis and Tool Development Use ZoomEye’s rich dataset to develop custom tools, such as IoT security validation utilities, vulnerability scanning plugins, and threat intelligence analysis systems. ⑤ Generate Visualized Reports Automatically extract data to generate asset or risk reports, empowering informed and effective security decision-making. Base URLs: https://api.zoomeye.ai Email: API Support Authentication ZoomEye-API supports API-KEY authentication, Each account will find the API-KEY string at the bottom of its profile page. Just fill in the string into the API-KEY field of ZoomEye-API. You can get the API-KEY from https://www.zoomeye.ai/profile User Get user information, subscription details and current points. POST /v2/userinfo Code samples # Bash curl -X POST https://api.zoomeye.ai/v2/userinfo -H "API-KEY: $YOUR_API_KEY" Example responses { "code": 60000, "message": "success", "data": { "username": "abc", "email": "user@example.com", "phone": "+1234567890", "created_at": "2023-01-15T08:00:00Z", "subscription": { "plan": "Premium", "end_date": "2024-01-20T00:00:00Z", "points": "30000", "zoomeye_points": "10000000" } } } Response field description Name Type Description code integer Response code message string Response message data object User information and subscription details username string Username email string User email phone string User phone number created_at string(date-time) user creation time subscription object subscription information plan string subscription plan end_date string(date-time) subscription end date points string Available General Points, You can also see it from https://www.zoomeye.ai/profile/record zoomeye_points string Available ZoomEye-Points, You can also see it from https://www.zoomeye.ai/profile/record Asset Search Get network asset information based on query conditions. POST /v2/search Code samples # Bash curl -X POST 'https://api.zoomeye.ai/v2/search' -H "API-KEY: $YOUR_API_KEY" \ -H 'content-type: application/json' \ -d '{ "qbase64": "dGl0bGU9ImNpc2NvIHZwbiIK", "page": 1 }' Parameters Field Name Type Required Description qbase64 string true Base64 encoded query string. For more, refer to Related references. fields string false The fields to return, separated by commas. Default: ip, port, domain, update_time. For more, refer to Response field description sub_type string false Data type, supports v4, v6, and web. Default is v4. page integer false View asset page number pagesize integer false Number of records per page, default is 10, maximum is 10,000. facets string false Statistical items, separated by commas if there are multiple. Supports country, subdivisions, city, product, service, device, OS, and port. ignore_cache boolean false Whether to ignore the cache. false, supported by Business plan and above. Example responses { "code": 60000, "message": "success", "total": 163139107, "query": "title=\"cisco vpn\"", "data": [ { "url": "https://1.1.1.1:443", "ssl.jarm": "29d29d15d29d29d00029d29d29d29dea0f89a2e5fb09e4d8e099befed92cfa", "ssl.ja3s": "45094d08156d110d8ee97b204143db14", "iconhash_md5": "f3418a443e7d841097c714d69ec4bcb8", "robots_md5": "0b5ce08db7fb8fffe4e14d05588d49d9", "security_md5": "0b5ce08db7fb8fffe4e14d05588d49d9", "ip": "1.1.1.1", "domain": "www.google.com", "hostname": "SPACEX", "os": "windows", "port": 443, "service": "https", "title": [ "GoogleGoogle appsGoogle Search" ], "version": "1.1.0", "device": "webcam", "rdns": "c01031-001.cust.wallcloud.ch", "product": "OpenSSD", "header": "HTTP/1.1 302 Found Location: https://www.google.com/?gws_rd=ssl Cache-Control: private...", "header_hash": "27f9973fe57298c3b63919259877a84d", "body": "HTTP/1.1 302 Found Location: https://www.google.com/?gws_rd=ssl Cache-Control: private...", "body_hash": "84a18166fde3ee7e7c974b8d1e7e21b4", "banner": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3", "update_time": "2024-07-03T14:34:10", "header.server.name": "nginx", "header.server.version": "1.8.1", "continent.name": "Europe", "country.name": "Germany", "province.name": "Hesse", "city.name": "Frankfurt", "lon": "118.753262", "lat": "32.064838", "isp.name": "aviel.ru", "organization.name": "SERVISFIRST BANK", "zipcode": "210003", "idc": 0, "honeypot": 0, "asn": 4837, "protocol": "tcp", "ssl": "SSL Certificate Version: TLS 1.2 CipherSuit: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256...", "primary_industry": "Finance", "sub_industry": "bank", "rank": 60 } ] } Response field description The query interface supports a large number of fields, such as ip, port, domain, update_time, etc. Field Name Type Description Permission ip string IP address (used when the web asset is incomplete) All users domain string Domain All users url string Full URL of the asset (for web assets) All users ssl.jarm string SSL JARM fingerprint All users ssl.ja3s string SSL JA3S fingerprint All users iconhash_md5 string MD5 value of the icon image Professional plan and above robots_md5 string MD5 value of the robots.txt file Business plan and above security_md5 string MD5 value of the security settings file Business plan and above hostname string Hostname information All users os string Operating system information All users port integer Port number All users service string Provided application protocol (e.g., HTTP, SSH) All users title list Webpage title All users version string Component version information All users device string Device name All users rdns string Reverse DNS information All users product string Product component information All users header string HTTP response header information All users header_hash string Hash calculated from HTTP response header Professional plan and above banner string Service banner information All users body string HTML Body content Business plan and above body_hash string Hash calculated from the HTML body Professional plan and above update_time string Asset update time All users header.server.name string Server name in the HTTP response header All users continent.name string Name of the continent All users country.name string Name of the country All users province.name string Name of the province All users city.name string Name of the city All users isp.name string ISP name All users organization.name string Organization name All users zipcode integer Postal code All users idc string Is it an IDC (0 for no, 1 for yes) All users lon string Geolocation longitude All users lat string Geolocation latitude All users asn string Autonomous System Number All users protocol string Transport layer protocol (e.g., TCP, UDP) All users honeypot integer Is it a honeypot (0 for no, 1 for yes) All users ssl string SSL x509 certificate information All users primary_industry string Primary industry information Business plan and above sub_industry string Sub-industry information Business plan and above rank integer Asset importance ranking, the higher the score, the Business plan and more above important. Related references base64 encoding conversion Convert the query condition to base64 encoding and pass it to the API as a qbase64 parameter. #bash echo 'title="knownsec"' | base64 Vulnerability Details Get detailed information about a specific vulnerability by its ID. GET /v2/vuldb/{id} Code samples # Bash curl -X GET 'https://api.zoomeye.ai/v2/vuldb/CVE-2023-46747' -H "API-KEY: $YOUR_API_KEY" Parameters Field Name Type Required Description id string true The unique identifier of the vulnerability,eg: CVE-xxxx-xxxxx,CNVD-xxxx-xxxxx,CNVD-xxxx-xxxxx Example responses { "code": 60000, "message": "success", "data": { "id": "67a1077ca01799a3170e9f5d", "title": "BIG-IP Configuration utility unauthenticated remote code execution vulnerability", "description": "Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated", "vul_type": [ "Unauthorized Access" ], "affected": [ { "vendor": "F5", "product": "BIG-IP", "version": "" } ], "references": [ { "url": "https://my.f5.com/manage/s/article/K000137353", "name": "", "tags": [ "vendor-advisory" ] }, { "url": "http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html", "name": "", "tags": [] }, { "url": "https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/", "name": "", "tags": [] }, { "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46747", "name": "", "tags": [] }, { "url": "https://www.cve.org/CVERecord?id=CVE-2023-46747", "name": "", "tags": [] }, { "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "name": "cisa", "tags": [ "cisa" ] } ], "severity": { "value": "critical", "source": "cvss_v31", "score": 9.8 }, "recommendation": [ { "type": "temp", "content": "1. Update to the latest version promptly.2. Implement strict access control mechanisms.3. Restrict access and filter user input.4. It is recommended to disable external entity resolution." } ], "cwe": [ { "cwe_id": "CWE-288", "description": " Authentication Bypass Using an Alternate Path or Channel" } ], "cvss": [ { "version": "3.1", "score": 9.8, "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "severity": "critical" } ], "cpes": [ "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_fraud_protection_services:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_container_ingress_services:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_automation_toolchain:*:*:*:*:*:*:*:*" ], "updated_at": "2025-06-24 06:38:34", "created_at": "2025-02-03 18:14:20", "cve": "CVE-2023-46747", "cnnvd": "", "published_at": "2023-10-26 20:04:53", "dork": "app=\"F5 BIG-IP load balancer\"" } } Response field description Name Type Description code integer Response code message string Response message data object Vulnerability details id string Unique identifier of the vulnerability title string Title of the vulnerability description string Detailed description of the vulnerability affected array Affected products information affected.vendor string Vendor name affected.product string Product name affected.version string Affected version references array Reference links references.url string Reference URL references.name string Reference name references.tags array Reference tags severity object Severity information severity.value string Severity level (low, medium, high, critical) severity.source string Source of severity assessment severity.score number Numerical severity score recommendation array Remediation recommendations recommendation.type string Type of recommendation (official, temp) recommendation.content string Recommendation content cwe array Common Weakness Enumeration information cwe.cwe_id string CWE identifier cwe.description string CWE description cvss array Common Vulnerability Scoring System information cvss.version string CVSS version cvss.score number CVSS score cvss.vector_string string CVSS vector string cvss.severity string CVSS severity level cpes array Common Platform Enumeration identifiers cnvd string China National Vulnerability Database identifier epss object Exploit Prediction Scoring System information epss.cve_id string CVE identifier epss.epss number EPSS score epss.percentile number EPSS percentile updated_at string Last update timestamp created_at string Creation timestamp cve string Common Vulnerabilities and Exposures identifier cnnvd string China National Vulnerability Database of Information Security identifier published_at string Publication timestamp Vulnerability Search Get vulnerability information based on query parameters. GET /v2/search/vuldb Code samples # Bash curl -X GET 'https://api.zoomeye.ai/v2/search/vuldb?search=tongda' -H "API-KEY: $YOUR_API_KEY" Parameters Field Name Type Required Description page_size integer false Number of items per page, default is 10, maximum is 100 page integer false Page number vendor string false Filter statistics by vendor name product string false Filter statistics by product name Example responses { "code": 60000, "message": "success", "data": [ { "id": "6855c7a135d67fe62542cf2c", "title": "Missing Authorization in GitLab", "description": "An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template.", "vul_type": [ "Unauthorized Access" ], "affected": [ { "vendor": "GitLab", "product": "GitLab", "version": "" } ], "references": [ { "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/428268", "name": "GitLab Issue #428268", "tags": [ "issue-tracking", "permissions-required" ] }, { "url": "https://hackerone.com/reports/2209702", "name": "HackerOne Bug Bounty Report #2209702", "tags": [ "technical-description", "exploit", "permissions-required" ] }, { "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5600", "name": "", "tags": [] }, { "url": "https://www.cve.org/CVERecord?id=CVE-2023-5600", "name": "", "tags": [] } ], "severity": { "value": "low", "source": "cvss_v31", "score": 3.1 }, "recommendation": [ { "type": "temp", "content": "1. Update to the latest version promptly.2. Implement strict access control mechanisms.3. Restrict access and filter user input.4. It is recommended to disable external entity resolution." } ], "cwe": [ { "cwe_id": "CWE-862", "description": " Missing Authorization" } ], "cvss": [ { "version": "3.1", "score": 3.1, "vector_string": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "severity": "low" } ], "cpes": [ "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" ], "cnvd": "", "epss": {}, "updated_at": "2025-06-20 19:52:09", "created_at": "2025-06-20 20:42:09", "cve": "CVE-2023-5600", "cnnvd": "", "published_at": "2025-06-20 19:31:08" } ], "total": 1185 } Response field description Field Name Type Description code integer Response code message string Response message data array Array of vulnerability information data[].id string Unique identifier of the vulnerability data[].title string Title of the vulnerability data[].description string Detailed description of the vulnerability data[].vul_type array Types of vulnerability data[].affected array Affected products information data[].affected[].vendor string Vendor name data[].affected[].product string Product name data[].affected[].version string Affected version data[].references array Reference links data[].references[].url string Reference URL data[].references[].name string Reference name data[].references[].tags array Reference tags data[].severity object Severity information data[].severity.value string Severity level (low, medium, high, critical) data[].severity.source string Source of severity assessment data[].severity.score number Numerical severity score data[].recommendation array Remediation recommendations data[].recommendation[].type string Type of recommendation (official, temp) data[].recommendation[].content string Recommendation content data[].cwe array Common Weakness Enumeration information data[].cwe[].cwe_id string CWE identifier data[].cwe[].description string CWE description data[].cvss array Common Vulnerability Scoring System information data[].cvss[].version string CVSS version data[].cvss[].score number CVSS score data[].cvss[].vector_string string CVSS vector string data[].cvss[].severity string CVSS severity level data[].cpes array Common Platform Enumeration identifiers data[].cnvd string China National Vulnerability Database identifier data[].epss object Exploit Prediction Scoring System information data[].updated_at string Last update timestamp data[].created_at string Creation timestamp data[].cve string Common Vulnerabilities and Exposures identifier data[].cnnvd string China National Vulnerability Database of Information Security identifier data[].published_at string Publication timestamp total integer Total number of vulnerabilities matching the query Bugbounty Asset Search Get bugbounty network asset information based on query conditions. POST /v2/bugbounty Code samples # Bash curl -X POST 'https://api.zoomeye.ai/v2/bugbounty' -H "API-KEY: $YOUR_API_KEY" \ -H 'content-type: application/json' \ -d '{ "qbase64": "dGl0bGU9ImNpc2NvIHZwbiIK", "page": 1 }' Parameters Field Name Type Required Description qbase64 string true Base64 encoded query string. For more, refer to Related references. fields string false The fields to return, separated by commas. Default: ip,port,domain,update_time,bugbounty.source,is_new,is_changed. For more, refer to Response field description sub_type string false Data type, supports v4, v6, and web. Default is v4. page integer false View asset page number facets string false Statistical items, separated by commas if there are multiple. Supports country, subdivisions, city, product, service, device, OS, and port. ignore_cache boolean false Whether to ignore the cache. false, supported by Business plan and above. Example responses { "code": 60000, "message": "success", "query": "bugbounty.source = hackerone", "total": 38641, "data": [ { "current": { "update_time": "2025-07-15T18:36:12.102579", "port": 443, "ip": "23.210.26.134", "header": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html;charset=utf-8\r\nContent-Language: en...", "domain": "api.dyson.ch", "is_changed": true }, "previous": { "update_time": "2025-07-15T18:20:04.804647", "port": 443, "ip": "23.210.216.156", "header": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html;charset=utf-8\r\nContent-Language: en...", "domain": "api.dyson.ch", "is_changed": true }, "changed": { "ip": true, "header": true } } ], "facets": {} } Response field description The query interface supports a large number of fields, such as ip, port, domain, update_time, etc. Field Name Type Description current string Latest information previous string Previous information changed string Changing information domain string Domain url string Full URL of the asset (for web assets) ssl.jarm string SSL JARM fingerprint ssl.ja3s string SSL JA3S fingerprint iconhash_md5 string MD5 value of the icon image robots_md5 string MD5 value of the robots.txt file security_md5 string MD5 value of the security settings file hostname string Hostname information os string Operating system information port integer Port number service string Provided application protocol (e.g., HTTP, SSH) title list Webpage title version string Component version information device string Device name rdns string Reverse DNS information product string Product component information header string HTTP response header information header_hash string Hash calculated from HTTP response header banner string Service banner information body string HTML Body content body_hash string Hash calculated from the HTML body update_time string Asset update time header.server.name string Server name in the HTTP response header continent.name string Name of the continent country.name string Name of the country province.name string Name of the province city.name string Name of the city isp.name string ISP name organization.name string Organization name zipcode integer Postal code idc string Is it an IDC (0 for no, 1 for yes) lon string Geolocation longitude lat string Geolocation latitude asn string Autonomous System Number protocol string Transport layer protocol (e.g., TCP, UDP) honeypot integer Is it a honeypot (0 for no, 1 for yes) ssl string SSL x509 certificate information primary_industry string Primary industry information sub_industry string Sub-industry information rank integer Asset importance ranking, the higher the score, the more important. bugbounty.source string Bugbounty source is_new string Indicates whether the domain is newly discovered as part of bugbounty data is_changed string Indicates whether the bugbounty domain information has been updated Related references base64 encoding conversion Convert the query condition to base64 encoding and pass it to the API as a qbase64 parameter. #bash echo 'title="knownsec"' | base64