opencode-api-security-testing 2.1.0 → 2.1.1

package/core/skill_executor_v3.py

@@ -0,0 +1,704 @@
+"""
+SKILL 执行器 v3.0 - 配置驱动执行
+
+根据 SKILL.md v3.0 定义的 vulnerability_detection_config 执行检测：
+1. SQL 注入检测
+2. 未授权访问检测  
+3. 越权访问检测
+4. 敏感信息泄露检测
+5. API 版本发现
+6. 路径遍历检测
+7. 认证绕过检测
+8. 暴力破解检测
+9. CORS 配置错误检测
+10. 云存储安全检测
+
+认证上下文支持:
+- Bearer Token
+- JWT
+- Session Cookie
+"""
+
+import sys
+sys.path.insert(0, '/workspace/skill-play/API-Security-Testing-Optimized')
+
+from core.prerequisite import prerequisite_check
+from core.api_parser import APIEndpointParser
+from core.cloud_storage_tester import CloudStorageTester
+
+
+class SKILLExecutorV3:
+    """SKILL 执行器 v3.0 - 配置驱动"""
+    
+    def __init__(self, target: str):
+        self.target = target
+        self.session = None
+        self.playwright_available = False
+        self.browser_type = None
+        
+        # 资产发现结果
+        self.parser = None
+        self.js_files = []
+        self.static_endpoints = []
+        self.dynamic_endpoints = []
+        self.hooked_endpoints = []
+        self.parent_paths = {}
+        
+        # API前缀
+        self.api_prefix = None
+        self.api_prefix_sources = {}
+        
+        # 认证上下文
+        self.auth_context = {
+            'type': None,
+            'token': None,
+            'cookies': None,
+            'logged_in': False
+        }
+        
+        # 测试结果
+        self.vulnerabilities = []
+        self.cloud_findings = []
+        
+        # 决策状态
+        self.site_type = None
+        self.has_real_api = False
+        self.has_dynamic_endpoints = False
+        self.html_fallback_all = False
+    
+    def run(self):
+        """执行 SKILL 流程 v3.0"""
+        print("=" * 70)
+        print("  API Security Testing Skill v3.0 - 配置驱动执行")
+        print("=" * 70)
+        print(f"  目标: {self.target}")
+        print()
+        
+        # ========== 阶段 0: 前置检查 ==========
+        print("[阶段 0] 前置检查")
+        print("-" * 50)
+        self._check_prerequisites()
+        
+        # ========== 阶段 1: 资产发现 ==========
+        print("\n[阶段 1] 资产发现")
+        print("-" * 50)
+        
+        self._static_analysis()
+        self._detect_site_type()
+        self._probe_parent_paths()
+        
+        if self.site_type in ['modern_spa', 'jquery_spa'] and self.playwright_available:
+            self._dynamic_analysis()
+        
+        if self.playwright_available and (self.has_real_api or self.has_dynamic_endpoints):
+            self._api_hook()
+        
+        # ========== 阶段 2: 漏洞检测 (配置驱动) ==========
+        print("\n[阶段 2] 漏洞检测")
+        print("-" * 50)
+        
+        self._update_decision_state()
+        
+        if self.has_real_api or self.has_dynamic_endpoints:
+            self._run_vulnerability_tests()
+        else:
+            if self.html_fallback_all:
+                self._report_nginx_fallback()
+        
+        # ========== 阶段 3: 云存储测试 ==========
+        print("\n[阶段 3] 云存储测试")
+        print("-" * 50)
+        self._cloud_storage_test()
+        
+        # ========== 阶段 4: 报告 ==========
+        print("\n[阶段 4] 报告")
+        print("-" * 50)
+        self._generate_report()
+        
+        return self._get_result()
+    
+    def _check_prerequisites(self):
+        """前置检查"""
+        self.playwright_available, self.browser_type, can_proceed = prerequisite_check()
+        
+        if can_proceed:
+            import requests
+            self.session = requests.Session()
+            self.session.headers.update({'User-Agent': 'Mozilla/5.0'})
+            print("  [OK] 前置检查通过")
+        else:
+            print("  [FAIL] 前置检查失败")
+    
+    def _static_analysis(self):
+        """静态分析"""
+        self.parser = APIEndpointParser(self.target, self.session)
+        
+        self.js_files = self.parser.discover_js_files()
+        print(f"  JS 文件: {len(self.js_files)}")
+        
+        self.static_endpoints = self.parser.parse_js_files(self.js_files)
+        print(f"  静态端点: {len(self.static_endpoints)}")
+        
+        for ep in self.static_endpoints[:5]:
+            print(f"    {ep.method} {ep.path}")
+    
+    def _detect_site_type(self):
+        """判断站点类型"""
+        html = self.session.get(self.target, timeout=10).text.lower()
+        
+        frontend = 'Unknown'
+        if 'vue' in html: frontend = 'Vue.js'
+        elif 'react' in html: frontend = 'React'
+        elif 'jquery' in html: frontend = 'jQuery'
+        
+        if len(self.js_files) == 0:
+            self.site_type = 'pure_html'
+        elif frontend == 'Unknown':
+            self.site_type = 'modern_spa'
+        else:
+            self.site_type = 'modern_spa'
+        
+        print(f"  站点类型: {self.site_type}")
+    
+    def _probe_parent_paths(self):
+        """父路径探测"""
+        self.parent_paths = self.parser.probe_parent_paths()
+        
+        json_api_count = sum(1 for p in self.parent_paths.values() if p.get('is_api'))
+        print(f"  父路径: {len(self.parent_paths)}, JSON API: {json_api_count}")
+        
+        if json_api_count > 0:
+            self.has_real_api = True
+    
+    def _dynamic_analysis(self):
+        """动态分析"""
+        print("  [动态分析] 启动 Playwright...")
+        try:
+            from core.dynamic_api_analyzer import DynamicAPIAnalyzer
+            from urllib.parse import urlparse
+            
+            analyzer = DynamicAPIAnalyzer(self.target)
+            results = analyzer.analyze_full()
+            
+            count = len(results.get('endpoints', []))
+            print(f"  [动态分析] 发现 {count} 个端点")
+            
+            self.dynamic_endpoints = results.get('endpoints', [])
+            
+            # 从动态端点提取 API 前缀
+            target_host = urlparse(self.target).netloc
+            for ep in self.dynamic_endpoints:
+                ep_path = ep.get('path', '')
+                # 跳过非API资源文件
+                if any(ext in ep_path.lower() for ext in ['.js', '.css', '.png', '.jpg', '.html', '.svg']):
+                    continue
+                if ep_path.startswith('http'):
+                    ep_host = urlparse(ep_path).netloc
+                    ep_path_only = urlparse(ep_path).path
+                    if ep_host == target_host:
+                        parts = ep_path_only.strip('/').split('/')
+                        if len(parts) >= 2:
+                            potential_prefix = '/' + '/'.join(parts[:2])
+                            if potential_prefix not in ['/login', '/logout']:
+                                self.api_prefix = potential_prefix
+                                print(f"  [API Prefix] from dynamic: {self.api_prefix}")
+                                break
+            
+            # 从静态端点推断API前缀（备选方案）
+            if not self.api_prefix and self.static_endpoints:
+                # 静态端点如 /sys/user/getUserInfo 说明有 /sys/ 路径
+                # 需要推断完整的API前缀
+                static_paths = [ep.path for ep in self.static_endpoints[:10]]
+                
+                # 提取静态端点的共同前缀
+                common_prefix = ''
+                if static_paths:
+                    parts_list = [p.strip('/').split('/') for p in static_paths if p.startswith('/')]
+                    if parts_list:
+                        # 找共同的前两个路径段
+                        if len(parts_list[0]) >= 2:
+                            prefix_parts = [parts_list[0][0], parts_list[0][1]]
+                            common_prefix = '/' + '/'.join(prefix_parts)
+                
+                # 如果目标URL有子路径，尝试使用子路径作为API前缀
+                from urllib.parse import urlparse
+                target_path = urlparse(self.target).path.strip('/')
+                if target_path:
+                    # 目标URL的子路径可能是API前缀（如 /ipark-admin -> /ipark）
+                    target_base = target_path.replace('-admin', '').replace('-api', '')
+                    if target_base and not target_base.startswith('_'):
+                        self.api_prefix = '/' + target_base
+                    else:
+                        self.api_prefix = '/' + target_path.split('/')[0]
+                else:
+                    self.api_prefix = common_prefix or ''
+                
+                print(f"  [API Prefix] inferred: {self.api_prefix}")
+            
+            if count > 0:
+                self.has_dynamic_endpoints = True
+                
+        except Exception as e:
+            print(f"  [动态分析] 失败: {e}")
+    
+    def _api_hook(self):
+        """API Hook - 尝试获取认证上下文"""
+        print("  [API Hook] 尝试获取认证上下文...")
+        try:
+            from core.api_interceptor import APIInterceptor
+            
+            interceptor = APIInterceptor(self.target)
+            results = interceptor.hook_all_apis()
+            
+            # 分析认证相关请求
+            for req in results.get('requests', [])[:20]:
+                if '/login' in req.get('url', '').lower():
+                    print(f"  [认证] 发现登录请求")
+                    break
+                    
+        except Exception as e:
+            print(f"  [API Hook] 失败: {e}")
+    
+    def _update_decision_state(self):
+        """更新决策状态"""
+        json_api_count = sum(1 for p in self.parent_paths.values() if p.get('is_api'))
+        dynamic_count = len(self.dynamic_endpoints)
+        
+        self.has_real_api = json_api_count > 0 or dynamic_count > 0
+        self.has_dynamic_endpoints = dynamic_count > 0
+        
+        self.html_fallback_all = (
+            len(self.parent_paths) > 0 and 
+            json_api_count == 0 and 
+            dynamic_count == 0
+        )
+        
+        print(f"  has_real_api: {self.has_real_api}")
+        print(f"  has_dynamic_endpoints: {self.has_dynamic_endpoints}")
+    
+    def _run_vulnerability_tests(self):
+        """漏洞测试 - 遵循 SKILL.md 配置执行"""
+        
+        all_endpoints = self._merge_all_endpoints()
+        sorted_endpoints = self._sort_by_priority(all_endpoints)
+        
+        print(f"  [漏洞检测] 总端点: {len(sorted_endpoints)}")
+        
+        # ===== 高优先级检测 =====
+        print("\n  [高优先级] SQL注入检测...")
+        self._test_sql_injection(sorted_endpoints)
+        
+        print("\n  [高优先级] 认证绕过检测...")
+        self._test_auth_bypass(sorted_endpoints)
+        
+        print("\n  [高优先级] 越权访问检测...")
+        self._test_privilege_escalation(sorted_endpoints)
+        
+        # ===== 中优先级检测 =====
+        print("\n  [中优先级] 未授权访问检测...")
+        self._test_unauthorized_access(sorted_endpoints)
+        
+        print("\n  [中优先级] 敏感信息泄露检测...")
+        self._test_sensitive_data(sorted_endpoints)
+        
+        print("\n  [中优先级] 路径遍历检测...")
+        self._test_path_traversal(sorted_endpoints)
+        
+        print("\n  [中优先级] CORS配置错误检测...")
+        self._test_cors_misconfiguration(sorted_endpoints)
+        
+        # ===== 低优先级检测 =====
+        print("\n  [低优先级] API版本发现...")
+        self._test_api_version_discovery()
+        
+        # 深度Fuzzing
+        print("\n  [深度测试] API Fuzzing...")
+        self._run_deep_fuzz_test(sorted_endpoints)
+        
+        print(f"\n  [漏洞检测] 完成，发现 {len(self.vulnerabilities)} 个问题")
+    
+    def _merge_all_endpoints(self):
+        """合并所有端点"""
+        all_endpoints = []
+        seen = set()
+        
+        for ep in self.static_endpoints:
+            key = f"{ep.method}:{ep.path}"
+            if key not in seen:
+                seen.add(key)
+                all_endpoints.append({
+                    'path': ep.path,
+                    'method': ep.method,
+                    'source': 'static'
+                })
+        
+        for ep in self.dynamic_endpoints:
+            key = f"{ep.get('method', 'GET')}:{ep.get('path', '')}"
+            if key not in seen and ep.get('path'):
+                seen.add(key)
+                all_endpoints.append({
+                    'path': ep.get('path'),
+                    'method': ep.get('method', 'GET'),
+                    'source': 'dynamic'
+                })
+        
+        for ep in self.hooked_endpoints:
+            key = f"{ep.get('method', 'GET')}:{ep.get('path', '')}"
+            if key not in seen and ep.get('path'):
+                seen.add(key)
+                all_endpoints.append({
+                    'path': ep.get('path'),
+                    'method': ep.get('method', 'GET'),
+                    'source': 'hooked'
+                })
+        
+        return all_endpoints
+    
+    def _sort_by_priority(self, endpoints):
+        """按优先级排序"""
+        priority_map = {'high': 0, 'medium': 1, 'low': 2}
+        
+        def get_priority(ep):
+            path = ep['path'].lower()
+            if any(p in path for p in ['/auth/', '/login', '/oauth', '/admin', '/user/delete', '/user/export']):
+                return 'high'
+            if any(p in path for p in ['/api/', '/system/', '/config/', '/manage/']):
+                return 'medium'
+            return 'low'
+        
+        for ep in endpoints:
+            ep['priority'] = get_priority(ep)
+        
+        return sorted(endpoints, key=lambda x: priority_map.get(x.get('priority'), 2))
+    
+    def _build_url(self, path):
+        """构建完整URL"""
+        from urllib.parse import urlparse
+        
+        if path.startswith('http'):
+            return urlparse(path).path, {}
+        
+        base = self.target.split('?')[0].rstrip('/')
+        
+        # 添加 API 前缀
+        if self.api_prefix and not path.startswith('/personnelWeb') and not path.startswith('/api'):
+            if path.startswith('/users') or path.startswith('/system') or path.startswith('/menu'):
+                path = '/' + self.api_prefix.split('/')[1] + path
+        
+        return base + path, {}
+    
+    # ===== 漏洞检测方法 =====
+    
+    def _test_sql_injection(self, endpoints):
+        """SQL 注入检测 - SKILL.md 配置"""
+        payloads = [
+            "' OR '1'='1",
+            "' OR '1'='1' --",
+            "' OR '1'='1' #",
+            "1' OR '1'='1",
+        ]
+        params = ['id', 'page', 'pageNum', 'pageSize', 'userId']
+        error_patterns = [
+            'sql syntax', 'sql error', 'mysql', 'oracle', 'sqlite',
+            'sqlstate', 'postgresql', 'syntax error', 'microsoft sql'
+        ]
+        
+        tested = 0
+        for ep in endpoints[:30]:
+            path = ep['path']
+            method = ep.get('method', 'GET')
+            
+            base_url, _ = self._build_url(path)
+            
+            for param in params:
+                for payload in payloads[:2]:
+                    try:
+                        if method == 'POST':
+                            r = self.session.post(base_url, json={param: payload}, timeout=5)
+                        else:
+                            r = self.session.get(f"{base_url}?{param}={payload}", timeout=5)
+                        
+                        tested += 1
+                        ct = r.headers.get('Content-Type', '').lower()
+                        if 'text/html' in ct:
+                            continue
+                        
+                        text_lower = r.text.lower()
+                        if any(p in text_lower for p in error_patterns):
+                            self.vulnerabilities.append({
+                                'type': 'SQL Injection',
+                                'severity': 'CRITICAL',
+                                'endpoint': path,
+                                'param': param,
+                                'payload': payload,
+                                'evidence': 'SQL error detected'
+                            })
+                            print(f"    [!] SQL注入: {path} ({param})")
+                            break
+                    except:
+                        pass
+                
+                if any(v['endpoint'] == path for v in self.vulnerabilities):
+                    break
+        
+        print(f"    测试了 {tested} 个请求")
+    
+    def _test_auth_bypass(self, endpoints):
+        """认证绕过检测 - SKILL.md 配置"""
+        login_endpoints = [ep for ep in endpoints if '/login' in ep['path'].lower() or '/auth' in ep['path'].lower()]
+        
+        if not login_endpoints:
+            print("    未发现登录端点，跳过")
+            return
+        
+        print(f"    发现 {len(login_endpoints)} 个认证端点")
+        
+        # 测试空token
+        for ep in login_endpoints[:3]:
+            path = ep['path']
+            base_url, _ = self._build_url(path)
+            
+            try:
+                # 空token
+                r = self.session.post(base_url, json={}, timeout=5)
+                if r.status_code == 200 and 'token' not in r.text.lower():
+                    print(f"    [可疑] {path} 空payload返回200")
+            except:
+                pass
+    
+    def _test_privilege_escalation(self, endpoints):
+        """越权访问检测 - SKILL.md 配置"""
+        # 测试低权限 token 访问高权限资源
+        admin_paths = ['/admin', '/system/admin', '/manage']
+        
+        for ep in endpoints:
+            path = ep['path'].lower()
+            if any(p in path for p in admin_paths):
+                base_url, _ = self._build_url(ep['path'])
+                try:
+                    r = self.session.get(base_url, timeout=5)
+                    if r.status_code == 200:
+                        self.vulnerabilities.append({
+                            'type': 'Vertical Privilege Escalation',
+                            'severity': 'HIGH',
+                            'endpoint': ep['path'],
+                            'evidence': 'Admin endpoint accessible'
+                        })
+                        print(f"    [!] 越权: {ep['path']}")
+                except:
+                    pass
+    
+    def _test_unauthorized_access(self, endpoints):
+        """未授权访问检测 - SKILL.md 配置"""
+        sensitive_patterns = ['/admin', '/user/list', '/user/export', '/config', '/system', '/manage']
+        
+        found = 0
+        for ep in endpoints:
+            path = ep['path'].lower()
+            if not any(p in path for p in sensitive_patterns):
+                continue
+            
+            base_url, _ = self._build_url(ep['path'])
+            try:
+                if ep.get('method') == 'POST':
+                    r = self.session.post(base_url, json={}, timeout=5)
+                else:
+                    r = self.session.get(base_url, timeout=5)
+                
+                found += 1
+                if r.status_code == 200:
+                    text_lower = r.text.lower()
+                    if any(k in text_lower for k in ['user', 'admin', 'password', 'email', 'phone']):
+                        self.vulnerabilities.append({
+                            'type': 'Unauthorized Access',
+                            'severity': 'HIGH',
+                            'endpoint': ep['path'],
+                            'evidence': 'Sensitive data exposed without auth'
+                        })
+                        print(f"    [!] 未授权: {ep['path']}")
+            except:
+                pass
+        
+        print(f"    测试了 {found} 个敏感端点")
+    
+    def _test_sensitive_data(self, endpoints):
+        """敏感信息泄露检测 - SKILL.md 配置"""
+        sensitive_fields = ['password', 'passwd', 'secret', 'token', 'api_key', 'jwt', 'private_key']
+        
+        for ep in endpoints[:20]:
+            base_url, _ = self._build_url(ep['path'])
+            try:
+                if ep.get('method') == 'POST':
+                    r = self.session.post(base_url, json={}, timeout=5)
+                else:
+                    r = self.session.get(base_url, timeout=5)
+                
+                if r.status_code == 200:
+                    text_lower = r.text.lower()
+                    for field in sensitive_fields:
+                        if f'"{field}"' in r.text or f'"{field.upper()}"' in r.text:
+                            self.vulnerabilities.append({
+                                'type': 'Sensitive Data Exposure',
+                                'severity': 'MEDIUM',
+                                'endpoint': ep['path'],
+                                'evidence': f'Contains field: {field}'
+                            })
+                            print(f"    [!] 敏感信息: {ep['path']} ({field})")
+                            break
+            except:
+                pass
+    
+    def _test_path_traversal(self, endpoints):
+        """路径遍历检测 - SKILL.md 配置"""
+        traversal_payloads = [
+            "../../../etc/passwd",
+            "..\\..\\..\\windows\\system32\\config\\sam",
+            "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
+        ]
+        
+        file_endpoints = [ep for ep in endpoints if any(p in ep['path'].lower() for p in ['/file', '/download', '/export', '/import'])]
+        
+        for ep in file_endpoints[:10]:
+            base_url, _ = self._build_url(ep['path'])
+            for payload in traversal_payloads[:1]:
+                try:
+                    r = self.session.get(f"{base_url}?path={payload}", timeout=5)
+                    if 'root:' in r.text or '/bin/bash' in r.text:
+                        self.vulnerabilities.append({
+                            'type': 'Path Traversal',
+                            'severity': 'HIGH',
+                            'endpoint': ep['path'],
+                            'payload': payload,
+                            'evidence': 'System file exposed'
+                        })
+                        print(f"    [!] 路径遍历: {ep['path']}")
+                except:
+                    pass
+    
+    def _test_cors_misconfiguration(self, endpoints):
+        """CORS配置错误检测 - SKILL.md 配置"""
+        for ep in endpoints[:10]:
+            base_url, _ = self._build_url(ep['path'])
+            try:
+                r = self.session.get(base_url, timeout=5)
+                cors_origin = r.headers.get('Access-Control-Allow-Origin', '')
+                cors_cred = r.headers.get('Access-Control-Allow-Credentials', '')
+                
+                if cors_origin == '*' and cors_cred == 'true':
+                    self.vulnerabilities.append({
+                        'type': 'CORS Misconfiguration',
+                        'severity': 'MEDIUM',
+                        'endpoint': ep['path'],
+                        'evidence': 'Allow-Origin: * with Allow-Credentials: true'
+                    })
+                    print(f"    [!] CORS错误: {ep['path']}")
+                elif cors_origin == '*':
+                    print(f"    [低] CORS宽松: {ep['path']} (Origin: *)")
+            except:
+                pass
+    
+    def _test_api_version_discovery(self):
+        """API版本发现 - SKILL.md 配置"""
+        version_paths = ['/v1', '/v2', '/v3', '/api/v1', '/api/v2', '/swagger', '/swagger-ui', '/api-docs']
+        target_base = self.target.split('?')[0].rstrip('/')
+        
+        for vp in version_paths:
+            try:
+                r = self.session.get(target_base + vp, timeout=3, allow_redirects=False)
+                if r.status_code in [200, 301, 302]:
+                    print(f"    [发现] {vp} -> {r.status_code}")
+            except:
+                pass
+    
+    def _run_deep_fuzz_test(self, endpoints):
+        """深度Fuzzing测试"""
+        from core.api_fuzzer import APIfuzzer
+        
+        fuzzer = APIfuzzer(session=self.session)
+        
+        api_paths = []
+        for ep in endpoints:
+            from urllib.parse import urlparse
+            path = ep['path']
+            if path.startswith('http'):
+                path = urlparse(path).path
+            api_paths.append(path)
+        
+        fuzz_targets = fuzzer.generate_parent_fuzz_targets(api_paths, max_per_parent=30)
+        print(f"    生成 {len(fuzz_targets)} 个Fuzz目标")
+        
+        base_url = self.target.split('?')[0].rstrip('/')
+        results = fuzzer.fuzz_paths(base_url, fuzz_targets[:100], timeout=3.0)
+        
+        alive = fuzzer.get_alive_endpoints()
+        print(f"    存活端点: {len(alive)}")
+    
+    def _report_nginx_fallback(self):
+        """报告 nginx fallback"""
+        self.vulnerabilities.append({
+            'type': 'Backend API Unreachable / nginx fallback',
+            'severity': 'HIGH',
+            'evidence': '后端API服务不可达'
+        })
+    
+    def _cloud_storage_test(self):
+        """云存储测试"""
+        tester = CloudStorageTester(self.target)
+        tester.session = self.session
+        findings, storage_url = tester.full_test(self.target)
+        
+        print(f"  云存储: {storage_url or 'N/A'}, 发现: {len(findings)}")
+        self.cloud_findings = findings
+    
+    def _generate_report(self):
+        """生成报告"""
+        print("\n" + "=" * 50)
+        print("  测试完成 v3.0")
+        print("=" * 50)
+        print(f"  站点类型: {self.site_type}")
+        print(f"  静态端点: {len(self.static_endpoints)}")
+        print(f"  动态端点: {len(self.dynamic_endpoints)}")
+        print(f"  API Prefix: {self.api_prefix}")
+        
+        # 按严重性分组统计
+        critical = [v for v in self.vulnerabilities if v['severity'] == 'CRITICAL']
+        high = [v for v in self.vulnerabilities if v['severity'] == 'HIGH']
+        medium = [v for v in self.vulnerabilities if v['severity'] == 'MEDIUM']
+        
+        print(f"\n  漏洞统计:")
+        print(f"    CRITICAL: {len(critical)}")
+        print(f"    HIGH: {len(high)}")
+        print(f"    MEDIUM: {len(medium)}")
+        
+        if self.vulnerabilities:
+            print(f"\n  发现的问题:")
+            for v in self.vulnerabilities[:10]:
+                print(f"    [{v['severity']}] {v['type']}: {v.get('endpoint', 'N/A')}")
+    
+    def _get_result(self):
+        """获取结果"""
+        return {
+            'target': self.target,
+            'site_type': self.site_type,
+            'endpoints': {
+                'static': len(self.static_endpoints),
+                'dynamic': len(self.dynamic_endpoints),
+                'hooked': len(self.hooked_endpoints),
+                'merged': len(self._merge_all_endpoints()),
+            },
+            'api_prefix': self.api_prefix,
+            'vulnerabilities': self.vulnerabilities,
+            'cloud_findings': self.cloud_findings,
+        }
+
+
+if __name__ == "__main__":
+    import sys
+    
+    target = sys.argv[1] if len(sys.argv) > 1 else "http://49.65.100.160:6004/"
+    
+    executor = SKILLExecutorV3(target)
+    result = executor.run()
+    
+    print("\n\n结果:")
+    print(result)