wormclaude 1.0.175 → 1.0.177
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/theme.js +1 -1
- package/dist/tools.js +55 -9
- package/package.json +1 -1
package/dist/theme.js
CHANGED
package/dist/tools.js
CHANGED
|
@@ -226,11 +226,11 @@ export const toolSchemas = [
|
|
|
226
226
|
type: 'function',
|
|
227
227
|
function: {
|
|
228
228
|
name: 'SecurityScan',
|
|
229
|
-
description: "Run an AUTHORIZED security scan with WormClaude's own server-side engine (no external tools, no manual payloads). Use THIS — never shell/curl/Invoke-WebRequest — whenever the user asks to scan/test a target
|
|
229
|
+
description: "Run an AUTHORIZED security scan with WormClaude's own server-side engine (no external tools, no manual payloads). Use THIS — never shell/curl/Invoke-WebRequest — whenever the user asks to scan/test a target (\"tara\", \"scan\", \"xss tara\", \"sqli\", \"recon\", \"açık bul\", \"zafiyet tara\", \"tam kapsamlı tara\"). For a FULL/comprehensive scan use tool='full' ONCE — it deterministically runs recon+XSS+SQLi in code and returns ONE consolidated report (do NOT chain recon/xss/sqli yourself, that loops). For a single check use recon/xss/sqli. For xss/sqli give a PARAMETERIZED url; for recon/full give a domain. Requires authorized-researcher level (3+); traffic exits the user's IP — only authorized targets.",
|
|
230
230
|
parameters: {
|
|
231
231
|
type: 'object',
|
|
232
232
|
properties: {
|
|
233
|
-
tool: { type: 'string', enum: ['recon', 'scan', 'xss', 'sqli', 'dirscan'], description: 'recon/scan/dirscan → domain; xss/sqli → parameterized URL' },
|
|
233
|
+
tool: { type: 'string', enum: ['full', 'recon', 'scan', 'xss', 'sqli', 'dirscan'], description: 'full → tam kapsamlı (recon+xss+sqli tek seferde, kapsamlı tarama için BUNU kullan); recon/scan/dirscan → domain; xss/sqli → parameterized URL' },
|
|
234
234
|
target: { type: 'string', description: 'Domain for recon/scan/dirscan (example.com) OR parameterized URL for xss/sqli (https://example.com/p?id=1)' },
|
|
235
235
|
},
|
|
236
236
|
required: ['tool', 'target'],
|
|
@@ -732,11 +732,59 @@ async function execOne(call, hooks) {
|
|
|
732
732
|
if (call.name === 'SecurityScan') {
|
|
733
733
|
let tool = String(args?.tool || '').toLowerCase().trim();
|
|
734
734
|
const target = String(args?.target || '').trim();
|
|
735
|
-
if (!['recon', 'scan', 'xss', 'sqli', 'dirscan'].includes(tool) || !target) {
|
|
736
|
-
return { ok: false, output: 'SecurityScan: tool (recon|scan|xss|sqli|dirscan) ve target gerekli.', args };
|
|
735
|
+
if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'full', 'fullscan'].includes(tool) || !target) {
|
|
736
|
+
return { ok: false, output: 'SecurityScan: tool (recon|scan|xss|sqli|dirscan|full) ve target gerekli.', args };
|
|
737
737
|
}
|
|
738
738
|
if (tool === 'scan')
|
|
739
739
|
tool = 'recon'; // "scan" genel tarama → motorun bildiği "recon" (slash ile aynı)
|
|
740
|
+
// FULL: tam kapsamlı tarama TEK ÇAĞRIDA — model orkestrasyona girmesin (döngü olur). Kod
|
|
741
|
+
// deterministik olarak recon → xss → sqli koşar, TEK konsolide rapor döner.
|
|
742
|
+
if (tool === 'full' || tool === 'fullscan') {
|
|
743
|
+
const _fk = 'full|' + target.toLowerCase();
|
|
744
|
+
const _fc = _scanCache.get(_fk);
|
|
745
|
+
if (_fc && Date.now() - _fc.t < 120000) {
|
|
746
|
+
return { ok: false, args, output: `[ALREADY-SCANNED] tam tarama "${target}" zaten koşuldu — bulgular yukarıda. TEKRAR SecurityScan çağırma; sonuçları METİN olarak özetle.` };
|
|
747
|
+
}
|
|
748
|
+
try {
|
|
749
|
+
const { runPentest } = await import('./pentest.js');
|
|
750
|
+
const all = [];
|
|
751
|
+
let rpt = `Tam kapsamlı tarama — ${target}\n`;
|
|
752
|
+
for (const _t of ['recon', 'xss', 'sqli']) {
|
|
753
|
+
try {
|
|
754
|
+
const o = await runPentest(cfg(), _t, target, true, () => { });
|
|
755
|
+
if (o?.ok) {
|
|
756
|
+
const ff = o.report?.findings || [];
|
|
757
|
+
all.push(...ff.map((x) => ({ ...x, scan: _t })));
|
|
758
|
+
rpt += `\n[${_t}] ${ff.length ? ff.length + ' bulgu' : 'temiz'}` + (o.report?.target ? ` (${o.report.target})` : '');
|
|
759
|
+
}
|
|
760
|
+
else {
|
|
761
|
+
const rsn = o?.reason || o?.plan?.reason || 'error';
|
|
762
|
+
rpt += `\n[${_t}] çalışmadı: ${rsn}`;
|
|
763
|
+
if (rsn === 'trust_required') {
|
|
764
|
+
rpt += ' — Doğrulanmış Araştırmacı (seviye 3+) gerekir.';
|
|
765
|
+
break;
|
|
766
|
+
}
|
|
767
|
+
}
|
|
768
|
+
}
|
|
769
|
+
catch (e) {
|
|
770
|
+
rpt += `\n[${_t}] hata: ${e?.message || e}`;
|
|
771
|
+
}
|
|
772
|
+
}
|
|
773
|
+
rpt += `\n\nToplam ${all.length} bulgu.`;
|
|
774
|
+
if (all.length)
|
|
775
|
+
rpt += '\n' + all.slice(0, 60).map((x) => ' ' + JSON.stringify(x)).join('\n');
|
|
776
|
+
rpt += `\n[full-done] recon+xss+sqli koşuldu. SecurityScan'i TEKRAR çağırma — bulguları kullanıcıya METİN olarak raporla (özet + öncelikli düzeltmeler).`;
|
|
777
|
+
const _now = Date.now();
|
|
778
|
+
_scanCache.set(_fk, { out: rpt, t: _now });
|
|
779
|
+
// Alt tarama tiplerini de cache'le → full sonrası model tek tek recon/xss/sqli çağıramaz (gereksiz tekrar).
|
|
780
|
+
for (const _t of ['recon', 'xss', 'sqli'])
|
|
781
|
+
_scanCache.set(_t + '|' + target.toLowerCase(), { out: rpt, t: _now });
|
|
782
|
+
return { ok: true, output: rpt, args };
|
|
783
|
+
}
|
|
784
|
+
catch (e) {
|
|
785
|
+
return { ok: false, output: 'Tam tarama hatası: ' + (e?.message || e), args };
|
|
786
|
+
}
|
|
787
|
+
}
|
|
740
788
|
// DÖNGÜ-KIRICI: aynı tarama 2 dk içinde tekrar → yeniden koşma, önceki sonuç + "yeniden tarama" notu.
|
|
741
789
|
const _ck = tool + '|' + target.toLowerCase();
|
|
742
790
|
const _cached = _scanCache.get(_ck);
|
|
@@ -760,11 +808,9 @@ async function execOne(call, hooks) {
|
|
|
760
808
|
txt += 'Zafiyet bulunamadı (hedef temiz ya da yanıt vermedi).';
|
|
761
809
|
else
|
|
762
810
|
txt += `${rep.found_count} bulgu:\n` + f.slice(0, 50).map((x) => ' ' + JSON.stringify(x)).join('\n');
|
|
763
|
-
//
|
|
764
|
-
|
|
765
|
-
|
|
766
|
-
+ ` in one reliable, repeatable pass. Do NOT hand-orchestrate nmap/sqlmap yourself; recommend`
|
|
767
|
-
+ ` /fullscan. Pair it with the authorization reminder (only on owned / written-authorized targets).`;
|
|
811
|
+
// Tek-tip tarama bitti. Kapsamlı isteniyorsa model TEK çağrıyla SecurityScan(tool:"full") koşmalı
|
|
812
|
+
// (kod deterministik recon+xss+sqli yapar) — kendi recon/xss/sqli zincirlemesin (döngüye girer).
|
|
813
|
+
txt += `\n\n[done] Bu tek tarama (${tool}) bitti — sonucu kullanıcıya METİN olarak özetle. SecurityScan'i bu hedefte TEKRAR çağırma.`;
|
|
768
814
|
_scanCache.set(_ck, { out: txt, t: Date.now() }); // döngü-kırıcı için sakla
|
|
769
815
|
return { ok: true, output: txt, args };
|
|
770
816
|
}
|