wormclaude 1.0.183 → 1.0.184
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/theme.js +1 -1
- package/dist/tools.js +37 -11
- package/package.json +1 -1
package/dist/theme.js
CHANGED
package/dist/tools.js
CHANGED
|
@@ -776,10 +776,22 @@ async function execOne(call, hooks) {
|
|
|
776
776
|
return { ok: false, args, output: `[ALREADY-SCANNED] full scan "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
|
|
777
777
|
}
|
|
778
778
|
try {
|
|
779
|
-
const { runPentest } = await import('./pentest.js');
|
|
779
|
+
const { runPentest, fetchPtTools } = await import('./pentest.js');
|
|
780
780
|
const all = [];
|
|
781
|
-
|
|
782
|
-
|
|
781
|
+
// PROFESYONEL KAPSAM: çekirdek (recon+dirscan+xss+sqli) + sunucudaki TÜM şablon tarayıcıları
|
|
782
|
+
// (SSRF/XXE/SSTI/LFI/LDAP/open-redirect/CRLF/graphql/exposed-files/waf-detect …). /fullscan ile aynı.
|
|
783
|
+
const _steps = ['recon', 'dirscan', 'xss', 'sqli'];
|
|
784
|
+
try {
|
|
785
|
+
const _pt = await fetchPtTools(cfg());
|
|
786
|
+
for (const tm of ((_pt && _pt.templates) || [])) {
|
|
787
|
+
if (tm && tm.id && !_steps.includes(String(tm.id)))
|
|
788
|
+
_steps.push(String(tm.id));
|
|
789
|
+
}
|
|
790
|
+
}
|
|
791
|
+
catch { }
|
|
792
|
+
let rpt = `Tam kapsamlı tarama — ${target}${_auth ? ' (authenticated / login-arkası — oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor (recon+dirscan+xss+sqli + şablonlar).\n`;
|
|
793
|
+
let _wafSeen = false;
|
|
794
|
+
for (const _t of _steps) {
|
|
783
795
|
if (hooks?.signal?.aborted) {
|
|
784
796
|
rpt += `\n[STOPPED] kullanıcı durdurdu (Esc) — kalan taramalar atlandı.`;
|
|
785
797
|
break;
|
|
@@ -789,29 +801,43 @@ async function execOne(call, hooks) {
|
|
|
789
801
|
if (o?.ok) {
|
|
790
802
|
const ff = o.report?.findings || [];
|
|
791
803
|
all.push(...ff.map((x) => ({ ...x, scan: _t })));
|
|
792
|
-
|
|
804
|
+
if (ff.some((x) => /waf|firewall|cloudflare|akamai|imperva/i.test(JSON.stringify(x))))
|
|
805
|
+
_wafSeen = true;
|
|
806
|
+
rpt += `\n[${_t}] ${ff.length ? ff.length + ' bulgu' : 'temiz'}`;
|
|
793
807
|
}
|
|
794
808
|
else {
|
|
795
809
|
const rsn = o?.reason || o?.plan?.reason || 'error';
|
|
796
|
-
rpt += `\n[${_t}] çalışmadı: ${rsn}`;
|
|
797
810
|
if (rsn === 'trust_required') {
|
|
798
|
-
rpt +=
|
|
811
|
+
rpt += `\n[${_t}] çalışmadı: ${rsn} — Doğrulanmış Araştırmacı (seviye 3+) gerekir.`;
|
|
799
812
|
break;
|
|
800
813
|
}
|
|
814
|
+
rpt += `\n[${_t}] ${rsn === 'invalid_target' ? 'atlandı (param yok)' : 'çalışmadı: ' + rsn}`;
|
|
801
815
|
}
|
|
802
816
|
}
|
|
803
817
|
catch (e) {
|
|
804
818
|
rpt += `\n[${_t}] hata: ${e?.message || e}`;
|
|
805
819
|
}
|
|
806
820
|
}
|
|
807
|
-
|
|
821
|
+
// no_params spam'ini tekille (her inject tarayıcı bir tane ekliyor)
|
|
822
|
+
const _np = all.filter((f) => f.note === 'no_params');
|
|
823
|
+
for (let i = all.length - 1; i >= 0; i--)
|
|
824
|
+
if (all[i].note === 'no_params')
|
|
825
|
+
all.splice(i, 1);
|
|
826
|
+
if (_np.length)
|
|
827
|
+
all.push({ type: 'info', severity: 'info', url: target, note: 'no_params',
|
|
828
|
+
evidence: `${_np.length} enjeksiyon tarayıcısı test edilebilir GET parametresi bulamadı — girdiler POST form/login-arkası/JS-üretimli olabilir.` });
|
|
829
|
+
const _sev = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
|
|
830
|
+
all.sort((a, b) => (_sev[a.severity] ?? 9) - (_sev[b.severity] ?? 9));
|
|
831
|
+
if (_wafSeen || /cloudflare|akamai|imperva/i.test(rpt)) {
|
|
832
|
+
rpt += `\n\n⚠️ WAF/CDN tespit edildi — payload'lar filtrelenmiş olabilir; "temiz" sonuçlar KESİN değil. Kesin sonuç için origin sunucuya (CDN arkası) doğrudan tara.`;
|
|
833
|
+
}
|
|
834
|
+
rpt += `\n\nToplam ${all.length} bulgu (${_steps.length} tarayıcı).`;
|
|
808
835
|
if (all.length)
|
|
809
|
-
rpt += '\n' + all.slice(0,
|
|
810
|
-
rpt += `\n[full-done]
|
|
836
|
+
rpt += '\n' + all.slice(0, 80).map((x) => ' ' + JSON.stringify(x)).join('\n');
|
|
837
|
+
rpt += `\n[full-done] comprehensive scan (${_steps.length} scanners) ran. Do NOT call SecurityScan again — report the findings to the user in text (severity-ordered summary + prioritized fixes), in their language.`;
|
|
811
838
|
const _now = Date.now();
|
|
812
839
|
_scanCache.set(_fk, { out: rpt, t: _now });
|
|
813
|
-
|
|
814
|
-
for (const _t of ['recon', 'xss', 'sqli'])
|
|
840
|
+
for (const _t of ['recon', 'xss', 'sqli', 'dirscan'])
|
|
815
841
|
_scanCache.set(_t + '|' + target.toLowerCase() + _authTag, { out: rpt, t: _now });
|
|
816
842
|
return { ok: true, output: rpt, args };
|
|
817
843
|
}
|