wormclaude 1.0.183 → 1.0.184

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/theme.js CHANGED
@@ -16,4 +16,4 @@ export const theme = {
16
16
  synType: '#a78bfa', // tip/sınıf adları, sabitler
17
17
  synProp: '#e0e0e0', // özellik/anahtar adları
18
18
  };
19
- export const VERSION = '1.0.183';
19
+ export const VERSION = '1.0.184';
package/dist/tools.js CHANGED
@@ -776,10 +776,22 @@ async function execOne(call, hooks) {
776
776
  return { ok: false, args, output: `[ALREADY-SCANNED] full scan "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
777
777
  }
778
778
  try {
779
- const { runPentest } = await import('./pentest.js');
779
+ const { runPentest, fetchPtTools } = await import('./pentest.js');
780
780
  const all = [];
781
- let rpt = `Tam kapsamlı tarama — ${target}${_auth ? ' (authenticated / login-arkası oturum enjekte edildi)' : ''}${_loginNote}\n`;
782
- for (const _t of ['recon', 'xss', 'sqli']) {
781
+ // PROFESYONEL KAPSAM: çekirdek (recon+dirscan+xss+sqli) + sunucudaki TÜM şablon tarayıcıları
782
+ // (SSRF/XXE/SSTI/LFI/LDAP/open-redirect/CRLF/graphql/exposed-files/waf-detect …). /fullscan ile aynı.
783
+ const _steps = ['recon', 'dirscan', 'xss', 'sqli'];
784
+ try {
785
+ const _pt = await fetchPtTools(cfg());
786
+ for (const tm of ((_pt && _pt.templates) || [])) {
787
+ if (tm && tm.id && !_steps.includes(String(tm.id)))
788
+ _steps.push(String(tm.id));
789
+ }
790
+ }
791
+ catch { }
792
+ let rpt = `Tam kapsamlı tarama — ${target}${_auth ? ' (authenticated / login-arkası — oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor (recon+dirscan+xss+sqli + şablonlar).\n`;
793
+ let _wafSeen = false;
794
+ for (const _t of _steps) {
783
795
  if (hooks?.signal?.aborted) {
784
796
  rpt += `\n[STOPPED] kullanıcı durdurdu (Esc) — kalan taramalar atlandı.`;
785
797
  break;
@@ -789,29 +801,43 @@ async function execOne(call, hooks) {
789
801
  if (o?.ok) {
790
802
  const ff = o.report?.findings || [];
791
803
  all.push(...ff.map((x) => ({ ...x, scan: _t })));
792
- rpt += `\n[${_t}] ${ff.length ? ff.length + ' bulgu' : 'temiz'}` + (o.report?.target ? ` (${o.report.target})` : '');
804
+ if (ff.some((x) => /waf|firewall|cloudflare|akamai|imperva/i.test(JSON.stringify(x))))
805
+ _wafSeen = true;
806
+ rpt += `\n[${_t}] ${ff.length ? ff.length + ' bulgu' : 'temiz'}`;
793
807
  }
794
808
  else {
795
809
  const rsn = o?.reason || o?.plan?.reason || 'error';
796
- rpt += `\n[${_t}] çalışmadı: ${rsn}`;
797
810
  if (rsn === 'trust_required') {
798
- rpt += ' — Doğrulanmış Araştırmacı (seviye 3+) gerekir.';
811
+ rpt += `\n[${_t}] çalışmadı: ${rsn} — Doğrulanmış Araştırmacı (seviye 3+) gerekir.`;
799
812
  break;
800
813
  }
814
+ rpt += `\n[${_t}] ${rsn === 'invalid_target' ? 'atlandı (param yok)' : 'çalışmadı: ' + rsn}`;
801
815
  }
802
816
  }
803
817
  catch (e) {
804
818
  rpt += `\n[${_t}] hata: ${e?.message || e}`;
805
819
  }
806
820
  }
807
- rpt += `\n\nToplam ${all.length} bulgu.`;
821
+ // no_params spam'ini tekille (her inject tarayıcı bir tane ekliyor)
822
+ const _np = all.filter((f) => f.note === 'no_params');
823
+ for (let i = all.length - 1; i >= 0; i--)
824
+ if (all[i].note === 'no_params')
825
+ all.splice(i, 1);
826
+ if (_np.length)
827
+ all.push({ type: 'info', severity: 'info', url: target, note: 'no_params',
828
+ evidence: `${_np.length} enjeksiyon tarayıcısı test edilebilir GET parametresi bulamadı — girdiler POST form/login-arkası/JS-üretimli olabilir.` });
829
+ const _sev = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
830
+ all.sort((a, b) => (_sev[a.severity] ?? 9) - (_sev[b.severity] ?? 9));
831
+ if (_wafSeen || /cloudflare|akamai|imperva/i.test(rpt)) {
832
+ rpt += `\n\n⚠️ WAF/CDN tespit edildi — payload'lar filtrelenmiş olabilir; "temiz" sonuçlar KESİN değil. Kesin sonuç için origin sunucuya (CDN arkası) doğrudan tara.`;
833
+ }
834
+ rpt += `\n\nToplam ${all.length} bulgu (${_steps.length} tarayıcı).`;
808
835
  if (all.length)
809
- rpt += '\n' + all.slice(0, 60).map((x) => ' ' + JSON.stringify(x)).join('\n');
810
- rpt += `\n[full-done] recon+xss+sqli all ran. Do NOT call SecurityScan again — report the findings to the user in text (summary + prioritized fixes), in their language.`;
836
+ rpt += '\n' + all.slice(0, 80).map((x) => ' ' + JSON.stringify(x)).join('\n');
837
+ rpt += `\n[full-done] comprehensive scan (${_steps.length} scanners) ran. Do NOT call SecurityScan again — report the findings to the user in text (severity-ordered summary + prioritized fixes), in their language.`;
811
838
  const _now = Date.now();
812
839
  _scanCache.set(_fk, { out: rpt, t: _now });
813
- // Alt tarama tiplerini de cache'le → full sonrası model tek tek recon/xss/sqli çağıramaz (gereksiz tekrar).
814
- for (const _t of ['recon', 'xss', 'sqli'])
840
+ for (const _t of ['recon', 'xss', 'sqli', 'dirscan'])
815
841
  _scanCache.set(_t + '|' + target.toLowerCase() + _authTag, { out: rpt, t: _now });
816
842
  return { ok: true, output: rpt, args };
817
843
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "wormclaude",
3
- "version": "1.0.183",
3
+ "version": "1.0.184",
4
4
  "description": "WormClaude CLI - uncensored security+code assistant (ink TUI, Claude-style)",
5
5
  "type": "module",
6
6
  "bin": {