wormclaude 1.0.194 → 1.0.195
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands.js +1 -0
- package/dist/theme.js +1 -1
- package/dist/tools.js +17 -7
- package/dist/tui.js +10 -0
- package/package.json +1 -1
package/dist/commands.js
CHANGED
|
@@ -60,6 +60,7 @@ export const COMMANDS = [
|
|
|
60
60
|
{ name: '/dirscan', desc: '[seviye 3+] dizin/içerik keşfi (yönetim/api/yedek/sızıntı yolları): /dirscan <alan>' },
|
|
61
61
|
{ name: '/report', desc: 'son taramadan profesyonel pentest raporu üret (CVSS/etki/çözüm, dosyaya yazar)' },
|
|
62
62
|
{ name: '/fullscan', desc: '[seviye 3+] tam kapsamlı DETERMİNİSTİK tarama: recon+XSS+SQLi tek komutta: /fullscan <hedef>' },
|
|
63
|
+
{ name: '/pentest', desc: 'OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud → tek rapor): /pentest <domain>' },
|
|
63
64
|
{ name: '/audit', desc: 'kaynak kod güvenlik denetimi (SAST — sır/açık/CVE, yerel): /audit [klasör]' },
|
|
64
65
|
{ name: '/jwt', desc: 'JWT token güvenlik analizi (alg=none/zayıf-secret/expiry/claim, yerel): /jwt <token>' },
|
|
65
66
|
{ name: '/spray', desc: 'login formuna parola-spray (yetkili test, trust 3+): /spray <login-url> [kullanıcı]' },
|
package/dist/theme.js
CHANGED
package/dist/tools.js
CHANGED
|
@@ -230,7 +230,7 @@ export const toolSchemas = [
|
|
|
230
230
|
parameters: {
|
|
231
231
|
type: 'object',
|
|
232
232
|
properties: {
|
|
233
|
-
tool: { type: 'string', enum: ['full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
|
|
233
|
+
tool: { type: 'string', enum: ['auto', 'full', 'recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloudscan', 'spray', 'defaultcreds'], description: 'auto → OTONOM çoklu-yüzey pentest (web full + network portscan + OSINT + cloud bucket, hepsi tek raporda; "pentest yap"/"tam denetle"/"her şeyi tara"/"otonom" denince — domain/host); full → tam kapsamlı web taraması; recon/scan/dirscan/portscan/osint/cloudscan → domain/host/şirket; xss/sqli/idor → parameterized URL. portscan = TCP port/servis. osint = DNS + e-posta güvenliği (SPF/DMARC). cloudscan = açık bulut bucket keşfi (S3/GCP/Azure). spray = login formuna parola-spray (target = login URL, username param ile; "parola dene"/"spray"/"brute" denince, trust 3+). defaultcreds = login\'e varsayılan kimlikler (admin/admin vb.) dene (target = login URL, trust 3+)' },
|
|
234
234
|
target: { type: 'string', description: 'Domain for recon/scan/dirscan (example.com) OR parameterized URL for xss/sqli (https://example.com/p?id=1)' },
|
|
235
235
|
cookie: { type: 'string', description: 'Optional. Session cookie for AUTHENTICATED / behind-login scanning, e.g. "sessionid=abc123; csrftoken=xyz". The user copies it from their logged-in browser (DevTools → Application → Cookies, or the Cookie request header). Sent only to the target from the user IP — never stored on the server. Provide it whenever the user wants to scan pages behind a login.' },
|
|
236
236
|
auth_header: { type: 'string', description: 'Optional. Authorization header value for token-based authenticated scanning, e.g. "Bearer eyJhbGci..." or "Basic dXNlcjpwYXNz". Use instead of / together with cookie when the site authenticates via a token header.' },
|
|
@@ -767,7 +767,7 @@ async function execOne(call, hooks) {
|
|
|
767
767
|
if (call.name === 'SecurityScan') {
|
|
768
768
|
let tool = String(args?.tool || '').toLowerCase().trim();
|
|
769
769
|
const target = String(args?.target || '').trim();
|
|
770
|
-
if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan'].includes(tool) || !target) {
|
|
770
|
+
if (!['recon', 'scan', 'xss', 'sqli', 'dirscan', 'idor', 'portscan', 'osint', 'cloud', 'cloudscan', 'spray', 'credspray', 'defaultcreds', 'full', 'fullscan', 'auto', 'pentest'].includes(tool) || !target) {
|
|
771
771
|
return { ok: false, output: 'SecurityScan: tool (recon|scan|xss|sqli|dirscan|full) ve target gerekli.', args };
|
|
772
772
|
}
|
|
773
773
|
if (tool === 'scan')
|
|
@@ -799,11 +799,14 @@ async function execOne(call, hooks) {
|
|
|
799
799
|
const _authTag = _auth ? '|auth' : '';
|
|
800
800
|
// FULL: tam kapsamlı tarama TEK ÇAĞRIDA — model orkestrasyona girmesin (döngü olur). Kod
|
|
801
801
|
// deterministik olarak recon → xss → sqli koşar, TEK konsolide rapor döner.
|
|
802
|
-
if (tool === 'full' || tool === 'fullscan') {
|
|
803
|
-
|
|
802
|
+
if (tool === 'full' || tool === 'fullscan' || tool === 'auto' || tool === 'pentest') {
|
|
803
|
+
// AUTO/PENTEST = otonom çoklu-yüzey: web (full) + network (portscan) + OSINT + cloud, TEK rapor.
|
|
804
|
+
// full = sadece web. İkisi de deterministik koşar (model orkestrasyona girip döngü yapmasın).
|
|
805
|
+
const _isAuto = tool === 'auto' || tool === 'pentest';
|
|
806
|
+
const _fk = (_isAuto ? 'auto|' : 'full|') + target.toLowerCase() + _authTag;
|
|
804
807
|
const _fc = _scanCache.get(_fk);
|
|
805
808
|
if (_fc && Date.now() - _fc.t < 120000) {
|
|
806
|
-
return { ok: false, args, output: `[ALREADY-SCANNED] full scan "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
|
|
809
|
+
return { ok: false, args, output: `[ALREADY-SCANNED] ${_isAuto ? 'autonomous pentest' : 'full scan'} "${target}" already ran — findings are above. Do NOT call SecurityScan again; summarize the results in text.` };
|
|
807
810
|
}
|
|
808
811
|
try {
|
|
809
812
|
const { runPentest, fetchPtTools } = await import('./pentest.js');
|
|
@@ -819,7 +822,12 @@ async function execOne(call, hooks) {
|
|
|
819
822
|
}
|
|
820
823
|
}
|
|
821
824
|
catch { }
|
|
822
|
-
|
|
825
|
+
// AUTO: web'in üstüne bağımsız yüzeyleri ekle (network + e-posta/DNS + bulut bucket).
|
|
826
|
+
const _extraSurfaces = _isAuto ? ['portscan', 'osint', 'cloudscan'] : [];
|
|
827
|
+
for (const s of _extraSurfaces)
|
|
828
|
+
if (!_steps.includes(s))
|
|
829
|
+
_steps.push(s);
|
|
830
|
+
let rpt = `${_isAuto ? 'Otonom pentest (web+network+OSINT+cloud)' : 'Tam kapsamlı tarama'} — ${target}${_auth ? ' (authenticated / login-arkası — oturum enjekte edildi)' : ''}${_loginNote}\n${_steps.length} tarayıcı koşuluyor${_isAuto ? ' (web full + portscan + osint + cloudscan)' : ' (recon+dirscan+xss+sqli + şablonlar)'}.\n`;
|
|
823
831
|
let _wafSeen = false;
|
|
824
832
|
for (const _t of _steps) {
|
|
825
833
|
if (hooks?.signal?.aborted) {
|
|
@@ -901,7 +909,9 @@ async function execOne(call, hooks) {
|
|
|
901
909
|
rpt += `\n\nToplam ${all.length} bulgu (${_steps.length} tarayıcı${_subs && _subs.length ? ' + ' + _subs.length + ' alt-alan' : ''}).`;
|
|
902
910
|
if (all.length)
|
|
903
911
|
rpt += '\n' + all.slice(0, 80).map((x) => ' ' + JSON.stringify(x)).join('\n');
|
|
904
|
-
rpt +=
|
|
912
|
+
rpt += _isAuto
|
|
913
|
+
? `\n[auto-done] AUTONOMOUS multi-surface pentest ran (web full + network portscan + OSINT dns/email + cloud buckets, ${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}). Each finding has a "cvss" base score. Do NOT call SecurityScan again — write a PENTEST REPORT in the user's language: (1) executive summary (overall risk posture, count by severity), (2) findings grouped by SURFACE (web / network / email-DNS / cloud), severity-ordered, with CVSS, (3) prioritized remediation roadmap. Be concrete.`
|
|
914
|
+
: `\n[full-done] comprehensive scan (${_steps.length} scanners${_subs && _subs.length ? ' + ' + _subs.length + ' subdomains' : ''}) ran. Each finding has a "cvss" base score. Do NOT call SecurityScan again — report to the user in text: severity-ordered summary, include the CVSS score per finding, note subdomain findings, prioritized fixes, in their language.`;
|
|
905
915
|
const _now = Date.now();
|
|
906
916
|
_scanCache.set(_fk, { out: rpt, t: _now });
|
|
907
917
|
for (const _t of ['recon', 'xss', 'sqli', 'dirscan'])
|
package/dist/tui.js
CHANGED
|
@@ -836,6 +836,16 @@ export async function runTui() {
|
|
|
836
836
|
quit();
|
|
837
837
|
return;
|
|
838
838
|
}
|
|
839
|
+
// /pentest — OTONOM çoklu-yüzey pentest (web+network+OSINT+cloud); SecurityScan tool=auto
|
|
840
|
+
if (tok === '/pentest') {
|
|
841
|
+
const a = v.slice(tok.length).trim();
|
|
842
|
+
if (!a) {
|
|
843
|
+
printItem({ kind: 'note', text: 'Kullanım: /pentest <domain>' });
|
|
844
|
+
return;
|
|
845
|
+
}
|
|
846
|
+
runTurn(`SecurityScan aracıyla tool=auto, target=${a} çalıştır (otonom çoklu-yüzey pentest: web+network+OSINT+cloud). Sonra yüzey-bazlı yönetici pentest raporu yaz.`, v);
|
|
847
|
+
return;
|
|
848
|
+
}
|
|
839
849
|
// /audit — kaynak kod güvenlik denetimi (SAST, yerel); modele CodeAudit çağırt
|
|
840
850
|
if (tok === '/audit') {
|
|
841
851
|
const a = v.slice(tok.length).trim() || '.';
|