souleyez 2.17.0__py3-none-any.whl → 2.23.0__py3-none-any.whl

souleyez/__init__.py

@@ -1 +1 @@
-__version__ = '2.17.0'
+__version__ = '2.23.0'

souleyez/core/tool_chaining.py

@@ -423,6 +423,21 @@ class ChainRule:
                                     result = True
                                     break
 
+            elif cond_type == 'svc_version':
+                # Simple version string match (e.g., 'svc_version:2.3.4')
+                # Matches if any service has this exact version string
+                # Useful when nmap doesn't detect product name
+                services = context.get('services', [])
+                for service in services:
+                    svc_version = (
+                        service.get('version', '') or
+                        service.get('service_version', '') or
+                        ''
+                    )
+                    if svc_version and cond_value.lower() in svc_version.lower():
+                        result = True
+                        break
+
         # Apply negation if needed
         return not result if negated else result
 
@@ -731,13 +746,16 @@ class ToolChaining:
                 args_template=['-a', '{target}'],
                 description='SMB service detected, enumerating shares and users (runs after CrackMapExec)'
             ),
+            # DISABLED: smbmap has upstream pickling bug with impacket (affects all versions)
+            # Use crackmapexec/netexec --shares instead (rule #10 above)
             ChainRule(
                 trigger_tool='nmap',
                 trigger_condition='service:smb',
                 target_tool='smbmap',
                 priority=7,
+                enabled=False,  # Disabled due to impacket pickling bug
                 args_template=['-H', '{target}'],
-                description='SMB service detected, mapping shares'
+                description='SMB service detected, mapping shares (DISABLED - use netexec)'
             ),
         ])
 
@@ -1143,13 +1161,16 @@ class ToolChaining:
         #     )
         # )
 
+        # DISABLED: smbmap has upstream pickling bug - won't produce results
         # Writable SMB shares found → check for exploitability
+        # TODO: Add rule triggering from crackmapexec writable shares detection
         self.rules.append(
             ChainRule(
                 trigger_tool='smbmap',
                 trigger_condition='has:writable_shares',
                 target_tool='msf_auxiliary',
                 priority=10,
+                enabled=False,  # Disabled - smbmap broken
                 args_template=['auxiliary/scanner/smb/smb_version'],
                 description='Writable SMB shares found, checking for vulnerabilities'
             )
@@ -1908,28 +1929,42 @@ class ToolChaining:
 
         # vsftpd 2.3.4 backdoor (CVE-2011-2523)
         # Triggers backdoor shell on port 6200 when username contains :)
+        # Match FTP service with version 2.3.4 (nmap often shows just "ftp" + "2.3.4")
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:vsftpd 2.3.4',
+                trigger_condition='service:ftp & svc_version:2.3.4',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/unix/ftp/vsftpd_234_backdoor'],
-                description='vsftpd 2.3.4 detected - BACKDOOR AVAILABLE (CVE-2011-2523)',
+                description='FTP 2.3.4 detected - checking for vsftpd backdoor (CVE-2011-2523)',
                 category=CATEGORY_CTF
             )
         )
 
         # Samba 3.0.x usermap_script RCE (CVE-2007-2447)
         # Command injection in username field
+        # Match SMB service with version starting with 3 (nmap shows "3.X" or "3.0.x")
+        self.rules.append(
+            ChainRule(
+                trigger_tool='nmap',
+                trigger_condition='service:smb & svc_version:3.',
+                target_tool='msf_exploit',
+                priority=10,
+                args_template=['exploit/multi/samba/usermap_script'],
+                description='Samba 3.x detected - checking for usermap_script RCE (CVE-2007-2447)',
+                category=CATEGORY_CTF
+            )
+        )
+        # Also match netbios-ssn service (common nmap detection for SMB)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:Samba 3.0',
+                trigger_condition='service:netbios-ssn & svc_version:3.',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/multi/samba/usermap_script'],
-                description='Samba 3.0.x detected - usermap_script RCE available (CVE-2007-2447)',
+                description='Samba 3.x detected (netbios-ssn) - checking for usermap_script RCE (CVE-2007-2447)',
                 category=CATEGORY_CTF
             )
         )
@@ -2132,14 +2167,15 @@ class ToolChaining:
         )
 
         # ProFTPD mod_copy (CVE-2015-3306) - file copy without auth
+        # Match FTP service with version 1.3.x (common ProFTPD versions)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:ProFTPD 1.3',
+                trigger_condition='service:ftp & svc_version:1.3',
                 target_tool='msf_exploit',
                 priority=8,
                 args_template=['exploit/unix/ftp/proftpd_modcopy_exec'],
-                description='ProFTPD 1.3.x detected - checking for mod_copy RCE (CVE-2015-3306)',
+                description='FTP 1.3.x detected - checking for ProFTPD mod_copy RCE (CVE-2015-3306)',
                 category=CATEGORY_CTF
             )
         )
@@ -4160,6 +4196,40 @@ class ToolChaining:
                         if len(app_databases) > db_limit:
                             logger.info(f"SQLMap auto-chaining limited to first {db_limit} of {len(app_databases)} application databases")
 
+                # === Post-exploitation chain rules (is_dba, file_read, os_cmd) ===
+                # Check for post-exploitation flags and fire appropriate chain rules
+                is_dba = parse_results.get('is_dba', False)
+                file_read_success = parse_results.get('file_read_success', False)
+                os_command_success = parse_results.get('os_command_success', False)
+
+                if is_dba or file_read_success or os_command_success:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+
+                    # Build context with post-exploitation flags using injectable_url
+                    post_exploit_context = {
+                        'target': injectable_url,  # Use the correct injectable URL
+                        'tool': tool,
+                        'is_dba': is_dba,
+                        'file_read_success': file_read_success,
+                        'os_command_success': os_command_success,
+                        'post_data': post_data,  # Preserve POST data for subsequent commands
+                    }
+
+                    if is_dba:
+                        logger.info(f"SQLMap: DBA access confirmed! Evaluating post-exploitation chains...")
+                    if file_read_success:
+                        logger.info(f"SQLMap: File read successful! Evaluating file read chains...")
+                    if os_command_success:
+                        logger.info(f"SQLMap: OS command execution successful!")
+
+                    # Evaluate chain rules - this will fire rules like has:is_dba
+                    commands = self.evaluate_chains(tool, post_exploit_context)
+                    if commands:
+                        logger.info(f"SQLMap: Matched {len(commands)} post-exploitation chain rule(s)")
+                        job_ids.extend(self._enqueue_commands(commands, tool, engagement_id, injectable_url, parent_job_id=job.get('id')))
+                # === END Post-exploitation chain rules ===
+
                 return job_ids
             # === END SQLMap special handling ===
 
@@ -4877,6 +4947,28 @@ class ToolChaining:
                         if not endpoint_url:
                             continue
 
+                        # === Filter out non-injectable files ===
+                        path_lower = endpoint_url.lower()
+                        filename = path_lower.split('/')[-1] if '/' in path_lower else path_lower
+
+                        # Skip Apache/nginx config files
+                        if filename.startswith('.ht') or filename.startswith('.nginx'):
+                            logger.debug(f"Skipping config file: {endpoint_url}")
+                            continue
+
+                        # Skip static files that can't have SQL injection
+                        static_extensions = (
+                            '.html', '.htm', '.txt', '.css', '.js', '.json',
+                            '.xml', '.svg', '.png', '.jpg', '.jpeg', '.gif',
+                            '.ico', '.woff', '.woff2', '.ttf', '.eot',
+                            '.pdf', '.doc', '.docx', '.xls', '.xlsx',
+                            '.bak', '.old', '.backup', '.swp', '.orig',
+                            '.map', '.md', '.rst', '.log'
+                        )
+                        if any(filename.endswith(ext) for ext in static_extensions):
+                            logger.debug(f"Skipping static file: {endpoint_url}")
+                            continue
+
                         # === SQLMap for testable endpoints ===
                         if status_code in testable_statuses and created_sqlmap_jobs < max_sqlmap_jobs:
                             # For API endpoints without parameters, add test parameters

souleyez/detection/validator.py

@@ -156,8 +156,10 @@ class DetectionValidator:
         job_command = _reconstruct_command(job)
         # Use started_at or finished_at for execution time
         executed_at = job.get('started_at') or job.get('finished_at') or job.get('created_at')
-        # Job is successful if status is 'done'
-        success = job.get('status') == 'done'
+        # Job ran successfully if status is done, no_results, or warning
+        # (all of these sent network traffic that should be detectable by SIEM)
+        job_status = job.get('status', '')
+        success = job_status in ('done', 'no_results', 'warning')
 
         # Extract target IP from command (common patterns)
         target_ip = None

souleyez/docs/README.md

@@ -1,7 +1,7 @@
 # SoulEyez Documentation
 
-**Version:** 2.17.0
-**Last Updated:** January 4, 2026
+**Version:** 2.23.0
+**Last Updated:** January 7, 2026
 **Organization:** CyberSoul Security
 
 Welcome to the SoulEyez documentation! This documentation covers architecture, development, user guides, and operational information for the SoulEyez penetration testing platform.

souleyez/docs/user-guide/installation.md

@@ -40,12 +40,14 @@ pipx is the Python community's recommended way to install CLI applications. It h
 # One-time setup
 sudo apt install pipx
 pipx ensurepath
-source ~/.bashrc
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
 
 # Install SoulEyez
 pipx install souleyez
 ```
 
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
 On first run, SoulEyez will prompt you to install pentesting tools (nmap, sqlmap, gobuster, etc.).
 
 ```bash

souleyez/engine/background.py

@@ -711,7 +711,14 @@ def _run_rpc_exploit(cmd_spec: Dict[str, Any], log_path: str, jid: int = None, p
         )
 
         return 0
+    elif result.get('no_session'):
+        # Exploit ran but no session opened - this is "no results", not an error
+        # Return 1 but let parser set status to no_results
+        reason = result.get('reason', 'No session opened')
+        _append_worker_log(f"job {jid}: exploit completed - {reason}")
+        return 1
     else:
+        # True error (connection failed, RPC error, etc.)
         error = result.get('error', 'Unknown error')
         _append_worker_log(f"job {jid}: RPC exploit failed - {error}")
         return 1
@@ -1031,7 +1038,8 @@ def _is_true_error_exit_code(rc: int, tool: str) -> bool:
 
     # Tools that use non-zero exit codes for non-error conditions
     # Parser will determine the actual status based on output
-    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa']
+    # msf_exploit returns 1 when no session opened (exploit ran but target not vulnerable)
+    tools_with_nonzero_success = ['gobuster', 'hydra', 'medusa', 'msf_exploit']
 
     if tool.lower() in tools_with_nonzero_success:
         # Let parser determine status

souleyez/engine/result_handler.py

@@ -305,6 +305,8 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         # Import into database
         hm = HostManager()
         result = hm.import_nmap_results(engagement_id, parsed)
+        logger.info(f"Nmap import: {result['hosts_added']} hosts, {result['services_added']} services in engagement {engagement_id}")
+        logger.debug(f"Info scripts to process: {len(parsed.get('info_scripts', []))}")
 
         # Check for CVEs and common issues
         fm = FindingsManager()
@@ -436,11 +438,13 @@ def parse_nmap_job(engagement_id: int, log_path: str, job: Dict[str, Any]) -> Di
         for info in parsed.get('info_scripts', []):
             host_ip = info.get('host_ip')
             if not host_ip:
+                logger.warning(f"Info script missing host_ip: {info.get('script')}")
                 continue
 
             # Find host ID
             host = hm.get_host_by_ip(engagement_id, host_ip)
             if not host:
+                logger.warning(f"Host not found for info script: {host_ip} in engagement {engagement_id}")
                 continue
 
             host_id = host['id']

souleyez/integrations/siem/splunk.py

@@ -348,7 +348,15 @@ class SplunkSIEMClient(SIEMClient):
                 # HEC wraps in 'event' key, or data might be at top level
                 event_data = parsed.get('event', parsed) if isinstance(parsed, dict) else {}
             except (json_lib.JSONDecodeError, TypeError):
-                pass
+                # Try to extract embedded JSON from syslog lines
+                # Format: "Jan  7 14:23:38 host program {json...}"
+                import re
+                json_match = re.search(r'\{.*\}', raw_str)
+                if json_match:
+                    try:
+                        event_data = json_lib.loads(json_match.group())
+                    except (json_lib.JSONDecodeError, TypeError):
+                        pass
 
         # Helper to get field from event_data first, then raw_result
         def get_field(*keys, default=''):
@@ -370,10 +378,15 @@ class SplunkSIEMClient(SIEMClient):
         rule_id = get_field('rule_id', 'rule_name', 'savedsearch_name', 'alert')
         rule_name = get_field('rule_name', 'search_name') or rule_id
 
-        # For plain log events (no alert fields), use sourcetype as category
+        # For plain log events (no alert fields), use event_type or sourcetype
         if not rule_id:
+            # Prefer Suricata event_type over generic sourcetype
+            event_type = get_field('event_type')
             sourcetype = raw_result.get('sourcetype', '')
-            if sourcetype:
+            if event_type:
+                rule_id = event_type
+                rule_name = f"Suricata: {event_type}"
+            elif sourcetype:
                 rule_id = sourcetype
                 rule_name = f"Log: {sourcetype}"
 
@@ -389,19 +402,53 @@ class SplunkSIEMClient(SIEMClient):
         if not source_ip:
             source_ip = raw_result.get('host', '')
 
-        # Extract description
+        # Extract description - try multiple sources
         description = get_field('description', 'signature', 'message')
+
+        # Suricata-specific: check nested alert object
+        if not description and event_data.get('alert'):
+            alert_obj = event_data['alert']
+            if isinstance(alert_obj, dict):
+                description = alert_obj.get('signature', alert_obj.get('category', ''))
+
+        # Suricata event_type with context
         if not description:
-            # Fallback: use event_type as description
             event_type = get_field('event_type', 'category')
             if event_type:
-                description = f"{event_type}: {get_field('action', default='detected')}"
-
-        # For plain log events, use snippet of _raw as description
+                # Add context based on event type
+                if event_type == 'dns' and event_data.get('dns'):
+                    dns = event_data['dns']
+                    rrname = dns.get('rrname', '') if isinstance(dns, dict) else ''
+                    description = f"DNS: {rrname}" if rrname else f"DNS query"
+                elif event_type == 'http' and event_data.get('http'):
+                    http = event_data['http']
+                    hostname = http.get('hostname', '') if isinstance(http, dict) else ''
+                    description = f"HTTP: {hostname}" if hostname else "HTTP request"
+                elif event_type == 'flow':
+                    app_proto = get_field('app_proto', default='')
+                    description = f"Flow: {app_proto}" if app_proto else "Network flow"
+                elif event_type == 'alert':
+                    description = "Suricata alert"
+                else:
+                    description = f"{event_type}: {get_field('action', default='detected')}"
+
+        # For plain log events, try to extract something useful from _raw
         if not description and raw_str:
-            # Clean up raw log and take first 150 chars
-            clean_raw = raw_str.replace('\n', ' ').strip()
-            description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+            # Skip syslog header to get actual message
+            # Format: "Mon DD HH:MM:SS hostname program: message"
+            import re
+            # Try to extract message after "program:" or "program["
+            msg_match = re.search(r'^\w+\s+\d+\s+[\d:]+\s+\S+\s+\S+[:\[]\s*(.+)', raw_str)
+            if msg_match:
+                description = msg_match.group(1).strip()[:150]
+            else:
+                # Fallback: clean up raw log
+                clean_raw = raw_str.replace('\n', ' ').strip()
+                # Skip if it's just timestamps/IPs with no real content
+                if len(clean_raw) > 50:
+                    description = clean_raw[:150] + ('...' if len(clean_raw) > 150 else '')
+                else:
+                    description = clean_raw if clean_raw else 'No details available'
 
         # Extract MITRE info - check event_data first
         mitre_tactics = []

souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.17.0')
+@click.version_option(version='2.23.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging

souleyez/parsers/smbmap_parser.py

@@ -49,16 +49,44 @@ def parse_smbmap_output(output: str, target: str = "") -> Dict[str, Any]:
                     'timestamp': str
                 },
                 ...
-            ]
+            ],
+            'smb_detected': bool,  # True if SMB service was detected
+            'hosts_count': int,    # Number of hosts serving SMB
+            'error': str           # Error message if tool crashed
         }
     """
     result = {
         'target': target,
         'status': None,
         'shares': [],
-        'files': []
+        'files': [],
+        'smb_detected': False,
+        'hosts_count': 0,
+        'error': None
     }
 
+    # Check for SMB detection (even if tool crashes later)
+    # [*] Detected 1 hosts serving SMB
+    smb_detected_match = re.search(r'\[\*\]\s*Detected\s+(\d+)\s+hosts?\s+serving\s+SMB', output)
+    if smb_detected_match:
+        result['smb_detected'] = True
+        result['hosts_count'] = int(smb_detected_match.group(1))
+
+    # Check for Python traceback (tool crash)
+    if 'Traceback (most recent call last):' in output:
+        # Extract error message from traceback
+        error_match = re.search(r'(?:Error|Exception).*?[\'"]([^\'"]+)[\'"]', output, re.DOTALL)
+        if error_match:
+            result['error'] = error_match.group(1)
+        else:
+            # Try to get the last line of the traceback
+            traceback_lines = output.split('Traceback (most recent call last):')[-1].strip().split('\n')
+            for line in reversed(traceback_lines):
+                line = line.strip()
+                if line and not line.startswith('File') and not line.startswith('raise'):
+                    result['error'] = line[:200]  # Limit length
+                    break
+
     lines = output.split('\n')
     in_share_table = False
     current_share = None

souleyez/parsers/sqlmap_parser.py

@@ -80,10 +80,15 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
     current_method = 'GET'
     current_post_data = None
 
+    # Track POST form URLs separately to prevent GET URL testing from overwriting them
+    # This fixes bug where chain rules get wrong URL when SQLMap tests multiple URLs
+    last_post_form_url = None
+    last_post_form_data = None
+
     for i, line in enumerate(lines):
         line = line.strip()
 
-        # Extract URL being tested
+        # Extract URL being tested (GET requests typically)
         if 'testing URL' in line:
             url_match = re.search(r"testing URL '([^']+)'", line)
             if url_match:
@@ -100,6 +105,9 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
                 current_url = url_match.group(2)
                 if current_url not in result['urls_tested']:
                     result['urls_tested'].append(current_url)
+                # Save POST form URL separately for later use
+                if current_method == 'POST':
+                    last_post_form_url = current_url
 
         # Extract POST data (appears after "POST http://..." line)
         # Format: "POST data: username=&password=&submit=Login"
@@ -107,6 +115,8 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
             post_data_match = re.search(r'^POST data:\s*(.+)$', line)
             if post_data_match:
                 current_post_data = post_data_match.group(1).strip()
+                # Associate POST data with the POST form URL
+                last_post_form_data = current_post_data
 
         # Handle resumed injection points from stored session
         # Pattern: "sqlmap resumed the following injection point(s) from stored session:"
@@ -129,15 +139,23 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
                     else:
                         method = current_method  # Use current context
 
+                    # For POST parameters, use the saved POST form URL instead of current_url
+                    if method == 'POST' and last_post_form_url:
+                        effective_url = last_post_form_url
+                        effective_post_data = last_post_form_data or current_post_data
+                    else:
+                        effective_url = current_url or target
+                        effective_post_data = current_post_data if method == 'POST' else None
+
                     # Mark as confirmed injection
                     result['sql_injection_confirmed'] = True
                     result['injectable_parameter'] = param
-                    result['injectable_url'] = current_url or target
+                    result['injectable_url'] = effective_url
                     result['injectable_method'] = method
 
                     # Add vulnerability entry
                     result['vulnerabilities'].append({
-                        'url': current_url or target,
+                        'url': effective_url,
                         'parameter': param,
                         'vuln_type': 'sqli',
                         'injectable': True,
@@ -147,10 +165,10 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
 
                     # Collect injection point
                     injection_point = {
-                        'url': current_url or target,
+                        'url': effective_url,
                         'parameter': param,
                         'method': method,
-                        'post_data': current_post_data if method == 'POST' else None,
+                        'post_data': effective_post_data,
                         'techniques': []
                     }
                     if not any(
@@ -318,8 +336,17 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
                     )
 
                     if not already_added:
+                        # For POST parameters, use the saved POST form URL instead of current_url
+                        # This prevents bug where GET URL testing overwrites the correct POST form URL
+                        if param_method == 'POST' and last_post_form_url:
+                            effective_url = last_post_form_url
+                            effective_post_data = last_post_form_data or current_post_data
+                        else:
+                            effective_url = current_url or target
+                            effective_post_data = current_post_data if param_method == 'POST' else None
+
                         result['vulnerabilities'].append({
-                            'url': current_url or target,
+                            'url': effective_url,
                             'parameter': param,
                             'vuln_type': 'sqli',
                             'injectable': True,
@@ -332,17 +359,17 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
                         # Set confirmation flags
                         result['sql_injection_confirmed'] = True
                         result['injectable_parameter'] = param
-                        result['injectable_url'] = current_url or target
+                        result['injectable_url'] = effective_url
                         result['injectable_method'] = param_method  # GET, POST, etc.
-                        if param_method == 'POST' and current_post_data:
-                            result['injectable_post_data'] = current_post_data
+                        if param_method == 'POST' and effective_post_data:
+                            result['injectable_post_data'] = effective_post_data
 
                         # Collect ALL injection points for fallback
                         injection_point = {
-                            'url': current_url or target,
+                            'url': effective_url,
                             'parameter': param,
                             'method': param_method,
-                            'post_data': current_post_data if param_method == 'POST' else None,
+                            'post_data': effective_post_data,
                             'techniques': techniques
                         }
                         # Avoid duplicates
@@ -364,8 +391,18 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
             if param_match:
                 method = param_match.group(1) or current_method
                 param = param_match.group(2)
+
+                # For POST parameters, use the saved POST form URL instead of current_url
+                # This prevents bug where GET URL testing overwrites the correct POST form URL
+                if method == 'POST' and last_post_form_url:
+                    effective_url = last_post_form_url
+                    effective_post_data = last_post_form_data or current_post_data
+                else:
+                    effective_url = current_url or target
+                    effective_post_data = current_post_data if method == 'POST' else None
+
                 result['vulnerabilities'].append({
-                    'url': current_url or target,
+                    'url': effective_url,
                     'parameter': param,
                     'vuln_type': 'sqli',
                     'injectable': True,
@@ -376,17 +413,17 @@ def parse_sqlmap_output(output: str, target: str = "") -> Dict[str, Any]:
                 # Set confirmation flags
                 result['sql_injection_confirmed'] = True
                 result['injectable_parameter'] = param
-                result['injectable_url'] = current_url or target
+                result['injectable_url'] = effective_url
                 result['injectable_method'] = method
-                if method == 'POST' and current_post_data:
-                    result['injectable_post_data'] = current_post_data
+                if method == 'POST' and effective_post_data:
+                    result['injectable_post_data'] = effective_post_data
 
                 # Collect ALL injection points for fallback
                 injection_point = {
-                    'url': current_url or target,
+                    'url': effective_url,
                     'parameter': param,
                     'method': method,
-                    'post_data': current_post_data if method == 'POST' else None,
+                    'post_data': effective_post_data,
                     'techniques': []  # Technique details not available at this detection point
                 }
                 # Avoid duplicates