souleyez 2.17.0__tar.gz → 2.28.0__tar.gz

{souleyez-2.17.0 → souleyez-2.28.0}/BETA_README.md

@@ -1,5 +1,11 @@
 # SoulEyez Beta Program
 
+[![CI](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml/badge.svg)](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml)
+[![codecov](https://codecov.io/gh/cyber-soul-security/souleyez/branch/main/graph/badge.svg)](https://codecov.io/gh/cyber-soul-security/souleyez)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
+[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+
 Welcome to the SoulEyez beta! Thank you for helping us test and improve this penetration testing management platform.
 
 ---
@@ -21,7 +27,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
 
-## Version: 2.17.0
+## Version: 2.28.0
 
 ### What's Included
 
@@ -59,6 +65,17 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 - **Python**: 3.8 or newer
 - **Storage**: ~500MB for SoulEyez + tools
 
+> **🐉 Kali Linux Recommended**
+>
+> SoulEyez performs significantly better on **Kali Linux** than other distributions:
+> - All pentesting tools pre-installed and optimized
+> - Metasploit database and RPC already configured
+> - Security-focused kernel and networking stack
+> - No dependency hunting or version conflicts
+> - Wordlists, databases, and tool configs ready to go
+>
+> While Ubuntu and other Debian-based distros are supported, you may experience slower setup times and occasional tool compatibility issues.
+
 ### Known Issues
 
 - Very large scan outputs (>10MB) may slow the interface
@@ -76,6 +93,8 @@ pipx ensurepath          # Add pipx apps to your PATH
 source ~/.bashrc         # Reload your shell (or close and reopen terminal)
 ```
 
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
 > 💡 **What's pipx?** It's like `apt` but for Python command-line tools. It keeps each tool isolated so they don't conflict with each other.
 
 ### Step 2: Install SoulEyez
@@ -246,4 +265,4 @@ Happy hacking! 🛡️
 
 ---
 
-**Version**: 2.17.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security
+**Version**: 2.28.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security

{souleyez-2.17.0/souleyez.egg-info → souleyez-2.28.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: souleyez
-Version: 2.17.0
+Version: 2.28.0
 Summary: AI-Powered Penetration Testing Platform with 40+ integrated tools
 Author-email: CyberSoul Security <contact@cybersoulsecurity.com>
 Maintainer-email: CyberSoul Security <contact@cybersoulsecurity.com>
@@ -51,6 +51,12 @@ Dynamic: license-file
 
 # SoulEyez Beta Program
 
+[![CI](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml/badge.svg)](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml)
+[![codecov](https://codecov.io/gh/cyber-soul-security/souleyez/branch/main/graph/badge.svg)](https://codecov.io/gh/cyber-soul-security/souleyez)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
+[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+
 Welcome to the SoulEyez beta! Thank you for helping us test and improve this penetration testing management platform.
 
 ---
@@ -72,7 +78,7 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 
 > ⚠️ **Important**: Only use SoulEyez on systems you have explicit authorization to test.
 
-## Version: 2.17.0
+## Version: 2.28.0
 
 ### What's Included
 
@@ -110,6 +116,17 @@ Welcome to the SoulEyez beta! Thank you for helping us test and improve this pen
 - **Python**: 3.8 or newer
 - **Storage**: ~500MB for SoulEyez + tools
 
+> **🐉 Kali Linux Recommended**
+>
+> SoulEyez performs significantly better on **Kali Linux** than other distributions:
+> - All pentesting tools pre-installed and optimized
+> - Metasploit database and RPC already configured
+> - Security-focused kernel and networking stack
+> - No dependency hunting or version conflicts
+> - Wordlists, databases, and tool configs ready to go
+>
+> While Ubuntu and other Debian-based distros are supported, you may experience slower setup times and occasional tool compatibility issues.
+
 ### Known Issues
 
 - Very large scan outputs (>10MB) may slow the interface
@@ -127,6 +144,8 @@ pipx ensurepath          # Add pipx apps to your PATH
 source ~/.bashrc         # Reload your shell (or close and reopen terminal)
 ```
 
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
 > 💡 **What's pipx?** It's like `apt` but for Python command-line tools. It keeps each tool isolated so they don't conflict with each other.
 
 ### Step 2: Install SoulEyez
@@ -297,4 +316,4 @@ Happy hacking! 🛡️
 
 ---
 
-**Version**: 2.17.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security
+**Version**: 2.28.0 | **Release Date**: January 2026 | **Maintainer**: CyberSoul Security

{souleyez-2.17.0 → souleyez-2.28.0}/README.md

@@ -1,5 +1,11 @@
 # SoulEyez — AI-Powered Penetration Testing Platform
 
+[![CI](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml/badge.svg)](https://github.com/cyber-soul-security/souleyez/actions/workflows/python-ci.yml)
+[![codecov](https://codecov.io/gh/cyber-soul-security/souleyez/branch/main/graph/badge.svg)](https://codecov.io/gh/cyber-soul-security/souleyez)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
+[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+
 **LEGAL NOTICE — Use Responsibly**
 Only use SoulEyez on systems you own or have explicit written permission to test.
 Unauthorized scanning or exploitation is illegal. The authors are not responsible for misuse.
@@ -133,7 +139,7 @@ See [docs/CONFIG.md](souleyez/docs/CONFIG.md) for complete configuration options
 # Install pipx if needed
 sudo apt install pipx
 pipx ensurepath
-source ~/.bashrc
+source ~/.bashrc    # Kali Linux: use 'source ~/.zshrc' instead
 
 # Install SoulEyez
 pipx install souleyez
@@ -142,6 +148,8 @@ pipx install souleyez
 souleyez setup
 ```
 
+> **Kali Linux users:** Kali uses zsh by default. Use `source ~/.zshrc` instead of `source ~/.bashrc`
+
 See [docs/user-guide/installation.md](souleyez/docs/user-guide/installation.md) for detailed instructions.
 
 ---

{souleyez-2.17.0 → souleyez-2.28.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "souleyez"
-version = "2.17.0"
+version = "2.28.0"
 description = "AI-Powered Penetration Testing Platform with 40+ integrated tools"
 readme = "BETA_README.md"
 license = {text = "MIT"}
@@ -71,7 +71,7 @@ include = ["souleyez*"]
 exclude = ["tests*", "scripts*", "reports*", "venv*", "debian*"]
 
 [tool.setuptools.package-data]
-souleyez = ["docs/**/*.md", "data/wordlists/*.txt", "data/wordlists/*.md", "data/templates/*.json", "data/templates/*.md"]
+souleyez = ["docs/**/*.md", "data/wordlists/*.txt", "data/wordlists/*.md", "data/templates/*.json", "data/templates/*.md", "assets/*.png"]
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]

souleyez-2.28.0/souleyez/__init__.py

@@ -0,0 +1 @@
+__version__ = '2.28.0'

souleyez-2.28.0/souleyez/assets/__init__.py

@@ -0,0 +1 @@
+# SoulEyez assets package

{souleyez-2.17.0 → souleyez-2.28.0}/souleyez/core/msf_sync_manager.py

@@ -29,15 +29,25 @@ logger = logging.getLogger(__name__)
 
 def get_msf_database_config() -> Optional[Dict[str, Any]]:
     """
-    Get MSF database configuration from ~/.msf4/database.yml
+    Get MSF database configuration from ~/.msf4/database.yml or system-wide config.
+
+    Checks user config first, then falls back to system-wide config (Kali Linux).
 
     Returns:
         Dictionary with database config or None if not found/parseable
     """
-    db_yml_path = Path.home() / ".msf4" / "database.yml"
-
-    if not db_yml_path.exists():
-        logger.debug(f"MSF database.yml not found at {db_yml_path}")
+    # Check user config first, then system-wide config (Kali uses system-wide)
+    user_db_path = Path.home() / ".msf4" / "database.yml"
+    system_db_path = Path('/usr/share/metasploit-framework/config/database.yml')
+
+    db_yml_path = None
+    if user_db_path.exists():
+        db_yml_path = user_db_path
+    elif system_db_path.exists():
+        db_yml_path = system_db_path
+
+    if not db_yml_path:
+        logger.debug("MSF database.yml not found in user or system config")
         return None
 
     try:

{souleyez-2.17.0 → souleyez-2.28.0}/souleyez/core/tool_chaining.py

@@ -15,6 +15,17 @@ CATEGORY_CTF = "ctf"           # Lab/learning scenarios - vulnerable by design
 CATEGORY_ENTERPRISE = "enterprise"  # Real-world enterprise testing
 CATEGORY_GENERAL = "general"   # Standard recon that applies everywhere
 
+# Managed hosting platforms - skip CGI enumeration (pointless on these)
+# These are detected from server headers/banners and product names
+MANAGED_HOSTING_PLATFORMS = {
+    'squarespace', 'wix', 'shopify', 'webflow', 'weebly',
+    'wordpress.com', 'ghost.io', 'medium', 'tumblr', 'blogger',
+    'netlify', 'vercel', 'github.io', 'pages.dev', 'cloudflare',
+    'heroku', 'railway', 'render.com', 'fly.io',
+    'aws cloudfront', 'akamai', 'fastly', 'cloudflare',
+    'azure', 'google cloud', 'firebase',
+}
+
 # Category display icons
 CATEGORY_ICONS = {
     CATEGORY_CTF: "🎯",
@@ -140,6 +151,75 @@ def classify_os_device(os_string: str, services: list) -> dict:
     return {'os_family': 'unknown', 'device_type': 'unknown', 'vendor': None}
 
 
+def is_managed_hosting(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> bool:
+    """
+    Detect if target is a managed hosting platform.
+
+    These platforms don't have CGI directories, so tools like nikto
+    should skip CGI enumeration to avoid long, pointless scans.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        True if managed hosting detected, False otherwise
+    """
+    # Check fingerprint data first (most reliable, comes from actual HTTP headers)
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return True
+
+    # Fall back to checking services data (less reliable, from nmap banners)
+    for service in services:
+        # Check product field
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+
+        # Combine all fields for matching
+        combined = f"{product} {raw_version} {service_name}"
+
+        # Check against known managed hosting platforms
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return True
+
+    return False
+
+
+def get_managed_hosting_platform(services: List[Dict[str, Any]], http_fingerprint: Dict[str, Any] = None) -> Optional[str]:
+    """
+    Get the name of the managed hosting platform if detected.
+
+    Args:
+        services: List of service dicts from nmap parser
+        http_fingerprint: Optional fingerprint data from http_fingerprint plugin
+
+    Returns:
+        Platform name or None
+    """
+    # Check fingerprint data first
+    if http_fingerprint:
+        managed = http_fingerprint.get('managed_hosting')
+        if managed:
+            return managed
+
+    # Fall back to services check
+    for service in services:
+        product = (service.get('product') or '').lower()
+        raw_version = (service.get('raw_version') or '').lower()
+        service_name = (service.get('service') or '').lower()
+        combined = f"{product} {raw_version} {service_name}"
+
+        for platform in MANAGED_HOSTING_PLATFORMS:
+            if platform in combined:
+                return platform.title()
+
+    return None
+
+
 # Technology to Nuclei tags mapping
 # Maps detected products/technologies to relevant nuclei template tags
 TECH_TO_NUCLEI_TAGS = {
@@ -423,6 +503,21 @@ class ChainRule:
                                     result = True
                                     break
 
+            elif cond_type == 'svc_version':
+                # Simple version string match (e.g., 'svc_version:2.3.4')
+                # Matches if any service has this exact version string
+                # Useful when nmap doesn't detect product name
+                services = context.get('services', [])
+                for service in services:
+                    svc_version = (
+                        service.get('version', '') or
+                        service.get('service_version', '') or
+                        ''
+                    )
+                    if svc_version and cond_value.lower() in svc_version.lower():
+                        result = True
+                        break
+
         # Apply negation if needed
         return not result if negated else result
 
@@ -496,6 +591,23 @@ class ChainRule:
                     if svc_port in group.get('ports', []):
                         port = str(svc_port)
                         break
+        elif 'has:services' in self.trigger_condition:
+            # For has:services condition, extract port from the services array
+            # Prioritize HTTP services for web tools (gobuster, nuclei, etc.)
+            services = context.get('services', [])
+            http_ports = {80, 443, 8080, 8443, 8000, 8888, 3000, 5000}
+
+            # First pass: look for HTTP service by name or common HTTP ports
+            for svc in services:
+                svc_name = svc.get('service_name', '').lower()
+                svc_port = svc.get('port')
+                if svc_name == 'http' or svc_name == 'https' or svc_port in http_ports:
+                    port = str(svc_port)
+                    break
+
+            # Second pass: if no HTTP service, use the first service's port
+            if not port and services:
+                port = str(services[0].get('port', ''))
 
         # Calculate subnet for {subnet} placeholder (e.g., 10.0.0.88 → 10.0.0.0/24)
         subnet = ''
@@ -560,6 +672,25 @@ class ChainRule:
                 new_args.append(arg)
             args = new_args
 
+        # For Nikto: Skip CGI enumeration on managed hosting platforms
+        # This prevents long, pointless scans on Squarespace, Wix, etc.
+        if self.target_tool == 'nikto':
+            services = context.get('services', [])
+            http_fingerprint = context.get('http_fingerprint', {})
+            if is_managed_hosting(services, http_fingerprint):
+                # Add -C none to skip CGI dirs (pointless on managed hosting)
+                if '-C' not in str(args):
+                    args.extend(['-C', 'none'])
+                # Add -Tuning x6 to skip remote file inclusion tests
+                if '-Tuning' not in str(args):
+                    args.extend(['-Tuning', 'x6'])
+                # Log which platform was detected
+                platform = get_managed_hosting_platform(services, http_fingerprint)
+                if platform:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+                    logger.info(f"[FINGERPRINT] Managed hosting detected ({platform}) - nikto using optimized scan config")
+
         # For SQLMap with POST injections, add --data if we have POST data
         if self.target_tool == 'sqlmap' and post_data and '--data' not in str(args):
             # Insert --data after -u argument
@@ -627,32 +758,42 @@ class ToolChaining:
 
         # Web service discovered → run web scanners
         self.rules.extend([
-            # Modern vulnerability scanner (Nuclei) - PRIORITY
-            # Uses {nuclei_tags} placeholder to auto-detect tech and run relevant templates
+            # HTTP Fingerprinting - runs FIRST to detect WAF/CDN/managed hosting
+            # This enables smarter tool configuration for downstream scanners
             ChainRule(
                 trigger_tool='nmap',
                 trigger_condition='service:http',
+                target_tool='http_fingerprint',
+                priority=11,  # Highest priority - runs before all other web tools
+                args_template=[],
+                description='Web server detected, fingerprinting for WAF/CDN/platform detection'
+            ),
+            # Nikto triggered by http_fingerprint (uses fingerprint data for smart config)
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
+                target_tool='nikto',
+                priority=8,
+                args_template=['-nointeractive', '-timeout', '10'],
+                description='Fingerprinting complete, scanning for server misconfigurations with Nikto'
+            ),
+            # Nuclei triggered by http_fingerprint
+            ChainRule(
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='nuclei',
                 priority=9,
                 args_template=['-tags', '{nuclei_tags}', '-severity', 'critical,high', '-rate-limit', '50', '-c', '10', '-timeout', '10'],
-                description='Web server detected (HTTP/HTTPS), scanning with Nuclei'
+                description='Fingerprinting complete, scanning with Nuclei'
             ),
+            # Gobuster triggered by http_fingerprint
             ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
+                trigger_tool='http_fingerprint',
+                trigger_condition='has:services',
                 target_tool='gobuster',
                 priority=7,
                 args_template=['dir', '-u', 'http://{target}:{port}', '-w', 'data/wordlists/web_dirs_common.txt', '-x', 'js,json,php,asp,aspx,html,txt,bak,old,zip', '--no-error', '--timeout', '30s', '-t', '5', '--delay', '20ms'],
-                description='Web server detected (HTTP/HTTPS), discovering directories and files'
-            ),
-            # Nikto - web server vulnerability scanner (complements nuclei)
-            ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:http',
-                target_tool='nikto',
-                priority=8,
-                args_template=['-nointeractive', '-timeout', '10'],
-                description='Web server detected, scanning for server misconfigurations with Nikto'
+                description='Fingerprinting complete, discovering directories and files'
             ),
             # Dalfox - XSS scanner triggered after gobuster finds pages
             ChainRule(
@@ -731,14 +872,8 @@ class ToolChaining:
                 args_template=['-a', '{target}'],
                 description='SMB service detected, enumerating shares and users (runs after CrackMapExec)'
             ),
-            ChainRule(
-                trigger_tool='nmap',
-                trigger_condition='service:smb',
-                target_tool='smbmap',
-                priority=7,
-                args_template=['-H', '{target}'],
-                description='SMB service detected, mapping shares'
-            ),
+            # NOTE: smbmap removed - has upstream impacket pickling bug on Python 3.13+
+            # Use crackmapexec/netexec --shares instead (enum4linux rule above)
         ])
 
         # Active Directory attacks - smart chaining workflow
@@ -1143,13 +1278,16 @@ class ToolChaining:
         #     )
         # )
 
+        # DISABLED: smbmap has upstream pickling bug - won't produce results
         # Writable SMB shares found → check for exploitability
+        # TODO: Add rule triggering from crackmapexec writable shares detection
         self.rules.append(
             ChainRule(
                 trigger_tool='smbmap',
                 trigger_condition='has:writable_shares',
                 target_tool='msf_auxiliary',
                 priority=10,
+                enabled=False,  # Disabled - smbmap broken
                 args_template=['auxiliary/scanner/smb/smb_version'],
                 description='Writable SMB shares found, checking for vulnerabilities'
             )
@@ -1908,28 +2046,42 @@ class ToolChaining:
 
         # vsftpd 2.3.4 backdoor (CVE-2011-2523)
         # Triggers backdoor shell on port 6200 when username contains :)
+        # Match FTP service with version 2.3.4 (nmap often shows just "ftp" + "2.3.4")
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:vsftpd 2.3.4',
+                trigger_condition='service:ftp & svc_version:2.3.4',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/unix/ftp/vsftpd_234_backdoor'],
-                description='vsftpd 2.3.4 detected - BACKDOOR AVAILABLE (CVE-2011-2523)',
+                description='FTP 2.3.4 detected - checking for vsftpd backdoor (CVE-2011-2523)',
                 category=CATEGORY_CTF
             )
         )
 
         # Samba 3.0.x usermap_script RCE (CVE-2007-2447)
         # Command injection in username field
+        # Match SMB service with version starting with 3 (nmap shows "3.X" or "3.0.x")
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:Samba 3.0',
+                trigger_condition='service:smb & svc_version:3.',
                 target_tool='msf_exploit',
                 priority=10,
                 args_template=['exploit/multi/samba/usermap_script'],
-                description='Samba 3.0.x detected - usermap_script RCE available (CVE-2007-2447)',
+                description='Samba 3.x detected - checking for usermap_script RCE (CVE-2007-2447)',
+                category=CATEGORY_CTF
+            )
+        )
+        # Also match netbios-ssn service (common nmap detection for SMB)
+        self.rules.append(
+            ChainRule(
+                trigger_tool='nmap',
+                trigger_condition='service:netbios-ssn & svc_version:3.',
+                target_tool='msf_exploit',
+                priority=10,
+                args_template=['exploit/multi/samba/usermap_script'],
+                description='Samba 3.x detected (netbios-ssn) - checking for usermap_script RCE (CVE-2007-2447)',
                 category=CATEGORY_CTF
             )
         )
@@ -2132,14 +2284,15 @@ class ToolChaining:
         )
 
         # ProFTPD mod_copy (CVE-2015-3306) - file copy without auth
+        # Match FTP service with version 1.3.x (common ProFTPD versions)
         self.rules.append(
             ChainRule(
                 trigger_tool='nmap',
-                trigger_condition='version:ProFTPD 1.3',
+                trigger_condition='service:ftp & svc_version:1.3',
                 target_tool='msf_exploit',
                 priority=8,
                 args_template=['exploit/unix/ftp/proftpd_modcopy_exec'],
-                description='ProFTPD 1.3.x detected - checking for mod_copy RCE (CVE-2015-3306)',
+                description='FTP 1.3.x detected - checking for ProFTPD mod_copy RCE (CVE-2015-3306)',
                 category=CATEGORY_CTF
             )
         )
@@ -4160,6 +4313,40 @@ class ToolChaining:
                         if len(app_databases) > db_limit:
                             logger.info(f"SQLMap auto-chaining limited to first {db_limit} of {len(app_databases)} application databases")
 
+                # === Post-exploitation chain rules (is_dba, file_read, os_cmd) ===
+                # Check for post-exploitation flags and fire appropriate chain rules
+                is_dba = parse_results.get('is_dba', False)
+                file_read_success = parse_results.get('file_read_success', False)
+                os_command_success = parse_results.get('os_command_success', False)
+
+                if is_dba or file_read_success or os_command_success:
+                    from souleyez.log_config import get_logger
+                    logger = get_logger(__name__)
+
+                    # Build context with post-exploitation flags using injectable_url
+                    post_exploit_context = {
+                        'target': injectable_url,  # Use the correct injectable URL
+                        'tool': tool,
+                        'is_dba': is_dba,
+                        'file_read_success': file_read_success,
+                        'os_command_success': os_command_success,
+                        'post_data': post_data,  # Preserve POST data for subsequent commands
+                    }
+
+                    if is_dba:
+                        logger.info(f"SQLMap: DBA access confirmed! Evaluating post-exploitation chains...")
+                    if file_read_success:
+                        logger.info(f"SQLMap: File read successful! Evaluating file read chains...")
+                    if os_command_success:
+                        logger.info(f"SQLMap: OS command execution successful!")
+
+                    # Evaluate chain rules - this will fire rules like has:is_dba
+                    commands = self.evaluate_chains(tool, post_exploit_context)
+                    if commands:
+                        logger.info(f"SQLMap: Matched {len(commands)} post-exploitation chain rule(s)")
+                        job_ids.extend(self._enqueue_commands(commands, tool, engagement_id, injectable_url, parent_job_id=job.get('id')))
+                # === END Post-exploitation chain rules ===
+
                 return job_ids
             # === END SQLMap special handling ===
 
@@ -4877,6 +5064,28 @@ class ToolChaining:
                         if not endpoint_url:
                             continue
 
+                        # === Filter out non-injectable files ===
+                        path_lower = endpoint_url.lower()
+                        filename = path_lower.split('/')[-1] if '/' in path_lower else path_lower
+
+                        # Skip Apache/nginx config files
+                        if filename.startswith('.ht') or filename.startswith('.nginx'):
+                            logger.debug(f"Skipping config file: {endpoint_url}")
+                            continue
+
+                        # Skip static files that can't have SQL injection
+                        static_extensions = (
+                            '.html', '.htm', '.txt', '.css', '.js', '.json',
+                            '.xml', '.svg', '.png', '.jpg', '.jpeg', '.gif',
+                            '.ico', '.woff', '.woff2', '.ttf', '.eot',
+                            '.pdf', '.doc', '.docx', '.xls', '.xlsx',
+                            '.bak', '.old', '.backup', '.swp', '.orig',
+                            '.map', '.md', '.rst', '.log'
+                        )
+                        if any(filename.endswith(ext) for ext in static_extensions):
+                            logger.debug(f"Skipping static file: {endpoint_url}")
+                            continue
+
                         # === SQLMap for testable endpoints ===
                         if status_code in testable_statuses and created_sqlmap_jobs < max_sqlmap_jobs:
                             # For API endpoints without parameters, add test parameters
@@ -5635,18 +5844,25 @@ class ToolChaining:
                             # Auto mode: enqueue immediately
                             print(f"  🔗 Chaining {cmd['tool']} for {cmd_target}: {cmd['reason']}")
                             # enqueue_job will acquire _lock again (nested lock is safe - same thread)
-                            job_id = enqueue_job(
-                                tool=cmd['tool'],
-                                target=cmd_target,
-                                args=resolved_args,
-                                label=source_tool,
-                                engagement_id=engagement_id,
-                                parent_id=parent_job_id,
-                                reason=cmd.get('reason', f"Auto-chain from {source_tool}"),
-                                metadata=cmd.get('metadata'),  # Pass through deduplication metadata
-                                rule_id=cmd.get('rule_id')  # Pass rule ID for tracking
-                            )
-                            job_ids.append(job_id)
+                            try:
+                                job_id = enqueue_job(
+                                    tool=cmd['tool'],
+                                    target=cmd_target,
+                                    args=resolved_args,
+                                    label=source_tool,
+                                    engagement_id=engagement_id,
+                                    parent_id=parent_job_id,
+                                    reason=cmd.get('reason', f"Auto-chain from {source_tool}"),
+                                    metadata=cmd.get('metadata'),  # Pass through deduplication metadata
+                                    rule_id=cmd.get('rule_id')  # Pass rule ID for tracking
+                                )
+                                job_ids.append(job_id)
+                            except Exception as scope_err:
+                                # Handle scope violations gracefully - skip out-of-scope targets
+                                if 'ScopeViolationError' in type(scope_err).__name__ or 'out of scope' in str(scope_err).lower():
+                                    print(f"  ⚠️  Skipped (out of scope): {cmd_target}")
+                                else:
+                                    raise  # Re-raise unexpected errors
 
                 # Lock released here - next iteration gets fresh lock
 

{souleyez-2.17.0 → souleyez-2.28.0}/souleyez/detection/validator.py

@@ -156,8 +156,10 @@ class DetectionValidator:
         job_command = _reconstruct_command(job)
         # Use started_at or finished_at for execution time
         executed_at = job.get('started_at') or job.get('finished_at') or job.get('created_at')
-        # Job is successful if status is 'done'
-        success = job.get('status') == 'done'
+        # Job ran successfully if status is done, no_results, or warning
+        # (all of these sent network traffic that should be detectable by SIEM)
+        job_status = job.get('status', '')
+        success = job_status in ('done', 'no_results', 'warning')
 
         # Extract target IP from command (common patterns)
         target_ip = None

{souleyez-2.17.0 → souleyez-2.28.0}/souleyez/docs/README.md

@@ -1,7 +1,7 @@
 # SoulEyez Documentation
 
-**Version:** 2.17.0
-**Last Updated:** January 4, 2026
+**Version:** 2.28.0
+**Last Updated:** January 9, 2026
 **Organization:** CyberSoul Security
 
 Welcome to the SoulEyez documentation! This documentation covers architecture, development, user guides, and operational information for the SoulEyez penetration testing platform.