vulnclaw 0.1.0__tar.gz

Files changed (201) hide show
  1. vulnclaw-0.1.0/.gitignore +43 -0
  2. vulnclaw-0.1.0/LICENSE +21 -0
  3. vulnclaw-0.1.0/PKG-INFO +518 -0
  4. vulnclaw-0.1.0/README.md +478 -0
  5. vulnclaw-0.1.0/VulnClaw/345/274/200/345/217/221/351/234/200/346/261/202/346/226/207/346/241/243.md +958 -0
  6. vulnclaw-0.1.0/VulnClaw/346/224/271/350/277/233/350/267/257/347/272/277/345/233/276-CTF/344/270/216/344/273/243/347/240/201/345/256/241/350/256/241/350/203/275/345/212/233/345/242/236/345/274/272.md +851 -0
  7. vulnclaw-0.1.0/VulnClaw/346/265/213/350/257/225/346/212/245/345/221/212.md +97 -0
  8. vulnclaw-0.1.0/_fix.py +19 -0
  9. vulnclaw-0.1.0/pyproject.toml +68 -0
  10. vulnclaw-0.1.0/tests/__init__.py +0 -0
  11. vulnclaw-0.1.0/tests/test_agent.py +437 -0
  12. vulnclaw-0.1.0/tests/test_basic.py +59 -0
  13. vulnclaw-0.1.0/tests/test_cli.py +97 -0
  14. vulnclaw-0.1.0/tests/test_config.py +176 -0
  15. vulnclaw-0.1.0/tests/test_kb.py +234 -0
  16. vulnclaw-0.1.0/tests/test_mcp.py +219 -0
  17. vulnclaw-0.1.0/tests/test_report.py +220 -0
  18. vulnclaw-0.1.0/tests/test_skills.py +370 -0
  19. vulnclaw-0.1.0/tests/test_think_fix.py +103 -0
  20. vulnclaw-0.1.0/tests/test_think_fix_v2.py +109 -0
  21. vulnclaw-0.1.0/vulnclaw/__init__.py +4 -0
  22. vulnclaw-0.1.0/vulnclaw/agent/__init__.py +0 -0
  23. vulnclaw-0.1.0/vulnclaw/agent/context.py +205 -0
  24. vulnclaw-0.1.0/vulnclaw/agent/core.py +1527 -0
  25. vulnclaw-0.1.0/vulnclaw/agent/memory.py +79 -0
  26. vulnclaw-0.1.0/vulnclaw/agent/prompts.py +422 -0
  27. vulnclaw-0.1.0/vulnclaw/cli/__init__.py +0 -0
  28. vulnclaw-0.1.0/vulnclaw/cli/main.py +923 -0
  29. vulnclaw-0.1.0/vulnclaw/config/__init__.py +0 -0
  30. vulnclaw-0.1.0/vulnclaw/config/schema.py +284 -0
  31. vulnclaw-0.1.0/vulnclaw/config/settings.py +244 -0
  32. vulnclaw-0.1.0/vulnclaw/kb/__init__.py +0 -0
  33. vulnclaw-0.1.0/vulnclaw/kb/retriever.py +116 -0
  34. vulnclaw-0.1.0/vulnclaw/kb/store.py +162 -0
  35. vulnclaw-0.1.0/vulnclaw/kb/updater.py +150 -0
  36. vulnclaw-0.1.0/vulnclaw/mcp/__init__.py +0 -0
  37. vulnclaw-0.1.0/vulnclaw/mcp/lifecycle.py +456 -0
  38. vulnclaw-0.1.0/vulnclaw/mcp/registry.py +140 -0
  39. vulnclaw-0.1.0/vulnclaw/mcp/router.py +128 -0
  40. vulnclaw-0.1.0/vulnclaw/report/__init__.py +0 -0
  41. vulnclaw-0.1.0/vulnclaw/report/generator.py +337 -0
  42. vulnclaw-0.1.0/vulnclaw/report/poc_builder.py +164 -0
  43. vulnclaw-0.1.0/vulnclaw/skills/__init__.py +0 -0
  44. vulnclaw-0.1.0/vulnclaw/skills/core/exploitation.md +35 -0
  45. vulnclaw-0.1.0/vulnclaw/skills/core/pentest-flow.md +111 -0
  46. vulnclaw-0.1.0/vulnclaw/skills/core/post-exploitation.md +36 -0
  47. vulnclaw-0.1.0/vulnclaw/skills/core/recon.md +31 -0
  48. vulnclaw-0.1.0/vulnclaw/skills/core/reporting.md +40 -0
  49. vulnclaw-0.1.0/vulnclaw/skills/core/vuln-discovery.md +33 -0
  50. vulnclaw-0.1.0/vulnclaw/skills/core/waf-bypass.md +89 -0
  51. vulnclaw-0.1.0/vulnclaw/skills/crypto_tools.py +577 -0
  52. vulnclaw-0.1.0/vulnclaw/skills/dispatcher.py +128 -0
  53. vulnclaw-0.1.0/vulnclaw/skills/loader.py +219 -0
  54. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/SKILL.md +70 -0
  55. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/04-ai-and-mcp-security-integrated.md +9157 -0
  56. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/ai-app-security.md +2007 -0
  57. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/ai-baseline-security.md +1177 -0
  58. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/ai-data-security.md +1715 -0
  59. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/ai-identity-security.md +1272 -0
  60. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/ai-model-security.md +2651 -0
  61. vulnclaw-0.1.0/vulnclaw/skills/specialized/ai-mcp-security/references/gaarm-risk-matrix.md +158 -0
  62. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/SKILL.md +56 -0
  63. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-authorized-app-pentest-sop.md +167 -0
  64. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-dynamic-hooking-and-replay.md +55 -0
  65. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-external-url-runtime-first-workflow.md +229 -0
  66. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-native-signature-analysis.md +43 -0
  67. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-network-layer-testing-quick-reference.md +119 -0
  68. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-signature-reverse-template.md +115 -0
  69. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-signing-and-crypto-workflow.md +220 -0
  70. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-static-triage-and-callflow.md +48 -0
  71. vulnclaw-0.1.0/vulnclaw/skills/specialized/android-pentest/references/android-ui-driven-observation-and-packet-loop.md +207 -0
  72. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/SKILL.md +76 -0
  73. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/02-client-api-reverse-and-burp.md +285 -0
  74. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/MCP.md +1702 -0
  75. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-authorized-app-pentest-sop.md +167 -0
  76. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-dynamic-hooking-and-replay.md +55 -0
  77. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-external-url-runtime-first-workflow.md +229 -0
  78. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-native-signature-analysis.md +43 -0
  79. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-network-layer-testing-quick-reference.md +119 -0
  80. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-signature-reverse-template.md +115 -0
  81. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-signing-and-crypto-workflow.md +220 -0
  82. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-static-triage-and-callflow.md +48 -0
  83. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md +207 -0
  84. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-js-signing-workflow.md +186 -0
  85. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-locate-and-request-chain.md +58 -0
  86. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-recover-and-shell-reduction.md +49 -0
  87. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-request-chain-template.md +118 -0
  88. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-runtime-fit-and-risk.md +52 -0
  89. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/browser-validation-and-handoff.md +48 -0
  90. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/client-reverse-workflow.md +44 -0
  91. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/reporting-and-evidence.md +43 -0
  92. vulnclaw-0.1.0/vulnclaw/skills/specialized/client-reverse/references/tool-selection-map.md +47 -0
  93. vulnclaw-0.1.0/vulnclaw/skills/specialized/crypto-toolkit/SKILL.md +130 -0
  94. vulnclaw-0.1.0/vulnclaw/skills/specialized/crypto-toolkit/references/crypto-attacks-roadmap.md +75 -0
  95. vulnclaw-0.1.0/vulnclaw/skills/specialized/crypto-toolkit/references/crypto-attacks.md +133 -0
  96. vulnclaw-0.1.0/vulnclaw/skills/specialized/crypto-toolkit/references/encoding-cheatsheet.md +84 -0
  97. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/SKILL.md +44 -0
  98. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/aes-and-block-cipher-attacks.md +133 -0
  99. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/classic-cipher-attacks.md +139 -0
  100. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/ecc-attacks-cheatsheet.md +106 -0
  101. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/lattice-and-lwe-attacks.md +101 -0
  102. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/prng-and-stream-cipher-attacks.md +112 -0
  103. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-crypto/references/rsa-attacks-cheatsheet.md +148 -0
  104. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/SKILL.md +31 -0
  105. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/bash-jail-escape.md +102 -0
  106. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/ctfd-platform-guide.md +139 -0
  107. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/encoding-chain-reference.md +167 -0
  108. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/game-and-vm-reverse.md +161 -0
  109. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/linux-privesc-quick.md +151 -0
  110. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-misc/references/python-jail-escape.md +129 -0
  111. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/SKILL.md +169 -0
  112. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/command-injection-bypass.md +142 -0
  113. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/deserialization-playbook.md +150 -0
  114. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/eval-and-rce-techniques.md +126 -0
  115. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/file-upload-to-rce.md +120 -0
  116. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/php-bypass-cheatsheet.md +136 -0
  117. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/php-code-audit-checklist.md +153 -0
  118. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/source-code-extraction.md +113 -0
  119. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/ssti-injection-chains.md +120 -0
  120. vulnclaw-0.1.0/vulnclaw/skills/specialized/ctf-web/references/web-ctf-quick-reference.md +135 -0
  121. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/SKILL.md +69 -0
  122. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/06-intranet-and-host-operations-integrated.md +2315 -0
  123. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-pentest-playbook-openai.yaml +7 -0
  124. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-pentest-playbook-skill.md +51 -0
  125. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-01-lateral-movement.md +272 -0
  126. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-02-evasion-and-anti-detection.md +219 -0
  127. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-03-credential-theft.md +365 -0
  128. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-04-privilege-escalation.md +241 -0
  129. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-05-persistence.md +185 -0
  130. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-06-tunneling-and-proxy.md +205 -0
  131. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-07-information-gathering.md +268 -0
  132. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-08-active-directory-attacks.md +224 -0
  133. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-09-adcs-attacks.md +86 -0
  134. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-10-exchange-attacks.md +78 -0
  135. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-11-sharepoint-attacks.md +35 -0
  136. vulnclaw-0.1.0/vulnclaw/skills/specialized/intranet-pentest-advanced/references/intranet-playbook-index.md +14 -0
  137. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/SKILL.md +41 -0
  138. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/05-tools-and-operations-integrated.md +2245 -0
  139. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/pentest-tools-reference-openai.yaml +7 -0
  140. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/pentest-tools-reference-skill.md +53 -0
  141. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-01-encoding-decoding.md +157 -0
  142. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-02-reverse-shell.md +165 -0
  143. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-03-red-team-tools.md +24 -0
  144. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md +227 -0
  145. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-05-password-attacks.md +200 -0
  146. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-06-intranet-penetration.md +329 -0
  147. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-07-credential-theft.md +51 -0
  148. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-08-privilege-escalation.md +60 -0
  149. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-09-tunneling-and-proxy.md +38 -0
  150. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-10-system-commands.md +150 -0
  151. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-11-information-gathering.md +318 -0
  152. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-12-domain-penetration.md +21 -0
  153. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-13-web-penetration.md +264 -0
  154. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-14-windows-penetration.md +22 -0
  155. vulnclaw-0.1.0/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-index.md +17 -0
  156. vulnclaw-0.1.0/vulnclaw/skills/specialized/rapid-checklist/SKILL.md +72 -0
  157. vulnclaw-0.1.0/vulnclaw/skills/specialized/rapid-checklist/references/08-rapid-checklists-and-payloads.md +153 -0
  158. vulnclaw-0.1.0/vulnclaw/skills/specialized/rapid-checklist/references/payloads.md +960 -0
  159. vulnclaw-0.1.0/vulnclaw/skills/specialized/rapid-checklist/references/testing-methodology.md +589 -0
  160. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-pentest/SKILL.md +51 -0
  161. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md +6154 -0
  162. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-pentest/references/web-injection.md +906 -0
  163. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-pentest/references/web-logic-auth.md +582 -0
  164. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-pentest/references/web-modern-protocols.md +348 -0
  165. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/SKILL.md +85 -0
  166. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/03-web-security-integrated.md +6154 -0
  167. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-ai-attack-map.md +35 -0
  168. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-deployment-security.md +449 -0
  169. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-file-infra.md +632 -0
  170. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md +906 -0
  171. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-logic-auth.md +582 -0
  172. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-modern-protocols.md +348 -0
  173. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-01-clickjacking.md +39 -0
  174. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-02-supply-chain-attacks.md +54 -0
  175. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-03-cache-and-cdn-security.md +53 -0
  176. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-04-open-redirect.md +50 -0
  177. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-05-framework-vulnerabilities.md +291 -0
  178. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-06-request-smuggling.md +68 -0
  179. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-07-authentication-vulnerabilities.md +159 -0
  180. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-08-file-vulnerabilities.md +124 -0
  181. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-09-business-logic-vulnerabilities.md +85 -0
  182. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-10-prototype-pollution.md +55 -0
  183. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-11-cloud-security-vulnerabilities.md +70 -0
  184. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-12-ai-security.md +70 -0
  185. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-13-api-security.md +194 -0
  186. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-14-csrf-cross-site-request-forgery.md +134 -0
  187. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-15-jwt-security.md +72 -0
  188. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-16-lfi-rfi-file-inclusion.md +207 -0
  189. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-17-rce-remote-code-execution.md +195 -0
  190. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-18-sql-nosql-injection.md +278 -0
  191. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-19-ssrf-server-side-request-forgery.md +198 -0
  192. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-20-ssti-template-injection.md +166 -0
  193. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-21-websocket-security.md +54 -0
  194. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-22-xss-cross-site-scripting.md +197 -0
  195. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-23-xxe-entity-injection.md +139 -0
  196. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-24-php-regex-bypass.md +113 -0
  197. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-playbook-index.md +26 -0
  198. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-security-playbook-openai.yaml +7 -0
  199. vulnclaw-0.1.0/vulnclaw/skills/specialized/web-security-advanced/references/web-security-playbook-skill.md +62 -0
  200. vulnclaw-0.1.0/vulnclaw/warstories/2026-04-19_php-deserialization_regex-bypass.md +173 -0
  201. vulnclaw-0.1.0/vulnclaw/warstories/README.md +32 -0
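--- a/vulnclaw-0.1.0/.gitignore
+++ b/vulnclaw-0.1.0/.gitignore
@@ -0,0 +1,43 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+*.egg-info/
+dist/
+build/
+eggs/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+Desktop.ini
+
+# VulnClaw runtime
+.vulnclaw/
+.workbuddy/
+sessions/
+
+# Test / coverage
+.pytest_cache/
+htmlcov/
+.coverage
+
+# Temp files
+*.tmp
+*.bak
+_test_output*.txt
+_test_report_raw.txt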
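Review bot: The `# VulnClaw runtime` group ignores `.vulnclaw/`, `.workbuddy/` and `sessions/`, but not the output locations shown in the package's own README (`./reports/…`, `./pocs/…`, and a `session.json` passed to `vulnclaw report`), so engagement reports that name targets and findings could be committed by accident. If those paths are the defaults, which the README excerpt suggests but the code that writes them is not in this hunk, add `reports/`, `pocs/` and `session.json` under that group. `.env` is also missing from the file; it is worth adding if the API key can be supplied through an env file, which cannot be confirmed from what is visible here.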
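--- a/vulnclaw-0.1.0/LICENSE
+++ b/vulnclaw-0.1.0/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 UncleC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.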
@@ -0,0 +1,518 @@
1
+ Metadata-Version: 2.4
2
+ Name: vulnclaw
3
+ Version: 0.1.0
4
+ Summary: 🦞 AI-powered penetration testing CLI tool for cybersecurity professionals
5
+ Project-URL: Homepage, https://github.com/Unclecheng-li/VulnClaw
6
+ Project-URL: Repository, https://github.com/Unclecheng-li/VulnClaw
7
+ Project-URL: Issues, https://github.com/Unclecheng-li/VulnClaw/issues
8
+ Author-email: UncleC <iamloli@foxmail.com>
9
+ License: MIT
10
+ License-File: LICENSE
11
+ Keywords: ai,cli,mcp,pentest,red-team,security,vulnerability
12
+ Classifier: Development Status :: 3 - Alpha
13
+ Classifier: Intended Audience :: Information Technology
14
+ Classifier: License :: OSI Approved :: MIT License
15
+ Classifier: Programming Language :: Python :: 3
16
+ Classifier: Programming Language :: Python :: 3.10
17
+ Classifier: Programming Language :: Python :: 3.11
18
+ Classifier: Programming Language :: Python :: 3.12
19
+ Classifier: Programming Language :: Python :: 3.13
20
+ Classifier: Topic :: Security
21
+ Requires-Python: >=3.10
22
+ Requires-Dist: httpx>=0.27.0
23
+ Requires-Dist: jinja2>=3.1.0
24
+ Requires-Dist: mcp>=1.0.0
25
+ Requires-Dist: openai>=1.30.0
26
+ Requires-Dist: prompt-toolkit>=3.0.0
27
+ Requires-Dist: pydantic-settings>=2.0.0
28
+ Requires-Dist: pydantic>=2.0.0
29
+ Requires-Dist: pyyaml>=6.0
30
+ Requires-Dist: rich>=13.0.0
31
+ Requires-Dist: toml>=0.10.0
32
+ Requires-Dist: typer>=0.12.0
33
+ Provides-Extra: dev
34
+ Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
35
+ Requires-Dist: pytest>=8.0; extra == 'dev'
36
+ Requires-Dist: ruff>=0.4.0; extra == 'dev'
37
+ Provides-Extra: kb
38
+ Requires-Dist: chromadb>=0.4.0; extra == 'kb'
39
+ Description-Content-Type: text/markdown
40
+
41
+ <div align="center">
42
+
43
+ # VulnClaw 🦞
44
+
45
+ > *AI 驱动的渗透测试 CLI 工具 — 说人话,打漏洞。*
46
+
47
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
48
+ [![Python 3.10+](https://img.shields.io/badge/Python-3.10+-blue.svg)](https://www.python.org/)
49
+ [![OpenAI Compatible](https://img.shields.io/badge/API-OpenAI_Compatible-green)](https://platform.openai.com/)
50
+ [![MCP](https://img.shields.io/badge/Toolchain-MCP-orange)](https://modelcontextprotocol.io/)
51
+ [![PyPI](https://img.shields.io/badge/PyPI-v0.1.0-blueviolet)](https://pypi.org/project/vulnclaw/)
52
+ [![Security](https://img.shields.io/badge/Scope-Authorized_Only-red)](#-安全声明)
53
+ <br>
54
+
55
+ **不是脚本合集,是可运行的 AI 渗透测试 Agent。**
56
+
57
+ <br>
58
+
59
+ 基于 LLM Agent + MCP 工具链 + 渗透 Skill 编排,
60
+ 配合 OpenAI / MiniMax / DeepSeek 等兼容模型,
61
+ 自然语言输入 → 自动完成「信息收集 → 漏洞发现 → 漏洞利用 → 报告生成」全流程。
62
+
63
+ [快速开始](#快速开始) · [架构设计](#️-架构) · [Skill 体系](#-内置-skill) · [版本路线](#️-版本路线)
64
+
65
+ </div>
66
+
67
+ ---
68
+
69
+ ## 它能做什么
70
+
71
+ 输入自然语言,AI 自动执行渗透测试全流程:
72
+
73
+ ```
74
+ 用户输入:帮我对 http://target.example.com 进行渗透测试
75
+
76
+ VulnClaw 自动执行:
77
+ Round 1: 信息收集 → 指纹识别、端口扫描、目录枚举
78
+ Round 2: 漏洞发现 → 检测注入点、已知 CVE、配置缺陷
79
+ Round 3: 漏洞利用 → PoC 验证、权限获取
80
+ Round 4: 报告生成 → 结构化报告 + Python PoC 脚本
81
+ ```
82
+
83
+ <img width="1148" height="642" alt="image" src="https://github.com/user-attachments/assets/576e1cf6-25da-4969-864b-40e77d020dbf" />
84
+
85
+
86
+ 适用于已授权的渗透测试、CTF 竞赛、安全教学、红队演练等场景。
87
+
88
+ ---
89
+
90
+ ## 特性
91
+
92
+ - **自然语言驱动** — 用人话描述渗透意图,自动识别阶段和工具
93
+ - **8 个 LLM Provider** — OpenAI / MiniMax / DeepSeek / 智谱 / Moonshot / 千问 / SiliconFlow,一键切换
94
+ - **MCP 工具链** — 11 个安全 MCP 服务 + 23 个工具定义(fetch / Burp / Frida / Chrome DevTools / IDA Pro 等)
95
+ - **AI Agent 核心** — OpenAI 兼容协议 + Tool Calling + 自主渗透循环
96
+ - **19 个渗透 Skill** — 7 核心 + 12 专项 Skill(含 CTF Web/Crypto/Misc),含 131 个参考文档
97
+ - **编解码/加解密工具** — 29 种操作(Base64/Hex/URL/AES/JWT/Morse 等),LLM 可精确调用,不再靠猜测
98
+ - **Python 代码执行** — 内置 `python_execute` 工具,LLM 可写 Python 脚本精确构造 payload 和解析响应
99
+ - **持续性渗透测试** — 周期循环(默认 100 轮/周期 × 10 周期 = 1000 轮),每周期自动生成报告,直到手动终止
100
+ - **推理过程显示控制** — `think on/off` 一键切换 LLM 思考过程的显示/隐藏,默认关闭,干净输出只看结论
101
+ - **沙盒模式提示词** — 解锁 AI 安全测试能力,CTF / 授权渗透场景专用
102
+ - **自动报告 & PoC** — 生成结构化 Markdown 报告和可运行的 Python PoC 脚本
103
+ - **安全知识库** — 内置 CVE 数据库、WAF 绕过技巧、漏洞利用方法
104
+
105
+ ---
106
+
107
+ ## CTF 能力增强
108
+
109
+ 基于 NSSCTF 实战反馈(68 轮未解出入门题),系统性增强 CTF 解题能力:
110
+
111
+ - **Python 代码执行** — `python_execute` 工具,LLM 可写脚本精确构造 payload、解析响应差异
112
+ - **上下文记忆增强** — 失败历史保留(避免重复试错)、工具结果首尾保留(不再粗暴截断)、负面信息压缩保留
113
+ - **CTF 专项 Skill** — `ctf-web`(PHP 绕过/RCE/SSTI/反序列化) / `ctf-crypto`(RSA/AES/ECC/格攻击) / `ctf-misc`(PyJail/BashJail/编码链)
114
+ - **代码审计模式** — 系统提示注入「完整源码分析 → 路径选择 → 输出可见性 → Payload 构造」四步流程
115
+ - **反幻觉机制** — 严禁编造工具调用结果 + flag 验证跟踪
116
+ - **CTF 知识库** — 具体绕过值(如 PHP 弱比较 `0e` 值)、空格绕过 payload 模板、命令注入速查表
117
+
118
+ ---
119
+
120
+ ## 快速开始
121
+
122
+ ### 安装
123
+
124
+ ```bash
125
+ # 从 PyPI 安装(推荐)
126
+ pip install vulnclaw
127
+
128
+ # 从源码安装
129
+ git clone https://github.com/Unclecheng-li/VulnClaw.git
130
+ cd VulnClaw
131
+ pip install -e .
132
+ ```
133
+
134
+ ### 四步启动
135
+
136
+ ```bash
137
+ # 1. 选择提供商(自动填充 Base URL 和模型名)
138
+ vulnclaw config provider minimax (或 openai/deepseek/zhipu/moonshot/qwen/siliconflow)
139
+
140
+ # 1.2(可选)自定义 Base URL 或模型名
141
+ vulnclaw config set llm.base_url https://your-own-api.example.com/v1
142
+ vulnclaw config set llm.model your-model-name
143
+
144
+ # 2. 设置 API Key
145
+ vulnclaw config set llm.api_key sk-your-key-here
146
+
147
+ # 3. 元神启动!
148
+ vulnclaw
149
+ ```
150
+
151
+ ### 环境检查
152
+
153
+ ```bash
154
+ vulnclaw doctor
155
+ ```
156
+
157
+ 输出示例:
158
+
159
+ ```
160
+ 🦞 VulnClaw 环境检查
161
+
162
+ Python: 3.14.4
163
+ Node.js: v24.14.1
164
+ npx: 已安装
165
+ nmap: 已安装
166
+
167
+ LLM 配置:
168
+ Provider: openai
169
+ API Key: 已设置
170
+ Base URL: https://api.openai.com/v1
171
+ Model: gpt-4o
172
+
173
+ MCP 服务:
174
+ fetch: 已启用 [P0]
175
+ memory: 已启用 [P0]
176
+ ...
177
+
178
+ ✅ 环境就绪,运行 vulnclaw 开始
179
+ ```
180
+
181
+ ---
182
+
183
+ ## 使用方式
184
+
185
+ ### 方式一:REPL 交互模式(推荐)
186
+
187
+ ```bash
188
+ $ vulnclaw
189
+ ```
190
+
191
+ 进入 🦞 交互界面,用自然语言对话:
192
+
193
+ ```
194
+ 🦞 vulnclaw> 对 192.168.1.100 进行渗透测试,这是我授权的靶场
195
+
196
+ [*] 进入自主渗透模式,按 Ctrl+C 可随时中断
197
+ ── Round 1 ──
198
+ [+] 目标: 192.168.1.100
199
+ [+] 开放端口: 22, 80, 443, 8080
200
+ [+] Web 指纹: Apache/2.4.62
201
+ ── Round 2 ──
202
+ [+] 发现 /manager/html (Tomcat Manager)
203
+ [+] 命中 CVE-202X-XXXX: Apache Tomcat 认证绕过
204
+ ── Round 3 ──
205
+ [+] 漏洞验证成功
206
+
207
+ 🦞 192.168.1.100 | 报告> 生成渗透报告
208
+ [+] 报告已保存: ./reports/192.168.1.100_20260418.md
209
+ [+] PoC 脚本已保存: ./pocs/CVE-202X-XXXX.py
210
+ ```
211
+
212
+ #### REPL 内置命令
213
+
214
+ | 命令 | 说明 |
215
+ | --------------------- | ------------------------------------------ |
216
+ | `target <host>` | 设置渗透测试目标 |
217
+ | `status` | 查看当前状态(目标、阶段、工具、推理显示) |
218
+ | `tools` | 列出当前可用 MCP 工具 |
219
+ | `think` | 切换推理过程显示/隐藏 |
220
+ | `think on` / `off` | 精确控制推理过程显示 |
221
+ | `persistent` | 启动持续性渗透测试(100轮/周期,自动报告) |
222
+ | `persistent <host>` | 对指定目标启动持续性渗透 |
223
+ | `clear` | 清空当前会话 |
224
+ | `help` | 显示帮助信息 |
225
+ | `exit` / `quit` / `q` | 退出 VulnClaw |
226
+
227
+ #### 自主渗透模式
228
+
229
+ VulnClaw 检测到以下关键词 + 目标时,自动进入多轮自主渗透循环:
230
+
231
+ | 触发方式 | 示例 |
232
+ | -------- | ---- |
233
+ | 渗透指令 | `对 http://target.com 进行渗透测试` |
234
+ | CTF / 找 flag | `帮我对 http://ctf.site 找出flag` |
235
+ | 爆破 / 绕过 | `对 http://target.com 弱口令爆破` |
236
+ | **显式触发** | `目标:http://target.com,进入自主渗透模式` |
237
+
238
+ > 💡 输入 `Ctrl+C` 可随时中断自主循环。切换目标时自动重置会话上下文。
239
+
240
+ ### 方式二:单命令模式
241
+
242
+ ```bash
243
+ # 一键全流程渗透测试
244
+ vulnclaw run 192.168.1.100
245
+
246
+ # 持续性渗透测试(每周期100轮,最多10周期,自动生成报告)
247
+ vulnclaw persistent 192.168.1.100
248
+
249
+ # 自定义周期参数
250
+ vulnclaw persistent 192.168.1.100 --rounds 200 --cycles 5
251
+
252
+ # 仅信息收集
253
+ vulnclaw recon 192.168.1.100
254
+
255
+ # 漏洞扫描(可指定端口)
256
+ vulnclaw scan 192.168.1.100 --ports 80,443,8080
257
+
258
+ # 漏洞利用(可指定 CVE)
259
+ vulnclaw exploit 192.168.1.100 --cve CVE-2024-1234 --cmd id
260
+
261
+ # 生成报告
262
+ vulnclaw report session.json
263
+ ```
264
+
265
+ ### 方式三:持续性渗透模式
266
+
267
+ 适用于需要长时间深度渗透的场景。VulnClaw 以**周期循环**方式运行:
268
+
269
+ ```
270
+ ┌──────────────────────────────────────────────┐
271
+ │ Cycle 1 (100轮) → 自动报告 → 继续 │
272
+ │ Cycle 2 (100轮) → 自动报告 → 继续 │
273
+ │ Cycle 3 (100轮) → 自动报告 → 继续 │
274
+ │ ... │
275
+ │ 直到 Ctrl+C 或达到最大周期数(默认10) │
276
+ └──────────────────────────────────────────────┘
277
+ ```
278
+
279
+ **特点**:
280
+ - **跨周期状态保持** — 每个周期保留之前的所有发现、漏洞和步骤记录
281
+ - **周期报告** — 每个周期结束自动生成独立的 Markdown 报告(含新增漏洞和累计汇总)
282
+ - **灵活中断** — Ctrl+C 随时中断,中断时仍生成本周期报告
283
+ - **增量发现** — 报告区分"本周期新增"和"累计总计",清晰追踪进展
284
+ - **可配置** — 每周期轮数、最大周期数、是否自动报告均可配置
285
+
286
+ ```bash
287
+ # CLI 方式
288
+ vulnclaw persistent 192.168.1.100 # 默认 100轮/周期 × 10周期
289
+ vulnclaw persistent 192.168.1.100 -r 200 -c 5 # 200轮/周期 × 5周期
290
+ vulnclaw persistent 192.168.1.100 --no-report # 不自动生成报告
291
+
292
+ # REPL 方式
293
+ 🦞 vulnclaw> target 192.168.1.100
294
+ 🦞 vulnclaw> persistent
295
+ # 或直接
296
+ 🦞 vulnclaw> persistent 192.168.1.100
297
+ ```
298
+
299
+ ---
300
+
301
+ ## LLM 提供商配置
302
+
303
+ VulnClaw 支持所有 OpenAI 兼容协议的 API,内置 8 个提供商预设:
304
+
305
+ ```bash
306
+ vulnclaw config provider --list # 查看所有提供商
307
+ vulnclaw config provider minimax # 一键切换
308
+ ```
309
+
310
+ | 提供商 | 命令 | 默认模型 |
311
+ | ----------- | ---------------------- | ---------------- |
312
+ | OpenAI | `provider openai` | gpt-4o |
313
+ | MiniMax | `provider minimax` | MiniMax-M2.7 |
314
+ | DeepSeek | `provider deepseek` | deepseek-chat |
315
+ | 智谱 GLM | `provider zhipu` | glm-4-plus |
316
+ | Moonshot | `provider moonshot` | moonshot-v1-128k |
317
+ | 通义千问 | `provider qwen` | qwen-max |
318
+ | SiliconFlow | `provider siliconflow` | DeepSeek-V3 |
319
+ | 自定义 | `provider custom` | 手动填写 |
320
+
321
+ ---
322
+
323
+ ## 架构
324
+
325
+ ```
326
+ ┌─────────────────────────────────────────────┐
327
+ │ VulnClaw CLI │
328
+ │ ┌─────────┐ ┌─────────┐ ┌────────────┐ │
329
+ │ │ 自然语言 │ │ 任务编排 │ │ 报告 & PoC │ │
330
+ │ │ 交互层 │ │ 引擎 │ │ 生成器 │ │
331
+ │ └────┬────┘ └────┬────┘ └─────┬──────┘ │
332
+ │ └─────────────┼─────────────┘ │
333
+ │ ┌─────▼──────┐ │
334
+ │ │ LLM Agent │ │
335
+ │ │ (越狱+Skill)│ │
336
+ │ └─────┬──────┘ │
337
+ │ ┌─────▼──────┐ │
338
+ │ │ MCP 编排层 │ │
339
+ │ │ (11 服务) │ │
340
+ │ └─────┬──────┘ │
341
+ │ ┌─────▼──────┐ │
342
+ │ │ 安全知识库 │ │
343
+ │ └────────────┘ │
344
+ └─────────────────────────────────────────────┘
345
+ ```
346
+
347
+ ### 核心模块
348
+
349
+ | 模块 | 文件 | 说明 |
350
+ | -------------- | ------------------------------------------------ | --------------------------------------------- |
351
+ | **CLI 入口** | `cli/main.py` | Typer REPL + 9 个子命令(含 persistent) |
352
+ | **Agent 核心** | `agent/core.py` | OpenAI SDK + Tool Calling + 自主渗透循环 + 持续性渗透 + think 过滤 |
353
+ | **动态提示词** | `agent/prompts.py` | 基础身份 + 核心契约 + Skill + MCP 工具列表 |
354
+ | **会话状态** | `agent/context.py` | 阶段追踪 + 漏洞发现 + 步骤记录 |
355
+ | **MCP 编排** | `mcp/registry.py` + `lifecycle.py` + `router.py` | 服务注册 + 生命周期 + 自然语言→工具路由 |
356
+ | **Skill 调度** | `skills/loader.py` + `dispatcher.py` | 目录格式 Skill + 16 种意图动态调度 |
357
+ | **编解码工具** | `skills/crypto_tools.py` | 29 种编解码/加解密操作,注册为内置 Agent 工具 |
358
+ | **配置管理** | `config/schema.py` + `settings.py` | Pydantic 模型 + YAML 持久化 + 8 Provider 预设 |
359
+ | **报告生成** | `report/generator.py` + `poc_builder.py` | Markdown 报告 + Python PoC 模板 |
360
+ | **安全知识库** | `kb/store.py` + `retriever.py` | JSON 存储 + CVE/技术/工具检索 |
361
+
362
+ ---
363
+
364
+ ## MCP 工具链
365
+
366
+ | MCP 服务 | 工具数 | 用途 | 优先级 |
367
+ | ------------------- | ------ | ---------------------- | ------ |
368
+ | fetch | 1 | HTTP 请求、API 测试 | P0 |
369
+ | memory | 2 | 上下文记忆、状态持久化 | P0 |
370
+ | chrome-devtools | 4 | 浏览器自动化 | P0 |
371
+ | js-reverse | 2 | JS 逆向工程 | P0 |
372
+ | burp | 2 | HTTP 抓包、重放 | P0 |
373
+ | frida-mcp | 2 | 移动端 Hook | P1 |
374
+ | adb-mcp | 3 | 安卓设备控制 | P1 |
375
+ | jadx | 2 | APK 反编译 | P1 |
376
+ | ida-pro-mcp | 2 | 二进制逆向 | P1 |
377
+ | sequential-thinking | 1 | 复杂推理链 | P1 |
378
+ | context7 | 1 | 代码上下文检索 | P1 |
379
+ | everything-search | 1 | 本地文件搜索 | P2 |
380
+
381
+ > 共 11 个 MCP 服务、23 个工具定义。另有 3 个内置 Agent 工具(`load_skill_reference` + `crypto_decode` + `python_execute`),无需 MCP 即可调用。
382
+
383
+ ---
384
+
385
+ ## 内置 Skill
386
+
387
+ ### 核心 Skill (7)
388
+
389
+ | Skill | 说明 |
390
+ | ----------------- | ------------------ |
391
+ | pentest-flow | 渗透测试全流程编排 |
392
+ | recon | 信息收集流程 |
393
+ | vuln-discovery | 漏洞发现流程 |
394
+ | exploitation | 漏洞利用流程 |
395
+ | post-exploitation | 后渗透流程 |
396
+ | reporting | 报告生成流程 |
397
+ | waf-bypass | WAF 绕过技巧库 |
398
+
399
+ ### 专项 Skill (12)
400
+
401
+ | Skill | 参考文档数 | 说明 |
402
+ | ------------------------- | ---------- | -------------------------------------------- |
403
+ | web-pentest | 4 | Web 应用渗透 |
404
+ | android-pentest | 9 | 安卓应用渗透 |
405
+ | client-reverse | 20 | 客户端逆向分析 |
406
+ | web-security-advanced | 33 | Web 安全进阶(注入、绕过、利用链) |
407
+ | ai-mcp-security | 7 | AI/MCP 安全测试 |
408
+ | intranet-pentest-advanced | 15 | 内网渗透进阶 |
409
+ | pentest-tools | 18 | 渗透工具速查 |
410
+ | rapid-checklist | 3 | 快速检查清单 |
411
+ | crypto-toolkit | 3 | 编解码/加解密(29 种操作,注册为内置工具) |
412
+ | **ctf-web** | 8 | 🆕 CTF Web 攻击知识库(PHP绕过/RCE/SSTI/反序列化) |
413
+ | **ctf-crypto** | 6 | 🆕 CTF 密码学攻击知识库(RSA/AES/ECC/PRNG/格攻击) |
414
+ | **ctf-misc** | 6 | 🆕 CTF 杂项知识库(PyJail/BashJail/编码链/VM逆向) |
415
+
416
+ Skill 会根据用户输入自动调度,无需手动选择。专项 Skill 含 `references/` 目录下的详细方法论文档,LLM 可通过 `load_skill_reference` 工具按需加载。
417
+
418
+ ### 内置编解码/加解密工具 (crypto_decode)
419
+
420
+ `crypto_decode` 注册为 Agent 内置工具,LLM 在任何上下文中均可调用,不再靠猜测解码结果:
421
+
422
+ | 类别 | 操作 |
423
+ | -------- | ---------------------------------------------------------------------------------------- |
424
+ | 编解码 | base64, base32, base58, hex, url, html, unicode, rot13, caesar, morse(各有 encode/decode) |
425
+ | 哈希 | md5, sha1, sha256, sha512 |
426
+ | 加解密 | aes_encrypt, aes_decrypt(CBC 模式,PKCS7 填充) |
427
+ | JWT | jwt_decode, jwt_encode |
428
+ | 自动识别 | auto_decode — 尝试所有常见编码,返回匹配结果 |
429
+
430
+ ---
431
+
432
+ ## 配置管理
433
+
434
+ ### 命令行配置
435
+
436
+ ```bash
437
+ vulnclaw config list # 查看所有配置
438
+ vulnclaw config get llm.model # 查看单项
439
+ vulnclaw config set llm.api_key sk-xx # 设置 API Key
440
+ vulnclaw config set session.max_rounds 30 # 设置自主渗透最大轮数(默认 15)
441
+ vulnclaw config set session.stale_rounds_threshold 8 # 设置死循环检测阈值(默认 5)
442
+ vulnclaw config set session.show_thinking false # 隐藏推理过程(也可在 REPL 中用 think off)
443
+ ```
444
+
445
+ ### 可配置项
446
+
447
+ | 配置项 | 默认值 | 说明 |
448
+ | ------------------------ | ------ | ---------------------------------------- |
449
+ | `llm.provider` | openai | LLM 提供商(8 个内置 + custom) |
450
+ | `llm.api_key` | 空 | API Key |
451
+ | `llm.base_url` | 按 provider | API 基础 URL,可自定义 |
452
+ | `llm.model` | 按 provider | 模型名称,可自定义 |
453
+ | `llm.temperature` | 0.1 | 采样温度 |
454
+ | `llm.max_tokens` | 4096 | 单次最大输出 token |
455
+ | `session.max_rounds` | 15 | 自主渗透循环最大轮数(建议 10-50) |
456
+ | `session.output_dir` | ./vulnclaw-output | 报告输出目录 |
457
+ | `session.report_format` | markdown | 报告格式(markdown / html) |
458
+ | `session.poc_language` | python | PoC 生成语言(python / bash) |
459
+ | `session.show_thinking` | false | 显示 LLM 推理过程(think 标签内容,默认关闭) |
460
+ | `session.persistent_rounds_per_cycle` | 100 | 持续性渗透每周期轮数 |
461
+ | `session.persistent_max_cycles` | 10 | 持续性渗透最大周期数(0=无限) |
462
+ | `session.persistent_auto_report` | true | 持续性渗透每周期自动生成报告 |
463
+ | `session.stale_rounds_threshold` | 5 | 死循环检测阈值 — 连续无新发现轮数达到此值时触发强制策略切换 |
464
+
465
+ ### 环境变量
466
+
467
+ | 变量 | 说明 |
468
+ | ----------------------------- | ---------------------- |
469
+ | `VULNCLAW_LLM_PROVIDER` | LLM 提供商名称 |
470
+ | `VULNCLAW_LLM_API_KEY` | API Key |
471
+ | `VULNCLAW_LLM_BASE_URL` | API 基础 URL |
472
+ | `VULNCLAW_LLM_MODEL` | 模型名称 |
473
+ | `VULNCLAW_SESSION__MAX_ROUNDS`| 自主渗透最大轮数 |
474
+ | `VULNCLAW_SESSION__STALE_ROUNDS_THRESHOLD` | 死循环检测阈值 |
475
+
476
+ 优先级:**环境变量 > 配置文件 > 内置默认值**
477
+
478
+ 配置文件位于 `~/.vulnclaw/config.yaml`。
479
+
480
+ ---
481
+
482
+ ## 版本路线
483
+
484
+ | 版本 | 目标 | 状态 |
485
+ | -------- | ------------------------------------------------------- | ---------- |
486
+ | v0.1 MVP | CLI + LLM Agent + 基础 MCP + Skill + 报告 + 多 Provider | ✅ 当前 |
487
+ | v0.1.1 | `python_execute` + 上下文压缩 + 代码审计策略 + 反幻觉 | ✅ 已完成 |
488
+ | v0.1.2 | 3 个 CTF 专项 Skill + 3 个现有 Skill 更新 + 触发词扩展 | ✅ 已完成 |
489
+ | v0.2 | 移动端能力(Frida / ADB / JADX)+ LLM 调用优化 | 🔜 Skill ✅ |
490
+ | v0.3 | 逆向能力(IDA Pro)— Skill 已就绪 | 📋 Skill ✅ |
491
+ | v0.4 | 知识库增强(ChromaDB 向量检索 + 语义 Skill 调度) | 📋 |
492
+ | v1.0 | 正式发布(PyPI + 文档 + CI/CD) | 📋 |
493
+
494
+ ---
495
+
496
+ ## 安全声明
497
+
498
+ VulnClaw 仅用于**已授权的安全测试**。使用本工具前,请确保:
499
+
500
+ 1. 你已获得目标系统的**明确授权**
501
+ 2. 测试范围已与目标所有者**书面确认**
502
+ 3. 你遵守当地**法律法规**
503
+
504
+ 未经授权对系统进行渗透测试是违法行为。本工具作者不对滥用行为承担责任。
505
+
506
+ ---
507
+
508
+ ## 许可证
509
+
510
+ [MIT License](LICENSE)
511
+
512
+ ---
513
+
514
+ <div align="center">
515
+
516
+ > 🦞 **VulnClaw** — 让每一次渗透都有章可循。
517
+
518
+ </div>