m46-coder/exploit-foundry

GitHub: m46-coder/exploit-foundry

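An automated purple-team hacking framework that orchestrates reconnaissance tools and attack scripts to automate the full workflow, from target discovery through exploitation to report generation.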


# 🔥 The Exploit Foundry

[![Python](https://img.shields.io/badge/python-3.12-blue?logo=python&logoColor=white)](https://www.python.org/) [![Tests](https://img.shields.io/badge/tests-passing-brightgreen)](https://github.com/m46-coder/exploit-foundry) [![Coverage](https://img.shields.io/badge/coverage-61%25-yellow)](https://github.com/m46-coder/exploit-foundry)

## Development Setup

```
python3 -m pip install -e .
python3 -m pip install pytest pytest-cov
pytest
pytest --cov=arsenal --cov-report=html
```

## Automated, Intelligent Purple-Team Hacking Framework

## 🎯 What Is This?

**The Exploit Foundry** is more than a folder structure. It is an **automation framework** that:

1. Takes a target (IP or domain) that you have **permission** to test
2. Runs **intelligent reconnaissance** to discover the attack surface
3. **Matches** findings against known attack patterns
4. **Executes** prioritized exploits, automatically or after approval
5. **Documents** every finding with a severity rating
6. **Generates** professional reports (technical report + executive summary)

You provide the **permission**. The Foundry provides the **capability**.

## ⚖️ Legal & Ethics

```
┌─────────────────────────────────────────────────────────────────┐
│  ⚠️  YOU MUST HAVE WRITTEN PERMISSION TO TEST ANY TARGET        │
│                                                                 │
│  • Your own systems?                          ✅ Yes            │
│  • Systems you have written authorization for? ✅ Yes           │
│  • Bug bounty programs within scope?          ✅ Yes            │
│  • Random systems on the internet?            ❌ NO (illegal)   │
│  • Employer systems without permission?       ❌ NO (fireable)  │
└─────────────────────────────────────────────────────────────────┘
```

**Every engagement folder contains `01_permission.email.eml`, the proof of authorization. No permission = no testing.**

## 📁 Structure

```
The-Exploit-Foundry/
│
├── arsenal/                      # The engine
│   ├── recon/                    # Scanner scripts
│   ├── exploitation/
│   │   ├── rules/                # Match recon → attacks (includes SSH brute force)
│   │   ├── executors/            # Run the attacks (SSH brute force, WordPress exploit, SQLi, XSS, file upload, Joomla, etc.)
│   │   └── orchestrator.py       # Main controller
│   ├── post-exploitation/        # After initial access
│   └── reporting/                # Report generator
│
├── engagements/                  # YOUR tests live here
│   ├── template/                 # Copy this for new targets
│   │   ├── config.json           # {{target_ip}}, {{target_domain}}
│   │   ├── recon/                # AUTO-POPULATED from scans
│   │   ├── attack-plan/          # GENERATED from recon
│   │   ├── exploits/             # AUTO-UPDATED during execution
│   │   ├── findings/             # AUTO-POPULATED by severity
│   │   ├── logs/                 # Everything captured
│   │   └── report/               # GENERATED at end
│   │
│   └── 2025-04-08_target-name/   # YOUR actual engagement
│
├── wordlists/                    # Password lists, directories, etc.
├── payloads/                     # Reverse shells, bind shells
└── README.md                     # This file
```

---

## 🕷️ Web Exploitation Arsenal

The framework includes comprehensive web vulnerability detection and exploitation:

### 🔍 **Reconnaissance & Detection**

- **Technology Fingerprinting**: Detects WordPress, Joomla, Drupal, Laravel, Django, Java, .NET, PHP, and more
- **Directory Brute Forcing**: Uses `gobuster` for efficient directory enumeration
- **CMS Version Detection**: Identifies vulnerable versions of popular CMS platforms

### 💥 **Vulnerability Scanners**

- **SQL Injection**: Automated testing with `sqlmap` integration
- **Cross-Site Scripting (XSS)**: Reflected and stored XSS detection
- **File Upload Vulnerabilities**: Tests for unrestricted uploads and remote code execution
- **WordPress Exploitation**: Full `wpscan` integration with plugin/theme scanning
- **Joomla Exploitation**: Version detection, component vulnerabilities, and admin exposure
- **SMB Vulnerabilities**: EternalBlue, anonymous access, and misconfigurations
- **RDP Security**: BlueKeep detection, NLA checking, and weak configurations
- **VNC Vulnerabilities**: Authentication bypass and weak password detection
- **Database Attacks**: MongoDB, Redis, and Elasticsearch unauthorized access
- **Web Attacks**: CSRF, command injection, XXE, SSRF, directory traversal, deserialization
- **Backup File Detection**: Finds exposed configuration and source code backups

### 🎯 **Attack Execution**

- **Intelligent Rule Matching**: Automatically matches recon findings to appropriate exploits
- **Prioritized Execution**: Runs attacks based on severity and success probability
- **Safe Exploitation**: Includes timeouts, error handling, and scope validation
- **Evidence Collection**: Captures all findings with detailed technical evidence

---

## 🚀 Quick Start

### Option 1: Web UI (Easiest - Recommended)

**Modern web-based interface for the complete framework experience.**

```bash
# Install web dependencies
pip3 install flask

# Start the web interface
python web_ui_launcher.py

# Open your browser to: http://localhost:5000
```

**Features:**

- 📊 **Dashboard**: Statistics and engagement overview
- 🎯 **Engagement Management**: Create and manage assessment engagements
- 🔍 **Interactive Scanning**: Run reconnaissance and exploitation with real-time progress
- 📋 **Report Generation**: Generate comprehensive reports
- 🛡️ **Safety First**: Permission validation and approval workflow

### Option 2: Native Installation (Recommended for Kali Linux)

```
# Clone the repository
git clone https://github.com/yourname/the-exploit-foundry.git
cd the-exploit-foundry

# Install Python dependencies (minimal - most tools are system packages)
pip3 install -r requirements.txt

# Make orchestrator executable
chmod +x arsenal/orchestrator.py

# Verify installation
./arsenal/orchestrator.py --help
```

**System requirements:** The framework uses the following external tools (preinstalled on Kali Linux):

- Reconnaissance: `nmap`, `whatweb`, `gobuster`, `dirb`, `nikto`
- Exploitation: `sqlmap`, `wpscan`, `hydra`, `medusa`
- Utilities: `jq`, `tree`, `curl`, `wget`

To install on Ubuntu/Debian: `sudo apt install nmap whatweb gobuster dirb nikto sqlmap wpscan hydra medusa jq tree`

### Option 3: Docker (Recommended for Other Systems)

**Prerequisites:** Docker and Docker Compose installed

```
# Build the image (one-time setup)
docker build -t exploit-foundry:latest .

# Run a quick test
docker run --rm -it \
  -v "$(pwd)/engagements:/app/engagements" \
  --network host \
  exploit-foundry:latest --help

# Start your first engagement
docker run --rm -it \
  -v "$(pwd)/engagements:/app/engagements" \
  --network host \
  exploit-foundry:latest --new --target 192.168.1.100 --name "my-first-test"
```

**Using Docker Compose (easiest):**

```
# Set API keys in environment (optional)
export SHODAN_API_KEY="your_key_here"
export VIRUSTOTAL_API_KEY="your_key_here"

# Run with docker-compose
docker-compose run --rm exploit-foundry --new --target 10.0.0.1 --name "docker-engagement"
```

📖 **For the full Docker documentation, see [docker-usage.md](docker-usage.md).**

### Start Your First Engagement

```
cd The-Exploit-Foundry

# Run against a target you OWN or have PERMISSION for
./arsenal/orchestrator.py --new --target 192.168.1.100 --name "internal-server"

# Or with a domain
./arsenal/orchestrator.py --new --target blog.example.com --name "wordpress-audit"
```

### What Happens Automatically

| Phase | Action |
|-------|--------|
| **Setup** | Creates `engagements/YYYY-MM-DD_name/` from the template |
| **Recon** | Runs nmap, whatweb, gobuster, subfinder → populates `recon/` |
| **Planning** | Matches findings against rules → generates `attack-plan/` |
| **Execution** | Runs exploits in priority order → populates `exploits/` |
| **Findings** | Successful exploits → automatically sorted into `findings/[severity]/` |
| **Reporting** | Generates `report/technical-report.md` and `executive-summary.md` |

## 📝 Manual Engagements (If You Prefer)

Not everything can be automated. For manual testing:

```
# Copy template
cp -r engagements/template engagements/2025-04-08_manual-test/

# Edit config.json with your target
vim engagements/2025-04-08_manual-test/config.json

# Run recon manually
nmap -sV -oA engagements/2025-04-08_manual-test/recon/nmap "$TARGET"

# Document findings in the appropriate severity folder
vim engagements/2025-04-08_manual-test/findings/critical/01_sql-injection.md

# Generate report
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_manual-test/
```

## 🎮 Example: Full Automated Run

```
$ ./arsenal/orchestrator.py --new --target blog.example.com --name "client-wp"

🚀 The Exploit Foundry - Starting new engagement
📁 Created: engagements/2025-04-08_client-wp/

🔍 Running reconnaissance...
   ✓ nmap - 2 open ports (80, 443)
   ✓ whatweb - WordPress 5.8, nginx 1.18, PHP 7.4
   ✓ gobuster - Found 12 directories
   ✓ subfinder - Found 3 subdomains

📊 Tech stack: WordPress 5.8 on nginx/PHP 7.4

🎯 Generating attack plan...
   ✓ WordPress 5.8 → CVE-2021-29447 (XML-RPC)
   ✓ /backup.zip exposed → potential credentials
   ✓ wp-admin accessible → brute force possible

⚔️ Executing attacks...
   [1/3] /backup.zip...
         ✓ Downloaded
         ✓ Credentials found in wp-config.php
         📍 CRITICAL finding saved
   [2/3] XML-RPC exploitation...
         ✓ User enumeration successful
         📍 MEDIUM finding saved
   [3/3] Brute force (optional, requires approval)...
         ⊘ Skipped (requires --aggressive flag)

📝 Generating report...
   ✓ 1 CRITICAL, 0 HIGH, 1 MEDIUM, 0 LOW
   ✓ Report: engagements/2025-04-08_client-wp/report/

✅ Complete!
```

## 📊 Engagement Folder (Populated Example)

```
engagements/2025-04-08_client-wp/
│
├── config.json
│   └── {"target_ip": "192.168.1.100", "target_domain": "blog.example.com"}
│
├── recon/
│   ├── ports.json              # {80, 443, 22}
│   ├── services.json           # {80: "nginx", 443: "WordPress 5.8"}
│   ├── directories.json        # {"/wp-admin": 200, "/backup.zip": 200}
│   └── tech-stack.json         # {"cms": "WordPress", "version": "5.8"}
│
├── attack-plan/
│   ├── possible-attacks.json   # 3 attacks identified
│   └── priority.md             # Ordered by severity/confidence
│
├── exploits/
│   ├── completed/
│   │   └── backup-creds.txt    # Successful exploit output
│   └── failed/
│       └── sqli-attempt.log    # Tried, didn't work
│
├── findings/
│   ├── critical/
│   │   └── 01_backup-credentials.md
│   └── medium/
│       └── 02_user-enumeration.md
│
├── logs/
│   ├── scan.log
│   ├── attack.log
│   └── timeline.json
│
└── report/
    ├── executive-summary.md    # For non-technical stakeholders
    ├── technical-report.md     # Full details with evidence
    └── findings.csv            # Spreadsheet of all findings
```

## 🛠️ Adding Your Own Rules and Exploits

### Adding a Detection Rule

Create `arsenal/exploitation/rules/my-rule.json`:

```
{
  "name": "Custom MySQL Detection",
  "condition": {
    "ports": [3306],
    "service": "mysql"
  },
  "attack": "try-mysql-default-creds",
  "severity": "high",
  "confidence": 0.8
}
```

### Adding a Custom Exploit Executor

Create `arsenal/exploitation/executors/my-exploit.py`:

```
#!/usr/bin/env python3
# Must accept --target and --output arguments
import argparse


def run_attack(target):
    # Placeholder: replace with your own logic; must return a string
    raise NotImplementedError("implement run_attack()")


def exploit(target, output_path):
    # Your exploit logic here
    result = run_attack(target)
    with open(output_path, 'w') as f:
        f.write(result)
    return {"success": True, "finding": "Critical SQL injection"}


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--output", required=True)
    args = parser.parse_args()
    exploit(args.target, args.output)
```

## 🔧 Requirements

| Tool | Purpose | Installation |
|------|---------|--------------|
| Python 3.8+ | Orchestrator | `apt install python3` |
| nmap | Port scanning | `apt install nmap` |
| whatweb | Web tech detection | `gem install whatweb` |
| gobuster | Directory brute force | `apt install gobuster` |
| subfinder | Subdomain discovery | `go install` |
| wpscan | WordPress scanning | `gem install wpscan` |
| nuclei | CVE scanning | `go install` |

Optional but recommended:

- Metasploit
- Burp Suite (manual testing)
- SQLmap
- Hydra / John / Hashcat

## 📋 Environment Variables

Create `.env` in the root directory:

```
# Report metadata (optional)
REPORT_NAME="Your Name"
REPORT_COMPANY="Your Company"

# API keys (for threat intel)
SECURITYTRAILS_API_KEY="your-key"
VIRUSTOTAL_API_KEY="your-key"
SHODAN_API_KEY="your-key"

# Aggressive mode (auto-executes all attacks)
AGGRESSIVE_MODE=false
```

## 🧠 Philosophy

| Principle | Explanation |
|-----------|-------------|
| **Permission First** | Never test any target without written authorization |
| **Automate the Boring** | Scanning, enumeration, and report generation are automated |
| **You Decide the Attack** | The framework suggests, you approve (or auto-execute with a flag) |
| **Evidence Always** | Every finding has evidence (screenshots, output, logs) |
| **Severity Matters** | Findings are automatically classified by CVSS |
| **Report Ready** | The final report is generated, not written from scratch |

## 📋 Command Reference

```
# New automated engagement
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME

# New engagement with aggressive auto-attack
./arsenal/orchestrator.py --new --target IP_OR_DOMAIN --name NAME --aggressive

# Resume existing engagement
./arsenal/orchestrator.py --resume engagements/2025-04-08_name/

# Run only recon (no attacks)
./arsenal/orchestrator.py --recon-only --target IP_OR_DOMAIN --name NAME

# Generate report only
./arsenal/reporting/generate_report.py --engagement engagements/2025-04-08_name/

# List all engagements
./arsenal/orchestrator.py --list

# Validate permission email exists
./arsenal/orchestrator.py --check-permission engagements/2025-04-08_name/

# Run exploits on existing engagement
./arsenal/orchestrator.py --exploit engagements/2025-04-08_name/ --auto-approve
```

## 🚫 What This Is Not

| Not | Because |
|-----|---------|
| **A replacement for manual testing** | Automation misses business logic flaws |
| **A one-click weapon** | You need permission and a target |
| **Undetectable** | Scans are noisy; do not use without authorization |
| **A vulnerability scanner** | It is an exploitation framework, not just a scanner |
| **Plug and play** | You need to install the tools and configure rules |

## 🤝 Contributing

To add rules, executors, or scanning modules:

1. Fork the repository
2. Add your rule in `arsenal/exploitation/rules/`
3. Add your executor in `arsenal/exploitation/executors/`
4. Submit a PR with example output

## 📄 License

**For educational and authorized testing use only.** Unauthorized use against systems you do not own or do not have explicit permission to test is **illegal**. The author accepts no liability for misuse.

## ⭐ Closing

**The Exploit Foundry** is a framework that grows with you.

- Start with manual testing → learn the phases
- Add your own rules → customize detection
- Write custom executors → automate the attacks you prefer
- Build your arsenal → become faster, more thorough, more professional

**Happy (authorized) hacking.** 🔥
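
A pre-flight gate in the spirit of the `01_permission.email.eml` rule and the `--check-permission` command described above. This is an added example, not code from the repository: the README does not show how the check works, so `check_engagement`, `named_in`, and the policy that the e-mail body must name every target in `config.json` are assumptions, and the sample folder is constructed.

```python
import json
import re
import tempfile
from email import message_from_bytes, policy
from pathlib import Path

PERMISSION_FILE = "01_permission.email.eml"  # file name given in the README


def named_in(target, text):
    """Whole-token match: 10.0.0.1 must not match 10.0.0.10 or dev.10.0.0.1."""
    pattern = r"(?<![\w.-])" + re.escape(target.lower()) + r"(?![\w-]|\.\w)"
    return re.search(pattern, text.lower()) is not None


def check_engagement(engagement_dir):
    """Return a list of problems; an empty list means the gate passes."""
    root = Path(engagement_dir)
    try:
        config = json.loads((root / "config.json").read_text())
    except (OSError, ValueError) as exc:
        return [f"config.json unreadable: {exc}"]
    targets = [str(config[k]) for k in ("target_ip", "target_domain") if config.get(k)]
    # The template ships with {{target_ip}} / {{target_domain}} placeholders.
    if not targets or any("{{" in t for t in targets):
        return ["config.json has missing or unfilled targets"]
    eml = root / PERMISSION_FILE
    if not eml.is_file() or eml.stat().st_size == 0:
        return [f"{PERMISSION_FILE} is missing or empty"]
    msg = message_from_bytes(eml.read_bytes(), policy=policy.default)
    # Assumed policy (not from the README): the body must name every target.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    return [f"target {t} not named in permission e-mail"
            for t in targets if not named_in(t, body)]


def demo(mail_body):
    """Build a constructed engagement folder and run the gate on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.json").write_text(json.dumps(
            {"target_ip": "192.168.1.100", "target_domain": "blog.example.com"}))
        if mail_body is not None:
            (root / PERMISSION_FILE).write_text(
                "From: owner@example.com\nDate: Tue, 08 Apr 2025 09:00:00 +0000\n"
                "Subject: Test authorization\n\n" + mail_body + "\n")
        return check_engagement(root)
```

Passing this gate shows only that the paperwork names the configured targets; whether the sender is actually entitled to grant authorization still has to be confirmed by a person.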