codedbyelif/kimse-bas

GitHub: codedbyelif/kimse-bas

A web security stress-testing toolkit that integrates HTTP load testing, proxy-rotating flooding, login automation, and vulnerability scanning.

Stars: 1 | Forks: 0

# kimse-bas

Combines a high-concurrency HTTP benchmarking engine, a proxy-rotating flood tool, Playwright-based login automation, authenticated link checking, and Wapiti-based vulnerability scanning — all maintained by [@codedbyelif](https://github.com/codedbyelif).

The core stress engine (`stress`) is forked from [link1st/go-stress-testing](https://github.com/link1st/go-stress-testing) and extended with a custom proxy flood tool (`proxy_flood`) written from scratch: HTTP + SOCKS5 proxy rotation, randomized user agents, and real-time per-second statistics.

## Table of Contents

- [Repository Structure](#repository-structure)
- [Requirements](#requirements)
- [Tools](#tools)
  - [stress — Direct HTTP Stress Tester](#stress--direct-http-stress-tester)
  - [proxy\_flood — Proxy-Rotating Flood Tool](#proxy_flood--proxy-rotating-flood-tool)
  - [login.py — Playwright Login Automation](#loginpy--playwright-login-automation)
  - [brute\_test.py — Login Brute Force Tester](#brute_testpy--login-brute-force-tester)
  - [wapiti — Vulnerability Scanner](#wapiti--vulnerability-scanner)
  - [mubeng — Proxy Rotator](#mubeng--proxy-rotator)
  - [k6 — Load Testing Engine](#k6--load-testing-engine)
  - [els — CVE Exploit Scripts](#els--cve-exploit-scripts)
- [Proxy Lists](#proxy-lists)
- [Benchmarks](#benchmarks)
- [HTTP Status Codes Reference](#http-status-codes-reference)
- [Alternatives](#alternatives)
- [License](#license)
- [Author](#author)
- [Turkish Usage Guide](#türkçe-kullanım-kılavuzu)

## Repository Structure

```
kimse-bas/
├── kimse-ba$/
│   ├── main.go             # Core HTTP stress testing engine (forked + extended)
│   ├── proxy_flood.go      # Custom proxy-rotating flood tool (written by codedbyelif)
│   ├── cmd/tui/main.go     # TUI entry point
│   ├── server/             # HTTP/gRPC client, statistics, and verify logic
│   ├── model/              # Request and curl model definitions
│   ├── helper/             # Request utility helpers
│   ├── proto/              # gRPC protobuf definitions and generated bindings
│   ├── tools/              # Sorting utilities for statistics output
│   ├── tests/              # Integration test stubs (gRPC + HTTP servers)
│   ├── curl/               # Sample curl test fixtures
│   ├── proxies.txt         # Raw HTTP proxy list
│   ├── proxies_all.txt     # Combined HTTP + SOCKS5 live-tested proxies
│   ├── proxies_live.txt    # Filtered live proxies only
│   ├── Dockerfile          # Docker build for kimse-ba
│   ├── build.sh            # Build script
│   ├── KULLANIM.md         # Turkish usage guide
│   └── go.mod / go.sum     # Go module dependencies
├── login.py                # Playwright login automation + authenticated LinkChecker
├── brute_test.py           # Login brute force test script
├── stress-test.js          # k6 load test script
├── k6/                     # Full k6 load testing engine source
├── mubeng/                 # Mubeng proxy rotator source
├── wapiti/                 # Wapiti vulnerability scanner source
├── proxies.txt             # Root-level raw proxy list (latest fetch)
├── proxy-alive.txt         # Live-tested proxies
├── proxy-dead.txt          # Dead proxies removed from rotation
├── proxy-list-raw.txt      # Unfiltered raw proxy dump
├── proxy-list/             # Categorized proxy list directory with status tracking
└── els/
    ├── Burst Statistics/
    │   └── CVE.py          # CVE-2026-8181: Burst Statistics auth bypass to admin takeover
    ├── CVE-6433.py/
    │   ├── CVE-6433.py     # CVE-2026-6433: FlipperCode plugin SQLi to RCE
    │   ├── es.txt          # PHP webshell payload (file manager)
    │   └── up.txt          # Minimal PHP file upload payload
    ├── origasus.go         # ASUS AiCloud/AsusWRT vulnerability scanner
    └── rootshell.c         # ASUS AsusWRT root shell exploit
```

## Requirements

| Dependency | Version | Purpose |
|------------|---------|---------|
| Go | 1.21+ | Building `stress` and `proxy_flood` |
| Python | 3.9+ | `login.py`, `brute_test.py`, proxy filtering |
| Playwright | latest | Headless browser automation |
| k6 | latest | JavaScript-based load testing |
| wapiti | 3.x | Web vulnerability scanning |

## Tools

### stress — Direct HTTP Stress Tester

The `stress` binary sends high-concurrency HTTP requests directly from your machine with no proxy. It spawns N goroutines, each sending M requests to the target URL, and displays real-time statistics including QPS, response times, success/failure counts, and status code breakdown.

**Best used when:**

- The target has no rate limiting or Cloudflare protection
- You have direct access to the origin IP:PORT
- You want to measure raw server performance under load

**Build:**

```bash
cd kimse-ba$
go build -o stress main.go
```

**Run:**

```bash
./stress -c 500 -n 100 -u https://your-site.com
```

**Flags:**

| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `-u` | string | Target URL | required |
| `-c` | int | Number of concurrent goroutines | 1 |
| `-n` | int | Number of requests per goroutine | 1 |
| `-d` | string | Enable debug mode | false |
| `-k` | bool | Enable HTTP keep-alive | false |
| `-http2` | bool | Enable HTTP/2 | false |
| `-H` | string | Custom request header (repeatable) | - |
| `-data` | string | POST body data | - |
| `-code` | int | Expected success HTTP status code | 200 |
| `-cpuNumber` | int | Number of CPU cores to use | 1 |
| `-o` | string | HTML report output path | report.html |

**Example output:**

```
─────┬───────┬───────┬───────┬────────┬────────┬────────┬────────┬────────┬────────┬────────
 time│ concur│success│failure│   qps  │maxTime │minTime │avgTime │ bytes  │bytes/s │ status
─────┼───────┼───────┼───────┼────────┼────────┼────────┼────────┼────────┼────────┼────────
   1s│    500│    120│      5│  115.00│  850.00│   45.00│  215.00│  21,840│  21,840│200:120;429:5
   2s│    500│    245│     12│  122.50│  850.00│   45.00│  210.00│  44,688│  22,848│200:245;429:12
```

Column meanings:

| Column | Meaning |
|--------|---------|
| time | Elapsed time (seconds) |
| concur | Active concurrent goroutines |
| success | Cumulative successful requests (HTTP 200) |
| failure | Cumulative failed requests |
| qps | Queries per second (successful only) |
| maxTime | Longest request duration (ms) |
| minTime | Shortest request duration (ms) |
| avgTime | Average request duration (ms) |
| bytes | Total bytes downloaded |
| bytes/s | Download speed (bytes/sec) |
| status | HTTP status code breakdown |

**Example recipes:**

```bash
# High concurrency against a direct origin IP (bypasses Cloudflare)
./stress -c 1000 -n 500 -u http://ORIGIN_IP:PORT

# POST request with JSON body
./stress -c 200 -n 50 -u https://api.example.com/endpoint \
  -H "Content-Type: application/json" \
  -data '{"key":"value"}'

# Save HTML report
./stress -c 500 -n 100 -u https://your-site.com -o result.html
```

### proxy\_flood — Proxy-Rotating Flood Tool

`proxy_flood` is a custom tool written by [@codedbyelif](https://github.com/codedbyelif) that sends HTTP requests through a rotating list of HTTP and SOCKS5 proxies. Each goroutine picks a random proxy for every request, rotating the source IP continuously and bypassing per-IP rate limits.

**How it works:**

1. Loads proxies from `proxies_all.txt` at startup
2. Spawns N goroutines (controlled by `-c`)
3. Each goroutine continuously picks a random proxy, builds an HTTP client, and fires a GET request
4. Results (success/fail/RPS) are printed to stdout every second
5. After the duration (`-d`) expires, all goroutines stop and final totals are printed

**Build:**

```bash
cd kimse-ba$
go build -o proxy_flood proxy_flood.go
```

**Run:**

```bash
./proxy_flood -url https://your-site.com/api/endpoint -c 300 -d 60
```

**Flags:**

| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `-url` | string | Target URL | required |
| `-c` | int | Number of concurrent goroutines | 100 |
| `-d` | int | Test duration in seconds | 30 |
| `-proxies` | string | Path to proxy list file | proxies_all.txt |

**Example output:**

```
Target: https://your-site.com/api/endpoint | Threads: 300 | Duration: 60s | Proxies: 1534

Time  | Total    | Success  | Failed   | RPS
------+----------+----------+----------+----------
1s    | 116      | 1        | 115      | 116
5s    | 460      | 49       | 411      | 61
10s   | 823      | 58       | 765      | 55
30s   | 2651     | 207      | 2444     | 108
60s   | 5841     | 645      | 5196     | 105

Bitti! Toplam: 6141 | Basarili: 683 | Basarisiz: 5458
```

| Column | Meaning |
|--------|---------|
| Time | Seconds elapsed |
| Total | Cumulative total requests sent |
| Success | Cumulative HTTP 200 responses |
| Failed | Cumulative errors or non-200 responses |
| RPS | Requests sent in that specific second (not cumulative) |

### login.py — Playwright Login Automation

`login.py` automates browser-based login to a target web application using [Playwright](https://playwright.dev/python/), extracts session cookies, and optionally hands them off to `linkchecker` for an authenticated crawl.

**Modes:**

| Mode | Command | Description |
|------|---------|-------------|
| Login only | `python3 login.py email pass` | Test login flow, extract cookies |
| Login + crawl | `python3 login.py email pass --check` | Login then run LinkChecker authenticated |
| Auto mode | `python3 login.py --auto --check` | Register a random account, then crawl |

**Target configuration** — the target site defaults to `https://example.com`. Point it at your own authorized target with environment variables:

```bash
TARGET_URL=https://staging.example.com \
SIGNUP_NAME="Test User" \
SIGNUP_PHONE=5550000000 \
python3 login.py --auto --check
```

| Variable | Default | Purpose |
|----------|---------|---------|
| `TARGET_URL` | `https://example.com` | Base URL of the site to authenticate against |
| `SIGNUP_NAME` | `Test User` | Name used when registering in auto mode |
| `SIGNUP_PHONE` | `5550000000` | Phone number used when registering in auto mode |

**Requirements:**

```bash
pip install playwright
playwright install chromium
```

**How it works:**

1. Launches headless Chromium via Playwright
2. Navigates to the login (or sign-up) page and fills credentials
3. Waits for redirect away from the auth page
4. Extracts all session cookies from the browser context
5. Writes cookies to Netscape format at `/tmp/linkchecker_cookies.txt`
6. Passes the cookie file to `linkchecker` via `--cookiefile` so the crawl is fully authenticated

Output report is saved as `linkchecker-report-auth.html`.

### brute\_test.py — Login Brute Force Tester

`brute_test.py` tests login endpoints against a list of credentials. Designed for authorized penetration testing of authentication flows — rate limit detection, account lockout behavior, and credential stuffing resistance.

**Run** — the target defaults to `https://example.com`. Point it at your own authorized endpoint with environment variables:

```bash
# Default target (example.com)
python3 brute_test.py

# Your own target
TARGET=https://staging.example.com/api/auth/login \
EMAIL=user@example.com \
python3 brute_test.py
```

Results are logged to `brute_log.txt`.

### wapiti — Vulnerability Scanner

[Wapiti](https://wapiti-scanner.github.io/) is a black-box web application security scanner. It crawls the target and tests for common vulnerabilities including SQL injection, XSS, CSRF, open redirects, and more.

**Run a scan:**

```bash
# Set your authorized target once
TARGET="https://example.com/"

# Unauthenticated baseline
wapiti -u "$TARGET" -o wapiti-report --format html

# Authenticated (with cookies from login.py)
wapiti -u "$TARGET" \
  --cookie /tmp/linkchecker_cookies.txt \
  -o wapiti-report-auth --format html

# Through mubeng proxy rotator
wapiti -u "$TARGET" \
  --proxy http://127.0.0.1:8080 \
  -o wapiti-report-proxied --format html
```

**Modules tested:** SQL injection, XSS, CSRF, open redirect, file inclusion, command injection, XXE, SSRF, and more. See [Wapiti docs](https://wapiti-scanner.github.io/) for the full module list.

### mubeng — Proxy Rotator

[mubeng](https://github.com/kitabisa/mubeng) is a Go-based proxy rotator that sits in front of any HTTP tool and transparently rotates requests through a proxy list. No modification of the tool itself is required.

**Run as a local proxy server:**

```bash
cd mubeng
./mubeng -a 127.0.0.1:8080 -f ../proxies.txt -r 1
```

**Point any tool at it:**

```bash
curl -x http://127.0.0.1:8080 https://target.com
wapiti -u https://target.com --proxy http://127.0.0.1:8080
linkchecker --proxy http://127.0.0.1:8080 https://target.com
```

**Flags:**

| Flag | Description |
|------|-------------|
| `-a` | Local listener address (e.g. `127.0.0.1:8080`) |
| `-f` | Path to proxy list file |
| `-r` | Rotate proxy every N requests |
| `-t` | Per-request timeout in seconds |

### k6 — Load Testing Engine

[k6](https://k6.io/) is a developer-centric load testing tool written in Go with a JavaScript scripting interface. The `k6/` directory contains the full k6 engine source, and `stress-test.js` is a ready-to-run k6 script.

**Run the included script** — it targets `https://example.com` by default. Point it at your own target with the `BASE_URL` environment variable:

```bash
# Default target (example.com)
k6 run stress-test.js

# Your own target
BASE_URL=https://staging.example.com k6 run stress-test.js
```

**Custom run options:**

```bash
# 100 virtual users for 30 seconds against your target
BASE_URL=https://staging.example.com k6 run --vus 100 --duration 30s stress-test.js

# Ramp-up scenario
BASE_URL=https://staging.example.com k6 run --stage 30s:100,60s:200,30s:0 stress-test.js
```

k6 outputs real-time metrics including request rate, response time percentiles (p90, p95, p99), error rates, and data transfer.

### els — CVE Exploit Scripts

`els/` is a collection of proof-of-concept exploit scripts for authorized security research and penetration testing.

| File | CVE | Target | Type |
|------|-----|--------|------|
| `CVE-6433.py/CVE-6433.py` | CVE-2026-6433 | FlipperCode Custom CSS, JS & PHP ≤ 2.0.7 (WordPress) | Unauthenticated SQLi → RCE |
| `CVE-6433.py/es.txt` | — | Post-exploitation | PHP webshell (file manager) |
| `CVE-6433.py/up.txt` | — | Post-exploitation | PHP file upload payload |
| `Burst Statistics/CVE.py` | CVE-2026-8181 | Burst Statistics 3.4.0–3.4.1.1 (WordPress) | Auth bypass → admin takeover |
| `origasus.go` | — | ASUS AiCloud / AsusWRT routers | Credential exposure & path traversal scanner |
| `rootshell.c` | — | ASUS AsusWRT firmware | Post-auth root shell |

**CVE-2026-6433** — `FlipperCode Custom CSS, JS & PHP` plugin stores injected code in the database via an unauthenticated AJAX handler. The `id` parameter is not sanitized, allowing a UNION-based SQL injection that overwrites a code record with arbitrary PHP. On the next page load, WordPress executes the injected PHP via `eval()`, resulting in unauthenticated remote code execution.

**CVE-2026-8181** — `Burst Statistics` plugin's `is_mainwp_authenticated()` calls `wp_authenticate_application_password()` which returns `null` (not `WP_Error`) on HTTP sites. The subsequent `is_wp_error(null)` check evaluates to `false`, bypassing password validation entirely. An attacker can supply any `Authorization: Basic` header with a known admin username and gain full admin privileges for the request.
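The fail-open pattern behind the CVE-2026-8181 description, as an added example that is not the plugin's code: a Python model of a three-state authentication result (user, error, or "not handled") checked the vulnerable way and the fail-closed way. All names (`authenticate_app_password`, `is_authenticated_vulnerable`, `is_authenticated_hardened`, the `USERS` store) are hypothetical stand-ins for the PHP logic the page describes.

```python
import base64
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


@dataclass(frozen=True)
class AuthError:
    """Stands in for WP_Error: an explicit 'credentials rejected' result."""
    reason: str


# Constructed account store for the demo (not real credentials).
USERS = {"admin": ("correct-app-password", User("admin", True))}


def authenticate_app_password(username, password, https):
    """Tri-state result as the page describes it: None means 'this
    mechanism did not run' (plain HTTP), which is not the same as success."""
    if not https:
        return None
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return AuthError("invalid credentials")
    return record[1]


def parse_basic(header):
    """Return (username, password) from an 'Authorization: Basic' value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return (user, password) if sep else None


def is_authenticated_vulnerable(header, https):
    creds = parse_basic(header)
    if creds is None:
        return None
    result = authenticate_app_password(*creds, https=https)
    if isinstance(result, AuthError):  # mirrors the is_wp_error($result) test
        return None
    # Fail-open: a None result is not an error object, so it passes the test
    # above and the caller goes on to trust the *claimed* username.
    record = USERS.get(creds[0])
    return record[1] if record else None


def is_authenticated_hardened(header, https):
    creds = parse_basic(header)
    if creds is None:
        return None
    result = authenticate_app_password(*creds, https=https)
    # Fail-closed: only a positively returned User matching the claim counts;
    # None and AuthError are both treated as "not authenticated".
    if isinstance(result, User) and result.name == creds[0]:
        return result
    return None
```

The review rule this generalizes to: any authentication helper that can return "no opinion" must be checked for the success type, never for the absence of the error type.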
**Run (single target):**

```bash
python3 CVE-6433.py https://target.com --command "id"
python3 CVE-2026-8181.py -u https://target.com -U admin
```

**Run (bulk scan):**

```bash
python3 CVE-6433.py --bulk targets.txt --threads 8
python3 CVE-2026-8181.py -f targets.txt -j 10
```

## Proxy Lists

| File | Contents |
|------|----------|
| `proxies.txt` | Raw HTTP proxies fetched from public sources |
| `proxy-alive.txt` | Proxies that passed TCP connect test |
| `proxy-dead.txt` | Proxies that failed the connect test |
| `proxy-list-raw.txt` | Unfiltered raw dump |
| `kimse-ba$/proxies_all.txt` | Combined HTTP + SOCKS5, all live-tested |

**Sources:**

- [TheSpeedX/PROXY-List](https://github.com/TheSpeedX/PROXY-List)
- [monosans/proxy-list](https://github.com/monosans/proxy-list)
- [proxifly/free-proxy-list](https://github.com/proxifly/free-proxy-list)

**Refresh the proxy list:**

```bash
curl -sL "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/http.txt" > proxies_all.txt
curl -sL "https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/http.txt" >> proxies_all.txt
curl -sL "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/socks5.txt" | sed 's/^/socks5:\/\//' >> proxies_all.txt
```

**Filter live proxies with Python (300 threads, ~2 minutes for 10k+ proxies):**

```python
import concurrent.futures, socket, re

def check(line):
    """Return the proxy line if a TCP connect succeeds within 3 s, else None."""
    line = line.strip()
    if not line:
        return None
    # Strip an optional scheme prefix so only host:port remains
    raw = re.sub(r'^(socks5|http)://', '', line)
    try:
        host, port = raw.rsplit(':', 1)
        s = socket.create_connection((host, int(port)), timeout=3)
        s.close()
        return line
    except (OSError, ValueError):
        # Connection failure, timeout, or a malformed host:port entry
        return None

with open('proxies_all.txt') as f:
    lines = f.readlines()

alive = []
with concurrent.futures.ThreadPoolExecutor(max_workers=300) as ex:
    for r in ex.map(check, lines):
        if r:
            alive.append(r)

# Overwrite the list in place with only the entries that answered
with open('proxies_all.txt', 'w') as f:
    f.write('\n'.join(alive) + '\n')

print(f"Live proxies: {len(alive)}")
```

## Benchmarks

Tests run against a live tRPC API behind Cloudflare:

| Tool | Concurrency | Duration | Total Requests | Successful (200) | Avg RPS |
|------|-------------|----------|----------------|------------------|---------|
| `stress` | 500 | 60s | ~21,000 | ~1,700 | ~23 |
| `proxy_flood` | 300 | 60s | ~6,100 | ~683 | ~11 |

## HTTP Status Codes Reference

| Code | Meaning |
|------|---------|
| `200` | Request successful |
| `301/302` | Redirect — Cloudflare forcing HTTPS, or login redirect |
| `403` | Forbidden — WAF or IP block |
| `429` | Rate limited — too many requests from one IP |
| `500` | Internal server error on target |
| `502` | Bad gateway — origin unreachable behind proxy |
| `503` | Service unavailable — target overloaded or down |
| `509` | Cloudflare bandwidth limit exceeded |
| `510` | Cloudflare — not extended |
| `525` | SSL handshake failed between Cloudflare and origin |

## Alternatives

This toolkit reflects one particular set of choices — `k6` for load testing, `mubeng` for proxy rotation, `wapiti` for vulnerability scanning, and so on. Those are not the only options. If a different tool fits your workflow better, here are mature, widely-used alternatives for each job:

### Load / stress testing (alternatives to `stress`, `proxy_flood`, `k6`)

| Tool | Language | Why you might pick it |
|------|----------|-----------------------|
| [**k6**](https://k6.io/) *(used here)* | Go + JS scripting | Developer-friendly scripting, great CLI metrics, CI-friendly |
| [**Locust**](https://locust.io/) | Python | Write load scenarios in plain Python; nice web UI; easy to scale with workers |
| [**Apache JMeter**](https://jmeter.apache.org/) | Java (GUI) | Mature, GUI-driven, huge plugin ecosystem; good for non-coders |
| [**Gatling**](https://gatling.io/) | Scala/Java DSL | High performance, expressive DSL, detailed HTML reports |
| [**wrk**](https://github.com/wg/wrk) / [**wrk2**](https://github.com/giltene/wrk2) | C | Minimal, extremely high throughput from a single box; constant-rate testing |
| [**hey**](https://github.com/rakyll/hey) / [**bombardier**](https://github.com/codesenberg/bombardier) | Go | Tiny single-binary HTTP benchmarkers for quick one-off runs |
| [**Vegeta**](https://github.com/tsenart/vegeta) | Go | Constant request-rate attacks, scriptable, good for SLO/latency testing |

### Proxy rotation (alternatives to `proxy_flood`'s rotator and `mubeng`)

| Tool | Notes |
|------|-------|
| [**mubeng**](https://github.com/kitabisa/mubeng) *(used here)* | Proxy IP rotator + checker, simple CLI |
| [**ProxyBroker**](https://github.com/constverum/ProxyBroker) | Finds, checks, and rotates public proxies (Python) |
| [**gost**](https://github.com/go-gost/gost) | Flexible proxy/tunnel chains (HTTP/SOCKS5 and more) |
| [**Rotating proxy via Squid/HAProxy**](https://www.haproxy.org/) | Self-hosted upstream rotation for full control |

### Web vulnerability scanning (alternatives to `wapiti`)

| Tool | Notes |
|------|-------|
| [**Wapiti**](https://wapiti-scanner.github.io/) *(used here)* | Black-box scanner: SQLi, XSS, CSRF, SSRF, etc. |
| [**OWASP ZAP**](https://www.zaproxy.org/) | Full-featured DAST with proxy, active/passive scan, automation API |
| [**Nikto**](https://github.com/sullo/nikto) | Fast web-server misconfiguration / known-issue scanner |
| [**Nuclei**](https://github.com/projectdiscovery/nuclei) | Template-based scanning, huge community template library |
| [**Burp Suite**](https://portswigger.net/burp) | Industry-standard manual + automated web security testing |

### Authenticated crawling / login automation (alternatives to `login.py` + Playwright)

| Tool | Notes |
|------|-------|
| [**Playwright**](https://playwright.dev/python/) *(used here)* | Modern headless browser automation, multi-browser |
| [**Selenium**](https://www.selenium.dev/) | The long-standing browser automation standard |
| [**Puppeteer**](https://pptr.dev/) | Chrome/Chromium automation (Node.js) |
| [**LinkChecker**](https://linkchecker.github.io/linkchecker/) *(used here)* | Recursive broken-link checker; accepts a cookie file for authenticated crawls |

## License

The original code in this repository — written by **codedbyelif** — is released under the **MIT License**. See [LICENSE](LICENSE) for the full text. This covers the `proxy_flood` tool, the `cmd/tui` interface, the statistics / scoring / HTML-report modules, the Radius probe, `login.py`, `brute_test.py`, `stress-test.js`, and the supporting glue code and docs.

### Third-Party Licenses

This repository vendors several third-party projects. They remain under their own licenses, which take precedence over the MIT license above for their files:

| Component | Project | License | Notice |
|-----------|---------|---------|--------|
| `kimse-ba$/` core engine | [link1st/go-stress-testing](https://github.com/link1st/go-stress-testing) (fork base) | Apache-2.0 | [`kimse-ba$/LICENSE`](kimse-ba$/LICENSE) |
| `k6/` | [Grafana k6](https://github.com/grafana/k6) | **AGPL-3.0** | [`k6/LICENSE.md`](k6/LICENSE.md) |
| `wapiti/` | [Wapiti](https://github.com/wapiti-scanner/wapiti) | **GPL-2.0** | [`wapiti/LICENSE`](wapiti/LICENSE) |
| `mubeng/` | [mubeng](https://github.com/kitabisa/mubeng) | Apache-2.0 | [`mubeng/LICENSE`](mubeng/LICENSE) |
| `proxy-list/` | [proxy-list](https://github.com/clarketm/proxy-list) | MIT | [`proxy-list/LICENSE`](proxy-list/LICENSE) |

## Author

Built and maintained by **codedbyelif** — The core stress engine is forked from [link1st/go-stress-testing](https://github.com/link1st/go-stress-testing) and extended by codedbyelif with the proxy-rotating flood tool, the interactive TUI, the AI scoring / HTML reporting modules, Turkish documentation, and live proxy filtering.
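The `proxy_flood` section describes traffic where every request arrives from a different proxy with a randomized user agent, so a limiter keyed on source IP never trips. As an added example (not part of this repository), the detector below scans access logs for that signature: an endpoint whose total request rate is over budget while every individual source stays under the per-IP limit. The log lines are constructed, and the window size and thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (epoch_seconds, ip, path_without_query, status, user_agent) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m["ip"], m["path"].split("?", 1)[0], int(m["status"]), m["ua"]


def find_distributed_floods(lines, window_s=10, per_ip_limit=20,
                            endpoint_limit=100, min_sources=50):
    """Flag (window, path) buckets that exceed the endpoint budget although
    no single source exceeds the per-IP limit (thresholds are assumptions)."""
    buckets = defaultdict(lambda: {"total": 0, "ips": defaultdict(int),
                                   "uas": set(), "non_200": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ts, ip, path, status, ua = rec
        b = buckets[(ts // window_s * window_s, path)]
        b["total"] += 1
        b["ips"][ip] += 1
        b["uas"].add(ua)
        b["non_200"] += status != 200
    findings = []
    for (start, path), b in sorted(buckets.items()):
        busiest = max(b["ips"].values())
        if (b["total"] > endpoint_limit and busiest <= per_ip_limit
                and len(b["ips"]) >= min_sources):
            findings.append({"window_start": start, "path": path,
                             "requests": b["total"], "sources": len(b["ips"]),
                             "busiest_source": busiest,
                             "user_agents": len(b["uas"]),
                             "non_200": b["non_200"]})
    return findings


def constructed_sample():
    """Constructed log lines using documentation IP ranges (RFC 5737)."""
    def row(ip, sec, path, status, ua):
        return (f'{ip} - - [01/Jan/2024:00:00:{sec:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')
    uas = [f"constructed-agent-{c}/1.0" for c in "abcde"]
    ips = ([f"198.51.100.{i}" for i in range(1, 76)]
           + [f"203.0.113.{i}" for i in range(1, 76)])
    lines = []
    # Rotating sources: 300 requests in one window, 2 per IP, rotating agents.
    for n in range(300):
        status = 200 if n % 9 == 0 else 429
        lines.append(row(ips[n % 150], n % 10, "/api/endpoint", status, uas[n % 5]))
    # One noisy client: a plain per-IP limiter already handles this case.
    for n in range(150):
        lines.append(row("192.0.2.10", n % 10, "/search", 200, uas[0]))
    # Ordinary background traffic.
    for n in range(30):
        lines.append(row(f"192.0.2.{100 + n % 10}", n % 10, "/", 200, uas[1]))
    return lines


if __name__ == "__main__":
    for finding in find_distributed_floods(constructed_sample()):
        print(finding)
```

A finding here is a cue to rate-limit on something other than the client address for that endpoint, such as a global budget, an authenticated identity, or a challenge.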
# Türkçe Kullanım Kılavuzu ## İçindekiler - [Gereksinimler](#gereksinimler) - [Kurulum ve Derleme](#kurulum-ve-derleme) - [Araçlar](#araçlar) - [stress — Doğrudan HTTP Stres Testi](#stress--doğrudan-http-stres-testi) - [proxy\_flood — Proxy Döndürerek Flood](#proxy_flood--proxy-döndürerek-flood) - [login.py — Playwright ile Oturum Açma](#loginpy--playwright-ile-oturum-açma) - [brute\_test.py — Kaba Kuvvet Login Testi](#brute_testpy--kaba-kuvvet-login-testi) - [wapiti — Güvenlik Açığı Tarayıcısı](#wapiti--güvenlik-açığı-tarayıcısı) - [mubeng — Proxy Döndürücü](#mubeng--proxy-döndürücü) - [k6 — Yük Testi Motoru](#k6--yük-testi-motoru) - [els — CVE Exploit Scriptleri](#els--cve-exploit-scriptleri) - [Proxy Listesi Yönetimi](#proxy-listesi-yönetimi) - [HTTP Durum Kodları](#http-durum-kodları) - [Alternatifler](#alternatifler) - [Lisans](#lisans) - [Yazar](#yazar) ## Gereksinimler | Bağımlılık | Sürüm | Kullanım Amacı | |------------|-------|----------------| | Go | 1.21+ | `stress` ve `proxy_flood` derleme | | Python | 3.9+ | `login.py`, `brute_test.py`, proxy filtreleme | | Playwright | son sürüm | Headless tarayıcı otomasyonu | | k6 | son sürüm | JavaScript tabanlı yük testi | | wapiti | 3.x | Web güvenlik açığı taraması | ## Kurulum ve Derleme # Repoyu klonla git clone https://github.com/codedbyelif/kimse-bas.git cd kimse-bas # stress ve proxy_flood araçlarını derle cd kimse-ba$ go build -o stress main.go go build -o proxy_flood proxy_flood.go # Python bağımlılıklarını kur pip install playwright playwright install chromium ## Araçlar ### stress — Doğrudan HTTP Stres Testi `stress`, proxy kullanmadan doğrudan kendi IP adresinizden yüksek eş zamanlılıkla HTTP istekleri gönderir. N adet goroutine başlatır, her biri hedefe M istek gönderir ve gerçek zamanlı istatistik gösterir. 
**Ne zaman kullanılır:** - Hedef sunucuda rate limiting veya Cloudflare koruması yoksa - Sunucunun doğrudan IP:PORT'una erişiminiz varsa - Ham sunucu performansını ölçmek istiyorsanız **Derleme:** cd kimse-ba$ go build -o stress main.go **Çalıştırma:** ./stress -c 500 -n 100 -u https://hedef-site.com **Parametreler:** | Parametre | Tür | Açıklama | Varsayılan | |-----------|-----|----------|------------| | `-u` | string | Hedef URL | zorunlu | | `-c` | int | Eş zamanlı goroutine sayısı | 1 | | `-n` | int | Goroutine başına istek sayısı | 1 | | `-d` | string | Debug modu | false | | `-k` | bool | HTTP keep-alive | false | | `-http2` | bool | HTTP/2 | false | | `-H` | string | Özel header (tekrarlanabilir) | - | | `-data` | string | POST body verisi | - | | `-code` | int | Başarılı sayılacak HTTP kodu | 200 | | `-cpuNumber` | int | Kullanılacak CPU çekirdeği | 1 | | `-o` | string | HTML rapor çıktı yolu | report.html | **Kullanım örnekleri:** # Cloudflare bypass — doğrudan origin IP ile (çok daha yüksek RPS) ./stress -c 1000 -n 500 -u http://SUNUCU_IP:PORT # Yoğun test ./stress -c 1000 -n 200 -u https://hedef-site.com/api/endpoint # JSON POST isteği ./stress -c 200 -n 50 -u https://api.example.com/endpoint \ -H "Content-Type: application/json" \ -data '{"anahtar":"deger"}' # HTML rapor kaydet ./stress -c 500 -n 100 -u https://hedef-site.com -o sonuc.html ### proxy\_flood — Proxy Döndürerek Flood `proxy_flood`, [@codedbyelif](https://github.com/codedbyelif) tarafından sıfırdan yazılmış özel bir araçtır. Her istek için listeden rastgele bir proxy seçer, kaynak IP'yi sürekli döndürür ve per-IP rate limitleri aşmayı zorlaştırır. **Nasıl çalışır:** 1. Başlangıçta `proxies_all.txt` dosyasından proxy'leri yükler 2. `-c` parametresiyle belirlenen sayıda goroutine başlatır 3. Her goroutine rastgele proxy seçer, o proxy üzerinden GET isteği gönderir 4. Her saniye sonuç (başarı/hata/RPS) ekrana yazdırılır 5. 
`-d` süresi dolunca tüm goroutine'ler durur ve toplam istatistik gösterilir **Derleme:** cd kimse-ba$ go build -o proxy_flood proxy_flood.go **Çalıştırma:** ./proxy_flood -url https://hedef-site.com/api/endpoint -c 300 -d 60 **Parametreler:** | Parametre | Tür | Açıklama | Varsayılan | |-----------|-----|----------|------------| | `-url` | string | Hedef URL | zorunlu | | `-c` | int | Eş zamanlı goroutine sayısı | 100 | | `-d` | int | Test süresi (saniye) | 30 | | `-proxies` | string | Proxy listesi dosyası | proxies_all.txt | **Örnek çıktı:** Target: https://hedef-site.com/api/endpoint | Threads: 300 | Duration: 60s | Proxies: 1534 Time | Total | Success | Failed | RPS ------+----------+----------+----------+---------- 1s | 116 | 1 | 115 | 116 5s | 460 | 49 | 411 | 61 10s | 823 | 58 | 765 | 55 30s | 2651 | 207 | 2444 | 108 60s | 5841 | 645 | 5196 | 105 Bitti! Toplam: 6141 | Başarılı: 683 | Başarısız: 5458 ### login.py — Playwright ile Oturum Açma `login.py`, hedef web uygulamasına Playwright aracılığıyla headless tarayıcıda otomatik giriş yapar, session cookie'lerini çıkarır ve isteğe bağlı olarak `linkchecker`'a aktarır. **Modlar:** | Mod | Komut | Açıklama | |-----|-------|----------| | Sadece giriş | `python3 login.py email sifre` | Login flow'u test et, cookie'leri çıkar | | Giriş + tarama | `python3 login.py email sifre --check` | Giriş yap, kimlik doğruluyken bağlantıları tara | | Otomatik mod | `python3 login.py --auto --check` | Rastgele hesap oluştur, kimlik doğruluyken tara | **Hedef ayarı** — hedef site varsayılan olarak `https://example.com`'dur. 
Ortam değişkenleriyle kendi yetkili hedefinize yönlendirin: TARGET_URL=https://staging.example.com \ SIGNUP_NAME="Test User" \ SIGNUP_PHONE=5550000000 \ python3 login.py --auto --check | Değişken | Varsayılan | Amaç | |----------|------------|------| | `TARGET_URL` | `https://example.com` | Kimlik doğrulanacak sitenin temel adresi | | `SIGNUP_NAME` | `Test User` | Otomatik modda kayıt olurken kullanılan isim | | `SIGNUP_PHONE` | `5550000000` | Otomatik modda kayıt olurken kullanılan telefon | **Gereksinimler:** pip install playwright playwright install chromium **Nasıl çalışır:** 1. Playwright ile headless Chromium başlatır 2. Giriş veya kayıt sayfasına gidip bilgileri doldurur 3. Auth sayfasından yönlendirme bekler (başarılı giriş teyidi) 4. Browser context'teki tüm cookie'leri çıkarır 5. Cookie'leri Netscape formatında `/tmp/linkchecker_cookies.txt`'e yazar 6. `linkchecker`'a `--cookiefile` ile aktarır — tarama kimlik doğruluyken yapılır Çıktı raporu `linkchecker-report-auth.html` olarak kaydedilir. ### brute\_test.py — Kaba Kuvvet Login Testi `brute_test.py`, login endpoint'ini bir kimlik bilgisi listesine karşı test eder. Rate limiting, hesap kilitleme davranışı ve credential stuffing direncini ölçmek için tasarlanmıştır. Yalnızca yetkili pentest ortamlarında kullanın. **Çalıştırma** — hedef varsayılan olarak `https://example.com`'dur. Ortam değişkenleriyle kendi yetkili endpoint'inize yönlendirin: # Varsayılan hedef (example.com) python3 brute_test.py # Kendi hedefiniz TARGET=https://staging.example.com/api/auth/login \ EMAIL=user@example.com \ python3 brute_test.py Sonuçlar `brute_log.txt` dosyasına kaydedilir. ### wapiti — Güvenlik Açığı Tarayıcısı [Wapiti](https://wapiti-scanner.github.io/), hedef web uygulamasını tarayarak SQL injection, XSS, CSRF, açık yönlendirme, dosya dahil etme, komut enjeksiyonu ve daha fazlasını test eden bir kara kutu güvenlik tarayıcısıdır. 
**Tarama yapma:** # Yetkili hedefinizi bir kez tanımlayın TARGET="https://example.com/" # Kimlik doğrulamasız temel tarama wapiti -u "$TARGET" -o wapiti-report --format html # Kimlik doğruluyken (login.py cookie'leri ile) wapiti -u "$TARGET" \ --cookie /tmp/linkchecker_cookies.txt \ -o wapiti-report-auth --format html # mubeng proxy üzerinden wapiti -u "$TARGET" \ --proxy http://127.0.0.1:8080 \ -o wapiti-report-proxied --format html ### mubeng — Proxy Döndürücü [mubeng](https://github.com/kitabisa/mubeng), herhangi bir HTTP aracının önüne geçen ve istekleri şeffaf biçimde proxy listesi üzerinden döndüren bir Go tabanlı proxy rotator'dır. **Yerel proxy sunucu olarak çalıştırma:** cd mubeng ./mubeng -a 127.0.0.1:8080 -f ../proxies.txt -r 1 **Herhangi bir aracı buna yönlendirme:** curl -x http://127.0.0.1:8080 https://hedef.com wapiti -u https://hedef.com --proxy http://127.0.0.1:8080 **Parametreler:** | Parametre | Açıklama | |-----------|----------| | `-a` | Yerel dinleme adresi (ör. `127.0.0.1:8080`) | | `-f` | Proxy listesi dosyası | | `-r` | Her N istekte bir proxy değiştir | | `-t` | İstek başına zaman aşımı (saniye) | ### k6 — Yük Testi Motoru [k6](https://k6.io/), JavaScript ile betik yazılan Go tabanlı bir yük testi aracıdır. `k6/` dizini tam motor kaynak kodunu, `stress-test.js` ise çalışmaya hazır bir betik içerir. **Betiği çalıştırma** — varsayılan hedef `https://example.com`'dur. 
`BASE_URL` ortam değişkeniyle kendi hedefinize yönlendirin: # Varsayılan hedef (example.com) k6 run stress-test.js # Kendi hedefiniz BASE_URL=https://staging.example.com k6 run stress-test.js **Özel seçenekler:** # 100 sanal kullanıcı, 30 saniye, kendi hedefinize BASE_URL=https://staging.example.com k6 run --vus 100 --duration 30s stress-test.js # Kademeli artış senaryosu BASE_URL=https://staging.example.com k6 run --stage 30s:100,60s:200,30s:0 stress-test.js k6, istek hızı, yanıt süresi yüzdelik dilimleri (p90, p95, p99), hata oranları ve veri transferi metriklerini gerçek zamanlı gösterir. ### els — CVE Exploit Scriptleri `els/` dizini, yetkili güvenlik araştırmaları ve penetrasyon testleri için hazırlanmış kavram kanıtı (PoC) exploit scriptlerini içerir. | Dosya | CVE | Hedef | Tür | |-------|-----|-------|-----| | `CVE-6433.py/CVE-6433.py` | CVE-2026-6433 | FlipperCode Custom CSS, JS & PHP ≤ 2.0.7 (WordPress) | Kimlik doğrulamasız SQLi → RCE | | `CVE-6433.py/es.txt` | — | Post-exploitation | PHP webshell (dosya yöneticisi) | | `CVE-6433.py/up.txt` | — | Post-exploitation | PHP dosya yükleme payload'u | | `Burst Statistics/CVE.py` | CVE-2026-8181 | Burst Statistics 3.4.0–3.4.1.1 (WordPress) | Auth bypass → admin ele geçirme | | `origasus.go` | — | ASUS AiCloud / AsusWRT router'lar | Kimlik bilgisi sızdırma & path traversal tarayıcı | | `rootshell.c` | — | ASUS AsusWRT firmware | Post-auth root shell | **CVE-2026-6433** — FlipperCode eklentisi, kimlik doğrulamasız bir AJAX endpoint üzerinden veritabanına kod kaydeder. `id` parametresi sanitize edilmediğinden UNION tabanlı SQL injection ile bir kod kaydının üzerine keyfi PHP yazılır. Sayfa bir sonraki yüklenişinde WordPress bu kodu `eval()` ile çalıştırır ve kimlik doğrulamasız uzaktan kod çalıştırma sağlanır. 
**CVE-2026-8181** — The Burst Statistics plugin's `is_mainwp_authenticated()` method skips password verification entirely, because `wp_authenticate_application_password()` returns `null` on HTTP sites. By sending any `Authorization: Basic` header with a known admin username, an attacker obtains full admin privileges for the entire request.

**Running:**

```bash
python3 CVE-6433.py https://hedef.com --command "id"
python3 CVE-2026-8181.py -u https://hedef.com -U admin

# Bulk scan
python3 CVE-6433.py --bulk hedefler.txt --threads 8
python3 CVE-2026-8181.py -f hedefler.txt -j 10
```

## Proxy List Management

| File | Contents |
|------|----------|
| `proxies.txt` | Raw HTTP proxies taken from public sources |
| `proxy-alive.txt` | Proxies that passed the TCP connection test |
| `proxy-dead.txt` | Proxies that failed the tests |
| `proxy-list-raw.txt` | Unfiltered raw dump |
| `kimse-ba$/proxies_all.txt` | HTTP + SOCKS5 combined, all tested live |

**Updating the proxy list:**

```bash
curl -sL "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/http.txt" > proxies_all.txt
curl -sL "https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/http.txt" >> proxies_all.txt
curl -sL "https://raw.githubusercontent.com/TheSpeedX/PROXY-List/master/socks5.txt" | sed 's/^/socks5:\/\//' >> proxies_all.txt
```

**Filtering live proxies (Python, 300 threads, ~2 minutes):**

```python
import concurrent.futures
import re
import socket


def check(line):
    """Return the proxy line if a TCP connection to it succeeds, else None."""
    line = line.strip()
    if not line:
        return None
    # Strip the scheme prefix so only host:port remains
    raw = re.sub(r'^(socks5|http)://', '', line)
    try:
        host, port = raw.rsplit(':', 1)
        # The context manager closes the socket even if an error occurs
        with socket.create_connection((host, int(port)), timeout=3):
            return line
    except (OSError, ValueError):
        # Unreachable, timed out, or malformed host:port entry
        return None


with open('proxies_all.txt') as f:
    lines = f.readlines()

# Test all entries in parallel with 300 worker threads
with concurrent.futures.ThreadPoolExecutor(max_workers=300) as ex:
    alive = [r for r in ex.map(check, lines) if r]

# Overwrite the list with only the live proxies
with open('proxies_all.txt', 'w') as f:
    f.write('\n'.join(alive) + '\n')
print(f"Canlı proxy: {len(alive)}")
```

## HTTP Status Codes

| Code | Meaning |
|------|---------|
| `200` | Successful request |
| `301/302` | Redirect — Cloudflare HTTPS enforcement or login redirect |
| `403` | Forbidden — WAF or IP block |
| `429` | Rate limit — too many requests from a single IP |
| `500` | Internal error on the target server |
| `502` | Bad gateway — origin unreachable behind the proxy |
| `503` | Service unavailable — target overloaded or offline |
| `509` | Cloudflare bandwidth limit exceeded |
| `510` | Cloudflare — not extended |
| `525` | SSL handshake failure between Cloudflare and the origin |

## Alternatives

This toolkit reflects particular choices — `k6` for load testing, `mubeng` for proxy rotation, `wapiti` for vulnerability scanning, and so on. These are not the only options. If another tool fits your workflow better, common and mature alternatives for each job are listed below.

### Load / stress testing (alternatives to `stress`, `proxy_flood`, `k6`)

| Tool | Language | Why you might prefer it |
|------|----------|-------------------------|
| [**k6**](https://k6.io/) *(used here)* | Go + JS | Developer-friendly scripting, strong CLI metrics, CI-friendly |
| [**Locust**](https://locust.io/) | Python | Write scenarios in plain Python; web UI; scales easily with workers |
| [**Apache JMeter**](https://jmeter.apache.org/) | Java (GUI) | Mature, GUI-based, huge plugin ecosystem; ideal for non-coders |
| [**Gatling**](https://gatling.io/) | Scala/Java DSL | High performance, readable DSL, detailed HTML reports |
| [**wrk**](https://github.com/wg/wrk) / [**wrk2**](https://github.com/giltene/wrk2) | C | Minimal, very high throughput from a single machine; constant-rate testing |
| [**hey**](https://github.com/rakyll/hey) / [**bombardier**](https://github.com/codesenberg/bombardier) | Go | Fast single-file HTTP benchmarking tools |
| [**Vegeta**](https://github.com/tsenart/vegeta) | Go | Constant-request-rate attack, scriptable; good for SLO/latency testing |

### Proxy rotation (alternatives to the `proxy_flood` rotator and `mubeng`)

| Tool | Notes |
|------|-------|
| [**mubeng**](https://github.com/kitabisa/mubeng) *(used here)* | Proxy IP rotator + checker, simple CLI |
| [**ProxyBroker**](https://github.com/constverum/ProxyBroker) | Finds, checks, and rotates public proxies (Python) |
| [**gost**](https://github.com/go-gost/gost) | Flexible proxy/tunnel chains (HTTP/SOCKS5 and more) |
| [**Rotation with Squid/HAProxy**](https://www.haproxy.org/) | Upstream rotation on your own server for full control |

### Web vulnerability scanning (alternatives to `wapiti`)

| Tool | Notes |
|------|-------|
| [**Wapiti**](https://wapiti-scanner.github.io/) *(used here)* | Black-box scanner: SQLi, XSS, CSRF, SSRF, etc. |
| [**OWASP ZAP**](https://www.zaproxy.org/) | Full DAST with a proxy, active/passive scanning, and an automation API |
| [**Nikto**](https://github.com/sullo/nikto) | Fast scanner for web server misconfigurations / known vulnerabilities |
| [**Nuclei**](https://github.com/projectdiscovery/nuclei) | Template-based scanning, large community template library |
| [**Burp Suite**](https://portswigger.net/burp) | Industry standard for manual + automated web security testing |

### Authenticated scanning / login automation (alternatives to `login.py` + Playwright)

| Tool | Notes |
|------|-------|
| [**Playwright**](https://playwright.dev/python/) *(used here)* | Modern headless browser automation, multi-browser |
| [**Selenium**](https://www.selenium.dev/) | Long-established browser automation standard |
| [**Puppeteer**](https://pptr.dev/) | Chrome/Chromium automation (Node.js) |
| [**LinkChecker**](https://linkchecker.github.io/linkchecker/) *(used here)* | Recursive broken-link checker; authenticated crawling with a cookie file |

## License

The original code in this repository — written by **codedbyelif** — is released under the **MIT License**. See [LICENSE](LICENSE) for the full text.
This license covers the `proxy_flood` tool, the `cmd/tui` interface, the statistics / scoring / HTML report modules, the Radius probe, the `login.py`, `brute_test.py`, and `stress-test.js` files, and the supporting code/documentation.

### Third-Party Licenses

This repository bundles several third-party projects. They are subject to their own licenses, which take precedence over the MIT license above for those files:

| Component | Project | License | Notice |
|-----------|---------|---------|--------|
| `kimse-ba$/` core engine | [link1st/go-stress-testing](https://github.com/link1st/go-stress-testing) (fork base) | Apache-2.0 | [`kimse-ba$/LICENSE`](kimse-ba$/LICENSE) |
| `k6/` | [Grafana k6](https://github.com/grafana/k6) | **AGPL-3.0** | [`k6/LICENSE.md`](k6/LICENSE.md) |
| `wapiti/` | [Wapiti](https://github.com/wapiti-scanner/wapiti) | **GPL-2.0** | [`wapiti/LICENSE`](wapiti/LICENSE) |
| `mubeng/` | [mubeng](https://github.com/kitabisa/mubeng) | Apache-2.0 | [`mubeng/LICENSE`](mubeng/LICENSE) |
| `proxy-list/` | [proxy-list](https://github.com/clarketm/proxy-list) | MIT | [`proxy-list/LICENSE`](proxy-list/LICENSE) |

## Author

Developed and maintained by [@codedbyelif](https://github.com/codedbyelif). The core stress engine was forked from [link1st/go-stress-testing](https://github.com/link1st/go-stress-testing) and extended by codedbyelif with the proxy-rotating flood tool, an interactive TUI, AI scoring / HTML reporting modules, Turkish documentation, and live proxy filtering.