banner
andrewji8

Being towards death

Heed not to the tree-rustling and leaf-lashing rain, Why not stroll along, whistle and sing under its rein. Lighter and better suited than horses are straw sandals and a bamboo staff, Who's afraid? A palm-leaf plaited cape provides enough to misty weather in life sustain. A thorny spring breeze sobers up the spirit, I feel a slight chill, The setting sun over the mountain offers greetings still. Looking back over the bleak passage survived, The return in time Shall not be affected by windswept rain or shine.
telegram
twitter
github
HomeArchives

From Thought to Practice: Achieving Efficient Penetration with AiPy

#AI36
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
AiPy is an open-source project from the ZhiDao ChuangYu 404 Lab's Starlink program, designed to create intelligent systems capable of autonomously writing programs to operate computers, databases, browsers, and applications. To install AiPy on Windows, users can visit the official website and run a one-click installation, which involves creating a configuration file (`aipy.toml`) with specific API settings. After configuration, users can launch AiPy by running a batch file. AiPy can also automate tasks in Google Chrome, such as retrieving images from the Red Bull website every two minutes. Additionally, it can perform vulnerability scanning by crawling subdomains of a specified site and checking for XSS vulnerabilities using harmless payloads. The process emphasizes the importance of well-constructed prompts for effective vulnerability detection.

1. Introduction to AiPy#

AiPy is an open-source project under the Starlink program of Zhidao Chuangyu 404 Laboratory. AiPy enables large models to autonomously write programs to operate computers, databases, browsers, and all applications, creating an intelligent system with autonomous development, execution, and feedback loops.

2. AiPy Windows System Installation#

Visit the AiPy official website https://www.aipy.app/ and directly choose to run the Windows one-click extraction. The directory structure is as follows:

image

Create a configuration file aipy.toml:

[llm.trustoken]
api_key = "your key"
base_url = "https://api.trustoken.ai/v1/"
model = "auto"
max_tokens = 16384
enable = true
default = true

Regarding the key, you can use interfaces from various platforms or the local deployment of large model interfaces, depending on your needs. Of course, third-party services also require payment. After configuration, double-click run.bat to start.

3. AiPy Google Chrome Operations#

Issue prompts to AiPy to launch Google Chrome. When execution fails, it will identify the cause and modify the code to successfully launch Google Chrome. When instructed to fetch photos from the Red Bull official website every 2 minutes, it executes successfully.

24e97bafdb46c92edf755fd9d04deb32

4a13fb17e2af24e305987eadadf1ba6c

4. How to Conduct Vulnerability Mining with AiPy?#

Launch Google Chrome and crawl the subdomain interfaces of http://vulnweb.com/, saving them to the d.txt file. Based on the interface paths, determine if they are vulnerable; if so, construct harmless payloads to check for XSS vulnerabilities. Other vulnerabilities are not checked. After obtaining the subdomains, it is not specified what methods or means to use to acquire them. Let AiPy figure it out.

48cdae80839ee5aa96d3fc3d3bf83210

0a10d239fcd8af1a7db7e1bf48f7d003

7f0e1542bc69a94fd7c275e6125d8250

4baf912993a404fd2675247d017696e7

This is about the end; it's just a demonstration. After all, prompts need to be well-constructed to potentially uncover vulnerabilities.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.