banner
andrewji8

Being towards death

Heed not to the tree-rustling and leaf-lashing rain, Why not stroll along, whistle and sing under its rein. Lighter and better suited than horses are straw sandals and a bamboo staff, Who's afraid? A palm-leaf plaited cape provides enough to misty weather in life sustain. A thorny spring breeze sobers up the spirit, I feel a slight chill, The setting sun over the mountain offers greetings still. Looking back over the bleak passage survived, The return in time Shall not be affected by windswept rain or shine.
telegram
twitter
github
HomeArchives

From Thought to Practice: Achieving Efficient Penetration with AiPy

#AI12
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
AiPy is an open-source project under the ZhiDao ChuangYu 404 Laboratory's Starlink initiative. It enables large models to autonomously write programs for various tasks, creating an intelligent system capable of self-development, execution, and feedback. To install AiPy on Windows, visit the official website and follow the one-click setup instructions. A configuration file named `aipy.toml` must be created with necessary API details. After configuration, run the program using `run.bat`. AiPy can control Google Chrome by executing commands, such as retrieving images from the Red Bull website every two minutes. It can also perform vulnerability scanning by crawling subdomains from a specified site and checking for XSS vulnerabilities using harmless payloads. However, the method for obtaining subdomains is not specified, leaving it to AiPy to determine. The demonstration highlights the importance of well-constructed prompts for effective vulnerability detection.

1. Introduction to AiPy#

AiPy is an open-source project under the Starlink program of Zhidao Chuangyu 404 Laboratory. AiPy enables large models to write programs to operate computers, databases, browsers, and all applications, creating an intelligent system with autonomous development, execution, and feedback loops.

2. AiPy Windows System Installation#

Visit the AiPy official website https://www.aipy.app/ and directly select to run Windows with one-click extraction. The directory structure is as follows:

image

Create a configuration file aipy.toml:

[llm.trustoken]
api_key = "your key"
base_url = "https://api.trustoken.ai/v1/"
model = "auto"
max_tokens = 16384
enable = true
default = true

Regarding the key, you can use the interfaces from various platforms or the locally deployed large model interface, depending on your needs. Of course, third-party services also require payment. After configuration, double-click run.bat to start.

3. AiPy Operating Google Chrome#

Give AiPy a prompt to start Google Chrome. When execution fails, it will identify the reason and modify the code to successfully launch Google Chrome. When instructed to fetch a photo from the Red Bull official website every 2 minutes, it executes successfully.

24e97bafdb46c92edf755fd9d04deb32

4a13fb17e2af24e305987eadadf1ba6c

4. Can AiPy Conduct Vulnerability Mining?#

Start Google Chrome, crawl the subdomain interfaces of http://vulnweb.com/ and save them to the d.txt file. Based on the interface paths, determine if they are vulnerable; if they are, construct harmless payloads to check for XSS vulnerabilities. Other vulnerabilities are not checked. After obtaining the subdomains, it is not specified what methods or means to use to acquire them. Let AiPy figure it out.

48cdae80839ee5aa96d3fc3d3bf83210

0a10d239fcd8af1a7db7e1bf48f7d003

7f0e1542bc69a94fd7c275e6125d8250

4baf912993a404fd2675247d017696e7

This is about the end; it's just a demonstration. After all, the prompts need to be well-constructed to potentially uncover vulnerabilities.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.