## https://sploitus.com/exploit?id=42B60D03-FF1D-5328-A745-E259A3FC649D
# Exploit Chain Suggester v2.0.0

A CLI tool for penetration testers and bug bounty hunters to discover, build, and validate exploit chains based on discovered vulnerabilities.

**Version 2.0.0: Full Complete Coverage Edition**

---

## Installation

```bash
git clone https://github.com/jakeloai/Exploit-Chain-Suggester
cd Exploit-Chain-Suggester
python3 ecs.py --help
```

No external dependencies required. Uses Python standard library only.

---

## Quick Start

```bash
# List all exploit primitives
python3 ecs.py exploits

# List all entry points
python3 ecs.py entries

# Suggest chains from SQLi (stealth mode)
python3 ecs.py suggest --entry sqli --stealth

# Show full chain details
python3 ecs.py show uni-sqli-004

# Search for Laravel-related chains
python3 ecs.py search laravel

# Generate playbook report
python3 ecs.py report --entry sqli --tech "MSSQL,IIS" -o playbook.md

# Build custom chain
python3 ecs.py chain --steps "recon,lfi,log-poison,rce"

# Validate chain against target constraints
python3 ecs.py validate --chain uni-sqli-004 --constraints "no-stacked,firewall"

# Auto-suggest next step
python3 ecs.py fuzz --current "sqli-found" --tech "MySQL,PHP"

# Parse tech stack for entry points
python3 ecs.py scan --tech "PHP,MySQL,Apache,WordPress"
```

---

## Commands

| Command | Description |
|---------|-------------|
| `exploits` | List all exploit primitives (with filtering) |
| `entries` | List all available entry points |
| `list` | List chains with filters (entry, layer, subtype, impact) |
| `show` | Display full details of a specific chain |
| `suggest` | Suggest chains from a given entry point |
| `chain` | Build a custom chain from multiple exploits |
| `report` | Generate a playbook report for target |
| `search` | Search chains by keyword, CVE, or technique |
| `validate` | Check if a chain is possible given target constraints |
| `fuzz` | Auto-suggest next step based on current findings |
| `scan` | Parse recon output and suggest entry points |

---

## Database Coverage v2.0.0

| Layer | Chains | Description |
|-------|--------|-------------|
| Universal | 61 | Database/framework-agnostic chains |
| Framework | 23 | Laravel, Django, Spring Boot, WordPress, Rails, Express, Next.js, Flask, ASP.NET, Symfony, PHP, Go, Rust, Drupal, Joomla, Node.js, Angular |
| Cloud | 14 | AWS, GCP, Azure, Kubernetes, Docker |
| Network | 6 | Recon, web fuzzing, subdomain takeover, Git exposure, CI/CD, supply chain |

**Total: 104 chains across 50 exploit primitives**

### Exploit Primitives Covered

| Category | Primitives | Count |
|----------|-----------|-------|
| **Injection** | SQLi, Command Injection, XSS, SSTI, XXE, GraphQL Injection, NoSQL Injection, LDAP Injection, XPath Injection, HTTP Parameter Pollution, DOM-based XSS, Server-Side JS Injection | 12 |
| **File** | LFI, RFI, File Upload, PDF/Document Injection | 4 |
| **Server-Side** | SSRF, Host Header Injection, Cache Poisoning, HTTP Request Smuggling | 4 |
| **Web** | CSRF, Clickjacking, Open Redirect, WebSocket Hijacking, CORS Misconfiguration | 5 |
| **Authentication** | Brute Force, Broken Authentication, JWT Weak Secret | 3 |
| **API** | IDOR, Mass Assignment, GraphQL Injection, API Versioning, API Rate Limit Bypass | 5 |
| **Deserialization** | Java Deserialization, PHP Deserialization, Prototype Pollution | 3 |
| **Cloud** | AWS IMDS/S3/Lambda/ECS/Cognito, GCP Metadata/Cloud Functions, Azure MSI/Functions, K8s SA Token/etcd/Dashboard/Helm, Docker Escape | 11 |
| **Recon** | Information Gathering, Web Fuzzing, Subdomain Takeover, Git Exposure | 4 |
| **Logic** | Race Condition, Business Logic, CI/CD Pipeline, Dependency Confusion, Post-Exploitation | 5 |
| **Privilege Escalation** | Linux Privilege Escalation, Windows Privilege Escalation | 2 |

---

## What's New in v2.0.0

### 🔥 Full Primitive Coverage
- **100% coverage**: All 50 primitives now have dedicated exploit chains
- Previously uncovered: `cache-poison` and `php-deser` are now fully covered

### 🆕 New Attack Vectors
- **NoSQL Injection** (MongoDB, Redis, Elasticsearch)
- **LDAP Injection**: directory service exploitation
- **XPath Injection**: XML data exfiltration
- **HTTP Parameter Pollution**: parameter parsing abuse
- **Race Conditions**: TOCTOU, coupon reuse, vote manipulation
- **Business Logic**: price manipulation, workflow bypass
- **WebSocket Hijacking**: cross-origin message forgery
- **CORS Misconfiguration**: credential theft at scale
- **DOM-based XSS**: client-side sink exploitation
- **Server-Side JS Injection**: vm2 sandbox escape
- **PDF/Document Injection**: ImageTragick, Ghostscript, formula injection

### 🆕 Supply Chain & CI/CD
- **Dependency Confusion**: NPM, PyPI, Maven, RubyGems squatting
- **CI/CD Pipeline**: Jenkins Script Console RCE
- **Git Exposure**: source code leak → credential discovery

### 🆕 Post-Exploitation & Privilege Escalation
- **Post-Exploitation Persistence**: web shells, cron backdoors, SSH implants
- **Linux Privilege Escalation**: SUID exploits, sudo bypass, kernel exploits
- **Windows Privilege Escalation**: unquoted service paths, DLL hijacking

### 🆕 Framework Coverage Expansion
| Framework | Chains |
|-----------|--------|
| Laravel | 2 |
| Django | 1 |
| Spring Boot | 2 |
| WordPress | 2 |
| Rails | 2 |
| Express/Node.js | 2 |
| Next.js | 1 |
| Flask | 2 |
| **ASP.NET** | **2** *(new)* |
| **Symfony** | **1** *(new)* |
| **PHP Generic** | **1** *(new)* |
| **Go/Gin** | **1** *(new)* |
| **Rust/Actix** | **1** *(new)* |
| **Drupal** | **1** *(new)* |
| **Joomla** | **1** *(new)* |
| **Angular** | **1** *(new)* |

### 🆕 Cloud Coverage Expansion
| Platform | Chains |
|----------|--------|
| AWS IMDSv1 | 2 |
| AWS S3 | 2 |
| AWS Lambda | 1 |
| **AWS ECS/Fargate** | **1** *(new)* |
| **AWS Cognito** | **1** *(new)* |
| GCP Metadata | 1 |
| **GCP Cloud Functions** | **1** *(new)* |
| Azure MSI | 1 |
| **Azure Functions** | **1** *(new)* |
| K8s SA Token | 2 |
| K8s etcd | 1 |
| **K8s Dashboard** | **1** *(new)* |
| **K8s Helm Tiller** | **1** *(new)* |
| Docker Escape | 2 |

---

## Chain Structure

Each chain contains:
- **Prerequisites**: what must be true for the chain to work
- **Steps**: numbered exploitation steps with payload, indicator, and notes
- **Final Impact**: the end result (e.g., RCE, Account Takeover)
- **Severity / Success Rate / Noise / Detection Risk**: for risk assessment
- **Mitigations**: defensive recommendations
- **Tags**: for searching and categorization
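Added example (not the project's own code) of how records with the fields listed above can be matched against target constraints in the way the `validate` and `suggest` commands are described, plus a defender's cut of the same data. The field names, the constraint-to-prerequisite mapping and the two sample chains are constructed assumptions; the real chains.json schema is not shown on this page.

```python
import json

# Constructed sample records in the shape the "Chain Structure" section describes.
# Field names and the constraint mapping below are assumptions for this example;
# the project's real chains.json schema is not on the page.
SAMPLE_CHAINS = json.loads("""[
  {"id": "demo-sqli-001", "entry": "sqli", "prerequisites": ["stacked-queries"],
   "steps": [{"n": 1, "action": "confirm injection", "indicator": "error text in response"},
             {"n": 2, "action": "escalate via stacked statement", "indicator": "callback seen"}],
   "final_impact": "RCE", "severity": "critical", "noise": "high", "detection_risk": "high",
   "mitigations": ["parameterized queries", "least-privilege DB account"],
   "tags": ["sqli", "mssql"]},
  {"id": "demo-sqli-002", "entry": "sqli", "prerequisites": [],
   "steps": [{"n": 1, "action": "blind boolean extraction", "indicator": "response length delta"}],
   "final_impact": "Data Breach", "severity": "high", "noise": "low", "detection_risk": "medium",
   "mitigations": ["parameterized queries", "query rate limiting"],
   "tags": ["sqli", "blind"]}
]""")

# Which prerequisites each target constraint rules out (assumed mapping).
CONSTRAINT_BLOCKS = {"no-stacked": {"stacked-queries"}, "firewall": {"outbound-egress"}}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def validate(chain, constraints):
    """Prerequisites of `chain` that the constraints rule out (empty list = chain possible)."""
    blocked = set().union(*(CONSTRAINT_BLOCKS.get(c, set()) for c in constraints))
    return [p for p in chain["prerequisites"] if p in blocked]


def suggest(chains, entry, constraints=(), stealth=False):
    """Chains starting at `entry` that survive the constraints, lowest detection risk first.
    With stealth=True, high-noise chains are dropped as well."""
    usable = [c for c in chains if c["entry"] == entry and not validate(c, constraints)]
    if stealth:
        usable = [c for c in usable if c["noise"] != "high"]
    return sorted(usable, key=lambda c: RISK_RANK[c["detection_risk"]])


def mitigations_for(chains, entry):
    """Defender's view: mitigations shared by every chain from `entry`, i.e. the fixes
    that close the whole entry point rather than a single chain."""
    sets = [set(c["mitigations"]) for c in chains if c["entry"] == entry]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for c in suggest(SAMPLE_CHAINS, "sqli", ["no-stacked"]):
        print(c["id"], c["final_impact"], "detection_risk=" + c["detection_risk"])
    print("closes sqli entry:", mitigations_for(SAMPLE_CHAINS, "sqli"))
```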

---

## Chain Impact Distribution (v2.0.0)

| Final Impact | Count |
|--------------|-------|
| Remote Code Execution (RCE) | 30 |
| Account Takeover / Privilege Escalation | 15 |
| Cloud/Cluster Full Compromise | 8 |
| Data Breach / Exfiltration | 12 |
| Supply Chain Compromise | 4 |
| Financial Loss / Business Logic | 3 |
| Recon / Info Gathering | 6 |

---

## Author

jakeloai (Logic & Architecture) + AI (Code Synthesis)

---

## License
GPL-3.0 license
For educational and authorized penetration testing purposes only.

---

## Legal Disclaimer
### 1. Educational and Authorized Use Only
The Exploit Chain Suggester (ECS) and its associated database (chains.json) are developed strictly for educational purposes, ethical hacking, and authorized penetration testing. This tool is intended to help security professionals, system administrators, and researchers understand and mitigate complex vulnerability chains.

### 2. End-User Responsibility
Usage of this tool for analyzing or attacking targets without prior, explicit, and mutual consent is strictly prohibited and illegal. It is the end user's absolute responsibility to ensure compliance with all applicable local, state, federal, and international laws before executing any features of this software.

### 3. No Liability
The author (jakeloai), contributors, and sponsors assume no liability and are not responsible for any unauthorized misuse, damage, data loss, or illegal activities caused by the utilization of this program. By downloading, installing, or using this tool, you automatically acknowledge and agree to take full, personal responsibility for your actions.

### 4. "AS IS" Provision
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.