Every single card that you see in Invadium is specified by a single exploit file. This file specifies what container image to start, what environment variables to set, and what commands to run. Commands are structured into one or more steps.
To have multiple exploits in Invadium, create multiple exploit files.
Each exploit file has the following fields.
idis a unique identifier 1nameis a human-readable name of the exploitdescdescribes the exploit in greater detailimageis the container image name for the exploit, including the registry address 2, 3envcontains a list of exploit-wide environment variables, i.e., they are available in all stepsenv[i].nameis the name of the variable, best written inUPPER-CASEenv[i].descis a human-readable description of the variableenv[i].value(optional) is a default value for that variable
tags(optional) is a list of tags that can be used to filter exploitslinks(optional) is a list of URLs that further document a vulnerability or an exploitstepsallow to logically separate the commands that run in the container. Step keys should be written insnake_case. 4steps[key].nameis a human-readable title of that stepsteps[key].descdescribes the step in greater detailsteps[key].commandsis a list of commands that will be executed in the exploit container 5steps[key].envcontains a list of step-wide environment variables, i.e., they are only available in this stepsteps[key].env[i].nameis the name of the variable, best written inUPPER-CASEsteps[key].env[i].descis a human-readable description of the variablesteps[key].env[i].value(optional) is a default value for that variable
1 While not stricly required, we recommend to use the id also in the
filename, e.g. use {id}.yaml
2 Invadium must be able to pull this image. You probably need to apply additional configuration if you pull from a private registry. For Docker, make sure that your Docker daemon is logged-in locally. For Kubernetes, make sure that you configured secrets for private registries.
3 Invadium will replace the entrypoint of your container with an endless wait loop so that the container idles. This means that you can't run any start-up scripts. If you need them, execute them as the first step instead.
4 We recommend to implement custom exploits as a CLI so that you can structure your full exploit into steps where each one executes a simple CLI command.
5 If you specify multiple commands, they will be concatenated on the
shell with &&. Commands can reference all exploit-wide and their step-wide
environment variables.
# sqlmap.yaml
id: sqlmap
name: sqlmap
desc: |
sqlmap is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over of database servers.
image: ghcr.io/dynatrace-oss/invadium-sqlmap
env:
- name: URL
value: "http://127.0.0.1/vuln.php?id=1"
desc: Vulnerable target URL used for sqlmap
tags:
- recon
- sql-injection
links:
- https://sqlmap.org/
- https://github.com/sqlmapproject/sqlmap
steps:
sqlmap_scan:
name: Scan the remote system
desc: |
Scans the remote system to see if its vulnerable to SQL injection and collect information about the system
commands:
- sqlmap -u $URL $OPTIONS
env:
- name: OPTIONS
desc: Options used for sqlmap
sqlmap_dbs:
name: List databases
desc: Attempts to retrieve the list of databases
commands:
- sqlmap -u $URL $OPTIONS --dbs
env:
- name: OPTIONS
desc: Options used for sqlmap
sqlmap_tables:
name: Retrieve tables
desc: Attempts to retrieve all the tables in the database
commands:
- sqlmap -u $URL $OPTIONS --tables -D $DATABASE
env:
- name: OPTIONS
desc: Options used for sqlmap
- name: DATABASE
desc: Database name which should be used to retrieve tables
sqlmap_dump:
name: Extract data from tables
desc: Attempts to extract data from a table
commands:
- sqlmap -u $URL $OPTIONS --dump -D $DATABASE -T $TABLE
env:
- name: OPTIONS
desc: Options used for sqlmap
- name: DATABASE
desc: Database name which should be used to retrieve tables
- name: TABLE
desc: Table name which should be used to extract data