Releases: Chocapikk/pik

Pik v0.5.0

09 Mar 00:28
e194ef3

Changelog

New Features

  • 9fff162 Feat: Add AVideo Encoder CVE-2026-29058 module, faker, timing helpers
  • 33c6865 Feat: Add GeoServer XPath RCE module (CVE-2024-36401)
  • fd10029 Feat: Add LeakIX dork to GeoServer module
  • f212cb6 Feat: Add LeakIX dork to Langflow module
  • c5584f8 Feat: Add LeakIX dork to Next.js module
  • 4d57c54 Feat: Add LeakIXPlugin query helper
  • 1f7ea67 Feat: Add MajorDoMo CVE-2023-50917 module, PostStart labs, auto-background payloads
  • 6b171ca Feat: Add MajorDoMo console eval module with polymorphic PHP exec
  • 137a59d Feat: Add MajorDoMo cycle_execs CVE-2026-27175 module
  • 083b3fc Feat: Add Sendable interface for future protocol dispatch
  • 57484cd Feat: Add encoder system with ENCODER option and EncodedPayload()
  • ff991a2 Feat: Add exploit HTTP server, MajorDoMo supply chain module, and PHP payload helpers
  • cfd8f4c Feat: Add lazy-loaded XML/XPath support with standalone opt-in
  • 5dc71e7 Feat: Add structural polymorphism to PHP payload engine
  • 7969930 Feat: Full polymorphic PHP payload obfuscation
  • 9c3093b Feat: Randomize variable name length to avoid fixed-length signature
  • 6c07956 Feat: Replace XOR caret with bitwise identity operators
  • a31afe0 Feat: XOR string literal encoder for PHP payloads
  • 3cc7983 Feat: XOR-encode command string, drop base64_decode dependency

Bug Fixes

  • 5f8b60b Fix: Exclude % from XOR literal charset to prevent Sprintf conflicts
  • d4d21a7 Fix: Point Next.js module refs to original exploit repo
  • 3c4612a Fix: Remove unnecessary timeout from inject helper
  • 2e5abfb Fix: Standalone binary selects module by name instead of mods[0]

Refactoring

  • 8ffe59f Refactor: Merge duplicate exec/Exploit into single inject helper
  • 8fc3a2c Refactor: Move PHP payload implementations to pkg/payload with sdk bridge
  • 3a93fc6 Refactor: PHPReverseShell takes Context, not raw lhost/lport
  • 6ac3c81 Refactor: Polymorphic Send with protocol dispatch registry
  • 6dbf29e Refactor: Remove Base64BashFn in favor of EncoderFn
  • 9bb8bc3 Refactor: Rename Request/Response to HTTPRequest/HTTPResponse
  • 248aed1 Refactor: Simplify Info() with helper constructors
  • 9c9d41f Refactor: Type Parsers field in Info with sdk.Parser constant
  • d51df9c Refactor: Unify C2 registration and clean up httpshell
  • 86e1d0d Refactor: Use sdk.LinuxCmd() in AVideo module

Documentation

  • e194ef3 Docs: Add CI, coverage, release, and license badges to README
  • 44f7896 Docs: Add how-it-works architecture guide
  • 533e41d Docs: Add protocol dispatch and new protocol guide
  • a9d3385 Docs: Update CLAUDE.md with faker, timing, and features system

Tests

  • a7b4cfa Test: Add comprehensive unit tests across all packages (97.1% coverage)
  • 9d426aa Test: Add comprehensive unit tests for SDK and packages (100% coverage)

Pik v0.4.1

03 Mar 22:46
c89c202

Changelog

Bug Fixes

  • c89c202 Fix: Restore protocol imports in modules/all.go

Refactoring

  • 277c0d9 Refactor: Simplify lab port syntax to container port only

Pik v0.4.0

03 Mar 21:39
9e597bf

Highlights

TCP Protocol Support - The framework now supports raw TCP exploits alongside HTTP. Modules use run.Dial() for TCP and run.Send() for HTTP - same SDK, same patterns. Protocol clients use late-binding factories so standalone binaries only compile the protocol they actually use.

Erlang/OTP SSH RCE (CVE-2025-32433) - First TCP module. Exploits a state machine flaw where the Erlang SSH daemon accepts channel open/exec before authentication. Check + exploit + lab, zero config.

Source Export - New pik generate <module> command outputs standalone source code without compiling. The generated code auto-imports only the required protocol.

New Features

  • TCP protocol support with run.Dial() -> sdk.Conn (Send/Recv/SendRecv/Close)
  • Late-binding protocol factories - sdk.SetSendFactory, sdk.SetDialFactory, sdk.SetPoolFactory
  • Erlang/OTP SSH pre-auth RCE module (CVE-2025-32433) with vulhub lab
  • pik generate command for standalone source code export
  • Fluent binary buffer - sdk.NewBuffer().Byte(0x5a).String("session").Uint32(0).Build()
  • TCP debug tracing - TCP_TRACE=true advanced option with hex dump output
  • HTTP debug tracing - HTTP_TRACE=true advanced option (replaces --debug)
  • Standalone lab commands - lab run/start/stop without module arg
  • sdk.ContainsI() for case-insensitive string matching
  • Author.Company field for organizational attribution
  • sdk.GHSA() supports repo-scoped advisories: sdk.GHSA("id", "owner/repo")
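The late-binding dial factory and the fluent binary buffer above, shown as one added example that is not pik's own code. The Conn interface, SetDialFactory, Dial, Buffer and Reader below are hypothetical stand-ins for the sdk.* names in the list (their exact signatures in pik are not shown on this page); the in-memory connection is constructed so the example runs offline. The message packed is the start of an SSH_MSG_CHANNEL_OPEN (type 90 = 0x5a, RFC 4254), which is what the `Byte(0x5a).String("session").Uint32(0)` chain in the list encodes; the reader side bounds every length field against the bytes actually present so a hostile peer cannot drive an out-of-range slice.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Conn is the minimal connection surface a TCP module needs (hypothetical, not pik's sdk.Conn).
type Conn interface {
	Send(p []byte) error
	Recv() ([]byte, error)
	Close() error
}

// DialFactory is registered late by whichever protocol backend is linked in,
// so a standalone HTTP-only binary never imports the TCP client at all.
type DialFactory func(addr string) (Conn, error)

var dialFactory DialFactory

// SetDialFactory installs the backend; a TCP protocol package would call it from init().
func SetDialFactory(f DialFactory) { dialFactory = f }

// Dial fails explicitly when no backend was registered instead of linking one unconditionally.
func Dial(addr string) (Conn, error) {
	if dialFactory == nil {
		return nil, errors.New("no TCP backend registered")
	}
	return dialFactory(addr)
}

// Buffer packs fields in network byte order behind a fluent API.
type Buffer struct{ b []byte }

func NewBuffer() *Buffer              { return &Buffer{} }
func (b *Buffer) Byte(v byte) *Buffer { b.b = append(b.b, v); return b }
func (b *Buffer) Build() []byte       { return b.b }
func (b *Buffer) Uint32(v uint32) *Buffer {
	var tmp [4]byte
	binary.BigEndian.PutUint32(tmp[:], v)
	b.b = append(b.b, tmp[:]...)
	return b
}

// String writes a uint32 length prefix then the raw bytes: the SSH "string" encoding of RFC 4251.
func (b *Buffer) String(s string) *Buffer { b.Uint32(uint32(len(s))); b.b = append(b.b, s...); return b }

// Reader is the inverse of Buffer, used to parse replies and to check round trips.
type Reader struct {
	b   []byte
	off int
}

func (r *Reader) Byte() (byte, error) {
	if r.off >= len(r.b) {
		return 0, errors.New("short read")
	}
	r.off++
	return r.b[r.off-1], nil
}

func (r *Reader) Uint32() (uint32, error) {
	if r.off+4 > len(r.b) {
		return 0, errors.New("short read")
	}
	r.off += 4
	return binary.BigEndian.Uint32(r.b[r.off-4:]), nil
}

func (r *Reader) String() (string, error) {
	n, err := r.Uint32()
	if err != nil {
		return "", err
	}
	// Bound the declared length against what is actually present; a hostile
	// length field must not be able to slice past the end of the message.
	if uint64(n) > uint64(len(r.b)-r.off) {
		return "", fmt.Errorf("string length %d exceeds remaining %d bytes", n, len(r.b)-r.off)
	}
	r.off += int(n)
	return string(r.b[r.off-int(n) : r.off]), nil
}

// ChannelOpen holds the first three fields of SSH_MSG_CHANNEL_OPEN (RFC 4254 5.1);
// the window size and max packet size fields are omitted to keep the example short.
type ChannelOpen struct {
	Type          byte
	ChannelType   string
	SenderChannel uint32
}

func BuildChannelOpen(senderChannel uint32) []byte {
	return NewBuffer().Byte(0x5a).String("session").Uint32(senderChannel).Build()
}

func DecodeChannelOpen(msg []byte) (co ChannelOpen, err error) {
	r := &Reader{b: msg}
	if co.Type, err = r.Byte(); err != nil {
		return co, err
	}
	if co.ChannelType, err = r.String(); err != nil {
		return co, err
	}
	co.SenderChannel, err = r.Uint32()
	return co, err
}

// memConn is a constructed in-memory stand-in for a socket that echoes what it received.
type memConn struct{ queue [][]byte }

func (m *memConn) Send(p []byte) error { m.queue = append(m.queue, p); return nil }
func (m *memConn) Close() error        { return nil }
func (m *memConn) Recv() ([]byte, error) {
	if len(m.queue) == 0 {
		return nil, errors.New("no data")
	}
	p := m.queue[0]
	m.queue = m.queue[1:]
	return p, nil
}

// SendRecvChannelOpen is a module's view: dial through the factory, send the packed message, read the reply.
func SendRecvChannelOpen(addr string, id uint32) ([]byte, error) {
	c, err := Dial(addr)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if err := c.Send(BuildChannelOpen(id)); err != nil {
		return nil, err
	}
	return c.Recv()
}

func main() {
	SetDialFactory(func(string) (Conn, error) { return &memConn{}, nil })
	reply, err := SendRecvChannelOpen("lab:22", 7)
	if err != nil {
		panic(err)
	}
	co, err := DecodeChannelOpen(reply)
	fmt.Printf("%x -> %+v (err=%v)\n", reply, co, err)
}
```

Before SetDialFactory is called, Dial returns an error rather than silently pulling in a client: that is the property that lets the generated standalone source compile only the protocol it uses. The reader's length check matters as much for an exploit tool as for a server, since the "target" may be a honeypot or a deliberately malformed responder.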

Architecture

  • Protocol clients moved to pkg/protocol/http/ and pkg/protocol/tcp/
  • Enrichers decoupled from protocol clients in pkg/enricher/
  • Runner uses SDK factories, no direct protocol imports
  • Standalone HTTP binary pulls zero TCP deps, and vice versa
  • Modules restructured as exploit/{os}/{proto}/ (like Metasploit)
  • Binary packing helpers in pkg/encode/binary.go, re-exported via SDK

Full Changelog

v0.3.0...v0.4.0

Pik v0.3.0

03 Mar 15:45
3246e5a

Highlights

TUI Dashboard - New pik tui command launches an interactive dashboard with tabs, mouse support, and inline editing. The readline console stays the default (pik / pik console).

Architecture Split - TUI lives in pkg/tui/, business logic in pkg/console/. Standalone binaries pull zero TUI dependencies (16 MB vs 31 MB).

New Features

  • TUI dashboard with Browse, Config, and Sessions tabs (pik tui)
  • Browse tab: searchable module table with Reliability, Check support, and CVE columns
  • Config tab: inline option editing, action buttons (Check, Exploit, Lab), advanced toggle
  • Sessions tab: Interact/Kill with keyboard and mouse
  • lab start auto-sets TARGET, RPORT, and LHOST from Docker
  • TARGET and RPORT auto-sync when either is changed
  • Separate pik console (readline) and pik tui (bubbletea) commands

Improvements

  • c2.SessionBase reduces boilerplate in C2 backends
  • MsgSender interface decouples console from bubbletea
  • Shared types in pkg/types/ break import cycles cleanly
  • Removed misleading Cyan/Gray color aliases (now Amber/Muted)
  • Removed 4 signal wrapper files, 6 dead API exports
  • DRY pass on browser rows, column builders, prompt rendering
  • Fixed labFilter infinite recursion

Full Changelog

v0.2.0...v0.3.0

Pik v0.2.0

02 Mar 23:22
0f6d617

Highlights

Lab System - Modules can now declare Docker lab environments. pik lab run goes from zero to shell with one command: pull image, start container, wait for readiness, auto-detect LHOST, exploit.

New Modules - Langflow pre-auth RCE and Spring Cloud Function SpEL RCE.

New Features

  • Integrated Docker lab system (pik lab start/stop/status/run)
  • Lab support in standalone binaries via sdk.WithLab()
  • Langflow pre-auth RCE module (CVE-2025-3248)
  • Spring Cloud Function SpEL RCE module (CVE-2022-22963)
  • sdk.Author struct with Name, Handle, Email
  • FireAndForget and JSONBody SDK helpers

Improvements

  • Lab ports bound to 127.0.0.1 only (never exposed to network)
  • Docker SDK isolated in pkg/lab, not pulled into standalone builds
  • Late binding for lab manager keeps standalone binaries lean
  • Modules renamed to CVE convention

Full Changelog

v0.1.4...v0.2.0

Pik v0.1.4

02 Mar 19:21
d4f11c7

Highlights

Console hardening - Global options (setg), previous command, show missing, per-command help, and panic recovery.

New Features

  • setg / unsetg for global options that persist across module changes
  • previous command to switch back to last module
  • show missing to highlight required unfilled options
  • Per-command help <cmd> with detailed usage
  • Panic recovery in command dispatch (console never crashes)
  • Standalone console subcommand, opt-in via sdk.WithConsole()
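The two hardening points in this list that are easy to get subtly wrong are option scoping (setg values must survive a module switch while set values must not) and panic recovery in dispatch. The following is an added example, not pik's console code; the Console, Handler and Dispatch names are hypothetical, and the "crash" command is a constructed stand-in for a buggy module that writes to a nil map.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Handler is one console command (hypothetical shape for this example).
type Handler func(c *Console, args []string) error

// Console keeps two option scopes: module-local options cleared on "use",
// and globals set with "setg" that survive module switches.
type Console struct {
	module  string
	globals map[string]string
	opts    map[string]string
	cmds    map[string]Handler
}

func NewConsole() *Console {
	c := &Console{globals: map[string]string{}, opts: map[string]string{}, cmds: map[string]Handler{}}
	c.cmds["set"] = func(c *Console, a []string) error { return c.store(c.opts, a) }
	c.cmds["setg"] = func(c *Console, a []string) error { return c.store(c.globals, a) }
	c.cmds["unsetg"] = func(c *Console, a []string) error {
		if len(a) != 1 {
			return errors.New("usage: unsetg KEY")
		}
		delete(c.globals, strings.ToUpper(a[0]))
		return nil
	}
	c.cmds["use"] = func(c *Console, a []string) error {
		if len(a) != 1 {
			return errors.New("usage: use MODULE")
		}
		c.module, c.opts = a[0], map[string]string{} // locals reset, globals kept
		return nil
	}
	// Constructed buggy command: a nil-map write panics at runtime.
	c.cmds["crash"] = func(*Console, []string) error {
		var m map[string]int
		m["x"] = 1
		return nil
	}
	return c
}

func (c *Console) store(dst map[string]string, a []string) error {
	if len(a) != 2 {
		return errors.New("usage: set|setg KEY VALUE")
	}
	dst[strings.ToUpper(a[0])] = a[1]
	return nil
}

// Resolve returns the effective value: a module-local option wins over a global one.
func (c *Console) Resolve(key string) (string, bool) {
	key = strings.ToUpper(key)
	if v, ok := c.opts[key]; ok {
		return v, true
	}
	v, ok := c.globals[key]
	return v, ok
}

// Dispatch runs one line. The deferred recover turns a panicking handler
// into an ordinary error so the REPL loop keeps running.
func (c *Console) Dispatch(line string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("command %q panicked: %v", line, r)
		}
	}()
	f := strings.Fields(line)
	if len(f) == 0 {
		return nil
	}
	h, ok := c.cmds[f[0]]
	if !ok {
		return fmt.Errorf("unknown command %q", f[0])
	}
	return h(c, f[1:])
}

func main() {
	c := NewConsole()
	for _, l := range []string{"setg LHOST 10.0.0.5", "use exploit/a", "set RPORT 8080", "crash", "use exploit/b"} {
		if err := c.Dispatch(l); err != nil {
			fmt.Println("error:", err)
		}
	}
	lhost, _ := c.Resolve("LHOST")
	_, hasPort := c.Resolve("RPORT")
	fmt.Println("LHOST:", lhost, "RPORT still set:", hasPort)
}
```

Note the limit of this pattern: recover() catches ordinary panics in the dispatching goroutine only. A handler that panics in a goroutine it started, or that triggers a fatal runtime error such as a concurrent map write, still brings the process down, so C2 session handlers need their own recovery.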

Improvements

  • DRY pass: shared delivery struct, payload resolver, consolidated patterns

Full Changelog

v0.1.3...v0.1.4

Pik v0.1.3

02 Mar 18:31
072dee9

Highlights

Remote build - pik build now works without a local repo clone, fetching source directly.

Changes

  • pik build works without local repo clone
  • Updated README and Makefile

Full Changelog

v0.1.2...v0.1.3

Pik v0.1.2

02 Mar 17:50
86650ec

Highlights

Supply chain security - Self-update now verifies minisign signatures before replacing the binary.

New Features

  • Minisign signature verification on self-update
  • Standalone --help shows all available options
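The self-update check above is worth seeing in code, because the ordering is the whole point: the signature is verified over the complete downloaded artifact, and only then is the file staged and renamed atomically over the running binary. This is an added example, not pik's updater. It uses the standard library's plain Ed25519 as a stand-in for minisign (minisign's default "ED" mode signs the BLAKE2b-512 hash of the file rather than the raw bytes, and carries its own key and signature file formats, none of which is reproduced here); VerifyUpdate, ApplyUpdate and SignRelease are hypothetical names, and the release blob is a constructed string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// VerifyUpdate checks a detached signature over the full downloaded blob.
// Plain Ed25519 stands in for minisign; the decision logic is the same.
func VerifyUpdate(pub ed25519.PublicKey, blob, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed public key or signature")
	}
	if !ed25519.Verify(pub, blob, sig) {
		return errors.New("signature verification failed: refusing to install update")
	}
	return nil
}

// ApplyUpdate stages the verified blob beside the target and renames it into
// place. The target is untouched until verification passes, and the rename is
// atomic on POSIX filesystems, so a crash cannot leave a half-written executable.
func ApplyUpdate(pub ed25519.PublicKey, target string, blob, sig []byte) error {
	if err := VerifyUpdate(pub, blob, sig); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(target), ".update-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(blob); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Chmod(0o755); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), target)
}

// SignRelease is the publisher side, included only so the example runs offline.
// The private key never ships with the client; only the public key is embedded.
func SignRelease(priv ed25519.PrivateKey, blob []byte) []byte {
	return ed25519.Sign(priv, blob)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("#!/bin/sh\necho pik v0.1.2\n") // constructed stand-in for a binary
	sig := SignRelease(priv, release)
	fmt.Println("genuine :", VerifyUpdate(pub, release, sig))

	tampered := append([]byte{}, release...)
	tampered[len(tampered)-2] ^= 0x01 // one flipped bit in the payload
	fmt.Println("tampered:", VerifyUpdate(pub, tampered, sig))
}
```

Two checks a practitioner would add on top of this: pin the public key in the binary rather than fetching it alongside the release, and verify before any decompression so an attacker controlling the download channel never gets to drive an archive parser with unauthenticated input.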

Fixes

  • RPORT moved to basic options (visible by default)
  • Unified CLI options with -s KEY=VALUE flag

Full Changelog

v0.1.1...v0.1.2

Pik v0.1.1

02 Mar 17:27
070abc7

Highlights

First patch release - Search command, persistent history, and changelog grouping.

New Features

  • search command for fuzzy module search
  • Persistent command history across sessions
  • Changelog grouping in GoReleaser

Full Changelog

v0.1.0...v0.1.1

Pik v0.1.0

02 Mar 17:06
ec6ba3e

Initial Release

Go exploit framework with interactive console, multi-session C2, standalone SDK, and scanner.

Features

  • Interactive readline console with module selection, options, tab completion, history
  • Multiple C2 backends: TCP shell, SSL shell, HTTP polling shell
  • Multi-session support with Ctrl+Z backgrounding
  • OpenDCIM SQLi to RCE module
  • Standalone binary compilation (pik build)
  • Mass scanner with threading and JSON output
  • HTTP/SOCKS5 proxy support
  • Auto-detect HTTP/HTTPS scheme
  • Self-update with signature verification
  • Resource files (.rc) for scripted exploitation
  • Target types for delivery mode selection
  • LeakIX-inspired amber palette

Architecture

  • sdk/ - Types, interfaces, standalone SDK
  • pkg/console/ - Interactive REPL
  • pkg/runner/ - Execution engine with scanner
  • pkg/c2/ - C2 backends (shell, sslshell, httpshell)
  • pkg/payload/ - Reverse shell generators
  • pkg/cli/ - CLI commands and standalone runner