Pixy – New & Free Open-source XSS and SQL Injection Scanner for PHP Programs

Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications, and are reported continuously on pages such as BugTraq. In the past, finding such vulnerabilities usually involved manual source code audits.

Unfortunately, this manual vulnerability search is a very tiresome and error-prone task.

Pixy is a Java program that performs automatic scans of PHP source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

Features

• detection of SQL injection and XSS vulnerabilities in PHP source code
• automatic resolution of file inclusions
• computation of dependence graphs that help you understand the causes of reported vulnerabilities
• static analysis engine (flow-sensitive, interprocedural, context-sensitive)
• platform-independent (written in Java)

You can download directly here:

Download Pixy 3.0.

Or read more here:

http://pixybox.seclab.tuwien.ac.at/

w3af – Web Application Attack and Audit Framework

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

• SQL injection detection
• XSS detection
• SSI detection
• Local file include detection
• Remote file include detection
• Buffer Overflow detection
• Format String bugs detection
• OS Commanding detection
• Response Splitting detection
• LDAP Injection detection
• Basic Authentication bruteforce
• File upload inside webroot
• htaccess LIMIT misconfiguration
• SSL certificate validation
• XPATH injection detection
• unSSL (HTTPS documents can be fetched using HTTP)

Discovery

• Pykto, a nikto port to python
• Hmap, http fingerprinting.
• fingerGoogle, finds valid user accounts in google.
• googleSpider, a spider that uses google.
• webSpider, a classic web spider.
• robotsReader
• urlFuzzer
• serverHeader, fetches server header
• allowedMethods, gets a list of allowed HTTP methods.
• crossDomain, get and parse the flash file crossdomain.xml
• error404page, generate a regular expression to match 404 pages.
• sitemapReader, read googles sitemap.xml and parse it.
• spiderMan, using a localproxy and a human, find new URLs for auditing.
• webDiff, find differences between a local and a remote directory.
• wsdlFinder, find and parse WSDL and DISCO files.

The framework is extended using plug-ins and is completely written in Python.

You can download w3af here:

w3af BETA 4

Or read more here.

rtpBreak – RTP Analysis & Hacking Tool

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them) that aren’t always transmitted from the recent VoIP clients.

The RTP sessions are composed by an ordered sequence of RTP packets. Those packets transport the Real Time data using the UDP transport protocol.

The RTP packets must respect some well defined rules in order to be considered valid, this characteristic allows to define a pattern on the single packet that is used to discriminate the captured network traffic from packets that can be
RTP and those that securely are not.

You can download rtpBreak here:

rtpbreak-1.0.tgz

Or read more here the English documentation is here.

mssql-hax0r v0.9 – Multi-purpose MS-SQL injection script

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute (Brute Force).

You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used by the RDBMS).

TODO (v1.0):

• fix italian language support (test platform needed)
• info mode: add logins target (master..sysxlogins) [name,dbname,password]
• brute mode: automatic login grabbing feature?
• info mode: add sys target (xtype=’S')?
• info mode: implement better types/keys dumping
• add a command execution mode via master..xp_cmdshell?
• add a privileged testing mode for post-auth vulnerabilities

It’s a fairly early version, I’ve been watching it since v0.1 – it’s a little more polished now but it’s still definitely a tool for more advanced users.

I’m sure some of you will find it useful.

Grab it here:

mssql-hax0r

Inguma – Penetration Testing Toolkit

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits for many products.

Inguma the word is the name of a Basque’s mythological spirit who kills people while sleeping and, also, the one who make the nightmares.

It was initially oriented to attack Oracle related systems but it can be used for any kind of setup.

What are the discover and gather modules you may ask? Discover modules are used to detect networks and host; gather modules are used to determine what services are listening at the host, what operative system is being used, what service pack, etc…

Sadly at this time it doesn’t work at all on Win32, again the problem with RAW sockets and the Scapy library won’t work for Win32. If you are running Win2k you might have less problems.

It’s a very early version of the software and development seems to have been quiet lately, I hope more people can contribute to this project and get it moving again.

It certainly has promise!

You can download Inguma here:

inguma0.0.2.tar.gz

Or read more here.