sqlsus 0.2 - MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in perl.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…

It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent (eg : “sqlsus” will become 0×73716c737573)

sqlsus also supports these 2 scenarios of injection :

  • sighted : the result of the request will be in the HTML returned by the web server
  • blind : when you can’t see the result of the request directly

Support for GET and POST parameters injections.

Support for HTTP proxy and HTTP simple authentication.

Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.

Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.

Requirements

On a Debian system, in addition to perl, you will need the following packages :

  • libterm-readline-perl-perl
  • libipc-shareable-perl
  • libwww-mechanize-perl

It also requires previous SQL injection knowledge, and.. well.. a brain helps.

You can download sqlsus 0.2 here:

sqlsus-0.2.tgz

Or read more here.

Labels: , ,

Webshag 1.10 – Free Web Server Audit Tool

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.

You may remember back in March 2008 we published about Webshag 1.00 being released. Now Webshag 1.10 has been released! This new version provides several feature enhancements as well as some bug-fixes.

Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between request more complicated (e.g. use a different random per request HTTP proxy server).

It also provides innovative functionalities like the capability of retrieving the list of domain names hosted on a target machine and file fuzzing using dynamically generated filenames (in addition to common list-based fuzzing).

Webshag URL scanner and file fuzzer are aimed at reducing the number of false positives and thus producing cleaner result sets. For this purpose, webshag implements a web page fingerprinting mechanism resistant to content changes. This fingerprinting mechanism is then used in a false positive removal algorithm specially aimed at dealing with “soft 404″ server responses.

Requirements

To be fully functional, Webshag requires the following elements:

  • Python 2.5 or Python 2.6 (NOT compatible with Python 3.0)
  • wxPython 2.8.9.0 (or greater) GUI toolkit
  • Nmap port scanner (for port scanning module only)
  • A valid Live Search AppID (for domain information module only)

Just like the previous version, Webshag 1.10 is freely available (GPL license) for Linux and Windows platforms.

You can download Webshag 1.10 here:

Linux – ws110.tar.gz
Windows – ws110.zip
Windows (installer) – ws110_win32installer.zip
User Manual (EN) – ws110_manual.pdf

Or read more here.

Labels: , ,

dnsmap 0.22 Released – Subdomain Bruteforcing Tool

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (public zone transfers rarely work nowadays).

Original Features of Version 0.1

  • obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
  • abort the bruteforcing process in case the target domain uses wildcards
  • ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
  • bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22

  • saving the results in human-readable and CSV format for easy processing
  • fixed bug that disallowed reading wordlists with DOS CRLF format
  • improved built-in subdomains wordlist
  • new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file.
  • bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

You can download dnsmap 0.22 here:

dnsmap-0222tar.gz (Make sure you add another . before the tar)

Or read more here.

Labels: ,

Medusa v1.5

What is Medusa?

Medusa is a speedy, massively parallel, modular, login brute-forcer for network services. Some of the key features of Medusa are:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NCP (NetWare)
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • rexec
  • rlogin
  • rsh
  • SMB
  • SMTP (AUTH/VRFY)
  • SNMP
  • SSHv2
  • SVN
  • Telnet
  • VmAuthd
  • VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences – you can see a brief comparison here.

It’s been over a year since version 1.4 was released and there has been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. The following is a quick rundown on some of the new features, if you wish to see a detailed ChangeLog it’s here.

  • AFP – new module (still marked as unstable)
  • HTTP – digest auth support
  • IMAP – STARTTLS, NTLM support
  • POP3 – STARTTLS, LOGIN, PLAIN, NTLM support
  • SMBNT – LM, LMv2, NTLMv2 support
  • SMTP – NTLM support
  • TELNET – AS/400 (TN5250) support
  • misc. core and module bug fixes

You can download Medusa v1.5 here:

medusa-1.5.tar.gz

Or read more here.

Labels: , ,
Subscribe to: Posts (Atom)