Re: Misc Web Pen testing scripts

[Robin Wood <robin () digininja org>]

Would you mind if I added these to the PenTester Scripting website
http://www.pentesterscripting.com/ ?

Robin

On 3 September 2010 17:31, Baggett, Mark <mark.baggett () morris com> wrote:
> I'm trying to learn python.  Userpass.py was my first python script.
> (http://pauldotcom.com/2010/08/draft---creating-per-user-cust.html)
> Eventually, I am going to write something that doesn't completely suck.
> There scripts are still a work in progress.  Send me comments and
> suggestion off list.  I hope they are useful. If you find errors before
> I post these to the blog I'd appreciate a heads up.
>
> Thanks
> Mark Baggett
>
> 1)get2post.py
> Use to demonstrate POST based XSS attacks to a customer.  Put get2post
> on a single host then you can create URL's with the POST values for the
> customer.  Same functionality as
> http://www.whiteacid.org/misc/xss_post_forwarder.php but on your own
> server so you are not disclosing a customers XSS issues to a third
> party.
>
> 2)p0wnpr0xy.py
> Grabs URL's & cookies as you browse and launches the tool of choice.
> Here is a demo video http://www.vimeo.com/14667308
>
> 3)sqlinjector.py
> This is a MySQL blind SQL injector that uses a much different SQL
> injection technique.  Instead of repeatedly cutting the alphabet in half
> or brute forcing the letters it uses a per letter frequency table to
> predict the next letter.  For example, if you have a Q there is a HIGH
> probability that the next letter is a U. The technique is discussed and
> outlined here:
> http://www.exploit-db.com/papers/13696/  47 fewer guesses than
> bsqlbf.pl!  79 vs 126
>
> I implemented this technique in python.   You give the script a
> vulnerable URL, and you put your SQL query in the URL with carets as
> markers at the point on injection.  This syntax enables flexible url
> endings.
>
> mark.baggett$ $ python sqlinjector.py
> "http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"
> a
> ac
> acu
> acua
> acuar
> acuart
> end of word found
> Found target acuart in 79 guesses.
> mtcexcp007:misc mark.baggett$
>
> mark.baggett$ perl bsqlbf.pl -blind cat -sql "database()" -url
> http://testphp.vulnweb.com/listproducts.php?cat=1
>
>  // Blind SQL injection brute force.
>  // aramosf () 514 es / http://www.514.es
>
> <truncated>
>  trying: acuart#### results:
>  database() = acuart
>  total hits: 126
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com