PaulDotCom mailing list archives

Re: Misc Web Pen testing scripts


From: Dimitrios Kapsalis <dimitrios () gmail com>
Date: Tue, 7 Sep 2010 10:35:23 -0500

Thanks for sharing!

On Tue, Sep 7, 2010 at 10:30 AM, Baggett, Mark <mark.baggett () morris com> wrote:

Not at all, but let me clean them up a bit first.  I have a few small
errors to fix then I'll post them to the pdc blog.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:
pauldotcom-bounces () mail pauldotcom com] On Behalf Of Robin Wood
Sent: Sunday, September 05, 2010 11:49 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Misc Web Pen testing scripts

Would you mind if I added these to the PenTester Scripting website
http://www.pentesterscripting.com/ ?

Robin

On 3 September 2010 17:31, Baggett, Mark <mark.baggett () morris com> wrote:
I'm trying to learn python.  Userpass.py was my first python script.
(http://pauldotcom.com/2010/08/draft---creating-per-user-cust.html)
Eventually, I am going to write something that doesn't completely suck.
These scripts are still a work in progress.  Send me comments and
suggestions off list.  I hope they are useful. If you find errors
before I post these to the blog I'd appreciate a heads up.

Thanks
Mark Baggett

1)get2post.py
Use to demonstrate POST based XSS attacks to a customer.  Put get2post
on a single host then you can create URLs with the POST values for
the customer.  Same functionality as
http://www.whiteacid.org/misc/xss_post_forwarder.php but on your own
server so you are not disclosing a customer's XSS issues to a third
party.

2)p0wnpr0xy.py
Grabs URLs & cookies as you browse and launches the tool of choice.
Here is a demo video http://www.vimeo.com/14667308

3)sqlinjector.py
This is a MySQL blind SQL injector that uses a much different SQL
injection technique.  Instead of repeatedly cutting the alphabet in
half or brute forcing the letters it uses a per letter frequency table
to predict the next letter.  For example, if you have a Q there is a
HIGH probability that the next letter is a U. The technique is
discussed and outlined here:
http://www.exploit-db.com/papers/13696/  47 fewer guesses than
bsqlbf.pl!  79 vs 126

I implemented this technique in python.   You give the script a
vulnerable URL, and you put your SQL query in the URL with carets as
markers at the point of injection.  This syntax enables flexible URL
endings.

mark.baggett$ $ python sqlinjector.py
"http://testphp.vulnweb.com/listproducts.php?cat=1^database()^#"
a
ac
acu
acua
acuar
acuart
end of word found
Found target acuart in 79 guesses.
mtcexcp007:misc mark.baggett$

mark.baggett$ perl bsqlbf.pl -blind cat -sql "database()" -url
http://testphp.vulnweb.com/listproducts.php?cat=1

 // Blind SQL injection brute force.
 // aramosf () 514 es / http://www.514.es

<truncated>
 trying: acuart#### results:
 database() = acuart
 total hits: 126
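From the defender's side, the interesting number in Mark's comparison is not which guesser is smarter but that both need a long run of near-identical requests to one parameter (79 vs 126 for a six-letter value). That volume is what a log-based detector can key on. The script below is an added example written for this archive page; it is not one of Mark's scripts and not part of the thread. It parses combined-format access-log lines, groups requests that carry character-extraction SQL functions by (client, path, parameter), and reports groups with many distinct payloads. The log lines, IP addresses, paths and threshold are all constructed for the demonstration.

```python
"""Flag blind SQL injection enumeration in web access logs.

Whether an injector bisects the alphabet or guesses letters by frequency,
it still needs a long run of near-identical requests to one parameter.
That request volume, not any single payload, is the reliable detection
handle. Example code for the archive page, not part of the original thread.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-log style request line (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# SQL functions typically used to read a value one character at a time.
# One match is weak evidence; many distinct matches on one parameter from
# one client is the signal.
PROBE_RE = re.compile(r'(?i)\b(substring|substr|mid|ascii|ord|sleep|benchmark)\s*\(')

# Constructed sample log (not real traffic): 10.0.0.7 walks through the
# characters of database() one position at a time; 10.0.0.9 is ordinary
# browsing plus one harmless search term that happens to look like a probe.
SAMPLE_LOG = """\
10.0.0.7 - - [07/Sep/2010:10:31:02 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),1,1))=97 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:02 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),2,1))=117 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:03 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),2,1))=99 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2010:10:31:03 -0500] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4870
10.0.0.7 - - [07/Sep/2010:10:31:04 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),3,1))=117 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:04 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),4,1))=97 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2010:10:31:05 -0500] "GET /search.php?q=ascii(art) HTTP/1.1" 200 1200
10.0.0.7 - - [07/Sep/2010:10:31:05 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),5,1))=114 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:06 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),6,1))=116 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:06 -0500] "GET /listproducts.php?cat=1%20AND%20ORD(MID(database(),7,1))=0 HTTP/1.1" 200 5120
10.0.0.7 - - [07/Sep/2010:10:31:07 -0500] "GET /product.php?pid=4 HTTP/1.1" 200 3300
"""


def parse_line(line):
    """Return (ip, timestamp, path, {param: [values]}) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    parts = urlsplit(m.group('uri'))
    # parse_qs splits each pair on the first '=' only, so '=97' inside a
    # payload stays part of the value.
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group('ip'), ts, parts.path, params


def detect_enumeration(lines, min_probes=5):
    """Group probe-like requests by (client, path, parameter).

    Returns {(ip, path, param): {'probes': n, 'seconds': span}} for every
    group with at least `min_probes` distinct probe payloads. Distinct
    payloads matter: a retried single request is not an enumeration loop.
    """
    seen = defaultdict(lambda: {'payloads': set(), 'first': None, 'last': None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, params = parsed
        for name, values in params.items():
            for value in values:
                if not PROBE_RE.search(value):
                    continue
                entry = seen[(ip, path, name)]
                entry['payloads'].add(value)
                entry['first'] = ts if entry['first'] is None else min(entry['first'], ts)
                entry['last'] = ts if entry['last'] is None else max(entry['last'], ts)
    report = {}
    for key, entry in seen.items():
        if len(entry['payloads']) >= min_probes:
            report[key] = {
                'probes': len(entry['payloads']),
                'seconds': (entry['last'] - entry['first']).total_seconds(),
            }
    return report


if __name__ == '__main__':
    for (ip, path, param), info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed {path} param '{param}': "
              f"{info['probes']} distinct payloads in {info['seconds']:.0f}s")
```

The threshold of five is deliberately low so the short sample trips it; against a real loop of 79 or 126 requests per extracted value any sensible threshold fires, while the single `ascii(art)` search from 10.0.0.9 stays below it. Extending the key with a time window, or counting how many candidate characters are tried per position, would tighten it further.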



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
