

MySQLoit – SQL Injection takeover tool

MySQLoit - SQL Injection

  • MySqloit is a SQL injection takeover tool focused on LAMP (Linux, Apache, MySQL, PHP) and WAMP (Windows, Apache, MySQL, PHP) platforms. It can upload and execute Metasploit shellcode through MySQL SQL injection vulnerabilities.
  • Attackers performing SQL injection on a MySQL-PHP platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This tool was written to demonstrate how remote code execution can be performed through a database connector that does not support stacked queries.

Features currently supported:

  • SQL injection detection using the time-based injection method
  • Database fingerprinting
  • Web server directory fingerprinting
  • Payload creation and execution

Currently it runs only on Linux.

Download:

From Google Code repository

Posted in Penetration Testing, Web Application Security.



Scapy – Powerful Interactive Packet Manipulator

  • Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a great number of protocols, send them on the wire, capture them, match requests and replies, and much more.
  • It easily handles most tasks like scanning, probing, tracerouting, unit tests, network discovery or attacks. It can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f.
  • It has a wide range of features that most other tools can't handle, such as sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel).

Find more details about Scapy at the following URLs.

Home Page here

Download latest Scapy version here

Quick Demo here

How to install it on Linux, Unix, Windows and other distributions: find here.

Posted in Packet Sniffers, Security tools, Wireless.



DarkSQLi – Advance SQL Injection Script

Many SQL injection tools have been posted in previous posts here. This tool is very simple: it is just a Python script, and it needs no installation.

Simply download it and run it on your local machine.

Homepage: Darkc0de

Download: source

How to use this Tool?

Read How to use this tool

Posted in Penetration Testing, Web Application Security.



Wfuzz – Web Application Resources Scanner

Wfuzz is a tool designed for brute forcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), brute forcing GET and POST parameters to check for different kinds of injections (SQL, XSS, LDAP, etc.), brute forcing form parameters (user/password), fuzzing, etc.

Some of its functionality:

  • Recursion (when doing directory brute force)
  • POST, headers and authentication data brute forcing
  • Output to HTML (easy for just clicking the links and checking the page, even with POST data)
  • Colored output on all systems
  • Hide results by return code, word numbers, line numbers, etc.
  • Cookies fuzzing
  • Multithreading
  • Proxy support
  • Multiple FUZZ capability with multiple dictionaries
  • Authentication support (NTLM, Digest, Basic)
  • All parameters brute forcing (POST and GET)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more)

Download source:

Home Page : http://www.edge-security.com/wfuzz.php

Download : Official resource

Posted in Penetration Testing, Security tools, Web Application Security.



WEBSECURIFY – Web and Web2.0 Security

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Websecurify - Security Testing Framework for Web and Web2.0

The Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. The framework is written in JavaScript and executes successfully on numerous platforms, including modern browsers with support for HTML5, xulrunner, xpcshell, Java, V8 and others.

Find the download links below:

For Linux

For Windows

For Mac

Source Code

Posted in Web Application Security.
