Showing posts with label SQL Injection. Show all posts

explo - Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool for describing web security issues in a human and machine readable format. By defining a request/condition workflow, explo can exploit security issues without a script having to be written, which allows complex vulnerabilities to be shared in a simple, readable and executable format.

Example for extracting a csrf token and using it in a form:

name: get_csrf
description: extract csrf token
module: http
parameter:
  url: http://example.com/contact
  method: GET
  header:
    user-agent: Mozilla/5.0
  extract:
    csrf: [CSS, "#csrf"]
---
name: exploit
description: exploits sql injection vulnerability with valid csrf token
module: http
parameter:
  url: http://example.com/contact
  method: POST
  body:
    csrf: "{{get_csrf.extracted.csrf}}"
    username: "' SQL INJECTION"
  find: You have an error in your SQL syntax


In this example definition file the security issue is tested by executing two steps, run from top to bottom. The last step returns success or failure depending on whether the string 'You have an error in your SQL syntax' is found in the response.

Installation

Install via PyPI
pip install explo

Install via source
git clone https://github.com/dtag-dev-sec/explo
cd explo
python setup.py install

Usage
explo [--verbose|-v] testcase.yaml
explo [--verbose|-v] examples/*.yaml
There are a few example testcases in the examples/ folder.
$ explo examples/SQLI_simple_testphp.vulnweb.com.yaml
You can also include explo as a python lib:
from explo.core import from_content as explo_from_content
from explo.core import ExploException, ProxyException

def save_log(msg):
    print(msg)

# from_content expects the testcase YAML as a string, not a file name
with open('testcase.yaml') as fh:
    explo_yaml_file = fh.read()

try:
    result = explo_from_content(explo_yaml_file, save_log)
except ExploException as err:
    print(err)

Modules
Modules can be added to improve functionality and classes of security issues.

http (basic)
The http module makes an HTTP request, extracts content from the response and searches/verifies that content.
The following data is made available to later steps:
  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies
  • extracted content: stepname.extracted.variable_name
If a find_regex parameter is set, a regular expression match is executed on the response body. If it fails, the module returns a failure, which stops execution of the current workflow (and all remaining steps).
When extracting by regular expression, use the named match group extract to mark the value to extract (see the example below).
To reuse cookies, reference the name of the previous step they should be taken from (cookies: the_other_step.response.cookies).
Parameter examples:
parameter:
  url: http://example.com
  method: GET
  allow_redirects: True
  headers:
    User-Agent: explo
    Content-Type: abc
  cookies: stepname.response.cookies
  body:
    key: value
  find: search for string
  find_regex: search for (reg|ular)expression
  find_in_headers: searchstring in headers
  extract:
    variable1: [CSS, '#csrf']
    variable2: [REGEX, '<input(.*?)value="(?P<extract>.*?)"']

http_header
The http_header module checks whether a response is missing a specified set of headers (and values). All other parameters are identical to those of the http module.
The following data is made available for other modules:
  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies
Parameter examples:
parameter:
  url: http://example.com
  method: GET
  allow_redirects: True
  headers:
    User-Agent: explo
    Content-Type: abc
  body:
    key: value
  headers_required:
    X-XSS-Protection: 1
    Server: . # all values are valid
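As an added example (not explo's own code), the following Python interpreter for explo-style step definitions shows how the http parameters above (find, find_regex, extract with a CSS '#id' selector or a REGEX named group extract, cookies referenced from an earlier step, {{step.extracted.name}} templating) and the http_header module's headers_required check fit together in one top-to-bottom workflow. Steps are written as Python dicts that mirror the YAML, requests go to a constructed in-memory fake site (FAKE_SITE, fake_request) instead of the network, CSS extraction is reduced to '#id' selectors returning the element's value attribute, and headers_required values are treated as regular expressions searched in the header value (which is how the `Server: .` entry reads); all of those are assumptions of the example, not explo's implementation.

```python
"""Added example (not explo's own code): a minimal interpreter for explo-style
steps covering find / find_regex / extract (CSS '#id' or REGEX with a named
'extract' group) / headers_required / cookies from an earlier step and
{{step.extracted.name}} templating.  Runs offline against a constructed fake
site.  Assumptions: '#id' extraction returns the element's value attribute and
headers_required values are regexes searched in the header value."""
import re
from html.parser import HTMLParser

# Constructed fake site keyed by (method, url); nothing touches the network.
FAKE_SITE = {
    ("GET", "http://example.com/contact"): {
        "headers": {"content-type": "text/html", "server": "nginx"},
        "text": '<form><input id="csrf" name="csrf" value="tok-123"></form>',
        "cookies": {"session": "abc"}},
    ("POST", "http://example.com/contact"): {
        "headers": {"content-type": "text/html", "x-xss-protection": "1"},
        "text": "Thanks, your message was received.", "cookies": {}},
}

def fake_request(method, url, **_):
    return FAKE_SITE[(method.upper(), url)]

class _IdFinder(HTMLParser):          # value attribute of first element with id
    def __init__(self, wanted):
        super().__init__()
        self.wanted, self.value = wanted, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.value is None and a.get("id") == self.wanted:
            self.value = a.get("value", "")

def extract_css(selector, html):      # assumption: '#id' selectors only
    p = _IdFinder(selector.lstrip("#"))
    p.feed(html)
    return p.value

def extract_regex(pattern, text):     # the value is the named group 'extract'
    m = re.search(pattern, text, re.S)
    return m.group("extract") if m else None

TEMPLATE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def resolve(path, results):           # 'step.extracted.csrf' -> stored value
    cur = results
    for part in path.split("."):
        cur = cur[part]
    return cur

def render(value, results):           # substitute {{...}} in strings and dicts
    if isinstance(value, str):
        return TEMPLATE.sub(lambda m: str(resolve(m.group(1), results)), value)
    if isinstance(value, dict):
        return {k: render(v, results) for k, v in value.items()}
    return value

def run_step(step, results, request=fake_request):
    p = render(step.get("parameter", {}), results)
    cookies = p.get("cookies")
    if isinstance(cookies, str):      # e.g. 'get_csrf.response.cookies'
        cookies = resolve(cookies, results)
    resp = request(p.get("method", "GET"), p["url"], headers=p.get("headers"),
                   body=p.get("body"), cookies=cookies)
    record = {"response": {"content": resp["text"], "cookies": resp["cookies"]},
              "extracted": {}}
    results[step["name"]] = record    # exposed to later steps under the step name
    for name, (kind, expr) in p.get("extract", {}).items():
        fn = extract_css if kind == "CSS" else extract_regex
        record["extracted"][name] = fn(expr, resp["text"])
    ok = p.get("find", "") in resp["text"]
    if "find_regex" in p:
        ok = ok and re.search(p["find_regex"], resp["text"]) is not None
    for hdr, want in p.get("headers_required", {}).items():  # http_header module
        got = resp["headers"].get(hdr.lower())
        ok = ok and got is not None and re.search(str(want), got) is not None
    return ok

def run_workflow(steps, request=fake_request):
    """Run steps top to bottom; the first failing step stops the rest."""
    results = {}
    for step in steps:
        if not run_step(step, results, request):
            return False, results
    return True, results

# Dict form of the README's two-step csrf workflow, with a benign POST body.
CSRF_WORKFLOW = [
    {"name": "get_csrf", "parameter": {
        "url": "http://example.com/contact", "method": "GET",
        "extract": {"csrf": ["CSS", "#csrf"],
                    "csrf_re": ["REGEX", r'<input(.*?)value="(?P<extract>.*?)"']}}},
    {"name": "submit", "parameter": {
        "url": "http://example.com/contact", "method": "POST",
        "cookies": "get_csrf.response.cookies",
        "body": {"csrf": "{{get_csrf.extracted.csrf}}", "message": "hello"},
        "find": "Thanks", "headers_required": {"X-XSS-Protection": "1"}}},
]
# http_header check: Server may hold any value, but a CSP header must exist.
HEADER_WORKFLOW = [
    {"name": "csp_check", "parameter": {
        "url": "http://example.com/contact", "method": "GET",
        "headers_required": {"Server": ".", "Content-Security-Policy": "."}}},
    {"name": "never_run", "parameter": {"url": "http://example.com/contact"}},
]

if __name__ == "__main__":
    print(run_workflow(CSRF_WORKFLOW))    # succeeds, csrf extracted as tok-123
    print(run_workflow(HEADER_WORKFLOW))  # fails at csp_check; never_run is skipped
```

The second workflow is the defensive use of the http_header module: a missing Content-Security-Policy header fails the step, and because steps run top to bottom the following step is never executed.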

sqli_blind
The sqli_blind module is able to identify time based blind sql injections.
The following data is made available for other modules:
  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies
Parameter examples:
parameter:
  url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
  method: GET
  delay_seconds: 5
If the response takes longer than the threshold of 5 seconds (delay_seconds), the check returns true (and the step therefore succeeds).


Whitewidow - SQL Vulnerability Scanner

Whitewidow is an open source automated SQL vulnerability scanner that can run through a file list or scrape Google for potentially vulnerable websites. It offers automatic file formatting, random user agents, IP addresses, server information, multiple SQL injection syntaxes, the ability to launch sqlmap from the program, and a fun environment. This program was created for learning purposes and is intended to teach users what a vulnerability looks like.

Screenshots
Launching whitewidow displays the custom designed banner and begins searching for sites that could be vulnerable.


Whitewidow is capable of finding vulnerabilities in websites by scraping Google using over 1,000 different queries that are carefully researched before being added. It also uses multiple different SQL injection approaches.




Whitewidow can also spider a single web page for all available links and then search for vulnerabilities in all of those links using the program's built-in file feature.


And when all is said and done, and you're sure you've found some vulnerable sites, you can launch sqlmap from the program without needing to download another clone.


Basic Usage
ruby whitewidow.rb -d
This will run whitewidow in default mode and scrape Google for possible sites using a random search query.
ruby whitewidow.rb -f path/to/file
This will run whitewidow through a given file and add the SQL syntax to the URL.
ruby whitewidow.rb -h
This will run the help flag and show the help menu.
For more information about usage and more flags, check out the wiki functionality page here.

Dependencies
  • gem 'mechanize'
  • gem 'nokogiri'
  • gem 'rest-client'
  • gem 'webmock'
  • gem 'rspec'
  • gem 'vcr'
To install all gem dependencies, run the following:
cd whitewidow
bundle install
This should install all gems needed, and will allow you to run the program without trouble.


Leviathan - Wide Range Mass Audit Toolkit


Leviathan is a mass audit toolkit with wide-range service discovery, brute force, SQL injection detection and custom exploit execution capabilities. It consists of open source tools such as masscan, ncrack and DSSS and gives you the flexibility of using them in combination.
The main goal of this project is auditing as many systems as possible, country-wide or across a wide IP range.

Main Features
Discovery: Discover FTP, SSH, Telnet, RDP and MySQL services running inside a specific country or in an IP range via Shodan or Censys. It is also possible to discover running services on an IP range manually with the integrated "masscan" tool.
Brute Force: You can brute force the discovered services with the integrated "ncrack" tool. It ships with wordlists that include the most popular combinations and default passwords for specific services.
Remote Command Execution: You can run system commands remotely on compromised devices.
SQL Injection Scanner: Discover SQL injection vulnerabilities on websites with a specific country extension or with your custom Google dork.
Exploit Specific Vulnerabilities: Discover vulnerable targets with Shodan, Censys or masscan and mass exploit them by providing your own exploit or using the pre-included exploits.

Integrated Tools
Masscan: It’s a very fast TCP port scanner by Robert David Graham. Leviathan uses masscan for detecting services on a huge IP range. https://github.com/robertdavidgraham/masscan
Ncrack: Ncrack is a high-speed network authentication cracking tool. Leviathan uses ncrack to brute force services such as FTP, SSH, RDP, Telnet, MYSQL etc. https://github.com/nmap/ncrack
DSSS (Damn Small SQLi Scanner): DSSS is a fully functional and minimal SQL injection vulnerability scanner by Miroslav Stampar. Leviathan uses DSSS to identify SQL Injection vulnerabilities on specific URLs. https://github.com/stamparm/DSSS

Installation
For detailed installation instructions, please visit our wiki page.

Kali Linux:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Install Python libraries:
pip install -r requirements.txt
It's done!

Debian/Ubuntu:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run the installation script. It will set up the required tools (ncrack, masscan) and Python libraries.
bash scripts/debian_install.sh
It's done!

macOS:
If homebrew is not installed on your system, please install it first:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run the installation script. It will set up the required tools (ncrack, masscan) and Python libraries.
bash scripts/macos_install.sh
It's done!

Requirements
Python version 2.7.x is required for running this program.
Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS

Usage
Run the program with the following command:
python leviathan.py
You can get basic usage information inside the menus. For detailed usage manual, visit our wiki page.

Screenshots



Blindy - Simple Script for running BruteForce Blind MySql Injection


Simple script for running brute-force blind MySQL injection.
The script runs through the queries listed in the sets of the provided file (default-queries.json by default) and tries to brute force the places marked with a {} placeholder. If no {} placeholder is present, the script simply makes a request with the current query.

command line
$ python3 blindy.py --help
usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
                 [-s set_of_queries]

Run blind sql injection using brutforce

optional arguments:
  -h, --help            show this help message and exit
  -f filename           File name for your commands in json format, defaults
                        to default-queries.json
  -m method, --method method
                        Where to inject (GET - get parameter/default, POST -
                        post parameter, HEADER - header)
  -p name               Name of parameter (for get - param name, post - param
                        name, for header - name of header). If params need to
                        have fixed value use -p submit=true
  -r regexp             Regular expression for negative pattern (script search
                        for the pattern and if present - will consider that
                        injection failed and igrone result.)
  -u url                Url to test
  -s set_of_queries, --set set_of_queries
                        Which set of queries to analyze from json file, for
                        ex. login, blind. Default to blind.

Example usage
Brute-force inject into the POST parameter query_param:
python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
Brute-force inject into the POST parameter query_param with a placeholder:
python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
This injects the queries in place of the {} parameter placeholder.
Simply check a list of queries against the username parameter:
python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login


DBShield - Database Firewall Written In Go

Protects your data by inspecting incoming queries from your application server and rejecting abnormal ones.

How does it work?
For example, this is how a web server normally interacts with a database server:


By adding DBShield in front of the database server we can protect it against abnormal queries. To detect abnormal queries we first run DBShield in learning mode. Learning mode lets any query pass but records information about it (pattern, username, time and source) in the internal database.


After collecting enough patterns we can run DBShield in protect mode. Protect mode distinguishes abnormal query patterns, users and sources and takes action based on the configuration.
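As an added illustration (not DBShield's own code) of the learning and protect modes just described, the following Python sketch reduces each query to a pattern, records (pattern, user, source) triples while learning, and in protect mode drops queries whose pattern or context was never seen, which is what happens to the `id=-1 or 1=1` query in the log output further down. The tokenizer, the `?s`/`?n` placeholder representation and the constructed NORMAL_TRAFFIC are assumptions of the example; DBShield stores its patterns in a different encoding (the byte array visible in its log).

```python
"""Added example (not DBShield's own code): a toy query-pattern firewall that
mirrors the learning / protect workflow described above.  Queries are reduced
to a pattern by replacing literals with placeholders; learning mode records
(pattern, user, source), protect mode rejects anything unseen.  DBShield's
real pattern encoding (the byte array in its log) is different; this
representation is an assumption made for illustration."""
import re
from dataclasses import dataclass, field

# Tokenizer: quoted strings (with '' escapes), numbers, words, single symbols.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def query_pattern(sql: str) -> str:
    """Normalise a query: literals become ?s / ?n, keywords are lower-cased
    and whitespace is canonicalised.  Queries that differ only in bound
    values share a pattern; a changed WHERE structure does not."""
    out = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("?s")
        elif tok[0].isdigit():
            out.append("?n")
        else:
            out.append(tok.lower())
    return " ".join(out)


@dataclass
class Shield:
    learning: bool = True
    patterns: set = field(default_factory=set)   # learned query patterns
    contexts: set = field(default_factory=set)   # (pattern, user, source)
    log: list = field(default_factory=list)

    def inspect(self, sql: str, user: str, source: str) -> str:
        """Return 'pass' or 'drop' for one query, as a proxy in front of the
        database would decide."""
        pat = query_pattern(sql)
        key = (pat, user, source)
        if self.learning:                 # learning mode: let it through, remember it
            self.patterns.add(pat)
            self.contexts.add(key)
            return "pass"
        if pat not in self.patterns:      # protect mode: never-seen query shape
            self.log.append(f"[WARN] Pattern not found: {pat!r} ({sql})")
            return "drop"
        if key not in self.contexts:      # known shape, unexpected user/source
            self.log.append(f"[WARN] Unexpected user/source for pattern: {user}@{source}")
            return "drop"
        return "pass"


# Constructed traffic: what the application normally sends during learning.
NORMAL_TRAFFIC = [
    "SELECT * FROM stocks WHERE id = 7",
    "SELECT * FROM stocks WHERE id = 12",
    "INSERT INTO audit (who, what) VALUES ('alice', 'login')",
]
APP_USER, APP_HOST = "webapp", "10.0.0.20"


def demo() -> dict:
    shield = Shield(learning=True)
    for q in NORMAL_TRAFFIC:
        shield.inspect(q, APP_USER, APP_HOST)
    shield.learning = False               # switch to protect mode
    return {
        "normal": shield.inspect("SELECT * FROM stocks WHERE id = 99", APP_USER, APP_HOST),
        "tautology": shield.inspect("SELECT * FROM stocks where id=-1 or 1=1", APP_USER, APP_HOST),
        "escaped_quote": shield.inspect(
            "INSERT INTO audit (who, what) VALUES ('O''Brien', 'login')", APP_USER, APP_HOST),
        "wrong_source": shield.inspect("SELECT * FROM stocks WHERE id = 5", "postgres", "10.0.0.99"),
        "log": shield.log,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point the demo makes is that a bound-value change (id = 99) keeps the learned pattern and passes, while the tautology changes the query's shape and is dropped, and even a legitimate pattern is dropped when it arrives from a user or host that was never observed during learning.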


Demo
For the demo we use sqlmap (an automatic SQL injection and database takeover tool) to exploit the SQL injection vulnerability in user.php.
In the first scenario sqlmap successfully exploits the SQL injection because the web application connects directly to the database (MySQL). In the second scenario we modify user.php so that DBShield sits between the web application and the database; it drops the injection attempt and sqlmap fails.


Sample Outputs
CLI
$ go run main.go
2016/10/15 16:25:31 [INFO] Config file: /etc/dbshield.yml
2016/10/15 16:25:31 [INFO] Internal DB: /tmp/model/10.0.0.21_postgres.db
2016/10/15 16:25:31 [INFO] Listening: 0.0.0.0:5000
2016/10/15 16:25:31 [INFO] Backend: postgres (10.0.0.21:5432)
2016/10/15 16:25:31 [INFO] Protect: true
2016/10/15 16:25:31 [INFO] Web interface on https://127.0.0.1:8070/
2016/10/15 16:25:33 [INFO] Connected from: 10.0.0.20:35910
2016/10/15 16:25:33 [INFO] Connected to: 10.0.0.21:5432
2016/10/15 16:25:33 [INFO] SSL connection
2016/10/15 16:25:34 [DEBUG] Client handshake done
2016/10/15 16:25:34 [DEBUG] Server handshake done
2016/10/15 16:25:34 [INFO] User: postgres
2016/10/15 16:25:34 [INFO] Database: test
2016/10/15 16:25:34 [INFO] Query: SELECT * FROM stocks where id=-1 or 1=1
2016/10/15 16:25:34 [WARN] Pattern not found: [53 55 51 52 55 52 50 53 55 51 53 49 115 116 111 99 107 115 53 55 51 53 50 105 100 54 49 52 53 53 55 51 55 57 53 55 52 48 52 53 55 51 55 57 54 49 53 55 51 55 57] (SELECT * FROM stocks where id=-1 or 1=1)
2016/10/15 16:25:34 [WARN] Dropping connection

Web Interface



Installation
Get it
$ go get -u github.com/nim4/DBShield
Then you can see help using "-h" argument:
$ $GOPATH/bin/DBShield -h
DBShield 1.0.0-beta3
Usage of DBShield:
  -a    get list of abnormal queries
  -c file
        config file (default "/etc/dbshield.yml")
  -h    show help
  -k    show parsed config and exit
  -l    get list of captured patterns
  -version
        show version
and run it with your configuration, like:
$ $GOPATH/bin/DBShield -c config.yml
see sample configuration file

Supports:
Database   Protect   SSL
DB2        Yes       No
MariaDB    Yes       Yes
MySQL      Yes       Yes
Oracle     Yes       No
Postgres   Yes       Yes

The Mole - Automatic SQL Injection Exploitation Tool

The Mole is an automatic SQL Injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features

  • Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
  • Command line interface. Different commands trigger different actions.
  • Auto-completion for commands, command arguments and database, table and columns names.
  • Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
  • Exploits SQL Injections through GET/POST/Cookie parameters.
  • Developed in python 3.
  • Exploits SQL Injections that return binary data.
  • Powerful command interpreter to simplify its usage.

Simple SQLi Dumper v5.1 - Tool to find bugs, errors or vulnerabilities in MySQL database


SSDp is a useful penetration testing tool for finding bugs, errors or vulnerabilities in MySQL databases.

Functions
  • SQL Injection
  • Operation System Function
  • Dump Database
  • Extract Database Schema
  • Search Columns Name
  • Read File (read only)
  • Create File (read only)
  • Brute Table & Column

[Havij 1.17] Automated and Advanced SQL Injection


Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.

The distinctive power of Havij that differentiates it from similar tools lies in its unique methods of injection. The success rate of attack on vulnerable targets using Havij is above 95%.

The user friendly GUI (Graphical User Interface) of Havij and its automated configuration and heuristic detections make it easy to use for everyone, even amateurs.


What's New?

  • Dump all.
  • New bypass method for MySQL using parenthesis.
  • Write file feature added for MSSQL and MySQL.
  • Loading HTML form inputs.
  • Saving data in CSV format.
  • Advanced evasion tab in the settings.
  • Injection tab in settings.
  • 'Non-existent injection value' can now be changed by user (the default value is 999999.9).
  • 'Comment mark' can be changed by user (the default value is --).
  • Disabling/enabling of logging.
  • Bugfix: adding manual database in tables tree view.
  • Bugfix: finding string columns in PostgreSQL.
  • Bugfix: MS Access blind string type data extraction
  • Bugfix: MSSQL blind auto detection when error-based method fails
  • Bugfix: all database blind methods fail on retry
  • Bugfix: guessing columns/tables in MySQL time-based injection
  • Bugfix: crashing when dumping into file
  • Bugfix: loading project injection type (Integer or String)
  • Bugfix: HTTPS multi-threading bug
  • Bugfix: command execution in MSSQL 2005

[Netsparker v3.2] Web Application Security Scanner


Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology they are built on, just like an actual attacker.

It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more. It has exploitation built on it, for example you can get a reverse shell out of an identified SQL Injection or extract data via running custom SQL queries.

The main highlight of this version is the web services scanner; now scan and identify vulnerabilities and security issues in web services automatically and easily.

Changelog v3.2

New Features
  • Ability to scan SOAP web services for security issues and vulnerabilities
  • Request and Response viewers to view HTTP requests/responses like XML and JSON tree views
  • New knowledge base node that will include all AJAX/XML HTTP Requests
  • New value matching options for form values other than regex pattern (exact, contains, starts, ends)
  • New report template for parsing source information Crawled URLs List (CSV)
New Security Checks
  • Added attack patterns for LFI vulnerability which is revealed with only backslashes in file path
  • Added Programming Error Message vulnerability detection for SOAP faults
  • Added AutoComplete vulnerability for password inputs
  • NuSOAP version disclosure
  • NuSOAP version check
Improvements
  • Improved XSS vulnerability confirmation
  • Improved Generic Source Code Disclosure security check by excluding JavaScript and CSS resources
  • Added latest version custom field for the version vulnerabilities
  • Added standard context menus to text editors
  • Sitemap tree will display nodes of JSON, XML and SOAP requests and responses with no parameters
  • Added force option to form value settings to enforce user specified values
  • Optimized attack patterns for JSON and XML attacks by reducing attack requests
  • Optimized Common Directories list and removed the limit for Extensive Security Checks policy
  • Improved the license dialog to show whether a license is missing or expired
Fixes
  • Fixed update dialog to not show on autopilot mode
  • Fixed an interim auto update crash
  • Fixed typo in Out of Scope Links knowledge base report template
  • Fixed an issue in LFI exploiter where XML tags with namespace prefixes were preventing exploitation
  • Fixed Controlled Scan button disabled issue for some sitemap nodes
  • Fixed parameter anchors in Vulnerability Summary table of Detailed Scan Report template
  • Fixed form authentication wizard to use user agent set on currently selected policy
  • Fixed zero response time issue for some sitemap nodes
  • Fixed dashboard progress bar showing 100%
  • Fixed random crashes on license dialog while loading license file or closing dialog
  • Fixed Microsoft Anti-XSS Library links on vulnerability references