Archive for the ‘Tools’ Category

Newer Entries »

Web Application Testing with Pangolin (Video & Screenshot)

Donnerstag, März 5th, 2009

Here is another new video “Web Application Testing with Pangolin” (1024×768).

Similar to the previous video with Matrixay I am using a chinese tool called Pangolin to extract the structure and content of a database (tables, columns, data) via a SQL Injection vulnerability in one of my vulnerable test applications.

Pangolin is a free product but some of the versions of Pangolin on the web are coming with a backdoored libcurl.dll. This can be a dangerous side effect of using free tools in a company environment. You have been warned…

Sometimes it is difficult to find a download possibility of Pangolin because the main website www.nosec.org is currently under construction but if you search a little bit you will be able to find a copy (e.g. via rapidshare). More details concerning Pangolin is available here.

Pangolin Web SQL Injection Tool

Pangolin supports all kind of databases (Oracle, MSSQL, MySQL, Sybase, DB2, …).

More videos can be found in our video section.

Posted in SQL Injection, Tools | 2 Comments »

Web Application Testing with Matrixay 2.5

Mittwoch, März 4th, 2009

Today I uploaded a new video „Web Application Testing with Matrixay 2.5“ (1024×768). In this video I am using Matrixay to extract the structure of a database (tables, columns, …) via a SQL Injection vulnerability in one of my vulnerable test applications (Oracle 11.1.0.7 & PHP). After that I am downloading the content of the table.

Matrixay is a really good and easy to use commercial web scanner from DBAppSecurity Ltd.

Matrixay

Matrixay supports all kind of databases (Oracle, MSSQL, MySQL, DB2, …) and can even do simple database audit (e.g. check for weak Oracle passwords, …).

More videos can be found in our video section. I will add more in the next few weeks.

Posted in software, Tools | No Comments »

New version of bsqlbf (v 2.2) available

Mittwoch, März 4th, 2009

Yesterday, Sumit Siddarth (Sid) from notsosecure.com released a new version of the sql injection tool bsqlbf. This updated version bsqlbf 2.2 supports now SQL Injection in „order by“ and „group by“.

bsqlbf supports Oracle, MSSQL, MySQL and Postgres.

Posted in SQL Injection, Tools | No Comments »

GSAuditor – Fastest Oracle 11g password cracker (AFAIK)

Sonntag, Dezember 7th, 2008

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know.  At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).

GSAuditor - unsuccessful crack GSAuditor - successful crack

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select ‚gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||“||substr(u.spare4,3,40)||‘ ‚ from sys.user$ u where u.type#>0 and length(spare4) =62;

Posted in Oracle Security, passwords, Tools | 1 Comment »

New Oracle bugs and BSQL Hacker

Mittwoch, August 20th, 2008

Today I reported 6 new security vulnerabilities to Oracle (2 Data Vault, 2 Auditing, 1 Discoverer, 1 Password Verification Function). Even if Oracle Security is getting better (see also discussion on Pete’s Blog) there are still enough bugs available.

Portcullis Labs released their free scanner BSQL Hacker for detecting blind sql injection. BSQL Hacker is supporting Oracle, MSSQL and MySQL. At the moment I have no time to play longer with this tool but it looks promising (see video).

Posted in Oracle Security, Tools | 1 Comment »

Newer Entries »