Automatic Web Site Defacement

October 13, 2008

Author: chaptersinwebsecurity
 

Hi all,

I'm new to posting content on this mailing list, but thought some of you would be interested in an automatic SQL parameter injector able to test for automatic database / web site defacement and / or OS command execution given a list of URLs from a text file.
You may find a more detailed explanation about this tool and a download link for its first official version here.

I wrote a proof of concept tool, based on the ASPROX bot that has been attacking millions of SQL-injection-prone web sites running MS-SQL servers at their backends.
Given a list of URLs that can be retrieved using various crawlers found on the web, it tests for SQL injection via URL parameters. In case one works, it attempts to either inject defacement content as entered by the user or alternatively to run an OS command on the SQL server.


Main Features:
---------------

  1. Written in Python
  2. Uses the robust CURL library - fastest HTTP request crafter in the world
  3. Encodes payload query in binary format to encapsulate internal SQL syntax and evade IDS systems
  4. URL encodes all content to comply with standard GET requests
  5. Allows usage of HTTP proxy

ToDo:
------

  1. Parallelize URL attacks
  2. Attack web forms with POST requests
  3. Build GUI (IronPython...?)

Feature requests and bug reports are welcome at:

ravivr_at_gmail_dot_com
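
Detection side of features 3 and 4 above, as an added example that is not part of the original post or of the tool it announces: a log check that URL-decodes each GET parameter, decodes any long hex literal, and flags it when SQL text is hidden inside. It assumes the "binary format" appears as a T-SQL `0x...` literal; the function names, regexes and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, quote

# Assumption: the "binary format" payload shows up as a T-SQL 0x... hex literal.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){8,})")
SQL_WORDS = re.compile(r"\b(select|insert|update|delete|declare|exec|cast|drop|union)\b", re.I)
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decode_hex(hexdigits):
    """Decode a hex literal as single-byte text and, if possible, UTF-16LE (NVARCHAR)."""
    raw = bytes.fromhex(hexdigits)
    texts = [raw.decode("latin-1")]
    if len(raw) % 2 == 0:
        texts.append(raw.decode("utf-16-le", errors="ignore"))
    return texts

def inspect_line(line):
    """Return (parameter, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl undoes the URL encoding, so the literal is seen as the database would see it.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        for lit in HEX_LITERAL.finditer(value):
            hidden = [t for t in decode_hex(lit.group(1)) if SQL_WORDS.search(t)]
            if hidden:
                findings.append((name, "hex literal decodes to SQL: " + hidden[0]))
            elif SQL_WORDS.search(value):
                findings.append((name, "long hex literal beside SQL keywords"))
    return findings

def sample_log():
    """Constructed access-log lines (not real traffic) with a harmless wrapped statement."""
    wrapped = "0x" + "SELECT 1 AS probe".encode().hex()
    return [
        '192.0.2.10 - - [13/Oct/2008:10:00:00 +0000] "GET /item.asp?id=7&color=0xff00ff HTTP/1.1" 200 512',
        '192.0.2.99 - - [13/Oct/2008:10:00:05 +0000] "GET /item.asp?id=%s HTTP/1.1" 500 0'
        % quote("7 CAST(" + wrapped + " AS VARCHAR(64))"),
    ]

if __name__ == "__main__":
    for entry in sample_log():
        print(inspect_line(entry) or "clean", "<-", entry[:60])
```

Keyword signatures applied to the raw request line miss the wrapped statement because no SQL verb from the payload is visible until the literal is decoded, which is why the check decodes first and matches second.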
