Tuesday, June 14, 2011

Deblaze – Remote Method Enumeration Tool For Flex Servers

27 March 2009 | 3,671 views

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make requests to a remote server to call server-side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications.

This tool will allow you to perform method enumeration and interrogation against Flash Remoting endpoints.

Deblaze came about as a necessity during a few security assessments of Flash-based websites that made heavy use of Flash Remoting. The author needed something to give him the ability to dig a little deeper into the technology and identify security holes. On all of the servers he’d seen so far the names are not case sensitive, making it much easier to brute-force. Often, HTTP POST requests won’t be logged by the server, so brute-forcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:
  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting
There are several ways to determine and access exposed methods:
  • Decompile SWF and search for remoting calls
  • Watch network traffic for service and method names
  • Dictionary attack against service and methods
You can download Deblaze here:
deblaze.tar.gz

WITOOL v0.1 – GUI Based SQL Injection Tool in .NET

WITOOL is a GUI-based SQL injection tool written in .NET.
- For SQL Server, Oracle
- Error Base and Union Base
Interface: screenshot of the WITOOL v0.1 SQL Injection Tool (image not included)
Features
  • Retrieve schema: DB/tablespace, table, column, other objects
  • Retrieve data: retrieve with paging, dump to XML file
  • Log: view the raw HTTP log data
Environment
OS: Windows 2000/XP/VISTA
Requirement: Microsoft .NET(2.0) Library (Download Here).
You can download WITOOL v0.1 here:
WITOOL_V0.1_081231.zip

XSS-Proxy – Cross Site Scripting Attack Tool

XSS-Proxy is an advanced Cross-Site Scripting (XSS) attack tool. The documents, tools and other content on this site assume you have a basic understanding of XSS issues and existing exploitation methods. If you are not familiar with XSS, then I recommend you check out the primer links/docs below to get a better idea of what XSS is and how to detect it, fix it, and exploit it.
Cross Site Scripting (XSS)
CERT info on XSS
CGISecurity’s Cross Site Scripting FAQ
Gunter Ollmann’s XSS paper
PeterW’s Cross Site Request Forgery (CSRF) Concept
SecureNet’s Session Riding paper
Some Common Misconceptions about XSS
  • “A user has to click a link to be impacted by XSS.” No – if you visit a page that has a script tag in it, your browser will run it regardless of you clicking a link. I carefully crafted this example so it would not be run by your browser, but I could have put real script tags/commands here and made you run them transparently.
  • “XSS only matters with bulletin boards, blogs, and other sites where an attacker can upload script content.” That is one way the attack can happen, but an attacker can also leverage sites that allow HTML/SCRIPT tags to be reflected back to the same user (like a search form that repeats what it was told to look for in the response). These flaws are commonly combined with public site redirects or emails to attack a second site.
  • “Don’t XSS attacks just create popup windows, alerts and other pesky things?” No – they are commonly used to reveal your cookies or form-based login info to attackers. After harvesting this info, the attacker uses it to log into the same site as you.
  • “I understand XSS, but I don’t think it’s a huge issue.” I think you’ll change your mind once you understand this advanced attack. Read the advanced stuff below and play with XSS-Proxy to see how evil XSS really can be.
You can download XSS-Proxy here:
XSS-Proxy_0_0_12-book.pl
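The second misconception above describes a search form that echoes its input back into the response. As an added example (not part of XSS-Proxy or of this post), here is that page in Python twice, once echoing the query raw and once with HTML entity encoding, plus a check that runs constructed probe strings through both renderers and reports which ones come back as live markup. The probe strings and function names are assumptions made for the example.

```python
import html

# Constructed probes (not from the page): markup that would be parsed as HTML
# if echoed raw, and an attribute-breakout variant for the input's value="".
PROBES = ['<b id="probe">x</b>', '"><b id="probe">x</b>']

def render_search_vulnerable(query):
    """Echoes the query back unchanged in both places (reflected XSS)."""
    return (f'<form><input name="q" value="{query}"></form>'
            f'<p>Results for {query}</p>')

def render_search_hardened(query):
    """Same page with HTML entity encoding; quote=True also escapes the
    double quote so the attribute value cannot be terminated early."""
    safe = html.escape(query, quote=True)
    return (f'<form><input name="q" value="{safe}"></form>'
            f'<p>Results for {safe}</p>')

def reflects_markup(page, marker='<b id="probe">'):
    """True when probe markup survives verbatim, i.e. the browser would
    treat it as an element instead of displaying it as text."""
    return marker in page

def check(render):
    """Run every probe through a renderer; returns the list of probes that
    came back as live markup (empty for a correctly encoded page)."""
    return [p for p in PROBES if reflects_markup(render(p))]
```

The same check applied to a real page's output is a quick regression test that the encoding is applied in every context the input is echoed into.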

Gooscan – Automated Google Hacking Tool

Whilst reading an article the other day I saw this mentioned and realised I haven’t written about this yet either, although I have written about the similar tool Goolag.

What is Gooscan?

Gooscan is a tool that automates queries against Google search appliances, but with a twist. These particular queries are designed to find potential vulnerabilities on web pages. Think “cgi scanner” that never communicates directly with the target web server, since all queries are answered by a Google appliance, not by the target itself.

Who is it written for?

Security professionals: This tool serves as a front-end for an external web server assessment and aids in the “information gathering” phase of a vulnerability assessment.

Web server administrators: This tool helps to discover what the web community may already know about you thanks to Google.

Is this tool legal?

From Google ToS – “You may not send automated queries of any sort to Google’s system without express permission in advance from Google.”

This means that you should not use this tool to query Google without advance express permission. Google appliances, however, do not have these limitations. You should, however, obtain advance express permission from the owner or maintainer of the Google appliance before searching it with any automated tool for various legal and moral reasons.

The author wrote this tool not to violate Google’s terms of service (ToS), but to raise the awareness of the web security community that a ToS may not discourage the bad guys from writing and running a tool like this for malicious purposes. To that end, only use this tool to query _appliances_ unless you are prepared to face the (as yet unquantified) wrath of Google.

Why the proxy feature?

Many companies can only reach the Internet by way of an internal proxy server. When conducting an authorized assessment, it may be necessary to bounce queries off a web proxy instead of off the Google appliance directly.

You can download Gooscan v1.0 here:
Gooscan v1.0

MultiInjector – Automated Stealth SQL Injection Tool

MultiInjector claims to be the first configurable automatic website defacement software; I’m not sure if that’s a good thing or a bad thing.

But well here it is anyway.

Features

  • Receives a list of URLs as input
  • Recognizes the parameterized URLs from the list
  • Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
  • Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
  • OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
  • Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
  • Optional use of an HTTP proxy to mask the origin of the attacks

The author highly recommends running an HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.
Requirements
  • Python >= 2.4
  • Pycurl (compatible with the above version of Python)
  • Psyco (compatible with the above version of Python)
You can download MultiInjector v0.2 here:
MultiInjector.py
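Two of the tools above leave traces that a defender can look for: Deblaze's method-name brute forcing arrives as a burst of POSTs to the remoting gateway whose bodies the server does not log, and WITOOL and MultiInjector put their union-based, error-based and xp_cmdshell payloads into URL parameters. As an added example (not code from any of these projects or from this post), the Python below parses constructed Apache combined-format log lines and applies both checks; the gateway path, the threshold and window values, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache combined-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Indicators the page names (xp_cmdshell, UNION-based injection) plus the
# quote-based boolean probe; case-insensitive because the tools vary case.
SQLI_RE = re.compile(r"xp_cmdshell|union\s+(all\s+)?select|'\s*(or|and)\s+\d+=\d+", re.I)

# Constructed sample log, not real traffic: one client hammering the remoting
# gateway, one ordinary gateway call, one injected GET and one clean GET.
SAMPLE = [f'10.0.0.5 - - [14/Jun/2011:10:00:{s:02d} +0000] '
          '"POST /flashservices/gateway HTTP/1.1" 200 412' for s in range(0, 30, 5)] + [
    '10.0.0.9 - - [14/Jun/2011:10:00:07 +0000] "POST /flashservices/gateway HTTP/1.1" 200 390',
    '10.0.0.7 - - [14/Jun/2011:10:01:02 +0000] "GET /item.asp?id=5%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0',
    '10.0.0.8 - - [14/Jun/2011:10:01:05 +0000] "GET /item.asp?id=5 HTTP/1.1" 200 1202',
]

def parse(line):
    # Returns a dict with a parsed 'time' for a recognised line, else None.
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def post_bursts(lines, gateway='/flashservices/gateway', threshold=5, window=60):
    """IPs that POST to the gateway >= threshold times within any `window` seconds.
    POST bodies (and so the method names tried) are not logged; volume is the signal."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec['method'] == 'POST' and rec['path'].startswith(gateway):
            hits[rec['ip']].append(rec['time'])
    flagged = set()
    for ip, t in hits.items():
        t.sort()
        if any((t[i + threshold - 1] - t[i]).total_seconds() <= window
               for i in range(len(t) - threshold + 1)):
            flagged.add(ip)
    return flagged

def sqli_attempts(lines):
    """(ip, URL-decoded query string) for requests carrying an injection indicator."""
    recs = filter(None, map(parse, lines))
    pairs = ((r['ip'], unquote_plus(r['path'].partition('?')[2])) for r in recs)
    return [(ip, q) for ip, q in pairs if SQLI_RE.search(q)]
```

On the sample, `post_bursts` flags only 10.0.0.5 and `sqli_attempts` returns only the decoded 10.0.0.7 request; the decoding step matters because the tools send their payloads URL-encoded.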