Comments on: Pangolin – Automatic SQL Injection Tool

By: pangolin

pangolin — Wed, 27 May 2009 06:57:40 +0000

I have check it, look at what it send : http://www.nosec.org/product/upgrade.php, it is upgrade checking, do you think so?

Just visit here : http://www.nosec.org/en/node/73

By: makk

makk — Sun, 17 May 2009 08:31:41 +0000

thanx buddy

By: User

User — Thu, 14 May 2009 14:36:49 +0000

Thanks for the comments… Yes, some folks read the comments, and thank god I did…

By: Darknet

Darknet — Thu, 14 May 2009 08:12:00 +0000

Thanks for the info guys, honestly I was always skeptical about posting Pangolin, but I thought it’d had developed a long way. Always found it a little suspicious.

I can understand the rational for passing thru their HTTP server for that function, but doing it without disclosure is lame.

I don’t think I’ll be posting any more of it’s updated versions here.

I hope people read these comments.

By: Navin

Navin — Wed, 13 May 2009 18:32:38 +0000

+1 @anony

Thanks natron!!

By: Anony

Anony — Wed, 13 May 2009 17:56:20 +0000

I would never even consider downloading the tool cause of that. Thanks for pointing it out natron.

By: natron

natron — Wed, 13 May 2009 16:37:40 +0000

Beware, for certain types of SQLi, Pangolin’s creators get a copy of all the data retrieved:

“…After decoding we found that the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data. WTH?”

http://laramies.blogspot.com/2009/05/pangolin-and-your-data.html

I understand why they did this, but it should be pointed out to the end users so they understand what’s occurring. That they don’t is very shady.