Features

• Map a web aplication.
• Show all links and forms params as confortable format.
• Save results with some formats: text, cvs, html, raw (for parsing with bash script) and wfuzz script.
• Detect common vulnerabilites of web application.
• Filter web information retaining only what is important.
• Many other features you can find very useful.

You can download GoLISMERO here:

GoLISMERO_last.zip

Or read more here.

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

It’s been quite a while since the release of Burp Suite v1.2 back in December 2008.

This is a major upgrade with a host of new features, including:

• A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.
• Facility to add comments and highlights to the proxy history and site map.
• Support for viewing and editing AMF-encoded messages.
• Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.
• Copy to file / paste from file to facilitate working with binary content.
• New display filters.
• Greatly enhanced extensibility.
• Configurable DNS resolution, to override your computer’s own resolution, facilitating work with non-proxy-aware clients.
• Fine-grained upstream proxy rules.
• Exporting of HTTP messages and metadata in XML format.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Full release details can be found here.

You can download Burp Suite v1.3 here:

burpsuite_v1.3.zip

Or read more here.

Database Support

• Access: Informations (Database Path; Root Path; Drivers); Data
• MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
• MySql: Informations; Data; FileReader; FileWriter;
• Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
• Informix: Informatons; Data
• DB2: Informatons; Data; and more;
• Sybase: Informatons; Data; and more;
• PostgreSQL: Informatons; Data; FileReader;
• Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

You can download Pangolin here:

pangolin_free_edition_2.1.2.924.rar (Download Page)

Or read more here.

You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.

Features

• Receives a list of URLs as input
• Recognizes the parameterized URLs from the list
• Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
• Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
• OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
• Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
• Optional use of an HTTP proxy to mask the origin of the attacks

Changes

• Automatic defacement – Try to concatenate a string to all user-defined text fields in DB
• Run any OS command as if you’re running a command console on the DB machine
• Execute SQL commands of your choice
• Enable OS shell procedure on DB – Revive the good old XP_CMDSHELL where it was turned off
• Add administrative user to DB server with password: T0pSeKret
• Enable remote desktop on DB server
• Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
• Added numeric / string parameter type detection
• Improved defacement content handling by escaping quotation marks
• Improved support for Linux systems
• Fixed the “invalid number of concurrent connections” failure due to non-parameterized URLs

You can download MultiInjector v0.3 here

MultiInjectorV0.3.tar.gz

Or read more here.

MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing – or a bad thing.

But well here it is anyway.

Features

• Receives a list of URLs as input
• Recognizes the parameterized URLs from the list
• Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
• Automatic defacement – you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
• OS command execution – remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
• Configurable parallel connections exponentially speed up the attack process – one payload, multiple targets, simultaneous attacks
• Optional use of an HTTP proxy to mask the origin of the attacks

The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.

Requirements

• Python >= 2.4
• Pycurl (compatible with the above version of Python)
• Psyco (compatible with the above version of Python)

You can download MultiInjector v0.2 here:

MultiInjector.py

Or read more here.