
jSQL An Automatic SQL Injection Tool Written in Java




jSQL Injection is a lightweight application used to find database information from a remote server.


It is free, open source and cross-platform (Windows, Linux, Mac OS X).

jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in other distributions like Pentest Box, Parrot Security OS, ArchStrike or BlackArch Linux.

Features

  • Automatic injection of 23 kinds of databases: Access, CockroachDB, CUBRID, DB2, Derby, Firebird, H2, Hana, HSQLDB, Informix, Ingres, MaxDB, Mckoi, MySQL (MariaDB), Neo4j, NuoDB, Oracle, PostgreSQL, SQLite, SQL Server, Sybase, Teradata and Vertica
  • Multiple injection strategies: Normal, Error, Blind and Time
  • SQL Engine to study and optimize SQL expressions
  • Injection of multiple targets
  • Search for administration pages
  • Creation and visualisation of Web shell and SQL shell
  • Read and write files on host using injection
  • Brute-force of password hashes
  • Encode and decode a string

Installation

Install Java 8, then download the latest release of jSQL Injection and double-click on the file jsql-injection-v0.79.jar to launch the software.

You can also type java -jar jsql-injection-v0.79.jar in your terminal to start the program.
If you are using Kali Linux, get the latest release using the commands apt update and then apt full-upgrade.


Disclaimer:
Attacking a web server without prior mutual consent is illegal. The end user is responsible for obeying all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

PyT- Python Taint: Static Analysis of Python Web Applications Security Software




PyT performs static analysis of Python web applications, based on theoretical foundations (control flow graphs, fixed point, dataflow analysis).


Features:
  • Detect Command injection
  • Detect SQL injection
  • Detect XSS
  • Detect directory traversal
  • Get a control flow graph
  • Get a def-use and/or a use-def chain
  • Search GitHub and analyse hits with PyT
  • Scan intraprocedural or interprocedural
  • A lot of customisation possible
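
To make the "fixed point, dataflow analysis" idea concrete, here is an added example (not PyT's code, and not from the PyT project): a flow-insensitive taint pass over Python's ast that repeats until the set of tainted variables stops growing. PyT itself works on a control flow graph; the sample handler and the source, sink and sanitizer names below are assumptions made for illustration.

```python
import ast  # ast.unparse needs Python 3.9+

# Constructed sample handler (not a file from the PyT repository).
SAMPLE = '''\
def handler():
    msg = "hello"
    for _ in range(2):
        out = msg
        msg = request.args.get("param")
    safe = escape(msg)
    make_response(out)
    return make_response(safe)
'''
# Assumed source, sink and sanitizer names for this illustration.
SOURCES, SINKS, SANITIZERS = {"request.args.get"}, {"make_response"}, {"escape"}


def is_tainted(expr, tainted, sources, sanitizers):
    """True if expr may carry data that came from a source."""
    if isinstance(expr, ast.Call):
        name = ast.unparse(expr.func)
        if name in sanitizers:
            return False  # trust the sanitizer's return value
        if name in sources:
            return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(child, tainted, sources, sanitizers)
               for child in ast.iter_child_nodes(expr))


def find_tainted_sinks(code, sources, sinks, sanitizers=()):
    """Return sorted (line, call) pairs where tainted data reaches a sink."""
    tree = ast.parse(code)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted, changed = set(), True
    while changed:  # repeat until the tainted set stops growing (fixed point)
        changed = False
        for node in assigns:
            if is_tainted(node.value, tainted, sources, sanitizers):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return sorted((n.lineno, ast.unparse(n)) for n in ast.walk(tree)
                  if isinstance(n, ast.Call) and ast.unparse(n.func) in sinks
                  and any(is_tainted(a, tainted, sources, sanitizers) for a in n.args))
```

In the sample, out is assigned before msg is read from the request, so a single top-to-bottom pass would miss it; the second iteration of the loop is what marks out as tainted and flags line 7.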

Install

  • git clone https://github.com/python-security/pyt.git
  • python setup.py install
  • pyt -h

Usage from source

  • Using it like a user: python -m pyt -f example/vulnerable_code/XSS_call.py save -du
  • Running the tests: python -m tests
  • Running an individual test file: python -m unittest tests.import_test
  • Running an individual test: python -m unittest tests.import_test.ImportTest.test_import

Virtual env setup guide

Create a directory to hold the virtual env and project

mkdir ~/a_folder
cd ~/a_folder

Clone the project into the directory

git clone https://github.com/python-security/pyt.git

Create the virtual environment

python3 -m venv ~/a_folder/

Check that you have the right versions

python --version
Sample output: Python 3.6.0

pip --version
Sample output: pip 9.0.1 from /Users/kevinhock/a_folder/lib/python3.6/site-packages (python 3.6)

Change to project directory

cd pyt

Install dependencies

pip install -r requirements.txt

pip list

Sample output:

gitdb (0.6.4)
GitPython (2.0.8)
graphviz (0.4.10)
pip (9.0.1)
requests (2.10.0)
setuptools (28.8.0)
smmap (0.9.0)
