SECFORCE          
   
 
    Tools  
   

phpMyAdmin local file inclusion - XXE injection (CVE-2011-4107 PoC)

Proof of concept for CVE-2011-4107. This Metasploit module can be used by authenticated attackers to read local files on the phpMyAdmin server.

Download Tool (Metasploit RB, 7.8 kb)

Apache Proxy Scanner (CVE-2011-3368 PoC)

Proof of concept for CVE-2011-3368. The script can be used to perform a port scan of DMZ hosts and retrieve resources from internal servers.

Download Tool (PY, 3.8 kb)

Metasploit SQL Injection wrapper

Wrapper for exploiting SQL injection vulnerabilities using Metasploit. When command execution via xp_cmdshell or MS09-004 exploitation is achieved, this wrapper allows the use of all the magic that Metasploit brings: VNC payloads, Meterpreter, payload encoding, etc.

Download Tool (ZIP, 9.4 kb)

Cisco config retriever

Very simple Python script for retrieving large numbers of Cisco config files with a given username/password. Very useful for internal penetration tests where there is password reuse across all the routers.

Download Tool (PY, 1.8 kb)

Windows PHP socket hijack toolset

This toolset demonstrates the use of PHP in Windows environments to perform interesting and creative attack vectors.

Download Tool (ZIP, 15.1 kb) | View Demo | View Presentation

Taof

Taof is a cross-platform, GUI-based generic network protocol fuzzer written in Python. It has been designed to minimize set-up time during fuzzing sessions and is especially useful for fast testing of proprietary or undocumented protocols.

Download Tool (Code Repository) | View Demo

ProxyFuzz

ProxyFuzz is a man-in-the-middle non-deterministic network fuzzer written in Python. ProxyFuzz randomly changes (fuzzes) the contents of network traffic. It supports the TCP and UDP protocols and can also be configured to fuzz only one side of the communication. ProxyFuzz is protocol agnostic, so it can randomly fuzz any network communication.

ProxyFuzz is a good tool for quickly testing network protocols and producing basic proofs of concept. Using this tool you will be amazed by the poor quality of software and you will see clients and servers dying upon unexpected input; just be prepared to see some very weird behaviours.

Download Tool (PY, 5.6 kb) | Win Binary (ZIP, 4.4 mb) | View Demo

Bsishell

Bsishell is an interactive Python shell used to exploit blind SQL injection vulnerabilities. Currently it supports attacks against MSSQL Server; however, customization for Sybase and Oracle is straightforward.

Download Tool (PY, 8.8 kb) | View Demo

 
 
  Copyright (c) 2012 SECFORCE Ltd
All Rights Reserved