wpoison-dev.tgz
Submitted: 2004-03-03
Submitted by: NJUE
Tool category: Scanners
Platform: Unix/Linux
Size: 21280 bytes
File MD5: a3f98ae45b8cfdcd96d13c73b76bc2ad

**

wpoison, web stress tool.
http://wpoison.sourceforge.net

What is wpoison ?

Wpoison is a tool primarily designed for pen-testers and/or system administrators. The objective of this tool is to find any potential SQL-injection vulnerabilities in dynamic web documents that deal with databases: php, asp, etc.

How does this work ?

This is quite simple: wpoison fetches the document you want to scan and extracts any URLs in <a> and <form> tags. Any URL that contains arguments (eg: /doc.php?aa=bb&cc=dd) will be stress tested this way: the value of each argument is replaced, one argument at a time, with known buggy SQL strings, in order to make the remote database print errors on the document.

For example, /doc.php?aa=bb&cc=dd will be stressed like this:

  1° /doc.php?aa=BAD_VALUE&cc=dd
  2° /doc.php?aa=bb&cc=BAD_VALUE

After each poisoned request, the HTTP reply is analysed to find common SQL error strings. If any string matches, the document is flagged as vulnerable.

SQL error strings are stored in a signature file (poison.sig), so it is easy for anyone to add their own signatures for a particular web application (see poison.sig for more details).

Wpoison is based on those excellent white papers:

  The SPI Labs whitepaper on SQL injection:
  (http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf)

  Chris Anley's white paper:
  (http://www.ngssoftware.com/papers/advanced_sql_injection.pdf)

Compiling wpoison.

wpoison is known to compile on FreeBSD and Linux platforms. For now, you need to have [f]lex and gcc installed. Just run `make`.

Please report compilation problems at meadele@nerim.net or mm@bzero.net.

Using wpoison.

The simplest way to use wpoison is to run:

  $ wpoison http://www.somewhere.tld/page.php
or
  $ wpoison my-web.tld
or
  $ wpoison "www.my.tld/page.php?aa=bb&cc=dd"

This will stress test any URLs found in the link you provided.

It's important to note that wpoison *does not* follow links that are outside your domain.

Sometimes it's useful to force the values of the cookie, if your website deals with some internal authentication:

  $ ./wpoison -C "sessionhash=123456789; path=/" -C "ID=meadele; path=/myforum" www.my-web.tld

Note that the -C option takes a full "Set-Cookie" header value. If the -C option is missing, wpoison will use the original cookie of your document for each test.

When the scan is done it will print out the result. This example shows the result of a scan on a vulnerable Snitz asp forum:

  [***] report: 40 links tested:
   __ /forum/forum.asp [Possible SQL-injection detected]
  |___ FORUM_ID * * * * * *
  |___ CAT_ID * * * * * * *
  |___ Forum_Title
  1 potential security problems found
  [**] done

This means that the FORUM_ID and CAT_ID arguments *may* be usable for SQL-injection exploitation.

N.B: The report system will be improved soon.

At this time wpoison is in alpha stage, and will be improved.

BUGS:
  - incorrect handling of redirection messages.
  - doesn't analyse headers.
  - severe performance problem due to stupid use of regexec().
  - incorrect handling of 'radio' <input> values.
  - ...

Please send feedback or any suggestions to meadele@nerim.net or mm@bzero.net

--
M.Meadele
mm@bzero.net
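The one-argument-at-a-time substitution described under "How does this work ?" leaves a recognisable footprint in a web server's access log: the same path requested repeatedly with exactly one parameter value swapped for SQL metacharacters while the others stay fixed. The following detector for that pattern is an added example for site administrators, not part of wpoison; the Apache-style log lines are constructed, and the metacharacter set is an assumption standing in for whatever strings poison.sig drives.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2004:10:00:01 +0000] "GET /forum/forum.asp?FORUM_ID=3&CAT_ID=1 HTTP/1.0" 200 512
10.0.0.5 - - [03/Mar/2004:10:00:02 +0000] "GET /forum/forum.asp?FORUM_ID=%27&CAT_ID=1 HTTP/1.0" 500 210
10.0.0.5 - - [03/Mar/2004:10:00:03 +0000] "GET /forum/forum.asp?FORUM_ID=3&CAT_ID=%27 HTTP/1.0" 500 210
10.0.0.5 - - [03/Mar/2004:10:00:04 +0000] "GET /doc.php?aa=bb&cc=dd HTTP/1.0" 200 100
10.0.0.5 - - [03/Mar/2004:10:00:05 +0000] "GET /doc.php?aa=bb&cc=dd%27 HTTP/1.0" 200 100
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumed stand-in for the "known buggy SQL strings" a scanner substitutes.
SQL_META_RE = re.compile(r"['\"]|--|;|/\*")


def parse_request(line):
    """Return (path, {param: value}) for one log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def detect_parameter_sweeps(log_text):
    """Map each path to the set of parameters that were probed one at a time.

    A request counts as a probe when exactly one value contains SQL
    metacharacters and every other value matches an earlier clean request
    to the same path, i.e. the 1°/2° substitution pattern.
    """
    clean = defaultdict(list)   # path -> clean parameter dicts seen so far
    probed = defaultdict(set)   # path -> names of parameters probed
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        path, params = parsed
        dirty = [k for k, v in params.items() if SQL_META_RE.search(v)]
        if not dirty:
            clean[path].append(params)
            continue
        if len(dirty) != 1:
            continue  # several tainted values at once: not this pattern
        k = dirty[0]
        rest = {n: v for n, v in params.items() if n != k}
        if any(k in c and {n: v for n, v in c.items() if n != k} == rest
               for c in clean[path]):
            probed[path].add(k)
    return dict(probed)
```

Running `detect_parameter_sweeps(SAMPLE_LOG)` reports FORUM_ID and CAT_ID for /forum/forum.asp and cc for /doc.php, matching the per-argument report format shown in the README.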