xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
添加工具English Version

wpoison-dev.tgz


提交时间:2004-03-03
提交用户:NJUE
工具分类:扫 描 器
运行平台:Unix/Linux
工具大小:21280 Bytes
文件MD5 :a3f98ae45b8cfdcd96d13c73b76bc2ad

** wpoison, web stress tool.
http://wpoison.sourceforge.net


What is wpoison ?
Wpoison is a tool primary designed for pen-testers and/or system administrators.
The objective of this tool is to find any potential SQL-Injection vulnerabilities
in dynamic web documents which deals with databases: php, asp, etc..

How does this work ?
This is quite simple, wpoison fetch the document you want to scan, and extracts any urls
in <a> and <form> tags.
Any url that contains arguments (eg: /doc.php?aa=bb&cc=dd) will be stress tested
this way:
   each value of any arguments are replaced with known buggy SQL strings, in order
   to make the remote database print errors on the document.
   For example:
       /doc.php?aa=bb&cc=dd will be stressed like this:
   1° /doc.php?aa=BAD_VALUE&cc=dd
   2° /doc.php?aa=bb&cc=BAD_VALUE
   After each poisoned request, the HTTP reply is analysed for finding common
   SQL error strings.
   If any string match, this document is flagged as vulnerable.

   SQL error strings are stored in a signature file (poison.sig), it becomes
   easy for anyone to add is own signatures for a particular web application.
   (see poison.sig for more details).

Wpoison is based on thoses excelent white papers:
    The SPI Labs whitepaper on SQL injection :
       (http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf)
    Chris Anley 's white paper :
       (http://www.ngssoftware.com/papers/advanced_sql_injection.pdf)

Compiling wpoison.
wpoison is known to compile on FreeBSD and Linux plateform.
For now, you need to have [f]lex installed, and gcc.
Just run `make`.
Please report compilation problems at meadele@nerim.net or mm@bzero.net.

Using wpoison.
The simplest way to use wpoison is to run:
   $ wpoison http://www.somewhere.tld/page.php
or $ wpoison my-web.tld
or $ wpoison "www.my.tld/page.php?aa=bb&cc=dd"

This will stress test any urls in the link you provided.
It's important to note that wpoison *does not* follow links that are outside your domain.

Sometimes, it's usefull to force the values of the cookie, if your website deals with some
internal authentification:
$ ./wpoison -C "sessionhash=123456789; path=/" -C "ID=meadele; path=/myforum" www.my-web.tld
Note that the -C option takes a full "Set-Cookie" header value.
If the -C option is missing, wpoison will use the original cookie of your document for each test.

When the scan is done it will print out the result, this example show the
result of a scan on a vulnerable Snitz asp forum:

[***] report:
    40 links tested:
     __ /forum/forum.asp    [Possible SQL-injection detected]
       |___ FORUM_ID * * * * * *
       |___ CAT_ID * * * * * * *
       |___ Forum_Title
    1 potential security problems found
[**] done

This means that FORUM_ID and CAT_ID arguments *may* be used for SQL-Injection exploitation.
N.B: The report system will be improved soon.

At this time wpoison is in alpha stage, and will be improved.

BUGS:
- incorrect handling of redirection messages.
- doesn't analyse headers.
- sever performance problem due to stupid use of regexec().
- incorrect handling of 'radio' <input> values.
- ...

Please send feedback or any suggestions to meadele@nerim.net or mm@bzero.net

--
M.Meadele
mm@bzero.net

>> 下载 <<