A new and updated version, RIPS v0.32, is out and ready for action. You can find our first post regarding RIPS here.
RIPS is a static source code analyser for vulnerabilities in PHP web applications.
It was released during the Month of PHP Security.
RIPS is written in PHP itself and can be controlled by a web interface.
Some features:
- detect XSS, SQLi, File disclosure, LFI/RFI, RCE vulnerabilities and more
- 5 verbosity levels for debugging your scan results
- mark vulnerable lines in source code viewer
- highlight specific variables in source code viewer
- user-defined function code by mouse-over on detected call
- list of all user-defined functions and program entry points (user input) connected to the source code viewer
- create cURL exploits for detected vulnerabilities with a few clicks
- 7 different syntax highlighting colour schemata
- the only requirement is a local web server with PHP and a browser (tested with Opera and Firefox)
Before using it we also recommend reading the paper (HTML, PDF) that the author has submitted, to be aware of the limitations RIPS has, either because of static source code analysis in general or because of the author's implementation of it.
In short: RIPS is not yet ready to be run against big code trees such as WordPress.
Download RIPS 0.32 here
Tagged as: cross-site scripting, RIPS, SQL Injection, xss
This is something I always used to think about and then stop at just thinking! But the author of Shell of the Future has not only thought about it, but done it quite impressively. We used to have to rely on many things and do a lot of work to show that a page was actually vulnerable to cross-site scripting (XSS). Thanks to this tool, it is now very easy to leave behind the ubiquitous alert() when demonstrating an XSS vulnerability to your clients. You can do a lot more!
Shell of the Future is a Reverse Web Shell handler. In other words, it is the browser equivalent of a reverse command shell! Instead of a command prompt from which you type in commands that get executed on the remote computer, you get to browse the victim’s HTTP/HTTPS session from your browser. Even though the site is being browsed from your browser, all the pages are fetched by the victim’s browser by tunneling HTTP over HTTP using HTML5 Cross Origin Requests.
The hijacked session also displays a hovering banner which can be customized, making it the perfect POC for your pentest report. But, how do you browse the victim’s HTTP/HTTPS session from your browser? Simple – you set your browser to use Shell of the Future’s proxy server, start the tool and visit http://127.0.0.1/sotf.console.
This is the architecture of Shell of the Future:

Shell of the Future has two main components:
- Proxy Server:
The pentester’s browser must be configured to use this as its proxy server. The proxy server listens on port 1337 by default. All requests sent by the pentester’s browser are captured by this proxy, which converts them into JSON messages and sends them to the Shell of the Future web server. It regularly polls the web server to check whether responses to those requests are available. If a response is available, the proxy processes the response body to make changes such as adding a banner (if enabled by the user) and sends the response to the pentester’s browser. If the browser is requesting static files such as CSS or JPG files, these are fetched directly from the server. This feature is also configurable and can be turned off if required.
- Web Server:
The web server gets all the requests from the proxy and stores them in a temporary database. When the victim polls the web server, the requests are sent to it. The victim fetches the responses for these requests from the target server and sends them back to the web server, where they are again stored in the database. When the proxy polls the server looking for responses, these responses are sent to it. The web server also serves JavaScript exploits to the victim.
The author has been gracious enough to add two JavaScript exploits for us! They are:
- e1.js
This exploit is the simpler of the two. Once injected into the browser, it polls the Shell of the Future server constantly, checking for any new requests that must be fetched. If any requests are available, these are sent in JSON format. The exploit takes the individual requests from the JSON object, fetches each of them from the server, encodes the response in hex and then sends it over to the Shell of the Future server.
- e2.js
This exploit performs all the functions that e1.js does and in addition has an added feature to increase the lifetime of the injected script. It adds an invisible link to the page and adds an ‘onmousemove’ event handler so that the link is always under the cursor. When the victim clicks anywhere on the page, this link gets clicked and it opens the same site in a new tab.
Transition between these two exploits is hardly noticeable and the victim would continue browsing the site in the new tab while the injected exploit would remain active in the other tab. For the ones with a programming streak, you can include your own e3.js & e4.js JavaScripts and they will be treated as exploits for the tool.
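The behaviour described above, an injected script that polls the handler's web server at a fixed interval from the victim's browser, is what a defender can look for in egress logs. The following Python script is an added example (not part of Shell of the Future or of the original post) that flags low-jitter polling to a single host in a constructed proxy log; the log format, client addresses and hostnames are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress proxy log (not from the original post):
# "<ISO timestamp> <client IP> <method> <destination host> <path>".
SAMPLE_LOG = """\
2010-08-01T10:00:00 10.0.0.5 GET intranet.example.test /home
2010-08-01T10:00:03 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:05 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:07 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:09 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:11 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:12 10.0.0.5 GET intranet.example.test /reports
2010-08-01T10:00:13 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:15 10.0.0.5 GET sotf.example.test /poll
2010-08-01T10:00:41 10.0.0.5 GET intranet.example.test /reports/2
2010-08-01T10:01:20 10.0.0.5 GET intranet.example.test /logout
2010-08-01T10:00:01 10.0.0.7 GET cdn.example.test /app.js
2010-08-01T10:00:30 10.0.0.7 GET cdn.example.test /app.css
2010-08-01T10:02:10 10.0.0.7 GET cdn.example.test /logo.png
"""

def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events

def beacon_score(timestamps):
    """Return (request count, median gap in seconds, jitter = stdev/mean of gaps)."""
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    # Same-second bursts are ordinary page loads, not polling: treat as maximal jitter.
    jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(times), statistics.median(gaps), jitter

def find_beacons(text, min_requests=6, max_jitter=0.2):
    """Flag (client, host) pairs with many requests at a nearly constant interval."""
    flagged = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        count, median_gap, jitter = beacon_score(stamps)
        if jitter <= max_jitter:
            flagged.append((client, host, count, median_gap))
    return flagged

if __name__ == "__main__":
    for client, host, count, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} requests every ~{gap:.0f}s (possible polling)")
```

Human browsing of the intranet host is irregular and is not flagged, while the two-second polling to the handler host is; tune the thresholds to the traffic you actually see.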
As of now, everything is amazing with this tool. Just some caveats:
- Needs .NET Framework 2.0 or above
- If the proxy or the server component must listen on a port less than 1024 then it must be run with administrator privileges.
- Does not properly work with Linux.
- Communication is a bit slow while browsing a victim's session, as it is routed between three points.
Apart from these, we did not find any other problems with the tool.
We know you must be interested in downloading it already! Download Shell of the Future v0.9 here.
Tagged as: cross-site scripting, Shell of the Future, xss
You can find our original post regarding WebCruiser here. Now, WebCruiser version 2.3.2 has been released!
“WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.
It can support scanning websites as well as POC (Proving of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!“
In the past few versions, MySQL PlainText SQL Injection and Oracle PlainText SQL Injection have been added. This version optimizes WebCruiser.
Download WebCruiser version 2.3.2 here
Tagged as: cross-site scripting, SQL Injection, Web Vulnerability Scanner, WebCruiser, xss