Posts Tagged ‘python’

Automating SQL Injection with Burp, Sqlmap and GDS Burp API

June 26, 2012

I came across the GDS Burp API, which seems like a very useful tool for parsing Burp Proxy logs. The GDS Burp API exposes a Python object interface to the requests and responses recorded by Burp. The link below provides a very good introduction to the API.

http://blog.gdssecurity.com/labs/2010/8/10/constricting-the-web-the-gds-burp-api.html

I wrote a simple script that uses the API to parse the Burp proxy logs and send the requests to sqlmap, automating SQL injection testing of all GET and POST parameters while skipping every URL without parameters.

1. Clone the GDSSecurity burpee repository: git clone https://github.com/GDSSecurity/burpee.git

2. Download burpSQL.py from https://github.com/milo2012/burpSQL into the burpee folder.

3. Next, configure proxy logging in Burp Suite so that every request is written to a log file.

4. Change the proxy settings of your browser to 127.0.0.1:8080.

5. Crawl the website with the OWASP AJAX Crawling Tool, spider it with Burp Suite, or browse it manually.

Below are the command line options for burpSQL:

6. The above is pretty self-explanatory. If your Burp proxy log is cluttered with URLs from multiple domains, you can restrict the SQL injection testing to specific domains using the --domain switch.
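As an added example (not burpSQL itself and not the GDS Burp API), here is the core of that workflow in plain Python: parse a Burp proxy log, keep only the requests that carry GET or POST parameters, apply a domain filter like burpSQL's --domain switch, and build the sqlmap command line for each. The log layout and the sample entries are constructed assumptions (a simplified form of Burp's proxy log), so adapt the banner regex to your own log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the simplified Burp proxy-log layout assumed here:
# a "<time>  <url>  [<ip>]" banner between '=' separators, then the raw request.
SAMPLE_LOG = """\
==========
10:32:11 AM  http://shop.example.com:80  [203.0.113.5]
==========
GET /search?q=shoes&page=2 HTTP/1.1
==========
10:32:14 AM  http://shop.example.com:80  [203.0.113.5]
==========
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user=alice&pass=secret
==========
10:32:20 AM  http://cdn.example.net:80  [203.0.113.9]
==========
GET /static/app.js HTTP/1.1
==========
"""
BANNER = re.compile(r"^\d{1,2}:\d{2}:\d{2}(?: [AP]M)?\s+(https?://\S+)\s+\[[^\]]*\]$")

def parse_burp_log(text):
    """Yield (base_url, raw_request) pairs; each request inherits the banner before it."""
    base = None
    for part in (p.strip("\n") for p in re.split(r"^=+$", text, flags=re.M)):
        m = BANNER.match(part.strip())
        if m:
            base = m.group(1)
        elif base and part.strip():
            yield base, part

def sqlmap_targets(text, domain=None):
    """One sqlmap argv per request with GET/POST parameters; 'domain' mirrors --domain."""
    cmds = []
    for base, raw in parse_burp_log(text):
        head, _, body = raw.partition("\n\n")          # request line + headers, then body
        method, path = head.splitlines()[0].split()[:2]
        body = body.strip()
        # GET parameters from the query string, plus form-encoded POST parameters
        params = parse_qsl(urlsplit(path).query) + (parse_qsl(body) if method == "POST" else [])
        scheme, host = urlsplit(base).scheme, urlsplit(base).hostname
        if not params or (domain and host != domain):
            continue                                   # skip parameter-less URLs, other domains
        cmd = ["sqlmap", "-u", f"{scheme}://{host}{path}", "--batch"]
        cmds.append(cmd + (["--data", body] if method == "POST" and body else []))
    return cmds
```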

Drop me a message if you have any suggestions or comments. Thank you!

Cracking hashes using findmyhash

January 24, 2012

Hashcat (http://hashcat.net/hashcat/) is definitely the tool to use for cracking hashes. It is quite possible, though, that the hash has already been cracked by others online.

Therefore, it may be more convenient to look the hash up with the free online services before even trying to crack it with Hashcat.

findmyhash is a very useful tool for cracking hashes using free online lookup services.

Most of the password dumps have been appearing on websites like Pastebin.com, so findmyhash becomes even more useful if it can find and crack the MD5/SHA1 hashes located at a website link such as a Pastebin paste. I have submitted a patch to https://code.google.com/p/findmyhash/issues/detail?id=7 for this new feature.

Every lookup sends the hash to a third-party service, so if you are not comfortable with another party knowing about the hashes, skip findmyhash altogether and go straight to Hashcat instead.
