Scrawlr – Tool for finding SQL Injection

October 28, 2009 – 5:56 AM

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names.

Features of Scrawlr

– Identify Verbose SQL Injection vulnerabilities in URL parameters
– Can be configured to use a Proxy to access the web site
– Will identify the type of SQL server in use
– Will extract table names (verbose only) to guarantee no false positives

There is also a list of limitations:

– Will only crawl up to 1500 pages
– Does not support sites requiring authentication
– Does not perform Blind SQL injection
– Cannot retrieve database contents
– Does not support JavaScript or Flash parsing
– Will not test forms for SQL Injection (POST Parameters)

Source:
http://pentestit.com/2009/10/28/scrawlr-tool-finding-sql-injection/

Download:
https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?

Mozilla fixes 16 flaws with Firefox 3.5.4

October 28, 2009 – 5:48 AM

Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.

The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.

“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in some of the advisories outlining the most serious flaws.

Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical.

Source:
http://www.networkworld.com/news/2009/102809-mozilla-fixes-16-flaws-with.html

Reverse Hash Calculator

October 26, 2009 – 11:55 AM

This page doesn’t use rainbow tables (yet), but a similar, simpler approach. It uses a database of a couple million pre-compiled hash values. The strings used come from various password databases, and should have a pretty good chance of “hitting” your value. There is an intentional delay in the response to limit the load on our database.

http://isc.sans.org/tools/reversehash.html
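
The precomputed-hash lookup described above, and why a per-user salt with a slow key-derivation function defeats it, shown as an added example (not code from the ISC tool). The wordlist is constructed sample data, and the function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the "password databases"
# the post mentions; a real table would hold millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]
ALGORITHMS = ("md5", "sha1")


def build_table(words, algorithms=ALGORITHMS):
    """Precompute digest -> (algorithm, plaintext) for every word."""
    table = {}
    for word in words:
        for alg in algorithms:
            digest = hashlib.new(alg, word.encode("utf-8")).hexdigest()
            table[digest] = (alg, word)
    return table


def reverse_lookup(table, digest):
    """Return (algorithm, plaintext), or None if the digest was never precomputed."""
    return table.get(digest.strip().lower())


def salted_hash(password, salt=None, iterations=100_000):
    """Hash with a random per-user salt and PBKDF2-HMAC-SHA256.

    The salt makes every stored value unique, so one precomputed table
    cannot serve all users; the iteration count makes rebuilding a table
    per salt expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived.hex()


def verify(password, salt, expected_hex, iterations=100_000):
    """Constant-time check of a candidate password against a stored salted hash."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, expected_hex)


TABLE = build_table(WORDLIST)
```
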

Cain & Abel v4.9.35 released

October 26, 2009 – 8:07 AM

New in 4.9.35:

– Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
– Added Abel64.exe and Abel64.dll to support hashes extraction on x64 operating systems.
– Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.
– Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
– Fixed a bug of RSA SecurID Calculator within XML import function.
– Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
– Executables rebuilt with Visual Studio 2008.
– Added Windows Firewall status detection on startup.
– Added UAC compatibility in Windows Vista/Seven.
– Winpcap library upgrade to version 4.1.1.

Download:
http://www.oxid.it/cain.html

Microsoft Baseline Security Analyzer 2.1.1

October 26, 2009 – 6:36 AM

To easily assess the security state of machines in an environment, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.1.1 builds on previous versions by adding support for Windows 7 and Windows Server 2008 R2. As with the previous MBSA 2.1 release, MBSA includes 64-bit installation, security update and vulnerability assessment (VA) checks, improved SQL Server 2005 checks, and support for the latest Windows Update Agent (WUA) and Microsoft Update technologies. More information on the capabilities of MBSA 2.1 and 2.1.1 is available on the MBSA Web site.

MBSA 2.1.1 runs on Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows 2000 systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. MBSA will also scan for common security misconfigurations (also called Vulnerability Assessment checks) using a known list of less secure settings and configurations for all versions of Windows, Internet Information Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003 only.

To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.

Download:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en