diff --git a/tools/UATester.md b/tools/UATester.md new file mode 100644 index 0000000..e436b31 --- /dev/null +++ b/tools/UATester.md 
@@ -0,0 +1,65 @@ +# UATester + +Notes +------- + +Help Text +------- +``` + + _/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ + _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ + _/ _/ _/_/_/_/ _/_/_/ _/ _/_/_/ _/_/_/_/ _/ _/_/_/ _/_/_/_ + _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ + _/_/_/_/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/_/_/_/ _/ _/ [v1.06] + + _/ User-Agent Tester ? + _/ AKA: Purple Pimp ? + _/ ChrisJohnRiley ? + _/ blog.c22.cc ? + + + + This tool is designed to automatically check a given URL using a list of standard and non- + standard User Agent strings provided by the user (1 per line). + + The results of these checks are then reported to the user for further manual analysis where + required. Gathered data includes Response Codes, resulting URL in the case of a 30x response, + MD5 and length of response body, and select Server headers. + + Results: When in non-verbose mode, only values that do not match the initial reference connection + are reported to the user. If no results are shown for a specific useragent then all results match + the initial reference connection. If you require a full output of all checks regardless of matches + to the reference, please use the verbose setting. + + Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change + + Usage .: + -u / --url Complete URL + -f / --file / If no file is provided, -d options must be present + -s / --single provide single user-agent string (may need to be contained within quotes) + -d / --default Select the UA String type(s) to check. Select 1 or more of the following ? + catagories. 
(M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!]) + + -o / --output CSV formated output (FILE WILL BE OVERWRITTEN[!]) + -v / --verbose results (Displays full headers for each check) >> Recommended + --debug See debug messages (This isn't the switch you're looking for) + + + Example .: + + ./UATester.py -u www.example.com -f ./useragentlist.txt -v + ./UATester.py -u https://www.wordpress.com + ./UATester.py -u http://www.defaultserver.com -v --debug + ./UATester.py -u facebook.com -v -d MDBX + ./UATester.py -u https://www.google.com -s "MySpecialUserAgent" + ./UATester.py -u blog.c22.cc -d MC -o ./output.csv + +``` + +Example Usage +------- + +Links +------- + diff --git a/tools/blindelephant.md b/tools/blindelephant.md new file mode 100644 index 0000000..4fd479a --- /dev/null +++ b/tools/blindelephant.md @@ -0,0 +1,38 @@ +# blindelephant + +Notes +------- + +Help Text +------- +``` +Usage: BlindElephant.py [options] url appName + +Options: + -h, --help show this help message and exit + -p PLUGINNAME, --pluginName=PLUGINNAME + Fingerprint version of plugin (should apply to web app + given in appname) + -s, --skip Skip fingerprinting webpp, just fingerprint plugin + -n NUMPROBES, --numProbes=NUMPROBES + Number of files to fetch (more may increase accuracy). + Default: 15 + -w, --winnow If more than one version are returned, use winnowing + to attempt to narrow it down (up to numProbes + additional requests). + -l, --list List supported webapps and plugins + -u, --updateDB Pull latest DB files from + blindelephant.sourceforge.net repo (Equivalent to svn + update on blindelephant/dbs/). May require root if + blindelephant was installed with root. + +Use "guess" as app or plugin name to attempt to attempt to +discover which supported apps/plugins are installed. +``` + +Example Usage +------- + +Links +------- + diff --git a/tools/plecost.md b/tools/plecost.md new file mode 100644 index 0000000..33b002c --- /dev/null +++ b/tools/plecost.md 
@@ -0,0 +1,70 @@ +# plecost + +Notes +------- + +Help Text +------- +``` +//////////////////////////////////////////// +// ..................................DMI... +// .............................:MMMM...... +// .........................$MMMMM:........ +// .........M.....,M,=NMMMMMMMMD........... +// ........MMN...MMMMMMMMMMMM,............. +// .......MMMMMMMMMMMMMMMMM~............... +// .......MMMMMMMMMMMMMMM.................. +// ....?MMMMMMMMMMMMMMMN$I................. +// .?.MMMMMMMMMMMMMMMMMMMMMM............... +// .MMMMMMMMMMMMMMN........................ +// 7MMMMMMMMMMMMMON$....................... +// ZMMMMMMMMMMMMMMMMMM.......plecost....... +// .:MMMMMMMZ~7MMMMMMMMMO.................. +// ....~+:................................. +// +// Plecost - Wordpress finger printer Tool (with threads support) 0.2.2-9-beta +// +// Developed by: +// Francisco Jesus Gomez aka (ffranz@iniqua.com) +// Daniel Garcia Garcia (dani@iniqua.com) +// +// Info: http://iniqua.com/labs/ +// Bug report: plecost@iniqua.com + + +Usage: /usr/bin/plecost [options] [ URL | [-l num] -G] + + +Google search options: + -l num : Limit number of results for each plugin in google. + -G : Google search mode + +Options: + -n : Number of plugins to use (Default all - more than 7000). + -c : Check plugins only with CVE associated. + -R file : Reload plugin list. Use -n option to control the size (This take several minutes) + -o file : Output file. (Default "output.txt") + -i file : Input plugin list. (Need to start the program) + -s time : Min sleep time between two probes. Time in seconds. (Default 10) + -M time : Max sleep time between two probes. Time in seconds. (Default 20) + -t num : Number of threads. (Default 1) + -h : Display help. 
(More info: http://iniqua.com/labs/) + +Examples: + + * Reload first 5 plugins list: + plecost -R plugins.txt -n 5 + * Search vulnerable sites for first 5 plugins: + plecost -n 5 -G -i plugins.txt + * Search plugins with 20 threads, sleep time between 12 and 30 seconds for www.example.com: + plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt www.example.com + + +``` + +Example Usage +------- + +Links +------- + diff --git a/tools/wpscan.md b/tools/wpscan.md new file mode 100644 index 0000000..8ac7f88 --- /dev/null +++ b/tools/wpscan.md 
@@ -0,0 +1,114 @@ +# wpscan + +Notes +------- + +Help Text +------- +```_______________________________________________________________ + __ _______ _____ + \ \ / / __ \ / ____| + \ \ /\ / /| |__) | (___ ___ __ _ _ __ + \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ + \ /\ / | | ____) | (__| (_| | | | | + \/ \/ |_| |_____/ \___|\__,_|_| |_| + + WordPress Security Scanner by the WPScan Team + Version v2.3 + Sponsored by the RandomStorm Open Source Initiative + @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ +_______________________________________________________________ + +Help : + +Some values are settable in conf/browser.conf.json : + user-agent, proxy, proxy-auth, threads, cache timeout and request timeout + +--update Update to the latest revision +--url | -u The WordPress URL/domain to scan. +--force | -f Forces WPScan to not check if the remote site is running WordPress. +--enumerate | -e [option(s)] Enumeration. + option : + u usernames from id 1 to 10 + u[10-20] usernames from id 10 to 20 (you must write [] chars) + p plugins + vp only vulnerable plugins + ap all plugins (can take a long time) + tt timthumbs + t themes + vt only vulnerable themes + at all themes (can take a long time) + Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins + If no option is supplied, the default is "vt,tt,u,vp" + +--exclude-content-based "" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied + You do not need to provide the regexp delimiters, but you must write the quotes (simple or double) +--config-file | -c Use the specified config file +--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not +--wp-content-dir WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed +--wp-plugins-dir Same thing than --wp-content-dir but for the plugins directory. 
If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed +--proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json). + HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used +--proxy-auth Supply the proxy login credentials (will override the one from conf/browser.conf.json). +--basic-auth Set the HTTP Basic authentication +--wordlist | -w Supply a wordlist for the password bruter and do the brute. +--threads | -t The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json) +--username | -U Only brute force the supplied username. +--help | -h This help screen. +--verbose | -v Verbose output. + + +Examples : + +-Further help ... +ruby ./wpscan.rb --help + +-Do 'non-intrusive' checks ... +ruby ./wpscan.rb --url www.example.com + +-Do wordlist password brute force on enumerated users using 50 threads ... +ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50 + +-Do wordlist password brute force on the 'admin' username only ... +ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin + +-Enumerate installed plugins ... +ruby ./wpscan.rb --url www.example.com --enumerate p + +-Enumerate installed themes ... +ruby ./wpscan.rb --url www.example.com --enumerate t + +-Enumerate users ... +ruby ./wpscan.rb --url www.example.com --enumerate u + +-Enumerate installed timthumbs ... +ruby ./wpscan.rb --url www.example.com --enumerate tt + +-Use a HTTP proxy ... +ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118 + +-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed) +ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000 + +-Use custom content directory ... +ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content + +-Use custom plugins directory ... 
+ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins + +-Update ... +ruby ./wpscan.rb --update + +-Debug output ... +ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log + +See README for further information. + +``` + +Example Usage +------- + +Links +------- + diff --git a/webapp/index.md b/webapp/index.md index b25d6fb..3d55b3a 100644 --- a/webapp/index.md +++ b/webapp/index.md @@ -1,3 +1,50 @@ -# Placeholder +# Web Applications + +CMS Identification +----------- + + * [blindelephant](../tools/blindelephant.md) + * [plecost](../tools/plecost.md) + * [wpscan](../tools/wpscan.md) + +Database Exploitation +----------- + + * [bbqsql](../tools/bbqsql.md) + * [sqlninja](../tools/sqlninja.md) + * [sqlsus](../tools/sqlsus.md) + +IDS/IPS Identification +----------- + + * [ua-tester](../tools/UATester.md) + + +Web Application Fuzzers +----------- + + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + +Web Application Proxies +----------- + + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + +Web Crawlers +----------- + + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + +Web VUlnerability Scanners +----------- + + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) + * [tool](../tools/foo.md) -This is just a placeholder. Feel free to contribute :)
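Review bot: the Notes, Example Usage and Links sections under `# UATester` in `tools/UATester.md` are empty headings with nothing beneath them; either fill them (the banner names `blog.c22.cc` as the author's site, which belongs under Links, and the help output already carries six example invocations that could seed Example Usage) or drop the empty headings until there is content. Also, several characters in the pasted banner and in the `-d / --default` description came through as `?` (for instance `_/ User-Agent Tester ?` and `Select 1 or more of the following ?`), which suggests a mis-encoded copy; re-paste the help output as UTF-8 so the page does not ship garbled text.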
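Review bot: the same empty-section problem applies to `tools/blindelephant.md`, where Notes, Example Usage and Links are headings with no body. The help text gives a starting point for both: `blindelephant.sourceforge.net` for Links, and the `-u, --updateDB` option deserves a Notes entry because it pulls DB files over the network and, as the help itself warns, "May require root if blindelephant was installed with root", which a reader should know before running it on a shared host.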
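Review bot: the Notes, Example Usage and Links sections in `tools/plecost.md` are empty even though the pasted help output already contains the material for them: `Info: http://iniqua.com/labs/` and the bug-report address for Links, and the three worked invocations at the end of the help (`plecost -R plugins.txt -n 5`, the `-G` Google search example and the threaded scan of www.example.com) for Example Usage. A short Notes entry on the defaults stated in the help (sleep between probes 10 to 20 seconds, `-t` defaulting to 1 thread, `-n` defaulting to all of the more than 7000 plugins) would save readers from digging through the banner.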
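Review bot: the opening code fence in `tools/wpscan.md` has the banner's first line (the long run of underscores) on the same line as the three backticks, so Markdown treats that underscore rule as the fence's info string and drops it from the rendered block. Put a line break after the backticks so the banner renders intact, matching the other three tool pages in this change. The Notes, Example Usage and Links headings here are also empty; the remark that user-agent, proxy, proxy-auth, threads, cache timeout and request timeout are settable in `conf/browser.conf.json` is obvious Notes material, and the closing "See README for further information" line points at what Links should carry.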
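Review bot: the twelve `[tool](../tools/foo.md)` entries under Web Application Fuzzers, Web Application Proxies, Web Crawlers and Web VUlnerability Scanners in `webapp/index.md` are placeholders pointing at a file this change does not add, so they render as dead links; either list the actual tools or leave those headings with a single "to be added" line rather than fake entries. Fix the heading typo `Web VUlnerability Scanners` (capital U) while there, and confirm that `../tools/bbqsql.md`, `../tools/sqlninja.md` and `../tools/sqlsus.md` exist in the repository, since this patch only adds the UATester, blindelephant, plecost and wpscan pages. The IDS/IPS Identification entry is labelled `ua-tester` while the page it links to is titled `# UATester`; pick one spelling so the index and the page agree.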