weyne/kaliwiki
1
0
Fork 0
mirror of https://github.com/mubix/kaliwiki.git synced 2025-10-29 16:59:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #76 from pwnwiki/Partial-Web-App

Browse Source 
Partial web app menu (part 1); Much easier to parse. THANK YOU!
This commit is contained in:
WebBreacher
2014-04-21 17:16:04 -04:00
parent c88c16bd23 8a46bfd49d
commit 60dde5d642
5 changed files with 336 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
tools/UATester.md Normal file
View File

@@ -0,0 +1,65 @@
# UATester
Notes
-------
Help Text
-------
```
_/ _/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/_/_/_/ _/_/_/ _/ _/_/_/ _/_/_/_/ _/ _/_/_/ _/_/_/_
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/_/_/_/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/_/_/_/ _/ _/ [v1.06]
_/ User-Agent Tester ?
_/ AKA: Purple Pimp ?
_/ ChrisJohnRiley ?
_/ blog.c22.cc ?
This tool is designed to automatically check a given URL using a list of standard and non-
standard User Agent strings provided by the user (1 per line).
The results of these checks are then reported to the user for further manual analysis where
required. Gathered data includes Response Codes, resulting URL in the case of a 30x response,
MD5 and length of response body, and select Server headers.
Results: When in non-verbose mode, only values that do not match the initial reference connection
are reported to the user. If no results are shown for a specific useragent then all results match
the initial reference connection. If you require a full output of all checks regardless of matches
to the reference, please use the verbose setting.
Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change
Usage .:
-u / --url Complete URL
-f / --file <Path to User Agent file> / If no file is provided, -d options must be present
-s / --single provide single user-agent string (may need to be contained within quotes)
-d / --default Select the UA String type(s) to check. Select 1 or more of the following ?
catagories. (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!])
-o / --output <Path to output file> CSV formated output (FILE WILL BE OVERWRITTEN[!])
-v / --verbose results (Displays full headers for each check) >> Recommended
--debug See debug messages (This isn't the switch you're looking for)
Example .:
./UATester.py -u www.example.com -f ./useragentlist.txt -v
./UATester.py -u https://www.wordpress.com
./UATester.py -u http://www.defaultserver.com -v --debug
./UATester.py -u facebook.com -v -d MDBX
./UATester.py -u https://www.google.com -s "MySpecialUserAgent"
./UATester.py -u blog.c22.cc -d MC -o ./output.csv
```
Example Usage
-------
Links
-------

38
tools/blindelephant.md Normal file
View File

@@ -0,0 +1,38 @@
# blindelephant
Notes
-------
Help Text
-------
```
Usage: BlindElephant.py [options] url appName
Options:
-h, --help show this help message and exit
-p PLUGINNAME, --pluginName=PLUGINNAME
Fingerprint version of plugin (should apply to web app
given in appname)
-s, --skip Skip fingerprinting webpp, just fingerprint plugin
-n NUMPROBES, --numProbes=NUMPROBES
Number of files to fetch (more may increase accuracy).
Default: 15
-w, --winnow If more than one version are returned, use winnowing
to attempt to narrow it down (up to numProbes
additional requests).
-l, --list List supported webapps and plugins
-u, --updateDB Pull latest DB files from
blindelephant.sourceforge.net repo (Equivalent to svn
update on blindelephant/dbs/). May require root if
blindelephant was installed with root.
Use "guess" as app or plugin name to attempt to attempt to
discover which supported apps/plugins are installed.
```
Example Usage
-------
Links
-------

70
tools/plecost.md Normal file
View File

@@ -0,0 +1,70 @@
# plecost
Notes
-------
Help Text
-------
```
////////////////////////////////////////////
// ..................................DMI...
// .............................:MMMM......
// .........................$MMMMM:........
// .........M.....,M,=NMMMMMMMMD...........
// ........MMN...MMMMMMMMMMMM,.............
// .......MMMMMMMMMMMMMMMMM~...............
// .......MMMMMMMMMMMMMMM..................
// ....?MMMMMMMMMMMMMMMN$I.................
// .?.MMMMMMMMMMMMMMMMMMMMMM...............
// .MMMMMMMMMMMMMMN........................
// 7MMMMMMMMMMMMMON$.......................
// ZMMMMMMMMMMMMMMMMMM.......plecost.......
// .:MMMMMMMZ~7MMMMMMMMMO..................
// ....~+:.................................
//
// Plecost - Wordpress finger printer Tool (with threads support) 0.2.2-9-beta
//
// Developed by:
// Francisco Jesus Gomez aka (ffranz@iniqua.com)
// Daniel Garcia Garcia (dani@iniqua.com)
//
// Info: http://iniqua.com/labs/
// Bug report: plecost@iniqua.com
Usage: /usr/bin/plecost [options] [ URL | [-l num] -G]
Google search options:
-l num : Limit number of results for each plugin in google.
-G : Google search mode
Options:
-n : Number of plugins to use (Default all - more than 7000).
-c : Check plugins only with CVE associated.
-R file : Reload plugin list. Use -n option to control the size (This take several minutes)
-o file : Output file. (Default "output.txt")
-i file : Input plugin list. (Need to start the program)
-s time : Min sleep time between two probes. Time in seconds. (Default 10)
-M time : Max sleep time between two probes. Time in seconds. (Default 20)
-t num : Number of threads. (Default 1)
-h : Display help. (More info: http://iniqua.com/labs/)
Examples:
* Reload first 5 plugins list:
plecost -R plugins.txt -n 5
* Search vulnerable sites for first 5 plugins:
plecost -n 5 -G -i plugins.txt
* Search plugins with 20 threads, sleep time between 12 and 30 seconds for www.example.com:
plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt www.example.com
```
Example Usage
-------
Links
-------

114
tools/wpscan.md Normal file
View File

@@ -0,0 +1,114 @@
# wpscan
Notes
-------
Help Text
-------
```_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version v2.3
Sponsored by the RandomStorm Open Source Initiative
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
Help :
Some values are settable in conf/browser.conf.json :
user-agent, proxy, proxy-auth, threads, cache timeout and request timeout
--update Update to the latest revision
--url | -u <target url> The WordPress URL/domain to scan.
--force | -f Forces WPScan to not check if the remote site is running WordPress.
--enumerate | -e [option(s)] Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
If no option is supplied, the default is "vt,tt,u,vp"
--exclude-content-based "<regexp or string>" Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)
--config-file | -c <config file> Use the specified config file
--follow-redirection If the target url has a redirection, it will be followed without asking if you wanted to do so or not
--wp-content-dir <wp content dir> WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed
--wp-plugins-dir <wp plugins dir> Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed
--proxy <[protocol://]host:port> Supply a proxy (will override the one from conf/browser.conf.json).
HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used
--proxy-auth <username:password> Supply the proxy login credentials (will override the one from conf/browser.conf.json).
--basic-auth <username:password> Set the HTTP Basic authentication
--wordlist | -w <wordlist> Supply a wordlist for the password bruter and do the brute.
--threads | -t <number of threads> The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)
--username | -U <username> Only brute force the supplied username.
--help | -h This help screen.
--verbose | -v Verbose output.
Examples :
-Further help ...
ruby ./wpscan.rb --help
-Do 'non-intrusive' checks ...
ruby ./wpscan.rb --url www.example.com
-Do wordlist password brute force on enumerated users using 50 threads ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
-Do wordlist password brute force on the 'admin' username only ...
ruby ./wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
-Enumerate installed plugins ...
ruby ./wpscan.rb --url www.example.com --enumerate p
-Enumerate installed themes ...
ruby ./wpscan.rb --url www.example.com --enumerate t
-Enumerate users ...
ruby ./wpscan.rb --url www.example.com --enumerate u
-Enumerate installed timthumbs ...
ruby ./wpscan.rb --url www.example.com --enumerate tt
-Use a HTTP proxy ...
ruby ./wpscan.rb --url www.example.com --proxy 127.0.0.1:8118
-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby ./wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000
-Use custom content directory ...
ruby ./wpscan.rb -u www.example.com --wp-content-dir custom-content
-Use custom plugins directory ...
ruby ./wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins
-Update ...
ruby ./wpscan.rb --update
-Debug output ...
ruby ./wpscan.rb --url www.example.com --debug-output 2>debug.log
See README for further information.
```
Example Usage
-------
Links
-------

51
webapp/index.md
View File

@@ -1,3 +1,50 @@
# Placeholder # Web Applications
CMS Identification
-----------
* [blindelephant](../tools/blindelephant.md)
* [plecost](../tools/plecost.md)
* [wpscan](../tools/wpscan.md)
Database Exploitation
-----------
* [bbqsql](../tools/bbqsql.md)
* [sqlninja](../tools/sqlninja.md)
* [sqlsus](../tools/sqlsus.md)
IDS/IPS Identification
-----------
* [ua-tester](../tools/UATester.md)
Web Application Fuzzers
-----------
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
Web Application Proxies
-----------
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
Web Crawlers
-----------
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
Web VUlnerability Scanners
-----------
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
* [tool](../tools/foo.md)
This is just a placeholder. Feel free to contribute :)