Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- From: Tim Kunschke <tim@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 20:25:04 +0100
Ok, you are right.
snake@alix2c2 ~ % wget
http://www.nosec.org/web/index.txt
:(
--20:23:14-- http://www.nosec.org/web/index.txt
=> `index.txt'
Auflösen des Hostnamen »www.nosec.org«.... 218.92.8.74
Verbindungsaufbau zu www.nosec.org|218.92.8.74|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 14 [text/plain]
100%[=================================================================================================================================>]
14 --.--K/s
20:23:14 (556.54 KB/s) - »index.txt« gespeichert [14/14]
snake@alix2c2 ~ % cat index.txt
[85.197.2.156]%
°°°°snake°°°°
Micheal Cottingham schrieb:
Not yet.
C:\Users\Micheal\Research>wget http://www.nosec.org/web/index.txt
--15:12:52-- http://www.nosec.org/web/index.txt
=> `index.txt'
Resolving www.nosec.org... done.
Connecting to www.nosec.org[218.92.8.74]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13 [text/plain]
100%[====================================>] 13 12.70K/s ETA 00:00
15:12:52 (12.70 KB/s) - `index.txt' saved [13/13]
C:\Users\Micheal\Research>cat index.txt
[84.203.3.20]
C:\Users\Micheal\Research>
A previous attempt got me this:
7453375[61.178.20.90]
On Wed, Mar 26, 2008 at 2:33 PM, Ricardo Giorgi
<skydiver@xxxxxxxxxxxxxxx> wrote:
Hi Folks,
Just for curiosity, did anyone of this list already tried to do a reverse
engineering of the Pangolin's code ?
Ricardo
Not me, although I did looked at it. I thought great, kiddies are going tolove this
Sent from my BlackBerryÂ(R) smartphone with SprintSpeedpossible
-----Original Message-----
From: davidrook <david.rook@xxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Mar 2008 17:23:03
To:Razi Shaban <razishaban@xxxxxxxxx>
Cc:full-disclosure@xxxxxxxxxxxxxxxxx, webappsec@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL
injector you've ever seen
I wonder how many readers of this list now have a backdoor on their
machine...........
Razi Shaban wrote:
Hmm...
Backdoors eh?
Nice try.
--
razi
On 3/26/08, A. Ramos <aramosf@xxxxxxxxx> wrote:
Take a look over:
http://www.virustotal.com/analisis/0603d534b0128bf81ec57a8ab00e145c
2008/3/26 <zwell@xxxxxxxx>:
Pangolin is a GUI tool running on Windows to perform as more as
file,pen-testing through SQL injection. This version now supports following
databases and operations:
* MSSQL : Server informations, Datas, CMD execute, Regedit, Write
Detailed check optio nsDownload file, Read file, File Browser...
* MYSQL : Server informations, Datas, Read file, Write file...
* ORACLE : Server informations, Datas, Accounts cracking...
* PGSQL : Server informations, Datas, Read file...
* DB2 : Server informations, Datas, ...
* INFORMIX : Server informations, Datas, ...
* SQLITE : Server informations, Datas, ...
* ACCESS : Server informations, Datas, ...
* SYBASE : Server informations, Datas, ...
etc.
And supports:
* HTTPS support
* Pre-Login
* Proxy
* Specify any HTTP headers(User-agent, Cookie, Referer and so on)
* Bypass firewall setting
* Auto-analyzing keyword
*
injection,* Injection-points management
etc.
What's the differents to the others?
* Easy-of-use : What I try to do is making pen-tester more care about
result, not the process. All you should do is clicking the buttons.
* Amazing Speed : so many people told you things about brute sql
cource,is it really necessary? Forget char-by-char, we can row-by-row(of
Declare: Pangolin is designed for security testing by pen-tester when he hasnot every injection-point can do this)?
* The exact check mothod : do you really think automated tools like
AWVS,APPSCAN can find all injection-points?
So, whatever, just check it out, and then enjoy your feeling ;)
More information : http://www.nosec.org/web/index.php?q=pangolin
Download : http://seclab.nosec.org/security/pangolin_bin.rar
at--been authorized. DO NOT attack any website viciously or accept the
consequences!!!
________________________________
2008å¹´è–ªæ°´ç¿»å€ æŠ€å·§
*ç"¨æ œç‹—拼音写é‚(R)件,ä½"éªŒæ›´æµ ç•…çš„ä¸æ–‡è¾"å…¥>>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Alejandro Ramos / Alex -- (aramosf@xxxxxxxxx)
molling://CISSP/GWAS/CISA
http://www.unsec.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
David Rook | david.rook@xxxxxxxxxxxxxxxxxx
Information Security Analyst
Realex Payments
Enabling thousands of businesses to sell online.
Realex Payments, Dublin, www.realexpayments.com
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538
Realex Payments, London, www.realexpayments.co.uk
1 Hammersmith Grove, London W6 0NB, England
Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264
Pay and Shop Limited, trading as Realex Payments has its registered office
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and isregistered in Ireland,
company number 324929._______________________________________________
This mail and any documents attached are classified as confidential and
are intended for use by the addressee(s) only unless otherwise
indicated. If you are not an intended recipient of this email, you must
not use, disclose, copy, distribute or retain this message or any part
of it. If you have received this email in error, please notify us
immediately and delete all copies of this email from your computer
system(s).
--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- References:
- [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen
- From: zwell
- Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen
- From: A. Ramos
- Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen
- From: Razi Shaban
- Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen
- From: davidrook
- Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- From: josh
- Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- From: Micheal Cottingham
- [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen
- Prev by Date: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- Next by Date: [Full-disclosure] Multiple vulnerabilities in solidDB 06.00.1018
- Previous by thread: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- Next by thread: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQLinjector you've ever seen
- Index(es):
