Exploiting Web Apps With Commerical Tools

December 3, 2009

For some reason, i never considered core impact an option for web application assessment. But recently i tested the web application RPT module of core impact and found it quite cool. It successfully exploited the Oracle SQL Injection and returned a SQL shell and much to my surprise a OS command shell.

It did the same against the MS-SQL apps too. A closer look at oracle sql injection exploit revealed that core uses the same dbms_export_extension exploit which bsqlbf and pangolin uses. To obtain the shell with one click in a gui is always cool, less geeky though :(.

core-oracle
On the note of using commercial tools, another 2 tools which i have found very useful are:
Burp suite
Netsparker

While everyone knows about burp suite, its small features such as ‘AMF decoding/encoding’, invisible proxy, intruder with regex support, right click-> send to scanner feature etc makes it a perfect tool. The burp scanner’s xss module is just brilliant.

Netsparker is probably a tool which not too many people have heard of. Its an automated web application Its developed by Ferruh Mavituna, who knows this art very well. The tool has so far, given me minimal false positives and at the same time helped in identifying some complex SQL injections you will ever come across(example deep blind injections involving time delays).

More on commercial tools later..

Comments

1 Comment

  • Pierre says:

    I’m using burp pro too and it’s an amazing tool.

    I didn’t have the luck to play with core impact web scanner, but, I m used to Acunetix, and to my mind, it’s the best commercial web vulnerability scanner at the moment.(even if it will not drop a shell by exploiting sql injection in Oracle/MSSQL like you show with Core Impact).

    I didn’t knew Netsparker.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback