OWST - Orange Web Security Toolkit Documentation
2. This was written for educational purposes.
We are good people. Don't be evil :P
6. Decoder / Encoder
• Text to Hex
• Hex to Text
• URL Encode / Decode
• Base64 Encode / Decode
• MSSQL CHAR()
• JavaScript unescape to C array (for shellcode)
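As an added example (not code from OWST or its author), here is a small Python decoder for the same transforms the slide lists, written from the analyst's side: it peels URL / JavaScript escape(), hex, base64 and MSSQL CHAR() encodings off a logged request parameter so it can be compared against detection rules in plain form. The function names and the sample strings are constructed for this example.

```python
import base64
import re
from urllib.parse import unquote

CHAR_SEQ = re.compile(r'CHAR\((\d+)\)(?:\+CHAR\(\d+\))*', re.IGNORECASE)


def text_to_hex(s: str) -> str:
    """'hi' -> '6869' (UTF-8 bytes as lowercase hex)."""
    return s.encode('utf-8').hex()


def hex_to_text(s: str) -> str:
    """Decode '0x68656c6c6f' / '68 65 6c 6c 6f' style hex back to text."""
    clean = re.sub(r'0x|\s', '', s, flags=re.IGNORECASE)
    return bytes.fromhex(clean).decode('utf-8', errors='replace')


def base64_to_text(s: str) -> str:
    """Decode base64, tolerating stripped '=' padding."""
    padded = s + '=' * (-len(s) % 4)
    return base64.b64decode(padded).decode('utf-8', errors='replace')


def text_to_mssql_char(s: str) -> str:
    """'OR' -> 'CHAR(79)+CHAR(82)' (the MSSQL concatenation form)."""
    return '+'.join(f'CHAR({ord(c)})' for c in s)


def mssql_char_to_text(s: str) -> str:
    """Collapse every CHAR(n)+CHAR(m)... run in s back into literal text."""
    def to_text(m: re.Match) -> str:
        return ''.join(chr(int(n)) for n in re.findall(r'\d+', m.group(0)))
    return CHAR_SEQ.sub(to_text, s)


def js_unescape(s: str) -> str:
    """Undo JavaScript escape(): %uXXXX (BMP code units only) and %XX."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)  # %XX sequences, decoded as UTF-8


def normalize(s: str, max_rounds: int = 3) -> str:
    """Strip up to max_rounds layers of URL/JS escaping, then CHAR() encoding."""
    for _ in range(max_rounds):
        decoded = js_unescape(s)
        if decoded == s:  # no further escape layer present
            break
        s = decoded
    return mssql_char_to_text(s)
```

Double-encoded input such as `%2527` needs two rounds, which is why `normalize` loops until the string stops changing.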
9. SQL Injector
• Currently supported
• Automatically detects the injection type and the database type
• Works with GET / POST
– ACCESS
– MYSQL UNION
– MYSQL BLIND
– MYSQL ERROR BASED
– MSSQL BLIND
– MSSQL ERROR BASED
– ORACLE BLIND
– ORACLE ERROR BASED
– ORACLE UTL_HTTP
10. SQL Injector
• After entering the URL you can choose the injection type and database type yourself; if unsure, leave it on AUTO and the program will detect automatically whether a weakness exists
• After entering the URL, press the Start button to begin
12. SQL Injector
• Tick the tables you need, then press Get Column to retrieve the full column list
15. Advanced SQL Injector
• Currently supported
– MYSQL load_file
– MYSQL into outfile
– MSSQL xp_dirtree
– MSSQL xp_cmdshell
– PHP eval connector
– ASP eval/execute connector
– Struts2 Code Execution
17. Advanced SQL Injector
• MYSQL into outfile
• Enter the URL and the file parameter, then press Start
• p.s. MYSQL root only
• MAGIC_QUOTE = Off
19. Advanced SQL Injector
• MSSQL xp_dirtree
• p.s. db_owner & sysadmin only (Public will be in the next version)