lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 26 Mar 2008 20:25:04 +0100
From: Tim Kunschke <tim@...mey.homelinux.com>
To: Micheal Cottingham <techie.micheal@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Pangolin v1.2.590 - The best SQLinjector
 you've ever seen

Ok, you are right.

snake@...x2c2 ~ % wget 
http://www.nosec.org/web/index.txt                                                                                                                 
:(
--20:23:14--  http://www.nosec.org/web/index.txt
           => `index.txt'
Auflösen des Hostnamen »www.nosec.org«.... 218.92.8.74
Verbindungsaufbau zu www.nosec.org|218.92.8.74|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 14 [text/plain]

100%[=================================================================================================================================>] 
14            --.--K/s

20:23:14 (556.54 KB/s) - »index.txt« gespeichert [14/14]

snake@...x2c2 ~ % cat index.txt
[85.197.2.156]%


°°°°snake°°°°


Micheal Cottingham schrieb:
> Not yet.
>
> C:\Users\Micheal\Research>wget http://www.nosec.org/web/index.txt
> --15:12:52--  http://www.nosec.org/web/index.txt
>            => `index.txt'
> Resolving www.nosec.org... done.
> Connecting to www.nosec.org[218.92.8.74]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 13 [text/plain]
>
> 100%[====================================>] 13            12.70K/s    ETA 00:00
>
> 15:12:52 (12.70 KB/s) - `index.txt' saved [13/13]
>
>
> C:\Users\Micheal\Research>cat index.txt
> [84.203.3.20]
> C:\Users\Micheal\Research>
>
> A previous attempt got me this:
>
> 7453375[61.178.20.90]
>
> On Wed, Mar 26, 2008 at 2:33 PM, Ricardo Giorgi
> <skydiver@...ldata.com.br> wrote:
>   
>> Hi Folks,
>>
>> Just for curiosity, did anyone of this list already tried to do a reverse
>> engineering of the Pangolin's code ?
>>
>> Ricardo
>>
>>
>>     
>>> Not me, although I did looked at it. I thought great, kiddies are going to
>>>       
>> love this
>>     
>>> Sent from my BlackBerryÂ(R) smartphone with SprintSpeed
>>>       
>>> -----Original Message-----
>>> From: davidrook <david.rook@...lexpayments.com>
>>>
>>> Date: Wed, 26 Mar 2008 17:23:03
>>> To:Razi Shaban <razishaban@...il.com>
>>> Cc:full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com
>>> Subject: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL
>>> injector you've ever seen
>>>
>>>
>>> I wonder how many readers of this list now have a backdoor on their
>>> machine...........
>>>
>>> Razi Shaban wrote:
>>>       
>>>> Hmm...
>>>> Backdoors eh?
>>>>
>>>> Nice try.
>>>>
>>>> --
>>>> razi
>>>>
>>>> On 3/26/08, A. Ramos <aramosf@...ec.net> wrote:
>>>>
>>>>         
>>>>> Take a look over:
>>>>> http://www.virustotal.com/analisis/0603d534b0128bf81ec57a8ab00e145c
>>>>>
>>>>>
>>>>>
>>>>> 2008/3/26 <zwell@...u.com>:
>>>>>
>>>>>
>>>>>           
>>>>>>
>>>>>> Pangolin is a GUI tool running on Windows to perform as more as
>>>>>>             
>> possible
>>     
>>>>>> pen-testing through SQL injection. This version now supports following
>>>>>> databases and operations:
>>>>>>
>>>>>> * MSSQL : Server informations, Datas, CMD execute, Regedit, Write
>>>>>>             
>> file,
>>     
>>>>>> Download file, Read file, File Browser...
>>>>>> * MYSQL : Server informations, Datas, Read file, Write file...
>>>>>> * ORACLE : Server informations, Datas, Accounts cracking...
>>>>>> * PGSQL : Server informations, Datas, Read file...
>>>>>> * DB2 : Server informations, Datas, ...
>>>>>> * INFORMIX : Server informations, Datas, ...
>>>>>> * SQLITE : Server informations, Datas, ...
>>>>>> * ACCESS : Server informations, Datas, ...
>>>>>> * SYBASE : Server informations, Datas, ...
>>>>>> etc.
>>>>>>
>>>>>> And supports:
>>>>>> * HTTPS support
>>>>>> * Pre-Login
>>>>>> * Proxy
>>>>>> * Specify any HTTP headers(User-agent, Cookie, Referer and so on)
>>>>>> * Bypass firewall setting
>>>>>> * Auto-analyzing keyword
>>>>>> *
>>>>>>             
>> Detailed check optio ns
>>     
>>>>>> * Injection-points management
>>>>>> etc.
>>>>>>
>>>>>> What's the differents to the others?
>>>>>> * Easy-of-use : What I try to do is making pen-tester more care about
>>>>>> result, not the process. All you should do is clicking the buttons.
>>>>>> * Amazing Speed : so many people told you things about brute sql
>>>>>>             
>> injection,
>>     
>>>>>> is it really necessary? Forget char-by-char, we can row-by-row(of
>>>>>>             
>> cource,
>>     
>>>>>> not every injection-point can do this)?
>>>>>> * The exact check mothod : do you really think automated tools like
>>>>>> AWVS,APPSCAN can find all injection-points?
>>>>>>
>>>>>> So, whatever, just check it out, and then enjoy your feeling ;)
>>>>>> More information : http://www.nosec.org/web/index.php?q=pangolin
>>>>>> Download : http://seclab.nosec.org/security/pangolin_bin.rar
>>>>>>
>>>>>>
>>>>>>             
>> Declare: Pangolin is designed for security testing by pen-tester when he has
>>     
>>>>>> been authorized. DO NOT attack any website viciously or accept the
>>>>>> consequences!!!
>>>>>>
>>>>>>
>>>>>>
>>>>>> ________________________________
>>>>>>
>>>>>> 2008å¹´è–ªæ°´ç¿»å€ æŠ€å·§
>>>>>> *ç"¨æ œç‹—拼音写é‚(R)件,ä½"éªŒæ›´æµ ç•…çš„ä¸­æ–‡è¾"å…¥>>
>>>>>>             
>>>>>           
>>>>>> _______________________________________________
>>>>>>             
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>>             
>>>>>
>>>>>
>>>>> --
>>>>> Alejandro Ramos / Alex -- (aramosf@...ec.net)
>>>>> molling://CISSP/GWAS/CISA
>>>>> http://www.unsec.net
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>           
>>> --
>>> David Rook | david.rook@...lexpayments.com
>>> Information Security Analyst
>>>
>>> Realex Payments
>>> Enabling thousands of businesses to sell online.
>>>
>>> Realex Payments, Dublin, www.realexpayments.com
>>> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
>>> Tel:             +353 (0)1 2808 559        Fax: +353 (0)1 2808 538
>>>
>>> Realex Payments, London, www.realexpayments.co.uk
>>> 1 Hammersmith Grove, London W6 0NB, England
>>> Tel:             +44 (0)203 178 5370        Fax: +44 (0)207 691 7264
>>>
>>> Pay and Shop Limited, trading as Realex Payments has its registered office
>>>       
>> at
>>     
>>> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is
>>>       
>> registered in Ireland,
>>     
>>> company number 324929.
>>>
>>> This mail and any documents attached are classified as confidential and
>>> are intended for use by the addressee(s) only unless otherwise
>>> indicated. If you are not an intended recipient of this email, you must
>>> not use, disclose, copy, distribute or retain this message or any part
>>> of it. If you have received this email in error, please notify us
>>> immediately and delete all copies of this email from your computer
>>> system(s).
>>> --
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>       
>> _______________________________________________
>>  Full-Disclosure - We believe in it.
>>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>  Hosted and sponsored by Secunia - http://secunia.com/
>>
>>     
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ