Date: Wed, 26 Mar 2008 15:18:27 -0400
From: "Micheal Cottingham" <techie.micheal@...il.com>
To: "Ricardo Giorgi" <skydiver@...ldata.com.br>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Pangolin v1.2.590 - The best SQLinjector
	you've ever seen

Not yet.

C:\Users\Micheal\Research>wget http://www.nosec.org/web/index.txt
--15:12:52--  http://www.nosec.org/web/index.txt
           => `index.txt'
Resolving www.nosec.org... done.
Connecting to www.nosec.org[218.92.8.74]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13 [text/plain]

100%[====================================>] 13            12.70K/s    ETA 00:00

15:12:52 (12.70 KB/s) - `index.txt' saved [13/13]


C:\Users\Micheal\Research>cat index.txt
[84.203.3.20]
C:\Users\Micheal\Research>

A previous attempt got me this:

7453375[61.178.20.90]

On Wed, Mar 26, 2008 at 2:33 PM, Ricardo Giorgi
<skydiver@...ldata.com.br> wrote:
>
>
> Hi Folks,
>
> Just out of curiosity, has anyone on this list already tried to reverse
> engineer Pangolin's code?
>
> Ricardo
>
>
> > Not me, although I did look at it. I thought great, kiddies are going to love this
> > Sent from my BlackBerry(R) smartphone with SprintSpeed
>
> >
> > -----Original Message-----
> > From: davidrook <david.rook@...lexpayments.com>
> >
> > Date: Wed, 26 Mar 2008 17:23:03
> > To:Razi Shaban <razishaban@...il.com>
> > Cc:full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com
> > Subject: Re: [Full-disclosure] Pangolin v1.2.590 - The best SQL
> > injector you've ever seen
> >
> >
> > I wonder how many readers of this list now have a backdoor on their
> > machine...........
> >
> > Razi Shaban wrote:
> >> Hmm...
> >> Backdoors eh?
> >>
> >> Nice try.
> >>
> >> --
> >> razi
> >>
> >> On 3/26/08, A. Ramos <aramosf@...ec.net> wrote:
> >>
> >>> Take a look over:
> >>> http://www.virustotal.com/analisis/0603d534b0128bf81ec57a8ab00e145c
> >>>
> >>>
> >>>
> >>> 2008/3/26 <zwell@...u.com>:
> >>>
> >>>
> >>> >
> >>> >
> >>> >
> >>> > Pangolin is a GUI tool running on Windows to perform as much pen-testing
> >>> > as possible through SQL injection. This version now supports the following
> >>> > databases and operations:
> >>> >
> >>> > * MSSQL : Server informations, Datas, CMD execute, Regedit, Write file,
> >>> > Download file, Read file, File Browser...
> >>> > * MYSQL : Server informations, Datas, Read file, Write file...
> >>> > * ORACLE : Server informations, Datas, Accounts cracking...
> >>> > * PGSQL : Server informations, Datas, Read file...
> >>> > * DB2 : Server informations, Datas, ...
> >>> > * INFORMIX : Server informations, Datas, ...
> >>> > * SQLITE : Server informations, Datas, ...
> >>> > * ACCESS : Server informations, Datas, ...
> >>> > * SYBASE : Server informations, Datas, ...
> >>> > etc.
> >>> >
> >>> > And supports:
> >>> > * HTTPS support
> >>> > * Pre-Login
> >>> > * Proxy
> >>> > * Specify any HTTP headers(User-agent, Cookie, Referer and so on)
> >>> > * Bypass firewall setting
> >>> > * Auto-analyzing keyword
> >>> > * Detailed check options
> >>> > * Injection-points management
> >>> > etc.
> >>> >
> >>> > What's the difference from the others?
> >>> > * Ease of use : What I try to do is make the pen-tester care more about the
> >>> > result, not the process. All you should do is click the buttons.
> >>> > * Amazing Speed : so many people told you things about brute sql injection,
> >>> > is it really necessary? Forget char-by-char, we can go row-by-row (of course,
> >>> > not every injection-point can do this)?
> >>> > * The exact check method : do you really think automated tools like
> >>> > AWVS, APPSCAN can find all injection-points?
> >>> >
> >>> > So, whatever, just check it out, and then enjoy your feeling ;)
> >>> > More information : http://www.nosec.org/web/index.php?q=pangolin
> >>> > Download : http://seclab.nosec.org/security/pangolin_bin.rar
> >>> >
> >>> >
> >>> > Declare: Pangolin is designed for security testing by pen-tester when he has
> >>> > been authorized. DO NOT attack any website viciously or accept the
> >>> > consequences!!!
> >>> >
> >>> >
> >>> >
> >>>
> >>>
> >>> > _______________________________________________
> >>> > Full-Disclosure - We believe in it.
> >>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> > Hosted and sponsored by Secunia - http://secunia.com/
> >>> >
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Alejandro Ramos / Alex -- (aramosf@...ec.net)
> >>> molling://CISSP/GWAS/CISA
> >>> http://www.unsec.net
> >>>
> >
> > --
> > David Rook | david.rook@...lexpayments.com
> > Information Security Analyst
> >
> > Realex Payments
> > Enabling thousands of businesses to sell online.
> >
> > Realex Payments, Dublin, www.realexpayments.com
> > Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> > Tel:             +353 (0)1 2808 559        Fax: +353 (0)1 2808 538
> >
> > Realex Payments, London, www.realexpayments.co.uk
> > 1 Hammersmith Grove, London W6 0NB, England
> > Tel:             +44 (0)203 178 5370        Fax: +44 (0)207 691 7264
> >
>
>
