You are currently browsing the Sleeping Sheep Hackers… blog archives for the day 22.10.2009.
22.10.2009 by matti.
http://www.packetstormsecurity.org/assess/exploits/
http://www.milw0rm.com/
http://www.securiteam.com/exploits/
http://www.securityfocus.com/vulnerabilities
http://www.securityforest.com/cgi-bin/viewcvs.cgi/ExploitTree/
http://securityvulns.com/exploits/
http://osvdb.org/
http://www.vupen.com/english/security-advisories/
http://www.red-database-security.com/exploits/oracle_exploits.html
http://www.joomlaexploit.com/
Posted in link, hacking
22.10.2009 by matti.
I saw a post on mumbix's blog and on http://cktricky.blogspot.com/2009/10/btod-importing-nikto-db-to-intruder.html. Basically it is about how to extract the nikto db into a file to load into Burp. Whilst the extracting is nice:
cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt
(My version would probably be more like this:
cat db_tests | cut -d "," -f 4 | sed s/^\"//g | sed s/\"$//g | grep -Ev "^@" > file.txt )
my point is that I do not get it at all. I might understand running nikto via Burp to save a complete logfile in one place, but that is it. If I want to change the nikto headers, I will do so in the source code. So why would I load tests for files being present on the web server into Burp if nikto already does it? It is not that I would start to use Intruder to search for such things…
Any suggestions?
Posted in hacking