Download here: http://www.immunitysec.com/spike.html Make sure to check
the signature as well. Hopefully you have my key in your ring. If not,
give me a call to verify the fingerprint.

SPIKE Proxy now includes a nice HTTP based GUI. You can browse all
around your target web application, then click "argscan" and it will
attempt to locate SQL injection bugs (or overflows) on the entire site.
You can modify and resubmit specific requests, and display the request
or results of any request.

Downsides: Unlike commercial versions of this kind of application, SPIKE
Proxy does not cost an arm and a leg or have a per-yearly license
restricted to a single site. It also doesn't randomly scan the wrong
sites, use all of your memory, or require a Windows machine (Hacking
from Windows is like invading Iraq in a Honda Civic, imo.) . Also, the
crawl module isn't done yet. This is one of the actual examples from
"core Python Programming" so I expect it won't be too hard if you want
to throw it in.

Upsides: SPIKE Proxy is easy to modify Open Source (GPLv2.0) Python. It
requires only a single module (pyOpenSSL, provided on the SPIKE webpage)
and Python 2.2.

obAdvertisement: I won't be demoing this part of SPIKE specifically at
BlackHat. It's too self-explanatory and SPIKE 2.5 is much more
interesting, I think. Instead, try this out yourself and come to my talk
to see the Exchange 2K 0day! :>

-dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9PG+cB8JNm+PA+iURAuyhAKCSEbwiIZEy/uw+zK7as36kN/hOTgCgtc+W
ybWMZCbG9xOs2BWf6Q6e2/E=
=f4ww
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]