0d1n v3.7 released: a web security tool for fuzzing over HTTP/S
0d1n: web security tool for fuzzing over HTTP
0d1n is an open source web application brute-forcer and fuzzer. Its objective is to automate exhaustive tests that search for anomalies; from another point of view, such an anomaly can be a vulnerability. These tests can target web parameters, files, directories, forms and others.
Why is this tool made in the C language?
- C has a high time cost for writing and debugging, but no pain no gain: it has fast performance, and in addition C runs on any architecture such as MIPS, ARM and others, so mobile implementations can follow in the future. Another benefit of C is that it gives you a good, high-profile path to write optimizations; if you want to write some lines in assembly with AES-NI or SIMD instructions, this is a good choice.
- Why don't you use OOP? In this project I follow the "KISS" principle: http://pt.wikipedia.org/wiki/Keep It Simple
- The C language has a lot of old-school dudes, like kernel hackers.
- Brute force logins and passwords in auth forms
- Directory disclosure (uses a PATH list to brute force and reports the HTTP status code)
- Tests to find SQL injection and XSS vulnerabilities
- Tests to find SSRF
- Tests to find command injection
- Option to load an anti-CSRF token on each request
- Option to use a random proxy per request
- other functions…
- A new resource to show time measurements: the microseconds between request and response are shown in data tables and can be used for blind SQLi and blind XSS attacks…
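The time-measure resource above reports request/response latency in microseconds so that a response that is much slower than the others stands out. The following is an added example, not 0d1n's own code: it times a request with CLOCK_MONOTONIC, computes the baseline median over a constructed set of latencies, and flags a sample whose latency exceeds that median by a chosen absolute delta (the baseline values, the 3 s delta and the placeholder request callback are all assumptions made here).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example (not 0d1n's code): microsecond timing of a request/response
 * pair and an outlier check against a baseline of earlier timings. */

/* Microseconds elapsed between two CLOCK_MONOTONIC timestamps. */
long elapsed_us(const struct timespec *start, const struct timespec *end)
{
    return (end->tv_sec - start->tv_sec) * 1000000L
         + (end->tv_nsec - start->tv_nsec) / 1000L;
}

static int cmp_long(const void *a, const void *b)
{
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* Median of n timings, computed on a sorted copy; returns -1 on failure. */
long median_us(const long *samples, size_t n)
{
    if (n == 0) return -1;
    long *copy = malloc(n * sizeof *copy);
    if (!copy) return -1;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_long);
    long m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Flag a response whose latency exceeds the baseline median by at least
 * min_delta_us. An absolute delta is used rather than a ratio so that a
 * fixed injected delay stands out even when the baseline itself is noisy. */
int is_timing_anomaly(const long *baseline, size_t n, long sample_us, long min_delta_us)
{
    long med = median_us(baseline, n);
    return med >= 0 && (sample_us - med) >= min_delta_us;
}

/* Wrap any request function with two monotonic timestamps; returns microseconds. */
long time_request_us(void (*request)(void *), void *ctx)
{
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    request(ctx);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return elapsed_us(&t0, &t1);
}

/* Placeholder request (assumption): sleeps 2 ms instead of talking to a server. */
static void fake_request(void *ctx)
{
    (void)ctx;
    struct timespec d = { 0, 2000000L };
    nanosleep(&d, NULL);
}

int main(void)
{
    /* Constructed baseline latencies in microseconds (normal responses). */
    long baseline[] = { 41200, 39800, 43100, 40500, 42700 };
    size_t n = sizeof baseline / sizeof baseline[0];
    long slow = 5042000; /* constructed: a response that took about 5 s */

    printf("baseline median: %ld us\n", median_us(baseline, n));
    printf("slow response flagged: %d\n", is_timing_anomaly(baseline, n, slow, 3000000));
    printf("timed placeholder request: %ld us\n", time_request_us(fake_request, NULL));
    return 0;
}
```

Using the median rather than the mean keeps one slow outlier in the baseline from hiding the next one; in practice the delta should be set well above the jitter you observe in the baseline table.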
Requires libcurl-dev (or libcurl-devel on RPM-based Linux).
$ git clone https://github.com/CoolerVoid/0d1n/
libcurl is needed to run:
$ sudo apt-get install libcurl-dev
On an RPM distro:
$ sudo yum install libcurl-devel
Brute force to find a directory
$ 0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response
Note: you can change the number of threads; if you have a good machine, you can try 800, 1200… each machine has a different context.
For SQL injection attack
$ 0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response
Note: tamper is a resource to try to bypass the web application firewall.
To brute force an auth system
$ 0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3
Note: if there is a CSRF token, you can use the command-line options to fetch this token for each request and brute force…
Search for SQLi in hard mode in a login system with a CSRF token:
$ 0d1n --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100
Note: export the cookie jar from your browser and save it as cookies.txt so it can be loaded.
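Two mechanics run through the usage lines above: the `^` marker in the host or POST string is replaced by each payload, and the `--find_string_list` entries are searched for in every response. The following is an added example, not 0d1n's own code, that implements both in plain C. It also makes the defender-side point behind the tamper note: a request filter whose signature match is case-sensitive misses a mixed-case payload, while one that normalizes case does not, so response matching and any request inspection should both compare case-insensitively. The template, the payload, the signature and the response body are constructed inputs assumed here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not 0d1n's code): '^' marker expansion plus case-aware
 * substring matching for request signatures and response find-strings. */

/* Replace every '^' in tmpl with payload. Returns the number of bytes
 * written (excluding the NUL) or -1 if out cannot hold the result. */
int expand_marker(const char *tmpl, const char *payload, char *out, size_t outsz)
{
    size_t used = 0, plen = strlen(payload);
    for (const char *p = tmpl; *p; p++) {
        if (*p == '^') {
            if (used + plen >= outsz) return -1;
            memcpy(out + used, payload, plen);
            used += plen;
        } else {
            if (used + 1 >= outsz) return -1;
            out[used++] = *p;
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Convenience wrapper over a static buffer; NULL if the result does not fit. */
const char *expand_demo(const char *tmpl, const char *payload)
{
    static char buf[256];
    return expand_marker(tmpl, payload, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Substring search; strcasestr is not ISO C, so case folding is done here.
 * Returns 1 when needle occurs in hay (optionally ignoring case), else 0. */
int contains_str(const char *hay, const char *needle, int ignore_case)
{
    size_t nlen = strlen(needle);
    if (nlen == 0) return 1;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nlen && hay[i]) {
            unsigned char a = (unsigned char)hay[i], b = (unsigned char)needle[i];
            if (ignore_case) { a = (unsigned char)tolower(a); b = (unsigned char)tolower(b); }
            if (a != b) break;
            i++;
        }
        if (i == nlen) return 1;
    }
    return 0;
}

/* Index of the first find-string present in the response body, or -1.
 * Responses are matched case-insensitively so "SQL syntax" and "sql syntax"
 * are treated alike. */
int first_match(const char *body, const char *const *find_list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (contains_str(body, find_list[i], 1)) return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed request template and a mixed-case payload. */
    const char *tmpl = "http://site.com/view/1^/product/^/";
    const char *payload = "uNiOn sElEcT";
    const char *request = expand_demo(tmpl, payload);
    printf("request: %s\n", request ? request : "(too long)");

    /* Constructed signature: case-sensitive matching misses the payload,
     * case-normalized matching catches it. */
    const char *signature = "union select";
    printf("case-sensitive signature hit: %d\n", contains_str(request, signature, 0));
    printf("case-insensitive signature hit: %d\n", contains_str(request, signature, 1));

    /* Constructed response body checked against a small find-string list. */
    const char *response = "<html>You have an error in your SQL syntax</html>";
    const char *const finds[] = { "mysql_fetch", "sql syntax" };
    printf("first find-string match: %d\n", first_match(response, finds, 2));
    return 0;
}
```

The same `contains_str` with `ignore_case` set is what a request-side filter needs if it is to be robust against the randcase tamper; the case-sensitive call is shown only to make the gap visible.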
Copyright (C) 2014 CoolerVoid