0d1n: web security tool for HTTP fuzzing
0d1n is an open source web application brute-forcer and fuzzer. Its objective is to automate exhaustive tests that search for anomalies; from another point of view, such an anomaly can be a vulnerability. These tests can target web parameters, files, directories, forms, and others.

Why is this tool made in the C language?
- C has a high cost in writing and debugging time, but no pain no gain: it has fast performance, and C runs on any architecture such as MIPS, ARM and others, so in the future the tool can follow mobile implementations. Another benefit of C is that it gives a good base for writing optimizations; if you want to write some lines of assembly code with AES-NI or SIMD instructions, it is a good choice.
- Why not use OOP? In this project I follow the "KISS" principle: http://pt.wikipedia.org/wiki/Keep It Simple
- The C language has a lot of old-school developers, like kernel hackers.
Tool functions:
- Brute force login and passwords in auth forms
- Directory disclosure (uses a path list to brute-force and reports the HTTP status code)
- Test to find SQL injection and XSS vulnerabilities
- Test to find SSRF
- Test to find command injection
- Options to load ANTI-CSRF token each request
- Options to use random proxy per request
- other functions…
Changelog v3.8
New features:
- Resource to explore race conditions
Installation
Requires libcurl-dev (or libcurl-devel on RPM-based Linux).
$ git clone https://github.com/CoolerVoid/0d1n/
libcurl is needed to run; on Debian-based distros:
$ sudo apt-get install libcurl-dev
On RPM-based distros:
$ sudo yum install libcurl-devel
$ make
$./0d1n
Usage
~. ~
01...___|__..10.
1010 101 101
0101 :Bug :Sec `.oo'
:101 |010 |101 ( (`-'
.---. 1010 ;110 ;010 `.`.
/ .-._) 111-"""|"""'-000 `.`.
( (`._) .-. .-. |.-. .-. .-. ) )
\ `---( 1 )( 0 )( 1 )( 1 )( 0 )-' /
`. `-' `-' `-' `-' `-' .'
`---------------------------'
0d1n Web Hacking Tool 2.5 BeTa
--host : Host to scan or GET method to fuzz site.com/page.jsp?var=^&var2=^
--post : POST method fuzz params ex: 'var=^&x=^...'
--cookie : COOKIE fuzz params ex: 'var=^&var2=^...'
--custom : Load external HTTP Request template file to change points with lexical char '^' to fuzzing
(note: if you use this argv the payload list need be urlencoded) '
--agent : UserAgent fuzz params ex: 'firefox version ^...'
--method : Change method to Custom http method like DELETE, PUT, TRACE, CONNECT...
--header : Add line on http header
--payloads : Payload list to inject
--find_string_list : Strings list to find on response
--find_regex_list : Regex list to find on response(this regex is posix)
--cookie_jar : Load cookie jar file
--log : Create text output of result
--UserAgent : Custom UserAgent
--CA_certificate : Load CA certificate to work with SSL
--SSL_version : Choice SSL version by number:
1 = SSLv1
2 = SSLv2
3 = SSLv3
4 = TLSv1.0
5 = TLSv1.1
6 = TLSv1.2
--threads : Number of threads to use, default is 4
--timeout : Timeout to wait Response
--proxy : Proxy_address:port to use single proxy tunnel
example: format [protocol://][user:password@]machine[:port]
--proxy-rand : Use proxy list to use random proxy per Request
example: format [protocol://][user:password@]machine[:port]
--tamper : Payload tamper to try bypass filters
Choice one option :
encode64 : to encode payload to 64 base
randcase : to use lower and upper case random position in string
urlencode : converts characters into a format that can be transmitted over the Internet, percent encoding
double_urlencode : converts payload two times with urlencode
spaces2comment: change spaces ' ' to comment '/**/'
unmagicquote: change apostrophe to a multi-byte %bf%27
apostrophe2nullencode: change apostrophe to illegal double unicode counterpart
rand_comment: to use random comment '/**/' position in payload string
rand_space: write random ' ' blank spaces
replace_keywords: replace especial words, SELECT to SELselectECT etc...
--token_url : Url of form that you need get anti-csrf token
--token_name : Name of anti-csrf token to get and use at your request
NOTE: if you using any token to bypass anti-csrf protection, you use {token} var at your POST or GET or custom request
if you make this 0d1n change {token} to token of form... example --post 'var=^&token={token}&var2=test'
Enable-options-args:
--save_response : Enable save response highlights view when you click at http status code in datatables
--json_headers : Enable add JSON headers in Request
example 1 to find SQL-injection:
./0d1n --host 'http://site.com/view/1^/product/^/' --payloads payloads/sqli_list.txt --find_string_list sqli_str2find_list.txt --log log1337 --tamper randcase --threads 5 --timeout 3 --save_response
example 2 to Bruteforce in simple auth:
./0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads payloads/wordlist.txt --log log007 --threads 10 --timeout 3
example 3 to search XSS and pass anti-csrf token:
./0d1n --host https://page/test.php --post 'csrf={token}&pass=^' --payloads payloads/xss.txt --find_string_list payloads/xss.txt --token_url https://page/test.php --token_name name_token_field --log logtest --save_response
Notes:
Look the character '^', is lexical char to change to payload list lines...
Coded by Cooler_
coolerlair[at]gmail[dot]com
--- DEBUG-START ---
Sat Dec 30 18:17:08 2017 0d1n.c[167] main():
Need more arguments.
--- DEBUG-END ---
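The usage text above explains that '^' marks each fuzz point in a GET, POST, cookie or custom template and that '{token}' is replaced by the anti-CSRF token fetched from --token_url. The C block below is an added example (not 0d1n's own code) that implements that template expansion over a constructed payload list, so you can see exactly what each request body looks like before it is sent; the token value and payloads are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of '^' fuzz points in a template (0d1n's lexical marker). */
int count_fuzz_points(const char *tpl)
{
    int n = 0;
    for (; *tpl; tpl++)
        if (*tpl == '^') n++;
    return n;
}

/* Expand a template: every '^' becomes `payload`; every "{token}" becomes
 * `token` unless token is NULL, in which case it is left literal.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *expand_template(const char *tpl, const char *payload, const char *token)
{
    size_t n = strlen(tpl), plen = strlen(payload);
    size_t tlen = token ? strlen(token) : 0;
    size_t m = plen > tlen ? plen : tlen;
    char *out = malloc(n * (m ? m : 1) + 1); /* worst case: every byte expands to m bytes */
    if (!out) return NULL;
    size_t i = 0, o = 0;
    while (i < n) {
        if (tpl[i] == '^') {
            memcpy(out + o, payload, plen); o += plen; i++;
        } else if (token && strncmp(tpl + i, "{token}", 7) == 0) {
            memcpy(out + o, token, tlen); o += tlen; i += 7;
        } else {
            out[o++] = tpl[i++];
        }
    }
    out[o] = '\0';
    return out;
}

/* Check helper: 1 if tpl expands exactly to `expected`, else 0. */
int expands_to(const char *tpl, const char *payload, const char *token, const char *expected)
{
    char *s = expand_template(tpl, payload, token);
    int ok = s && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    const char *payloads[] = { "alpha", "beta", "gamma" }; /* constructed list */
    const char *tpl = "var=^&token={token}&var2=test";     /* template from the usage note */
    for (size_t k = 0; k < sizeof payloads / sizeof *payloads; k++) {
        char *body = expand_template(tpl, payloads[k], "deadbeef-constructed-token");
        printf("%s\n", body);
        free(body);
    }
    return 0;
}
```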
Example
Brute force to find a directory
$ 0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response
Note: You can change the number of threads; if you have a good machine you can try 800 or 1200, but each machine has a different context.
For SQL injection attack
$ 0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response
Note: tamper is a resource to try to bypass the web application firewall.
To brute force auth system
$ 0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3
Note: if the form has a CSRF token, you can use the token arguments to fetch this token for each request and then brute-force.
Search SQLi in hard mode in the login system with csrf token:
$ 0d1n --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100
Note: export the cookie jar from your browser, save it as cookies.txt and load it with --cookie_jar.
Copyright (C) 2014 CoolerVoid
Source: https://github.com/CoolerVoid/