RMIScout RMIScout performs wordlist and brute-force attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. On misconfigured servers, any known RMI signature using non-primitive types (e.g., java.lang.String) can be exploited by...
JSshell JSshell is a JavaScript reverse shell. It is used to exploit XSS remotely and helps to find blind XSS, … This tool works on both Unix and Windows operating systems and it can be run...
JNDI-Injection-Exploit JNDI-Injection-Exploit is a tool for generating workable JNDI links and providing background services by starting the RMI server, LDAP server, and HTTP server. The RMI server and LDAP server are based on marshals and...
Blinder Blinder is a small Python library to automate time-based blind SQL injection by using pre-defined queries as a function to automate rapid PoC development. Install: pip install blinder. Use: To use Blinder...
Singularity of Origin Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server's DNS name to the target machine’s...
FDsploit FDsploit is a file inclusion and directory traversal fuzzing, enumeration and exploitation tool. Features: The LFI-shell interface provides only the output of the file read or the command issued, not all the HTML code...
CORS Exploitation Framework (CEF) A proof-of-concept tool for conducting distributed exploitation of permissive CORS configurations. Install: Install Redis and Python 3. Clone this repository: git clone https://github.com/lanmaster53/cef.git Install the dependencies: pip install -r requirements Set...
Dupe Key Injector Dupe Key Injector is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented in the BSides/BlackHat/DEFCON 2019 presentation “SSO Wars: The Token Menace”. Dupe Key Confusion...
Shadow Workers Shadow Workers is a free and open-source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW). A successful exploitation allows you to browse on...
Tamper injection data Option: --tamper sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes, which are replaced by their CHAR()-alike representation. More information about programming can be found on Thoughtsoncloud. This option...
Today we introduce two batches of techniques for testing injection points; this method can also be used for other fuzz tests. Use “Save items” to export the HTTP/HTTPS requests to test. Save them into a .bat file. Use...
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for...
WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of “There’s a WAF?”. WhatWaf works by detecting a firewall on a web application and attempting to detect a...
Kubolt is a simple utility for scanning public unauthenticated Kubernetes clusters and running commands inside containers. Why? Sometimes the kubelet port 10250 is open to unauthorized access, which makes it possible to run commands...
XSS Fuzzer XSS Fuzzer is a simple application written in plain HTML/JavaScript/CSS which generates XSS payloads based on user-defined vectors, using multiple placeholders that are replaced with fuzzing lists. It offers the possibility to...