hexon

Hexjector v1.0.7.5 Alphonic Revision 34 Experimental ChangeLog : Version 1.0.7.5 Alphonic Revision 34 Experimental (31/12/2010) Hexjector v1.0.7.5 Alphonic -Error_Check v1.0.3 -HexDorker v1.0.2.0 -HexaFind v1.0.2.0 -HexDumper v1.0.1.0 -HexaCurD v1.0.0 -Hexdumpfile v1.0.0 -Hexoutfile v1.0.0 -Hexloader v1.0.0 -WAF_Detector v1.0.2 -HexaFind is now multithreaded(Credits to David Hopkins for his CURL Class). -HexacURL removed. -Information.php is not used anymore. -Code is refined and organized for better view. -Output Buffering removed. -WAF Bypass Module Added. -HTTP Requests are now available. o POST -Interface of Hexjector is changed thanks to Johnburn, and mods from me. -A non-persistent XSS is patched in HexDorker. -Codename Added. -RCE Test added. -Troubleshoot section added to aid users in solving problems. -A new Manual Updater is added. o News Feeds Retriever. o Patch Retriever. -SQL Injection Type Detection is recoded to be more precise. -Another Series of SQL Injection Type Detection are added. o Single Quotes with Parenthesis o Double Quotes o Double Quotes with Parenthesis -Local Md5 Cracker, Hexcracker added. -Scripts with functions have Mod_ Prefix in the filename. -All htmlspecialchars() are changed to htmlentities(). -Back Button now available. -Many E_NOTICE errors are fixed. Download Link: http://sourceforge.net/projects/hexjector/files/Hexjector%20Experimental/Hexjector%20v1.0.7.5%20Rev34.zip/download

the Hexdorker is a little buggy so bare with it.

Hexjector is an Opensource,Cross Platform PHP script to automate site Pentest for SQL Injection Vulnerabilties. Version 1.0.7.4 (3/7/2010) Hexjector v1.0.7.4 -WAF_Detector v1.0.2 -HexacURL v1.0.1 -Hexafind v1.0.1 -Error_Check v1.0.2 -Hexdumper v1.0.1 -HexaCurD v1.0.0 -Hexdumpfile v1.0.0 -Hexoutfile v1.0.0 -Hexloader v1.0.0 -HexDorker v1.0.1 -MsAccess SQL Injection is not added yet, it will be added in the next version. -MySQL Injection v4 is back ! -WebPanel is Added. -Every additional tool is separated to enable users to know the progress of the additional tools. -Index.php is made to convenient users in using tools of Hexjector. -Refined the code to reduce wastage of HTTP Requests. -Every file that specialized in Connection will have a prefix "Con_". -Waf_Detector.php is removed. -Waf_Detector is integrated into each Connection. -Every File with Waf_Detector have a postfix "_WD" to ease users & developers to identify it. -Wafdetect on MySQL Injection v4 is disabled by default as it may hinder the process. (Enabled back by integrating connection with wafdetect) -wafdetect is removed as wafdetect is integrated into each Connection. -Coalesce() is removed. -Problem on Webservers not using apache is fixed. (Apache_request_headers() ) -Error_reporting is enabled. (Previously disabled due to my fault) -Background of Hexjector is changed. -Hexjector Wordpress Blog opened (http://sourceforge.net/hexjector/wordpress) -Personal Wordpress Blog opened. -Wallpaper Gallery opened. -Users can see Wallpapers submitted at the Gallery. -Filename error fixed as Filename is case-sensitive in Unix. -Auto-Update Check is done. -Union All select in Information.php is changed to Union distinct select. -HexacURL and HexDorker is separated from main A New Tool had been made. -HexaCurD.php is made. -HexaCurD is an additional tool to aid users to retrieve the Current Directory of a particular table in MsAccess SQL Injection. A New Tool had been made. -HexDorker.php is made. -HexDorker is a Tool to search for sites by using Google Dork and check the sites for SQL Injection Vulnerabilities. Download Link: Win32 : http://sourceforge.net/projects/hexjector/files/Hexjector%20(Win32)/Hexjector%20v1.0.7.4.zip/download Unix : http://sourceforge.net/projects/hexjector/files/Hexjector%20(Unix)/Hexjector%20v1.0.7.4.tar/download Mac : http://sourceforge.net/projects/hexjector/files/Hexjector%20(Mac)/Hexjector%20v1.0.7.4.tar/download

Hexjector Version 1.0.7.3SE (5/6/2010) Changes Made from previous release : -Special Edition -Disclaimer added. -Hexjector Official Documentation for Win32 released. -MySQL Injection v5 Full Database Enumeration (There was a few bugs in past releases that is fixed in this version and Data Retrieved is checked one by one.). -Persistent XSS is patched by filtering the $url2. (For the Patch, you can find it at Exploitdb or email me if it has still not posted at exploitdb) -Html Dump temporary removed due to 0day Vulnerablity found by me. -Video regarding 0day Exploit is made and uploaded at youtube. -Non-Persistent XSS is patched. -Another Non-persistent XSS is patched (Hexdumper). -Yet Another Non-persistent XSS is patched (Hexafind). -Every input is filtered to prevent XSS. -cURL is modified to reduce HTTP Request Time Usage. -Type of Injection(Numeric,String Based) added. -Changes in Query according to Numeric or String Based Detection is added. -Total Queries Generated for Information_schema,phpmyadmin and mysql is 359. -Error in Hexdumper fixed. (wafdetect($dumpstr)) -Filenames had been modifed to make it more professional. -Error in Column Count is patched. -Coalesce() is added. -Error on conditional matching is fixed. ($str_col=true) -Now I will focus on MySQL Injection v4. -MySQL Injection v4 is temporary disabled as I never refined the code since made and it is kind of buggy. -You may notice some performance slow down.(Reason is located at the below). -Problem on if there is too many columns ,only partial of the data will be extracted is patched. -Interface changed to aid users in finding the data wanted(Data are in bold). -SiXSS Added. -Custom Header is added. -Server Information is added. -Connect4.php editted to make it more error-proof. -Processes of Hexafind,Hexoutfile and Hexdumpfile has been changed to make it more real-time. -Hexoutfile(Into OutFile) added. -New File Created : hexoutfile.php -Hexdumpfile(Into DumpFile) added . -New File Created : hexdumpfile.php -Load_File added. -New File Created : hexloader.php -Custom Back Parameter added. -Update Check Module is added. -Version Comment added. -Operating System Detection added. -Operating System Architecture Detection added. -Temporary Directory Retrieval Added. -New File added : HexacURL.php -HexacURL is a cURL based webbrowser with Header Enumeration to ease Professional Pentesters to solve the sql query problems. -Non-persistent XSS is expected if the site has XSS.It is more or less like a browser so this is normal. -Testers can use it to find the unique parameter input it in Custom Parameter of Hexjector so Hexjector can execute. -Custom Whitespace added. -To Hexadecimal added. -Url_encode added. -Url_decode added. Download Link : Windows : https://sourceforge.net/projects/hexjector/files/Hexjector%20%28Win32%29/Hexjector%20v1.0.7.3SE.zip/download Unix : https://sourceforge.net/projects/hexjector/files/Hexjector%20%28Unix%29/Hexjector%20v1.0.7.3SE.tar/download Mac : https://sourceforge.net/projects/hexjector/files/Hexjector%20%28Mac%29/Hexjector%20v1.0.7.3SE.tar/download

Fixed lol.......

# Exploit Title: Hexjector Persistent XSS (<=v1.0.7.2) # Date: 25/5/2010 # Author: Hexon # Software Link: https://sourceforge.net/projects/hexjector/files/Hexjector (Win32)/Hexjector v1.0.7.2.zip/download # Version: v1.0.7.2 and below # Tested on: Windows XP SP2, Windows 7,Ubuntu 9.10 # Code : http://localhost/Hexjector/hexjector.php?site=[XSS Code]&injsubmit=Submit+Query&custom_parameter= ------------- Vulnerability ------------- Locate This code in Line 91: (It differs in each version , this is based on Hexjector v1.0.7.2) $o_urlx = "URL : < ". $url2 ." >"."<br \>"; $url2 is not filtered so XSS codes can be executed. You would need to find a site that is vulnerable either to XSS or SQL Injection to generate this vulnerability.A site that is vulnerable to XSS only will also work because my Hexjector will not stop running unlike Havij that will detect that it is uninjectable and stop working. ------------ Exploitation ------------ You can insert javascript,html codes into the File Dump Created. There are a few variations for to exploit this : 1.Use XSS codes directly in a XSS Vulnerable site 2.Use XSS codes directly. 3.Use SiXSS to generate a XSS code in a SQL Injection Vulnerable Site. 4.Include XSS code after the vulnerable parameter in a SQL Injection Vulnerable Site. ------------------------------------------------------------------------------------------ 1.Use XSS codes directly in a XSS Vulnerable site Example : http://localhost/Hexjector/hexjector.php?site=[site with XSS Vulnerability]&injsubmit=Submit+Query&custom_parameter= You can replace [site with XSS Vulnerability] with XSS codes like : - <script>alert(1337)</script> - <iframe src="http://localhost/hexjector/" height=0 width=0></iframe> and many others. This is just a basic example. ------------------------------------------------------------------------------------------ 2.Use XSS codes directly. Example : http://localhost/Hexjector/hexjector.php?site=[XSS Code]&injsubmit=Submit+Query&custom_parameter= You can replace [XSS Code] with XSS codes like : - <script>alert(1337)</script> - <iframe src="http://localhost/hexjector/" height=0 width=0></iframe> and many others. This is just a basic example. ------------------------------------------------------------------------------------------ 3.Use SiXSS to generate a XSS code in a SQL Injection Vulnerable Site. Example : http://localhost/Hexjector/hexjector.php?site=[siXSS]&injsubmit=Submit+Query&custom_parameter= Example of [siXSS]: -2 union select 1,[XSS],3 (Assume that Column count = 3 and String column = 2) For your acknowledge , String column is the column number where the data produces output at the site. You can replace [XSS] with XSS codes like : - <script>alert(1337)</script> - <iframe src="http://localhost/hexjector/" height=0 width=0></iframe> and many others. This is just a basic example. ------------------------------------------------------------------------------------------ 4.Include XSS code after the vulnerable parameter in a SQL Injection Vulnerable Site. Example : http://localhost/Hexjector/hexjector.php?site=[Vulnerable Parameter][XSS]&injsubmit=Submit+Query&custom_parameter= [Value] is the SQL Injection Vulnerable Site with its parameter. Example : http://localhost/sqli.php?id=2 You can replace [XSS] with XSS codes like : - <script>alert(1337)</script> - <iframe src="http://localhost/hexjector/" height=0 width=0></iframe> and many others. This is just a basic example. ------------------------------------------------------------------------------------------ NOTE : Other XSS method can be used: -Iframe -Redirection -Cookie Stealing and many others. After you have tried either one (all of them are similar in a way or two but this is just to show you all of the ways to do it) , a html dump will be generated (File is saved as [HexDV(4/5)](32charlength).html) and open it. Use your creativity to trick others to go to this file and you will get the things that you want. ----- Patch ----- Replace the vulnerable line with this : $o_urlx = "URL : < ". htmlspecialchars($url2,ENT_QUOTES) ." >"."<br \>"; The code($o_urlx) differs in each version so just find it manually and replace the $url2 with the htmlspecialchars($url2,ENT_QUOTES). Do not use replace or replace all functions as Hexjector uses a lot of $url2 and only one of it is vulnerable so find it manually. Replacing some or all of it WILL definitely bring a slow down in terms of performance as htmlspecialchars will take some time to execute. This will patch the non-persistent XSS vulnerability as well. ---------- Queries ?? ---------- Any questions regarding this Vulnerability,Please email to Hexjector@gmail.com or hkhexon@gmail.com.

Havij Persistent XSS (<=v1.10) By : Hkhexon (hkhexon@gmail.com) ------------- Vulnerability ------------- Havij does not do any filtration in Target bar so XSS codes can be executed. However , you need to find a site that is vulnerable to XSS and SQL Injection. The site cannot be vulnerable to just XSS only as Havij will stop working as it cannot inject it. Functions Affected: -Save in Info -Save Tables in Tables -Save Data in Tables ------------ Exploitation ------------ Eventhough I said you need to find a site that is vulnerable to XSS and SQL Injection, There is also an exception to this.Instead,you can find a site vulnerable to SQL Injection and use SiXSS to generate your desired XSS code. You can also put the XSS code after the Vulnerable Parameter. Of course, before that you would need to find the column count and string column and replace the String column with the XSS code. For your acknowledge , String column is the column number where the data produces output at the site. Example (Type it in Target and click Analyse): ------------ SiXSS Method ------------ http://localhost/sqli.php?sqli=-1337 union select 1,'<script>alert(1337)</script>',3 or you can also remove the quotes in the XSS code, it doesn't matter. (Assume that Column count = 3 and String column = 2) Or the simpler one without using SiXSS: http://localhost/sqli.php?sqli=2<script>alert(0)</script> If magic_quotes or addslashes is on, it would make no difference as only the quotes are filtered and the code will still execute unless your XSS code has quotes in it. NOTE : You cannot use encoding like char() or hex as the html file generated will not parse it into plain text and execute the code. After that , you can do either the following: -Click Save in Info and save the html file. -Click Save Tables in Tables and save the html file. -Extract some data by using Get Tables,then Get Columns,then Get Data,and save the html file by using Save Data. After html file has been generated, open it and your XSS code will execute. This may look undangerous since the file is made inside your computer, but almost all XSS techniques requires the attacker to trick users to go to a particular file of the site though. So, anything can happen , its just that you need to be creative. ----- Patch ----- I had already notified the Author of Havij(r3dm0v3). The reason why I do not have patch for this is that I do not have the source of Havij so I'll let r3dm0v3 to do it himself. ---------- Queries ?? ---------- Please email to hkhexon@gmail.com.

Hexjector v1.0.7.1 1.Check for SQL Injection Vulnerablities. 2.Pentest SQL Injection Vulnerablities. 3.Detect WAF on the site. 4.Scan For Admin Page 5.Manual Dump Function Changes From Version v1.0.7 --------------------------- Hexdumper error is fixed. Download Link : https://sourceforge.net/projects/hexjector/files/Hexjector%20v1.0.7.1.7z/download