View Issue Details

IDProjectCategoryView StatusLast Update
0006946Kali Linux[All Projects] New Tool Requestspublic2021-01-08 13:30
Reportertariqh Assigned To 
PrioritynormalSeverityfeatureReproducibilityN/A
Status closedResolutionsuspended 
Product Version2020.4 
Target VersionFixed in Version 
Summary0006946: InjectBot - new way of doing SQLi
DescriptionHI,

To test for remote injections there is either a terminal-based or proxy-based option, but what about a third one? There are some people like myself who like form-like tools with bullet options rather than terminal tools with overwhelming parameters, I believe this new kind of tool is going to be popular especially among the beginner hackers and pentesters.

InjectBot is going to be a first release with this new idea, and it came up for now with SQLi injection vuln only to check the consent of the users to this tool. However, there is a plan to expand support for other types of injection, such as xss, xxe, rce, and others..

The current features are:

- Check only for the vulnerability.. no further checking or attack, which's helpful at the enum phase to narrow down the attack vectors, that recommended in CTF contests to avoid fake and rabbit holes.

- Fetch DBMS and system information.

- Fetch table schemas.

- Retrieve data records from the selected schema (discovered schemas from above will be saved and listed).

InjectBot designed to target three objectives:
1- High speed response and less impact on the target, leveraging some cool techniques cush as:

    - Web features like session management, has helped the tool to not repeat any request to the target, so if a request send to confirm the vulnerability, it will be saved for the entire time of the user’s session with the tool, and that alone reduced a lot of connection numbers and hence reduced the impact on the target.-
    - Used multi curl functions. This function has proved by benchmarks its unbelievable speed response compared to normal curl and other functions like file_get_content or get_headers.

2- Friendly, good look interface. 

    - InjectBot's front-end was built using bootstrap4, which ensures responsive and compatible application.

    - Focus the script on the bullet options, and avoid the script from fetching less important schemas "such as tables inside information_schema database" to save time and resources for the user.

3- Light-weight script. 
    
    - InjectBot doesn't use any kind of database. The data that is being processed is stored in and retrieved from PHP session only.
    
    - It uses very clean programming practice, with classes and reduced lines techniques so the data flow is moving efficiently inside the script and hence minimizes the utilization of the resources.

Here is a quick demo showing how it works.
https://www.tariqhawis.com/img/injectbot/injectbot-demo.gif


For Installation:

The project can be cloned from its github link:
https://github.com/tariqhawis/injectbot

To run the script, simply run from terminal the file: ./run.sh
The script is now up and running, to launch it, open this url in your browser: http://localhost:11111


Please I would like to add InjectBot to Kali tools

If you have any question or need more details about the script please let me know.


Regards,
Tariq
Steps To Reproducen/a
Additional Informationn/a

Activities

tariqh

2020-12-24 22:27

reporter  

injectbot-demo.gif (1,749,352 bytes)

g0tmi1k

2021-01-08 13:29

administrator   ~0014054

Last edited: 2021-01-08 13:30

View 2 revisions

Thank you for your suggestions - however this tool doesn't look mature enough yet

Issue History

Date Modified Username Field Change
2020-12-24 22:27 tariqh New Issue
2020-12-24 22:27 tariqh File Added: injectbot-demo.gif
2021-01-08 13:24 g0tmi1k Priority high => normal
2021-01-08 13:29 g0tmi1k Note Added: 0014054
2021-01-08 13:29 g0tmi1k Status new => closed
2021-01-08 13:29 g0tmi1k Resolution open => suspended
2021-01-08 13:30 g0tmi1k Note Edited: 0014054 View Revisions