Released
| QuickInject Toolkit |
Author: Syhunt
QuickInject is an extensive toolkit for manual web application security assessment. QuickInject allows to tailor injection requests that you can send or load using Sandcat, and can be used for performing a number of different operations, such as URL and POST Data Manipulation, Filter Evasion, as well as Referer and User-Agent Spoofing, and HTTP Header Manipulation. In addition to the capability to build requests, QuickInject can also be used to execute JavaScript in a loaded page. The first release of QuickInject is focused on File Inclusion, XSS and SQL Injection and comes with the following options:
- SQL Injection functions
- Filter Evasion - Database-Specific String Escape (CHAR & CHR). Conversion of strings to quoted strings, conversion of spaces to comment tags or new lines
- Filter Evasion (MySQL-Specific) - String Concatenation, Percent Obfuscation & Integer Representation (eg: '26' becomes 'ceil(pi()*pi())*(!!!pi()+true)+ceil(@@version)', a technique presented by Johannes Dahse).
- UNION Statement Maker
- Quick insertion of common injections covering DB2, Informix, Ingres, MySQL, MSSQL, Oracle & PostgreSQL
- File Inclusion functions
- One-Click Log Poisoning
- Quick Shell Upload code generator
- PHP String Escape (chr)
- Cross-Site Scripting (XSS) functions
- Filter Evasion - JavaScript String Escape (String.fromCharCode), CSS Escape
- Various handy alert statements for testing for XSS vulnerabilities.
- Hash functions
- MD5 Hash Crackers - Built-in (offline) and online MD5 hash crackers
- Hash Generators - MD5, SHA-1, SHA-2 (224, 256, 384 & 512), GOST, HAVAL (various), MD2, MD4, RIPEMD (128, 160, 256 & 320), Salsa10, Salsa20, Snefru (128 & 256), Tiger (various) & WHIRLPOOL
- Encoders/Decoders
- URL Encoder/Decoder
- Hex Encoder/Decoder - Converts a string or integer to hexadecimal or vice-versa (multiple output formats supported).
- Base64 Encoder/Decoder
- CharCode Converter - Converts a string to charcodes (eg: 'abc' becomes '97,98,99') or vice-versa.
- IP Obfuscator - Converts an IP to dword, hex or octal.
- JavaScript Encoders - Such as JJEncode by Yosuke HASEGAWA
- HTML functions
- HTML Escape/Unescape
- HTML Entity Encoder/Decoder - Decimal and hexadecimal HTML entity encoders & decoders
- JavaScript String Escape
- Text Manipulation functions - Uppercase, Lowercase, Swap Case, Title Case, Reverse, Shuffle, Strip Slashes, Strip Spaces, Add Slashes, Char Separator
- Time-Based Blind Injection code - Covering MySQL, MSSQL, Oracle, PostgreSQL, Server-Side JavaScript & MongoDB
- CRC Calculators - CRC16, CRC32, CRC32b, and more.
- Classical Ciphers - ROT13 & ROT[N]
- Checksum Calculators - Adler-32 & Fletcher
- Buffer Overflow String Creator
- Random String & Number Generation functions
- URL Splitter
- Useful Strings - Math, character sets and more.
Version: 1.0 (Included with Sandcat) / License: Freeware
| Syhunt Code Extension Pack |
Author: Syhunt
Syhunt Code is a static code analysis tool that scans web applications for several kinds of vulnerabilities, including Cross-Site Scripting (XSS) and SQL Injection. It also identifies key areas of the code, such as key HTML tags, AJAX / JavaScript, entry points and interesting keywords, which can help accelerate a code review.
More details about it can be found here. This is a tool that can be used to harden government and education websites and open source web applications against web application security attacks.
Screenshots
SQL Injection Detection
XSS Detection
Secure Code
Preferences Screen
Version: 5.0 / License: Enterprise (must be ordered at Syhunt)
Under Development
| Syhunt Dynamic Extension Pack |
Author: Syhunt
Coming soon.
| Tor Extension for Sandcat |
Author: Syhunt
Coming soon.