[ Security Tool ] Orafuzz Version 2 – HTTP Fuzzing Tool

This application is a rewrite of my original fuzzer. Several features have been added, as well as a full, user-friendly GUI.

The major change in this version is the ability to modify and add attack strings through the provided sample list, which adds to the overall flexibility of the application.

The application now also supports both POST and GET requests.
The provided text file “attackstrings.txt” contains a list of attack request strings; this file must reside in the application's root directory.

This can also be used to determine whether the vulnerability “CVE-2007-1036 JBoss JMX-Console Access Vulnerability” exists on a particular server.

You can try for yourself a target with Google, and a Google dork: inurl: /reports/rwservlet/help?

As mentioned, the contents can be modified to suit the attacker's needs.
The sample contents of the “attackstrings.txt” file are shown below:

/reports/rwservlet
/reports/rwservlet/showenv?
/reports/rwservlet/showjobs?
/reports/rwservlet/help?
/reports/rwservlet/showmap?
/reports/rwservlet/showmyjobs?
/reports/rwservlet/showjobid?
/reports/rwservlet/killjobid?
/reports/rwservlet/parsequery?
/reports/rwservlet/showauth?
/reports/rwservlet/delauth?
/reports/rwservlet/getjobid?
/reports/rwservlet/getserverinfo?
/reports/rwservlet/killengine?
/discoverer/app
/web-console
/jmx-console
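
To check whether your own servers have been swept with a list like this one, the following added example (not part of Orafuzz or the original post) scans access-log lines for the paths listed above and reports clients that requested several of them, noting which returned 200. The common/combined log format, the function names, the threshold of three distinct paths and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Prefixes covering every entry in the sample attackstrings.txt shown above.
PROBE_PREFIXES = ("/reports/rwservlet", "/discoverer/app", "/web-console", "/jmx-console")

# Common/combined log format (assumed): client, [time], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # constructed sample lines using documentation addresses
    '203.0.113.7 - - [29/Apr/2014:10:00:01 +0000] "GET /reports/rwservlet/showenv? HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Apr/2014:10:00:01 +0000] "GET /reports/rwservlet/showjobs? HTTP/1.1" 403 210',
    '203.0.113.7 - - [29/Apr/2014:10:00:02 +0000] "POST /jmx-console HTTP/1.1" 404 180',
    '198.51.100.20 - - [29/Apr/2014:10:05:00 +0000] "GET /reports/rwservlet?report=sales.rdf HTTP/1.1" 200 900',
    '198.51.100.20 - - [29/Apr/2014:10:05:09 +0000] "GET /index.html HTTP/1.1" 200 300',
]

def matched_probe(target):
    """Return the normalised path if it falls under a listed prefix, else None."""
    path = unquote(target.split("?", 1)[0]).rstrip("/").lower()  # drop query, decode %xx
    for prefix in PROBE_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return path
    return None

def find_probing(lines, min_distinct=3):
    """Report clients that requested at least min_distinct different listed paths."""
    hits = defaultdict(dict)  # ip -> {path: set of status codes seen}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = matched_probe(m.group("target"))
        if path:
            hits[m.group("ip")].setdefault(path, set()).add(int(m.group("status")))
    report = {}
    for ip, paths in hits.items():
        if len(paths) >= min_distinct:  # one hit may be normal use; a sweep is not
            exposed = sorted(p for p, codes in paths.items() if 200 in codes)
            report[ip] = {"paths": sorted(paths), "exposed": exposed}
    return report

if __name__ == "__main__":
    for ip, info in find_probing(SAMPLE_LOG).items():
        print(ip, "probed", info["paths"], "answered 200:", info["exposed"])
```

Any path reported under "exposed" answered a sweep with 200 and is the first place to restrict access on the server.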

The application and code can be downloaded and viewed below:

[ .TXT C-Code ] OraFuzz_V2_GUI.c
[ .TXT C-Code ] fuzzer.c
[ .TXT C-Code ] OraFuzz_V2_GUI.h
[ .ZIP ] VS Project Files
[ .ZIP/.EXE ] Executable File
[ .TXT ] Attackstrings.txt

~ by Rhys Mossom on April 29, 2014.
