About Microbe
Microbe is a Google Chrome browser extension for Web penetration testers, although some of its components can be individual applications themselves, like the cookie manager, form handler or Krypton.Since one of the most influential and destructive attack methods on the Web is SQL injection, Microbe has been designed to help you perform those kind of attacks more easily by using shortcodes, but this doesn't make Microbe an exclusive SQL injection tool. It servers multiple purposes.
Installation and Accessibility
Microbe can be found on the official Google Web Store: chrome.google.com/webstore/detail/microbe/khejlnipbheaalinebbiadhmajjlmdilAfter you've pressed the install button and you've given it access to the stuff it needs in order to function, right click on a Web page and select "Inspect Element". On the right, in DevTools' navigator, you'll find a newly installed link that says "Microbe", click on it and you're there.
Unfortunately, Google doesn't allow its extension developers to open a DevTools page from a custom button, for security reasons, so that's why you must get to Microbe via "Inspect Element". Or you can press F12 on a PC (CMD + ALT + I on a Mac) to open it up by its shortcut.
Structure
Current Request
Here are most of the things happen, you can alter the GET and POST data and also the HTTP response headers, like the browser "User Agent" or the page "Referer".
The top tool bar can function with both GET and POST input boxes. Furthermore, these two have a custom history system developed (CTRL + Z, CTRL + Y or CTRL + SHIFT + Z) for a better usability.
The first button: "Load", gets the inspected page's information; the URL and its headers. This button, like all the other on this tool bar, has custom shortcut to reach it faster: ALT + A. You can find out the shortcut to each button by looking for the underlined letter in it, the shortcut will be: ALT + the underlined letter
The next button: "Split", it splits the GET or POST parameters on separate lines to increase the legibility of the entire content of the input box. E.g.:
From:
Once the button has been pressed, we get:
This way we can concentrate on what we have to do more easily, that is the composition of a injection syntax, without being too distracted by what's beside out syntax.
It is worth mentioning that you can add how many new lines you wish, there is no limit because when the URL will be executed, the new lines will be deleted automatically, so the final URL will not be affected by this simple detail, the new lines being there only for aesthetics.
The "Execute" button is the one that send all the modified data in a new request. Everything that you've modified on the Current Request and Cookie Manager sections will be applied to the next page request.
Next, we have some selection tools, most of them are for encoding/decoding of text using various ciphers.
The first list defines form what cipher the encoding/decoding will be done.
The "to" button is used in switching the ciphers with each other. For example, if you had Plain to HEX, after you press it, it will become HEX to Plain.
The next list defines to what cipher the encoding/decoding will be done. Although, it's worth mentioning that the last three items cannot be decoded because they're checksum calculator, not ciphers.
Microbe will encode/decode a selected text on three separate situations:
The "Go" button is there if the first automated encoding/decoding has not been enough and you need to repeat it.
The "Commas" and "Spaces" button strip the commas and spaces of the selected string. These two have been added because some ciphers, like: Plain to HEX, return a result similar to:
The "Copy" button simply inserts the selected string in the clipboard.
--
Under this tool bar you will find an input box called GET (bottom right), in with you can set the new URL and GET data and, below that, another four important elements.
Replacers it allows the modification of GET elements, again, for a better legibility.
Let's assume that we stumbled upon a WAF (Web Application Firewall), a script in the back end that modifies our input in order to sanitize it, so it won't get execute as we supply it on the database. This means that if we have a syntax similar to:
After the back end script modifies it, it will get:
Which will result in a malformed SQL statement and either the SQL will return an error, or the back end script itself.
Now, to get over this, we need to replace the spaces with something that doesn't get stripped and acts like a space, say:
If we were to apply this method to our syntax, we would be struggling to understand it afterwards, that's where the "Replacers" functionality proves to be useful. If we enter into the "Spaces" input the following:
The "Regex" fields are exactly what they say they are, you can apply the same principle explained above with the spaces, but this time using regex as your search and replace method.
Let's assume we have another WAF coming, but this time it filters the "\bselect\b" and "\bfrom\b" keywords. We can easily try multiple combinations to bypass this if we're using something similar to:
For the search field:
And the replace field:
Note: If you don't know anything about regex, I recommend starting with this tutorial.
This will replace the words: "select" and "from", in our syntax, with: "/*!select*/" and "/*!from*/". This feature can have tons of real world applications, imagination is the limit.
--
View Headers it allows you to modify the previous request and create a new one as you please. You can add/remove POST data, you can add more request headers or custom headers and you can edit everything on the "Request Headers" section.
Like I've said before, the tool bar has effect on the POST input box as well as the shortcodes, we will discuss those soon enough.
To modify something on the "Request Headers" section, simply select its content and modify it because everything is an
--
Retriever its, again, another powerful feature, if you know when and how to use it that is. This option searches what you give it as input on the inspected page's source code, line by line. Same rules of regex apply here as well.
I encountered situations in which the error that helps us determine if a portion of a site is vulnerable get displayed only in the source code as a comment or after a big useless chunk of text, so this is where this feature comes in useful.
E.g.: If we want to get all the page errors, all we have to enter is:
And if there is something in the source that matches our pattern, it will be displayed in our Microbe window, not at some weird position on the screen, that we might have to scroll to see it, or in the page source.
Again, imagination is the limit to what you can achieve using this. If you ask me, this will help the XSS hunters, because they always have to look in the source code to see what to bypass in order to acquire a valid vulnerability.
--
Shortcodes, although I have left this for the end, this is not some useless piece of software, on the contrary, it is extremely powerful and a real time saver. Every shortcode in here will work with the GET and POST fields. There are shortcodes for almost every button in the tool bar and more.
Let's assume we have a URL that receives GET input encoded using Base64, that will be later decoded in the back end and used as normal. If we'd want to test this input, we'd have to write the syntax, encode it and then submit the new URL, right? Well, not anymore. Consider the following example:
What's happening here? It's really simple and, I think, pretty intuitive. The string delimited by the
Pretty simple, right? The same thing can be achieved using other ciphers/hashing algorithms that are also available in the tool bar. You will find a working example for each of the shorcodes in the "Shortcodes" section.
Among the encoding functions, there is another useful element that allows you to write a shorter syntax for the union based SQL injections that require you to use a bunch of useless columns. I'm refering to those tables that have over 30 or 40 columns in their structure, which can also annoy you when you're writing a new syntax because a lot of the gibberish gets in your way.
But this has been taken care of, here comes the
After the Execute is pressed, will become:
Yet again, the real result is being displayed only on the browser's address bar. Your GET and POST field are still clean and simple.
But wait, there's more. If you need to insert a string and the quotes and apostrophes are filtered out by a WAF, you could use the CHAR() or CHR() function depending on your DBMS.
E.g. for MySQL:
Will result in:
As I said, all of this is available in the "Shortcodes" section along with an example for each functionality.
Here you will find all the request made from when you opened the extension. This is exclusive for the inspected page, you will not find additional request for other browser components or open tabs that would get in your way.
You may assume this is working just like Network in the same Developer Tools, but what if I told you that you can edit every single request in here and resubmit it with the now data? Even more, you can add it to "Current Request" so you can edit it how many times you want and get the tool bar and history functionalities for the POST data.
If you click on a request, you can find out every single detail about that request and edit it as you want, just like on the Current Request section. Under every request's details you'll find two buttons, one "Send Modified Request", which allows you to re-submit the requests after you have modified them and the "Add to Current Request" button will copy the detaild to Current Request.
On the top of the HTTP Headers section you will find some filtering options, a button to stop recording future requests or clear the list.
This is not an exclusive section, so you can use it to modify every cookie even saved by your browser or just the ones for the current page. It's your choice.
Every row is a cookie and it contains every detail that can be altered for a cookie. At the top, again, you can filter them. If you erase everything from the "Domain" input, all the cookies wil be displayed. But please be careful with this option because if you have a lot of cookie, it can slow down the extension.
Every cookie has its own Save, Reset and Delete buttons, but bellow all you will find three global buttons.
"Add New" will allow you to insert a new cookie. "Remove All" will remove all the listed cookies, and "Reload" will refresh the list.
Here will be listed all the form found on the inspected page, to which you have access to modify and submit. To edit one, simplu click on it and the rest is pretty intuitive.
You can edit all the input boxes, add new ones or remove them.
Also, like in the Cookie Manager section, you will find a "Reload" button at the bottom.
Krypton is a multi-encoding tool. It has been implemented separately from the "Current Request" section, but it has almost all the same functionalities.
The encoding is done in real time, so if you want to code something, just insert it into the "Plain" field. By default, it will encode it using Base64, but if you select another tab, it will get encoded accordingly. Also, if you want to decode something, just select the category that suits your needs and paste the encoded string on the right input box.
There is also the "Remove Duplicates" button on the left side, if you need to remove the duplicate lines of a given text.
Here you can setup a proxy. You can also with this with TOR, that's why the option is there by default.
To activate a proxy after you have added it to the list, you must check the "Activate" check box, press Save and then check the Enable Proxy Manager check box at the bottom.
The best part about this manager is that you can activate multiple proxies at a time and will be used base on their availability. That is, when one fails, the next one will replace it and so on. Of course you will get notified when this happens via Chrome's notification system.
Here you can disable/enable the cookies, javascript, browser plug-ins, pop-ups, CSS, images and/or notifications. Those are only for the current page.
Also, at a global level, you can disable the browser history and setup a new default User Agent.
Here you will find a collection of bypassing methods and prepared queries for you to use and develop more easily a SQL injection syntax.
The top tool bar can function with both GET and POST input boxes. Furthermore, these two have a custom history system developed (CTRL + Z, CTRL + Y or CTRL + SHIFT + Z) for a better usability.
The first button: "Load", gets the inspected page's information; the URL and its headers. This button, like all the other on this tool bar, has custom shortcut to reach it faster: ALT + A. You can find out the shortcut to each button by looking for the underlined letter in it, the shortcut will be: ALT + the underlined letter
The next button: "Split", it splits the GET or POST parameters on separate lines to increase the legibility of the entire content of the input box. E.g.:
From:
http://example.com/page.php?cat=6&id=2&filter=34&i=5
Once the button has been pressed, we get:
http://example.com/page.php
?cat=6
&id=2
&filter=34
&i=5
This way we can concentrate on what we have to do more easily, that is the composition of a injection syntax, without being too distracted by what's beside out syntax.
It is worth mentioning that you can add how many new lines you wish, there is no limit because when the URL will be executed, the new lines will be deleted automatically, so the final URL will not be affected by this simple detail, the new lines being there only for aesthetics.
The "Execute" button is the one that send all the modified data in a new request. Everything that you've modified on the Current Request and Cookie Manager sections will be applied to the next page request.
Next, we have some selection tools, most of them are for encoding/decoding of text using various ciphers.
The first list defines form what cipher the encoding/decoding will be done.
The "to" button is used in switching the ciphers with each other. For example, if you had Plain to HEX, after you press it, it will become HEX to Plain.
The next list defines to what cipher the encoding/decoding will be done. Although, it's worth mentioning that the last three items cannot be decoded because they're checksum calculator, not ciphers.
Microbe will encode/decode a selected text on three separate situations:
- When it detects a change in the second list
- When the button "to" has been pressed
- When the button "Go" has been pressed
The "Go" button is there if the first automated encoding/decoding has not been enough and you need to repeat it.
The "Commas" and "Spaces" button strip the commas and spaces of the selected string. These two have been added because some ciphers, like: Plain to HEX, return a result similar to:
73 74 72 69 6e 67
, so if you don't need the spaces in between the HEX encoded characters, just select them all and press the Spaces button. It can be useful when used in MySQL HEX string encoding (to get rid of the apostrophe and quote characters).The "Copy" button simply inserts the selected string in the clipboard.
--
Under this tool bar you will find an input box called GET (bottom right), in with you can set the new URL and GET data and, below that, another four important elements.
Replacers it allows the modification of GET elements, again, for a better legibility.
Let's assume that we stumbled upon a WAF (Web Application Firewall), a script in the back end that modifies our input in order to sanitize it, so it won't get execute as we supply it on the database. This means that if we have a syntax similar to:
id=1' order by 2-- -
After the back end script modifies it, it will get:
id=1'orderby2---
Which will result in a malformed SQL statement and either the SQL will return an error, or the back end script itself.
Now, to get over this, we need to replace the spaces with something that doesn't get stripped and acts like a space, say:
/**/
If we were to apply this method to our syntax, we would be struggling to understand it afterwards, that's where the "Replacers" functionality proves to be useful. If we enter into the "Spaces" input the following:
/**/
all the spaces will be replaced with /**/
, but, the beauty in this is that we don't get to see the ugly syntax because the change will be applied automatically once the "Execute" button is pressed, so we can concentrate better our syntax.The "Regex" fields are exactly what they say they are, you can apply the same principle explained above with the spaces, but this time using regex as your search and replace method.
Let's assume we have another WAF coming, but this time it filters the "\bselect\b" and "\bfrom\b" keywords. We can easily try multiple combinations to bypass this if we're using something similar to:
For the search field:
(select|from)
And the replace field:
/*!$1*/
Note: If you don't know anything about regex, I recommend starting with this tutorial.
This will replace the words: "select" and "from", in our syntax, with: "/*!select*/" and "/*!from*/". This feature can have tons of real world applications, imagination is the limit.
--
View Headers it allows you to modify the previous request and create a new one as you please. You can add/remove POST data, you can add more request headers or custom headers and you can edit everything on the "Request Headers" section.
Like I've said before, the tool bar has effect on the POST input box as well as the shortcodes, we will discuss those soon enough.
To modify something on the "Request Headers" section, simply select its content and modify it because everything is an
<input>
field and then press Execute.--
Retriever its, again, another powerful feature, if you know when and how to use it that is. This option searches what you give it as input on the inspected page's source code, line by line. Same rules of regex apply here as well.
I encountered situations in which the error that helps us determine if a portion of a site is vulnerable get displayed only in the source code as a comment or after a big useless chunk of text, so this is where this feature comes in useful.
E.g.: If we want to get all the page errors, all we have to enter is:
.*error.*
And if there is something in the source that matches our pattern, it will be displayed in our Microbe window, not at some weird position on the screen, that we might have to scroll to see it, or in the page source.
Again, imagination is the limit to what you can achieve using this. If you ask me, this will help the XSS hunters, because they always have to look in the source code to see what to bypass in order to acquire a valid vulnerability.
--
Shortcodes, although I have left this for the end, this is not some useless piece of software, on the contrary, it is extremely powerful and a real time saver. Every shortcode in here will work with the GET and POST fields. There are shortcodes for almost every button in the tool bar and more.
Let's assume we have a URL that receives GET input encoded using Base64, that will be later decoded in the back end and used as normal. If we'd want to test this input, we'd have to write the syntax, encode it and then submit the new URL, right? Well, not anymore. Consider the following example:
http://example.com/base64`1 and false`
What's happening here? It's really simple and, I think, pretty intuitive. The string delimited by the
`
character is being encoded using the Base64 cipher. This is also a feature that gets applied after you press the Execute button, just so you won't lose much time continuously encoding/decoding to write a simple syntax. To finish the example, this is what will result:http://example.com/MSBhbmQgZmFsc2U=
Pretty simple, right? The same thing can be achieved using other ciphers/hashing algorithms that are also available in the tool bar. You will find a working example for each of the shorcodes in the "Shortcodes" section.
Among the encoding functions, there is another useful element that allows you to write a shorter syntax for the union based SQL injections that require you to use a bunch of useless columns. I'm refering to those tables that have over 30 or 40 columns in their structure, which can also annoy you when you're writing a new syntax because a lot of the gibberish gets in your way.
But this has been taken care of, here comes the
~
character, which can be used between two integers (a, b) and if a <= b, it will automatically generate the interval between a and b with the numbers separated by commas. E.g.:1~7,database(),9~27
After the Execute is pressed, will become:
1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
Yet again, the real result is being displayed only on the browser's address bar. Your GET and POST field are still clean and simple.
But wait, there's more. If you need to insert a string and the quotes and apostrophes are filtered out by a WAF, you could use the CHAR() or CHR() function depending on your DBMS.
E.g. for MySQL:
mychar`string`
Will result in:
CHAR(115,116,114,105,110,103)
As I said, all of this is available in the "Shortcodes" section along with an example for each functionality.
HTTP Headers
Here you will find all the request made from when you opened the extension. This is exclusive for the inspected page, you will not find additional request for other browser components or open tabs that would get in your way.
You may assume this is working just like Network in the same Developer Tools, but what if I told you that you can edit every single request in here and resubmit it with the now data? Even more, you can add it to "Current Request" so you can edit it how many times you want and get the tool bar and history functionalities for the POST data.
If you click on a request, you can find out every single detail about that request and edit it as you want, just like on the Current Request section. Under every request's details you'll find two buttons, one "Send Modified Request", which allows you to re-submit the requests after you have modified them and the "Add to Current Request" button will copy the detaild to Current Request.
On the top of the HTTP Headers section you will find some filtering options, a button to stop recording future requests or clear the list.
Cookie Manager
This is not an exclusive section, so you can use it to modify every cookie even saved by your browser or just the ones for the current page. It's your choice.
Every row is a cookie and it contains every detail that can be altered for a cookie. At the top, again, you can filter them. If you erase everything from the "Domain" input, all the cookies wil be displayed. But please be careful with this option because if you have a lot of cookie, it can slow down the extension.
Every cookie has its own Save, Reset and Delete buttons, but bellow all you will find three global buttons.
"Add New" will allow you to insert a new cookie. "Remove All" will remove all the listed cookies, and "Reload" will refresh the list.
Form Handler
Here will be listed all the form found on the inspected page, to which you have access to modify and submit. To edit one, simplu click on it and the rest is pretty intuitive.
You can edit all the input boxes, add new ones or remove them.
Also, like in the Cookie Manager section, you will find a "Reload" button at the bottom.
Miscellaneous
Almost every setting in this section will either have global effect or none at all, not only for the inspected page.Krypton
Krypton is a multi-encoding tool. It has been implemented separately from the "Current Request" section, but it has almost all the same functionalities.
The encoding is done in real time, so if you want to code something, just insert it into the "Plain" field. By default, it will encode it using Base64, but if you select another tab, it will get encoded accordingly. Also, if you want to decode something, just select the category that suits your needs and paste the encoded string on the right input box.
There is also the "Remove Duplicates" button on the left side, if you need to remove the duplicate lines of a given text.
Proxy Manager
Here you can setup a proxy. You can also with this with TOR, that's why the option is there by default.
To activate a proxy after you have added it to the list, you must check the "Activate" check box, press Save and then check the Enable Proxy Manager check box at the bottom.
The best part about this manager is that you can activate multiple proxies at a time and will be used base on their availability. That is, when one fails, the next one will replace it and so on. Of course you will get notified when this happens via Chrome's notification system.
Overrides & Disablers
Here you can disable/enable the cookies, javascript, browser plug-ins, pop-ups, CSS, images and/or notifications. Those are only for the current page.
Also, at a global level, you can disable the browser history and setup a new default User Agent.
Filter Evasion & Prepared Statements
Here you will find a collection of bypassing methods and prepared queries for you to use and develop more easily a SQL injection syntax.
Đăng nhận xét Blogger Facebook