ALTAIR - A Modular Web Vulnerability Scanner Copyleft by Simone Margaritelli <evilsocket@gmail.com> http://www.evilsocket.net - http://www.backbox.org Usage: altair [options] -u <target> EXAMPLES: altair --filter=lfi,rfi --url=http://www.somesite.com altair --filter=sqli --load-modules=sqlmap --url=http://www.somesite.com Options: -h, --help show this help message and exit -t THREADS, --threads=THREADS Max simultaneous threads. -e ALLOWEDEXTENSIONS, --ext=ALLOWEDEXTENSIONS Comma separated allowed extensions. -a USERAGENT, --ua=USERAGENT Custom user agent. -d, --enable-delay Enable crawling delay. -s CRAWLDELAY, --crawl-delay=CRAWLDELAY Crawling delay in ms. -m MAXDIRECTORYDEPTH, --max-depth=MAXDIRECTORYDEPTH Max directory depth. -p, --enable-proxy Enable proxy support. -S PROXYSERVER, --proxy-server=PROXYSERVER Proxy server address. -P PROXYPORT, --proxy-port=PROXYPORT Proxy server port. -f KBFILTER, --filter=KBFILTER Comma separated ids of vulnerabilities to test, default to all, use the --list-ids flag to enumerate available ids. -I, --list-ids Print a list of available ids in the knowledge base to be used with the --filter flag. -k KBFILE, --kb=KBFILE Knowledge base file to use, default kb.xml. -L MODULES, --load-modules=MODULES Comma separated modules names to load or 'all' to load them all, use the --list-modules flag to a list of available modules. -M, --list-modules Print a list of available modules. -u URL, --url=URL Url to test, mandatory. -O OUTFILE, --output=OUTFILE Output status and result to file. --import-files=IMPORTFILES Import sensitive files list from this file. --import-dirs=IMPORTDIRS Import sensitive directories list from this file. --single-mode Single url mode, scan only this url for vulnerabilities (the URL has to have at least one parameter). ---------------------------------------------------------------------------------------- [evilsocket@shinigami altair] ./altair.py -I [xss] Cross Site Scriptings : A cross site scripting vulnerability, also known as XSS, is one of the most common vulnerabilities in web apps. The server does not check the users' input, and parses GET variables (can be done also through POST sometimes), without sanitizing them ahead of time. This allows users to inject html, javascript, or other code, through the page affected by this kind of bug. These injections occur client side (the server side code will be not modified), but the html stream that the user receives will contain the injected code . Usually this type of flaw is used to obtain private data such as cookies, data that often contains the credentials to access protected pages. [sqli] SQL Injections : An SQL injection, or SQL code injection, is another example of how a lack of checking user inputed data can undermine our site's security. Nowadays 90% of existing websites rely on a database to store contents such as news, articles, or simply to manage the users; this means that if not placed through an accurate checking process, the data send from an attacker can affect the information present in our database. An SQL injection, as the name itself suggests, is made by injecting arbitrary sql code in a variable sent to the website, both GET or POST, to obtain data from the db, data that would not be normally accessible . [rfi] Remote File Inclusions : A remote file inclusion happens when a page includes a file whose name is taken from a GET or POST variable that is not sanitized or checked ahead of time . [lfi] Local File Inclusions : A local file inclusion happens when a page includes a file whose name is taken from a GET or POST variable that is not sanitized or checked ahead of time . [files] Sensitive Files : Potential sensitive file . [dirs] Sensitive Directories : Potential sensitive directory . ---------------------------------------------------------------------------------------- [evilsocket@shinigami altair] altair -M [+] 'lfier' by Simone Margaritelli <evilsocket@gmail.com> : This module will try to read some standard system files upon LFI vulnerabilities. [+] 'sqlmap' by Simone Margaritelli <evilsocket@gmail.com> : This module will ask the user to launch sqlmap when a sql injection is found.