Elusive Thoughts is proud to present the Teenage Mutant Ninja Turtles project.
What is Teenage Mutant Ninja Turtles?
The Teenage Mutant Ninja Turtles project is three things:
- A Web Application payload database (heavily based on the fuzzdb project for now).
- A Web Application error database.
- A Web Application payload mutator.
When you test a Web Application all you need is a fuzzer and ammunition:
"I saw clearly that war was upon us when I learned that my young men had been secretly buying ammunition."
Ammunition is what you use for fuzzing, and the weapon is the fuzzer itself. The project called teenage-mutant-ninja-turtles is an open source payload mutator, nothing more, nothing less. With teenage-mutant-ninja-turtles you will be able to generate obfuscated payloads for testing all sorts of attacks, such as XSS, SQL Injection etc. The project is at version 1.1 and currently supports only SQL Injection fuzzing. Later on I will add support for fuzzdb and all types of attacks. Maybe later it will become a complete Web Application Scanner, who knows. If you are interested, please contact me to participate.
The Teenage Mutant Ninja Turtles in action
The following screenshot shows the tool banner (yes it has a banner!!):
The Teenage Mutant Turtle is a Web Application payload database for performing black box Web Application penetration tests (it also supports banner displaying!!!). More specifically, it is:
- A collection of known attack patterns focused on Web Application input validation attacks (e.g. SQL Injection, XSS attacks etc.)
- A collection of error messages produced by malicious and malformed user inputs, which you can use with Burp Intruder or other grep-like utilities to identify and verify vulnerabilities when fuzzing.
- An easy-to-use Python script that helps you obfuscate payloads for bypassing custom Web Application filters.
The Teenage Mutant Ninja Turtles features
Currently Teenage Mutant Ninja Turtles (tmnt) supports the following features:
- Generic payload URL encoding.
- Generic payload Base64 encoding.
- SQL keyword case variation (e.g. converts SELECT to SeLeCt etc.).
- Generic payload de-duplication (e.g. removing duplicate payload lines).
- SQL Injection prefix adder (e.g. adding EXEC to the beginning of the payload etc.).
- SQL Injection post-fix adder (e.g. adding ); -- to the end of the payload etc.).
There are more features to come...
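From the filter side, the encodings listed above are the reason a custom input filter has to canonicalize before it matches. The following is an added example, not code from tmnt: the keyword list, the function names and the sample strings are all constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed demo blocklist; every name in this block is an assumption, not tmnt code.
SQL_KEYWORDS = re.compile(r"\b(select|union|exec)\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def canonicalize(value, max_rounds=5):
    """Peel URL and Base64 layers until the value stops changing, then fold case."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if len(decoded) % 4 == 0 and B64_RE.fullmatch(decoded):
            try:
                text = base64.b64decode(decoded, validate=True).decode("utf-8")
                if text.isprintable():
                    decoded = text
            except ValueError:
                pass  # looked like Base64 but was not; keep the URL-decoded form
        if decoded == value:
            break
        value = decoded
    return value.casefold()

def naive_filter(value):
    """Case-sensitive keyword match on the raw input."""
    return bool(re.search(r"\b(SELECT|UNION|EXEC)\b", value))

def canonical_filter(value):
    return bool(SQL_KEYWORDS.search(canonicalize(value)))

# Constructed samples: one plain string and the listed encodings of it.
PLAIN = "1 UNION SELECT 1"
SAMPLES = {
    "plain": PLAIN,
    "case variation": "1 UnIoN SeLeCt 1",
    "url encoded": "1%20UnIoN%20SeLeCt%201",
    "double url encoded": "1%2520UNION%2520SELECT%25201",
    "base64": base64.b64encode(PLAIN.encode()).decode(),
    "benign": "blue widgets",
}

def compare(samples=SAMPLES):
    """Return {label: (naive_hit, canonical_hit)} for each sample."""
    return {k: (naive_filter(v), canonical_filter(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for label, hits in compare().items():
        print(f"{label:20} naive={hits[0]!s:5} canonical={hits[1]}")
```

Only the plain sample trips the naive filter; the canonicalizing filter flags every encoded variant and still passes the benign string. Keyword matching of this kind is a detection aid, and parameterized queries remain the actual fix for SQL Injection.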