Tools

I’ve made a few things that I think are handy. I have no idea if they’ll be useful. I’ve learned not to rule it out: when I was eight, I wrote a program in C++ called “Smiley Maker 2.0,” and I ended up getting support emails about it for ten years.

GIFRead

GIFRead is my attempt at implementing a GIF reader by following the GIF89a spec, bit by bit. It prints just about every byte of the headers and color tables to the screen, with a description of each field. I couldn’t understand how LZW decompression is used from the spec without resorting to copying other implementations, so it doesn’t actually unravel the compressed data into an image.
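The field-by-field reading described above, as an added example (this is not GIFRead's own code): a Node.js reader for the fixed-size parts of a GIF file, with bounds checks so a truncated file is rejected instead of misread. The function name `readGifHeader` and the sample bytes are assumptions constructed for this example.

```javascript
// Added example: parse the GIF header, logical screen descriptor and
// global color table. Field layout follows the GIF89a spec.
function readGifHeader(buf) {
  if (buf.length < 13) {
    throw new RangeError("truncated: header + screen descriptor need 13 bytes");
  }
  const signature = buf.toString("latin1", 0, 3);
  const version = buf.toString("latin1", 3, 6);
  if (signature !== "GIF" || (version !== "87a" && version !== "89a")) {
    throw new Error("not a GIF: bad signature or version");
  }
  const packed = buf[10]; // bit 7: table flag, 6-4: resolution, 3: sort, 2-0: size
  const info = {
    signature,
    version,
    width: buf.readUInt16LE(6),   // all multi-byte fields are little-endian
    height: buf.readUInt16LE(8),
    hasGlobalColorTable: (packed & 0x80) !== 0,
    colorResolutionBits: ((packed >> 4) & 0x07) + 1,
    sorted: (packed & 0x08) !== 0,
    globalColorTableEntries: 0,
    backgroundColorIndex: buf[11],
    pixelAspectRatio: buf[12],
    globalColorTable: [],
  };
  if (info.hasGlobalColorTable) {
    // The size field N encodes 2^(N+1) entries of 3 bytes (R, G, B) each.
    info.globalColorTableEntries = 1 << ((packed & 0x07) + 1);
    const end = 13 + 3 * info.globalColorTableEntries;
    if (buf.length < end) throw new RangeError("truncated global color table");
    for (let off = 13; off < end; off += 3) {
      info.globalColorTable.push([buf[off], buf[off + 1], buf[off + 2]]);
    }
  }
  return info;
}

// Constructed sample: a 3x2 GIF89a prefix with a 4-entry global color table.
const SAMPLE = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // "GIF89a"
  0x03, 0x00, 0x02, 0x00,             // width 3, height 2
  0x91, 0x00, 0x00,                   // packed fields, background index, aspect
  0, 0, 0, 255, 0, 0, 0, 255, 0, 0, 0, 255, // black, red, green, blue
]);
console.log(readGifHeader(SAMPLE));
```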

Poison.js

Poison.js is not nearly as cool as the name suggests. It sends out malicious ARP replies using the Node cap library, which works using either libpcap or (when the moon is right) WinPcap. Its source code includes a perfect recreation/foul mockery of JavaScript’s typed arrays.

Orderbuster

Orderbuster is a Node.js script that extracts arbitrary data from a database using a URL vulnerable to an “ORDER BY” SQL injection point. It’s basically an automation of an attack I’d first seen written about by Joseph Keeler, in which data is smuggled out of a MySQL database one bit at a time by using varying sort directions based on the character codes of arbitrary data. It’ll accept cookies, so it works for testing authenticated SQL injection, too. It probably won’t work on multibyte characters, since it uses ASCII keycodes; clever use of multibyte characters in SQL injection is still a little over my head.