HackBar
# In general

This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of Google :)

# The advantages are:

- Even the most complicated URLs will be readable
- The focus will stay on the textarea, so after executing the URL (ctrl+enter) you can just go on typing / testing
- The URL in the textarea is not affected by redirects.
- I tend to use it as a notepad :)
- Useful tools like on-the-fly UU/URL decoding etc.
- All functions work on the currently selected text.

# Load url ( alt a )

This loads the URL of the current page into the textarea.

# Split url ( alt s )

When this button is clicked, the URL/text in the textarea will be split into multiple lines using the ? and & characters.

# Execute ( alt x, ctrl enter )

This will execute the current URL in the textarea; I mostly use ctrl+enter.

# INT -1 ( alt - )

First select a number in the textarea and press this button; the number will be lowered by 1 and the URL will be loaded.

# INT +1 ( alt + )

Again, first select a number in the textarea and press this button; 1 will be added to the number and the URL will be loaded.

# MD5 Hash ( alt m )

MD5 is a standard hashing method, often used for storing password hashes. This button will MD5 hash the currently selected string.

# MySQL CHAR() ( alt y )

If quotes are escaped but you did find an SQL injection that's exploitable, you can use this button to convert, let's say:

load_file('/etc/passwd') --> load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))

thus omitting the use of quotes to load a file. You can also use this on:

WHERE foo LIKE ('%bar%') --> WHERE foo LIKE (CHAR(37, 98, 97, 114, 37))

# MsSQL CHAR() ( alt q )

Same story as MySQL CHAR(); MsSQL has a slightly different CHAR syntax (one CHAR() per character, joined with +):

WHERE foo LIKE ('%bar%') --> WHERE foo LIKE ( CHAR(37) + CHAR(98) + CHAR(97) + CHAR(114) + CHAR(37))

# Base64 encode / decode

Base64 encoding (UU) is often used to store data (like a return URL etc.). This will help you to read those values.

# URLencode / decode

This will encode or decode the currently selected characters to URL-safe characters. I mostly use it to end a query with # (%23) when in a pseudo path where I can't use /* or --
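The Split url, URLdecode and CHAR() sections above describe transformations that are easy to recognise from the defender's side as well. The script below is an added example, not HackBar's own code: it takes a request URL as it would appear in a web server log, splits it on ? and & the way HackBar does, URL-decodes each parameter, and decodes MySQL `CHAR(47, 101, ...)` and MsSQL `CHAR(37) + CHAR(98) ...` literals back into the string they build, so a log reviewer sees what the quote-free literal stood for. The function names (`splitUrl`, `decodeCharLiterals`, `analyzeRequest`) and the sample request lines are constructed for this example.

```javascript
// Added example (not part of HackBar): reverse the CHAR() trick from the
// log-review side. Quote escaping does not stop these literals, which is why
// parameterised queries, not escaping, are the real fix.

// HackBar's "Split url": path first, then one line per & separated parameter.
function splitUrl(url) {
  const q = url.indexOf("?");
  if (q === -1) return [url];
  return [url.slice(0, q), ...url.slice(q + 1).split("&")];
}

// One CHAR(...) group with comma separated codes (MySQL form), optionally
// chained with + to further CHAR(...) groups (MsSQL form).
const CHAR_CHAIN =
  /CHAR\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)(?:\s*\+\s*CHAR\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\))*/gi;

// Replace every CHAR() chain in an SQL fragment with the quoted string it
// builds; returns the rewritten text and how many chains were found.
function decodeCharLiterals(sql) {
  let count = 0;
  const decoded = sql.replace(CHAR_CHAIN, (chain) => {
    count += 1;
    const codes = chain.match(/\d+/g).map(Number);
    const text = String.fromCharCode(...codes);
    return "'" + text.replace(/'/g, "''") + "'";
  });
  return { decoded, count };
}

// Split a logged request URL, URL-decode each parameter value and report the
// parameters that carried a CHAR() literal, with the literal decoded.
function analyzeRequest(url) {
  const [path, ...params] = splitUrl(url);
  const findings = [];
  for (const p of params) {
    const eq = p.indexOf("=");
    const name = eq === -1 ? p : p.slice(0, eq);
    const raw = eq === -1 ? "" : p.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw.replace(/\+/g, " "));
    } catch (e) {
      value = raw; // malformed percent-encoding: keep the raw value
    }
    const { decoded, count } = decodeCharLiterals(value);
    if (count > 0) findings.push({ path, name, decoded });
  }
  return findings;
}

// Constructed sample request lines; the CHAR() values mirror the two
// conversions shown on this page ('/etc/passwd' and '%bar%').
const SAMPLE_REQUESTS = [
  "/index.php?page=home",
  "/index.php?id=load_file(CHAR(47,%20101,%20116,%2099,%2047,%20112,%2097,%20115,%20115,%20119,%20100))",
  "/search.aspx?q=foo%20LIKE%20(CHAR(37)%20%2B%20CHAR(98)%20%2B%20CHAR(97)%20%2B%20CHAR(114)%20%2B%20CHAR(37))",
];

for (const url of SAMPLE_REQUESTS) {
  for (const f of analyzeRequest(url)) {
    console.log(`${f.path} param ${f.name}: ${f.decoded}`);
  }
}
```

Run with `node` to list the decoded literals for the two sample requests; the first request, which has no CHAR() chain, produces no finding. The regex deliberately accepts both the MySQL comma form and the MsSQL + form in one pass, so a single rule covers both dialects described on this page.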
Supported versions: Firefox 1.5 - 2.0.0.* ALL
Notes / Comments: Version 1.0

- Integer up/down on a selected string
- MD5 hash a selected string
- MySQL CHAR() a selected string
- MsSQL CHAR() a selected string
- Base64 (UU) encode/decode a selected string
- URL encode/decode a selected string
- Resize textfield +-
- Ctrl-Enter executes the URL
Categories: Developer Tools

Screenshots (captions only; images not included):

- Load current URL
- Split the url using the & and ? characters
- Resize the textarea
- Add +1 or -1 to the selected number
- MD5 Hash the selected text
- MySQL CHAR() the selected string
- HackBar