Automatic SQL injection and database takeover tool.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

Automated All-in-One OS Command Injection Exploitation Tool.
Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

As of release, combination of userland (--usermode) and Kernel-land (--kernelmode) techniques were used to dump LSASS memory under EDR scrutiny, without being blocked nor generating "OS Credential Dumping"-related events in the product (cloud) console. The tests were performed on 3 distinct EDR products and were successful in each case.

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

Welcome to RasPwn OS, The intentionally vulnerable image for the Raspberry Pi.

Raspwn OS is a GNU/Linux distro in the spirit of Damn Vulnerable Linux and uses a Raspberry Pi 2B or 3 to emulate a vulnerable Linux Server. RasPwn was designed as a training tool and exists only to be attacked and pwned. Everything from the OS itself to the daemons and services to the web applications installed are all vulnerable to some degree. The idea is to provide a 'safe' (relatively) and affordable training environment and playground for hackers and pen-testers. By loading Raspwn OS and connecting to the Raspberry Pi via WiFi, one can practice pen-testing as well as both offensive and defensive hacking techniques without ever even getting on the internet for only around $50.