[W3af-users] Shell shock plugin for w3af: Done!
List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Shell shock plugin for w3af: Done!
i keep trying to run the git version of w3af and it says that phply is missing, yet I have it: /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info /usr/local/lib/python2.7/dist-packages/phply.egg-link /usr/local/lib/python2.7/dist-packages/phply/phpast.py /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc /usr/local/lib/python2.7/dist-packages/phply/phplex.py /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc /usr/local/lib/python2.7/dist-packages/phply/phpparse.py /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc /usr/local/lib/python2.7/dist-packages/phply/pythonast.py /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt On 09/25/2014 03:22 PM, Andres Riancho wrote: List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Shell shock plugin for w3af: Done!
Check the github repository issues, mailing list, etc. This issue (for mac?) has workarounds documented somewhere On Thu, Sep 25, 2014 at 1:04 PM, Ali Khalfan ali.khal...@gmail.com wrote: i keep trying to run the git version of w3af and it says that phply is missing, yet I have it: /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info /usr/local/lib/python2.7/dist-packages/phply.egg-link /usr/local/lib/python2.7/dist-packages/phply/phpast.py /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc /usr/local/lib/python2.7/dist-packages/phply/phplex.py /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc /usr/local/lib/python2.7/dist-packages/phply/phpparse.py /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc /usr/local/lib/python2.7/dist-packages/phply/pythonast.py /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt On 09/25/2014 03:22 PM, Andres Riancho wrote: List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Shell shock plugin for w3af: Done!
nah kali, i just commented out the dependency_check line in the console Original Message Subject: Re: [W3af-users] Shell shock plugin for w3af: Done! From: Andres Riancho andres.rian...@gmail.com To: Ali Khalfan ali.khal...@gmail.com CC: w3af-users@lists.sourceforge.net w3af-users@lists.sourceforge.net Date: Thu Sep 25 2014 19:18:36 GMT+0300 (AST) Check the github repository issues, mailing list, etc. This issue (for mac?) has workarounds documented somewhere On Thu, Sep 25, 2014 at 1:04 PM, Ali Khalfan ali.khal...@gmail.com wrote: i keep trying to run the git version of w3af and it says that phply is missing, yet I have it: /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info /usr/local/lib/python2.7/dist-packages/phply.egg-link /usr/local/lib/python2.7/dist-packages/phply/phpast.py /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc /usr/local/lib/python2.7/dist-packages/phply/phplex.py /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc /usr/local/lib/python2.7/dist-packages/phply/phpparse.py /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc /usr/local/lib/python2.7/dist-packages/phply/pythonast.py /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt On 09/25/2014 03:22 PM, Andres Riancho wrote: List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Shell shock plugin for w3af: Done!
Ali, You can use curl -Htest: ... http://foo.com/ to verify Replace ... with the bash exploit On Thu, Sep 25, 2014 at 2:11 PM, Ali Khalfan ali.khal...@gmail.com wrote: Andres, Is there a way I could manually verify a url? (as in using Nmap or wget and checking the response) I did it twice on a url and once it says it was vulnerable and the other says it wasn't On ٢٥ سبتمبر، ٢٠١٤ ٧:١٨:٣٦ م GMT+03:00, Andres Riancho andres.rian...@gmail.com wrote: Check the github repository issues, mailing list, etc. This issue (for mac?) has workarounds documented somewhere On Thu, Sep 25, 2014 at 1:04 PM, Ali Khalfan ali.khal...@gmail.com wrote: i keep trying to run the git version of w3af and it says that phply is missing, yet I have it: /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info /usr/local/lib/python2.7/dist-packages/phply.egg-link /usr/local/lib/python2.7/dist-packages/phply/phpast.py /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc /usr/local/lib/python2.7/dist-packages/phply/phplex.py /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc /usr/local/lib/python2.7/dist-packages/phply/phpparse.py /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc /usr/local/lib/python2.7/dist-packages/phply/pythonast.py /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt On 09/25/2014 03:22 PM, Andres Riancho wrote: List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users
Re: [W3af-users] Shell shock plugin for w3af: Done!
thanks, I was wondering I tried with pinc -c 1 , and ping -c 30 didn't notice any difference , would that be significant ? Original Message Subject: Re: [W3af-users] Shell shock plugin for w3af: Done! From: Andres Riancho andres.rian...@gmail.com To: Ali Khalfan ali.khal...@gmail.com CC: w3af-users@lists.sourceforge.net w3af-users@lists.sourceforge.net Date: Thu Sep 25 2014 20:19:36 GMT+0300 (AST) Ali, You can use curl -Htest: ... http://foo.com/ to verify Replace ... with the bash exploit On Thu, Sep 25, 2014 at 2:11 PM, Ali Khalfan ali.khal...@gmail.com wrote: Andres, Is there a way I could manually verify a url? (as in using Nmap or wget and checking the response) I did it twice on a url and once it says it was vulnerable and the other says it wasn't On ٢٥ سبتمبر، ٢٠١٤ ٧:١٨:٣٦ م GMT+03:00, Andres Riancho andres.rian...@gmail.com wrote: Check the github repository issues, mailing list, etc. This issue (for mac?) has workarounds documented somewhere On Thu, Sep 25, 2014 at 1:04 PM, Ali Khalfan ali.khal...@gmail.com wrote: i keep trying to run the git version of w3af and it says that phply is missing, yet I have it: /usr/local/lib/python2.7/dist-packages/phply-0.9.1-nspkg.pth /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info /usr/local/lib/python2.7/dist-packages/phply.egg-link /usr/local/lib/python2.7/dist-packages/phply/phpast.py /usr/local/lib/python2.7/dist-packages/phply/phpast.pyc /usr/local/lib/python2.7/dist-packages/phply/phplex.py /usr/local/lib/python2.7/dist-packages/phply/phplex.pyc /usr/local/lib/python2.7/dist-packages/phply/phpparse.py /usr/local/lib/python2.7/dist-packages/phply/phpparse.pyc /usr/local/lib/python2.7/dist-packages/phply/pythonast.py /usr/local/lib/python2.7/dist-packages/phply/pythonast.pyc /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/PKG-INFO /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/SOURCES.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/dependency_links.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/installed-files.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/namespace_packages.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/not-zip-safe /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/requires.txt /usr/local/lib/python2.7/dist-packages/phply-0.9.1.egg-info/top_level.txt On 09/25/2014 03:22 PM, Andres Riancho wrote: List, Take a look at the w3af plugin I've just finished coding [0], it detects shell shock vulnerabilities by using time delays. Pull requests with improvements are welcome :) [0] https://gist.github.com/andresriancho/4ef11d75c1f517c24f94 Regards, Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311iu=/4140/ostg.clktrk ___ W3af-users mailing list W3af-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-users