Hi,

I'll provide well-formatted patches in the future, thanks for the fix.

Yes. That works with Python and Perl. Verified it with a small HTML::Template and Pyramid Lab.

But in the real world, we won't win with echo/print. Maybe we should replace "print "/"echo " by %s and provide several options:
- print
- echo
- return
- self.append
- self.push
- etc.

Regards,
Dan

On 28.03.2012 at 15:11, Andres Riancho wrote:

> Daniel,
>
> On Tue, Mar 27, 2012 at 11:26 PM, Daniel Zulla
> <daniel.zu...@googlemail.com> wrote:
>> This patch *may* work. Untested.
>
> Applied the patch to the latest eval.py in our SVN, and tested using:
> * sudo python w3af_console -s scripts/script-eval.w3af
>
> This triggered various errors in the line where this was performed:
>     print_strings = [pstr % (self._rnd1, self._rnd2)
>                      for pstr in self.PRINT_STRINGS]
>
> Since there are two %s which are not correctly formatted in the
> proposed payloads.
>
> Worked a little bit around the patch and finally applied what's
> attached. That works with PHP, could you verify if it works with Perl
> and/or Python?
>
> PS: Sadly, the patch wasn't in the correct format so I could apply it
> with "patch -p0 < eval.py.patch"
>
>>> Dan,
>>>
>>> On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla
>>> <daniel.zu...@googlemail.com> wrote:
>>>> Hi there,
>>>> The "string1"."string2" --> .match("string1string2") strategy of eval.py
>>>> turned out to produce false positives when the webapp strips out
>>>> everything but [a-zA-Z0-9_-].
>>>>
>>>> Instead of "Error 404 "string1"."string2", string1string2 will be returned.
>>>> Why not implement it like this:
>>>>
>>>> Case 1) ."random_string"*5
>>>> Case 2) ."random_string"x5
>>>>
>>>> If the response content contains
>>>> "random_stringrandom_stringrandom_stringrandom_stringrandom_string" we can
>>>> be sure that it is not a false positive.
>>>>
>>>> What do you think?
>>>
>>> Sure! That's a good idea, I've been thinking about similar
>>> solutions to that problem too but never got to implement them. My two
>>> potential solutions were:
>>> - Do some math, maybe random_number+random_number and look for the
>>>   result of that
>>> - String replacement, 'abcdef'.replace('bcd', '111') and search for
>>>   a111ef
>>>
>>> Your idea is equally nice and valid. If I had to choose, I
>>> would choose the one that uses the smallest number of "special characters"
>>> (like single quotes, quotes, parentheses, etc.) in the payload being
>>> sent, and the one that uses the fewest characters overall (as a measure
>>> to reduce complexity). Taking those into account, I think that both
>>> the sum of two random numbers and the "string multiplication" are
>>> almost the same.
>>>
>>> Want to give it a try at the code and send a patch?
>>>
>>> Regards,
>>>
>>>> Best,
>>>> Dan
>>>>
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3af-develop@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
> <eval.py.patch>
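As an added example, not the thread's eval.py or the attached patch, a small Python sketch of the repetition strategy the thread settles on: the check expects a random marker repeated N times, which a sanitizer that strips everything but [a-zA-Z0-9_-] cannot reproduce, while the older concatenation check is fooled by exactly that sanitizer. The template names, the two mock targets and the marker values are constructed for the demo.

```python
import random
import re
import string

REPEAT = 5

# Payload templates with two format slots (marker, repeat count), in the
# spirit of the PRINT_STRINGS list, and a selectable output verb per entry.
PAYLOAD_TEMPLATES = {
    "python-print": 'print("%s" * %d)',
    "python-return": 'return "%s" * %d',
    "perl-print": 'print "%s" x %d;',
    "php-echo": 'echo str_repeat("%s", %d);',
}

def random_marker(length=8):
    # Letters only: the marker itself must survive a strict sanitizer.
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def build_payloads(marker, repeat=REPEAT):
    return {name: tpl % (marker, repeat) for name, tpl in PAYLOAD_TEMPLATES.items()}

def old_check(body, rnd1, rnd2):
    # Concatenation strategy: payload "rnd1"."rnd2" is expected back as rnd1rnd2.
    return (rnd1 + rnd2) in body

def new_check(body, marker, repeat=REPEAT):
    # Repetition strategy: only a real evaluation yields the marker REPEAT times.
    return (marker * repeat) in body

# Constructed mock targets standing in for HTTP responses (not real apps).
def sanitizing_target(payload):
    # Not vulnerable: strips everything but [a-zA-Z0-9_-] and echoes the rest.
    return "Error 404 " + re.sub(r"[^a-zA-Z0-9_-]", "", payload)

def eval_target(expr):
    # Deliberately unsafe mock of a vulnerable app evaluating its input.
    return "Result: " + str(eval(expr))

def demo(rnd1="abcd", rnd2="efgh"):
    # Returns (old check vs sanitizer, new check vs sanitizer, new check vs eval).
    false_positive = old_check(sanitizing_target('"%s"."%s"' % (rnd1, rnd2)), rnd1, rnd2)
    expr = '"%s" * %d' % (rnd1, REPEAT)
    return (false_positive,
            new_check(sanitizing_target(expr), rnd1),
            new_check(eval_target(expr), rnd1))
```

Running demo() shows the concatenation check reporting the sanitizing target as vulnerable while the repetition check flags only the target that actually evaluates the expression.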