Seth,

On Fri, May 22, 2009 at 10:07 PM, se th <[email protected]> wrote:
> I made a little cms to exploit it in localhost. It can be downloaded from:
> http://asapload.com/222129
> http://www.mediafire.com/download.php?mfjntztejme
>
> MD5: 1722e37f69a919fc60c151177c2ba99d  cms.tar.gz
>
> I used pipper to find a login zone and then I used it again to brute
> force the password:
> ------------------------------
> s...@debian:~/pipper/pipper$ perl pipper
> "http://localhost/cms/whoami/[file]" -v file=logins.txt -hc 404
> ==[Options]============================================================================
>   Url            : http://localhost/cms/whoami/[file]
>   Vars           : file=logins.txt
>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>   Hide Codes     : 404
>   Download Page  : no (using HEADs)
>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
> 500 SrvError
> ==[Begin 
> 17:00]========================================================================
>   Server         : Apache/???
> =======================================================================================
>   #00001 200 6   24 cms/whoami/
>   #06000 301 6=  26 cms/whoami/idiomas
> ==[End]================================================================================
> s...@debian:~/pipper/pipper$ perl pipper
> "http://localhost/cms/whoami/[file].php" -v file=logins.txt -hc 404
> ==[Options]============================================================================
>   Url            : http://localhost/cms/whoami/[file].php
>   Vars           : file=logins.txt
>   Payloads Path  : /home/xxxxxxxxx/pipper/pipper
>   Hide Codes     : 404
>   Download Page  : no (using HEADs)
>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
> 500 SrvError
> ==[Begin 
> 17:08]========================================================================
>   Server         : Apache/???
> =======================================================================================
>   #00310 200 6   24 cms/whoami/admin.php
>   #06069 200 6   24 cms/whoami/index.php
> ==[End]================================================================================
> s...@debian:~/pipper/pipper$ perl pipper
> "http://localhost/cms/whoami/admin.php" pass=[file] -v file=big.txt
> -hw 63 -t 50
> ==[Options]============================================================================
>   Url            : http://localhost/cms/whoami/admin.php
>   Post Data      : pass=[file]
>   Vars           : file=big.txt
>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>   Hide Words     : 63
>   Download Page  : yes
>   Threads        : 50  - Payload : file - Aprox Requests : 3046
>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
> 500 SrvError
> ==[Begin 
> 18:37]========================================================================
>   Server         : Apache/???
> =======================================================================================
>   #02033 200 18  68 cms/whoami/admin.php pass=pass
> ==[End]================================================================================
> ------------------------
>
> It was very easy, of course, but I thought it could be easier with
> w3af. First I ran a scan with the two brute force plugins and some
> of the discovery ones, but it never found /cms/whoami/admin.php

The bruteforce plugins bruteforce logins, not URLs.

The discovery plugins should be held responsible for not finding
/cms/whoami/admin.php . Some questions to get a general idea:

- What target URL did you enter in w3af?
- Is the /cms/whoami/ directory linked from the main site?
- admin.php should be found with the pykto plugin, but only if you
enable "mutateTests", which is disabled by default because it
generates a lot of requests. This is the description of that
parameter: "Test all files with all root directories"

> I tried with all the plugins and it didn't work:
> ----------
> [vie 22 may 2009 21:37:00 ART] Server uses 204 instead of HTTP 404 error code.
> [vie 22 may 2009 21:37:28 ART] Your ISP has no transparent proxy.
> [vie 22 may 2009 21:37:28 ART] The remote HTTP Server ommited the
> "server" header in it's response. This information was found in the
> request with id 26685.
> [vie 22 may 2009 21:37:28 ART] webDiff plugin: You have to configure
> the local and remote directory to compare.
> [vie 22 may 2009 21:37:28 ART]
> [vie 22 may 2009 21:37:28 ART] **IMPORTANT** The following error was
> detected by w3af and couldn't be resolved: The xUrllib found too much
> consecutive errors. The remote webserver doesn't seem to be reachable
> anymore; please verify manually.

This is another completely different problem. Are you sure that you
specified the target correctly?

> [vie 22 may 2009 21:37:28 ART]
> [vie 22 may 2009 21:37:28 ART] Could not determine the language of the site.
> -----------
> I'm using XAMPP for linux 1.7.1
>
>
> Does w3af have a plugin to find URLs by brute forcing?

discovery.pykto

> how can I fix the xUrllib error?

specify the correct URL in the target =)

> was this email easy to understand?

Completely understandable

> I can write it in spanish if not

Not necessary

Cheers,




-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
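
Added example, not part of the original message and not code from w3af or pipper: the thread separates URL discovery from login brute forcing, and the two leave different traces in a web server access log. The sketch below labels clients by each pattern; the log lines, IP addresses and thresholds are constructed assumptions, and `miss_codes` is a parameter because the w3af output above reports a server answering 204 instead of 404.

```python
import re
from collections import defaultdict

# Apache combined-log style: ip, two ids, [time], "METHOD path proto", status
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify_clients(lines, min_requests=20, miss_ratio=0.9,
                     min_posts=20, miss_codes=("404",)):
    """Return {ip: set of labels} for clients matching either pattern."""
    stats = defaultdict(lambda: {"probes": 0, "miss": 0,
                                 "posts": defaultdict(int)})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["ip"]]
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST":
            s["posts"][path] += 1      # repeated POSTs to one form
        else:
            s["probes"] += 1           # GET/HEAD requests for resources
            if m["status"] in miss_codes:
                s["miss"] += 1
    verdicts = {}
    for ip, s in stats.items():
        labels = set()
        # Many requests that almost all miss: URL discovery with a wordlist.
        if s["probes"] >= min_requests and s["miss"] / s["probes"] >= miss_ratio:
            labels.add("url-enumeration")
        # Many POSTs to a single path: password guessing against a login.
        if any(n >= min_posts for n in s["posts"].values()):
            labels.add("login-guessing")
        if labels:
            verdicts[ip] = labels
    return verdicts

def constructed_sample(miss_status=404):
    """Constructed log lines for illustration only (not taken from the thread)."""
    fmt = '{ip} - - [22/May/2009:17:00:00 -0300] "{m} {p} HTTP/1.1" {s} 0 "-" "-"'
    lines = [fmt.format(ip="10.0.0.5", m="HEAD", p=f"/cms/whoami/word{i}",
                        s=miss_status) for i in range(40)]
    lines.append(fmt.format(ip="10.0.0.5", m="HEAD", p="/cms/whoami/admin.php", s=200))
    lines += [fmt.format(ip="10.0.0.6", m="POST", p="/cms/whoami/admin.php", s=200)
              for _ in range(30)]
    lines += [fmt.format(ip="10.0.0.7", m="GET", p="/cms/index.php", s=200)
              for _ in range(5)]
    return lines

if __name__ == "__main__":
    print(classify_clients(constructed_sample()))
```

On a server that answers 204 for missing pages, pass `miss_codes=("404", "204")`; with the default, the enumeration pattern is not labelled.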
