2009/5/23 Andres Riancho <andres.riancho@gmail.com>:
> Seth,
>
> On Fri, May 22, 2009 at 10:07 PM, se th <xd.seth@gmail.com> wrote:
>> I made a little cms to exploit it on localhost. It can be downloaded from:
>> http://asapload.com/222129
>> http://www.mediafire.com/download.php?mfjntztejme
>>
>> MD5: 1722e37f69a919fc60c151177c2ba99d  cms.tar.gz
>>
>> I used pipper to find a login zone and then I used it again to brute
>> force the password:
>> ------------------------------
>> s...@debian:~/pipper/pipper$ perl pipper "http://localhost/cms/whoami/[file]" -v file=logins.txt -hc 404
>> ==[Options]============================================================================
>>   Url            : http://localhost/cms/whoami/[file]
>>   Vars           : file=logins.txt
>>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>>   Hide Codes     : 404
>>   Download Page  : no (using HEADs)
>>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound 500 SrvError
>> ==[Begin 17:00]========================================================================
>>   Server         : Apache/???
>> =======================================================================================
>>   #00001 200 6   24 cms/whoami/
>>   #06000 301 6=  26 cms/whoami/idiomas
>> ==[End]================================================================================
>> s...@debian:~/pipper/pipper$ perl pipper "http://localhost/cms/whoami/[file].php" -v file=logins.txt -hc 404
>> ==[Options]============================================================================
>>   Url            : http://localhost/cms/whoami/[file].php
>>   Vars           : file=logins.txt
>>   Payloads Path  : /home/xxxxxxxxx/pipper/pipper
>>   Hide Codes     : 404
>>   Download Page  : no (using HEADs)
>>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound 500 SrvError
>> ==[Begin 17:08]========================================================================
>>   Server         : Apache/???
>> =======================================================================================
>>   #00310 200 6   24 cms/whoami/admin.php
>>   #06069 200 6   24 cms/whoami/index.php
>> ==[End]================================================================================
>> s...@debian:~/pipper/pipper$ perl pipper "http://localhost/cms/whoami/admin.php" pass=[file] -v file=big.txt -hw 63 -t 50
>> ==[Options]============================================================================
>>   Url            : http://localhost/cms/whoami/admin.php
>>   Post Data      : pass=[file]
>>   Vars           : file=big.txt
>>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>>   Hide Words     : 63
>>   Download Page  : yes
>>   Threads        : 50  - Payload : file - Aprox Requests : 3046
>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound 500 SrvError
>> ==[Begin 18:37]========================================================================
>>   Server         : Apache/???
>> =======================================================================================
>>   #02033 200 18  68 cms/whoami/admin.php pass=pass
>> ==[End]================================================================================
>> ------------------------
>>
>> It was very easy, of course, but I thought it could be easier with
>> w3af. First I ran a scan with the two brute force plugins and some
>> of the discovery ones, but it never found /cms/whoami/admin.php
>
> The bruteforce plugins bruteforce logins, not URLs.
>
> The discovery plugins should be held responsible for not finding
> /cms/whoami/admin.php . Some questions to get a general idea:
>
> - What target URL did you enter in w3af?
> - Is the /cms/whoami/ directory linked from the main site?
> - admin.php should be found with the pykto plugin, but only if you
> enable "mutateTests", which is disabled by default because it
> generates a lot of requests. This is the description of that
> parameter: "Test all files with all root directories"
>
/cms/whoami is where I have the cms, and it is the URL I entered in w3af.
I didn't see mutateTests before; when I enabled it, admin.php was found.
I stopped the scan because it takes too long with these tests, but it
works.

>> I tried with all the plugins and it didn't work:
>> ----------
>> [vie 22 may 2009 21:37:00 ART] Server uses 204 instead of HTTP 404 error code.
>> [vie 22 may 2009 21:37:28 ART] Your ISP has no transparent proxy.
>> [vie 22 may 2009 21:37:28 ART] The remote HTTP Server ommited the
>> "server" header in it's response. This information was found in the
>> request with id 26685.
>> [vie 22 may 2009 21:37:28 ART] webDiff plugin: You have to configure
>> the local and remote directory to compare.
>> [vie 22 may 2009 21:37:28 ART]
>> [vie 22 may 2009 21:37:28 ART] **IMPORTANT** The following error was
>> detected by w3af and couldn't be resolved: The xUrllib found too much
>> consecutive errors. The remote webserver doesn't seem to be reachable
>> anymore; please verify manually.
>
> This is another completely different problem. Are you sure that you
> specified the target correctly?
>
>> [vie 22 may 2009 21:37:28 ART]
>> [vie 22 may 2009 21:37:28 ART] Could not determine the language of the site.
>> -----------
>> I'm using XAMPP for linux 1.7.1
>>
>>
>> Does w3af have a plugin to find URLs by bruteforcing?
>
> discovery.pykto
>
>> how can I fix the xUrllib error?
>
> specify the correct URL in the target =)
I don't remember what happened with this; some day, when I have time, I will look at it again.

>
>> was this email easy to understand?
>
> Completely understandable

great!

>
>> I can write it in Spanish if not
>
> Not necessary
>
> Cheers,
>
>>
>> ------------------------------------------------------------------------------
>> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
>> is a gathering of tech-side developers & brand creativity professionals. Meet
>> the minds behind Google Creative Lab, Visual Complexity, Processing, &
>> iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian
>> Group, R/GA, & Big Spaceship. http://www.creativitycat.com
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>


thanks for the help
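For the defender's side of what this thread shows, here is an added example (not from the thread, and not pipper's or w3af's code) that flags the two request patterns above in Apache access logs: a HEAD-based path sweep that draws many not-found answers, and a burst of POSTs to a single login page. The log lines are constructed and the thresholds are illustrative.

```python
import re
from collections import Counter
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# The w3af log in the thread notes a server answering 204 instead of 404,
# so both codes are treated as "nothing here" when counting misses.
NOT_FOUND = {"404", "204"}

# Constructed access log lines (not from the thread): a HEAD sweep under
# /cms/whoami/ at 17:00 and a POST burst against admin.php at 18:37.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2009:17:00:01 -0300] "HEAD /cms/whoami/ HTTP/1.1" 200 -
10.0.0.5 - - [22/May/2009:17:00:01 -0300] "HEAD /cms/whoami/backup HTTP/1.1" 404 -
10.0.0.5 - - [22/May/2009:17:00:01 -0300] "HEAD /cms/whoami/old HTTP/1.1" 404 -
10.0.0.5 - - [22/May/2009:17:00:02 -0300] "HEAD /cms/whoami/test HTTP/1.1" 404 -
10.0.0.5 - - [22/May/2009:17:00:02 -0300] "HEAD /cms/whoami/idiomas HTTP/1.1" 301 -
10.0.0.5 - - [22/May/2009:18:37:10 -0300] "POST /cms/whoami/admin.php HTTP/1.1" 200 412
10.0.0.5 - - [22/May/2009:18:37:10 -0300] "POST /cms/whoami/admin.php HTTP/1.1" 200 412
10.0.0.5 - - [22/May/2009:18:37:11 -0300] "POST /cms/whoami/admin.php HTTP/1.1" 200 412
10.0.0.5 - - [22/May/2009:18:37:11 -0300] "POST /cms/whoami/admin.php HTTP/1.1" 200 455
192.168.1.9 - - [22/May/2009:18:40:00 -0300] "GET /cms/whoami/index.php HTTP/1.1" 200 2048
"""

def parse(line):
    """Split one combined-log line into (ip, minute bucket, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts[:17], method, path, status   # "22/May/2009:17:00" = one-minute bucket

def detect(lines, miss_threshold=3, post_threshold=3):
    """Return (ip, minute, kind, detail) tuples: 'path-sweep' for many not-found
    answers per client per minute, 'login-burst' for many POSTs to one path."""
    misses, posts = Counter(), Counter()
    for rec in filter(None, map(parse, lines)):
        ip, minute, method, path, status = rec
        if status in NOT_FOUND:
            misses[(ip, minute)] += 1
        if method == "POST":
            posts[(ip, minute, path)] += 1
    findings = []
    for (ip, minute), n in misses.items():
        if n >= miss_threshold:
            findings.append((ip, minute, "path-sweep", f"{n} not-found responses"))
    for (ip, minute, path), n in posts.items():
        if n >= post_threshold:
            findings.append((ip, minute, "login-burst", f"{n} POSTs to {path}"))
    return findings
```

Run it as `detect(SAMPLE_LOG.splitlines())`; on real logs, tune the thresholds to the site's normal 404 rate so that ordinary broken links do not trip the sweep rule.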
