Seth,

On Tue, May 26, 2009 at 10:28 PM, se th <[email protected]> wrote:
> 2009/5/23 Andres Riancho <andres.rianchogmail.com>:
>> Seth,
>>
>> On Fri, May 22, 2009 at 10:07 PM, se th <xd.sethgmail.com> wrote:
>>> I made a little cms to exploit it in localhost. It can be downloaded from:
>>> http://asapload.com/222129
>>> http://www.mediafire.com/download.php?mfjntztejme
>>>
>>> MD5: 1722e37f69a919 fc60c151177c2b a99d  cms.tar.gz
>>>
>>> I used pipper to find a login zone and then I used it again to brute
>>> force the password:
>>> ------------------------------
>>> s...@debian:~/pipper/pipper$ perl pipper
>>> "http://localhost/cms/whoami/[file]"; -v file=logins.txt -hc 404
>>> ==[Options]============================================================================
>>>   Url            : http://localhost/cms/whoami/[file]
>>>   Vars           : file=logins.txt
>>>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>>>   Hide Codes     : 404
>>>   Download Page  : no (using HEADs)
>>>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
>>> 500 SrvError
>>> ==[Begin 17:00]========================================================================
>>>   Server         : Apache/???
>>> =======================================================================================
>>>   #00001 200 6   24 cms/whoami/
>>>   #06000 301 6=  26 cms/whoami/idiomas
>>> ==[End]================================================================================
>>> s...@debian:~/pipper/pipper$ perl pipper
>>> "http://localhost/cms/whoami/[file].php"; -v file=logins.txt -hc 404
>>> ==[Options]============================================================================
>>>   Url            : http://localhost/cms/whoami/[file].php
>>>   Vars           : file=logins.txt
>>>   Payloads Path  : /home/xxxxxxxxx/pipper/pipper
>>>   Hide Codes     : 404
>>>   Download Page  : no (using HEADs)
>>>   Threads        : 20  - Payload : file - Aprox Requests : 12220
>>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
>>> 500 SrvError
>>> ==[Begin 17:08]========================================================================
>>>   Server         : Apache/???
>>> =======================================================================================
>>>   #00310 200 6   24 cms/whoami/admin.php
>>>   #06069 200 6   24 cms/whoami/index.php
>>> ==[End]================================================================================
>>> s...@debian:~/pipper/pipper$ perl pipper
>>> "http://localhost/cms/whoami/admin.php"; pass=[file] -v file=big.txt
>>> -hw 63 -t 50
>>> ==[Options]============================================================================
>>>   Url            : http://localhost/cms/whoami/admin.php
>>>   Post Data      : pass=[file]
>>>   Vars           : file=big.txt
>>>   Payloads Path  : /home/xxxxxxxx/pipper/pipper
>>>   Hide Words     : 63
>>>   Download Page  : yes
>>>   Threads        : 50  - Payload : file - Aprox Requests : 3046
>>>   Response Codes : 200 OK 204 Empty 301 Mved 401 Unauth. 404 NotFound
>>> 500 SrvError
>>> ==[Begin 18:37]========================================================================
>>>   Server         : Apache/???
>>> =======================================================================================
>>>   #02033 200 18  68 cms/whoami/admin.php pass=pass
>>> ==[End]================================================================================
>>> ------------------------
>>>
>>> It was very easy, of course, but I thought it could be easier with
>>> w3af. First I ran a scan with the two brute force plugins and some
>>> of the discovery ones, but it never found /cms/whoami/admin.php
>>
>> The bruteforce plugins bruteforce logins, not URLs.
>>
>> The discovery plugins should be held responsible for not finding
>> /cms/whoami/admin.php . Some questions to get a general idea:
>>
>> - What target URL did you enter in w3af?
>> - Is the /cms/whoami/ directory linked from the main site?
>> - admin.php should be found with the pykto plugin, but only if you
>> enable "mutateTests", which is disabled by default because it
>> generates a lot of requests. This is the description of that
>> parameter: "Test all files with all root directories"
>>
> /cms/whoami is where I have the cms, and it is the URL I entered in w3af.
> I didn't see mutateTests before; when I enabled it, admin.php was
> found. I stopped the scan because it takes too long with these tests,
> but it works.

hmmm, ok.

This is why mutateTests is disabled by default. But it's needed... I
don't know, sometimes it's hard to decide which default is a good
default.

>>> I tried with all the plugins and it didn't work:
>>> ----------
>>> [vie 22 may 2009 21:37:00 ART] Server uses 204 instead of HTTP 404 error code.
>>> [vie 22 may 2009 21:37:28 ART] Your ISP has no transparent proxy.
>>> [vie 22 may 2009 21:37:28 ART] The remote HTTP Server ommited the
>>> "server" header in it's response. This information was found in the
>>> request with id 26685.
>>> [vie 22 may 2009 21:37:28 ART] webDiff plugin: You have to configure
>>> the local and remote directory to compare.
>>> [vie 22 may 2009 21:37:28 ART]
>>> [vie 22 may 2009 21:37:28 ART] **IMPORTANT** The following error was
>>> detected by w3af and couldn't be resolved: The xUrllib found too much
>>> consecutive errors. The remote webserver doesn't seem to be reachable
>>> anymore; please verify manually.
>>
>> This is another completely different problem. Are you sure that you
>> specified the target correctly?
>>
>>> [vie 22 may 2009 21:37:28 ART]
>>> [vie 22 may 2009 21:37:28 ART] Could not determine the language of the site.
>>> -----------
>>> I'm using XAMPP for Linux 1.7.1
>>>
>>>
>>> Does w3af have a plugin to find URLs by brute forcing?
>>
>> discovery.pykto
>>
>>> how can I fix the xUrllib error?
>>
>> specify the correct URL in the target =)
> I don't remember what happened with this; some day, when I have time, I will look at it
> again
>
>>
>>> was this email easy to understand?
>>
>> Completely understandable
>
> great!
>
>>
>>> I can write it in Spanish if not
>>
>> Not necessary
>>
>> Cheers,
>>
>>>
>>> ------------------------------------------------------------------------------
>>> Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT
>>> is a gathering of tech-side developers & brand creativity professionals. 
>>> Meet
>>> the minds behind Google Creative Lab, Visual Complexity, Processing, &
>>> iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian
>>> Group, R/GA, & Big Spaceship. http://www.creativitycat.com
>>> _______________________________________________
>>> W3af-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>
>
> thanks for the help
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
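The two pipper runs quoted above (HEAD-based URL enumeration with 404s hidden on the client side, then POSTed password guesses against admin.php) leave a distinctive trace in the web server's access log, which is the defender's side of this thread. The Python below is an added example, not code from this thread, from w3af or from pipper: it parses Apache common/combined log lines and flags both patterns per client within a sliding time window. The log lines, hostnames, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix shared by Apache common and combined log formats (XAMPP's default).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def detect(lines, window_s=60, max_404=50, max_posts=20):
    """Return {ip: set(alerts)}. Per client, within any window_s-second window:
    a burst of 404s means URL enumeration (the scanner's '-hc 404' only hides
    misses from the scanner's operator; the server still logs every one), and a
    burst of POSTs to a single path means password guessing against a form."""
    per_ip = defaultdict(list)
    for line in lines:
        r = parse(line)
        if r:
            per_ip[r["ip"]].append(r)
    alerts = defaultdict(set)
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):  # window anchored at each request
            win = [r for r in reqs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if sum(r["status"] == 404 for r in win) >= max_404:
                alerts[ip].add("url-enumeration")
            posts = defaultdict(int)
            for r in win:
                if r["method"] == "POST":
                    posts[r["path"]] += 1
            for path, n in posts.items():
                if n >= max_posts:
                    alerts[ip].add("password-bruteforce:" + path)
    return dict(alerts)

def sample_log():
    """Constructed sample traffic (not a real capture): one client HEAD-enumerates
    /cms/whoami/ and then POSTs guesses to admin.php; one visitor browses normally."""
    fmt = '{ip} - - [22/May/2009:{t} -0300] "{m} {p} HTTP/1.0" {s} -'
    lines = [fmt.format(ip="10.0.0.5", t="17:00:%02d" % s, m="HEAD",
                        p="/cms/whoami/guess%d" % s, s=404) for s in range(60)]
    lines += [fmt.format(ip="10.0.0.5", t="18:37:%02d" % s, m="POST",
                         p="/cms/whoami/admin.php", s=200) for s in range(25)]
    lines += [fmt.format(ip="192.0.2.9", t="17:05:%02d" % s, m="GET",
                         p="/cms/whoami/", s=200) for s in range(3)]
    return lines
```

Tune `window_s`, `max_404` and `max_posts` to the site's normal traffic; the thresholds here are only chosen so the constructed sample trips both rules.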

