-----Original Message----- From: Andres Riancho [mailto:[email protected]] Sent: Monday, July 20, 2009 4:27 PM To: Marthe Engebretsen Cc: [email protected] Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
Marthe, On Mon, Jul 20, 2009 at 11:22 AM, Marthe Engebretsen<[email protected]> wrote: > Andrés, > > Marthe, > > On Mon, Jul 20, 2009 at 10:20 AM, Marthe > Engebretsen<[email protected]> wrote: >> Dear list, >> >> I've been testing W3AF for some weeks now, as part of a large project >> concerning web application security and web application vulnerability >> scanning. W3AF is one of my absolute favorites of the tools tested, but >> recently I've got some problems when scanning my "known vulnerable test >> site" for SQL Injections. >> >> In order to check how the tool manage blind SQL injections my test site has >> been modified to not show database error messages (MySQL-database). When the >> blindSqli plugin is enabled it only returns:" Too many retries when trying >> to get: . URL.". I've tried to tune both blindSqli-plugin settings and >> http-settings, but I still get the same result. >> >> Any ideas on what the problem is, and how to get the plugin to work >> properly? > > Are you using some kind of IPS, that could be closing TCP connections > based on the packet payloads? > > No, there are no IPS. The test server is only protected by IP restrictions. Then I have no clue of what could be happening, I would need more information, logs, etc. to be able to try to find what's happening. Have you tried to use wireshark to see what's going bad at a TCP/IP level? Usually these type of errors are because of connection errors at that level. Maybe packets are being dropped? Another idea: maybe you could run w3af with the output.textFile plugin with the verbose parameter set to true, and analyze that? --- I've had a look in the verbose textFile and found some interesting results, even though it's not related to the "too many retries"-problem. Why is this vulnerability just marked as "debug": [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 OR 29=29 returned HTTP code "200" - id: 3728 [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 AND 29=30 returned HTTP code "200" - id: 3729 [ 07/21/09 09:38:39 - debug ] Comparing secondTrueResponse and trueResponse. [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175 [ 07/21/09 09:38:39 - debug ] Comparing secondFalseResponse and falseResponse. [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667 [ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php";, using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729. While this vulnerability is marked as "vulnerability": [ 07/21/09 09:47:21 - debug ] GET http://testsite/index.php?comment=1 or BENCHMARK(2500000,MD5(1))&p=movie&id=5 returned HTTP code "200" - id: 4268 [ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php";, using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The modified parameter was "comment". This vulnerability was found in the request with id 4268. Is there a good explanation for this, or is it a bug? Cheers, Marthe Engebretsen > >> >> ------------------------------------------------------------------------------ >> Enter the BlackBerry Developer Challenge >> This is your chance to win up to $100,000 in prizes! For a limited time, >> vendors submitting new applications to BlackBerry App World(TM) will have >> the opportunity to enter the BlackBerry Developer Challenge. See full prize >> details at: http://p.sf.net/sfu/Challenge >> _______________________________________________ >> W3af-users mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/w3af-users >> >> > > > > -- > Andrés Riancho > Founder, Bonsai - Information Security > http://www.bonsai-sec.com/ > http://w3af.sf.net/ > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ ------------------------------------------------------------------------------ _______________________________________________ W3af-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/w3af-users
