Marthe,

On Wed, Jul 22, 2009 at 11:51 AM, Marthe
Engebretsen<[email protected]> wrote:
>
>
> -----Original Message-----
> From: Andres Riancho [mailto:[email protected]]
> Sent: Monday, July 20, 2009 4:27 PM
> To: Marthe Engebretsen
> Cc: [email protected]
> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>
> Marthe,
>
> On Mon, Jul 20, 2009 at 11:22 AM, Marthe
> Engebretsen<[email protected]> wrote:
>> Andrés,
>>
>> Marthe,
>>
>> On Mon, Jul 20, 2009 at 10:20 AM, Marthe
>> Engebretsen<[email protected]> wrote:
>>> Dear list,
>>>
>>> I've been testing W3AF for some weeks now, as part of a large project
>>> concerning web application security and web application vulnerability
>>> scanning.  W3AF is one of my absolute favorites of the tools tested, but
>>> recently I've got some problems when scanning my "known vulnerable test
>>> site" for SQL Injections.
>>>
>>> In order to check how the tool manages blind SQL injections, my test site has
>>> been modified to not show database error messages (MySQL-database). When the
>>> blindSqli plugin is enabled it only returns: "Too many retries when trying
>>> to get: . URL.". I've tried to tune both blindSqli-plugin settings and
>>> http-settings, but I still get the same result.
>>>
>>> Any ideas on what the problem is, and how to get the plugin to work
>>> properly?
>>
>> Are you using some kind of IPS, that could be closing TCP connections
>> based on the packet payloads?
>>
>> No, there is no IPS. The test server is only protected by IP restrictions.
>
> Then I have no clue of what could be happening; I would need more
> information, logs, etc. to be able to try to find what's happening.
> Have you tried to use Wireshark to see what's going bad at a TCP/IP
> level? Usually these types of errors are because of connection errors
> at that level. Maybe packets are being dropped?
>
> Another idea: maybe you could run w3af with the output.textFile plugin
> with the verbose parameter set to true, and analyze that?
>
> ---
> I've had a look in the verbose textFile and found some interesting results, 
> even though it's not related to the "too many retries"-problem.
>
> Why is this vulnerability just marked as "debug":
> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 OR 29=29  returned HTTP code "200" - id: 3728
> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 AND 29=30  returned HTTP code "200" - id: 3729
> [ 07/21/09 09:38:39 - debug ] Comparing secondTrueResponse and trueResponse.
> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175
> [ 07/21/09 09:38:39 - debug ] Comparing secondFalseResponse and falseResponse.
> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667
> [ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
>
> While this vulnerability is marked as "vulnerability":
> [ 07/21/09 09:47:21 - debug ] GET http://testsite/index.php?comment=1 or BENCHMARK(2500000,MD5(1))&p=movie&id=5 returned HTTP code "200" - id: 4268
> [ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The modified parameter was "comment". This vulnerability was found in the request with id 4268.
>
> Is there a good explanation for this, or is it a bug?

I think that you should see the same line, but with a vulnerability
tag some lines below. Please let me know if you don't find it.

Cheers,

> Cheers,
> Marthe Engebretsen
>
>
>>
>>>
>>> _______________________________________________
>>> W3af-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
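
The check suggested in the reply above can be run mechanically over the verbose output.textFile log. This is an added example, not part of the original thread and not w3af code: it lists debug-level "Blind SQL injection was found" lines that have no identical vulnerability-level line further down. It assumes one log entry per line in the layout quoted in the thread; the sample log, including the "title" parameter and request ids 3900/3901, is constructed.

```python
import re

# Line layout taken from the excerpts quoted in the thread:
# [ MM/DD/YY HH:MM:SS - level ] message
LINE_RE = re.compile(r'^\[ (\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - (\w+) \] (.*)$')
FINDING = "Blind SQL injection was found"


def parse(log_text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def unreported_findings(log_text):
    """Return (timestamp, message) for debug-level findings that have no
    identical 'vulnerability'-level message later in the log."""
    entries = list(parse(log_text))
    missing = []
    for i, (ts, level, msg) in enumerate(entries):
        if level != "debug" or FINDING not in msg:
            continue
        reported = any(lvl == "vulnerability" and later == msg
                       for _, lvl, later in entries[i + 1:])
        if not reported:
            missing.append((ts, msg))
    return missing


# Constructed sample in the thread's log format (assumption: the real file
# is not line-wrapped the way the e-mail client wrapped it).
SAMPLE = """
[ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667
[ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
[ 07/21/09 09:38:40 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
[ 07/21/09 09:40:02 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "title". This vulnerability was found in the requests with ids 3900 and 3901.
[ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The modified parameter was "comment". This vulnerability was found in the request with id 4268.
"""

if __name__ == "__main__":
    for ts, msg in unreported_findings(SAMPLE):
        print(f"{ts}: debug-only finding: {msg}")
```

An empty result means every debug-level finding was also reported with the vulnerability tag, as the reply expects.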
