Andrés,

-----Original Message-----
From: Andres Riancho [mailto:[email protected]]
Sent: Wednesday, July 22, 2009 6:11 PM
To: Marthe Engebretsen
Cc: [email protected]
Subject: Re: [W3af-users] Blind SQL plugin - Too many retries

Marthe,

On Wed, Jul 22, 2009 at 12:23 PM, Marthe Engebretsen <[email protected]> wrote:
> Andrés,
>
> -----Original Message-----
> From: Andres Riancho [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 5:05 PM
> To: Marthe Engebretsen
> Cc: [email protected]
> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>
> Marthe,
>
> On Wed, Jul 22, 2009 at 11:51 AM, Marthe Engebretsen <[email protected]> wrote:
>>
>> -----Original Message-----
>> From: Andres Riancho [mailto:[email protected]]
>> Sent: Monday, July 20, 2009 4:27 PM
>> To: Marthe Engebretsen
>> Cc: [email protected]
>> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>>
>> Marthe,
>>
>> On Mon, Jul 20, 2009 at 11:22 AM, Marthe Engebretsen <[email protected]> wrote:
>>> Andrés,
>>>
>>> Marthe,
>>>
>>> On Mon, Jul 20, 2009 at 10:20 AM, Marthe Engebretsen <[email protected]> wrote:
>>>> Dear list,
>>>>
>>>> I've been testing W3AF for some weeks now, as part of a large project
>>>> concerning web application security and web application vulnerability
>>>> scanning. W3AF is one of my absolute favorites of the tools tested, but
>>>> recently I've got some problems when scanning my "known vulnerable test
>>>> site" for SQL Injections.
>>>>
>>>> In order to check how the tool manages blind SQL injections, my test site
>>>> has been modified to not show database error messages (MySQL database).
>>>> When the blindSqli plugin is enabled it only returns: "Too many retries
>>>> when trying to get: . URL.". I've tried to tune both the blindSqli plugin
>>>> settings and the http-settings, but I still get the same result.
>>>>
>>>> Any ideas on what the problem is, and how to get the plugin to work
>>>> properly?
>>>
>>> Are you using some kind of IPS, that could be closing TCP connections
>>> based on the packet payloads?
>>>
>>> No, there is no IPS. The test server is only protected by IP restrictions.
>>
>> Then I have no clue of what could be happening, I would need more
>> information, logs, etc. to be able to try to find what's happening.
>> Have you tried to use wireshark to see what's going bad at a TCP/IP
>> level? Usually this type of error is because of connection errors
>> at that level. Maybe packets are being dropped?
>>
>> Another idea: maybe you could run w3af with the output.textFile plugin
>> with the verbose parameter set to true, and analyze that?
>>
>> ---
>> I've had a look at the verbose textFile and found some interesting results,
>> even though it's not related to the "too many retries" problem.
>>
>> Why is this vulnerability just marked as "debug":
>>
>> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 OR 29=29 returned HTTP code "200" - id: 3728
>> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 AND 29=30 returned HTTP code "200" - id: 3729
>> [ 07/21/09 09:38:39 - debug ] Comparing secondTrueResponse and trueResponse.
>> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175
>> [ 07/21/09 09:38:39 - debug ] Comparing secondFalseResponse and falseResponse.
>> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667
>> [ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
>>
>> While this vulnerability is marked as "vulnerability":
>>
>> [ 07/21/09 09:47:21 - debug ] GET http://testsite/index.php?comment=1 or BENCHMARK(2500000,MD5(1))&p=movie&id=5 returned HTTP code "200" - id: 4268
>> [ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The modified parameter was "comment". This vulnerability was found in the request with id 4268.
>>
>> Is there a good explanation for this, or is it a bug?
>
> I think that you should see the same line, but with a vulnerability
> tag some lines below. Please let me know if you don't find it.
>
> ---
> When grepping for "vulnerability" only 33 debug entries are shown in addition
> to the one mentioned which has a vulnerability tag.

And the scan finished successfully?

---
Yes, the scan finished successfully.

Cheers,
Marthe Engebretsen

>>> --
>>> Andrés Riancho
>>> Founder, Bonsai - Information Security
>>> http://www.bonsai-sec.com/
>>> http://w3af.sf.net/

------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
