Marthe,
On Thu, Jul 23, 2009 at 3:47 AM, Marthe
Engebretsen<[email protected]> wrote:
> Andrés,
>
> -----Original Message-----
> From: Andres Riancho [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 6:11 PM
> To: Marthe Engebretsen
> Cc: [email protected]
> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>
> Marthe,
>
> On Wed, Jul 22, 2009 at 12:23 PM, Marthe
> Engebretsen<[email protected]> wrote:
>> Andrés,
>>
>> -----Original Message-----
>> From: Andres Riancho [mailto:[email protected]]
>> Sent: Wednesday, July 22, 2009 5:05 PM
>> To: Marthe Engebretsen
>> Cc: [email protected]
>> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>>
>> Marthe,
>>
>> On Wed, Jul 22, 2009 at 11:51 AM, Marthe
>> Engebretsen<[email protected]> wrote:
>>>
>>>
>>> -----Original Message-----
>>> From: Andres Riancho [mailto:[email protected]]
>>> Sent: Monday, July 20, 2009 4:27 PM
>>> To: Marthe Engebretsen
>>> Cc: [email protected]
>>> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>>>
>>> Marthe,
>>>
>>> On Mon, Jul 20, 2009 at 11:22 AM, Marthe
>>> Engebretsen<[email protected]> wrote:
>>>> Andrés,
>>>>
>>>> Marthe,
>>>>
>>>> On Mon, Jul 20, 2009 at 10:20 AM, Marthe
>>>> Engebretsen<[email protected]> wrote:
>>>>> Dear list,
>>>>>
>>>>> I've been testing W3AF for some weeks now, as part of a large project
>>>>> concerning web application security and web application vulnerability
>>>>> scanning. W3AF is one of my absolute favorites of the tools tested, but
>>>>> recently I've had some problems when scanning my "known vulnerable test
>>>>> site" for SQL injections.
>>>>>
>>>>> In order to check how the tool manages blind SQL injections, my test site
>>>>> has been modified to not show database error messages (MySQL database).
>>>>> When the blindSqli plugin is enabled it only returns: "Too many retries
>>>>> when trying to get: . URL.". I've tried to tune both the blindSqli plugin
>>>>> settings and the http-settings, but I still get the same result.
>>>>>
>>>>> Any ideas on what the problem is, and how to get the plugin to work
>>>>> properly?
>>>>
>>>> Are you using some kind of IPS, that could be closing TCP connections
>>>> based on the packet payloads?
>>>>
>>>> No, there are no IPS. The test server is only protected by IP restrictions.
>>>
>>> Then I have no clue what could be happening; I would need more
>>> information, logs, etc. to be able to try to find out what's happening.
>>> Have you tried using Wireshark to see what's going wrong at the TCP/IP
>>> level? Usually these types of errors are because of connection errors
>>> at that level. Maybe packets are being dropped?
>>>
>>> Another idea: maybe you could run w3af with the output.textFile plugin
>>> with the verbose parameter set to true, and analyze that?
>>>
>>> ---
>>> I've had a look in the verbose textFile and found some interesting results,
>>> even though it's not related to the "too many retries"-problem.
>>>
>>> Why is this vulnerability just marked as "debug":
>>> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 OR 29=29 returned HTTP code "200" - id: 3728
>>> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 AND 29=30 returned HTTP code "200" - id: 3729
>>> [ 07/21/09 09:38:39 - debug ] Comparing secondTrueResponse and trueResponse.
>>> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175
>>> [ 07/21/09 09:38:39 - debug ] Comparing secondFalseResponse and falseResponse.
>>> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667
>>> [ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
>>>
>>> While this vulnerability is marked as "vulnerability":
>>> [ 07/21/09 09:47:21 - debug ] GET http://testsite/index.php?comment=1 or BENCHMARK(2500000,MD5(1))&p=movie&id=5 returned HTTP code "200" - id: 4268
>>> [ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The modified parameter was "comment". This vulnerability was found in the request with id 4268.
>>>
>>> Is there a good explanation for this, or is it a bug?
>>
>> I think that you should see the same line, but with a vulnerability
>> tag some lines below. Please let me know if you don't find it.
>>
>> ---
>> When grepping for "vulnerability", only 33 debug entries are shown in
>> addition to the one mentioned, which has a vulnerability tag.
>
> And the scan finished successfully?
>
> ---
> Yes, the scan finished successfully.
Reading the audit.bSqli plugin, I found this:

    if (response_diff != None and time_delay != None) or response_diff != None:
        om.out.vulnerability( response_diff.getDesc() )
        kb.kb.append(self, 'blindSqli', response_diff)
    elif time_delay != None:
        om.out.vulnerability( time_delay.getDesc() )
        kb.kb.append(self, 'blindSqli', time_delay)

First of all, "(response_diff != None and time_delay != None) or
response_diff != None:" doesn't make any sense; it's the same as
"response_diff != None", so I changed it and committed it to SVN.
Before the if statement the real logic for finding SQL injections is
performed, and inside that logic om.out.debug() is called. The
thing is that it should be working... it should be doing the
om.out.debug() and then the om.out.vulnerability() calls... I'm going
to keep trying.

Cheers,
>
> Cheers,
> Marthe Engebretsen
>
>>>> --
>>>> Andrés Riancho
>>>> Founder, Bonsai - Information Security
>>>> http://www.bonsai-sec.com/
>>>> http://w3af.sf.net/
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
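Editor's note: the log excerpt quoted above shows the shape of the boolean-based blind check (a "true" payload and a "false" payload, each sent twice, with the pages compared by a similarity ratio rather than byte equality, hence "match rate: 0.99..."). The following is an added, self-contained example of that technique written for this page; it is not w3af's code and makes no claim about the plugin's internals. The two stand-in responders (vulnerable_app and safe_app), the MOVIES table, the request counter that makes pages differ slightly between fetches, the 0.95 equality threshold, and the extra "true page must differ from false page" check are all assumptions of the example.

```python
"""Boolean-based blind SQL injection check, modelled on the comparisons in the log
above. Added example, not w3af's own code; responders, threshold and payloads are
constructed for illustration."""
import difflib
import itertools
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Responder = Callable[[Dict[str, str]], str]

# Constructed target data (assumption, not from the thread).
MOVIES = {3: "Alien", 4: "The Matrix", 5: "Heat"}
_request_counter = itertools.count(1)


def _render(titles: List[str]) -> str:
    # A per-request footer makes two fetches of the "same" page close but not
    # identical, which is why the check uses a similarity ratio, not equality.
    body = "".join(f"<li>{t}</li>" for t in titles) or "<p>No movie found</p>"
    return (f"<html><body><h1>Movies</h1><ul>{body}</ul>"
            f"<p>request {next(_request_counter)}</p></body></html>")


def vulnerable_app(params: Dict[str, str]) -> str:
    """Mimics SELECT title FROM movies WHERE id=<raw id>, error display off.
    Only the "N OR a=b" / "N AND a=b" shapes used below are interpreted."""
    m = re.fullmatch(r"(\d+)(?:\s+(OR|AND)\s+(\d+)=(\d+))?", params.get("id", ""), re.I)
    if not m:
        return _render([])
    wanted = int(m.group(1))
    rows = []
    for mid, title in MOVIES.items():
        match = mid == wanted
        if m.group(2):
            cond = m.group(3) == m.group(4)
            match = (match or cond) if m.group(2).upper() == "OR" else (match and cond)
        if match:
            rows.append(title)
    return _render(rows)


def safe_app(params: Dict[str, str]) -> str:
    """Same page, but id is validated as an integer before it reaches the query."""
    raw = params.get("id", "")
    titles = [MOVIES[int(raw)]] if raw.isdigit() and int(raw) in MOVIES else []
    return _render(titles)


@dataclass
class BlindSqliFinding:
    url: str
    param: str
    true_payload: str
    false_payload: str

    def get_desc(self) -> str:
        return (f'Blind SQL injection was found at: "{self.url}", using HTTP method '
                f'GET. The injectable parameter is: "{self.param}".')


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical (the log's "match rate")."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def find_boolean_blind_sqli(send: Responder, url: str, params: Dict[str, str],
                            param: str, equal_threshold: float = 0.95
                            ) -> Optional[BlindSqliFinding]:
    """Two always-true payloads must yield near-identical pages, two always-false
    payloads must also agree with each other, and the true page must differ from
    the false page. Threshold and the last check are assumptions of this example."""
    orig = params[param]
    true1, false1 = f"{orig} OR 29=29", f"{orig} AND 29=30"
    true2, false2 = f"{orig} OR 31=31", f"{orig} AND 31=32"

    def fetch(value: str) -> str:
        return send({**params, param: value})

    true_resp, false_resp = fetch(true1), fetch(false1)
    second_true, second_false = fetch(true2), fetch(false2)
    if similarity(true_resp, second_true) < equal_threshold:
        return None  # the two "true" pages disagree: dynamic content, not injection
    if similarity(false_resp, second_false) < equal_threshold:
        return None
    if similarity(true_resp, false_resp) >= equal_threshold:
        return None  # true and false look alike: the parameter is not reaching the query
    return BlindSqliFinding(url, param, true1, false1)


if __name__ == "__main__":
    target = {"p": "movie", "id": "4"}
    for name, app in (("vulnerable", vulnerable_app), ("safe", safe_app)):
        finding = find_boolean_blind_sqli(app, "http://testsite/index.php", target, "id")
        print(name, "->", finding.get_desc() if finding else "no blind SQLi detected")
```

The threshold is the practical knob: set it too high and a page with a timestamp or CSRF token never "matches itself" and every check is silently dropped; set it too low and the true and false pages are judged equal and a real injection is missed.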
------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users