Sorry! I see what it's doing now.
# First, generate the php file to be included.
rand1 = createRandAlNum( 9 )
rand2 = createRandAlNum( 9 )
filename = createRandAlNum()
php_code = '<? \n echo "'
php_code += rand1 + '";\n'
php_code += ' echo "'
php_code += rand2 + '";\n'
php_code += ' ?>'
Ryan Dewhurst
My blog: http://www.ethicalhack3r.co.uk
My project: http://www.dvwa.co.uk
My Twitter: http://www.twitter.com/ethicalhack3r
On 7 June 2010 22:00, Ryan Dewhurst <[email protected]> wrote:
> Hello,
> I think that there may be a bug in the Remote File Inclusion checking of w3af.
>
> It checks for a string that is in a file on the sourceforge website.
>
> The string doesn't seem to be displaying the way w3af tries to match it.
>
> In - /w3af/plugins/audit/remoteFileInclude.py
>
> 143 - self._rfi_url = 'http://w3af.sourceforge.net/w3af/remoteFileInclude.html'
> 144 - self._rfi_result = 'w3af is goood!'
>
>
> The 'http://w3af.sourceforge.net/w3af/remoteFileInclude.html' file displays;
>
> <?
> echo "w3af ";
> echo "is goood!";
> ?>
>
> Unless w3af is running the PHP first before matching then I don't
> think it is going to work.
>
> I haven't tested.
>
> Ryan Dewhurst
>
> My blog: http://www.ethicalhack3r.co.uk
> My project: http://www.dvwa.co.uk
> My Twitter: http://www.twitter.com/ethicalhack3r
>
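The mechanism the quoted code relies on, as an added example that is not w3af's own code: the hosted file echoes two markers from separate PHP statements, so the joined marker only appears in a response when the target actually executed the included file; a target that merely fetched and reflected the file shows the echo statements instead. `create_rand_alnum` is an assumed stand-in for w3af's `createRandAlNum`, and the sample responses are constructed.

```python
import random
import string


def create_rand_alnum(length=9):
    """Stand-in (assumed) for w3af's createRandAlNum: random alphanumeric string."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(random.choice(alphabet) for _ in range(length))


def build_probe(rand1, rand2):
    """Build the PHP probe exactly as the quoted w3af snippet concatenates it.

    The two markers are printed by separate echo statements, so the string
    rand1 + rand2 is only ever contiguous in the *output* of the PHP,
    never in its source.
    """
    php_code = '<? \n echo "'
    php_code += rand1 + '";\n'
    php_code += ' echo "'
    php_code += rand2 + '";\n'
    php_code += ' ?>'
    return php_code


def classify_response(body, rand1, rand2):
    """Interpret a target's response to the probe.

    'executed'  : joined marker present, the remote file was included and run
    'reflected' : the PHP source itself came back, fetched but not executed
    None        : no trace of the probe at all
    """
    if rand1 + rand2 in body:
        return 'executed'
    if 'echo "%s"' % rand1 in body or 'echo "%s"' % rand2 in body:
        return 'reflected'
    return None


def demo():
    """Run the check over constructed responses; returns the three verdicts."""
    r1, r2 = create_rand_alnum(), create_rand_alnum()
    executed = '<html><body>%s%s</body></html>' % (r1, r2)   # constructed
    reflected = '<html><body>%s</body></html>' % build_probe(r1, r2)  # constructed
    clean = '<html><body>page not found</body></html>'      # constructed
    return (classify_response(executed, r1, r2),
            classify_response(reflected, r1, r2),
            classify_response(clean, r1, r2))
```

The 'reflected' case is exactly what the earlier message saw when opening the hosted file in a browser: the source is visible, but the joined marker w3af matches on is not.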
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users