On Fri, Feb 12, 2010 at 2:00 PM,  <[email protected]> wrote:
> I did svn up. The new code works fine with a form and a POST var (I tested
> it) but has false positives, for example:
>
> Found authentication credentials to: "http://127.0.0.1/chek/index.php". The
> correct password is: "vetal". This vulnerability was found in the request
> with id 100.
> POST http://127.0.0.1/chek/index.php with data: "passwd=123p4ss" returned
> HTTP code "200" - id: 101
> No grep for : http://127.0.0.1/chek/index.php , the plugin sent
> grepResult=False.
> POST http://127.0.0.1/chek/index.php with data: "passwd=1q2w3e" returned
> HTTP code "200" - id: 102
> No grep for : http://127.0.0.1/chek/index.php , the plugin sent
> grepResult=False.
> Found authentication credentials to: "http://127.0.0.1/chek/index.php". The
> correct password is: "1q2w3e". This vulnerability was found in the request
> with id 102.
> POST http://127.0.0.1/chek/index.php with data: "passwd=passwd" returned
> HTTP code "200" - id: 103
> No grep for : http://127.0.0.1/chek/index.php , the plugin sent
> grepResult=False.
> Found authentication credentials to: "http://127.0.0.1/chek/index.php". The
> correct password is: "passwd". This vulnerability was found in the request
> with id 103.
> POST http://127.0.0.1/chek/index.php with data: "passwd=a5dd5a" returned
> HTTP code "200" - id: 104
> No grep for : http://127.0.0.1/chek/index.php , the plugin sent
> grepResult=False.
> Found authentication credentials to: "http://127.0.0.1chek/index.php". The
> correct password is: "a5dd5a". This vulnerability was found in the request
> with id 104.
>
> The real password is:  vetal

Kind of late, but I created a Trac ticket for this bug :)
https://sourceforge.net/apps/trac/w3af/ticket/160065

> And it does not work if the form uses GET and:
>
> index.php has a password field and, when this is submitted, it redirects to
> check_password.php?password=
>
> In this case, w3af tries index.php?password= and not
> check_password.php?password=
>
> I don't know if I explained well ... my English is bad. Sorry.
>
> Thanks!
>
> 2010/2/12 Andres Riancho <[email protected]>
>>
>> On Fri, Feb 12, 2010 at 12:16 PM,  <[email protected]> wrote:
>> > wow!
>> >
>> > Thanks Andres!! I'll wait!
>>
>> Ok, it took me more than expected, but I was able to do it. Please
>> perform a "svn up" in order to get the new code that supports password
>> only form bruteforcing. If you find any bugs, please let me know.
>>
>> Thanks,
>>
>> >
>> > 2010/2/12 Andres Riancho <[email protected]>
>> >>
>> >> null0xff0x00,
>> >>
>> >> I'm working on a login bruteforcer that supports password only forms
>> >> right now. If you wait 10 more mins you'll be able to perform a "svn
>> >> up" and get the new feature.
>> >>
>> >> Thanks,
>> >>
>> >> On Fri, Feb 12, 2010 at 11:53 AM,  <[email protected]> wrote:
>> >> > Solved!
>> >> >
>> >> > I use the http fuzzer and it works... Thanks.
>> >> >
>> >> > 2010/2/12 <[email protected]>
>> >> >>
>> >> >> Hello!!
>> >> >>
>> >> >> I am setting up w3af for formAuthBrute but it is not working. The
>> >> >> form only has a password box and w3af detects it... but doesn't do
>> >> >> the brute force attack. The configuration of formAuthBrute is
>> >> >> default and the output is this:
>> >> >>
>> >> >> The page language is: en
>> >> >> Starting formAuthBrute plugin execution.
>> >> >> http://192.168.100.10/index.php detected a form with a password field
>> >> >> and no username field.
>> >> >> http://192.168.100.10/index.php detected a form with a password field
>> >> >> and no username field.
>> >> >> Found 1 URLs and 2 different points of injection.
>> >> >> The list of URLs is:
>> >> >> - http://192.168.100.10/index.php
>> >> >> The list of fuzzable requests is:
>> >> >> - http://192.168.100.10/index.php | Method: GET
>> >> >> - http://192.168.100.10/index.php | Method: GET | Parameters: (password="")
>> >> >> Password profiling TOP 100:
>> >> >> - [1] enable with 1 repetitions.
>> >> >> - [2] JavaScript with 1 repetitions.
>> >> >> - [3] turned with 1 repetitions.
>> >> >> - [4] auth with 1 repetitions.
>> >> >> - [5] Your with 1 repetitions.
>> >> >> - [6] enter with 1 repetitions.
>> >> >> - [7] your with 1 repetitions.
>> >> >> Finished scanning process.
>> >> >>
>> >> >> Thanks for help!
>> >> >> --
>> >> >> - Null
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > - Null
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > W3af-users mailing list
>> >> > [email protected]
>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Founder, Bonsai - Information Security
>> >> http://www.bonsai-sec.com/
>> >> http://w3af.sf.net/
>> >
>> >
>> >
>> > --
>> > - Null
>> > Sent from Barcelona, Spain
>>
>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>
>
>
> --
> - Null
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
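
Added example (not part of the original message and not w3af code): a triage helper for the output quoted above that flags any URL for which the scanner reported more than one "correct" password, so those findings are re-checked by hand. It assumes a password-only form accepts a single password; the function name and the sample report are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the formAuthBrute output quoted in the thread
# (line wrapping included, plus one unrelated, made-up finding for contrast).
SAMPLE = '''\
Found authentication credentials to: "http://127.0.0.1/chek/index.php". The
correct password is: "vetal". This vulnerability was found in the request
with id 100.
POST http://127.0.0.1/chek/index.php with data: "passwd=1q2w3e" returned
HTTP code "200" - id: 102
Found authentication credentials to: "http://127.0.0.1/chek/index.php". The
correct password is: "1q2w3e". This vulnerability was found in the request
with id 102.
Found authentication credentials to: "http://127.0.0.1/other/login.php". The
correct password is: "letmein". This vulnerability was found in the request
with id 210.
'''

# \S* after the URL tolerates stray punctuation left by mail archives.
FINDING = re.compile(
    r'Found authentication credentials to:\s*"(?P<url>[^"]+)"\S*\s+The\s+'
    r'correct\s+password\s+is:\s*"(?P<password>[^"]*)"\.\s+This\s+'
    r'vulnerability\s+was\s+found\s+in\s+the\s+request\s+with\s+id\s+'
    r'(?P<id>\d+)')


def triage_findings(report):
    """Group credential findings by URL and mark contradictory ones."""
    # Collapse whitespace so findings wrapped across lines still match.
    flat = " ".join(report.split())
    by_url = defaultdict(list)
    for m in FINDING.finditer(flat):
        by_url[m["url"]].append((m["password"], int(m["id"])))
    result = {}
    for url, hits in by_url.items():
        distinct = {password for password, _ in hits}
        # Assumption: one valid password per form. Several "correct" ones
        # mean the success check is unreliable for this URL.
        result[url] = {"suspect": len(distinct) > 1, "findings": hits}
    return result


if __name__ == "__main__":
    for url, info in triage_findings(SAMPLE).items():
        label = "VERIFY MANUALLY" if info["suspect"] else "consistent"
        print(f"{url}: {label} {info['findings']}")
```
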
