All, I am wondering if any of you have experienced this. I have been
attempting to bruteforce the admin page of DVWA 1.07.

Consider the following requests:

Request A; being regularly generated on Debian Lenny, from w3af console
and gui v1.0-rc3svn3489-1 pkgs as well as the latest version from svn
(3622):

POST /dvwa/login.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: 192.168.1.206
Cookie: security=high; PHPSESSID=2f63t6u8k9lt2csju28t2hkd74
Content-type: application/x-www-form-urlencoded
Content-Length: 32

username=admin&password=password

Request B; generated from a Win 7 box (of all things) with the latest
version from svn:

POST /dvwa/login.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: 192.168.1.206
Cookie: path=/, security=high; PHPSESSID=ktmt2qovchfa6bti9r1m238vo6;
Content-type: application/x-www-form-urlencoded
Content-Length: 44

username=admin&Login=Login&password=password

Bruteforce is of course failing from Lenny, while working flawlessly on
the Win7 box. Two differences are clear: The POST from Lenny does not
include the Login parameter. The cookie path is also not set.

The question is why. I've of course checked and double-checked
dependencies and diff'd the configs to ensure they are identical. At
this point I am out of ideas.

Hoping someone out there can/will help.

Thanks,
Dennis
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
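
Added example, not part of the original post and not w3af code: a small Python script that parses the two requests quoted above and lists every header, cookie and form field that differs, which is a quick way to confirm which parts of a generated request changed between two hosts. The function names `parse_request` and `diff_requests` are hypothetical; the request text is copied from the post with the blank line between headers and body restored.

```python
from urllib.parse import parse_qsl

# The two requests from the post, header/body blank line restored.
REQUEST_A = """POST /dvwa/login.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: 192.168.1.206
Cookie: security=high; PHPSESSID=2f63t6u8k9lt2csju28t2hkd74
Content-type: application/x-www-form-urlencoded
Content-Length: 32

username=admin&password=password"""
REQUEST_B = """POST /dvwa/login.php HTTP/1.1
Accept-encoding: identity
Accept: */*
User-agent: w3af.sourceforge.net
Host: 192.168.1.206
Cookie: path=/, security=high; PHPSESSID=ktmt2qovchfa6bti9r1m238vo6;
Content-type: application/x-www-form-urlencoded
Content-Length: 44

username=admin&Login=Login&password=password"""


def parse_request(raw):
    """Split a raw request into header, cookie and form-field dicts."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Request B mixes "," and ";" as cookie separators, so accept both.
    parts = headers.pop("cookie", "").replace(",", ";").split(";")
    cookies = dict(p.strip().split("=", 1) for p in parts if "=" in p)
    return {"header": headers, "cookie": cookies,
            "form": dict(parse_qsl(body, keep_blank_values=True))}


def diff_requests(raw_a, raw_b):
    """Return sorted (kind, name, value_in_a, value_in_b) for each difference."""
    a, b = parse_request(raw_a), parse_request(raw_b)
    return sorted((kind, name, a[kind].get(name), b[kind].get(name))
                  for kind in a for name in a[kind].keys() | b[kind].keys()
                  if a[kind].get(name) != b[kind].get(name))


if __name__ == "__main__":
    print(*diff_requests(REQUEST_A, REQUEST_B), sep="\n")
```

A value of `None` in a row means the field is absent from that request; the session id and Content-Length rows are expected to differ between any two runs.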