Sergey,
Sorry for the late response, please read inline,
On Thu, Dec 2, 2010 at 7:45 AM, Sergey Stepanov
<[email protected]> wrote:
> Hi All,
>
> Could anybody help me with the following trouble? I installed w3af 1.0-rc4
> on a fresh Debian 5 installation with Python 2.5.2 and all
> required dependencies. For the test I wrote a simple PHP page with a SQL
> injection vulnerability.
>>
>> <html>
>> <body>
>> <?php
>> mysql_connect('localhost', 'root', 'xxx');
>> mysql_select_db('test');
>> $id = $_GET['id'];
>> if ($id) {
>> $result = mysql_query("select * from name where id = '$id'");
>> echo mysql_result($result, 0, 'name');
>> } else {
>> echo 'no id specified';
>> }
>> mysql_close();
>> ?>
>> </body>
>> </html>
>
> Then I ran w3af and configured it:
>>
>> snowball:~/w3af# ./w3af_console
>>
>> w3af>>> target set target http://calcifer/test/testdb.php?id=1
>>
>> w3af>>> plugins audit sqli blindSqli
>>
>> w3af>>> start
>>
>> Auto-enabling plugin: grep.error500
>>
>> Found 1 URLs and 1 different points of injection.
>>
>> The list of URLs is:
>>
>> - http://calcifer/test/testdb.php
>>
>> The list of fuzzable requests is:
>>
>> - http://calcifer/test/testdb.php | Method: GET | Parameters: (id="1")
>>
>> A SQL error was found in the response supplied by the web application, the
>> error is (only a fragment is shown): "supplied argument is not a valid
>> MySQL". The error was found on response with id 16.
>>
>> A SQL error was found in the response supplied by the web application, the
>> error is (only a fragment is shown): "mysql_". The error was found on
>> response with id 16.
>>
>> SQL injection in a MySQL database was found at:
>> "http://calcifer/test/testdb.php", using HTTP method GET. The sent data was:
>> "id=d'z"0". This vulnerability was found in the request with id 16.
>>
>> Blind SQL injection was found at: "http://calcifer/test/testdb.php", using
>> HTTP method GET. The injectable parameter is: "id". This vulnerability was
>> found in the requests with ids 22 and 23.
>>
>> Finished scanning process.
>>
>> w3af>>> exploit exploit * stopOnFirst
>>
>> Executing sql_webshell.attack plugin to all vulnerabilities:
>>
>> - Exploiting vulnerability with id:[22, 23]
>>
>> Trying to exploit using vulnerability with id: [44, 45]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [51, 52]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [58, 59]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [65, 66]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [72, 73]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Failed to exploit vulnerability.
>>
>> - Exploiting vulnerability with id:[16]
>>
>> No [blind] SQL injection vulnerabilities have been found.
>>
>> Hint #1: Try to find vulnerabilities using the audit plugins.
>>
>> Hint #2: Use the set command to enter the values yourself, and then
>> exploit it using fastExploit.
>>
>> No exploitable vulnerabilities found.
>>
>> Executing sqlmap.attack plugin to all vulnerabilities:
>>
>> - Exploiting vulnerability with id:[22, 23]
>>
>> Trying to exploit using vulnerability with id: [184, 185]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [191, 192]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [198, 199]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [205, 206]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [212, 213]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [219, 220]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [226, 227]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [233, 234]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [240, 241]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Trying to exploit using vulnerability with id: [247, 248]. Please wait...
>>
>> [WARN] remote database is not MySQL
>>
>> [WARN] remote database is not PostgreSQL
>>
>> [WARN] remote database is not Microsoft SQL Server
>>
>> Failed to exploit vulnerability.
>>
>> - Exploiting vulnerability with id:[16]
>>
>> No [blind] SQL injection vulnerabilities have been found.
>>
>> Hint #1: Try to find vulnerabilities using the audit plugins.
>>
>> Hint #2: Use the set command to enter the values yourself, and then
>> exploit it using fastExploit.
>>
>> No exploitable vulnerabilities found.
>>
>> The following plugins weren't run because they can't exploit any of the
>> previously discovered vulnerabilities: davShell, eval, fileUploadShell,
>> osCommandingShell, remoteFileIncludeShell, localFileReader, rfiProxy,
>> xssBeef
>
> The script connected to MySQL server 5.1.32, so "[WARN] remote database is
> not MySQL" is false. I did the tests from Debian 5, SUSE 11.3 and Win 7 with
> the same result. Could anybody please help me to understand what I'm doing
> wrong? Many thx in advance.
To be 100% sincere, I'm not sure what could be wrong. What seems
to be failing here is the sqlmap plugin, which is a wrapper around an
old version of the sqlmap tool with some minor modifications. For some
blind SQL injection tools, the "true response" (or 1=1) and the
"false response" (and 1=2) need to be very different.
It might be the case with your PHP script + data loaded in the DB that
the two responses look very similar to sqlmap, thus it fails to
exploit the vulnerability.
Regards,
> --
> Rgds.
> Sergey.
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
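
The reply's point that the "true" and "false" responses must differ enough to be told apart can be checked offline with a plain similarity score. This is an added example, not code from w3af, sqlmap or either poster; the response bodies are constructed (the thread does not show the real ones) and the 0.9 cut-off is an assumed value.

```python
from difflib import SequenceMatcher

# Assumed cut-off for "same page"; illustrative, not w3af's or sqlmap's value.
SAME_PAGE_RATIO = 0.9


def similarity(a, b):
    """Return a 0..1 similarity score for two response bodies."""
    return SequenceMatcher(None, a, b).ratio()


def oracle_usable(baseline, true_body, false_body, cutoff=SAME_PAGE_RATIO):
    """Decide whether a true/false comparison can tell the two bodies apart.

    The "1=1" body must look like the unmodified baseline, and the "1=2"
    body must fall below the cut-off. Returns (usable, true_vs_false_ratio).
    """
    stable = similarity(baseline, true_body) >= cutoff
    ratio = similarity(true_body, false_body)
    return stable and ratio < cutoff, ratio


# Constructed bodies: a minimal page that echoes one short field, or nothing.
TINY_TRUE = "<html>\n<body>\nBob</body>\n</html>\n"
TINY_FALSE = "<html>\n<body>\n</body>\n</html>\n"

# Constructed bodies: a page whose two outcomes render different content.
RICH_TRUE = ("<html><body><h1>Customer</h1>"
             "<p>Bob Example, account 1042, balance 17.50</p></body></html>")
RICH_FALSE = ("<html><body><h1>Error</h1>"
              "<p>No record matches that id.</p></body></html>")

if __name__ == "__main__":
    for label, t, f in (("tiny", TINY_TRUE, TINY_FALSE),
                        ("rich", RICH_TRUE, RICH_FALSE)):
        usable, ratio = oracle_usable(t, t, f)
        print("%-4s ratio=%.3f usable=%s" % (label, ratio, usable))
```

On the tiny page the only difference is the three characters of output, so the score stays above the cut-off and the two responses count as the same page.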