Shafeeque,

On Thu, Aug 8, 2013 at 2:13 PM, Shafeeque O.K [gmail]
<[email protected]> wrote:
> Hi Andres,
>
> Thanks again for the instant reply.
>
>>>Item #2,3 - i will do some more investigation.
>
>>>  Typing in the shell. The cursor movement in the shell was not smooth;
>>> after typing a command, we need to press Enter twice to get a new command
>>> prompt. Sometimes I kept hitting the Enter key to get the command prompt
>>> after completing a command.

I understand, please report a bug for this.

>>>For issue #530, I will try to give the php file :)
>
>> 6. I am wondering why SQLi in the DVWA is not detected even though I gave
>> the cookie file which sets the dvwa security to low. With the same cookie
>> details, SQLMap is detecting the SQLi in dvwa.
>
>>> The following is one among the request
>
> GET http://192.168.92.135/dvwa/vulnerabilities/sqli/?id=%3C%21-- HTTP/1.1
> Referer: http://192.168.92.135/
> Accept-encoding: gzip
> User-agent: w3af.org
> Host: 192.168.92.135
> Cookie: security=low; PHPSESSID=ojt3mpjplist2ph5n786msebn5
> Accept: */*
>
> --------------------------------------------------------------------
> The response is below
>
> HTTP/1.1 200 OK
> content-length: 1414
> x-powered-by: PHP/5.3.10-1ubuntu3.7
> content-encoding: gzip
> expires: Tue, 23 Jun 2009 12:00:00 GMT
> vary: Accept-Encoding
> server: Apache/2.2.22 (Ubuntu)
> pragma: no-cache
> cache-control: no-cache, must-revalidate
> date: Wed, 07 Aug 2013 15:46:28 GMT
> content-type: text/html;charset=utf-8
>
> An error occured: Given file does not exist. Please make sure the logfile is
> present in the given directory.

This doesn't seem to be the right file: either w3af didn't find the
link to the SQL injection, or you're not finding it in the logs. Take
into account that the URL where w3af is sending a request here is
/dvwa/vulnerabilities/sqli/?id=%3C%21-- ; note that there is "no
filename" here.

> // followed by complete html file
>
> I could not find anything strange, will the above details help?
> --------------------------------------------------------------------------------
>
>>> New issue#, after some 5-8 minutes of scanning I get the following
>>> in my console and this keeps increasing and the scan never stops
>
> The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be parsed
> by lxml.
> The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT be
> parsed by lxml.

Well, that's very interesting indeed and could explain many problems.
If w3af can't parse those HTML files, it can't extract links from them
and can't find the sections where the vulnerabilities are.

Could you please wget those two URLs and send me the results? I would
like to do some testing here and with the HTML files I have more than
enough to start with.

>>> please see issue in #531 in issue tracker
>
>
>>> just for curiosity, why can't we rely on a vulnerable application like
>>> DVWA for testing w3af?

Because it's less detailed than the one we created. DVWA has only a
few SQL injections, while our test suite has all I could think of:
https://github.com/andresriancho/w3af-moth/tree/master/webroot/moth/w3af/audit/sql_injection/select

>
> Regards,
> -S-
>
>
> On Thu, Aug 8, 2013 at 9:31 PM, Andres Riancho <[email protected]>
> wrote:
>>
>> Shafeeque,
>>
>> On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail]
>> <[email protected]> wrote:
>> > Dear Andres,
>> >
>> > Thank you for your quick reply.
>> >
>> > I will check the links given for testing w3af framework.
>> >
>> > Some observations from my testing. They are not major; kindly note that I
>> > may be wrong, you are welcome to guide me! The points are below.
>> >
>> >
>> > 1. Once a full fledged scan is started, if we try to stop it, the scan
>> > never terminates; the GUI needs to be forced to close. This is very
>> > annoying to the user.
>>
>> Yes, that's a known issue that we've had for a while. I'm not sure if
>> it's in the issue tracker though. Please report it if you don't find
>> it.
>>
>> > 2. The dvwa 1.0.8 is set up in another ubuntu based vm, and the permission
>> > set for my /var/www directory is root:root; interestingly no blind_sqli or
>> > lfi is found. I changed the permission to root:www-data and then did the
>> > scan; it gave me a bunch of blind_sqli vulnerabilities detected, along with
>> > one lfi vulnerability.
>>
>> I'm not a DVWA user, so I really don't know what's going on there.
>>
>> > 3. I tried to exploit the local_file_reader exploit detected and I got the
>> > following error
>> >
>> > Exploiting 'local_file_reader'...
>> >   1 vulnerabilites to exploit
>> > Checking suitability for vuln 'Local file inclusion vulnerability'...
>> >   ok
>> > Exploiting...
>> > Cut algorithm error: len(header+footer)>len(body).
>>
>> That should never happen I think :D We should check that, but it's
>> very low priority.
>> If you can send me a way to reproduce that without depending on a DVWA
>> setup, that would be awesome.
>>
>> > Done
>> >
>> > I did: sudo chown root:www-data
>> > /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm, and was able
>> > to get the shell.
>>
>> Well, then it's not a w3af issue, it's a DVWA issue where you're
>> enabling/disabling sections and vulnerabilities of the site which
>> don't work because specific permissions are required.
>>
>> > The shell appeared and then, while running the payload apache_version,
>> > an exception occurred; it is logged as issue #530 in github.
>>
>> Same as above, if you give me a way to reproduce without installing
>> DVWA (just a PHP file) I'll work on it.
>>
>> > Typing in the shell was a bit difficult, it was not smooth at all.
>>
>> Could you please elaborate more on that?
>>
>> > 4. Please see the issues #529,
>>
>> This is not a w3af bug. The php script triggered a 500 exception and
>> we're letting you know about that
>>
>> > #525,
>>
>> See comment in issue tracker
>>
>> > #521
>>
>> Fixed, thanks!
>>
>> > 5. Whatever exceptions have occurred, I have logged under
>> > graytips/[email protected] in the github issue list. I will recheck the
>> > list and inform you if I missed anything.
>> >
>> > 6. I am wondering why SQLi in the DVWA is not detected even though I gave
>> > the cookie file which sets the dvwa security to low. With the same cookie
>> > details, SQLMap is detecting the SQLi in dvwa.
>>
>> You should read the HTTP traffic output
>>
>> > 7. A few items related to saving the profile under a different name; I
>> > need to recheck before I report.
>> >
>> > Hope my observations will help to improve w3af.
>> >
>> >
>> >
>> >
>> >
>> > On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho
>> > <[email protected]>
>> > wrote:
>> >>
>> >> Shafeeque,
>> >>
>> >> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail]
>> >> <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > I have been playing around with the latest w3af and testing DVWA using
>> >> > this tool.
>> >> >
>> >> > Somehow I am failing to get the SQLi injection vulnerabilities of DVWA
>> >> > detected by w3af. I am able to get BlindSQLi bugs, so I decided to check
>> >> > whether the SQLi is really working (of course it works).
>> >> >
>> >> > I understand that there were some unit testing scripts shipped with
>> >> > earlier w3af. I have seen this on SecurityDojo; however, when I run the
>> >> > SQLi test against the w3af unit testing scripts available in SecurityDojo,
>> >> > the sqli is not detected.
>> >> >
>> >> > I understand the problem is that the script to recreate the required
>> >> > tables, create_tables.sqli, is missing, hence the required tables are not
>> >> > created properly.
>> >> >
>> >> > I would like to know whether the framework testing scripts are still
>> >> > valid against the latest version of w3af, and if so where I can get the
>> >> > complete working scripts.
>> >>
>> >> Well, if you really want to run unit-tests for w3af you'll need to
>> >> install nosetests, more on this here [0]. The scripts you find in the
>> >> "scripts/" directory are our OLD, really OLD, "unit-tests". Right now
>> >> we use things like this [1] to verify that our framework works.
>> >>
>> >> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
>> >> [1]
>> >>
>> >> https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
>> >>
>> >> > During my test I have found interesting observations on the latest w3af.
>> >> > I will compile the list and send it after reconfirming my experiments.
>> >> > Meanwhile I look for support to get the unit testing scripts.
>> >>
>> >> Intrigued to know what you've found :)
>> >>
>> >> > Thanks in advance.
>> >> >
>> >> > --
>> >> > Regards,
>> >> > -S-
>> >> >
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
>> >> > It's a free troubleshooting tool designed for production.
>> >> > Get down to code-level detail for bottlenecks, with <2% overhead.
>> >> > Download for free and get started troubleshooting in minutes.
>> >> >
>> >> >
>> >> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
>> >> > _______________________________________________
>> >> > W3af-users mailing list
>> >> > [email protected]
>> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> >
>> >
>> >
>> > --
>> > Regards,
>> > -S-
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
>
>
> --
> Regards,
> -S-



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
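The "Cut algorithm error: len(header+footer)>len(body)" message quoted in the thread comes from the step where a local-file-read exploit strips the static page wrapper from a response to recover the included file. The following is an added illustration of that technique and of the guard behind that message; it is not w3af's code and does not reproduce its exact algorithm. The page template, file contents and error page are constructed sample data, and the function names (learn_cut, cut, try_cut) are this example's own.

```python
"""Header/footer "cut" extraction for local-file-read responses.

Added example, not w3af's own code. A file-read exploit learns which part
of the page precedes the included file (header) and which part follows it
(footer) by comparing two responses that include different files, then
cuts later responses with that wrapper. A body shorter than the wrapper
(for instance a short error page) cannot be cut, and must be rejected
instead of sliced blindly. All page bodies below are constructed.
"""


class CutError(ValueError):
    """The learned header/footer cannot be removed from this body."""


def common_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def common_suffix(a, b):
    n = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        n += 1
    return a[len(a) - n:] if n else ""


def learn_cut(body_a, body_b):
    """Learn the page wrapper from two responses that include different files.

    Header = longest common prefix, footer = longest common suffix. The
    footer is trimmed so that header and footer never overlap, which can
    otherwise happen when one of the learning responses is very short.
    """
    header = common_prefix(body_a, body_b)
    footer = common_suffix(body_a, body_b)
    room = max(0, min(len(body_a), len(body_b)) - len(header))
    if len(footer) > room:
        footer = footer[len(footer) - room:]
    return header, footer


def cut(body, header, footer):
    """Return the text between header and footer, or raise CutError."""
    if len(header) + len(footer) > len(body):
        # The condition behind the quoted error: this response is too short
        # to even contain the wrapper, so there is nothing to extract.
        raise CutError("len(header+footer)>len(body)")
    if not body.startswith(header) or not body.endswith(footer):
        raise CutError("body does not carry the learned header/footer")
    return body[len(header):len(body) - len(footer)]


def try_cut(body, header, footer):
    """cut() that reports failure instead of raising, for use in a scan loop."""
    try:
        return True, cut(body, header, footer)
    except CutError as e:
        return False, str(e)


# Constructed vulnerable page used for the demonstration (not DVWA's markup).
TEMPLATE = ("<html><body><h1>File viewer</h1><pre>{}</pre>"
            "<p>Served by the constructed file viewer</p></body></html>")
ERROR_BODY = ("<html><body>An error occured: Given file does not exist."
              "</body></html>")
PASSWD = "root:x:0:0:root:/root:/bin/bash"     # constructed sample content
HOSTS = "127.0.0.1 localhost"                   # constructed sample content
SECRET = "DB_PASSWORD=example-only"             # constructed sample content


def render(file_contents):
    """Simulate the vulnerable app including a file into its page."""
    return TEMPLATE.format(file_contents)


def extract(body_a, body_b, target_body):
    """Learn the wrapper from two known files, then cut a third response."""
    header, footer = learn_cut(body_a, body_b)
    return cut(target_body, header, footer)


if __name__ == "__main__":
    hdr, ftr = learn_cut(render(PASSWD), render(HOSTS))
    print("recovered:", cut(render(SECRET), hdr, ftr))
    print("error page:", try_cut(ERROR_BODY, hdr, ftr))
```

The two learning responses are chosen so their file contents differ in both the first and the last character; if they share leading or trailing bytes, those bytes are absorbed into the header or footer and later cuts will fail the startswith/endswith check rather than return truncated data.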
