Is it ok, if I just do the following to get the files, which was unable tp
process by w3af..
1. wget http://192.168.92.135/dvwa/login.php
2. wget http://192.168.92.135/dvwa/security.php
do I need to set any options for wget?
Kindly guide.
On Fri, Aug 9, 2013 at 12:41 AM, Andres Riancho <andres.rian...@gmail.com>wrote:
> Shafeeque,
>
> On Thu, Aug 8, 2013 at 2:13 PM, Shafeeque O.K [gmail]
> <shafoff...@gmail.com> wrote:
> > Hi Andres,
> >
> > Thanks again for the instant reply.
> >
> >>>Item #2,3 - i will do some more investigation.
> >
> >>> Typing in the shell. The cursor moment in the shell was not smooth,
> >>> after typing a command, we need to press two enter to get a new command
> >>> prompt. Some time I was keep hitting the enter key to get the command
> prompt
> >>> after completing a command.
>
> I understand, please report a bug for this.
>
> >>>For issue #530, I will try to give the php file :)
> >
> >> 6. I am wondering why SQLi in the DVWA is not detected eventhoough I
> gave
> >> the cookie file which is set the dvwa sceurity to low. With the same
> cookie
> >> details, SQLMap is detecting the SQLi in dvwa.
> >
> >>> The following is one among the request
> >
> > GET http://192.168.92.135/dvwa/vulnerabilities/sqli/?id=%3C%21--HTTP/1.1
> > Referer: http://192.168.92.135/
> > Accept-encoding: gzip
> > User-agent: w3af.org
> > Host: 192.168.92.135
> > Cookie: security=low; PHPSESSID=ojt3mpjplist2ph5n786msebn5
> > Accept: */*
> >
> > --------------------------------------------------------------------The
> > response is below
> >
> > HTTP/1.1 200 OK
> > content-length: 1414
> > x-powered-by: PHP/5.3.10-1ubuntu3.7
> > content-encoding: gzip
> > expires: Tue, 23 Jun 2009 12:00:00 GMT
> > vary: Accept-Encoding
> > server: Apache/2.2.22 (Ubuntu)
> > pragma: no-cache
> > cache-control: no-cache, must-revalidate
> > date: Wed, 07 Aug 2013 15:46:28 GMT
> > content-type: text/html;charset=utf-8
> >
> > An error occured: Given file does not exist. Please make sure the
> logfile is
> > present in the given directory.
>
> This doesn't seem to be the right file, either w3af didn't find the
> link to the SQL injection; or you're not finding it in the logs. Take
> into account that the URL where w3af is sending a request here is
> /dvwa/vulnerabilities/sqli/?id=%3C%21-- , not that there is "no
> filename" here.
>
> > // followed by complete html fle
> >
> > I could not find anything strange, will the above details helps?
> >
> --------------------------------------------------------------------------------
> >
> >>> New issue#, after some 5-8 minutes running of scaning i get the
> following
> >>> in my console and this keeps increasing and scan never stops
> >
> > The HTTP body for "http://192.168.92.135/dvwa/login.php"; could NOT be
> parsed
> > by lxml.
> > The HTTP body for "http://192.168.92.135/dvwa/security.php"; could NOT be
> > parsed by lxml.
>
> Well, that's very interesting indeed and could explain many problems.
> If w3af can't parse those HTML files, it can't extract links from it
> and can't find the sections where the vulnerabilities are.
>
> Could you please wget those two URLs and send me the results? I would
> like to do some testing here and with the HTML files I have more than
> enough to start with.
>
> >>> please see issue in #531 in issue tracker
> >
> >
> >>> just for curiosity, why can't we rely on a vulnerable application like
> >>> DVWA for testing w3af?
>
> Because it's less detailed than the one we created. DVWA has only a
> few SQL injections, while our test suite has all I could think of:
>
> https://github.com/andresriancho/w3af-moth/tree/master/webroot/moth/w3af/audit/sql_injection/select
>
> >
> > Regards,
> > -S-
> >
> >
> > On Thu, Aug 8, 2013 at 9:31 PM, Andres Riancho <andres.rian...@gmail.com
> >
> > wrote:
> >>
> >> Shafeeque,
> >>
> >> On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail]
> >> <shafoff...@gmail.com> wrote:
> >> > Dear Andres,
> >> >
> >> > Thank you for your quick reply.
> >> >
> >> > I will check the links given for testing w3af framework.
> >> >
> >> > Some observations from my testing. They are not major, kindly note
> that
> >> > I
> >> > may be wrong, you are welcome to guide me! The points are below.
> >> >
> >> >
> >> > 1. Once a full fledged scan is started, if we are trying to stop, the
> >> > scan
> >> > never terminate, the GUI need to be forced to close. This is very
> >> > annoying
> >> > to the user.
> >>
> >> Yes, that's a known issue that we've had for a while. I'm not sure if
> >> it's in the issue tracker though. Please report it if you don't find
> >> it.
> >>
> >> > 2. The dvwa 1.0.8 is setup in another ubuntu based vm, and the
> >> > permission
> >> > set for my /var/www directory is root:root, interestingly no
> blind_sqli,
> >> > lfi
> >> > is found, I made the permission as root:www-data and then I did the
> scan
> >> > it
> >> > gave me bunch of blind_sqli vulnerabilities detected and along with
> one
> >> > lfi
> >> > vulnerabilities.
> >>
> >> I'm not a DVWA user, so I really don't know what's going on there.
> >>
> >> > 3. I tried to exploit the local_file_reader exploit detected and I got
> >> > the
> >> > following error
> >> >
> >> > Exploiting 'local_file_reader'...
> >> > 1 vulnerabilites to exploit
> >> > Checking suitability for vuln 'Local file inclusion vulnerability'...
> >> > ok
> >> > Exploiting...
> >> > Cut algorithm error: len(header+footer)>len(body).
> >>
> >> That should never happen I think :D We should check that, but it's
> >> very low priority
> >> If you can send me a way to reproduce that without depending on a DVWA
> >> setup, that would be awesome
> >>
> >> > Done
> >> >
> >> > I did : sudo chown root:www-data
> >> > /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm, able to
> >> > get
> >> > the shell.
> >>
> >> Well, then it's not a w3af issue, it's a DVWA issue where you're
> >> enabling/disabling sections and vulnerabilities of the site which
> >> don't work because of specific permissions are required.
> >>
> >> > The shell appeared and then during running the payload
> >> > apache_version an exception occurred and it is logged as issue #530 in
> >> > github.
> >>
> >> Same as above, if you give me a way to reproduce without installing
> >> DVWA (just a PHP file) I'll work on it.
> >>
> >> > Typing in the shell was bit difficult, it was not smooth at all.
> >>
> >> Could you please elaborate more on that?
> >>
> >> > 4. Please see the issues #529,
> >>
> >> This is not a w3af bug. The php script triggered a 500 exception and
> >> we're letting you know about that
> >>
> >> > #525,
> >>
> >> See comment in issue tracker
> >>
> >> > #521
> >>
> >> Fixed, thanks!
> >>
> >> > 5. what ever the exceptions has occurred I have logged this under
> >> > graytips/shafoff...@gmail.com , in github issue lists. I will recheck
> >> > the
> >> > list and inform you if missed anything.
> >> >
> >> > 6. I am wondering why SQLi in the DVWA is not detected eventhoough I
> >> > gave
> >> > the cookie file which is set the dvwa sceurity to low. With the same
> >> > cookie
> >> > details, SQLMap is detecting the SQLi in dvwa.
> >>
> >> You should read the HTTP traffic output
> >>
> >> > 7. Few Items that are related to the profile saving in to different
> >> > name,
> >> > need to recheck before i report.
> >> >
> >> > Hope my observations will help to improve w3af.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho
> >> > <andres.rian...@gmail.com>
> >> > wrote:
> >> >>
> >> >> Shafeeque,
> >> >>
> >> >> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail]
> >> >> <shafoff...@gmail.com> wrote:
> >> >> > Hi,
> >> >> >
> >> >> > I have playing around with latest w3af and testing DVWA using this
> >> >> > tools.
> >> >> >
> >> >> > Some how I am failing to get the SQLi, injection vulnerabilities of
> >> >> > DVWA
> >> >> > detected by w3af. I am able to get BlindSQLi bugs.. So I decided to
> >> >> > check
> >> >> > whether the SQLi is realling working (ofcourse it works)
> >> >> >
> >> >> > I understand that there was some unit testing scripts shipped with
> >> >> > earlier
> >> >> > w3af. I have seen this on SecurityDojo, however when I run the SQLi
> >> >> > test
> >> >> > against the w3af unit testing scripts available in SecurityDojo,
> the
> >> >> > sqli is
> >> >> > not detected.
> >> >> >
> >> >> > I understand the problem is that the script to recreate the
> required
> >> >> > tables
> >> >> > create_tables.sqli is missing, hence the required tables are not
> >> >> > created
> >> >> > properly.
> >> >> >
> >> >> > Would like to know whether the framework testing scrips are still
> >> >> > valid
> >> >> > against the latest version of 3waf, if so where can I get the
> >> >> > complete
> >> >> > working scripts.
> >> >>
> >> >> Well, if you really want to run unit-tests for w3af you'll need to
> >> >> install nosetests, more on this here [0]. The scripts you find in the
> >> >> "scripts/" directory are our OLD, really OLD, "unit-tests". Right now
> >> >> we use things like this [1] to verify that our framework works.
> >> >>
> >> >> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
> >> >> [1]
> >> >>
> >> >>
> https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
> >> >>
> >> >> > During my test I have found interesting observations on latest
> w3af.
> >> >> > I
> >> >> > will
> >> >> > compile the lists and send this after reconfirming my experiments.
> >> >> > Meanwhile I look for the support to get the unit testing scripts.
> >> >>
> >> >> Intrigued to know what you've found :)
> >> >>
> >> >> > Thanks in advance.
> >> >> >
> >> >> > --
> >> >> > Regards,
> >> >> > -S-
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> ------------------------------------------------------------------------------
> >> >> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> >> >> > It's a free troubleshooting tool designed for production.
> >> >> > Get down to code-level detail for bottlenecks, with <2% overhead.
> >> >> > Download for free and get started troubleshooting in minutes.
> >> >> >
> >> >> >
> >> >> >
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> >> >> > _______________________________________________
> >> >> > W3af-users mailing list
> >> >> > W3af-users@lists.sourceforge.net
> >> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Andrés Riancho
> >> >> Project Leader at w3af - http://w3af.org/
> >> >> Web Application Attack and Audit Framework
> >> >> Twitter: @w3af
> >> >> GPG: 0x93C344F3
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Regards,
> >> > -S-
> >>
> >>
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> >
> >
> >
> > --
> > Regards,
> > -S-
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
--
Regards,
-S-
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
