Hi Andres,

Kindly find attached the files.

On Mon, Aug 12, 2013 at 7:00 PM, Andres Riancho <[email protected]> wrote:
> It should be enough to wget them, yes.
>
> On Fri, Aug 9, 2013 at 9:45 AM, Shafeeque O.K [gmail]
> <[email protected]> wrote:
> > Is it ok, if I just do the following to get the files, which was unable to
> > process by w3af..
> >
> > 1. wget http://192.168.92.135/dvwa/login.php
> > 2. wget http://192.168.92.135/dvwa/security.php
> >
> > do I need to set any options for wget?
> >
> > Kindly guide.
> >
> > On Fri, Aug 9, 2013 at 12:41 AM, Andres Riancho <[email protected]>
> > wrote:
> >>
> >> Shafeeque,
> >>
> >> On Thu, Aug 8, 2013 at 2:13 PM, Shafeeque O.K [gmail]
> >> <[email protected]> wrote:
> >> > Hi Andres,
> >> >
> >> > Thanks again for the instant reply.
> >> >
> >> >>>Item #2,3 - i will do some more investigation.
> >> >
> >> >>> Typing in the shell. The cursor movement in the shell was not smooth,
> >> >>> after typing a command, we need to press two enter to get a new
> >> >>> command prompt. Some time I was keep hitting the enter key to get the
> >> >>> command prompt after completing a command.
> >>
> >> I understand, please report a bug for this.
> >>
> >> >>>For issue #530, I will try to give the php file :)
> >> >
> >> >> 6. I am wondering why SQLi in the DVWA is not detected even though I
> >> >> gave the cookie file which is set the dvwa security to low. With the
> >> >> same cookie details, SQLMap is detecting the SQLi in dvwa.
> >> >
> >> >>> The following is one among the request
> >> >
> >> > GET http://192.168.92.135/dvwa/vulnerabilities/sqli/?id=%3C%21-- HTTP/1.1
> >> > Referer: http://192.168.92.135/
> >> > Accept-encoding: gzip
> >> > User-agent: w3af.org
> >> > Host: 192.168.92.135
> >> > Cookie: security=low; PHPSESSID=ojt3mpjplist2ph5n786msebn5
> >> > Accept: */*
> >> >
> >> > --------------------------------------------------------------------
> >> > The response is below
> >> >
> >> > HTTP/1.1 200 OK
> >> > content-length: 1414
> >> > x-powered-by: PHP/5.3.10-1ubuntu3.7
> >> > content-encoding: gzip
> >> > expires: Tue, 23 Jun 2009 12:00:00 GMT
> >> > vary: Accept-Encoding
> >> > server: Apache/2.2.22 (Ubuntu)
> >> > pragma: no-cache
> >> > cache-control: no-cache, must-revalidate
> >> > date: Wed, 07 Aug 2013 15:46:28 GMT
> >> > content-type: text/html;charset=utf-8
> >> >
> >> > An error occured: Given file does not exist. Please make sure the logfile is present in the given directory.
> >>
> >> This doesn't seem to be the right file, either w3af didn't find the
> >> link to the SQL injection; or you're not finding it in the logs. Take
> >> into account that the URL where w3af is sending a request here is
> >> /dvwa/vulnerabilities/sqli/?id=%3C%21-- , not that there is "no
> >> filename" here.
> >>
> >> > // followed by complete html file
> >> >
> >> > I could not find anything strange, will the above details helps?
> >> >
> >> > --------------------------------------------------------------------------------
> >> >
> >> >>> New issue#, after some 5-8 minutes running of scanning i get the
> >> >>> following in my console and this keeps increasing and scan never stops
> >> >
> >> > The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be parsed by lxml.
> >> > The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT be parsed by lxml.
> >>
> >> Well, that's very interesting indeed and could explain many problems.
> >> If w3af can't parse those HTML files, it can't extract links from it
> >> and can't find the sections where the vulnerabilities are.
> >>
> >> Could you please wget those two URLs and send me the results? I would
> >> like to do some testing here and with the HTML files I have more than
> >> enough to start with.
> >>
> >> >>> please see issue in #531 in issue tracker
> >> >
> >> >>> just for curiosity, why can't we rely on a vulnerable application like
> >> >>> DVWA for testing w3af?
> >>
> >> Because it's less detailed than the one we created. DVWA has only a
> >> few SQL injections, while our test suite has all I could think of:
> >>
> >> https://github.com/andresriancho/w3af-moth/tree/master/webroot/moth/w3af/audit/sql_injection/select
> >>
> >> >
> >> > Regards,
> >> > -S-
> >> >
> >> > On Thu, Aug 8, 2013 at 9:31 PM, Andres Riancho
> >> > <[email protected]>
> >> > wrote:
> >> >>
> >> >> Shafeeque,
> >> >>
> >> >> On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail]
> >> >> <[email protected]> wrote:
> >> >> > Dear Andres,
> >> >> >
> >> >> > Thank you for your quick reply.
> >> >> >
> >> >> > I will check the links given for testing w3af framework.
> >> >> >
> >> >> > Some observations from my testing. They are not major, kindly note
> >> >> > that I may be wrong, you are welcome to guide me! The points are
> >> >> > below.
> >> >> >
> >> >> > 1. Once a full fledged scan is started, if we are trying to stop, the
> >> >> > scan never terminate, the GUI need to be forced to close. This is very
> >> >> > annoying to the user.
> >> >>
> >> >> Yes, that's a known issue that we've had for a while. I'm not sure if
> >> >> it's in the issue tracker though. Please report it if you don't find
> >> >> it.
> >> >>
> >> >> > 2. The dvwa 1.0.8 is setup in another ubuntu based vm, and the
> >> >> > permission set for my /var/www directory is root:root, interestingly
> >> >> > no blind_sqli, lfi is found, I made the permission as root:www-data
> >> >> > and then I did the scan it gave me bunch of blind_sqli vulnerabilities
> >> >> > detected and along with one lfi vulnerabilities.
> >> >>
> >> >> I'm not a DVWA user, so I really don't know what's going on there.
> >> >>
> >> >> > 3. I tried to exploit the local_file_reader exploit detected and I
> >> >> > got the following error
> >> >> >
> >> >> > Exploiting 'local_file_reader'...
> >> >> > 1 vulnerabilites to exploit
> >> >> > Checking suitability for vuln 'Local file inclusion vulnerability'...
> >> >> > ok
> >> >> > Exploiting...
> >> >> > Cut algorithm error: len(header+footer)>len(body).
> >> >>
> >> >> That should never happen I think :D We should check that, but it's
> >> >> very low priority
> >> >> If you can send me a way to reproduce that without depending on a DVWA
> >> >> setup, that would be awesome
> >> >>
> >> >> > Done
> >> >> >
> >> >> > I did : sudo chown root:www-data
> >> >> > /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm, able
> >> >> > to get the shell.
> >> >>
> >> >> Well, then it's not a w3af issue, it's a DVWA issue where you're
> >> >> enabling/disabling sections and vulnerabilities of the site which
> >> >> don't work because of specific permissions are required.
> >> >>
> >> >> > The shell appeared and then during running the payload
> >> >> > apache_version an exception occurred and it is logged as issue #530
> >> >> > in github.
> >> >>
> >> >> Same as above, if you give me a way to reproduce without installing
> >> >> DVWA (just a PHP file) I'll work on it.
> >> >>
> >> >> > Typing in the shell was bit difficult, it was not smooth at all.
> >> >>
> >> >> Could you please elaborate more on that?
> >> >>
> >> >> > 4. Please see the issues #529,
> >> >>
> >> >> This is not a w3af bug. The php script triggered a 500 exception and
> >> >> we're letting you know about that
> >> >>
> >> >> > #525,
> >> >>
> >> >> See comment in issue tracker
> >> >>
> >> >> > #521
> >> >>
> >> >> Fixed, thanks!
> >> >>
> >> >> > 5. whatever the exceptions has occurred I have logged this under
> >> >> > graytips/[email protected] , in github issue lists. I will recheck
> >> >> > the list and inform you if missed anything.
> >> >> >
> >> >> > 6. I am wondering why SQLi in the DVWA is not detected even though I
> >> >> > gave the cookie file which is set the dvwa security to low. With the
> >> >> > same cookie details, SQLMap is detecting the SQLi in dvwa.
> >> >>
> >> >> You should read the HTTP traffic output
> >> >>
> >> >> > 7. Few Items that are related to the profile saving in to different
> >> >> > name, need to recheck before i report.
> >> >> >
> >> >> > Hope my observations will help to improve w3af.
> >> >> >
> >> >> > On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho
> >> >> > <[email protected]>
> >> >> > wrote:
> >> >> >>
> >> >> >> Shafeeque,
> >> >> >>
> >> >> >> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail]
> >> >> >> <[email protected]> wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > I have playing around with latest w3af and testing DVWA using this
> >> >> >> > tools.
> >> >> >> >
> >> >> >> > Somehow I am failing to get the SQLi, injection vulnerabilities
> >> >> >> > of DVWA detected by w3af. I am able to get BlindSQLi bugs.. So I
> >> >> >> > decided to check whether the SQLi is really working (of course it
> >> >> >> > works)
> >> >> >> >
> >> >> >> > I understand that there was some unit testing scripts shipped with
> >> >> >> > earlier w3af. I have seen this on SecurityDojo, however when I run
> >> >> >> > the SQLi test against the w3af unit testing scripts available in
> >> >> >> > SecurityDojo, the sqli is not detected.
> >> >> >> >
> >> >> >> > I understand the problem is that the script to recreate the
> >> >> >> > required tables create_tables.sqli is missing, hence the required
> >> >> >> > tables are not created properly.
> >> >> >> >
> >> >> >> > Would like to know whether the framework testing scripts are still
> >> >> >> > valid against the latest version of w3af, if so where can I get the
> >> >> >> > complete working scripts.
> >> >> >>
> >> >> >> Well, if you really want to run unit-tests for w3af you'll need to
> >> >> >> install nosetests, more on this here [0]. The scripts you find in
> >> >> >> the "scripts/" directory are our OLD, really OLD, "unit-tests". Right
> >> >> >> now we use things like this [1] to verify that our framework works.
> >> >> >>
> >> >> >> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
> >> >> >> [1] https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
> >> >> >>
> >> >> >> > During my test I have found interesting observations on latest
> >> >> >> > w3af. I will compile the lists and send this after reconfirming my
> >> >> >> > experiments. Meanwhile I look for the support to get the unit
> >> >> >> > testing scripts.
> >> >> >>
> >> >> >> Intrigued to know what you've found :)
> >> >> >>
> >> >> >> > Thanks in advance.
> >> >> >> >
> >> >> >> > --
> >> >> >> > Regards,
> >> >> >> > -S-
> >> >> >> >
> >> >> >> > ------------------------------------------------------------------------------
> >> >> >> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> >> >> >> > It's a free troubleshooting tool designed for production.
> >> >> >> > Get down to code-level detail for bottlenecks, with <2% overhead.
> >> >> >> > Download for free and get started troubleshooting in minutes.
> >> >> >> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> >> >> >> > _______________________________________________
> >> >> >> > W3af-users mailing list
> >> >> >> > [email protected]
> >> >> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
> >> >> >> >
> >> >> >>
> >> >> >> --
> >> >> >> Andrés Riancho
> >> >> >> Project Leader at w3af - http://w3af.org/
> >> >> >> Web Application Attack and Audit Framework
> >> >> >> Twitter: @w3af
> >> >> >> GPG: 0x93C344F3
> >> >> >
> >> >> > --
> >> >> > Regards,
> >> >> > -S-
> >> >>
> >> >> --
> >> >> Andrés Riancho
> >> >> Project Leader at w3af - http://w3af.org/
> >> >> Web Application Attack and Audit Framework
> >> >> Twitter: @w3af
> >> >> GPG: 0x93C344F3
> >> >
> >> > --
> >> > Regards,
> >> > -S-
> >>
> >> --
> >> Andrés Riancho
> >> Project Leader at w3af - http://w3af.org/
> >> Web Application Attack and Audit Framework
> >> Twitter: @w3af
> >> GPG: 0x93C344F3
> >
> > --
> > Regards,
> > -S-
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>

--
Regards,
-S-
<<attachment: login.php>>
<<attachment: security.php>>
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
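
The point made in the thread, that a page the scanner cannot parse yields no links and so hides the sections where the vulnerabilities are, shown as an added example that is not part of the original messages and is not w3af code. It assumes a strict XML parser as a stand-in for the lxml failure (the thread does not show why lxml rejected the pages); the host dvwa.test, the sample body and all function names are constructed.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample body; the real login.php/security.php bodies are not on the page.
SAMPLE_BODY = """<html><body>
<form action="login.php" method="post">
<input type="text" name="username"><br>
<input type="submit" value="Login">
</form>
<a href="security.php">DVWA Security</a>
<a href="vulnerabilities/sqli/?id=1">SQL Injection</a>
</body></html>"""

# Which attribute carries a URL for each tag the crawler follows.
LINK_ATTRS = {"a": "href", "form": "action", "img": "src", "script": "src"}


def strict_links(base_url, body):
    """Strict stand-in parser: returns None when the body cannot be parsed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # the crawler learns nothing from this page
    found = set()
    for elem in root.iter():
        attr = LINK_ATTRS.get(elem.tag)
        if attr and elem.get(attr):
            found.add(urljoin(base_url, elem.get(attr)))
    return found


class _Collector(HTMLParser):
    """Tolerant parser: keeps going past unclosed or malformed tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, set()

    def handle_starttag(self, tag, attrs):
        attr = LINK_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.found.add(urljoin(self.base_url, value))


def discover(base_url, body):
    """Return (links, parser_used); fall back instead of dropping the page."""
    links = strict_links(base_url, body)
    if links is not None:
        return links, "strict"
    collector = _Collector(base_url)
    collector.feed(body)
    collector.close()
    return collector.found, "tolerant"
```

With the strict parser alone the sample page contributes nothing to the crawl, so the /vulnerabilities/sqli/ URL is never queued for auditing; the fallback recovers it.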
