Just tried these two files really quick and I was able to parse them, at least with the way I used to reproduce it, w3af works.
Let's try something different, could you capture the whole traffic of a w3af scan against that site and send me the pcap?

Thanks!

On Mon, Aug 12, 2013 at 11:29 PM, Shafeeque O.K [gmail] <[email protected]> wrote:
> Hi Andres,
>
> Kindly find attached the files.
>
> On Mon, Aug 12, 2013 at 7:00 PM, Andres Riancho <[email protected]> wrote:
>>
>> It should be enough to wget them, yes.
>>
>> On Fri, Aug 9, 2013 at 9:45 AM, Shafeeque O.K [gmail] <[email protected]> wrote:
>> > Is it ok, if I just do the following to get the files, which was unable to process by w3af..
>> >
>> > 1. wget http://192.168.92.135/dvwa/login.php
>> > 2. wget http://192.168.92.135/dvwa/security.php
>> >
>> > do I need to set any options for wget?
>> >
>> > Kindly guide.
>> >
>> > On Fri, Aug 9, 2013 at 12:41 AM, Andres Riancho <[email protected]> wrote:
>> >>
>> >> Shafeeque,
>> >>
>> >> On Thu, Aug 8, 2013 at 2:13 PM, Shafeeque O.K [gmail] <[email protected]> wrote:
>> >> > Hi Andres,
>> >> >
>> >> > Thanks again for the instant reply.
>> >> >
>> >> >>>Item #2,3 - i will do some more investigation.
>> >> >
>> >> >>> Typing in the shell. The cursor moment in the shell was not smooth, after typing a command, we need to press two enter to get a new command prompt. Some time I was keep hitting the enter key to get the command prompt after completing a command.
>> >>
>> >> I understand, please report a bug for this.
>> >>
>> >> >>>For issue #530, I will try to give the php file :)
>> >> >
>> >> >> 6. I am wondering why SQLi in the DVWA is not detected even though I gave the cookie file which is set the dvwa security to low. With the same cookie details, SQLMap is detecting the SQLi in dvwa.
>> >> >
>> >> >>> The following is one among the request
>> >> >
>> >> > GET http://192.168.92.135/dvwa/vulnerabilities/sqli/?id=%3C%21-- HTTP/1.1
>> >> > Referer: http://192.168.92.135/
>> >> > Accept-encoding: gzip
>> >> > User-agent: w3af.org
>> >> > Host: 192.168.92.135
>> >> > Cookie: security=low; PHPSESSID=ojt3mpjplist2ph5n786msebn5
>> >> > Accept: */*
>> >> >
>> >> > -------------------------------------------------------------------- The response is below
>> >> >
>> >> > HTTP/1.1 200 OK
>> >> > content-length: 1414
>> >> > x-powered-by: PHP/5.3.10-1ubuntu3.7
>> >> > content-encoding: gzip
>> >> > expires: Tue, 23 Jun 2009 12:00:00 GMT
>> >> > vary: Accept-Encoding
>> >> > server: Apache/2.2.22 (Ubuntu)
>> >> > pragma: no-cache
>> >> > cache-control: no-cache, must-revalidate
>> >> > date: Wed, 07 Aug 2013 15:46:28 GMT
>> >> > content-type: text/html;charset=utf-8
>> >> >
>> >> > An error occured: Given file does not exist. Please make sure the logfile is present in the given directory.
>> >>
>> >> This doesn't seem to be the right file, either w3af didn't find the link to the SQL injection; or you're not finding it in the logs. Take into account that the URL where w3af is sending a request here is /dvwa/vulnerabilities/sqli/?id=%3C%21-- , not that there is "no filename" here.
>> >>
>> >> > // followed by complete html file
>> >> >
>> >> > I could not find anything strange, will the above details helps?
>> >> >
>> >> > --------------------------------------------------------------------------------
>> >> >
>> >> >>> New issue#, after some 5-8 minutes running of scanning i get the following in my console and this keeps increasing and scan never stops
>> >> >
>> >> > The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be parsed by lxml.
>> >> > The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT be parsed by lxml.
>> >>
>> >> Well, that's very interesting indeed and could explain many problems. If w3af can't parse those HTML files, it can't extract links from it and can't find the sections where the vulnerabilities are.
>> >>
>> >> Could you please wget those two URLs and send me the results? I would like to do some testing here and with the HTML files I have more than enough to start with.
>> >>
>> >> >>> please see issue in #531 in issue tracker
>> >> >
>> >> >>> just for curiosity, why can't we rely on a vulnerable application like DVWA for testing w3af?
>> >>
>> >> Because it's less detailed than the one we created. DVWA has only a few SQL injections, while our test suite has all I could think of:
>> >>
>> >> https://github.com/andresriancho/w3af-moth/tree/master/webroot/moth/w3af/audit/sql_injection/select
>> >>
>> >> >
>> >> > Regards,
>> >> > -S-
>> >> >
>> >> > On Thu, Aug 8, 2013 at 9:31 PM, Andres Riancho <[email protected]> wrote:
>> >> >>
>> >> >> Shafeeque,
>> >> >>
>> >> >> On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail] <[email protected]> wrote:
>> >> >> > Dear Andres,
>> >> >> >
>> >> >> > Thank you for your quick reply.
>> >> >> >
>> >> >> > I will check the links given for testing w3af framework.
>> >> >> >
>> >> >> > Some observations from my testing. They are not major, kindly note that I may be wrong, you are welcome to guide me! The points are below.
>> >> >> >
>> >> >> > 1. Once a full fledged scan is started, if we are trying to stop, the scan never terminate, the GUI need to be forced to close. This is very annoying to the user.
>> >> >>
>> >> >> Yes, that's a known issue that we've had for a while.
>> >> >> I'm not sure if it's in the issue tracker though. Please report it if you don't find it.
>> >> >>
>> >> >> > 2. The dvwa 1.0.8 is setup in another ubuntu based vm, and the permission set for my /var/www directory is root:root, interestingly no blind_sqli, lfi is found, I made the permission as root:www-data and then I did the scan it gave me bunch of blind_sqli vulnerabilities detected and along with one lfi vulnerabilities.
>> >> >>
>> >> >> I'm not a DVWA user, so I really don't know what's going on there.
>> >> >>
>> >> >> > 3. I tried to exploit the local_file_reader exploit detected and I got the following error
>> >> >> >
>> >> >> > Exploiting 'local_file_reader'...
>> >> >> > 1 vulnerabilites to exploit
>> >> >> > Checking suitability for vuln 'Local file inclusion vulnerability'... ok
>> >> >> > Exploiting...
>> >> >> > Cut algorithm error: len(header+footer)>len(body).
>> >> >>
>> >> >> That should never happen I think :D We should check that, but it's very low priority
>> >> >> If you can send me a way to reproduce that without depending on a DVWA setup, that would be awesome
>> >> >>
>> >> >> > Done
>> >> >> >
>> >> >> > I did : sudo chown root:www-data /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm, able to get the shell.
>> >> >>
>> >> >> Well, then it's not a w3af issue, it's a DVWA issue where you're enabling/disabling sections and vulnerabilities of the site which don't work because of specific permissions are required.
>> >> >>
>> >> >> > The shell appeared and then during running the payload apache_version an exception occurred and it is logged as issue #530 in github.
>> >> >>
>> >> >> Same as above, if you give me a way to reproduce without installing DVWA (just a PHP file) I'll work on it.
>> >> >>
>> >> >> > Typing in the shell was bit difficult, it was not smooth at all.
>> >> >>
>> >> >> Could you please elaborate more on that?
>> >> >>
>> >> >> > 4. Please see the issues #529,
>> >> >>
>> >> >> This is not a w3af bug. The php script triggered a 500 exception and we're letting you know about that
>> >> >>
>> >> >> > #525,
>> >> >>
>> >> >> See comment in issue tracker
>> >> >>
>> >> >> > #521
>> >> >>
>> >> >> Fixed, thanks!
>> >> >>
>> >> >> > 5. whatever the exceptions has occurred I have logged this under graytips/[email protected] , in github issue lists. I will recheck the list and inform you if missed anything.
>> >> >> >
>> >> >> > 6. I am wondering why SQLi in the DVWA is not detected even though I gave the cookie file which is set the dvwa security to low. With the same cookie details, SQLMap is detecting the SQLi in dvwa.
>> >> >>
>> >> >> You should read the HTTP traffic output
>> >> >>
>> >> >> > 7. Few Items that are related to the profile saving in to different name, need to recheck before i report.
>> >> >> >
>> >> >> > Hope my observations will help to improve w3af.
>> >> >> >
>> >> >> > On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho <[email protected]> wrote:
>> >> >> >>
>> >> >> >> Shafeeque,
>> >> >> >>
>> >> >> >> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail] <[email protected]> wrote:
>> >> >> >> > Hi,
>> >> >> >> >
>> >> >> >> > I have been playing around with latest w3af and testing DVWA using this tools.
>> >> >> >> >
>> >> >> >> > Somehow I am failing to get the SQLi, injection vulnerabilities of DVWA detected by w3af. I am able to get BlindSQLi bugs.. So I decided to check whether the SQLi is really working (of course it works)
>> >> >> >> >
>> >> >> >> > I understand that there was some unit testing scripts shipped with earlier w3af. I have seen this on SecurityDojo, however when I run the SQLi test against the w3af unit testing scripts available in SecurityDojo, the sqli is not detected.
>> >> >> >> >
>> >> >> >> > I understand the problem is that the script to recreate the required tables create_tables.sqli is missing, hence the required tables are not created properly.
>> >> >> >> >
>> >> >> >> > Would like to know whether the framework testing scripts are still valid against the latest version of w3af, if so where can I get the complete working scripts.
>> >> >> >>
>> >> >> >> Well, if you really want to run unit-tests for w3af you'll need to install nosetests, more on this here [0]. The scripts you find in the "scripts/" directory are our OLD, really OLD, "unit-tests". Right now we use things like this [1] to verify that our framework works.
>> >> >> >>
>> >> >> >> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
>> >> >> >> [1] https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
>> >> >> >>
>> >> >> >> > During my test I have found interesting observations on latest w3af.
>> >> >> >> > I will compile the lists and send this after reconfirming my experiments. Meanwhile I look for the support to get the unit testing scripts.
>> >> >> >>
>> >> >> >> Intrigued to know what you've found :)
>> >> >> >>
>> >> >> >> > Thanks in advance.
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> > Regards,
>> >> >> >> > -S-
>> >> >> >>
>> >> >> >> --
>> >> >> >> Andrés Riancho
>> >> >> >> Project Leader at w3af - http://w3af.org/
>> >> >> >> Web Application Attack and Audit Framework
>> >> >> >> Twitter: @w3af
>> >> >> >> GPG: 0x93C344F3
>> >> >> >
>> >> >> > --
>> >> >> > Regards,
>> >> >> > -S-
>> >> >>
>> >> >> --
>> >> >> Andrés Riancho
>> >> >> Project Leader at w3af - http://w3af.org/
>> >> >> Web Application Attack and Audit Framework
>> >> >> Twitter: @w3af
>> >> >> GPG: 0x93C344F3
>> >> >
>> >> > --
>> >> > Regards,
>> >> > -S-
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> > --
>> > Regards,
>> > -S-
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
> --
> Regards,
> -S-

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
