Also, I just added a little bit more debugging for you. Use the
feature/module branch of the w3af repository to run the scan. Instead
of a line like:

"The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT
be parsed by lxml."

You should see something like:

"The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT
be parsed by lxml. The exception was: "....""

Those dots will be replaced by the exception message.

On Sun, Aug 18, 2013 at 2:58 PM, Andres Riancho
<[email protected]> wrote:
> Just tried these two files really quick and I was able to parse them,
> at least with the way I used to reproduce it, w3af works.
>
> Let's try something different, could you capture the whole traffic of a
> w3af scan against that site and send me the pcap?
>
> Thanks!
>
> On Mon, Aug 12, 2013 at 11:29 PM, Shafeeque O.K [gmail]
> <[email protected]> wrote:
>> Hi Andres,
>>
>> Kindly find attached the files.
>>
>>
>> On Mon, Aug 12, 2013 at 7:00 PM, Andres Riancho <[email protected]>
>> wrote:
>>>
>>> It should be enough to wget them, yes.
>>>
>>> On Fri, Aug 9, 2013 at 9:45 AM, Shafeeque O.K [gmail]
>>> <[email protected]> wrote:
>>> > Is it OK if I just do the following to get the files which w3af was
>>> > unable to process?
>>> >
>>> > 1. wget http://192.168.92.135/dvwa/login.php
>>> > 2.  wget http://192.168.92.135/dvwa/security.php
>>> >
>>> > do I need to set any options for wget?
>>> >
>>> > Kindly guide.
>>> >
>>> >
>>> >
>>> > On Fri, Aug 9, 2013 at 12:41 AM, Andres Riancho
>>> > <[email protected]>
>>> > wrote:
>>> >>
>>> >> Shafeeque,
>>> >>
>>> >> On Thu, Aug 8, 2013 at 2:13 PM, Shafeeque O.K [gmail]
>>> >> <[email protected]> wrote:
>>> >> > Hi Andres,
>>> >> >
>>> >> > Thanks again for the instant reply.
>>> >> >
>>> >> >>>Item #2,3 - i will do some more investigation.
>>> >> >
>>> >> >>>  Typing in the shell. The cursor movement in the shell was not
>>> >> >>> smooth; after typing a command, we need to press Enter twice to get
>>> >> >>> a new command prompt. Sometimes I kept hitting the Enter key to get
>>> >> >>> the command prompt after completing a command.
>>> >>
>>> >> I understand, please report a bug for this.
>>> >>
>>> >> >>>For issue #530, I will try to give the php file :)
>>> >> >
>>> >> >> 6. I am wondering why SQLi in the DVWA is not detected even though I
>>> >> >> gave the cookie file which sets the dvwa security to low. With the
>>> >> >> same cookie details, SQLMap is detecting the SQLi in dvwa.
>>> >> >
>>> >> >>> The following is one among the request
>>> >> >
>>> >> > GET http://192.168.92.135/dvwa/vulnerabilities/sqli/?id=%3C%21--
>>> >> > HTTP/1.1
>>> >> > Referer: http://192.168.92.135/
>>> >> > Accept-encoding: gzip
>>> >> > User-agent: w3af.org
>>> >> > Host: 192.168.92.135
>>> >> > Cookie: security=low; PHPSESSID=ojt3mpjplist2ph5n786msebn5
>>> >> > Accept: */*
>>> >> >
>>> >> >
>>> >> > --------------------------------------------------------------------The
>>> >> > response is below
>>> >> >
>>> >> > HTTP/1.1 200 OK
>>> >> > content-length: 1414
>>> >> > x-powered-by: PHP/5.3.10-1ubuntu3.7
>>> >> > content-encoding: gzip
>>> >> > expires: Tue, 23 Jun 2009 12:00:00 GMT
>>> >> > vary: Accept-Encoding
>>> >> > server: Apache/2.2.22 (Ubuntu)
>>> >> > pragma: no-cache
>>> >> > cache-control: no-cache, must-revalidate
>>> >> > date: Wed, 07 Aug 2013 15:46:28 GMT
>>> >> > content-type: text/html;charset=utf-8
>>> >> >
>>> >> > An error occured: Given file does not exist. Please make sure the
>>> >> > logfile is
>>> >> > present in the given directory.
>>> >>
>>> >> This doesn't seem to be the right file, either w3af didn't find the
>>> >> link to the SQL injection; or you're not finding it in the logs. Take
>>> >> into account that the URL where w3af is sending a request here is
>>> >> /dvwa/vulnerabilities/sqli/?id=%3C%21--   , not that there is "no
>>> >> filename" here.
>>> >>
>>> >> > // followed by complete HTML file
>>> >> >
>>> >> > I could not find anything strange, will the above details help?
>>> >> >
>>> >> >
>>> >> > --------------------------------------------------------------------------------
>>> >> >
>>> >> >>> New issue#, after some 5-8 minutes running of scanning I get the
>>> >> >>> following in my console and this keeps increasing and scan never
>>> >> >>> stops
>>> >> >
>>> >> > The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be
>>> >> > parsed by lxml.
>>> >> > The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT
>>> >> > be parsed by lxml.
>>> >>
>>> >> Well, that's very interesting indeed and could explain many problems.
>>> >> If w3af can't parse those HTML files, it can't extract links from it
>>> >> and can't find the sections where the vulnerabilities are.
>>> >>
>>> >> Could you please wget those two URLs and send me the results? I would
>>> >> like to do some testing here and with the HTML files I have more than
>>> >> enough to start with.
>>> >>
>>> >> >>> please see issue in #531 in issue tracker
>>> >> >
>>> >> >
>>> >> >>> just for curiosity, why can't we rely on a vulnerable application
>>> >> >>> like
>>> >> >>> DVWA for testing w3af?
>>> >>
>>> >> Because it's less detailed than the one we created. DVWA has only a
>>> >> few SQL injections, while our test suite has all I could think of:
>>> >>
>>> >>
>>> >> https://github.com/andresriancho/w3af-moth/tree/master/webroot/moth/w3af/audit/sql_injection/select
>>> >>
>>> >> >
>>> >> > Regards,
>>> >> > -S-
>>> >> >
>>> >> >
>>> >> > On Thu, Aug 8, 2013 at 9:31 PM, Andres Riancho
>>> >> > <[email protected]>
>>> >> > wrote:
>>> >> >>
>>> >> >> Shafeeque,
>>> >> >>
>>> >> >> On Thu, Aug 8, 2013 at 12:16 PM, Shafeeque O.K [gmail]
>>> >> >> <[email protected]> wrote:
>>> >> >> > Dear Andres,
>>> >> >> >
>>> >> >> > Thank you for your quick reply.
>>> >> >> >
>>> >> >> > I will check the links given for testing w3af framework.
>>> >> >> >
>>> >> >> > Some observations from my testing. They are not major, kindly note
>>> >> >> > that
>>> >> >> > I
>>> >> >> > may be wrong, you are welcome to guide me! The points are below.
>>> >> >> >
>>> >> >> >
>>> >> >> > 1. Once a full-fledged scan is started, if we try to stop it, the
>>> >> >> > scan never terminates; the GUI needs to be forced to close. This is
>>> >> >> > very annoying to the user.
>>> >> >>
>>> >> >> Yes, that's a known issue that we've had for a while. I'm not sure
>>> >> >> if
>>> >> >> it's in the issue tracker though. Please report it if you don't find
>>> >> >> it.
>>> >> >>
>>> >> >> > 2. The dvwa 1.0.8 is set up in another Ubuntu-based VM, and the
>>> >> >> > permission set for my /var/www directory is root:root. Interestingly,
>>> >> >> > no blind_sqli or lfi is found. I made the permission root:www-data
>>> >> >> > and then I did the scan; it gave me a bunch of blind_sqli
>>> >> >> > vulnerabilities detected, along with one lfi vulnerability.
>>> >> >>
>>> >> >> I'm not a DVWA user, so I really don't know what's going on there.
>>> >> >>
>>> >> >> > 3. I tried to exploit the local_file_reader exploit detected and I
>>> >> >> > got
>>> >> >> > the
>>> >> >> > following error
>>> >> >> >
>>> >> >> > Exploiting 'local_file_reader'...
>>> >> >> >   1 vulnerabilites to exploit
>>> >> >> > Checking suitability for vuln 'Local file inclusion
>>> >> >> > vulnerability'...
>>> >> >> >   ok
>>> >> >> > Exploiting...
>>> >> >> > Cut algorithm error: len(header+footer)>len(body).
>>> >> >>
>>> >> >> That should never happen I think :D We should check that, but it's
>>> >> >> very low priority
>>> >> >> If you can send me a way to reproduce that without depending on a
>>> >> >> DVWA
>>> >> >> setup, that would be awesome
>>> >> >>
>>> >> >> > Done
>>> >> >> >
>>> >> >> > I did : sudo chown root:www-data
>>> >> >> > /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp on my ubuntu vm,
>>> >> >> > able
>>> >> >> > to
>>> >> >> > get
>>> >> >> > the shell.
>>> >> >>
>>> >> >> Well, then it's not a w3af issue, it's a DVWA issue where you're
>>> >> >> enabling/disabling sections and vulnerabilities of the site which
>>> >> >> don't work because specific permissions are required.
>>> >> >>
>>> >> >> > The shell appeared and then during running the payload
>>> >> >> > apache_version an exception occurred and it is logged as issue
>>> >> >> > #530
>>> >> >> > in
>>> >> >> > github.
>>> >> >>
>>> >> >> Same as above, if you give me a way to reproduce without installing
>>> >> >> DVWA (just a PHP file) I'll work on it.
>>> >> >>
>>> >> >> > Typing in the shell was bit difficult, it was not smooth at all.
>>> >> >>
>>> >> >> Could you please elaborate more on that?
>>> >> >>
>>> >> >> > 4. Please see the issues #529,
>>> >> >>
>>> >> >> This is not a w3af bug. The php script triggered a 500 exception and
>>> >> >> we're letting you know about that
>>> >> >>
>>> >> >> > #525,
>>> >> >>
>>> >> >> See comment in issue tracker
>>> >> >>
>>> >> >> > #521
>>> >> >>
>>> >> >> Fixed, thanks!
>>> >> >>
>>> >> >> > 5. Whatever exceptions have occurred, I have logged them under
>>> >> >> > graytips/[email protected], in the GitHub issue list. I will
>>> >> >> > recheck the list and inform you if I missed anything.
>>> >> >> >
>>> >> >> > 6. I am wondering why SQLi in the DVWA is not detected even though
>>> >> >> > I gave the cookie file which sets the dvwa security to low. With
>>> >> >> > the same cookie details, SQLMap is detecting the SQLi in dvwa.
>>> >> >>
>>> >> >> You should read the HTTP traffic output
>>> >> >>
>>> >> >> > 7. A few items that are related to saving the profile under a
>>> >> >> > different name; I need to recheck before I report.
>>> >> >> >
>>> >> >> > Hope my observations will help to improve w3af.
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > On Thu, Aug 8, 2013 at 8:06 PM, Andres Riancho
>>> >> >> > <[email protected]>
>>> >> >> > wrote:
>>> >> >> >>
>>> >> >> >> Shafeeque,
>>> >> >> >>
>>> >> >> >> On Thu, Aug 8, 2013 at 11:25 AM, Shafeeque O.K [gmail]
>>> >> >> >> <[email protected]> wrote:
>>> >> >> >> > Hi,
>>> >> >> >> >
>>> >> >> >> > I have been playing around with the latest w3af and testing DVWA
>>> >> >> >> > using this tool.
>>> >> >> >> >
>>> >> >> >> > Somehow I am failing to get the SQLi injection vulnerabilities of
>>> >> >> >> > DVWA detected by w3af. I am able to get BlindSQLi bugs. So I
>>> >> >> >> > decided to check whether the SQLi is really working (of course it
>>> >> >> >> > works).
>>> >> >> >> >
>>> >> >> >> > I understand that there were some unit testing scripts shipped
>>> >> >> >> > with earlier w3af. I have seen this on SecurityDojo; however, when
>>> >> >> >> > I run the SQLi test against the w3af unit testing scripts
>>> >> >> >> > available in SecurityDojo, the sqli is not detected.
>>> >> >> >> >
>>> >> >> >> > I understand the problem is that the script to recreate the
>>> >> >> >> > required
>>> >> >> >> > tables
>>> >> >> >> > create_tables.sqli is missing, hence the required tables are
>>> >> >> >> > not
>>> >> >> >> > created
>>> >> >> >> > properly.
>>> >> >> >> >
>>> >> >> >> > Would like to know whether the framework testing scripts are
>>> >> >> >> > still valid against the latest version of w3af; if so, where can
>>> >> >> >> > I get the complete working scripts?
>>> >> >> >>
>>> >> >> >> Well, if you really want to run unit-tests for w3af you'll need
>>> >> >> >> to
>>> >> >> >> install nosetests, more on this here [0]. The scripts you find in
>>> >> >> >> the
>>> >> >> >> "scripts/" directory are our OLD, really OLD, "unit-tests". Right
>>> >> >> >> now
>>> >> >> >> we use things like this [1] to verify that our framework works.
>>> >> >> >>
>>> >> >> >> [0] https://github.com/andresriancho/w3af/wiki/Developer's-Guide
>>> >> >> >> [1]
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> https://github.com/andresriancho/w3af/blob/master/plugins/tests/audit/test_sqli.py
>>> >> >> >>
>>> >> >> >> > During my test I have found interesting observations on latest
>>> >> >> >> > w3af.
>>> >> >> >> > I
>>> >> >> >> > will
>>> >> >> >> > compile the lists and send  this after reconfirming my
>>> >> >> >> > experiments.
>>> >> >> >> > Meanwhile I look for the support to get the unit testing
>>> >> >> >> > scripts.
>>> >> >> >>
>>> >> >> >> Intrigued to know what you've found :)
>>> >> >> >>
>>> >> >> >> > Thanks in advance.
>>> >> >> >> >
>>> >> >> >> > --
>>> >> >> >> > Regards,
>>> >> >> >> > -S-
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > _______________________________________________
>>> >> >> >> > W3af-users mailing list
>>> >> >> >> > [email protected]
>>> >> >> >> > https://lists.sourceforge.net/lists/listinfo/w3af-users
>>> >> >> >> >
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> Andrés Riancho
>>> >> >> >> Project Leader at w3af - http://w3af.org/
>>> >> >> >> Web Application Attack and Audit Framework
>>> >> >> >> Twitter: @w3af
>>> >> >> >> GPG: 0x93C344F3
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > --
>>> >> >> > Regards,
>>> >> >> > -S-
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Andrés Riancho
>>> >> >> Project Leader at w3af - http://w3af.org/
>>> >> >> Web Application Attack and Audit Framework
>>> >> >> Twitter: @w3af
>>> >> >> GPG: 0x93C344F3
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > Regards,
>>> >> > -S-
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Andrés Riancho
>>> >> Project Leader at w3af - http://w3af.org/
>>> >> Web Application Attack and Audit Framework
>>> >> Twitter: @w3af
>>> >> GPG: 0x93C344F3
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Regards,
>>> > -S-
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>>
>>
>> --
>> Regards,
>> -S-
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
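
Added example (not part of the original thread, and not w3af code): a small triage script for the console message discussed above, grouping the URLs whose body could not be parsed by the exception reported for them. The message wording and URLs are taken from the thread; the exception texts and the unrelated line in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the old message and the new one that appends the exception text.
# Wording copied from the console lines quoted in the thread.
LINE_RE = re.compile(
    r'The HTTP body for "(?P<url>[^"]+)" could NOT be parsed by lxml\.'
    r'(?: The exception was: "(?P<exc>.*)")?'
)

# Constructed sample console output. The exception texts are placeholders,
# not messages observed in the thread.
SAMPLE_LOG = '''\
The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be parsed by lxml.
The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT be parsed by lxml. The exception was: "constructed error A"
some unrelated console line (constructed)
The HTTP body for "http://192.168.92.135/dvwa/security.php" could NOT be parsed by lxml. The exception was: "constructed error A"
The HTTP body for "http://192.168.92.135/dvwa/login.php" could NOT be parsed by lxml. The exception was: "constructed error B"
'''


def triage(log_text):
    """Return {url: {exception_text_or_None: count}} for unparsed bodies.

    A None key means the line used the old format with no exception text.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            failures[match.group("url")][match.group("exc")] += 1
    return {url: dict(excs) for url, excs in failures.items()}


def report(failures):
    """Format the triage result, most frequent exception first per URL."""
    out = []
    for url in sorted(failures):
        total = sum(failures[url].values())
        out.append(f"{url}  ({total} unparsed responses)")
        ranked = sorted(failures[url].items(), key=lambda kv: -kv[1])
        for exc, count in ranked:
            label = exc if exc is not None else "<old format, no exception>"
            out.append(f"    {count}x  {label}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Every URL listed is a page from which no links were extracted, so sections reachable only through it were not audited in that scan.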
