Daniel,

On Sat, Mar 31, 2012 at 6:05 PM, Daniel Zulla <daniel.zu...@googlemail.com> wrote:
> Hi,
> I'll provide well-formatted patches in the future, thanks for the fix.
> Yes. That works with Python and Perl. Verified it with a small HTML::Template
> and Pyramid Lab.

Great, thanks for the good news.

> But in the real world, we won't win with echo/print. Maybe we should replace
> "print "/"echo " by %s and provide several options:
> - print
> - echo
> - return
> - self.append
> - self.push
> - etc.

Yes, agreed, but we can't add all of those payloads. That's why we have the
ones that add delays, which should work "in all frameworks". What do you
think about that?

> Regards,
> Dan
>
> On 28.03.2012 at 15:11, Andres Riancho wrote:
>
>> Daniel,
>>
>> On Tue, Mar 27, 2012 at 11:26 PM, Daniel Zulla
>> <daniel.zu...@googlemail.com> wrote:
>>> This patch *may* work. Untested.
>>
>> Applied the patch to the latest eval.py in our SVN, and tested using:
>> * sudo python w3af_console -s scripts/script-eval.w3af
>>
>> This triggered various errors in the line where this was performed:
>> print_strings = [pstr % (self._rnd1, self._rnd2)
>> for pstr in self.PRINT_STRINGS]
>>
>> Since there are two %s which are not correctly formatted in the
>> proposed payloads.
>>
>> Worked a little bit around the patch and finally applied what's
>> attached. That works with PHP, could you verify if it works with Perl
>> and/or Python?
>>
>> PS: Sadly, the patch wasn't in the correct format so I could apply it
>> with "patch -p0 < eval.py.patch"
>>
>>>> Dan,
>>>>
>>>> On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla
>>>> <daniel.zu...@googlemail.com> wrote:
>>>>> Hi there,
>>>>> The "string1"."string2" --> .match("string1string2") strategy of eval.py
>>>>> turned out to produce false positives when the webapp strips out
>>>>> everything but [a-zA-Z0-9_-].
>>>>>
>>>>> Instead of "Error 404 "string1"."string2", string1string2 will be
>>>>> returned.
>>>>> Why not implement it like this:
>>>>>
>>>>> Case 1) ."random_string"*5
>>>>> Case 2) ."random_string"x5
>>>>>
>>>>> If the response content contains
>>>>> "random_stringrandom_stringrandom_stringrandom_stringrandom_string" we
>>>>> can be sure that it is not a false positive.
>>>>>
>>>>> What do you think?
>>>>
>>>> Sure! That's a good idea, I've been thinking about similar
>>>> solutions to that problem too but never got to implement them. My two
>>>> potential solutions were:
>>>> - Do some math, maybe random_number+random_number and look for the
>>>> result of that
>>>> - String replacement, 'abcdef'.replace('bcd', '111') and search for
>>>> a111ef
>>>>
>>>> Your idea is equally nice and valid; if I had to choose, I
>>>> would choose the one that uses the least amount of "special characters"
>>>> (like single quotes, quotes, parentheses, etc.) in the payload being
>>>> sent, and the one that uses the fewest characters overall (as a measure
>>>> to reduce complexity). Taking those into account, I think that both
>>>> the sum of two random numbers and the "string multiplication" are
>>>> almost the same.
>>>>
>>>> Want to give it a try at the code and send a patch?
>>>>
>>>> Regards,
>>>>
>>>>> Best,
>>>>> Dan
>>
>> <eval.py.patch>

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
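The false positive Daniel reports and the two fixes discussed (string repetition, arithmetic on random numbers), plus the delay-based payload Andrés mentions for blind cases, as an added example. This is illustrative code written for this page, not the thread's patch and not w3af's eval.py; the `vulnerable_app` and `echoing_app` targets are constructed stand-ins for a Python eval() sink and for a page that strips everything but `[a-zA-Z0-9_-]` and echoes the rest, and all function names are assumptions.

```python
import random
import re
import string
import time


def random_token(length=8):
    """Random lowercase token; letters only, so a [a-zA-Z0-9_-] filter keeps it intact."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


# Payload builders for a Python eval() sink. Each returns (payload, expected_output).
# PHP would use '.' and str_repeat(), Perl '.' and 'x'; the detection logic is the same.
def concat_payload(rnd1, rnd2):
    """The strategy the thread found false-positive-prone: "a"+"b", then search for "ab"."""
    return '"%s"+"%s"' % (rnd1, rnd2), rnd1 + rnd2


def repeat_payload(rnd, times=5):
    """Repetition check: "rnd"*5 must come back as rnd repeated five times."""
    return '"%s"*%d' % (rnd, times), rnd * times


def sum_payload(n1, n2):
    """Arithmetic check: the sum of two random numbers cannot be produced by echoing input."""
    return "%d+%d" % (n1, n2), str(n1 + n2)


def delay_payload(seconds):
    """Time-based payload for sinks whose output is never reflected (blind detection)."""
    return "__import__('time').sleep(%s)" % seconds


# Constructed stand-ins for the two kinds of application discussed in the thread.
def vulnerable_app(param):
    """Evaluates the parameter: the code injection a scanner is supposed to find."""
    return "Result: %s" % eval(param)  # deliberately unsafe; this is the target behaviour


def echoing_app(param):
    """Strips everything but [a-zA-Z0-9_-] and echoes the rest inside an error page."""
    return "Error 404 %s" % re.sub(r"[^a-zA-Z0-9_-]", "", param)


def reflected(app, payload, expected):
    """True when the response body contains the value the payload should evaluate to."""
    return expected in app(payload)


def delayed(app, seconds=0.3):
    """True when the request takes at least `seconds`, i.e. the sleep payload ran."""
    start = time.monotonic()
    app(delay_payload(seconds))
    return time.monotonic() - start >= seconds


def compare_strategies(app, rnd1=None, rnd2=None, n1=None, n2=None):
    """Run every strategy against `app` and report which ones claim an injection.

    Tokens and numbers are random unless the caller fixes them for reproducibility.
    """
    rnd1 = rnd1 or random_token()
    rnd2 = rnd2 or random_token()
    n1 = n1 if n1 is not None else random.randint(10000, 99999)
    n2 = n2 if n2 is not None else random.randint(10000, 99999)
    return {
        "concat": reflected(app, *concat_payload(rnd1, rnd2)),
        "repeat": reflected(app, *repeat_payload(rnd1)),
        "sum": reflected(app, *sum_payload(n1, n2)),
        "delay": delayed(app),
    }


if __name__ == "__main__":
    for name, app in (("vulnerable_app", vulnerable_app), ("echoing_app", echoing_app)):
        print(name, compare_strategies(app))
```

Against `vulnerable_app` every strategy fires. Against `echoing_app` only `concat` fires: the quotes and `+` are stripped and `string1string2` comes back verbatim, which is exactly the false positive from the thread, while the repeated string, the sum and the delay cannot be produced by echoing the input. The delay check is the only one that needs no reflected output at all, which is why it works regardless of whether the framework uses print, echo, return or an append call.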