> Yes, agreed, but we can't add all of those payloads. That's why we
> have the ones that add delays, which should work "in all frameworks".
> What do you think about that?

I like the 2-way detection that is integrated in *nearly* every plugin:
- Time/Delay based
- Output based

The multithreading seems to be pretty cool as well. So, yes, I agree, but: what do you think about .acquire()ing and .release()ing a multiprocessing.Lock / threading.Lock before/after every time-based detection attempt? As you know, e.g. the SQLMap authors did a great job creating the time-based exploitation approach. However, if Thread A performs a BENCHMARK() query while Thread B performs a ;self.sleep(5) request, things may break / create false positives or false negatives.

Best,
Dan

> Daniel,
>
> On Sat, Mar 31, 2012 at 6:05 PM, Daniel Zulla
> <daniel.zu...@googlemail.com> wrote:
>> Hi,
>> I'll provide well-formatted patches in the future, thanks for the fix.
>> Yes. That works with Python and Perl. Verified it with a small
>> HTML::Template and Pyramid Lab.
>
> Great, thanks for the good news.
>
>> But in the real world, we won't win with echo/print. Maybe we should replace
>> "print "/"echo " by %s and provide several options:
>> - print
>> - echo
>> - return
>> - self.append
>> - self.push
>> - etc.
>
> Yes, agreed, but we can't add all of those payloads. That's why we
> have the ones that add delays, which should work "in all frameworks".
> What do you think about that?
>
>> Regards,
>> Dan
>>
>> On 28.03.2012 at 15:11, Andres Riancho wrote:
>>
>>> Daniel,
>>>
>>> On Tue, Mar 27, 2012 at 11:26 PM, Daniel Zulla
>>> <daniel.zu...@googlemail.com> wrote:
>>>> This patch *may* work. Untested.
>>>
>>> Applied the patch to the latest eval.py in our SVN, and tested using:
>>> * sudo python w3af_console -s scripts/script-eval.w3af
>>>
>>> This triggered various errors in the line where this was performed:
>>> print_strings = [pstr % (self._rnd1, self._rnd2)
>>> for pstr in self.PRINT_STRINGS]
>>>
>>> Since there are two %s which are not correctly formatted in the
>>> proposed payloads.
>>>
>>> Worked a little bit around the patch and finally applied what's
>>> attached. That works with PHP, could you verify if it works with Perl
>>> and/or Python?
>>>
>>> PS: Sadly, the patch wasn't in the correct format so I could apply it
>>> with "patch -p0 < eval.py.patch"
>>>
>>>>> Dan,
>>>>>
>>>>> On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla
>>>>> <daniel.zu...@googlemail.com> wrote:
>>>>>> Hi there,
>>>>>> The "string1"."string2" --> .match("string1string2") strategy of eval.py
>>>>>> turned out to produce false positives when the webapp strips out
>>>>>> everything but [a-zA-Z0-9_-].
>>>>>>
>>>>>> Instead of "Error 404 "string1"."string2", string1string2 will be
>>>>>> returned.
>>>>>> Why not implement it like this:
>>>>>>
>>>>>> Case 1) ."random_string"*5
>>>>>> Case 2) ."random_string"x5
>>>>>>
>>>>>> If the response content contains
>>>>>> "random_stringrandom_stringrandom_stringrandom_stringrandom_string" we
>>>>>> can be sure that it is not a false positive.
>>>>>>
>>>>>> What do you think?
>>>>>
>>>>> Sure! That's a good idea, I've been thinking about similar
>>>>> solutions to that problem too but never got to implement them. My two
>>>>> potential solutions were:
>>>>> - Do some math, maybe random_number+random_number and look for the
>>>>> result of that
>>>>> - String replacement, 'abcdef'.replace('bcd', '111') and search for
>>>>> a111ef
>>>>>
>>>>> Your idea is equally nice and valid; if I had to choose, I
>>>>> would choose the one that uses the least amount of "special characters"
>>>>> (like single quotes, quotes, parentheses, etc.) in the payload being
>>>>> sent, and the one that uses the fewest characters overall (as a measure
>>>>> to reduce complexity). By taking those into account I think that both
>>>>> the sum of two random numbers and the "string multiplication" are
>>>>> almost the same.
>>>>>
>>>>> Want to give it a try at the code and send a patch?
>>>>>
>>>>> Regards,
>>>>>
>>>>>> Best,
>>>>>> Dan
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Director of Web Security at Rapid7 LLC
>>>>> Founder at Bonsai Information Security
>>>>> Project Leader at w3af
>>>
>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af
>>> <eval.py.patch>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
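The false-positive problem Dan describes and the alternatives the thread proposes ("string multiplication" and the sum of two random numbers) can be compared side by side. The block below is an added illustration written for this thread; it is not w3af's eval.py, not the attached patch, and not either author's code. It assumes two constructed responders: `sanitizing_echo`, a web app that never evaluates anything and merely reflects the parameter after stripping everything but `[a-zA-Z0-9_-]`, and `evaluating_app`, a hand-written stand-in (a tiny matcher, not a real `eval()`) for an app that does execute the injected expression. The probe names (`concat_probe`, `repeat_probe`, `sum_probe`) and the sample values are assumptions made here. The point it shows is why the concatenation check matches the sanitized echo (a false positive) while the repetition and sum checks do not.

```python
import re

# Constructed responder 1 (assumption): an app that never evals. It strips
# everything outside [a-zA-Z0-9_-] and reflects what is left in an error page.
SANITIZER = re.compile(r"[^a-zA-Z0-9_-]")


def sanitizing_echo(param: str) -> str:
    return "Error 404: " + SANITIZER.sub("", param)


# Constructed responder 2 (assumption): a stand-in for an app that passes the
# parameter to eval()/string concatenation. Only the expression shapes used by
# the probes below are "executed", by explicit pattern matching; no real eval.
def evaluating_app(param: str) -> str:
    m = re.fullmatch(r'"([a-zA-Z0-9]+)"\."([a-zA-Z0-9]+)"', param)
    if m:                       # PHP-style "a"."b" concatenation
        return "Error 404: " + m.group(1) + m.group(2)
    m = re.fullmatch(r'\."([a-zA-Z0-9]+)"(\*|x)(\d+)', param)
    if m:                       # Python "s"*n / Perl "s"x n repetition
        return "Error 404: " + m.group(1) * int(m.group(3))
    m = re.fullmatch(r"(\d+)\+(\d+)", param)
    if m:                       # arithmetic on two random numbers
        return "Error 404: " + str(int(m.group(1)) + int(m.group(2)))
    return "Error 404: " + param


# Each probe returns (payload to send, substring expected only if evaluated).
def concat_probe(rnd1: str, rnd2: str):
    # The strategy the thread says false-positives: "string1"."string2"
    return f'"{rnd1}"."{rnd2}"', rnd1 + rnd2


def repeat_probe(rnd: str, operator: str = "*", times: int = 5):
    # Dan's proposal: ."random_string"*5 (Python) or ."random_string"x5 (Perl)
    return f'."{rnd}"{operator}{times}', rnd * times


def sum_probe(a: int, b: int):
    # Andres' alternative: random_number+random_number, look for the sum
    return f"{a}+{b}", str(a + b)


def detects(responder, payload: str, expected: str) -> bool:
    """The scanner-side check: does the response contain the expected text?"""
    return expected in responder(payload)


def run_comparison(rnd1="qwzx", rnd2="mnpl", a=4112, b=2231):
    """Run every probe against both responders; values are constructed samples.

    A True under sanitizing_echo is a false positive, since that app never
    evaluates anything. The sum probe stays clean here because the sanitizer
    turns "4112+2231" into "41122231", which does not contain "6343"; with
    other random numbers a coincidental substring match is still possible,
    which is one reason to prefer the repetition check.
    """
    probes = {
        "concat": concat_probe(rnd1, rnd2),
        "repeat_python": repeat_probe(rnd1, "*"),
        "repeat_perl": repeat_probe(rnd1, "x"),
        "sum": sum_probe(a, b),
    }
    results = {}
    for name, (payload, expected) in probes.items():
        results[name] = {
            "evaluating_app": detects(evaluating_app, payload, expected),
            "sanitizing_echo": detects(sanitizing_echo, payload, expected),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_comparison().items():
        print(f"{name:14s} evaluating_app={outcome['evaluating_app']!s:5s} "
              f"sanitizing_echo={outcome['sanitizing_echo']}")
```

Running it shows the concatenation probe flagged by both responders, i.e. a false positive on the sanitizing app, while the repetition and sum probes only fire against the app that actually evaluates the expression.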