w3af-develop — dev list for w3af

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

Dom,

    Lets do something, lets schedule it. I'm GMT-3 and during this
week I don't have any fixed appointments yet. If you tell me a
reasonable hour (given my timezone and that I work from 8:30 to
7:30pm) we can schedule a 2h block and join the #w3af channel on IRC
to work on the integer overflow stuff. So, when do you have 2h for
working on this?

Regards,

On Mon, Jul 29, 2013 at 9:32 AM, D M <vin...@gm...> wrote:
> Dom,
>
> I was planning on working on the host header plugin.  I did have a similar
> response from the mailing list, which is understandable see everyone is very
> busy.
>
> Maybe you and I can work on this further to get a better idea of how it will
> work?
>
>
> On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho <and...@gm...>
> wrote:
>>
>> Dom,
>>
>> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
>> <dom...@gm...> wrote:
>> > Hi,
>> >
>> > I have spend the 2 last week trying to understand how to detect and how
>> > to
>> > reproduce the integer overflow, unfortunately I wasn't able to fully
>> > understand both of them.
>>
>> I feel bad that I / we were unable to help you with that, sorry but
>> I'm focused on other things these days.
>>
>> > I will take another ticket: "HTTP Host header attacks - Audit plugin" if
>> > it's available ?
>>
>> Take a look at the mailing list thread we started a while ago about
>> that, maybe you can take it from there.
>>
>> > Dom
>> >
>> > --
>> > Cordialement, Best regards,
>> > Dominique Righetto
>> > dom...@gm...
>> > dom...@ow...
>> > Twitter: @righettod
>> > GPG: 0x323D19BA
>> > http://www.righettod.eu
>> > "No trees were killed to send this message, but a large number of
>> > electrons
>> > were terribly inconvenienced."
>> >
>> >
>> > On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho
>> > <and...@gm...>
>> > wrote:
>> >>
>> >> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>> >> <dom...@gm...> wrote:
>> >> > Hi Tomas,
>> >> >
>> >> > Thanks you very much.
>> >> >
>> >> > I try to understand the objective of each of the value in
>> >> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>> >> > "2147483647",
>> >> > "2147483648", "4294967295", "4294967296", "0000023456"].
>> >> >
>> >> > For values: 2147483647,2147483648,-2147483649,-2147483648
>> >> > I understand because it's a for testing around the limits of the
>> >> > Integer
>> >> > type but for other values I dont understand why they are used and
>> >> > from
>> >> > where
>> >> > they come from ?
>> >>
>> >> The most important part seems to be here [0]
>> >>
>> >> [0]
>> >>
>> >> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>> >>
>> >> > As I understand the vulnerability, according the all the stuff that I
>> >> > can
>> >> > read, is the fact below:
>> >> >
>> >> > A parameter has a Integer overflow vuln if, in the case in which you
>> >> > submit
>> >> > a value over the max/min limit of the Integer, it return a very small
>> >> > negative or positive value.
>> >> >
>> >> > Ex:
>> >> > You submit "2147483648" and the returned value is negative
>> >> > You submit "-2147483648" and the returned value is positive
>> >> >
>> >> > Can you confirm to me that's my understanding is correct ?
>> >>
>> >> I'm no good with these low level bugs, but my basic understanding of
>> >> the vuln makes me think that the best way to detect this vuln is:
>> >> * Send HTTP request with a test payload, lets say... 5 , save it
>> >> * Send HTTP request with a test for integer overflow, which if
>> >> successful would be the same as sending the number 5, (calculate that,
>> >> but it should be -(2^31-5) or something like that), save it
>> >> * Compare the two. If they are equal we're in a case where integer
>> >> overflow is present OR the input is not even used
>> >> * Send one more HTTP request with a number 8 (different from the
>> >> previous), compare with any of the previous ones. If it's different
>> >> then integer overflow is present.
>> >>
>> >> If you want to have lower false positives, after running through those
>> >> steps you could run one more test round, repeating step 1 and 2 with a
>> >> number different than 5.
>> >>
>> >> @Thomas: is this how you were doing it?
>> >>
>> >> > I apologize for all my questions but I really want to fully
>> >> > understand
>> >> > the
>> >> > context of the vulnerability in order to take in account all the
>> >> > cases
>> >> > into
>> >> > the plugin implementation and also learn new things.
>> >> >
>> >> > W3AF team is a very cool learning environment, I feel like a dwarf
>> >> > among
>> >> > giants ;o)))))
>> >> >
>> >> > Thanks in advance.
>> >> >
>> >> > Best regards,
>> >> >
>> >> > Dom
>> >> >
>> >> >
>> >> >
>> >> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >> >>
>> >> >> Hi Dominique,
>> >> >>
>> >> >> Months ago I code a poc of integer overflow, but it is unfinished.
>> >> >>
>> >> >> My code is based on skipfish detection:
>> >> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >> >>
>> >> >> Regards,
>> >> >>
>> >> >>
>> >> >>
>> >> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> >> >> <dom...@gm... <mailto:dom...@gm...>>
>> >> >> wrote:
>> >> >>
>> >> >> Hi Andres,
>> >> >>
>> >> >> I'm working on integer overflow detection plugin and I try to
>> >> >> understand, in a audit plugin, how to access to injection points
>> >> >> detected by in discovery part.
>> >> >>
>> >> >> Can you give me some pointer or plugin example ?
>> >> >>
>> >> >> Thanks in advance
>> >> >>
>> >> >> Dom
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> ------------------------------------------------------------------------------
>> >> >> See everything from the browser to the database with AppDynamics
>> >> >> Get end-to-end visibility with application monitoring from
>> >> >> AppDynamics
>> >> >> Isolate bottlenecks and diagnose root cause in seconds.
>> >> >> Start your free trial of AppDynamics Pro today!
>> >> >>
>> >> >>
>> >> >>
>> >> >> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> >> >> _______________________________________________
>> >> >> W3af-develop mailing list
>> >> >> W3a...@li...
>> >> >> <mailto:W3a...@li...>
>> >> >> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Andrés Riancho
>> >> Project Leader at w3af - http://w3af.org/
>> >> Web Application Attack and Audit Framework
>> >> Twitter: @w3af
>> >> GPG: 0x93C344F3
>> >
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[D M <vin...@gm...>]

Dom,


I was planning on working on the host header plugin.  I did have a similar response from the mailing list, which is understandable see everyone is very busy.


Maybe you and I can work on this further to get a better idea of how it will work?

On Mon, Jul 29, 2013 at 8:24 AM, Andres Riancho <and...@gm...>
wrote:

> Dom,
> On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
> <dom...@gm...> wrote:
>> Hi,
>>
>> I have spend the 2 last week trying to understand how to detect and how to
>> reproduce the integer overflow, unfortunately I wasn't able to fully
>> understand both of them.
> I feel bad that I / we were unable to help you with that, sorry but
> I'm focused on other things these days.
>> I will take another ticket: "HTTP Host header attacks - Audit plugin" if
>> it's available ?
> Take a look at the mailing list thread we started a while ago about
> that, maybe you can take it from there.
>> Dom
>>
>> --
>> Cordialement, Best regards,
>> Dominique Righetto
>> dom...@gm...
>> dom...@ow...
>> Twitter: @righettod
>> GPG: 0x323D19BA
>> http://www.righettod.eu
>> "No trees were killed to send this message, but a large number of electrons
>> were terribly inconvenienced."
>>
>>
>> On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <and...@gm...>
>> wrote:
>>>
>>> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>>> <dom...@gm...> wrote:
>>> > Hi Tomas,
>>> >
>>> > Thanks you very much.
>>> >
>>> > I try to understand the objective of each of the value in
>>> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>>> > "2147483647",
>>> > "2147483648", "4294967295", "4294967296", "0000023456"].
>>> >
>>> > For values: 2147483647,2147483648,-2147483649,-2147483648
>>> > I understand because it's a for testing around the limits of the Integer
>>> > type but for other values I dont understand why they are used and from
>>> > where
>>> > they come from ?
>>>
>>> The most important part seems to be here [0]
>>>
>>> [0]
>>> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>>>
>>> > As I understand the vulnerability, according the all the stuff that I
>>> > can
>>> > read, is the fact below:
>>> >
>>> > A parameter has a Integer overflow vuln if, in the case in which you
>>> > submit
>>> > a value over the max/min limit of the Integer, it return a very small
>>> > negative or positive value.
>>> >
>>> > Ex:
>>> > You submit "2147483648" and the returned value is negative
>>> > You submit "-2147483648" and the returned value is positive
>>> >
>>> > Can you confirm to me that's my understanding is correct ?
>>>
>>> I'm no good with these low level bugs, but my basic understanding of
>>> the vuln makes me think that the best way to detect this vuln is:
>>>     * Send HTTP request with a test payload, lets say... 5 , save it
>>>     * Send HTTP request with a test for integer overflow, which if
>>> successful would be the same as sending the number 5, (calculate that,
>>> but it should be -(2^31-5) or something like that), save it
>>>     * Compare the two. If they are equal we're in a case where integer
>>> overflow is present OR the input is not even used
>>>     * Send one more HTTP request with a number 8 (different from the
>>> previous), compare with any of the previous ones. If it's different
>>> then integer overflow is present.
>>>
>>> If you want to have lower false positives, after running through those
>>> steps you could run one more test round, repeating step 1 and 2 with a
>>> number different than 5.
>>>
>>> @Thomas: is this how you were doing it?
>>>
>>> > I apologize for all my questions but I really want to fully understand
>>> > the
>>> > context of the vulnerability in order to take in account all the cases
>>> > into
>>> > the plugin implementation and also learn new things.
>>> >
>>> > W3AF team is a very cool learning environment, I feel like a dwarf among
>>> > giants ;o)))))
>>> >
>>> > Thanks in advance.
>>> >
>>> > Best regards,
>>> >
>>> > Dom
>>> >
>>> >
>>> >
>>> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>>> >>
>>> >> Hi Dominique,
>>> >>
>>> >> Months ago I code a poc of integer overflow, but it is unfinished.
>>> >>
>>> >> My code is based on skipfish detection:
>>> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>>> >>
>>> >> Regards,
>>> >>
>>> >>
>>> >>
>>> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>>> >> <dom...@gm... <mailto:dom...@gm...>>
>>> >> wrote:
>>> >>
>>> >>     Hi Andres,
>>> >>
>>> >>     I'm working on integer overflow detection plugin and I try to
>>> >>     understand, in a audit plugin, how to access to injection points
>>> >>     detected by in discovery part.
>>> >>
>>> >>     Can you give me some pointer or plugin example ?
>>> >>
>>> >>     Thanks in advance
>>> >>
>>> >>     Dom
>>> >>
>>> >>
>>> >>
>>> >> ------------------------------------------------------------------------------
>>> >>     See everything from the browser to the database with AppDynamics
>>> >>     Get end-to-end visibility with application monitoring from
>>> >> AppDynamics
>>> >>     Isolate bottlenecks and diagnose root cause in seconds.
>>> >>     Start your free trial of AppDynamics Pro today!
>>> >>
>>> >>
>>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>>> >>     _______________________________________________
>>> >>     W3af-develop mailing list
>>> >>     W3a...@li...
>>> >>     <mailto:W3a...@li...>
>>> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
> -- 
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

Dom,

On Fri, Jul 26, 2013 at 4:41 PM, Dominique Righetto
<dom...@gm...> wrote:
> Hi,
>
> I have spend the 2 last week trying to understand how to detect and how to
> reproduce the integer overflow, unfortunately I wasn't able to fully
> understand both of them.

I feel bad that I / we were unable to help you with that, sorry but
I'm focused on other things these days.

> I will take another ticket: "HTTP Host header attacks - Audit plugin" if
> it's available ?

Take a look at the mailing list thread we started a while ago about
that, maybe you can take it from there.

> Dom
>
> --
> Cordialement, Best regards,
> Dominique Righetto
> dom...@gm...
> dom...@ow...
> Twitter: @righettod
> GPG: 0x323D19BA
> http://www.righettod.eu
> "No trees were killed to send this message, but a large number of electrons
> were terribly inconvenienced."
>
>
> On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <and...@gm...>
> wrote:
>>
>> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>> <dom...@gm...> wrote:
>> > Hi Tomas,
>> >
>> > Thanks you very much.
>> >
>> > I try to understand the objective of each of the value in
>> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>> > "2147483647",
>> > "2147483648", "4294967295", "4294967296", "0000023456"].
>> >
>> > For values: 2147483647,2147483648,-2147483649,-2147483648
>> > I understand because it's a for testing around the limits of the Integer
>> > type but for other values I dont understand why they are used and from
>> > where
>> > they come from ?
>>
>> The most important part seems to be here [0]
>>
>> [0]
>> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>>
>> > As I understand the vulnerability, according the all the stuff that I
>> > can
>> > read, is the fact below:
>> >
>> > A parameter has a Integer overflow vuln if, in the case in which you
>> > submit
>> > a value over the max/min limit of the Integer, it return a very small
>> > negative or positive value.
>> >
>> > Ex:
>> > You submit "2147483648" and the returned value is negative
>> > You submit "-2147483648" and the returned value is positive
>> >
>> > Can you confirm to me that's my understanding is correct ?
>>
>> I'm no good with these low level bugs, but my basic understanding of
>> the vuln makes me think that the best way to detect this vuln is:
>>     * Send HTTP request with a test payload, lets say... 5 , save it
>>     * Send HTTP request with a test for integer overflow, which if
>> successful would be the same as sending the number 5, (calculate that,
>> but it should be -(2^31-5) or something like that), save it
>>     * Compare the two. If they are equal we're in a case where integer
>> overflow is present OR the input is not even used
>>     * Send one more HTTP request with a number 8 (different from the
>> previous), compare with any of the previous ones. If it's different
>> then integer overflow is present.
>>
>> If you want to have lower false positives, after running through those
>> steps you could run one more test round, repeating step 1 and 2 with a
>> number different than 5.
>>
>> @Thomas: is this how you were doing it?
>>
>> > I apologize for all my questions but I really want to fully understand
>> > the
>> > context of the vulnerability in order to take in account all the cases
>> > into
>> > the plugin implementation and also learn new things.
>> >
>> > W3AF team is a very cool learning environment, I feel like a dwarf among
>> > giants ;o)))))
>> >
>> > Thanks in advance.
>> >
>> > Best regards,
>> >
>> > Dom
>> >
>> >
>> >
>> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >>
>> >> Hi Dominique,
>> >>
>> >> Months ago I code a poc of integer overflow, but it is unfinished.
>> >>
>> >> My code is based on skipfish detection:
>> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >>
>> >> Regards,
>> >>
>> >>
>> >>
>> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> >> <dom...@gm... <mailto:dom...@gm...>>
>> >> wrote:
>> >>
>> >>     Hi Andres,
>> >>
>> >>     I'm working on integer overflow detection plugin and I try to
>> >>     understand, in a audit plugin, how to access to injection points
>> >>     detected by in discovery part.
>> >>
>> >>     Can you give me some pointer or plugin example ?
>> >>
>> >>     Thanks in advance
>> >>
>> >>     Dom
>> >>
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >>     See everything from the browser to the database with AppDynamics
>> >>     Get end-to-end visibility with application monitoring from
>> >> AppDynamics
>> >>     Isolate bottlenecks and diagnose root cause in seconds.
>> >>     Start your free trial of AppDynamics Pro today!
>> >>
>> >>
>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> >>     _______________________________________________
>> >>     W3af-develop mailing list
>> >>     W3a...@li...
>> >>     <mailto:W3a...@li...>
>> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[Dominique R. <dom...@gm...>]

Hi,

I have spend the 2 last week trying to understand how to detect and how to
reproduce the integer overflow, unfortunately I wasn't able to fully
understand both of them.

I will take another ticket: "HTTP Host header attacks - Audit plugin" if
it's available ?

Dom

--
Cordialement, Best regards,
Dominique Righetto
dom...@gm...
dom...@ow...
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced."


On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <and...@gm...>wrote:

> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
> <dom...@gm...> wrote:
> > Hi Tomas,
> >
> > Thanks you very much.
> >
> > I try to understand the objective of each of the value in
> > ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
> > "2147483648", "4294967295", "4294967296", "0000023456"].
> >
> > For values: 2147483647,2147483648,-2147483649,-2147483648
> > I understand because it's a for testing around the limits of the Integer
> > type but for other values I dont understand why they are used and from
> where
> > they come from ?
>
> The most important part seems to be here [0]
>
> [0]
> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>
> > As I understand the vulnerability, according the all the stuff that I can
> > read, is the fact below:
> >
> > A parameter has a Integer overflow vuln if, in the case in which you
> submit
> > a value over the max/min limit of the Integer, it return a very small
> > negative or positive value.
> >
> > Ex:
> > You submit "2147483648" and the returned value is negative
> > You submit "-2147483648" and the returned value is positive
> >
> > Can you confirm to me that's my understanding is correct ?
>
> I'm no good with these low level bugs, but my basic understanding of
> the vuln makes me think that the best way to detect this vuln is:
>     * Send HTTP request with a test payload, lets say... 5 , save it
>     * Send HTTP request with a test for integer overflow, which if
> successful would be the same as sending the number 5, (calculate that,
> but it should be -(2^31-5) or something like that), save it
>     * Compare the two. If they are equal we're in a case where integer
> overflow is present OR the input is not even used
>     * Send one more HTTP request with a number 8 (different from the
> previous), compare with any of the previous ones. If it's different
> then integer overflow is present.
>
> If you want to have lower false positives, after running through those
> steps you could run one more test round, repeating step 1 and 2 with a
> number different than 5.
>
> @Thomas: is this how you were doing it?
>
> > I apologize for all my questions but I really want to fully understand
> the
> > context of the vulnerability in order to take in account all the cases
> into
> > the plugin implementation and also learn new things.
> >
> > W3AF team is a very cool learning environment, I feel like a dwarf among
> > giants ;o)))))
> >
> > Thanks in advance.
> >
> > Best regards,
> >
> > Dom
> >
> >
> >
> > On 13/07/2013 15:48, Tomas Velazquez wrote:
> >>
> >> Hi Dominique,
> >>
> >> Months ago I code a poc of integer overflow, but it is unfinished.
> >>
> >> My code is based on skipfish detection:
> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
> >>
> >> Regards,
> >>
> >>
> >>
> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> >> <dom...@gm... <mailto:dom...@gm...>>
> >> wrote:
> >>
> >>     Hi Andres,
> >>
> >>     I'm working on integer overflow detection plugin and I try to
> >>     understand, in a audit plugin, how to access to injection points
> >>     detected by in discovery part.
> >>
> >>     Can you give me some pointer or plugin example ?
> >>
> >>     Thanks in advance
> >>
> >>     Dom
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >>     See everything from the browser to the database with AppDynamics
> >>     Get end-to-end visibility with application monitoring from
> AppDynamics
> >>     Isolate bottlenecks and diagnose root cause in seconds.
> >>     Start your free trial of AppDynamics Pro today!
> >>
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >>     _______________________________________________
> >>     W3af-develop mailing list
> >>     W3a...@li...
> >>     <mailto:W3a...@li...>
> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>
> >>
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>

Re: [W3af-develop] Regarding the w3af permission problem

[Andres R. <and...@gm...>]

Saleem,

On Wed, Jul 17, 2013 at 1:12 AM, saleem <asa...@cd...> wrote:
> Hi all ,
>
> Is there any mechanism in w3af by which we can generate XML file from the
> generated text file .

Nope

>
> On Tuesday 02 July 2013 02:20 PM, saleem wrote:
>>
>> any solution for the XML generation problem ???
>>
>> On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
>>>
>>> I would disable the XML output plugin, enable the text plugin with
>>> debug, run the scan and analyze the output
>>>
>>> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
>>> <lau...@al...> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've got the same error, with the same id "36".
>>>>
>>>> Additionnaly : when an error occur during the crawling phase (for
>>>> example if
>>>> target is unreachable), w3af stops immediately without running audit
>>>> phase,
>>>> and XML is properly generated.
>>>>
>>>> So I'm perhaps suspecting one of the audit plugins...
>>>>
>>>>
>>>>
>>>> 2013/6/26 saleem <asa...@cd...>
>>>>>
>>>>> when i tried see store the output of w3af to a variable , i have seen a
>>>>> error like  ---
>>>>>
>>>>> An internal error occurred while searching for id "36", even after
>>>>> commit/retry Liked it
>>>>>
>>>>>
>>>>> what is the possibility of getting this error ??
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>>>>
>>>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>>>> writable by the www-data user.
>>>>>>
>>>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>>>>
>>>>>>> as i have written earlier , same code i am using but this time i am
>>>>>>> trying
>>>>>>> to generate the XML output file .
>>>>>>>
>>>>>>> this is my w3af script :
>>>>>>>
>>>>>>> http-settings
>>>>>>> set timeout 60
>>>>>>> back
>>>>>>> plugins
>>>>>>> crawl web_spider
>>>>>>> crawl config web_spider
>>>>>>> set only_forward False
>>>>>>> set follow_regex .*
>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>> back
>>>>>>> audit blind_sqli
>>>>>>> back
>>>>>>> output xml_file
>>>>>>> output config xml_file
>>>>>>> set output_file
>>>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>>>> back
>>>>>>> back
>>>>>>> target
>>>>>>> set target <url>
>>>>>>> back
>>>>>>> start
>>>>>>> exit
>>>>>>>
>>>>>>>
>>>>>>> and this is my php script :
>>>>>>> <?
>>>>>>>
>>>>>>> $w3af_script="22222.w3af";
>>>>>>>
>>>>>>> echo "Start of code ::*****";
>>>>>>>
>>>>>>> if(is_readable($w3af_script))
>>>>>>>       {
>>>>>>>
>>>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>>>
>>>>>>>           `python w3af_console -s $w3af_script`;
>>>>>>>
>>>>>>>       }
>>>>>>>
>>>>>>>
>>>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>>>
>>>>>>> {
>>>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>
>>>>>>> }
>>>>>>> else
>>>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>>>
>>>>>>>
>>>>>>> ?>
>>>>>>>
>>>>>>>
>>>>>>> so when i run this as root user it is generating the xml file and if
>>>>>>> same i
>>>>>>> run as www-data user i am unable to get the output xml file .
>>>>>>>
>>>>>>> please guide me in setting right permissions so that i can get XML as
>>>>>>> output
>>>>>>> file .
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>>>>
>>>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Thank u andrews for guiding me .
>>>>>>>>>
>>>>>>>>> i am facing a small problem ,i.e i am unable to generate the XML
>>>>>>>>> file
>>>>>>>>> from
>>>>>>>>> the browser is there any dependency for that ?
>>>>>>>>>
>>>>>>>>> if i run the same from terminal i am able to generate the XML file
>>>>>>>>> ,
>>>>>>>>> i
>>>>>>>>> am
>>>>>>>>> using mozilla browser .
>>>>>>>>
>>>>>>>> The browser has nothing to do with all this. In any case it's PHP
>>>>>>>> and
>>>>>>>> the way you call w3af from it.
>>>>>>>>
>>>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>>>>
>>>>>>>>>> Saleem,
>>>>>>>>>>
>>>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>>>
>>>>>>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>>>>>>
>>>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>>>> generated
>>>>>>>>>>> .
>>>>>>>>>>>
>>>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>>>> 'Inappropriate
>>>>>>>>>>> ioctl for device')
>>>>>>>>>>
>>>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>>>> continues
>>>>>>>>>> to work, and you only get it when w3af is run "without a
>>>>>>>>>> terminal".
>>>>>>>>>>
>>>>>>>>>> How did you fix your original error?
>>>>>>>>>>
>>>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>>>> user
>>>>>>>>>>>>> in
>>>>>>>>>>>>> the
>>>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>>>
>>>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>>>> output
>>>>>>>>>>>>> files
>>>>>>>>>>>>> .
>>>>>>>>>>>>
>>>>>>>>>>>> Can be because of other things, like the www-data user not
>>>>>>>>>>>> having
>>>>>>>>>>>> an
>>>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>>>
>>>>>>>>>>>> Try this:
>>>>>>>>>>>>
>>>>>>>>>>>> sudo -s -H
>>>>>>>>>>>> <enter your root password>
>>>>>>>>>>>> su www-data
>>>>>>>>>>>> cd to-python-install
>>>>>>>>>>>> python w3af_console ...
>>>>>>>>>>>>
>>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>>> command?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>>>> still it is not working.
>>>>>>>>>>>>>
>>>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>>>
>>>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>>>> http-settings
>>>>>>>>>>>>> set timeout 60
>>>>>>>>>>>>> back
>>>>>>>>>>>>> plugins
>>>>>>>>>>>>> crawl web_spider
>>>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>>>> set only_forward False
>>>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>>>> back
>>>>>>>>>>>>> output text_file
>>>>>>>>>>>>> output config text_file
>>>>>>>>>>>>> set output_file
>>>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>>>> set verbose False
>>>>>>>>>>>>> back
>>>>>>>>>>>>> back
>>>>>>>>>>>>> target
>>>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>>>> back
>>>>>>>>>>>>> start
>>>>>>>>>>>>> exit
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>>>
>>>>>>>>>>>>> <?
>>>>>>>>>>>>>
>>>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>>>
>>>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>>>          {
>>>>>>>>>>>>>
>>>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>>>> terminal";
>>>>>>>>>>>>>
>>>>>>>>>>>>>              `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>>>
>>>>>>>>>>>>>          }
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>>>>>>> {
>>>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>>>
>>>>>>>>>>>>> }
>>>>>>>>>>>>> else
>>>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> now problem is , i am not getting the file generated if i run
>>>>>>>>>>>>> the
>>>>>>>>>>>>> code
>>>>>>>>>>>>> from
>>>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>>>
>>>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>>>>>>>>>>>>>>> was
>>>>>>>>>>>>>>> working
>>>>>>>>>>>>>>> fine
>>>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm
>>>>>>>>>>>>>> unsure
>>>>>>>>>>>>>> about
>>>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which
>>>>>>>>>>>>>> allows
>>>>>>>>>>>>>> you
>>>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> now i have given permission to that php script as  well as
>>>>>>>>>>>>>>> w3af
>>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>>> using
>>>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> problem is when i am executing it in terminal i am getting
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>> i.e
>>>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>>>> command?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>>>> to execute that script through browser , but i am not
>>>>>>>>>>>>>>>>> getting
>>>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not just
>>>>>>>>>>>>>>>> you
>>>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than
>>>>>>>>>>>>>>>> glad
>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>> help
>>>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended
>>>>>>>>>>>>>>>>> recipient(s)
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply
>>>>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized
>>>>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>> and
>>>>>>>>>>>>> may
>>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>>> the
>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>> and
>>>>>>>>>>>>> destroy
>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>> use,
>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>> this
>>>>>>>>>>>>> email
>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>> may
>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>> the
>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>> destroy
>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>> use,
>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>> this
>>>>>>>>>>> email
>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>> taken.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Andrés Riancho
>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>> Twitter: @w3af
>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>> may
>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>> destroy
>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>> email
>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Andrés Riancho
>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>> Twitter: @w3af
>>>>>>>> GPG: 0x93C344F3
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>> destroy
>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>> email
>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>> contain confidential and privileged information. If you are not the
>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>> destroy
>>>>> all copies and the original message. Any unauthorized review, use,
>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>> email
>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> This SF.net email is sponsored by Windows:
>>>>>
>>>>> Build for Windows Store.
>>>>>
>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>> _______________________________________________
>>>>> W3af-develop mailing list
>>>>> W3a...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>
>>>>
>>>
>>>
>>
>
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> This e-mail is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies and the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> is strictly prohibited and appropriate legal action will be taken.
> -------------------------------------------------------------------------------------------------------------------------------
>



--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

Hi all ,

Is there any mechanism in w3af by which we can generate XML file from 
the generated text file .

On Tuesday 02 July 2013 02:20 PM, saleem wrote:
> any solution for the XML generation problem ???
>
> On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
>> I would disable the XML output plugin, enable the text plugin with
>> debug, run the scan and analyze the output
>>
>> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
>> <lau...@al...> wrote:
>>> Hi,
>>>
>>> I've got the same error, with the same id "36".
>>>
>>> Additionnaly : when an error occur during the crawling phase (for 
>>> example if
>>> target is unreachable), w3af stops immediately without running audit 
>>> phase,
>>> and XML is properly generated.
>>>
>>> So I'm perhaps suspecting one of the audit plugins...
>>>
>>>
>>>
>>> 2013/6/26 saleem <asa...@cd...>
>>>> when i tried see store the output of w3af to a variable , i have 
>>>> seen a
>>>> error like  ---
>>>>
>>>> An internal error occurred while searching for id "36", even after
>>>> commit/retry Liked it
>>>>
>>>>
>>>> what is the possibility of getting this error ??
>>>>
>>>>
>>>>
>>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>>> writable by the www-data user.
>>>>>
>>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>>> as i have written earlier , same code i am using but this time i am
>>>>>> trying
>>>>>> to generate the XML output file .
>>>>>>
>>>>>> this is my w3af script :
>>>>>>
>>>>>> http-settings
>>>>>> set timeout 60
>>>>>> back
>>>>>> plugins
>>>>>> crawl web_spider
>>>>>> crawl config web_spider
>>>>>> set only_forward False
>>>>>> set follow_regex .*
>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>> back
>>>>>> audit blind_sqli
>>>>>> back
>>>>>> output xml_file
>>>>>> output config xml_file
>>>>>> set output_file
>>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>>> back
>>>>>> back
>>>>>> target
>>>>>> set target <url>
>>>>>> back
>>>>>> start
>>>>>> exit
>>>>>>
>>>>>>
>>>>>> and this is my php script :
>>>>>> <?
>>>>>>
>>>>>> $w3af_script="22222.w3af";
>>>>>>
>>>>>> echo "Start of code ::*****";
>>>>>>
>>>>>> if(is_readable($w3af_script))
>>>>>>       {
>>>>>>
>>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>>
>>>>>>           `python w3af_console -s $w3af_script`;
>>>>>>
>>>>>>       }
>>>>>>
>>>>>>
>>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>>
>>>>>> {
>>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>
>>>>>> }
>>>>>> else
>>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>>
>>>>>>
>>>>>> ?>
>>>>>>
>>>>>>
>>>>>> so when i run this as root user it is generating the xml file and if
>>>>>> same i
>>>>>> run as www-data user i am unable to get the output xml file .
>>>>>>
>>>>>> please guide me in setting right permissions so that i can get 
>>>>>> XML as
>>>>>> output
>>>>>> file .
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> 
>>>>>>> wrote:
>>>>>>>> Thank u andrews for guiding me .
>>>>>>>>
>>>>>>>> i am facing a small problem ,i.e i am unable to generate the 
>>>>>>>> XML file
>>>>>>>> from
>>>>>>>> the browser is there any dependency for that ?
>>>>>>>>
>>>>>>>> if i run the same from terminal i am able to generate the XML 
>>>>>>>> file ,
>>>>>>>> i
>>>>>>>> am
>>>>>>>> using mozilla browser .
>>>>>>> The browser has nothing to do with all this. In any case it's 
>>>>>>> PHP and
>>>>>>> the way you call w3af from it.
>>>>>>>
>>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>>
>>>>>>>>>> now i am able to generate file , but i have having small 
>>>>>>>>>> problem,
>>>>>>>>>>
>>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>>> generated
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>>> 'Inappropriate
>>>>>>>>>> ioctl for device')
>>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>>> continues
>>>>>>>>> to work, and you only get it when w3af is run "without a 
>>>>>>>>> terminal".
>>>>>>>>>
>>>>>>>>> How did you fix your original error?
>>>>>>>>>
>>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>>> user
>>>>>>>>>>>> in
>>>>>>>>>>>> the
>>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>>
>>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>>> output
>>>>>>>>>>>> files
>>>>>>>>>>>> .
>>>>>>>>>>> Can be because of other things, like the www-data user not 
>>>>>>>>>>> having
>>>>>>>>>>> an
>>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>>
>>>>>>>>>>> Try this:
>>>>>>>>>>>
>>>>>>>>>>> sudo -s -H
>>>>>>>>>>> <enter your root password>
>>>>>>>>>>> su www-data
>>>>>>>>>>> cd to-python-install
>>>>>>>>>>> python w3af_console ...
>>>>>>>>>>>
>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>> command?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>>> still it is not working.
>>>>>>>>>>>>
>>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>>
>>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>>> http-settings
>>>>>>>>>>>> set timeout 60
>>>>>>>>>>>> back
>>>>>>>>>>>> plugins
>>>>>>>>>>>> crawl web_spider
>>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>>> set only_forward False
>>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>>> back
>>>>>>>>>>>> output text_file
>>>>>>>>>>>> output config text_file
>>>>>>>>>>>> set output_file
>>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>>> set verbose False
>>>>>>>>>>>> back
>>>>>>>>>>>> back
>>>>>>>>>>>> target
>>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>>> back
>>>>>>>>>>>> start
>>>>>>>>>>>> exit
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>>
>>>>>>>>>>>> <?
>>>>>>>>>>>>
>>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>>          {
>>>>>>>>>>>>
>>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>>> terminal";
>>>>>>>>>>>>
>>>>>>>>>>>>              `python 
>>>>>>>>>>>> /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>>
>>>>>>>>>>>>          }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt")) 
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>>
>>>>>>>>>>>> }
>>>>>>>>>>>> else
>>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ?>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> now problem is , i am not getting the file generated if i 
>>>>>>>>>>>> run the
>>>>>>>>>>>> code
>>>>>>>>>>>> from
>>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>>
>>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem 
>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my 
>>>>>>>>>>>>>> script
>>>>>>>>>>>>>> was
>>>>>>>>>>>>>> working
>>>>>>>>>>>>>> fine
>>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm 
>>>>>>>>>>>>> unsure
>>>>>>>>>>>>> about
>>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which 
>>>>>>>>>>>>> allows
>>>>>>>>>>>>> you
>>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> now i have given permission to that php script as  well 
>>>>>>>>>>>>>> as w3af
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> using
>>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> problem is when i am executing it in terminal i am 
>>>>>>>>>>>>>> getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> if
>>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> i.e
>>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>>> command?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>>> to execute that script through browser , but i am not 
>>>>>>>>>>>>>>>> getting
>>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not 
>>>>>>>>>>>>>>> just you
>>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than 
>>>>>>>>>>>>>>> glad
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> help
>>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended 
>>>>>>>>>>>>>>>> recipient(s)
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>>> contain confidential and privileged information. If you 
>>>>>>>>>>>>>>>> are
>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized 
>>>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or 
>>>>>>>>>>>>>>>> copying of
>>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action 
>>>>>>>>>>>>>>>> will be
>>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------ 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> may
>>>>>>>>>>>>>> contain confidential and privileged information. If you 
>>>>>>>>>>>>>> are not
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>> all copies and the original message. Any unauthorized 
>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or 
>>>>>>>>>>>>>> copying of
>>>>>>>>>>>>>> this
>>>>>>>>>>>>>> email
>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended 
>>>>>>>>>>>> recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are 
>>>>>>>>>>>> not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>> e-mail and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are 
>>>>>>>>>> not the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail 
>>>>>>>>>> and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, 
>>>>>>>>>> use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of 
>>>>>>>>>> this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be 
>>>>>>>>>> taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) 
>>>>>>>> and may
>>>>>>>> contain confidential and privileged information. If you are not 
>>>>>>>> the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>
>>>>>>>>
>>>>>>> -- 
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and 
>>>> destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this 
>>>> email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------ 
>>>>
>>>> This SF.net email is sponsored by Windows:
>>>>
>>>> Build for Windows Store.
>>>>
>>>> http://p.sf.net/sfu/windows-dev2dev
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3a...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>
>>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

And if Tomas shares his code, that would be nice too :D

On Mon, Jul 15, 2013 at 11:49 AM, Dominique Righetto
<dom...@gm...> wrote:
> Hi,
>
> Thanks you. I will use your feedback to understand and find the
> vulnerability detection methods.
>
> Best regards,
> Dom
>
> --
> Cordialement, Best regards,
> Dominique Righetto
> dom...@gm...
> dom...@ow...
> Twitter: @righettod
> GPG: 0x323D19BA
> http://www.righettod.eu
> "No trees were killed to send this message, but a large number of electrons
> were terribly inconvenienced."
>
>
> On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <and...@gm...>
> wrote:
>>
>> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
>> <dom...@gm...> wrote:
>> > Hi Tomas,
>> >
>> > Thanks you very much.
>> >
>> > I try to understand the objective of each of the value in
>> > ["-0000012345", "-2147483649", "-2147483648", "0000012345",
>> > "2147483647",
>> > "2147483648", "4294967295", "4294967296", "0000023456"].
>> >
>> > For values: 2147483647,2147483648,-2147483649,-2147483648
>> > I understand because it's a for testing around the limits of the Integer
>> > type but for other values I dont understand why they are used and from
>> > where
>> > they come from ?
>>
>> The most important part seems to be here [0]
>>
>> [0]
>> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>>
>> > As I understand the vulnerability, according the all the stuff that I
>> > can
>> > read, is the fact below:
>> >
>> > A parameter has a Integer overflow vuln if, in the case in which you
>> > submit
>> > a value over the max/min limit of the Integer, it return a very small
>> > negative or positive value.
>> >
>> > Ex:
>> > You submit "2147483648" and the returned value is negative
>> > You submit "-2147483648" and the returned value is positive
>> >
>> > Can you confirm to me that's my understanding is correct ?
>>
>> I'm no good with these low level bugs, but my basic understanding of
>> the vuln makes me think that the best way to detect this vuln is:
>>     * Send HTTP request with a test payload, lets say... 5 , save it
>>     * Send HTTP request with a test for integer overflow, which if
>> successful would be the same as sending the number 5, (calculate that,
>> but it should be -(2^31-5) or something like that), save it
>>     * Compare the two. If they are equal we're in a case where integer
>> overflow is present OR the input is not even used
>>     * Send one more HTTP request with a number 8 (different from the
>> previous), compare with any of the previous ones. If it's different
>> then integer overflow is present.
>>
>> If you want to have lower false positives, after running through those
>> steps you could run one more test round, repeating step 1 and 2 with a
>> number different than 5.
>>
>> @Thomas: is this how you were doing it?
>>
>> > I apologize for all my questions but I really want to fully understand
>> > the
>> > context of the vulnerability in order to take in account all the cases
>> > into
>> > the plugin implementation and also learn new things.
>> >
>> > W3AF team is a very cool learning environment, I feel like a dwarf among
>> > giants ;o)))))
>> >
>> > Thanks in advance.
>> >
>> > Best regards,
>> >
>> > Dom
>> >
>> >
>> >
>> > On 13/07/2013 15:48, Tomas Velazquez wrote:
>> >>
>> >> Hi Dominique,
>> >>
>> >> Months ago I code a poc of integer overflow, but it is unfinished.
>> >>
>> >> My code is based on skipfish detection:
>> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>> >>
>> >> Regards,
>> >>
>> >>
>> >>
>> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> >> <dom...@gm... <mailto:dom...@gm...>>
>> >> wrote:
>> >>
>> >>     Hi Andres,
>> >>
>> >>     I'm working on integer overflow detection plugin and I try to
>> >>     understand, in a audit plugin, how to access to injection points
>> >>     detected by in discovery part.
>> >>
>> >>     Can you give me some pointer or plugin example ?
>> >>
>> >>     Thanks in advance
>> >>
>> >>     Dom
>> >>
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >>     See everything from the browser to the database with AppDynamics
>> >>     Get end-to-end visibility with application monitoring from
>> >> AppDynamics
>> >>     Isolate bottlenecks and diagnose root cause in seconds.
>> >>     Start your free trial of AppDynamics Pro today!
>> >>
>> >>
>> >> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> >>     _______________________________________________
>> >>     W3af-develop mailing list
>> >>     W3a...@li...
>> >>     <mailto:W3a...@li...>
>> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[Dominique R. <dom...@gm...>]

Hi,

Thanks you. I will use your feedback to understand and find the
vulnerability detection methods.

Best regards,
Dom

--
Cordialement, Best regards,
Dominique Righetto
dom...@gm...
dom...@ow...
Twitter: @righettod
GPG: 0x323D19BA
http://www.righettod.eu
"No trees were killed to send this message, but a large number of electrons
were terribly inconvenienced."


On Mon, Jul 15, 2013 at 1:54 PM, Andres Riancho <and...@gm...>wrote:

> On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
> <dom...@gm...> wrote:
> > Hi Tomas,
> >
> > Thanks you very much.
> >
> > I try to understand the objective of each of the value in
> > ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
> > "2147483648", "4294967295", "4294967296", "0000023456"].
> >
> > For values: 2147483647,2147483648,-2147483649,-2147483648
> > I understand because it's a for testing around the limits of the Integer
> > type but for other values I dont understand why they are used and from
> where
> > they come from ?
>
> The most important part seems to be here [0]
>
> [0]
> https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872
>
> > As I understand the vulnerability, according the all the stuff that I can
> > read, is the fact below:
> >
> > A parameter has a Integer overflow vuln if, in the case in which you
> submit
> > a value over the max/min limit of the Integer, it return a very small
> > negative or positive value.
> >
> > Ex:
> > You submit "2147483648" and the returned value is negative
> > You submit "-2147483648" and the returned value is positive
> >
> > Can you confirm to me that's my understanding is correct ?
>
> I'm no good with these low level bugs, but my basic understanding of
> the vuln makes me think that the best way to detect this vuln is:
>     * Send HTTP request with a test payload, lets say... 5 , save it
>     * Send HTTP request with a test for integer overflow, which if
> successful would be the same as sending the number 5, (calculate that,
> but it should be -(2^31-5) or something like that), save it
>     * Compare the two. If they are equal we're in a case where integer
> overflow is present OR the input is not even used
>     * Send one more HTTP request with a number 8 (different from the
> previous), compare with any of the previous ones. If it's different
> then integer overflow is present.
>
> If you want to have lower false positives, after running through those
> steps you could run one more test round, repeating step 1 and 2 with a
> number different than 5.
>
> @Thomas: is this how you were doing it?
>
> > I apologize for all my questions but I really want to fully understand
> the
> > context of the vulnerability in order to take in account all the cases
> into
> > the plugin implementation and also learn new things.
> >
> > W3AF team is a very cool learning environment, I feel like a dwarf among
> > giants ;o)))))
> >
> > Thanks in advance.
> >
> > Best regards,
> >
> > Dom
> >
> >
> >
> > On 13/07/2013 15:48, Tomas Velazquez wrote:
> >>
> >> Hi Dominique,
> >>
> >> Months ago I code a poc of integer overflow, but it is unfinished.
> >>
> >> My code is based on skipfish detection:
> >> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
> >>
> >> Regards,
> >>
> >>
> >>
> >> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> >> <dom...@gm... <mailto:dom...@gm...>>
> >> wrote:
> >>
> >>     Hi Andres,
> >>
> >>     I'm working on integer overflow detection plugin and I try to
> >>     understand, in a audit plugin, how to access to injection points
> >>     detected by in discovery part.
> >>
> >>     Can you give me some pointer or plugin example ?
> >>
> >>     Thanks in advance
> >>
> >>     Dom
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >>     See everything from the browser to the database with AppDynamics
> >>     Get end-to-end visibility with application monitoring from
> AppDynamics
> >>     Isolate bottlenecks and diagnose root cause in seconds.
> >>     Start your free trial of AppDynamics Pro today!
> >>
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >>     _______________________________________________
> >>     W3af-develop mailing list
> >>     W3a...@li...
> >>     <mailto:W3a...@li...>
> >>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>
> >>
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

On Sun, Jul 14, 2013 at 4:49 AM, Dominique RIGHETTO
<dom...@gm...> wrote:
> Hi Tomas,
>
> Thanks you very much.
>
> I try to understand the objective of each of the value in
> ["-0000012345", "-2147483649", "-2147483648", "0000012345", "2147483647",
> "2147483648", "4294967295", "4294967296", "0000023456"].
>
> For values: 2147483647,2147483648,-2147483649,-2147483648
> I understand because it's a for testing around the limits of the Integer
> type but for other values I dont understand why they are used and from where
> they come from ?

The most important part seems to be here [0]

[0] https://code.google.com/p/skipfish/source/browse/trunk/src/checks.c#1872

> As I understand the vulnerability, according the all the stuff that I can
> read, is the fact below:
>
> A parameter has a Integer overflow vuln if, in the case in which you submit
> a value over the max/min limit of the Integer, it return a very small
> negative or positive value.
>
> Ex:
> You submit "2147483648" and the returned value is negative
> You submit "-2147483648" and the returned value is positive
>
> Can you confirm to me that's my understanding is correct ?

I'm no good with these low level bugs, but my basic understanding of
the vuln makes me think that the best way to detect this vuln is:
    * Send HTTP request with a test payload, lets say... 5 , save it
    * Send HTTP request with a test for integer overflow, which if
successful would be the same as sending the number 5, (calculate that,
but it should be -(2^31-5) or something like that), save it
    * Compare the two. If they are equal we're in a case where integer
overflow is present OR the input is not even used
    * Send one more HTTP request with a number 8 (different from the
previous), compare with any of the previous ones. If it's different
then integer overflow is present.

If you want to have lower false positives, after running through those
steps you could run one more test round, repeating step 1 and 2 with a
number different than 5.

@Thomas: is this how you were doing it?

> I apologize for all my questions but I really want to fully understand the
> context of the vulnerability in order to take in account all the cases into
> the plugin implementation and also learn new things.
>
> W3AF team is a very cool learning environment, I feel like a dwarf among
> giants ;o)))))
>
> Thanks in advance.
>
> Best regards,
>
> Dom
>
>
>
> On 13/07/2013 15:48, Tomas Velazquez wrote:
>>
>> Hi Dominique,
>>
>> Months ago I code a poc of integer overflow, but it is unfinished.
>>
>> My code is based on skipfish detection:
>> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>>
>> Regards,
>>
>>
>>
>> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
>> <dom...@gm... <mailto:dom...@gm...>>
>> wrote:
>>
>>     Hi Andres,
>>
>>     I'm working on integer overflow detection plugin and I try to
>>     understand, in a audit plugin, how to access to injection points
>>     detected by in discovery part.
>>
>>     Can you give me some pointer or plugin example ?
>>
>>     Thanks in advance
>>
>>     Dom
>>
>>
>> ------------------------------------------------------------------------------
>>     See everything from the browser to the database with AppDynamics
>>     Get end-to-end visibility with application monitoring from AppDynamics
>>     Isolate bottlenecks and diagnose root cause in seconds.
>>     Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>>     _______________________________________________
>>     W3af-develop mailing list
>>     W3a...@li...
>>     <mailto:W3a...@li...>
>>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>>
>



--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

On Sat, Jul 13, 2013 at 10:48 AM, Tomas Velazquez
<tom...@gm...> wrote:
> Hi Dominique,
>
> Months ago I code a poc of integer overflow, but it is unfinished.

Well, then you guys should work together on it :)

> My code is based on skipfish detection:
> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>
> Regards,
>
>
>
> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> <dom...@gm...> wrote:
>>
>> Hi Andres,
>>
>> I'm working on integer overflow detection plugin and I try to understand,
>> in a audit plugin, how to access to injection points detected by in
>> discovery part.
>>
>> Can you give me some pointer or plugin example ?
>>
>> Thanks in advance
>>
>> Dom
>>
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>



--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[Andres R. <and...@gm...>]

The xss [0] plugin is a good example for what you're trying to
achieve. The interesting parts are:

    fake_mutants = create_mutants(freq, ['',])

Where you create mutants (modified http requests) based on a fuzzable
request (which is the result of the crawling phase) with a "fake"
value of an empty string. And

    trivial_mutant = mutant.copy()
    trivial_mutant.set_mod_value(payload)

Where you take the mutant, copy it, and finally set a real payload in
it to replace the empty string. To take that to real life, it would
be:

    1- Crawl detects http://foo.com/?id=1   , the fuzzable request
    2- After create mutants you have something like detects http://foo.com/?id=
    3- After setting the payload you have http://foo.com/?id=<script...

In your case you'll want to use this technique instead of the one
you'll see in sqli.py , because detecting integer overflows requires
you to send a series of payloads to the same input.

[0] https://github.com/andresriancho/w3af/blob/master/plugins/audit/xss.py

On Sat, Jul 13, 2013 at 5:09 AM, Dominique Righetto
<dom...@gm...> wrote:
> Hi Andres,
>
> I'm working on integer overflow detection plugin and I try to understand, in
> a audit plugin, how to access to injection points detected by in discovery
> part.
>
> Can you give me some pointer or plugin example ?
>
> Thanks in advance
>
> Dom



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Integer overflow detection plugin

[Dominique R. <dom...@gm...>]

Hi Tomas,

Thanks you very much.

I try to understand the objective of each of the value in
["-0000012345", "-2147483649", "-2147483648", "0000012345", 
"2147483647", "2147483648", "4294967295", "4294967296", "0000023456"].

For values: 2147483647,2147483648,-2147483649,-2147483648
I understand because it's a for testing around the limits of the Integer 
type but for other values I dont understand why they are used and from 
where they come from ?

As I understand the vulnerability, according the all the stuff that I 
can read, is the fact below:

A parameter has a Integer overflow vuln if, in the case in which you 
submit a value over the max/min limit of the Integer, it return a very 
small negative or positive value.

Ex:
You submit "2147483648" and the returned value is negative
You submit "-2147483648" and the returned value is positive

Can you confirm to me that's my understanding is correct ?

I apologize for all my questions but I really want to fully understand 
the context of the vulnerability in order to take in account all the 
cases into the plugin implementation and also learn new things.

W3AF team is a very cool learning environment, I feel like a dwarf among 
giants ;o)))))

Thanks in advance.

Best regards,

Dom


On 13/07/2013 15:48, Tomas Velazquez wrote:
> Hi Dominique,
>
> Months ago I code a poc of integer overflow, but it is unfinished.
>
> My code is based on skipfish detection:
> http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c
>
> Regards,
>
>
>
> On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto
> <dom...@gm... <mailto:dom...@gm...>> wrote:
>
>     Hi Andres,
>
>     I'm working on integer overflow detection plugin and I try to
>     understand, in a audit plugin, how to access to injection points
>     detected by in discovery part.
>
>     Can you give me some pointer or plugin example ?
>
>     Thanks in advance
>
>     Dom
>
>     ------------------------------------------------------------------------------
>     See everything from the browser to the database with AppDynamics
>     Get end-to-end visibility with application monitoring from AppDynamics
>     Isolate bottlenecks and diagnose root cause in seconds.
>     Start your free trial of AppDynamics Pro today!
>     http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>     _______________________________________________
>     W3af-develop mailing list
>     W3a...@li...
>     <mailto:W3a...@li...>
>     https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>

Re: [W3af-develop] Integer overflow detection plugin

[Tomas V. <tom...@gm...>]

Hi Dominique,

Months ago I code a poc of integer overflow, but it is unfinished.

My code is based on skipfish detection:
http://code.google.com/p/skipfish/source/browse/trunk/src/checks.c

Regards,



On Sat, Jul 13, 2013 at 10:09 AM, Dominique Righetto <
dom...@gm...> wrote:

> Hi Andres,
>
> I'm working on integer overflow detection plugin and I try to understand,
> in a audit plugin, how to access to injection points detected by in
> discovery part.
>
> Can you give me some pointer or plugin example ?
>
> Thanks in advance
>
> Dom
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>

[W3af-develop] Integer overflow detection plugin

[Dominique R. <dom...@gm...>]

Hi Andres,

I'm working on integer overflow detection plugin and I try to understand,
in a audit plugin, how to access to injection points detected by in
discovery part.

Can you give me some pointer or plugin example ?

Thanks in advance

Dom

Re: [W3af-develop] Regarding the w3af permission problem

[Andres R. <and...@gm...>]

You should debug it, I'm not able to reproduce and don't have the time.

On Tue, Jul 2, 2013 at 5:50 AM, saleem <asa...@cd...> wrote:
> any solution for the XML generation problem ???
>
>
> On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
>>
>> I would disable the XML output plugin, enable the text plugin with
>> debug, run the scan and analyze the output
>>
>> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
>> <lau...@al...> wrote:
>>>
>>> Hi,
>>>
>>> I've got the same error, with the same id "36".
>>>
>>> Additionnaly : when an error occur during the crawling phase (for example
>>> if
>>> target is unreachable), w3af stops immediately without running audit
>>> phase,
>>> and XML is properly generated.
>>>
>>> So I'm perhaps suspecting one of the audit plugins...
>>>
>>>
>>>
>>> 2013/6/26 saleem <asa...@cd...>
>>>>
>>>> when i tried see store the output of w3af to a variable , i have seen a
>>>> error like  ---
>>>>
>>>> An internal error occurred while searching for id "36", even after
>>>> commit/retry Liked it
>>>>
>>>>
>>>> what is the possibility of getting this error ??
>>>>
>>>>
>>>>
>>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>>>
>>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>>> writable by the www-data user.
>>>>>
>>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>>>
>>>>>> as i have written earlier , same code i am using but this time i am
>>>>>> trying
>>>>>> to generate the XML output file .
>>>>>>
>>>>>> this is my w3af script :
>>>>>>
>>>>>> http-settings
>>>>>> set timeout 60
>>>>>> back
>>>>>> plugins
>>>>>> crawl web_spider
>>>>>> crawl config web_spider
>>>>>> set only_forward False
>>>>>> set follow_regex .*
>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>> back
>>>>>> audit blind_sqli
>>>>>> back
>>>>>> output xml_file
>>>>>> output config xml_file
>>>>>> set output_file
>>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>>> back
>>>>>> back
>>>>>> target
>>>>>> set target <url>
>>>>>> back
>>>>>> start
>>>>>> exit
>>>>>>
>>>>>>
>>>>>> and this is my php script :
>>>>>> <?
>>>>>>
>>>>>> $w3af_script="22222.w3af";
>>>>>>
>>>>>> echo "Start of code ::*****";
>>>>>>
>>>>>> if(is_readable($w3af_script))
>>>>>>       {
>>>>>>
>>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>>
>>>>>>           `python w3af_console -s $w3af_script`;
>>>>>>
>>>>>>       }
>>>>>>
>>>>>>
>>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>>
>>>>>> {
>>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>
>>>>>> }
>>>>>> else
>>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>>
>>>>>>
>>>>>> ?>
>>>>>>
>>>>>>
>>>>>> so when i run this as root user it is generating the xml file and if
>>>>>> same i
>>>>>> run as www-data user i am unable to get the output xml file .
>>>>>>
>>>>>> please guide me in setting right permissions so that i can get XML as
>>>>>> output
>>>>>> file .
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>>>
>>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>>>>>>
>>>>>>>> Thank u andrews for guiding me .
>>>>>>>>
>>>>>>>> i am facing a small problem ,i.e i am unable to generate the XML
>>>>>>>> file
>>>>>>>> from
>>>>>>>> the browser is there any dependency for that ?
>>>>>>>>
>>>>>>>> if i run the same from terminal i am able to generate the XML file ,
>>>>>>>> i
>>>>>>>> am
>>>>>>>> using mozilla browser .
>>>>>>>
>>>>>>> The browser has nothing to do with all this. In any case it's PHP and
>>>>>>> the way you call w3af from it.
>>>>>>>
>>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>>>
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>>
>>>>>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>>>>>
>>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>>> generated
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>>> 'Inappropriate
>>>>>>>>>> ioctl for device')
>>>>>>>>>
>>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>>> continues
>>>>>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>>>>>
>>>>>>>>> How did you fix your original error?
>>>>>>>>>
>>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>>> user
>>>>>>>>>>>> in
>>>>>>>>>>>> the
>>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>>
>>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>>> output
>>>>>>>>>>>> files
>>>>>>>>>>>> .
>>>>>>>>>>>
>>>>>>>>>>> Can be because of other things, like the www-data user not having
>>>>>>>>>>> an
>>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>>
>>>>>>>>>>> Try this:
>>>>>>>>>>>
>>>>>>>>>>> sudo -s -H
>>>>>>>>>>> <enter your root password>
>>>>>>>>>>> su www-data
>>>>>>>>>>> cd to-python-install
>>>>>>>>>>> python w3af_console ...
>>>>>>>>>>>
>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>> command?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>>> still it is not working.
>>>>>>>>>>>>
>>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>>
>>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>>> http-settings
>>>>>>>>>>>> set timeout 60
>>>>>>>>>>>> back
>>>>>>>>>>>> plugins
>>>>>>>>>>>> crawl web_spider
>>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>>> set only_forward False
>>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>>> back
>>>>>>>>>>>> output text_file
>>>>>>>>>>>> output config text_file
>>>>>>>>>>>> set output_file
>>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>>> set verbose False
>>>>>>>>>>>> back
>>>>>>>>>>>> back
>>>>>>>>>>>> target
>>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>>> back
>>>>>>>>>>>> start
>>>>>>>>>>>> exit
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>>
>>>>>>>>>>>> <?
>>>>>>>>>>>>
>>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>>          {
>>>>>>>>>>>>
>>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>>> terminal";
>>>>>>>>>>>>
>>>>>>>>>>>>              `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>>
>>>>>>>>>>>>          }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>>>>>> {
>>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>>
>>>>>>>>>>>> }
>>>>>>>>>>>> else
>>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ?>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> now problem is , i am not getting the file generated if i run
>>>>>>>>>>>> the
>>>>>>>>>>>> code
>>>>>>>>>>>> from
>>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>>
>>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>>>>>>>>>>>>>> was
>>>>>>>>>>>>>> working
>>>>>>>>>>>>>> fine
>>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>>>
>>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>>>
>>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>>>>>> about
>>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which
>>>>>>>>>>>>> allows
>>>>>>>>>>>>> you
>>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> now i have given permission to that php script as  well as
>>>>>>>>>>>>>> w3af
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> using
>>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> if
>>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> i.e
>>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>>> command?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>>> to execute that script through browser , but i am not
>>>>>>>>>>>>>>>> getting
>>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not just
>>>>>>>>>>>>>>> you
>>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> help
>>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply
>>>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized
>>>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying
>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> may
>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>> not
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>>> this
>>>>>>>>>>>>>> email
>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>> and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>> the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and
>>>> destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by Windows:
>>>>
>>>> Build for Windows Store.
>>>>
>>>> http://p.sf.net/sfu/windows-dev2dev
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3a...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>>
>>
>>
>
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> This e-mail is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies and the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> is strictly prohibited and appropriate legal action will be taken.
> -------------------------------------------------------------------------------------------------------------------------------
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

any solution for the XML generation problem ???

On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
> I would disable the XML output plugin, enable the text plugin with
> debug, run the scan and analyze the output
>
> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
> <lau...@al...> wrote:
>> Hi,
>>
>> I've got the same error, with the same id "36".
>>
>> Additionnaly : when an error occur during the crawling phase (for example if
>> target is unreachable), w3af stops immediately without running audit phase,
>> and XML is properly generated.
>>
>> So I'm perhaps suspecting one of the audit plugins...
>>
>>
>>
>> 2013/6/26 saleem <asa...@cd...>
>>> when i tried see store the output of w3af to a variable , i have seen a
>>> error like  ---
>>>
>>> An internal error occurred while searching for id "36", even after
>>> commit/retry Liked it
>>>
>>>
>>> what is the possibility of getting this error ??
>>>
>>>
>>>
>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>> writable by the www-data user.
>>>>
>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>> as i have written earlier , same code i am using but this time i am
>>>>> trying
>>>>> to generate the XML output file .
>>>>>
>>>>> this is my w3af script :
>>>>>
>>>>> http-settings
>>>>> set timeout 60
>>>>> back
>>>>> plugins
>>>>> crawl web_spider
>>>>> crawl config web_spider
>>>>> set only_forward False
>>>>> set follow_regex .*
>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>> back
>>>>> audit blind_sqli
>>>>> back
>>>>> output xml_file
>>>>> output config xml_file
>>>>> set output_file
>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>> back
>>>>> back
>>>>> target
>>>>> set target <url>
>>>>> back
>>>>> start
>>>>> exit
>>>>>
>>>>>
>>>>> and this is my php script :
>>>>> <?
>>>>>
>>>>> $w3af_script="22222.w3af";
>>>>>
>>>>> echo "Start of code ::*****";
>>>>>
>>>>> if(is_readable($w3af_script))
>>>>>       {
>>>>>
>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>
>>>>>           `python w3af_console -s $w3af_script`;
>>>>>
>>>>>       }
>>>>>
>>>>>
>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>
>>>>> {
>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>
>>>>> }
>>>>> else
>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>
>>>>>
>>>>> ?>
>>>>>
>>>>>
>>>>> so when i run this as root user it is generating the xml file and if
>>>>> same i
>>>>> run as www-data user i am unable to get the output xml file .
>>>>>
>>>>> please guide me in setting right permissions so that i can get XML as
>>>>> output
>>>>> file .
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>>>>> Thank u andrews for guiding me .
>>>>>>>
>>>>>>> i am facing a small problem ,i.e i am unable to generate the XML file
>>>>>>> from
>>>>>>> the browser is there any dependency for that ?
>>>>>>>
>>>>>>> if i run the same from terminal i am able to generate the XML file ,
>>>>>>> i
>>>>>>> am
>>>>>>> using mozilla browser .
>>>>>> The browser has nothing to do with all this. In any case it's PHP and
>>>>>> the way you call w3af from it.
>>>>>>
>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>> Saleem,
>>>>>>>>
>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>> wrote:
>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>
>>>>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>>>>
>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>> generated
>>>>>>>>> .
>>>>>>>>>
>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>> 'Inappropriate
>>>>>>>>> ioctl for device')
>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>> continues
>>>>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>>>>
>>>>>>>> How did you fix your original error?
>>>>>>>>
>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>> wrote:
>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>> user
>>>>>>>>>>> in
>>>>>>>>>>> the
>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>
>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>> output
>>>>>>>>>>> files
>>>>>>>>>>> .
>>>>>>>>>> Can be because of other things, like the www-data user not having
>>>>>>>>>> an
>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>
>>>>>>>>>> Try this:
>>>>>>>>>>
>>>>>>>>>> sudo -s -H
>>>>>>>>>> <enter your root password>
>>>>>>>>>> su www-data
>>>>>>>>>> cd to-python-install
>>>>>>>>>> python w3af_console ...
>>>>>>>>>>
>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>> command?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>> still it is not working.
>>>>>>>>>>>
>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>
>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>> http-settings
>>>>>>>>>>> set timeout 60
>>>>>>>>>>> back
>>>>>>>>>>> plugins
>>>>>>>>>>> crawl web_spider
>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>> set only_forward False
>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>> back
>>>>>>>>>>> output text_file
>>>>>>>>>>> output config text_file
>>>>>>>>>>> set output_file
>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>> set verbose False
>>>>>>>>>>> back
>>>>>>>>>>> back
>>>>>>>>>>> target
>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>> back
>>>>>>>>>>> start
>>>>>>>>>>> exit
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>
>>>>>>>>>>> <?
>>>>>>>>>>>
>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>
>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>          {
>>>>>>>>>>>
>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>> terminal";
>>>>>>>>>>>
>>>>>>>>>>>              `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>
>>>>>>>>>>>          }
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>>>>> {
>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>
>>>>>>>>>>> }
>>>>>>>>>>> else
>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ?>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> now problem is , i am not getting the file generated if i run the
>>>>>>>>>>> code
>>>>>>>>>>> from
>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>
>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>
>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>
>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>>>>>>>>>>>>> was
>>>>>>>>>>>>> working
>>>>>>>>>>>>> fine
>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>
>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>>>>> about
>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which allows
>>>>>>>>>>>> you
>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>
>>>>>>>>>>>>> now i have given permission to that php script as  well as w3af
>>>>>>>>>>>>> ,
>>>>>>>>>>>>> using
>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>
>>>>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>>>>> output
>>>>>>>>>>>>> ,
>>>>>>>>>>>>> if
>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>> output
>>>>>>>>>>>>> i.e
>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>> command?
>>>>>>>>>>>>
>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>> to execute that script through browser , but i am not getting
>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
>>>>>>>>>>>>>> to
>>>>>>>>>>>>>> help
>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>> and
>>>>>>>>>>>>> may
>>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>>> the
>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>> and
>>>>>>>>>>>>> destroy
>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>> use,
>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>> this
>>>>>>>>>>>>> email
>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>> may
>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>> the
>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>> destroy
>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>> use,
>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>> this
>>>>>>>>>>> email
>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>> taken.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Andrés Riancho
>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>> Twitter: @w3af
>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>> may
>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>> destroy
>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>> email
>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Andrés Riancho
>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>> Twitter: @w3af
>>>>>>>> GPG: 0x93C344F3
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>> destroy
>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>> email
>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>> --
>>>>>> Andrés Riancho
>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>> Web Application Attack and Audit Framework
>>>>>> Twitter: @w3af
>>>>>> GPG: 0x93C344F3
>>>>>>
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>> contain confidential and privileged information. If you are not the
>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>> destroy
>>>>> all copies and the original message. Any unauthorized review, use,
>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>> email
>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>
>>>
>>>
>>> -------------------------------------------------------------------------------------------------------------------------------
>>>
>>> This e-mail is for the sole use of the intended recipient(s) and may
>>> contain confidential and privileged information. If you are not the
>>> intended recipient, please contact the sender by reply e-mail and destroy
>>> all copies and the original message. Any unauthorized review, use,
>>> disclosure, dissemination, forwarding, printing or copying of this email
>>> is strictly prohibited and appropriate legal action will be taken.
>>>
>>> -------------------------------------------------------------------------------------------------------------------------------
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3a...@li...
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

any one was able to find the reason for the problem ?


On Thursday 27 June 2013 09:36 AM, saleem wrote:
> But that is not the correct way , as we have to find the error why it 
> is unable to generate the output xml file.
>
> and more over it would be easy to parse the XML file .
>
>
>
> On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
>> I would disable the XML output plugin, enable the text plugin with
>> debug, run the scan and analyze the output
>>
>> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
>> <lau...@al...> wrote:
>>> Hi,
>>>
>>> I've got the same error, with the same id "36".
>>>
>>> Additionnaly : when an error occur during the crawling phase (for 
>>> example if
>>> target is unreachable), w3af stops immediately without running audit 
>>> phase,
>>> and XML is properly generated.
>>>
>>> So I'm perhaps suspecting one of the audit plugins...
>>>
>>>
>>>
>>> 2013/6/26 saleem <asa...@cd...>
>>>> when i tried see store the output of w3af to a variable , i have 
>>>> seen a
>>>> error like  ---
>>>>
>>>> An internal error occurred while searching for id "36", even after
>>>> commit/retry Liked it
>>>>
>>>>
>>>> what is the possibility of getting this error ??
>>>>
>>>>
>>>>
>>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>>> writable by the www-data user.
>>>>>
>>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>>> as i have written earlier , same code i am using but this time i am
>>>>>> trying
>>>>>> to generate the XML output file .
>>>>>>
>>>>>> this is my w3af script :
>>>>>>
>>>>>> http-settings
>>>>>> set timeout 60
>>>>>> back
>>>>>> plugins
>>>>>> crawl web_spider
>>>>>> crawl config web_spider
>>>>>> set only_forward False
>>>>>> set follow_regex .*
>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>> back
>>>>>> audit blind_sqli
>>>>>> back
>>>>>> output xml_file
>>>>>> output config xml_file
>>>>>> set output_file
>>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>>> back
>>>>>> back
>>>>>> target
>>>>>> set target <url>
>>>>>> back
>>>>>> start
>>>>>> exit
>>>>>>
>>>>>>
>>>>>> and this is my php script :
>>>>>> <?
>>>>>>
>>>>>> $w3af_script="22222.w3af";
>>>>>>
>>>>>> echo "Start of code ::*****";
>>>>>>
>>>>>> if(is_readable($w3af_script))
>>>>>>       {
>>>>>>
>>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>>
>>>>>>           `python w3af_console -s $w3af_script`;
>>>>>>
>>>>>>       }
>>>>>>
>>>>>>
>>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>>
>>>>>> {
>>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>
>>>>>> }
>>>>>> else
>>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>>
>>>>>>
>>>>>> ?>
>>>>>>
>>>>>>
>>>>>> so when i run this as root user it is generating the xml file and if
>>>>>> same i
>>>>>> run as www-data user i am unable to get the output xml file .
>>>>>>
>>>>>> please guide me in setting right permissions so that i can get 
>>>>>> XML as
>>>>>> output
>>>>>> file .
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> 
>>>>>>> wrote:
>>>>>>>> Thank u andrews for guiding me .
>>>>>>>>
>>>>>>>> i am facing a small problem ,i.e i am unable to generate the 
>>>>>>>> XML file
>>>>>>>> from
>>>>>>>> the browser is there any dependency for that ?
>>>>>>>>
>>>>>>>> if i run the same from terminal i am able to generate the XML 
>>>>>>>> file ,
>>>>>>>> i
>>>>>>>> am
>>>>>>>> using mozilla browser .
>>>>>>> The browser has nothing to do with all this. In any case it's 
>>>>>>> PHP and
>>>>>>> the way you call w3af from it.
>>>>>>>
>>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>>
>>>>>>>>>> now i am able to generate file , but i have having small 
>>>>>>>>>> problem,
>>>>>>>>>>
>>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>>> generated
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>>> 'Inappropriate
>>>>>>>>>> ioctl for device')
>>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>>> continues
>>>>>>>>> to work, and you only get it when w3af is run "without a 
>>>>>>>>> terminal".
>>>>>>>>>
>>>>>>>>> How did you fix your original error?
>>>>>>>>>
>>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>>> user
>>>>>>>>>>>> in
>>>>>>>>>>>> the
>>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>>
>>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>>> output
>>>>>>>>>>>> files
>>>>>>>>>>>> .
>>>>>>>>>>> Can be because of other things, like the www-data user not 
>>>>>>>>>>> having
>>>>>>>>>>> an
>>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>>
>>>>>>>>>>> Try this:
>>>>>>>>>>>
>>>>>>>>>>> sudo -s -H
>>>>>>>>>>> <enter your root password>
>>>>>>>>>>> su www-data
>>>>>>>>>>> cd to-python-install
>>>>>>>>>>> python w3af_console ...
>>>>>>>>>>>
>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>> command?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>>> still it is not working.
>>>>>>>>>>>>
>>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>>
>>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>>> http-settings
>>>>>>>>>>>> set timeout 60
>>>>>>>>>>>> back
>>>>>>>>>>>> plugins
>>>>>>>>>>>> crawl web_spider
>>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>>> set only_forward False
>>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>>> back
>>>>>>>>>>>> output text_file
>>>>>>>>>>>> output config text_file
>>>>>>>>>>>> set output_file
>>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>>> set verbose False
>>>>>>>>>>>> back
>>>>>>>>>>>> back
>>>>>>>>>>>> target
>>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>>> back
>>>>>>>>>>>> start
>>>>>>>>>>>> exit
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>>
>>>>>>>>>>>> <?
>>>>>>>>>>>>
>>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>>          {
>>>>>>>>>>>>
>>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>>> terminal";
>>>>>>>>>>>>
>>>>>>>>>>>>              `python 
>>>>>>>>>>>> /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>>
>>>>>>>>>>>>          }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt")) 
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>>
>>>>>>>>>>>> }
>>>>>>>>>>>> else
>>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ?>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> now problem is , i am not getting the file generated if i 
>>>>>>>>>>>> run the
>>>>>>>>>>>> code
>>>>>>>>>>>> from
>>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>>
>>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem 
>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my 
>>>>>>>>>>>>>> script
>>>>>>>>>>>>>> was
>>>>>>>>>>>>>> working
>>>>>>>>>>>>>> fine
>>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm 
>>>>>>>>>>>>> unsure
>>>>>>>>>>>>> about
>>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which 
>>>>>>>>>>>>> allows
>>>>>>>>>>>>> you
>>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> now i have given permission to that php script as  well 
>>>>>>>>>>>>>> as w3af
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> using
>>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> problem is when i am executing it in terminal i am 
>>>>>>>>>>>>>> getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> ,
>>>>>>>>>>>>>> if
>>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>>> output
>>>>>>>>>>>>>> i.e
>>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>>> command?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>>> to execute that script through browser , but i am not 
>>>>>>>>>>>>>>>> getting
>>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not 
>>>>>>>>>>>>>>> just you
>>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than 
>>>>>>>>>>>>>>> glad
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> help
>>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended 
>>>>>>>>>>>>>>>> recipient(s)
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>>> contain confidential and privileged information. If you 
>>>>>>>>>>>>>>>> are
>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized 
>>>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or 
>>>>>>>>>>>>>>>> copying of
>>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action 
>>>>>>>>>>>>>>>> will be
>>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------ 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> may
>>>>>>>>>>>>>> contain confidential and privileged information. If you 
>>>>>>>>>>>>>> are not
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>>>> e-mail
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>> all copies and the original message. Any unauthorized 
>>>>>>>>>>>>>> review,
>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or 
>>>>>>>>>>>>>> copying of
>>>>>>>>>>>>>> this
>>>>>>>>>>>>>> email
>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended 
>>>>>>>>>>>> recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are 
>>>>>>>>>>>> not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply 
>>>>>>>>>>>> e-mail and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are 
>>>>>>>>>> not the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail 
>>>>>>>>>> and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, 
>>>>>>>>>> use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of 
>>>>>>>>>> this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be 
>>>>>>>>>> taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) 
>>>>>>>> and may
>>>>>>>> contain confidential and privileged information. If you are not 
>>>>>>>> the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>>>
>>>>>>>>
>>>>>>> -- 
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and 
>>>> destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this 
>>>> email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>> ------------------------------------------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------ 
>>>>
>>>> This SF.net email is sponsored by Windows:
>>>>
>>>> Build for Windows Store.
>>>>
>>>> http://p.sf.net/sfu/windows-dev2dev
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3a...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>
>>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

But that is not the correct way , as we have to find the error why it is 
unable to generate the output xml file.

and more over it would be easy to parse the XML file .



On Wednesday 26 June 2013 09:01 PM, Andres Riancho wrote:
> I would disable the XML output plugin, enable the text plugin with
> debug, run the scan and analyze the output
>
> On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
> <lau...@al...> wrote:
>> Hi,
>>
>> I've got the same error, with the same id "36".
>>
>> Additionnaly : when an error occur during the crawling phase (for example if
>> target is unreachable), w3af stops immediately without running audit phase,
>> and XML is properly generated.
>>
>> So I'm perhaps suspecting one of the audit plugins...
>>
>>
>>
>> 2013/6/26 saleem <asa...@cd...>
>>> when i tried see store the output of w3af to a variable , i have seen a
>>> error like  ---
>>>
>>> An internal error occurred while searching for id "36", even after
>>> commit/retry Liked it
>>>
>>>
>>> what is the possibility of getting this error ??
>>>
>>>
>>>
>>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>>>> Nothing special. The directory /var/www/scanreports/ needs to be
>>>> writable by the www-data user.
>>>>
>>>> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>>>>> as i have written earlier , same code i am using but this time i am
>>>>> trying
>>>>> to generate the XML output file .
>>>>>
>>>>> this is my w3af script :
>>>>>
>>>>> http-settings
>>>>> set timeout 60
>>>>> back
>>>>> plugins
>>>>> crawl web_spider
>>>>> crawl config web_spider
>>>>> set only_forward False
>>>>> set follow_regex .*
>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>> back
>>>>> audit blind_sqli
>>>>> back
>>>>> output xml_file
>>>>> output config xml_file
>>>>> set output_file
>>>>> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>>>>> back
>>>>> back
>>>>> target
>>>>> set target <url>
>>>>> back
>>>>> start
>>>>> exit
>>>>>
>>>>>
>>>>> and this is my php script :
>>>>> <?
>>>>>
>>>>> $w3af_script="22222.w3af";
>>>>>
>>>>> echo "Start of code ::*****";
>>>>>
>>>>> if(is_readable($w3af_script))
>>>>>       {
>>>>>
>>>>>           echo "\n"."ready to execute the script in the terminal";
>>>>>
>>>>>           `python w3af_console -s $w3af_script`;
>>>>>
>>>>>       }
>>>>>
>>>>>
>>>>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>>>>
>>>>> {
>>>>>       echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>
>>>>> }
>>>>> else
>>>>>       echo "-----FFFFailed to generate the outpt file ";
>>>>>
>>>>>
>>>>> ?>
>>>>>
>>>>>
>>>>> so when i run this as root user it is generating the xml file and if
>>>>> same i
>>>>> run as www-data user i am unable to get the output xml file .
>>>>>
>>>>> please guide me in setting right permissions so that i can get XML as
>>>>> output
>>>>> file .
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>>>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>>>>> Thank u andrews for guiding me .
>>>>>>>
>>>>>>> i am facing a small problem ,i.e i am unable to generate the XML file
>>>>>>> from
>>>>>>> the browser is there any dependency for that ?
>>>>>>>
>>>>>>> if i run the same from terminal i am able to generate the XML file ,
>>>>>>> i
>>>>>>> am
>>>>>>> using mozilla browser .
>>>>>> The browser has nothing to do with all this. In any case it's PHP and
>>>>>> the way you call w3af from it.
>>>>>>
>>>>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>>>>> Saleem,
>>>>>>>>
>>>>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>>>>>>>> wrote:
>>>>>>>>> Thanku so much for that andrews .
>>>>>>>>>
>>>>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>>>>
>>>>>>>>> i am getting  this error at the end of the txt file which got
>>>>>>>>> generated
>>>>>>>>> .
>>>>>>>>>
>>>>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>>>>>>>>> 'Inappropriate
>>>>>>>>> ioctl for device')
>>>>>>>> Seen this before, but never needed to fix it. I mean... w3af
>>>>>>>> continues
>>>>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>>>>
>>>>>>>> How did you fix your original error?
>>>>>>>>
>>>>>>>>> any solution for this kind of error !!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>>>>>>>>>> wrote:
>>>>>>>>>>> thanks for the response andrews.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I suspect permission issue because when i run the code as root
>>>>>>>>>>> user
>>>>>>>>>>> in
>>>>>>>>>>> the
>>>>>>>>>>> terminal it is generating the output file.
>>>>>>>>>>>
>>>>>>>>>>> if i run the same code in the browser it is not generating the
>>>>>>>>>>> output
>>>>>>>>>>> files
>>>>>>>>>>> .
>>>>>>>>>> Can be because of other things, like the www-data user not having
>>>>>>>>>> an
>>>>>>>>>> environment variable set, or something like that.
>>>>>>>>>>
>>>>>>>>>> Try this:
>>>>>>>>>>
>>>>>>>>>> sudo -s -H
>>>>>>>>>> <enter your root password>
>>>>>>>>>> su www-data
>>>>>>>>>> cd to-python-install
>>>>>>>>>> python w3af_console ...
>>>>>>>>>>
>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>> command?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>>>>> still it is not working.
>>>>>>>>>>>
>>>>>>>>>>> i will try to explain once again :
>>>>>>>>>>>
>>>>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>>>>> http-settings
>>>>>>>>>>> set timeout 60
>>>>>>>>>>> back
>>>>>>>>>>> plugins
>>>>>>>>>>> crawl web_spider
>>>>>>>>>>> crawl config web_spider
>>>>>>>>>>> set only_forward False
>>>>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>>>>> back
>>>>>>>>>>> output text_file
>>>>>>>>>>> output config text_file
>>>>>>>>>>> set output_file
>>>>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>>>>> set verbose False
>>>>>>>>>>> back
>>>>>>>>>>> back
>>>>>>>>>>> target
>>>>>>>>>>> set target http://localhost:80
>>>>>>>>>>> back
>>>>>>>>>>> start
>>>>>>>>>>> exit
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>>>>
>>>>>>>>>>> <?
>>>>>>>>>>>
>>>>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>>>>> echo "Start of code ::*****";
>>>>>>>>>>>
>>>>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>>>>          {
>>>>>>>>>>>
>>>>>>>>>>>              echo "\n"."ready to execute the script in the
>>>>>>>>>>> terminal";
>>>>>>>>>>>
>>>>>>>>>>>              `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>>>>> $w3af_script`;
>>>>>>>>>>>
>>>>>>>>>>>          }
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>>>>> {
>>>>>>>>>>>          echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>>>>
>>>>>>>>>>> }
>>>>>>>>>>> else
>>>>>>>>>>>          echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ?>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> now problem is , i am not getting the file generated if i run the
>>>>>>>>>>> code
>>>>>>>>>>> from
>>>>>>>>>>> the browser or by normal user.
>>>>>>>>>>>
>>>>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> please help me out !!!!!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>>>>
>>>>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>>>>
>>>>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>>>>>>>>>>>>> was
>>>>>>>>>>>>> working
>>>>>>>>>>>>> fine
>>>>>>>>>>>>> currently i am using
>>>>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>>>>> Version: 1.5
>>>>>>>>>>>>> Revision: 790bb82add
>>>>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>>>>
>>>>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>>>>> screenshot 1
>>>>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>>>>> screenshot 2
>>>>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>>>>> about
>>>>>>>>>>>> how to do it for PHP, but in python there is Celery which allows
>>>>>>>>>>>> you
>>>>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>>>>
>>>>>>>>>>>>> now i have given permission to that php script as  well as w3af
>>>>>>>>>>>>> ,
>>>>>>>>>>>>> using
>>>>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>>>>
>>>>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>>>>> output
>>>>>>>>>>>>> ,
>>>>>>>>>>>>> if
>>>>>>>>>>>>> the same i am executing in the browser i am not getting the
>>>>>>>>>>>>> output
>>>>>>>>>>>>> i.e
>>>>>>>>>>>>> output files are not getting generated .
>>>>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>>>>> command?
>>>>>>>>>>>>
>>>>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>>>>> Saleem,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>>>>>>>>>>>>>> <asa...@cd...>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have written a script which uses w3af script in the
>>>>>>>>>>>>>>> background,
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> trying
>>>>>>>>>>>>>>> to execute that script through browser , but i am not getting
>>>>>>>>>>>>>>> any
>>>>>>>>>>>>>>> output
>>>>>>>>>>>>>>> if
>>>>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>>>>> detail.
>>>>>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>>>>>>>>>>>>>> setting
>>>>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
>>>>>>>>>>>>>> to
>>>>>>>>>>>>>> help
>>>>>>>>>>>>>> if you send details,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>>>>> saleem
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> may
>>>>>>>>>>>>>>> contain confidential and privileged information. If you are
>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> destroy
>>>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>>>> use,
>>>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>> email
>>>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>>>>>>>>>>>>> and
>>>>>>>>>>>>> may
>>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>>> the
>>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>>>>>>>>>>>>> and
>>>>>>>>>>>>> destroy
>>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>>> use,
>>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>>> this
>>>>>>>>>>>>> email
>>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>>> taken.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>> may
>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>> the
>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>> destroy
>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>> use,
>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>> this
>>>>>>>>>>> email
>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>> taken.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Andrés Riancho
>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>> Twitter: @w3af
>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>> may
>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>> destroy
>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>> email
>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Andrés Riancho
>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>> Twitter: @w3af
>>>>>>>> GPG: 0x93C344F3
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>> destroy
>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>> email
>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>
>>>>>>>
>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>> --
>>>>>> Andrés Riancho
>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>> Web Application Attack and Audit Framework
>>>>>> Twitter: @w3af
>>>>>> GPG: 0x93C344F3
>>>>>>
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>> contain confidential and privileged information. If you are not the
>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>> destroy
>>>>> all copies and the original message. Any unauthorized review, use,
>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>> email
>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>
>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>
>>>>
>>>
>>>
>>> -------------------------------------------------------------------------------------------------------------------------------
>>>
>>> This e-mail is for the sole use of the intended recipient(s) and may
>>> contain confidential and privileged information. If you are not the
>>> intended recipient, please contact the sender by reply e-mail and destroy
>>> all copies and the original message. Any unauthorized review, use,
>>> disclosure, dissemination, forwarding, printing or copying of this email
>>> is strictly prohibited and appropriate legal action will be taken.
>>>
>>> -------------------------------------------------------------------------------------------------------------------------------
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3a...@li...
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] Regarding the w3af permission problem

[Andres R. <and...@gm...>]

I would disable the XML output plugin, enable the text plugin with
debug, run the scan and analyze the output

On Wed, Jun 26, 2013 at 12:13 PM, Laurent Guyon
<lau...@al...> wrote:
> Hi,
>
> I've got the same error, with the same id "36".
>
> Additionnaly : when an error occur during the crawling phase (for example if
> target is unreachable), w3af stops immediately without running audit phase,
> and XML is properly generated.
>
> So I'm perhaps suspecting one of the audit plugins...
>
>
>
> 2013/6/26 saleem <asa...@cd...>
>>
>> when i tried see store the output of w3af to a variable , i have seen a
>> error like  ---
>>
>> An internal error occurred while searching for id "36", even after
>> commit/retry Liked it
>>
>>
>> what is the possibility of getting this error ??
>>
>>
>>
>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>> > Nothing special. The directory /var/www/scanreports/ needs to be
>> > writable by the www-data user.
>> >
>> > On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>> >> as i have written earlier , same code i am using but this time i am
>> >> trying
>> >> to generate the XML output file .
>> >>
>> >> this is my w3af script :
>> >>
>> >> http-settings
>> >> set timeout 60
>> >> back
>> >> plugins
>> >> crawl web_spider
>> >> crawl config web_spider
>> >> set only_forward False
>> >> set follow_regex .*
>> >> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> >> back
>> >> audit blind_sqli
>> >> back
>> >> output xml_file
>> >> output config xml_file
>> >> set output_file
>> >> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>> >> back
>> >> back
>> >> target
>> >> set target <url>
>> >> back
>> >> start
>> >> exit
>> >>
>> >>
>> >> and this is my php script :
>> >> <?
>> >>
>> >> $w3af_script="22222.w3af";
>> >>
>> >> echo "Start of code ::*****";
>> >>
>> >> if(is_readable($w3af_script))
>> >>      {
>> >>
>> >>          echo "\n"."ready to execute the script in the terminal";
>> >>
>> >>          `python w3af_console -s $w3af_script`;
>> >>
>> >>      }
>> >>
>> >>
>> >> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>> >>
>> >> {
>> >>      echo "-----OOOOOOOOOOOoutput file got generated ";
>> >>
>> >> }
>> >> else
>> >>      echo "-----FFFFailed to generate the outpt file ";
>> >>
>> >>
>> >> ?>
>> >>
>> >>
>> >> so when i run this as root user it is generating the xml file and if
>> >> same i
>> >> run as www-data user i am unable to get the output xml file .
>> >>
>> >> please guide me in setting right permissions so that i can get XML as
>> >> output
>> >> file .
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>> >>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>> >>>> Thank u andrews for guiding me .
>> >>>>
>> >>>> i am facing a small problem ,i.e i am unable to generate the XML file
>> >>>> from
>> >>>> the browser is there any dependency for that ?
>> >>>>
>> >>>> if i run the same from terminal i am able to generate the XML file ,
>> >>>> i
>> >>>> am
>> >>>> using mozilla browser .
>> >>> The browser has nothing to do with all this. In any case it's PHP and
>> >>> the way you call w3af from it.
>> >>>
>> >>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>> >>>>> Saleem,
>> >>>>>
>> >>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>> >>>>> wrote:
>> >>>>>> Thanku so much for that andrews .
>> >>>>>>
>> >>>>>> now i am able to generate file , but i have having small problem,
>> >>>>>>
>> >>>>>> i am getting  this error at the end of the txt file which got
>> >>>>>> generated
>> >>>>>> .
>> >>>>>>
>> >>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>> >>>>>> 'Inappropriate
>> >>>>>> ioctl for device')
>> >>>>> Seen this before, but never needed to fix it. I mean... w3af
>> >>>>> continues
>> >>>>> to work, and you only get it when w3af is run "without a terminal".
>> >>>>>
>> >>>>> How did you fix your original error?
>> >>>>>
>> >>>>>> any solution for this kind of error !!
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>> >>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>> >>>>>>> wrote:
>> >>>>>>>> thanks for the response andrews.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Why do you suspect of permissions issue?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> I suspect permission issue because when i run the code as root
>> >>>>>>>> user
>> >>>>>>>> in
>> >>>>>>>> the
>> >>>>>>>> terminal it is generating the output file.
>> >>>>>>>>
>> >>>>>>>> if i run the same code in the browser it is not generating the
>> >>>>>>>> output
>> >>>>>>>> files
>> >>>>>>>> .
>> >>>>>>> Can be because of other things, like the www-data user not having
>> >>>>>>> an
>> >>>>>>> environment variable set, or something like that.
>> >>>>>>>
>> >>>>>>> Try this:
>> >>>>>>>
>> >>>>>>> sudo -s -H
>> >>>>>>> <enter your root password>
>> >>>>>>> su www-data
>> >>>>>>> cd to-python-install
>> >>>>>>> python w3af_console ...
>> >>>>>>>
>> >>>>>>>> Are you trying "su www-data" and then running the exact same
>> >>>>>>>> command?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> i have given www-data:www-data permission to my code as well .
>> >>>>>>>> still it is not working.
>> >>>>>>>>
>> >>>>>>>> i will try to explain once again :
>> >>>>>>>>
>> >>>>>>>> i have a w3af script for w3af crawl -
>> >>>>>>>> http-settings
>> >>>>>>>> set timeout 60
>> >>>>>>>> back
>> >>>>>>>> plugins
>> >>>>>>>> crawl web_spider
>> >>>>>>>> crawl config web_spider
>> >>>>>>>> set only_forward False
>> >>>>>>>> set follow_regex .*http:/localhost.*
>> >>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> >>>>>>>> back
>> >>>>>>>> output text_file
>> >>>>>>>> output config text_file
>> >>>>>>>> set output_file
>> >>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>> >>>>>>>> set verbose False
>> >>>>>>>> back
>> >>>>>>>> back
>> >>>>>>>> target
>> >>>>>>>> set target http://localhost:80
>> >>>>>>>> back
>> >>>>>>>> start
>> >>>>>>>> exit
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> i have called this script in my php code i.e :
>> >>>>>>>>
>> >>>>>>>> <?
>> >>>>>>>>
>> >>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>> >>>>>>>> echo "Start of code ::*****";
>> >>>>>>>>
>> >>>>>>>> if(is_readable($w3af_script))
>> >>>>>>>>         {
>> >>>>>>>>
>> >>>>>>>>             echo "\n"."ready to execute the script in the
>> >>>>>>>> terminal";
>> >>>>>>>>
>> >>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
>> >>>>>>>> $w3af_script`;
>> >>>>>>>>
>> >>>>>>>>         }
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>> >>>>>>>> {
>> >>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
>> >>>>>>>>
>> >>>>>>>> }
>> >>>>>>>> else
>> >>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> ?>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> now problem is , i am not getting the file generated if i run the
>> >>>>>>>> code
>> >>>>>>>> from
>> >>>>>>>> the browser or by normal user.
>> >>>>>>>>
>> >>>>>>>> root user is able to generate the files using the same code .
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> please help me out !!!!!
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>> >>>>>>>>> Saleem,
>> >>>>>>>>>
>> >>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>> >>>>>>>>> wrote:
>> >>>>>>>>>> ok thanku for responding andres .
>> >>>>>>>>>>
>> >>>>>>>>>> fine i will tell u in detail what i have done .
>> >>>>>>>>>>
>> >>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>> >>>>>>>>>> was
>> >>>>>>>>>> working
>> >>>>>>>>>> fine
>> >>>>>>>>>> currently i am using
>> >>>>>>>>>> w3af - Web Application Attack and Audit Framework
>> >>>>>>>>>> Version: 1.5
>> >>>>>>>>>> Revision: 790bb82add
>> >>>>>>>>> First of all, it was a great idea to update.
>> >>>>>>>>>
>> >>>>>>>>>> w3af script i have written (attachment) :
>> >>>>>>>>>> screenshot 1
>> >>>>>>>>>> PHP script i have written was (attachment):
>> >>>>>>>>>> screenshot 2
>> >>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>> >>>>>>>>> about
>> >>>>>>>>> how to do it for PHP, but in python there is Celery which allows
>> >>>>>>>>> you
>> >>>>>>>>> to queue work, process results, etc.
>> >>>>>>>>>
>> >>>>>>>>>> now i have given permission to that php script as  well as w3af
>> >>>>>>>>>> ,
>> >>>>>>>>>> using
>> >>>>>>>>>> chmod command i have given 777 permissions.
>> >>>>>>>>> Why do you suspect of permissions issue?
>> >>>>>>>>>
>> >>>>>>>>>> problem is when i am executing it in terminal i am getting the
>> >>>>>>>>>> output
>> >>>>>>>>>> ,
>> >>>>>>>>>> if
>> >>>>>>>>>> the same i am executing in the browser i am not getting the
>> >>>>>>>>>> output
>> >>>>>>>>>> i.e
>> >>>>>>>>>> output files are not getting generated .
>> >>>>>>>>> Are you trying "su www-data" and then running the exact same
>> >>>>>>>>> command?
>> >>>>>>>>>
>> >>>>>>>>>> please help me out and sorry for my english.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>> >>>>>>>>>>> Saleem,
>> >>>>>>>>>>>
>> >>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>> >>>>>>>>>>> <asa...@cd...>
>> >>>>>>>>>>> wrote:
>> >>>>>>>>>>>> Hi all ,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> I have written a script which uses w3af script in the
>> >>>>>>>>>>>> background,
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> trying
>> >>>>>>>>>>>> to execute that script through browser , but i am not getting
>> >>>>>>>>>>>> any
>> >>>>>>>>>>>> output
>> >>>>>>>>>>>> if
>> >>>>>>>>>>>> i do the same in the terminal i am getting the output .
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> please help me out !!!
>> >>>>>>>>>>> It's almost impossible to answer this question without more
>> >>>>>>>>>>> detail.
>> >>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>> >>>>>>>>>>> setting
>> >>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
>> >>>>>>>>>>> to
>> >>>>>>>>>>> help
>> >>>>>>>>>>> if you send details,
>> >>>>>>>>>>>
>> >>>>>>>>>>> Regards,
>> >>>>>>>>>>>
>> >>>>>>>>>>>> Thanks & Regards ,
>> >>>>>>>>>>>> saleem
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> may
>> >>>>>>>>>>>> contain confidential and privileged information. If you are
>> >>>>>>>>>>>> not
>> >>>>>>>>>>>> the
>> >>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> destroy
>> >>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>>>>>> use,
>> >>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>>>>>> this
>> >>>>>>>>>>>> email
>> >>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>>>>>> taken.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> ------------------------------------------------------------------------------
>> >>>>>>>>>>>> This SF.net email is sponsored by Windows:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Build for Windows Store.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>> >>>>>>>>>>>> _______________________________________________
>> >>>>>>>>>>>> W3af-develop mailing list
>> >>>>>>>>>>>> W3a...@li...
>> >>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> --
>> >>>>>>>>>>> Andrés Riancho
>> >>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>>>>>> Web Application Attack and Audit Framework
>> >>>>>>>>>>> Twitter: @w3af
>> >>>>>>>>>>> GPG: 0x93C344F3
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>
>> >>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>> >>>>>>>>>> and
>> >>>>>>>>>> may
>> >>>>>>>>>> contain confidential and privileged information. If you are not
>> >>>>>>>>>> the
>> >>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>> >>>>>>>>>> and
>> >>>>>>>>>> destroy
>> >>>>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>>>> use,
>> >>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>>>> this
>> >>>>>>>>>> email
>> >>>>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>>>> taken.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> Andrés Riancho
>> >>>>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>>>> Web Application Attack and Audit Framework
>> >>>>>>>>> Twitter: @w3af
>> >>>>>>>>> GPG: 0x93C344F3
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>
>> >>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>> >>>>>>>> may
>> >>>>>>>> contain confidential and privileged information. If you are not
>> >>>>>>>> the
>> >>>>>>>> intended recipient, please contact the sender by reply e-mail and
>> >>>>>>>> destroy
>> >>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>> use,
>> >>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>> this
>> >>>>>>>> email
>> >>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>> taken.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>
>> >>>>>>> --
>> >>>>>>> Andrés Riancho
>> >>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>> Web Application Attack and Audit Framework
>> >>>>>>> Twitter: @w3af
>> >>>>>>> GPG: 0x93C344F3
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>
>> >>>>>> This e-mail is for the sole use of the intended recipient(s) and
>> >>>>>> may
>> >>>>>> contain confidential and privileged information. If you are not the
>> >>>>>> intended recipient, please contact the sender by reply e-mail and
>> >>>>>> destroy
>> >>>>>> all copies and the original message. Any unauthorized review, use,
>> >>>>>> disclosure, dissemination, forwarding, printing or copying of this
>> >>>>>> email
>> >>>>>> is strictly prohibited and appropriate legal action will be taken.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>
>> >>>>> --
>> >>>>> Andrés Riancho
>> >>>>> Project Leader at w3af - http://w3af.org/
>> >>>>> Web Application Attack and Audit Framework
>> >>>>> Twitter: @w3af
>> >>>>> GPG: 0x93C344F3
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>
>> >>>> This e-mail is for the sole use of the intended recipient(s) and may
>> >>>> contain confidential and privileged information. If you are not the
>> >>>> intended recipient, please contact the sender by reply e-mail and
>> >>>> destroy
>> >>>> all copies and the original message. Any unauthorized review, use,
>> >>>> disclosure, dissemination, forwarding, printing or copying of this
>> >>>> email
>> >>>> is strictly prohibited and appropriate legal action will be taken.
>> >>>>
>> >>>>
>> >>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>
>> >>>
>> >>> --
>> >>> Andrés Riancho
>> >>> Project Leader at w3af - http://w3af.org/
>> >>> Web Application Attack and Audit Framework
>> >>> Twitter: @w3af
>> >>> GPG: 0x93C344F3
>> >>>
>> >>>
>> >>
>> >>
>> >> -------------------------------------------------------------------------------------------------------------------------------
>> >>
>> >> This e-mail is for the sole use of the intended recipient(s) and may
>> >> contain confidential and privileged information. If you are not the
>> >> intended recipient, please contact the sender by reply e-mail and
>> >> destroy
>> >> all copies and the original message. Any unauthorized review, use,
>> >> disclosure, dissemination, forwarding, printing or copying of this
>> >> email
>> >> is strictly prohibited and appropriate legal action will be taken.
>> >>
>> >> -------------------------------------------------------------------------------------------------------------------------------
>> >>
>> >
>> >
>>
>>
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>> This e-mail is for the sole use of the intended recipient(s) and may
>> contain confidential and privileged information. If you are not the
>> intended recipient, please contact the sender by reply e-mail and destroy
>> all copies and the original message. Any unauthorized review, use,
>> disclosure, dissemination, forwarding, printing or copying of this email
>> is strictly prohibited and appropriate legal action will be taken.
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> W3af-develop mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Regarding the w3af permission problem

[Laurent G. <lau...@al...>]

Hi,

I've got the same error, with the same id "36".

Additionnaly : when an error occur during the crawling phase (for example
if target is unreachable), w3af stops immediately without running audit
phase, and XML is properly generated.

So I'm perhaps suspecting one of the audit plugins...



2013/6/26 saleem <asa...@cd...>

> when i tried see store the output of w3af to a variable , i have seen a
> error like  ---
>
> An internal error occurred while searching for id "36", even after
> commit/retry Liked it
>
>
> what is the possibility of getting this error ??
>
>
>
> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
> > Nothing special. The directory /var/www/scanreports/ needs to be
> > writable by the www-data user.
> >
> > On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
> >> as i have written earlier , same code i am using but this time i am
> trying
> >> to generate the XML output file .
> >>
> >> this is my w3af script :
> >>
> >> http-settings
> >> set timeout 60
> >> back
> >> plugins
> >> crawl web_spider
> >> crawl config web_spider
> >> set only_forward False
> >> set follow_regex .*
> >> set ignore_regex (?i)(logout|disconnect|signout|exit)+
> >> back
> >> audit blind_sqli
> >> back
> >> output xml_file
> >> output config xml_file
> >> set output_file
> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
> >> back
> >> back
> >> target
> >> set target <url>
> >> back
> >> start
> >> exit
> >>
> >>
> >> and this is my php script :
> >> <?
> >>
> >> $w3af_script="22222.w3af";
> >>
> >> echo "Start of code ::*****";
> >>
> >> if(is_readable($w3af_script))
> >>      {
> >>
> >>          echo "\n"."ready to execute the script in the terminal";
> >>
> >>          `python w3af_console -s $w3af_script`;
> >>
> >>      }
> >>
> >>
> >> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
> >>
> >> {
> >>      echo "-----OOOOOOOOOOOoutput file got generated ";
> >>
> >> }
> >> else
> >>      echo "-----FFFFailed to generate the outpt file ";
> >>
> >>
> >> ?>
> >>
> >>
> >> so when i run this as root user it is generating the xml file and if
> same i
> >> run as www-data user i am unable to get the output xml file .
> >>
> >> please guide me in setting right permissions so that i can get XML as
> output
> >> file .
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
> >>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
> >>>> Thank u andrews for guiding me .
> >>>>
> >>>> i am facing a small problem ,i.e i am unable to generate the XML file
> >>>> from
> >>>> the browser is there any dependency for that ?
> >>>>
> >>>> if i run the same from terminal i am able to generate the XML file ,
>  i
> >>>> am
> >>>> using mozilla browser .
> >>> The browser has nothing to do with all this. In any case it's PHP and
> >>> the way you call w3af from it.
> >>>
> >>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
> >>>>> Saleem,
> >>>>>
> >>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
> wrote:
> >>>>>> Thanku so much for that andrews .
> >>>>>>
> >>>>>> now i am able to generate file , but i have having small problem,
> >>>>>>
> >>>>>> i am getting  this error at the end of the txt file which got
> generated
> >>>>>> .
> >>>>>>
> >>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
> 'Inappropriate
> >>>>>> ioctl for device')
> >>>>> Seen this before, but never needed to fix it. I mean... w3af
> continues
> >>>>> to work, and you only get it when w3af is run "without a terminal".
> >>>>>
> >>>>> How did you fix your original error?
> >>>>>
> >>>>>> any solution for this kind of error !!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
> >>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
> wrote:
> >>>>>>>> thanks for the response andrews.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Why do you suspect of permissions issue?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I suspect permission issue because when i run the code as root
> user
> >>>>>>>> in
> >>>>>>>> the
> >>>>>>>> terminal it is generating the output file.
> >>>>>>>>
> >>>>>>>> if i run the same code in the browser it is not generating the
> output
> >>>>>>>> files
> >>>>>>>> .
> >>>>>>> Can be because of other things, like the www-data user not having
> an
> >>>>>>> environment variable set, or something like that.
> >>>>>>>
> >>>>>>> Try this:
> >>>>>>>
> >>>>>>> sudo -s -H
> >>>>>>> <enter your root password>
> >>>>>>> su www-data
> >>>>>>> cd to-python-install
> >>>>>>> python w3af_console ...
> >>>>>>>
> >>>>>>>> Are you trying "su www-data" and then running the exact same
> command?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> i have given www-data:www-data permission to my code as well .
> >>>>>>>> still it is not working.
> >>>>>>>>
> >>>>>>>> i will try to explain once again :
> >>>>>>>>
> >>>>>>>> i have a w3af script for w3af crawl -
> >>>>>>>> http-settings
> >>>>>>>> set timeout 60
> >>>>>>>> back
> >>>>>>>> plugins
> >>>>>>>> crawl web_spider
> >>>>>>>> crawl config web_spider
> >>>>>>>> set only_forward False
> >>>>>>>> set follow_regex .*http:/localhost.*
> >>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
> >>>>>>>> back
> >>>>>>>> output text_file
> >>>>>>>> output config text_file
> >>>>>>>> set output_file
> >>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
> >>>>>>>> set verbose False
> >>>>>>>> back
> >>>>>>>> back
> >>>>>>>> target
> >>>>>>>> set target http://localhost:80
> >>>>>>>> back
> >>>>>>>> start
> >>>>>>>> exit
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> i have called this script in my php code i.e :
> >>>>>>>>
> >>>>>>>> <?
> >>>>>>>>
> >>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
> >>>>>>>> echo "Start of code ::*****";
> >>>>>>>>
> >>>>>>>> if(is_readable($w3af_script))
> >>>>>>>>         {
> >>>>>>>>
> >>>>>>>>             echo "\n"."ready to execute the script in the
> terminal";
> >>>>>>>>
> >>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
> >>>>>>>> $w3af_script`;
> >>>>>>>>
> >>>>>>>>         }
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
> >>>>>>>> {
> >>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
> >>>>>>>>
> >>>>>>>> }
> >>>>>>>> else
> >>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ?>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> now problem is , i am not getting the file generated if i run the
> >>>>>>>> code
> >>>>>>>> from
> >>>>>>>> the browser or by normal user.
> >>>>>>>>
> >>>>>>>> root user is able to generate the files using the same code .
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> please help me out !!!!!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
> >>>>>>>>> Saleem,
> >>>>>>>>>
> >>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
> >>>>>>>>> wrote:
> >>>>>>>>>> ok thanku for responding andres .
> >>>>>>>>>>
> >>>>>>>>>> fine i will tell u in detail what i have done .
> >>>>>>>>>>
> >>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
> was
> >>>>>>>>>> working
> >>>>>>>>>> fine
> >>>>>>>>>> currently i am using
> >>>>>>>>>> w3af - Web Application Attack and Audit Framework
> >>>>>>>>>> Version: 1.5
> >>>>>>>>>> Revision: 790bb82add
> >>>>>>>>> First of all, it was a great idea to update.
> >>>>>>>>>
> >>>>>>>>>> w3af script i have written (attachment) :
> >>>>>>>>>> screenshot 1
> >>>>>>>>>> PHP script i have written was (attachment):
> >>>>>>>>>> screenshot 2
> >>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
> >>>>>>>>> about
> >>>>>>>>> how to do it for PHP, but in python there is Celery which allows
> you
> >>>>>>>>> to queue work, process results, etc.
> >>>>>>>>>
> >>>>>>>>>> now i have given permission to that php script as  well as w3af
> ,
> >>>>>>>>>> using
> >>>>>>>>>> chmod command i have given 777 permissions.
> >>>>>>>>> Why do you suspect of permissions issue?
> >>>>>>>>>
> >>>>>>>>>> problem is when i am executing it in terminal i am getting the
> >>>>>>>>>> output
> >>>>>>>>>> ,
> >>>>>>>>>> if
> >>>>>>>>>> the same i am executing in the browser i am not getting the
> output
> >>>>>>>>>> i.e
> >>>>>>>>>> output files are not getting generated .
> >>>>>>>>> Are you trying "su www-data" and then running the exact same
> >>>>>>>>> command?
> >>>>>>>>>
> >>>>>>>>>> please help me out and sorry for my english.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
> >>>>>>>>>>> Saleem,
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem <asa...@cd...
> >
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>> Hi all ,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I have written a script which uses w3af script in the
> background,
> >>>>>>>>>>>> and
> >>>>>>>>>>>> trying
> >>>>>>>>>>>> to execute that script through browser , but i am not getting
> any
> >>>>>>>>>>>> output
> >>>>>>>>>>>> if
> >>>>>>>>>>>> i do the same in the terminal i am getting the output .
> >>>>>>>>>>>>
> >>>>>>>>>>>> please help me out !!!
> >>>>>>>>>>> It's almost impossible to answer this question without more
> >>>>>>>>>>> detail.
> >>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
> >>>>>>>>>>> setting
> >>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
> to
> >>>>>>>>>>> help
> >>>>>>>>>>> if you send details,
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>>
> >>>>>>>>>>>> Thanks & Regards ,
> >>>>>>>>>>>> saleem
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>>>
> >>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
> and
> >>>>>>>>>>>> may
> >>>>>>>>>>>> contain confidential and privileged information. If you are
> not
> >>>>>>>>>>>> the
> >>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
> and
> >>>>>>>>>>>> destroy
> >>>>>>>>>>>> all copies and the original message. Any unauthorized review,
> >>>>>>>>>>>> use,
> >>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
> >>>>>>>>>>>> this
> >>>>>>>>>>>> email
> >>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
> >>>>>>>>>>>> taken.
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> ------------------------------------------------------------------------------
> >>>>>>>>>>>> This SF.net email is sponsored by Windows:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Build for Windows Store.
> >>>>>>>>>>>>
> >>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> W3af-develop mailing list
> >>>>>>>>>>>> W3a...@li...
> >>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Andrés Riancho
> >>>>>>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>>>>>> Web Application Attack and Audit Framework
> >>>>>>>>>>> Twitter: @w3af
> >>>>>>>>>>> GPG: 0x93C344F3
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
> >>>>>>>>>> may
> >>>>>>>>>> contain confidential and privileged information. If you are not
> the
> >>>>>>>>>> intended recipient, please contact the sender by reply e-mail
> and
> >>>>>>>>>> destroy
> >>>>>>>>>> all copies and the original message. Any unauthorized review,
> use,
> >>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
> this
> >>>>>>>>>> email
> >>>>>>>>>> is strictly prohibited and appropriate legal action will be
> taken.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Andrés Riancho
> >>>>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>>>> Web Application Attack and Audit Framework
> >>>>>>>>> Twitter: @w3af
> >>>>>>>>> GPG: 0x93C344F3
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
> may
> >>>>>>>> contain confidential and privileged information. If you are not
> the
> >>>>>>>> intended recipient, please contact the sender by reply e-mail and
> >>>>>>>> destroy
> >>>>>>>> all copies and the original message. Any unauthorized review, use,
> >>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
> >>>>>>>> email
> >>>>>>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>> --
> >>>>>>> Andrés Riancho
> >>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>> Web Application Attack and Audit Framework
> >>>>>>> Twitter: @w3af
> >>>>>>> GPG: 0x93C344F3
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>
> >>>>>> This e-mail is for the sole use of the intended recipient(s) and may
> >>>>>> contain confidential and privileged information. If you are not the
> >>>>>> intended recipient, please contact the sender by reply e-mail and
> >>>>>> destroy
> >>>>>> all copies and the original message. Any unauthorized review, use,
> >>>>>> disclosure, dissemination, forwarding, printing or copying of this
> >>>>>> email
> >>>>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>>>
> >>>>>>
> >>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>
> >>>>> --
> >>>>> Andrés Riancho
> >>>>> Project Leader at w3af - http://w3af.org/
> >>>>> Web Application Attack and Audit Framework
> >>>>> Twitter: @w3af
> >>>>> GPG: 0x93C344F3
> >>>>>
> >>>>>
> >>>>
> >>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>
> >>>> This e-mail is for the sole use of the intended recipient(s) and may
> >>>> contain confidential and privileged information. If you are not the
> >>>> intended recipient, please contact the sender by reply e-mail and
> destroy
> >>>> all copies and the original message. Any unauthorized review, use,
> >>>> disclosure, dissemination, forwarding, printing or copying of this
> email
> >>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>
> >>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>
> >>>
> >>> --
> >>> Andrés Riancho
> >>> Project Leader at w3af - http://w3af.org/
> >>> Web Application Attack and Audit Framework
> >>> Twitter: @w3af
> >>> GPG: 0x93C344F3
> >>>
> >>>
> >>
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >> This e-mail is for the sole use of the intended recipient(s) and may
> >> contain confidential and privileged information. If you are not the
> >> intended recipient, please contact the sender by reply e-mail and
> destroy
> >> all copies and the original message. Any unauthorized review, use,
> >> disclosure, dissemination, forwarding, printing or copying of this email
> >> is strictly prohibited and appropriate legal action will be taken.
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >
> >
>
>
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> This e-mail is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies and the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> is strictly prohibited and appropriate legal action will be taken.
>
> -------------------------------------------------------------------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> W3af-develop mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

when i tried see store the output of w3af to a variable , i have seen a 
error like  ---

An internal error occurred while searching for id "36", even after 
commit/retry Liked it


what is the possibility of getting this error ??



On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
> Nothing special. The directory /var/www/scanreports/ needs to be
> writable by the www-data user.
>
> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>> as i have written earlier , same code i am using but this time i am trying
>> to generate the XML output file .
>>
>> this is my w3af script :
>>
>> http-settings
>> set timeout 60
>> back
>> plugins
>> crawl web_spider
>> crawl config web_spider
>> set only_forward False
>> set follow_regex .*
>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> back
>> audit blind_sqli
>> back
>> output xml_file
>> output config xml_file
>> set output_file /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>> back
>> back
>> target
>> set target <url>
>> back
>> start
>> exit
>>
>>
>> and this is my php script :
>> <?
>>
>> $w3af_script="22222.w3af";
>>
>> echo "Start of code ::*****";
>>
>> if(is_readable($w3af_script))
>>      {
>>
>>          echo "\n"."ready to execute the script in the terminal";
>>
>>          `python w3af_console -s $w3af_script`;
>>
>>      }
>>
>>
>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>
>> {
>>      echo "-----OOOOOOOOOOOoutput file got generated ";
>>
>> }
>> else
>>      echo "-----FFFFailed to generate the outpt file ";
>>
>>
>> ?>
>>
>>
>> so when i run this as root user it is generating the xml file and if same i
>> run as www-data user i am unable to get the output xml file .
>>
>> please guide me in setting right permissions so that i can get XML as output
>> file .
>>
>>
>>
>>
>>
>>
>>
>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>> Thank u andrews for guiding me .
>>>>
>>>> i am facing a small problem ,i.e i am unable to generate the XML file
>>>> from
>>>> the browser is there any dependency for that ?
>>>>
>>>> if i run the same from terminal i am able to generate the XML file ,  i
>>>> am
>>>> using mozilla browser .
>>> The browser has nothing to do with all this. In any case it's PHP and
>>> the way you call w3af from it.
>>>
>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>> Saleem,
>>>>>
>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...> wrote:
>>>>>> Thanku so much for that andrews .
>>>>>>
>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>
>>>>>> i am getting  this error at the end of the txt file which got generated
>>>>>> .
>>>>>>
>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25, 'Inappropriate
>>>>>> ioctl for device')
>>>>> Seen this before, but never needed to fix it. I mean... w3af continues
>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>
>>>>> How did you fix your original error?
>>>>>
>>>>>> any solution for this kind of error !!
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...> wrote:
>>>>>>>> thanks for the response andrews.
>>>>>>>>
>>>>>>>>
>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>
>>>>>>>>
>>>>>>>> I suspect permission issue because when i run the code as root user
>>>>>>>> in
>>>>>>>> the
>>>>>>>> terminal it is generating the output file.
>>>>>>>>
>>>>>>>> if i run the same code in the browser it is not generating the output
>>>>>>>> files
>>>>>>>> .
>>>>>>> Can be because of other things, like the www-data user not having an
>>>>>>> environment variable set, or something like that.
>>>>>>>
>>>>>>> Try this:
>>>>>>>
>>>>>>> sudo -s -H
>>>>>>> <enter your root password>
>>>>>>> su www-data
>>>>>>> cd to-python-install
>>>>>>> python w3af_console ...
>>>>>>>
>>>>>>>> Are you trying "su www-data" and then running the exact same command?
>>>>>>>>
>>>>>>>>
>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>> still it is not working.
>>>>>>>>
>>>>>>>> i will try to explain once again :
>>>>>>>>
>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>> http-settings
>>>>>>>> set timeout 60
>>>>>>>> back
>>>>>>>> plugins
>>>>>>>> crawl web_spider
>>>>>>>> crawl config web_spider
>>>>>>>> set only_forward False
>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>> back
>>>>>>>> output text_file
>>>>>>>> output config text_file
>>>>>>>> set output_file
>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>> set verbose False
>>>>>>>> back
>>>>>>>> back
>>>>>>>> target
>>>>>>>> set target http://localhost:80
>>>>>>>> back
>>>>>>>> start
>>>>>>>> exit
>>>>>>>>
>>>>>>>>
>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>
>>>>>>>> <?
>>>>>>>>
>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>> echo "Start of code ::*****";
>>>>>>>>
>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>         {
>>>>>>>>
>>>>>>>>             echo "\n"."ready to execute the script in the terminal";
>>>>>>>>
>>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>> $w3af_script`;
>>>>>>>>
>>>>>>>>         }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>> {
>>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>
>>>>>>>> }
>>>>>>>> else
>>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>
>>>>>>>>
>>>>>>>> ?>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> now problem is , i am not getting the file generated if i run the
>>>>>>>> code
>>>>>>>> from
>>>>>>>> the browser or by normal user.
>>>>>>>>
>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>
>>>>>>>>
>>>>>>>> please help me out !!!!!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>
>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>
>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script was
>>>>>>>>>> working
>>>>>>>>>> fine
>>>>>>>>>> currently i am using
>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>> Version: 1.5
>>>>>>>>>> Revision: 790bb82add
>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>
>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>> screenshot 1
>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>> screenshot 2
>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>> about
>>>>>>>>> how to do it for PHP, but in python there is Celery which allows you
>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>
>>>>>>>>>> now i have given permission to that php script as  well as w3af ,
>>>>>>>>>> using
>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>
>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>> output
>>>>>>>>>> ,
>>>>>>>>>> if
>>>>>>>>>> the same i am executing in the browser i am not getting the output
>>>>>>>>>> i.e
>>>>>>>>>> output files are not getting generated .
>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>> command?
>>>>>>>>>
>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>> Saleem,
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a script which uses w3af script in the background,
>>>>>>>>>>>> and
>>>>>>>>>>>> trying
>>>>>>>>>>>> to execute that script through browser , but i am not getting any
>>>>>>>>>>>> output
>>>>>>>>>>>> if
>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>> detail.
>>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>>>>>>>>>>> setting
>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad to
>>>>>>>>>>> help
>>>>>>>>>>> if you send details,
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>> saleem
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>
>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>
>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>>
>>>>>
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>>
>>>
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>> This e-mail is for the sole use of the intended recipient(s) and may
>> contain confidential and privileged information. If you are not the
>> intended recipient, please contact the sender by reply e-mail and destroy
>> all copies and the original message. Any unauthorized review, use,
>> disclosure, dissemination, forwarding, printing or copying of this email
>> is strictly prohibited and appropriate legal action will be taken.
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

Still  i am unable to generate XML , couldnt find the reason behind this !!!

Please help me out !!!

what could be the reason is it permission or is it XML library being used !!

On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
> Nothing special. The directory /var/www/scanreports/ needs to be
> writable by the www-data user.
>
> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>> as i have written earlier , same code i am using but this time i am trying
>> to generate the XML output file .
>>
>> this is my w3af script :
>>
>> http-settings
>> set timeout 60
>> back
>> plugins
>> crawl web_spider
>> crawl config web_spider
>> set only_forward False
>> set follow_regex .*
>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> back
>> audit blind_sqli
>> back
>> output xml_file
>> output config xml_file
>> set output_file /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>> back
>> back
>> target
>> set target <url>
>> back
>> start
>> exit
>>
>>
>> and this is my php script :
>> <?
>>
>> $w3af_script="22222.w3af";
>>
>> echo "Start of code ::*****";
>>
>> if(is_readable($w3af_script))
>>      {
>>
>>          echo "\n"."ready to execute the script in the terminal";
>>
>>          `python w3af_console -s $w3af_script`;
>>
>>      }
>>
>>
>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>
>> {
>>      echo "-----OOOOOOOOOOOoutput file got generated ";
>>
>> }
>> else
>>      echo "-----FFFFailed to generate the outpt file ";
>>
>>
>> ?>
>>
>>
>> so when i run this as root user it is generating the xml file and if same i
>> run as www-data user i am unable to get the output xml file .
>>
>> please guide me in setting right permissions so that i can get XML as output
>> file .
>>
>>
>>
>>
>>
>>
>>
>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>> Thank u andrews for guiding me .
>>>>
>>>> i am facing a small problem ,i.e i am unable to generate the XML file
>>>> from
>>>> the browser is there any dependency for that ?
>>>>
>>>> if i run the same from terminal i am able to generate the XML file ,  i
>>>> am
>>>> using mozilla browser .
>>> The browser has nothing to do with all this. In any case it's PHP and
>>> the way you call w3af from it.
>>>
>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>> Saleem,
>>>>>
>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...> wrote:
>>>>>> Thanku so much for that andrews .
>>>>>>
>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>
>>>>>> i am getting  this error at the end of the txt file which got generated
>>>>>> .
>>>>>>
>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25, 'Inappropriate
>>>>>> ioctl for device')
>>>>> Seen this before, but never needed to fix it. I mean... w3af continues
>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>
>>>>> How did you fix your original error?
>>>>>
>>>>>> any solution for this kind of error !!
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...> wrote:
>>>>>>>> thanks for the response andrews.
>>>>>>>>
>>>>>>>>
>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>
>>>>>>>>
>>>>>>>> I suspect permission issue because when i run the code as root user
>>>>>>>> in
>>>>>>>> the
>>>>>>>> terminal it is generating the output file.
>>>>>>>>
>>>>>>>> if i run the same code in the browser it is not generating the output
>>>>>>>> files
>>>>>>>> .
>>>>>>> Can be because of other things, like the www-data user not having an
>>>>>>> environment variable set, or something like that.
>>>>>>>
>>>>>>> Try this:
>>>>>>>
>>>>>>> sudo -s -H
>>>>>>> <enter your root password>
>>>>>>> su www-data
>>>>>>> cd to-python-install
>>>>>>> python w3af_console ...
>>>>>>>
>>>>>>>> Are you trying "su www-data" and then running the exact same command?
>>>>>>>>
>>>>>>>>
>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>> still it is not working.
>>>>>>>>
>>>>>>>> i will try to explain once again :
>>>>>>>>
>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>> http-settings
>>>>>>>> set timeout 60
>>>>>>>> back
>>>>>>>> plugins
>>>>>>>> crawl web_spider
>>>>>>>> crawl config web_spider
>>>>>>>> set only_forward False
>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>> back
>>>>>>>> output text_file
>>>>>>>> output config text_file
>>>>>>>> set output_file
>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>> set verbose False
>>>>>>>> back
>>>>>>>> back
>>>>>>>> target
>>>>>>>> set target http://localhost:80
>>>>>>>> back
>>>>>>>> start
>>>>>>>> exit
>>>>>>>>
>>>>>>>>
>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>
>>>>>>>> <?
>>>>>>>>
>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>> echo "Start of code ::*****";
>>>>>>>>
>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>         {
>>>>>>>>
>>>>>>>>             echo "\n"."ready to execute the script in the terminal";
>>>>>>>>
>>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>> $w3af_script`;
>>>>>>>>
>>>>>>>>         }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>> {
>>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>
>>>>>>>> }
>>>>>>>> else
>>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>
>>>>>>>>
>>>>>>>> ?>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> now problem is , i am not getting the file generated if i run the
>>>>>>>> code
>>>>>>>> from
>>>>>>>> the browser or by normal user.
>>>>>>>>
>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>
>>>>>>>>
>>>>>>>> please help me out !!!!!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>
>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>
>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script was
>>>>>>>>>> working
>>>>>>>>>> fine
>>>>>>>>>> currently i am using
>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>> Version: 1.5
>>>>>>>>>> Revision: 790bb82add
>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>
>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>> screenshot 1
>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>> screenshot 2
>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>> about
>>>>>>>>> how to do it for PHP, but in python there is Celery which allows you
>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>
>>>>>>>>>> now i have given permission to that php script as  well as w3af ,
>>>>>>>>>> using
>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>
>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>> output
>>>>>>>>>> ,
>>>>>>>>>> if
>>>>>>>>>> the same i am executing in the browser i am not getting the output
>>>>>>>>>> i.e
>>>>>>>>>> output files are not getting generated .
>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>> command?
>>>>>>>>>
>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>> Saleem,
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a script which uses w3af script in the background,
>>>>>>>>>>>> and
>>>>>>>>>>>> trying
>>>>>>>>>>>> to execute that script through browser , but i am not getting any
>>>>>>>>>>>> output
>>>>>>>>>>>> if
>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>> detail.
>>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>>>>>>>>>>> setting
>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad to
>>>>>>>>>>> help
>>>>>>>>>>> if you send details,
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>> saleem
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>
>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>
>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>>
>>>>>
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>>
>>>
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>> This e-mail is for the sole use of the intended recipient(s) and may
>> contain confidential and privileged information. If you are not the
>> intended recipient, please contact the sender by reply e-mail and destroy
>> all copies and the original message. Any unauthorized review, use,
>> disclosure, dissemination, forwarding, printing or copying of this email
>> is strictly prohibited and appropriate legal action will be taken.
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------

Re: [W3af-develop] [W3af-users] Regarding the w3af permission problem

[Laurent G. <lau...@al...>]

Hi,

Same problem here : W3af is called inside a Python daemon (so in a
non-interactive way too).

W3af runs fine, but never creates the XML output file.
I get too the "Inappropriate ioctl for device" error btw.
Using the git version.

Missing environment variables ? Problem with the XML library used ? or the
way the XML output file is created ?

Investigating...



2013/6/25 saleem <asa...@cd...>

> i have given all permissions to that folder , still i am not able to
> generate the file .
>
> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
> > Nothing special. The directory /var/www/scanreports/ needs to be
> > writable by the www-data user.
> >
> > On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
> >> as i have written earlier , same code i am using but this time i am
> trying
> >> to generate the XML output file .
> >>
> >> this is my w3af script :
> >>
> >> http-settings
> >> set timeout 60
> >> back
> >> plugins
> >> crawl web_spider
> >> crawl config web_spider
> >> set only_forward False
> >> set follow_regex .*
> >> set ignore_regex (?i)(logout|disconnect|signout|exit)+
> >> back
> >> audit blind_sqli
> >> back
> >> output xml_file
> >> output config xml_file
> >> set output_file
> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
> >> back
> >> back
> >> target
> >> set target <url>
> >> back
> >> start
> >> exit
> >>
> >>
> >> and this is my php script :
> >> <?
> >>
> >> $w3af_script="22222.w3af";
> >>
> >> echo "Start of code ::*****";
> >>
> >> if(is_readable($w3af_script))
> >>      {
> >>
> >>          echo "\n"."ready to execute the script in the terminal";
> >>
> >>          `python w3af_console -s $w3af_script`;
> >>
> >>      }
> >>
> >>
> >> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
> >>
> >> {
> >>      echo "-----OOOOOOOOOOOoutput file got generated ";
> >>
> >> }
> >> else
> >>      echo "-----FFFFailed to generate the outpt file ";
> >>
> >>
> >> ?>
> >>
> >>
> >> so when i run this as root user it is generating the xml file and if
> same i
> >> run as www-data user i am unable to get the output xml file .
> >>
> >> please guide me in setting right permissions so that i can get XML as
> output
> >> file .
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
> >>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
> >>>> Thank u andrews for guiding me .
> >>>>
> >>>> i am facing a small problem ,i.e i am unable to generate the XML file
> >>>> from
> >>>> the browser is there any dependency for that ?
> >>>>
> >>>> if i run the same from terminal i am able to generate the XML file ,
>  i
> >>>> am
> >>>> using mozilla browser .
> >>> The browser has nothing to do with all this. In any case it's PHP and
> >>> the way you call w3af from it.
> >>>
> >>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
> >>>>> Saleem,
> >>>>>
> >>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
> wrote:
> >>>>>> Thanku so much for that andrews .
> >>>>>>
> >>>>>> now i am able to generate file , but i have having small problem,
> >>>>>>
> >>>>>> i am getting  this error at the end of the txt file which got
> generated
> >>>>>> .
> >>>>>>
> >>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
> 'Inappropriate
> >>>>>> ioctl for device')
> >>>>> Seen this before, but never needed to fix it. I mean... w3af
> continues
> >>>>> to work, and you only get it when w3af is run "without a terminal".
> >>>>>
> >>>>> How did you fix your original error?
> >>>>>
> >>>>>> any solution for this kind of error !!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
> >>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
> wrote:
> >>>>>>>> thanks for the response andrews.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Why do you suspect of permissions issue?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I suspect permission issue because when i run the code as root
> user
> >>>>>>>> in
> >>>>>>>> the
> >>>>>>>> terminal it is generating the output file.
> >>>>>>>>
> >>>>>>>> if i run the same code in the browser it is not generating the
> output
> >>>>>>>> files
> >>>>>>>> .
> >>>>>>> Can be because of other things, like the www-data user not having
> an
> >>>>>>> environment variable set, or something like that.
> >>>>>>>
> >>>>>>> Try this:
> >>>>>>>
> >>>>>>> sudo -s -H
> >>>>>>> <enter your root password>
> >>>>>>> su www-data
> >>>>>>> cd to-python-install
> >>>>>>> python w3af_console ...
> >>>>>>>
> >>>>>>>> Are you trying "su www-data" and then running the exact same
> command?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> i have given www-data:www-data permission to my code as well .
> >>>>>>>> still it is not working.
> >>>>>>>>
> >>>>>>>> i will try to explain once again :
> >>>>>>>>
> >>>>>>>> i have a w3af script for w3af crawl -
> >>>>>>>> http-settings
> >>>>>>>> set timeout 60
> >>>>>>>> back
> >>>>>>>> plugins
> >>>>>>>> crawl web_spider
> >>>>>>>> crawl config web_spider
> >>>>>>>> set only_forward False
> >>>>>>>> set follow_regex .*http:/localhost.*
> >>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
> >>>>>>>> back
> >>>>>>>> output text_file
> >>>>>>>> output config text_file
> >>>>>>>> set output_file
> >>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
> >>>>>>>> set verbose False
> >>>>>>>> back
> >>>>>>>> back
> >>>>>>>> target
> >>>>>>>> set target http://localhost:80
> >>>>>>>> back
> >>>>>>>> start
> >>>>>>>> exit
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> i have called this script in my php code i.e :
> >>>>>>>>
> >>>>>>>> <?
> >>>>>>>>
> >>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
> >>>>>>>> echo "Start of code ::*****";
> >>>>>>>>
> >>>>>>>> if(is_readable($w3af_script))
> >>>>>>>>         {
> >>>>>>>>
> >>>>>>>>             echo "\n"."ready to execute the script in the
> terminal";
> >>>>>>>>
> >>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
> >>>>>>>> $w3af_script`;
> >>>>>>>>
> >>>>>>>>         }
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
> >>>>>>>> {
> >>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
> >>>>>>>>
> >>>>>>>> }
> >>>>>>>> else
> >>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ?>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> now problem is , i am not getting the file generated if i run the
> >>>>>>>> code
> >>>>>>>> from
> >>>>>>>> the browser or by normal user.
> >>>>>>>>
> >>>>>>>> root user is able to generate the files using the same code .
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> please help me out !!!!!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
> >>>>>>>>> Saleem,
> >>>>>>>>>
> >>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
> >>>>>>>>> wrote:
> >>>>>>>>>> ok thanku for responding andres .
> >>>>>>>>>>
> >>>>>>>>>> fine i will tell u in detail what i have done .
> >>>>>>>>>>
> >>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
> was
> >>>>>>>>>> working
> >>>>>>>>>> fine
> >>>>>>>>>> currently i am using
> >>>>>>>>>> w3af - Web Application Attack and Audit Framework
> >>>>>>>>>> Version: 1.5
> >>>>>>>>>> Revision: 790bb82add
> >>>>>>>>> First of all, it was a great idea to update.
> >>>>>>>>>
> >>>>>>>>>> w3af script i have written (attachment) :
> >>>>>>>>>> screenshot 1
> >>>>>>>>>> PHP script i have written was (attachment):
> >>>>>>>>>> screenshot 2
> >>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
> >>>>>>>>> about
> >>>>>>>>> how to do it for PHP, but in python there is Celery which allows
> you
> >>>>>>>>> to queue work, process results, etc.
> >>>>>>>>>
> >>>>>>>>>> now i have given permission to that php script as  well as w3af
> ,
> >>>>>>>>>> using
> >>>>>>>>>> chmod command i have given 777 permissions.
> >>>>>>>>> Why do you suspect of permissions issue?
> >>>>>>>>>
> >>>>>>>>>> problem is when i am executing it in terminal i am getting the
> >>>>>>>>>> output
> >>>>>>>>>> ,
> >>>>>>>>>> if
> >>>>>>>>>> the same i am executing in the browser i am not getting the
> output
> >>>>>>>>>> i.e
> >>>>>>>>>> output files are not getting generated .
> >>>>>>>>> Are you trying "su www-data" and then running the exact same
> >>>>>>>>> command?
> >>>>>>>>>
> >>>>>>>>>> please help me out and sorry for my english.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
> >>>>>>>>>>> Saleem,
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem <asa...@cd...
> >
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>> Hi all ,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I have written a script which uses w3af script in the
> background,
> >>>>>>>>>>>> and
> >>>>>>>>>>>> trying
> >>>>>>>>>>>> to execute that script through browser , but i am not getting
> any
> >>>>>>>>>>>> output
> >>>>>>>>>>>> if
> >>>>>>>>>>>> i do the same in the terminal i am getting the output .
> >>>>>>>>>>>>
> >>>>>>>>>>>> please help me out !!!
> >>>>>>>>>>> It's almost impossible to answer this question without more
> >>>>>>>>>>> detail.
> >>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
> >>>>>>>>>>> setting
> >>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
> to
> >>>>>>>>>>> help
> >>>>>>>>>>> if you send details,
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>>
> >>>>>>>>>>>> Thanks & Regards ,
> >>>>>>>>>>>> saleem
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>>>
> >>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
> and
> >>>>>>>>>>>> may
> >>>>>>>>>>>> contain confidential and privileged information. If you are
> not
> >>>>>>>>>>>> the
> >>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
> and
> >>>>>>>>>>>> destroy
> >>>>>>>>>>>> all copies and the original message. Any unauthorized review,
> >>>>>>>>>>>> use,
> >>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
> >>>>>>>>>>>> this
> >>>>>>>>>>>> email
> >>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
> >>>>>>>>>>>> taken.
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> ------------------------------------------------------------------------------
> >>>>>>>>>>>> This SF.net email is sponsored by Windows:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Build for Windows Store.
> >>>>>>>>>>>>
> >>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> W3af-develop mailing list
> >>>>>>>>>>>> W3a...@li...
> >>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Andrés Riancho
> >>>>>>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>>>>>> Web Application Attack and Audit Framework
> >>>>>>>>>>> Twitter: @w3af
> >>>>>>>>>>> GPG: 0x93C344F3
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
> >>>>>>>>>> may
> >>>>>>>>>> contain confidential and privileged information. If you are not
> the
> >>>>>>>>>> intended recipient, please contact the sender by reply e-mail
> and
> >>>>>>>>>> destroy
> >>>>>>>>>> all copies and the original message. Any unauthorized review,
> use,
> >>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
> this
> >>>>>>>>>> email
> >>>>>>>>>> is strictly prohibited and appropriate legal action will be
> taken.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Andrés Riancho
> >>>>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>>>> Web Application Attack and Audit Framework
> >>>>>>>>> Twitter: @w3af
> >>>>>>>>> GPG: 0x93C344F3
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
> may
> >>>>>>>> contain confidential and privileged information. If you are not
> the
> >>>>>>>> intended recipient, please contact the sender by reply e-mail and
> >>>>>>>> destroy
> >>>>>>>> all copies and the original message. Any unauthorized review, use,
> >>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
> >>>>>>>> email
> >>>>>>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>>>
> >>>>>>> --
> >>>>>>> Andrés Riancho
> >>>>>>> Project Leader at w3af - http://w3af.org/
> >>>>>>> Web Application Attack and Audit Framework
> >>>>>>> Twitter: @w3af
> >>>>>>> GPG: 0x93C344F3
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>
> >>>>>> This e-mail is for the sole use of the intended recipient(s) and may
> >>>>>> contain confidential and privileged information. If you are not the
> >>>>>> intended recipient, please contact the sender by reply e-mail and
> >>>>>> destroy
> >>>>>> all copies and the original message. Any unauthorized review, use,
> >>>>>> disclosure, dissemination, forwarding, printing or copying of this
> >>>>>> email
> >>>>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>>>
> >>>>>>
> >>>>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>>>
> >>>>> --
> >>>>> Andrés Riancho
> >>>>> Project Leader at w3af - http://w3af.org/
> >>>>> Web Application Attack and Audit Framework
> >>>>> Twitter: @w3af
> >>>>> GPG: 0x93C344F3
> >>>>>
> >>>>>
> >>>>
> >>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>
> >>>> This e-mail is for the sole use of the intended recipient(s) and may
> >>>> contain confidential and privileged information. If you are not the
> >>>> intended recipient, please contact the sender by reply e-mail and
> destroy
> >>>> all copies and the original message. Any unauthorized review, use,
> >>>> disclosure, dissemination, forwarding, printing or copying of this
> email
> >>>> is strictly prohibited and appropriate legal action will be taken.
> >>>>
> >>>>
> -------------------------------------------------------------------------------------------------------------------------------
> >>>>
> >>>
> >>> --
> >>> Andrés Riancho
> >>> Project Leader at w3af - http://w3af.org/
> >>> Web Application Attack and Audit Framework
> >>> Twitter: @w3af
> >>> GPG: 0x93C344F3
> >>>
> >>>
> >>
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >> This e-mail is for the sole use of the intended recipient(s) and may
> >> contain confidential and privileged information. If you are not the
> >> intended recipient, please contact the sender by reply e-mail and
> destroy
> >> all copies and the original message. Any unauthorized review, use,
> >> disclosure, dissemination, forwarding, printing or copying of this email
> >> is strictly prohibited and appropriate legal action will be taken.
> >>
> -------------------------------------------------------------------------------------------------------------------------------
> >>
> >
> >
>
>
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> This e-mail is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. If you are not the
> intended recipient, please contact the sender by reply e-mail and destroy
> all copies and the original message. Any unauthorized review, use,
> disclosure, dissemination, forwarding, printing or copying of this email
> is strictly prohibited and appropriate legal action will be taken.
>
> -------------------------------------------------------------------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> W3af-users mailing list
> W3a...@li...
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>

Re: [W3af-develop] [W3af-users] Regarding the w3af permission problem

[Andres R. <and...@gm...>]

Interesting, you guys let me know how that investigation goes and if I
need to fix something on the w3af project.

On Tue, Jun 25, 2013 at 10:28 AM, Laurent Guyon
<lau...@al...> wrote:
> Hi,
>
> Same problem here : W3af is called inside a Python daemon (so in a
> non-interactive way too).
>
> W3af runs fine, but never creates the XML output file.
> I get too the "Inappropriate ioctl for device" error btw.
> Using the git version.
>
> Missing environment variables ? Problem with the XML library used ? or the
> way the XML output file is created ?
>
> Investigating...
>
>
>
> 2013/6/25 saleem <asa...@cd...>
>>
>> i have given all permissions to that folder , still i am not able to
>> generate the file .
>>
>> On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
>> > Nothing special. The directory /var/www/scanreports/ needs to be
>> > writable by the www-data user.
>> >
>> > On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>> >> as i have written earlier , same code i am using but this time i am
>> >> trying
>> >> to generate the XML output file .
>> >>
>> >> this is my w3af script :
>> >>
>> >> http-settings
>> >> set timeout 60
>> >> back
>> >> plugins
>> >> crawl web_spider
>> >> crawl config web_spider
>> >> set only_forward False
>> >> set follow_regex .*
>> >> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> >> back
>> >> audit blind_sqli
>> >> back
>> >> output xml_file
>> >> output config xml_file
>> >> set output_file
>> >> /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>> >> back
>> >> back
>> >> target
>> >> set target <url>
>> >> back
>> >> start
>> >> exit
>> >>
>> >>
>> >> and this is my php script :
>> >> <?
>> >>
>> >> $w3af_script="22222.w3af";
>> >>
>> >> echo "Start of code ::*****";
>> >>
>> >> if(is_readable($w3af_script))
>> >>      {
>> >>
>> >>          echo "\n"."ready to execute the script in the terminal";
>> >>
>> >>          `python w3af_console -s $w3af_script`;
>> >>
>> >>      }
>> >>
>> >>
>> >> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>> >>
>> >> {
>> >>      echo "-----OOOOOOOOOOOoutput file got generated ";
>> >>
>> >> }
>> >> else
>> >>      echo "-----FFFFailed to generate the outpt file ";
>> >>
>> >>
>> >> ?>
>> >>
>> >>
>> >> so when i run this as root user it is generating the xml file and if
>> >> same i
>> >> run as www-data user i am unable to get the output xml file .
>> >>
>> >> please guide me in setting right permissions so that i can get XML as
>> >> output
>> >> file .
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>> >>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>> >>>> Thank u andrews for guiding me .
>> >>>>
>> >>>> i am facing a small problem ,i.e i am unable to generate the XML file
>> >>>> from
>> >>>> the browser is there any dependency for that ?
>> >>>>
>> >>>> if i run the same from terminal i am able to generate the XML file ,
>> >>>> i
>> >>>> am
>> >>>> using mozilla browser .
>> >>> The browser has nothing to do with all this. In any case it's PHP and
>> >>> the way you call w3af from it.
>> >>>
>> >>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>> >>>>> Saleem,
>> >>>>>
>> >>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...>
>> >>>>> wrote:
>> >>>>>> Thanku so much for that andrews .
>> >>>>>>
>> >>>>>> now i am able to generate file , but i have having small problem,
>> >>>>>>
>> >>>>>> i am getting  this error at the end of the txt file which got
>> >>>>>> generated
>> >>>>>> .
>> >>>>>>
>> >>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25,
>> >>>>>> 'Inappropriate
>> >>>>>> ioctl for device')
>> >>>>> Seen this before, but never needed to fix it. I mean... w3af
>> >>>>> continues
>> >>>>> to work, and you only get it when w3af is run "without a terminal".
>> >>>>>
>> >>>>> How did you fix your original error?
>> >>>>>
>> >>>>>> any solution for this kind of error !!
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>> >>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...>
>> >>>>>>> wrote:
>> >>>>>>>> thanks for the response andrews.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> Why do you suspect of permissions issue?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> I suspect permission issue because when i run the code as root
>> >>>>>>>> user
>> >>>>>>>> in
>> >>>>>>>> the
>> >>>>>>>> terminal it is generating the output file.
>> >>>>>>>>
>> >>>>>>>> if i run the same code in the browser it is not generating the
>> >>>>>>>> output
>> >>>>>>>> files
>> >>>>>>>> .
>> >>>>>>> Can be because of other things, like the www-data user not having
>> >>>>>>> an
>> >>>>>>> environment variable set, or something like that.
>> >>>>>>>
>> >>>>>>> Try this:
>> >>>>>>>
>> >>>>>>> sudo -s -H
>> >>>>>>> <enter your root password>
>> >>>>>>> su www-data
>> >>>>>>> cd to-python-install
>> >>>>>>> python w3af_console ...
>> >>>>>>>
>> >>>>>>>> Are you trying "su www-data" and then running the exact same
>> >>>>>>>> command?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> i have given www-data:www-data permission to my code as well .
>> >>>>>>>> still it is not working.
>> >>>>>>>>
>> >>>>>>>> i will try to explain once again :
>> >>>>>>>>
>> >>>>>>>> i have a w3af script for w3af crawl -
>> >>>>>>>> http-settings
>> >>>>>>>> set timeout 60
>> >>>>>>>> back
>> >>>>>>>> plugins
>> >>>>>>>> crawl web_spider
>> >>>>>>>> crawl config web_spider
>> >>>>>>>> set only_forward False
>> >>>>>>>> set follow_regex .*http:/localhost.*
>> >>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> >>>>>>>> back
>> >>>>>>>> output text_file
>> >>>>>>>> output config text_file
>> >>>>>>>> set output_file
>> >>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>> >>>>>>>> set verbose False
>> >>>>>>>> back
>> >>>>>>>> back
>> >>>>>>>> target
>> >>>>>>>> set target http://localhost:80
>> >>>>>>>> back
>> >>>>>>>> start
>> >>>>>>>> exit
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> i have called this script in my php code i.e :
>> >>>>>>>>
>> >>>>>>>> <?
>> >>>>>>>>
>> >>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>> >>>>>>>> echo "Start of code ::*****";
>> >>>>>>>>
>> >>>>>>>> if(is_readable($w3af_script))
>> >>>>>>>>         {
>> >>>>>>>>
>> >>>>>>>>             echo "\n"."ready to execute the script in the
>> >>>>>>>> terminal";
>> >>>>>>>>
>> >>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
>> >>>>>>>> $w3af_script`;
>> >>>>>>>>
>> >>>>>>>>         }
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>> >>>>>>>> {
>> >>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
>> >>>>>>>>
>> >>>>>>>> }
>> >>>>>>>> else
>> >>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> ?>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> now problem is , i am not getting the file generated if i run the
>> >>>>>>>> code
>> >>>>>>>> from
>> >>>>>>>> the browser or by normal user.
>> >>>>>>>>
>> >>>>>>>> root user is able to generate the files using the same code .
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> please help me out !!!!!
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>> >>>>>>>>> Saleem,
>> >>>>>>>>>
>> >>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>> >>>>>>>>> wrote:
>> >>>>>>>>>> ok thanku for responding andres .
>> >>>>>>>>>>
>> >>>>>>>>>> fine i will tell u in detail what i have done .
>> >>>>>>>>>>
>> >>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script
>> >>>>>>>>>> was
>> >>>>>>>>>> working
>> >>>>>>>>>> fine
>> >>>>>>>>>> currently i am using
>> >>>>>>>>>> w3af - Web Application Attack and Audit Framework
>> >>>>>>>>>> Version: 1.5
>> >>>>>>>>>> Revision: 790bb82add
>> >>>>>>>>> First of all, it was a great idea to update.
>> >>>>>>>>>
>> >>>>>>>>>> w3af script i have written (attachment) :
>> >>>>>>>>>> screenshot 1
>> >>>>>>>>>> PHP script i have written was (attachment):
>> >>>>>>>>>> screenshot 2
>> >>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>> >>>>>>>>> about
>> >>>>>>>>> how to do it for PHP, but in python there is Celery which allows
>> >>>>>>>>> you
>> >>>>>>>>> to queue work, process results, etc.
>> >>>>>>>>>
>> >>>>>>>>>> now i have given permission to that php script as  well as w3af
>> >>>>>>>>>> ,
>> >>>>>>>>>> using
>> >>>>>>>>>> chmod command i have given 777 permissions.
>> >>>>>>>>> Why do you suspect of permissions issue?
>> >>>>>>>>>
>> >>>>>>>>>> problem is when i am executing it in terminal i am getting the
>> >>>>>>>>>> output
>> >>>>>>>>>> ,
>> >>>>>>>>>> if
>> >>>>>>>>>> the same i am executing in the browser i am not getting the
>> >>>>>>>>>> output
>> >>>>>>>>>> i.e
>> >>>>>>>>>> output files are not getting generated .
>> >>>>>>>>> Are you trying "su www-data" and then running the exact same
>> >>>>>>>>> command?
>> >>>>>>>>>
>> >>>>>>>>>> please help me out and sorry for my english.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>> >>>>>>>>>>> Saleem,
>> >>>>>>>>>>>
>> >>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem
>> >>>>>>>>>>> <asa...@cd...>
>> >>>>>>>>>>> wrote:
>> >>>>>>>>>>>> Hi all ,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> I have written a script which uses w3af script in the
>> >>>>>>>>>>>> background,
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> trying
>> >>>>>>>>>>>> to execute that script through browser , but i am not getting
>> >>>>>>>>>>>> any
>> >>>>>>>>>>>> output
>> >>>>>>>>>>>> if
>> >>>>>>>>>>>> i do the same in the terminal i am getting the output .
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> please help me out !!!
>> >>>>>>>>>>> It's almost impossible to answer this question without more
>> >>>>>>>>>>> detail.
>> >>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>> >>>>>>>>>>> setting
>> >>>>>>>>>>> incorrect permissions to the filesystem files? More than glad
>> >>>>>>>>>>> to
>> >>>>>>>>>>> help
>> >>>>>>>>>>> if you send details,
>> >>>>>>>>>>>
>> >>>>>>>>>>> Regards,
>> >>>>>>>>>>>
>> >>>>>>>>>>>> Thanks & Regards ,
>> >>>>>>>>>>>> saleem
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> may
>> >>>>>>>>>>>> contain confidential and privileged information. If you are
>> >>>>>>>>>>>> not
>> >>>>>>>>>>>> the
>> >>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>> >>>>>>>>>>>> and
>> >>>>>>>>>>>> destroy
>> >>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>>>>>> use,
>> >>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>>>>>> this
>> >>>>>>>>>>>> email
>> >>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>>>>>> taken.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> ------------------------------------------------------------------------------
>> >>>>>>>>>>>> This SF.net email is sponsored by Windows:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Build for Windows Store.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>> >>>>>>>>>>>> _______________________________________________
>> >>>>>>>>>>>> W3af-develop mailing list
>> >>>>>>>>>>>> W3a...@li...
>> >>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> --
>> >>>>>>>>>>> Andrés Riancho
>> >>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>>>>>> Web Application Attack and Audit Framework
>> >>>>>>>>>>> Twitter: @w3af
>> >>>>>>>>>>> GPG: 0x93C344F3
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>
>> >>>>>>>>>> This e-mail is for the sole use of the intended recipient(s)
>> >>>>>>>>>> and
>> >>>>>>>>>> may
>> >>>>>>>>>> contain confidential and privileged information. If you are not
>> >>>>>>>>>> the
>> >>>>>>>>>> intended recipient, please contact the sender by reply e-mail
>> >>>>>>>>>> and
>> >>>>>>>>>> destroy
>> >>>>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>>>> use,
>> >>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>>>> this
>> >>>>>>>>>> email
>> >>>>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>>>> taken.
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>> Andrés Riancho
>> >>>>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>>>> Web Application Attack and Audit Framework
>> >>>>>>>>> Twitter: @w3af
>> >>>>>>>>> GPG: 0x93C344F3
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>
>> >>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>> >>>>>>>> may
>> >>>>>>>> contain confidential and privileged information. If you are not
>> >>>>>>>> the
>> >>>>>>>> intended recipient, please contact the sender by reply e-mail and
>> >>>>>>>> destroy
>> >>>>>>>> all copies and the original message. Any unauthorized review,
>> >>>>>>>> use,
>> >>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>> >>>>>>>> this
>> >>>>>>>> email
>> >>>>>>>> is strictly prohibited and appropriate legal action will be
>> >>>>>>>> taken.
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>>>
>> >>>>>>> --
>> >>>>>>> Andrés Riancho
>> >>>>>>> Project Leader at w3af - http://w3af.org/
>> >>>>>>> Web Application Attack and Audit Framework
>> >>>>>>> Twitter: @w3af
>> >>>>>>> GPG: 0x93C344F3
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>
>> >>>>>> This e-mail is for the sole use of the intended recipient(s) and
>> >>>>>> may
>> >>>>>> contain confidential and privileged information. If you are not the
>> >>>>>> intended recipient, please contact the sender by reply e-mail and
>> >>>>>> destroy
>> >>>>>> all copies and the original message. Any unauthorized review, use,
>> >>>>>> disclosure, dissemination, forwarding, printing or copying of this
>> >>>>>> email
>> >>>>>> is strictly prohibited and appropriate legal action will be taken.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>>>
>> >>>>> --
>> >>>>> Andrés Riancho
>> >>>>> Project Leader at w3af - http://w3af.org/
>> >>>>> Web Application Attack and Audit Framework
>> >>>>> Twitter: @w3af
>> >>>>> GPG: 0x93C344F3
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>
>> >>>> This e-mail is for the sole use of the intended recipient(s) and may
>> >>>> contain confidential and privileged information. If you are not the
>> >>>> intended recipient, please contact the sender by reply e-mail and
>> >>>> destroy
>> >>>> all copies and the original message. Any unauthorized review, use,
>> >>>> disclosure, dissemination, forwarding, printing or copying of this
>> >>>> email
>> >>>> is strictly prohibited and appropriate legal action will be taken.
>> >>>>
>> >>>>
>> >>>> -------------------------------------------------------------------------------------------------------------------------------
>> >>>>
>> >>>
>> >>> --
>> >>> Andrés Riancho
>> >>> Project Leader at w3af - http://w3af.org/
>> >>> Web Application Attack and Audit Framework
>> >>> Twitter: @w3af
>> >>> GPG: 0x93C344F3
>> >>>
>> >>>
>> >>
>> >>
>> >> -------------------------------------------------------------------------------------------------------------------------------
>> >>
>> >> This e-mail is for the sole use of the intended recipient(s) and may
>> >> contain confidential and privileged information. If you are not the
>> >> intended recipient, please contact the sender by reply e-mail and
>> >> destroy
>> >> all copies and the original message. Any unauthorized review, use,
>> >> disclosure, dissemination, forwarding, printing or copying of this
>> >> email
>> >> is strictly prohibited and appropriate legal action will be taken.
>> >>
>> >> -------------------------------------------------------------------------------------------------------------------------------
>> >>
>> >
>> >
>>
>>
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>> This e-mail is for the sole use of the intended recipient(s) and may
>> contain confidential and privileged information. If you are not the
>> intended recipient, please contact the sender by reply e-mail and destroy
>> all copies and the original message. Any unauthorized review, use,
>> disclosure, dissemination, forwarding, printing or copying of this email
>> is strictly prohibited and appropriate legal action will be taken.
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> W3af-users mailing list
>> W3a...@li...
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [W3af-develop] Regarding the w3af permission problem

[saleem <asa...@cd...>]

i have given all permissions to that folder , still i am not able to 
generate the file .

On Tuesday 25 June 2013 05:30 PM, Andres Riancho wrote:
> Nothing special. The directory /var/www/scanreports/ needs to be
> writable by the www-data user.
>
> On Tue, Jun 25, 2013 at 8:56 AM, saleem <asa...@cd...> wrote:
>> as i have written earlier , same code i am using but this time i am trying
>> to generate the XML output file .
>>
>> this is my w3af script :
>>
>> http-settings
>> set timeout 60
>> back
>> plugins
>> crawl web_spider
>> crawl config web_spider
>> set only_forward False
>> set follow_regex .*
>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>> back
>> audit blind_sqli
>> back
>> output xml_file
>> output config xml_file
>> set output_file /var/www/scanreports/w3af_10.242.92.6_25062013_165727.xml
>> back
>> back
>> target
>> set target <url>
>> back
>> start
>> exit
>>
>>
>> and this is my php script :
>> <?
>>
>> $w3af_script="22222.w3af";
>>
>> echo "Start of code ::*****";
>>
>> if(is_readable($w3af_script))
>>      {
>>
>>          echo "\n"."ready to execute the script in the terminal";
>>
>>          `python w3af_console -s $w3af_script`;
>>
>>      }
>>
>>
>> if(is_readable("w3af_10.242.92.6_25062013_162721.xml"))
>>
>> {
>>      echo "-----OOOOOOOOOOOoutput file got generated ";
>>
>> }
>> else
>>      echo "-----FFFFailed to generate the outpt file ";
>>
>>
>> ?>
>>
>>
>> so when i run this as root user it is generating the xml file and if same i
>> run as www-data user i am unable to get the output xml file .
>>
>> please guide me in setting right permissions so that i can get XML as output
>> file .
>>
>>
>>
>>
>>
>>
>>
>> On Tuesday 25 June 2013 05:07 PM, Andres Riancho wrote:
>>> On Tue, Jun 25, 2013 at 7:06 AM, saleem <asa...@cd...> wrote:
>>>> Thank u andrews for guiding me .
>>>>
>>>> i am facing a small problem ,i.e i am unable to generate the XML file
>>>> from
>>>> the browser is there any dependency for that ?
>>>>
>>>> if i run the same from terminal i am able to generate the XML file ,  i
>>>> am
>>>> using mozilla browser .
>>> The browser has nothing to do with all this. In any case it's PHP and
>>> the way you call w3af from it.
>>>
>>>> On Monday 24 June 2013 06:04 PM, Andres Riancho wrote:
>>>>> Saleem,
>>>>>
>>>>> On Mon, Jun 24, 2013 at 9:14 AM, saleem <asa...@cd...> wrote:
>>>>>> Thanku so much for that andrews .
>>>>>>
>>>>>> now i am able to generate file , but i have having small problem,
>>>>>>
>>>>>> i am getting  this error at the end of the txt file which got generated
>>>>>> .
>>>>>>
>>>>>> [Mon Jun 24 17:19:43 2013 - console] termios error: (25, 'Inappropriate
>>>>>> ioctl for device')
>>>>> Seen this before, but never needed to fix it. I mean... w3af continues
>>>>> to work, and you only get it when w3af is run "without a terminal".
>>>>>
>>>>> How did you fix your original error?
>>>>>
>>>>>> any solution for this kind of error !!
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday 24 June 2013 04:58 PM, Andres Riancho wrote:
>>>>>>> On Mon, Jun 24, 2013 at 8:08 AM, saleem <asa...@cd...> wrote:
>>>>>>>> thanks for the response andrews.
>>>>>>>>
>>>>>>>>
>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>
>>>>>>>>
>>>>>>>> I suspect permission issue because when i run the code as root user
>>>>>>>> in
>>>>>>>> the
>>>>>>>> terminal it is generating the output file.
>>>>>>>>
>>>>>>>> if i run the same code in the browser it is not generating the output
>>>>>>>> files
>>>>>>>> .
>>>>>>> Can be because of other things, like the www-data user not having an
>>>>>>> environment variable set, or something like that.
>>>>>>>
>>>>>>> Try this:
>>>>>>>
>>>>>>> sudo -s -H
>>>>>>> <enter your root password>
>>>>>>> su www-data
>>>>>>> cd to-python-install
>>>>>>> python w3af_console ...
>>>>>>>
>>>>>>>> Are you trying "su www-data" and then running the exact same command?
>>>>>>>>
>>>>>>>>
>>>>>>>> i have given www-data:www-data permission to my code as well .
>>>>>>>> still it is not working.
>>>>>>>>
>>>>>>>> i will try to explain once again :
>>>>>>>>
>>>>>>>> i have a w3af script for w3af crawl -
>>>>>>>> http-settings
>>>>>>>> set timeout 60
>>>>>>>> back
>>>>>>>> plugins
>>>>>>>> crawl web_spider
>>>>>>>> crawl config web_spider
>>>>>>>> set only_forward False
>>>>>>>> set follow_regex .*http:/localhost.*
>>>>>>>> set ignore_regex (?i)(logout|disconnect|signout|exit)+
>>>>>>>> back
>>>>>>>> output text_file
>>>>>>>> output config text_file
>>>>>>>> set output_file
>>>>>>>> /var/www/wsafe1/scanreports/crawl_localhost_222222222.txt
>>>>>>>> set verbose False
>>>>>>>> back
>>>>>>>> back
>>>>>>>> target
>>>>>>>> set target http://localhost:80
>>>>>>>> back
>>>>>>>> start
>>>>>>>> exit
>>>>>>>>
>>>>>>>>
>>>>>>>> i have called this script in my php code i.e :
>>>>>>>>
>>>>>>>> <?
>>>>>>>>
>>>>>>>> $w3af_script="/var/www/wsafe1/crawl_localhost_222222222.w3af";
>>>>>>>> echo "Start of code ::*****";
>>>>>>>>
>>>>>>>> if(is_readable($w3af_script))
>>>>>>>>         {
>>>>>>>>
>>>>>>>>             echo "\n"."ready to execute the script in the terminal";
>>>>>>>>
>>>>>>>>             `python /var/www/wsafe1/tools/w3af/w3af_console -s
>>>>>>>> $w3af_script`;
>>>>>>>>
>>>>>>>>         }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> if(is_readable("/var/www/wsafe1/scanreports/crawl_localhost_222222222.txt"))
>>>>>>>> {
>>>>>>>>         echo "-----OOOOOOOOOOOoutput file got generated ";
>>>>>>>>
>>>>>>>> }
>>>>>>>> else
>>>>>>>>         echo "-----FFFFailed to generate the outpt file ";
>>>>>>>>
>>>>>>>>
>>>>>>>> ?>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> now problem is , i am not getting the file generated if i run the
>>>>>>>> code
>>>>>>>> from
>>>>>>>> the browser or by normal user.
>>>>>>>>
>>>>>>>> root user is able to generate the files using the same code .
>>>>>>>>
>>>>>>>>
>>>>>>>> please help me out !!!!!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Monday 24 June 2013 04:14 PM, Andres Riancho wrote:
>>>>>>>>> Saleem,
>>>>>>>>>
>>>>>>>>> On Mon, Jun 24, 2013 at 1:11 AM, saleem <asa...@cd...>
>>>>>>>>> wrote:
>>>>>>>>>> ok thanku for responding andres .
>>>>>>>>>>
>>>>>>>>>> fine i will tell u in detail what i have done .
>>>>>>>>>>
>>>>>>>>>> Earlier i had older version of w3af(r4473) in which my script was
>>>>>>>>>> working
>>>>>>>>>> fine
>>>>>>>>>> currently i am using
>>>>>>>>>> w3af - Web Application Attack and Audit Framework
>>>>>>>>>> Version: 1.5
>>>>>>>>>> Revision: 790bb82add
>>>>>>>>> First of all, it was a great idea to update.
>>>>>>>>>
>>>>>>>>>> w3af script i have written (attachment) :
>>>>>>>>>> screenshot 1
>>>>>>>>>> PHP script i have written was (attachment):
>>>>>>>>>> screenshot 2
>>>>>>>>> I wouldn't run w3af in the request/response process. I'm unsure
>>>>>>>>> about
>>>>>>>>> how to do it for PHP, but in python there is Celery which allows you
>>>>>>>>> to queue work, process results, etc.
>>>>>>>>>
>>>>>>>>>> now i have given permission to that php script as  well as w3af ,
>>>>>>>>>> using
>>>>>>>>>> chmod command i have given 777 permissions.
>>>>>>>>> Why do you suspect of permissions issue?
>>>>>>>>>
>>>>>>>>>> problem is when i am executing it in terminal i am getting the
>>>>>>>>>> output
>>>>>>>>>> ,
>>>>>>>>>> if
>>>>>>>>>> the same i am executing in the browser i am not getting the output
>>>>>>>>>> i.e
>>>>>>>>>> output files are not getting generated .
>>>>>>>>> Are you trying "su www-data" and then running the exact same
>>>>>>>>> command?
>>>>>>>>>
>>>>>>>>>> please help me out and sorry for my english.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Monday 24 June 2013 12:35 AM, Andres Riancho wrote:
>>>>>>>>>>> Saleem,
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Jun 21, 2013 at 12:31 PM, saleem <asa...@cd...>
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Hi all ,
>>>>>>>>>>>>
>>>>>>>>>>>> I have written a script which uses w3af script in the background,
>>>>>>>>>>>> and
>>>>>>>>>>>> trying
>>>>>>>>>>>> to execute that script through browser , but i am not getting any
>>>>>>>>>>>> output
>>>>>>>>>>>> if
>>>>>>>>>>>> i do the same in the terminal i am getting the output .
>>>>>>>>>>>>
>>>>>>>>>>>> please help me out !!!
>>>>>>>>>>> It's almost impossible to answer this question without more
>>>>>>>>>>> detail.
>>>>>>>>>>> Also, why do you think this is a w3af problem and not just you
>>>>>>>>>>> setting
>>>>>>>>>>> incorrect permissions to the filesystem files? More than glad to
>>>>>>>>>>> help
>>>>>>>>>>> if you send details,
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>>> Thanks & Regards ,
>>>>>>>>>>>> saleem
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>>>> may
>>>>>>>>>>>> contain confidential and privileged information. If you are not
>>>>>>>>>>>> the
>>>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>>>> destroy
>>>>>>>>>>>> all copies and the original message. Any unauthorized review,
>>>>>>>>>>>> use,
>>>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of
>>>>>>>>>>>> this
>>>>>>>>>>>> email
>>>>>>>>>>>> is strictly prohibited and appropriate legal action will be
>>>>>>>>>>>> taken.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>> This SF.net email is sponsored by Windows:
>>>>>>>>>>>>
>>>>>>>>>>>> Build for Windows Store.
>>>>>>>>>>>>
>>>>>>>>>>>> http://p.sf.net/sfu/windows-dev2dev
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>>> W3a...@li...
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Andrés Riancho
>>>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>>>> Twitter: @w3af
>>>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and
>>>>>>>>>> may
>>>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>>>> destroy
>>>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>>>> email
>>>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrés Riancho
>>>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>>>> Web Application Attack and Audit Framework
>>>>>>>>> Twitter: @w3af
>>>>>>>>> GPG: 0x93C344F3
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>>>> contain confidential and privileged information. If you are not the
>>>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>>>> destroy
>>>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>>>> email
>>>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>>>
>>>>>>> --
>>>>>>> Andrés Riancho
>>>>>>> Project Leader at w3af - http://w3af.org/
>>>>>>> Web Application Attack and Audit Framework
>>>>>>> Twitter: @w3af
>>>>>>> GPG: 0x93C344F3
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>>>> contain confidential and privileged information. If you are not the
>>>>>> intended recipient, please contact the sender by reply e-mail and
>>>>>> destroy
>>>>>> all copies and the original message. Any unauthorized review, use,
>>>>>> disclosure, dissemination, forwarding, printing or copying of this
>>>>>> email
>>>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>>>
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>>
>>>>>
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> This e-mail is for the sole use of the intended recipient(s) and may
>>>> contain confidential and privileged information. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and destroy
>>>> all copies and the original message. Any unauthorized review, use,
>>>> disclosure, dissemination, forwarding, printing or copying of this email
>>>> is strictly prohibited and appropriate legal action will be taken.
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------------
>>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>>
>>>
>>
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>> This e-mail is for the sole use of the intended recipient(s) and may
>> contain confidential and privileged information. If you are not the
>> intended recipient, please contact the sender by reply e-mail and destroy
>> all copies and the original message. Any unauthorized review, use,
>> disclosure, dissemination, forwarding, printing or copying of this email
>> is strictly prohibited and appropriate legal action will be taken.
>> -------------------------------------------------------------------------------------------------------------------------------
>>
>
>


-------------------------------------------------------------------------------------------------------------------------------

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------