Thread: [W3af-svn-notify] [Task #148840] audit.eval
From: SourceForge.net <no...@so...> - 2008-05-29 23:25:09
Task #148840 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 0%
Status: Open
Authority : andresriancho
Assigned to: nobody

Description:
I can't believe I forgot this! =)

OS Commands ASP
1. https://localhost/dash/admin/logview.asp
Here the site shows us a dialog box where we must enter the name of the log.
Attacks:
laslog5 && dir c:\

OS Commands PHP
2. https://localhost/search.php?storedsearch=\$mysearch%3dwahh
Attacks:
https://localhost/search.php?storedsearch=\$mysearch%3dwahh;%20echo%20file_get_contests("/etc/passwd)
https://localhost/search.php?storedsearch=\$mysearch%3dwahh;%20system("cat /etc/passwd")

OS Commands Dynamic Exe ASP
3. https://localhost/search.asp?storedsearch=mysearch%3dwahh:responde.write%20111111
Attacks:
https://localhost/search.asp?storedsearch=mysearch%3dwahh:+Dim +oScript:+Set+oScript+=Server.CreateObject("WSCRIPT.SHELL"):+CALL+oSCRIPT.Run+("cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt",0,True)

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=148840&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-07-16 22:31:03
Task #148840 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 0%
Status: Deleted
Authority : andresriancho
Assigned to: nobody

Description:
I can't believe I forgot this! =)

OS Commands ASP
1. https://localhost/dash/admin/logview.asp
Here the site shows us a dialog box where we must enter the name of the log.
Attacks:
laslog5 && dir c:\

OS Commands PHP
2. https://localhost/search.php?storedsearch=\$mysearch%3dwahh
Attacks:
https://localhost/search.php?storedsearch=\$mysearch%3dwahh;%20echo%20file_get_contests("/etc/passwd)
https://localhost/search.php?storedsearch=\$mysearch%3dwahh;%20system("cat /etc/passwd")

OS Commands Dynamic Exe ASP
3. https://localhost/search.asp?storedsearch=mysearch%3dwahh:responde.write%20111111
Attacks:
https://localhost/search.asp?storedsearch=mysearch%3dwahh:+Dim +oScript:+Set+oScript+=Server.CreateObject("WSCRIPT.SHELL"):+CALL+oSCRIPT.Run+("cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt",0,True)

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=148840&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-07-16 22:31:18
Task #149931 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 0%
Status: Open
Authority : andresriancho
Assigned to: nobody

Description:
OS Commands Dynamic Exe ASP
3. https://localhost/search.asp?storedsearch=mysearch%3dwahh:responde.write%20111111
Attacks:
https://localhost/search.asp?storedsearch=mysearch%3dwahh:+Dim +oScript:+Set+oScript+=Server.CreateObject("WSCRIPT.SHELL"):+CALL+oSCRIPT.Run+("cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt",0,True)

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149931&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-07-16 22:31:43
Task #149931 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 0%
Status: Deleted
Authority : andresriancho
Assigned to: nobody

Description:
OS Commands Dynamic Exe ASP
3. https://localhost/search.asp?storedsearch=mysearch%3dwahh:responde.write%20111111
Attacks:
https://localhost/search.asp?storedsearch=mysearch%3dwahh:+Dim +oScript:+Set+oScript+=Server.CreateObject("WSCRIPT.SHELL"):+CALL+oSCRIPT.Run+("cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt",0,True)

Follow-Ups:

-------------------------------------------------------
Date: 2008-07-16 19:31
By: andresriancho

Comment:
The idea

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149931&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-07-16 22:35:43
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 0%
Status: Open
Authority : andresriancho
Assigned to: woodspeed

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-08-11 02:51:03
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 75%
Status: Open
Authority : andresriancho
Assigned to: woodspeed

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk, some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-08-11 02:56:58
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 80%
Status: Open
Authority : andresriancho
Assigned to: woodspeed

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2008-08-10 23:56
By: andresriancho

Comment:
Now it works with magic quotes enabled.

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk, some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-11-04 00:19:38
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 80%
Status: Open
Authority : andresriancho
Assigned to: oxdef

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2008-11-03 22:19
By: andresriancho

Comment:
Assigning to Taras.

-------------------------------------------------------
Date: 2008-08-10 23:56
By: andresriancho

Comment:
Now it works with magic quotes enabled.

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk, some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2008-11-04 00:22:53
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 80%
Status: Open
Authority : andresriancho
Assigned to: oxdef

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2008-11-03 22:22
By: andresriancho

Comment:
One of the modifications that I've been trying to introduce into w3af is the idea of testing for a vulnerability using MORE THAN ONE TECHNIQUE. While I think that the current approach used in audit.eval is cool, and should still be used, I also think that the plugin should test for the response using the sleep() method of the corresponding language, and checking if the response time takes more than usual.

An example of what I'm talking about is the audit.osCommanding plugin, which uses "echo" and "ping" to discover the same vulnerability.

-------------------------------------------------------
Date: 2008-11-03 22:19
By: andresriancho

Comment:
Assigning to Taras.

-------------------------------------------------------
Date: 2008-08-10 23:56
By: andresriancho

Comment:
Now it works with magic quotes enabled.

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk, some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
From: SourceForge.net <no...@so...> - 2009-01-20 19:36:07
Task #149932 has been updated.

Project: w3af
Subproject: Plugin TODO v1.00
Summary: audit.eval
Complete: 100%
Status: Closed
Authority : andresriancho
Assigned to: oxdef

Description:
The idea of this task is to create an audit plugin that can find scripts that eval() user input. An example vulnerable script would be:

===eval.php===
<?
eval($_GET['c']);
?>
==============

And a way to check for this is to GET this URL:

http://localhost/w3af/eval/eval.php?c=echo 'aaaa' . 'dddd';

And see if in the response we find "aaaadddd" (of course, aaaa and dddd should be replaced by two random strings of length at least 6.)

Follow-Ups:

-------------------------------------------------------
Date: 2009-01-20 17:36
By: andresriancho

Comment:
Verified code, added support for different languages. Committed in revision 2363.

-------------------------------------------------------
Date: 2008-11-03 22:22
By: andresriancho

Comment:
One of the modifications that I've been trying to introduce into w3af is the idea of testing for a vulnerability using MORE THAN ONE TECHNIQUE. While I think that the current approach used in audit.eval is cool, and should still be used, I also think that the plugin should test for the response using the sleep() method of the corresponding language, and checking if the response time takes more than usual.

An example of what I'm talking about is the audit.osCommanding plugin, which uses "echo" and "ping" to discover the same vulnerability.

-------------------------------------------------------
Date: 2008-11-03 22:19
By: andresriancho

Comment:
Assigning to Taras.

-------------------------------------------------------
Date: 2008-08-10 23:56
By: andresriancho

Comment:
Now it works with magic quotes enabled.

-------------------------------------------------------
Date: 2008-08-10 23:51
By: andresriancho

Comment:
The plugin is working and was added to the trunk, some tasks are still in Viktor's TODO list:
- make it work when magic quotes is enabled
- make it work for ASP, JSP, ASP.NET, Python.

-------------------------------------------------------
For more info, visit:
http://sourceforge.net/pm/task.php?func=detailtask&project_task_id=149932&group_id=170274&group_project_id=50603
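
Added example (not w3af's plugin code and not part of the original messages): the two checks discussed in this thread, the echo of two concatenated random strings from the task description and the response-time comparison from the 2008-11-03 follow-up, run against constructed stand-in pages so no network is needed. All function names, the 0.9 tolerance and the timing samples are assumptions made for illustration.

```python
import re
import secrets
import string


def rand_token(n=8):
    """Random lowercase token; the task asks for at least 6 characters."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def build_echo_probe(a, b):
    """PHP probe from the task description: echo two concatenated strings."""
    return "echo '%s' . '%s';" % (a, b)


def echo_detected(body, a, b):
    """Only evaluated code yields the joined token; a page that merely
    reflects the probe still has the quotes and the dot between the halves."""
    return (a + b) in body


def delay_detected(baseline, elapsed, delay):
    """Timing check (assumed rule): the probe response must exceed the
    slowest baseline response by roughly the requested sleep."""
    return elapsed >= max(baseline) + 0.9 * delay


# Constructed stand-ins for two kinds of page; nothing is sent anywhere.
_ECHO = re.compile(r"^echo '([a-z]+)' \. '([a-z]+)';$")


def page_that_evals(c):
    """Simulates eval.php for the single statement the probe uses."""
    m = _ECHO.match(c)
    return m.group(1) + m.group(2) if m else ""


def page_that_reflects(c):
    """Simulates a page that prints the parameter back without evaluating it."""
    return "<p>No results for: %s</p>" % c


def audit(page):
    """Run the echo check with fresh random tokens against one page."""
    a, b = rand_token(), rand_token()
    return echo_detected(page(build_echo_probe(a, b)), a, b)


if __name__ == "__main__":
    print("evals input:   ", audit(page_that_evals))
    print("reflects input:", audit(page_that_reflects))
    print("timing hit:    ", delay_detected([0.21, 0.25, 0.30], 5.3, 5))
```

The reflected case is why the probe concatenates two tokens instead of echoing one: a single token would appear in the response whether or not the input was evaluated.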