tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/1113-scan-with-user-loggedArachni: Discussion 2014-06-27T23:30:48Ztag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-03-25T18:42:32Z2014-03-25T18:42:33Zscan with user logged<div><p>Hi,<br>
I need to login in web application, but appears the error</p>
<p>I have sure that URL, user and password is right, but I cant log
on application with success</p>
<p>please someone help me</p>
<p>Tks</p>
<p>Eliézer</p></div>Eliezertag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-03-26T05:17:53Z2014-03-26T05:17:53Zscan with user logged<div><p>What sort of error are you getting?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-03-27T15:18:52Z2014-03-27T15:18:54Zscan with user logged<div><p>Can u see attach file please?</p></div>Eliézertag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-03-27T15:21:01Z2014-03-27T15:21:01Zscan with user logged<div><p>I see no attached file, if you sent it via e-mail it won't be
available on this ticket.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-03-28T07:24:40Z2014-03-28T07:24:40Zscan with user logged<div><p>I saw the picture you sent me privately but could you please
attach the whole error log as a text file to <strong>this</strong>
discussion so that I can have a proper look at it?</p>
<p>You can remove any sensitive information.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-05T16:48:36Z2014-04-05T23:37:20Zscan with user logged<div><pre>
<code>2014-04-05 10:52:38 -0300 --------------------------------------------------------------------------------
ENV:
---
ORBIT_SOCKETDIR: "/tmp/orbit-root"
HOSTNAME: xxxxxx-srv
NOKOGIRI_USE_SYSTEM_LIBRARIES: 'true'
GEM_HOME: "/root/softs/arachni-0.4.6-0.4.3/system/gems"
SHELL: "/bin/bash"
TERM: xterm
HISTSIZE: '1000'
XDG_SESSION_COOKIE: 10243573bcfab56b2631b7eb00000075-1395582833.874782-2111349255
IRBRC: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby/.irbrc"
GTK_RC_FILES: "/etc/gtk/gtkrc:/root/.gtkrc-1.2-gnome2"
WINDOWID: '25186349'
MY_RUBY_HOME: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby"
USER: root
LD_LIBRARY_PATH: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib"
LS_COLORS: 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:'
SSH_AUTH_SOCK: "/tmp/keyring-0YegzO/socket.ssh"
GNOME_KEYRING_SOCKET: "/tmp/keyring-0YegzO/socket"
USERNAME: root
SESSION_MANAGER: local/unix:@/tmp/.ICE-unix/2492,unix/unix:/tmp/.ICE-unix/2492
PATH: "/root/softs/arachni-0.4.6-0.4.3/system/gems/bin:/root/softs/arachni-0.4.6-0.4.3/bin/../system/../bin:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/bin:/root/softs/arachni-0.4.6-0.4.3/bin/../system/gems/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/root/bin"
MAIL: "/var/spool/mail/root"
DESKTOP_SESSION: gnome
PWD: "/root/softs/arachni-0.4.6-0.4.3/bin"
ARACHNI_WEBUI_LOGDIR: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/logs/webui"
GDM_KEYBOARD_LAYOUT: us
GNOME_KEYRING_PID: '2483'
LANG: en_US.UTF-8
GDM_LANG: en_US.UTF-8
ARACHNI_FRAMEWORK_LOGDIR: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/logs/framework"
GDMSESSION: gnome
HISTCONTROL: ignoredups
SSH_ASKPASS: "/usr/libexec/openssh/gnome-ssh-askpass"
SHLVL: '2'
HOME: "/root"
RAILS_ENV: production
GNOME_DESKTOP_SESSION_ID: this-is-deprecated
DYLD_LIBRARY_PATH: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib:"
LOGNAME: root
GEM_PATH: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/gems"
DBUS_SESSION_BUS_ADDRESS: unix:abstract=/tmp/dbus-KfY2vQEnrx,guid=59b0d31b0bb2cd7543645db000000254
LESSOPEN: "|/usr/bin/lesspipe.sh %s"
WINDOWPATH: '1'
DISPLAY: ":0.0"
RUBYLIB: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/bundler-1.5.1/lib:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby/site_ruby/1.9.1:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby/1.9.1:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby/1.9.1/x86_64-linux:/root/softs/arachni-0.4.6-0.4.3/bin/../system/usr/lib/ruby/site_ruby/1.9.1/x86_64-linux"
RUBY_VERSION: ruby-1.9.3-p448
G_BROKEN_FILENAMES: '1'
COLORTERM: gnome-terminal
XAUTHORITY: "/var/run/gdm/auth-for-root-JZ0Z8g/database"
RACK_ENV: development
BUNDLE_GEMFILE: "/root/softs/arachni-0.4.6-0.4.3/system/arachni-ui-web/Gemfile"
_ORIGINAL_GEM_PATH: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/gems"
BUNDLE_BIN_PATH: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/bundler-1.5.1/bin/bundle"
RUBYOPT: "-rbundler/setup"
--------------------------------------------------------------------------------
OPTIONS:
--- !ruby/object:Arachni::Options
dir:
root: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/"
gfx: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/gfx/"
conf: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/conf/"
logs: "/root/softs/arachni-0.4.6-0.4.3/bin/../system/logs/framework/"
data: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/data/"
modules: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/modules/"
reports: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/reports/"
plugins: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/plugins/"
rpcd_handlers: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/rpcd_handlers/"
path_extractors: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/path_extractors/"
fingerprinters: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/fingerprinters/"
lib: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/lib/arachni/"
support: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/lib/arachni/support/"
mixins: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/lib/arachni/mixins/"
arachni: "/root/softs/arachni-0.4.6-0.4.3/system/gems/gems/arachni-0.4.6/lib/arachni"
user_agent: Arachni/v0.4.6
http_timeout: 50000
datastore:
:token: 155d59e07a7bfe7459edda2fa9fd8cbd52d3ab8bc4ced04581a3e5caf4eb0071
redundant: {}
grid_mode:
https_only: true
obey_robots_txt: false
fuzz_methods: false
audit_cookies_extensively: false
exclude_binaries: false
auto_redundant:
depth_limit:
link_count_limit:
redirect_limit: 20
lsmod: []
lsrep: []
http_req_limit: 20
http_queue_size: 500
http_username:
http_password:
mods:
- code_injection
- code_injection_php_input_wrapper
- code_injection_timing
- csrf
- file_inclusion
- ldapi
- os_cmd_injection
- os_cmd_injection_timing
- path_traversal
- response_splitting
- rfi
- session_fixation
- source_code_disclosure
- sqli
- sqli_blind_rdiff
- sqli_blind_timing
- trainer
- unvalidated_redirect
- xpath
- xss
- xss_event
- xss_path
- xss_script_tag
- xss_tag
- allowed_methods
- backdoors
- backup_files
- captcha
- common_directories
- common_files
- credit_card
- cvs_svn_users
- directory_listing
- emails
- form_upload
- htaccess_limit
- html_objects
- http_only_cookies
- http_put
- insecure_cookies
- interesting_responses
- localstart_asp
- mixed_resource
- password_autocomplete
- private_ip
- ssn
- unencrypted_password_forms
- webdav
- x_forwarded_for_access_restriction_bypass
- xst
reports: {}
exclude: []
exclude_pages: []
exclude_cookies: []
exclude_vectors: []
include: []
lsplug: []
plugins:
autologin:
url: https://www.xxxxxxxx.com/hlogin.js?10531924
params: uid=xxxxx&passw=xxxxxxx
check: Sign Off|MY ACCOUNT
autothrottle:
discovery:
healthmap:
resolver:
timing_attacks:
uniformity:
rpc_instance_port_range:
- 1025
- 65535
load_profile: []
restrict_paths: []
extend_paths: []
custom_headers: {}
min_pages_per_instance: 30
max_slaves: 10
no_fingerprinting: false
platforms: []
spawns: 0
rpc_address: localhost
rpc_port: 48730
audit_links: true
audit_forms: true
audit_cookies: true
audit_headers: false
follow_subdomains: false
url: https://www.xxxxxxxx.com/servlet/hlogin
start_datetime: 2014-04-05 10:52:32.138083640 -03:00
delta_time: 6.242635756
cookies: []
--------------------------------------------------------------------------------
[2014-04-05 10:52:38 -0300] AutoLogin: Could not find a form suiting the provided params at: https://www.xxxxxxxx.com/hlogin.js?10531924</code>
</pre></div>Eliézer Pereiratag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-05T17:06:53Z2014-04-05T17:06:53Zscan with user logged<div><p>Looks like you've used the example configuration.<br>
You need to update the form parameters you're passing to the
<code>autologin</code> plugin to correspond with your login form.
Your form calls its login inputs something other than
<code>uid</code> and <code>passw</code>. Also, you need to change
the <code>check</code> option to correspond to your webapp's
indicator as well.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-05T17:55:16Z2014-04-05T17:55:17Zscan with user logged<div><p>so i have to put on script autologin some like this:</p>
<ul>
<li>Form parameters to submit. ( username=user&password=pass )
(params):</li>
</ul>
<p>Login=xxxxxx&Password=xxxxxx</p>
<p>fields required on my web app<br>
(please see atached file)</p></div>Eliézer Pereiratag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-05T17:57:56Z2014-04-05T17:57:56Zscan with user logged<div><p>Yep, although there's no attached file.</p>
<p>Also, I saw a <code>.js</code> extension, not sure what that
means but if the form is submitted via Javascript then the
autologin plugin will not work.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T16:04:25Z2014-04-10T16:04:28Zscan with user logged<div><p>Hi Tasos,</p>
<p>I changed the plugin config and now appears other error:</p>
<p>AutoLogin: Form submitted but the response did not match the
verifier.</p></div>Eliézertag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T16:06:34Z2014-04-10T16:06:34Zscan with user logged<div><p>Can you show me the updated config please?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T18:11:40Z2014-04-10T18:11:42Zscan with user logged<div><p>see log error please</p></div>Eliézertag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T19:11:52Z2014-04-10T19:11:52Zscan with user logged<div><p>You didn't properly configure the plugin as per my previous
instructions. You forgot to set the proper <code>check</code>
option for your web application, it still has the value of
<code>Sign Off|MY ACCOUNT</code> from the help article.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T19:16:16Z2014-04-10T19:16:17Zscan with user logged<div><p>i dont understood what is goal of this value<br>
can you explain me?</p>
<p>I dont find nothing to put on this field that can be on my web
app</p></div>Eliézertag:support.arachni-scanner.com,2012-07-01:Comment/322610252014-04-10T19:20:47Z2014-04-10T19:20:47Zscan with user logged<div><p>I don't know how to explain it better, the article is pretty
clear:</p>
<p><em>check -- A pattern to be matched against the response body
after requesting the supplied URL in order to verify a successful
login.</em></p>
<p>Basically, it must be a string that will only appear after a
successful login so that the system will know that it has a valid
session.</p></div>Tasos Laskos