Home → Problems →

Cannot login on Wackopicko

• Edit

Michel Arboi

20 Apr, 2015 02:43 PM

I ran that command to scan Wackopicko:

arachni http://172.30.58.20:8888/ --plugin=autologin:url=http://172.30.58.20:8888/users/login.php,parameters='username=scanner1&password=scanner1',check='>Logout<' --scope-exclude-pattern='\/logout.php' --http-user-agent='Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0' --report-save-path=wackopicko2.afr

I got:

 [*] Initializing...
 [*] Waiting for plugins to settle...
 [~] AutoLogin: System paused.
 [-] AutoLogin: Could not find a form suiting the provided parameters.
 [~] AutoLogin: Aborting the scan.

What am I doing wrong? How can I debug this?
Of course, I can use the proxy plugin but I'd like to see autologin working.

1. Support Staff 1 Posted by Tasos Laskos on 20 Apr, 2015 02:46 PM

   

   Hello,

   Are the username and password fields actually named username and password in the login form or did the example options confuse you?

   • Edit

2. 2 Posted by Michel Arboi on 20 Apr, 2015 04:18 PM

   

   Yes, the names are right.

         <form action="/users/login.php" method="POST">
         <tr><td>Username :</td><td> <input type="text" name="username" /></td></tr>
         <tr><td>Password :</td><td> <input type="password" name="password" /></td></tr>
         <tr><td><input type="submit" value="login" /></td><td> <a href="/users/register.php">Register</a></td></tr>
      </form>
   

   • Edit

3. Support Staff 3 Posted by Tasos Laskos on 20 Apr, 2015 04:24 PM

   

   Hm, and http://172.30.58.20:8888/users/login.php is both the container of the login form and its action?

   Could you show be what's returned by a simple GET request to it please?

   • Edit

4. 4 Posted by Michel Arboi on 20 Apr, 2015 04:40 PM

   

   Yes, first the page is fetched by GET, then it is called by POST.

   The whole page (GET) is big, I'm not sure this is more useful than the small piece of code that I extracted.

   • WackoPickoLogin.html 3.11 KB
   • Edit

5. Support Staff 5 Posted by Tasos Laskos on 20 Apr, 2015 04:51 PM

   

   The code you extracted is very different from the one in the page you attached:

       <h2>Login</h2>
           <table style="width:320px" cellspacing="0">
         <form action="./WackoPickoLogin_files/WackoPickoLogin.html" method="POST"></form>
         <tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
         <tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
         <tr><td><input type="submit" value="login"></td><td> <a href="http://172.30.58.20:8888/users/register.php">Register</a></td></tr>
      
    </tbody></table>
   

   The HTML of the page in general is horribly broken, the inputs don't actually belong to the login form, they're just orphan elements; the form itself has no inputs.

   • Edit

6. Tasos Laskos closed this discussion on 20 Apr, 2015 06:08 PM.

7. Michel Arboi re-opened this discussion on 21 Apr, 2015 08:12 AM

8. 6 Posted by Michel Arboi on 21 Apr, 2015 08:12 AM

   

   Sorry, the HTML was broken by the save action :-(

   • WackoPickoLogin2.html 2.63 KB
   • Edit

9. Support Staff 7 Posted by Tasos Laskos on 21 Apr, 2015 05:12 PM

   

   Hm, can you retry with--output-debug=3 please and attach the output here?

   • Edit

10. 8 Posted by Michel Arboi on 21 Apr, 2015 05:46 PM

    

    Here it is.

    • arachni-login-debug.txt 21.6 KB
    • Edit

11. Support Staff 9 Posted by Tasos Laskos on 21 Apr, 2015 06:05 PM

    

    I'm not sure if it's the browser sanitization that alters the structure, but this is what the system effectively gets:

        <h2>Login</h2>
            <table style="width:320px" cellspacing="0">
          <form action="/users/login.php" method="POST"></form>
          <tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
          <tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
          <tr><td><input type="submit" value="login"></td><td> <a href="/users/register.php">Register</a></td></tr>
    
     </tbody></table>
    

    Which presents the same issue as your first attachment -- i.e. the inputs being outside the form.

    So you have 2 options:

    1. Disable using the browsers altogether. This is more accepting of broken HTML code and will probably parse the form. It will however result in less scan coverage since the crawl and some XSS checks require the browsers.
       
    2. Login using a simple script instead of using the autologin plugin, like so: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
    • Edit

12. 10 Posted by Michel Arboi on 22 Apr, 2015 09:02 AM

    

    How can I disable the browsers? Should I use --browser-cluster-pool-size 0?

    • Edit

13. Support Staff 11 Posted by Tasos Laskos on 22 Apr, 2015 09:04 AM

    

    Exactly, apologies for forgetting to mention it.

    • Edit

14. 12 Posted by Michel Arboi on 22 Apr, 2015 09:51 AM

    

    It does not work either :( This is not very important, as Wackopicko is not a real application, but all this is odd.

    I had no luck with login_script, my competences in Watir are close to zero.

    • Edit

15. Support Staff 13 Posted by Tasos Laskos on 22 Apr, 2015 09:53 AM

    

    You were supposed to use the HTTP request method for the login script as the browser sanitization is causing issues.
    It is odd though, I'll have a look at it when I find some free time.

    • Edit

16. Tasos Laskos closed this discussion on 06 May, 2015 01:20 PM.