Cannot login on Wackopicko
I ran that command to scan Wackopicko:
arachni http://172.30.58.20:8888/ --plugin=autologin:url=http://172.30.58.20:8888/users/login.php,parameters='username=scanner1&password=scanner1',check='>Logout<' --scope-exclude-pattern='\/logout.php' --http-user-agent='Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0' --report-save-path=wackopicko2.afr
I got:
[*] Initializing...
[*] Waiting for plugins to settle...
[~] AutoLogin: System paused.
[-] AutoLogin: Could not find a form suiting the provided parameters.
[~] AutoLogin: Aborting the scan.
What am I doing wrong? How can I debug this?
Of course, I can use the proxy plugin but I'd like to see autologin
working.
Support Staff 1 Posted by Tasos Laskos on 20 Apr, 2015 02:46 PM
Hello,
Are the username and password fields actually named username and password in the login form or did the example options confuse you?
2 Posted by Michel Arboi on 20 Apr, 2015 04:18 PM
Yes, the names are right.
Support Staff 3 Posted by Tasos Laskos on 20 Apr, 2015 04:24 PM
Hm, and http://172.30.58.20:8888/users/login.php is both the container of the login form and its action?
Could you show me what's returned by a simple GET request to it please?
4 Posted by Michel Arboi on 20 Apr, 2015 04:40 PM
Yes, first the page is fetched by GET, then it is called by POST.
The whole page (GET) is big, I'm not sure this is more useful than the small piece of code that I extracted.
Support Staff 5 Posted by Tasos Laskos on 20 Apr, 2015 04:51 PM
The code you extracted is very different from the one in the page you attached:
The HTML of the page in general is horribly broken, the inputs don't actually belong to the login form, they're just orphan elements; the form itself has no inputs.
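A small diagnostic for the failure discussed in this thread, as an added example that is not part of the original posts and not Arachni's own code: it checks whether the fields named in the autologin parameters are actually nested inside a form in the HTML the scanner received. The sample markup is constructed, and audit_login_form is a hypothetical helper name.

```python
from html.parser import HTMLParser

FIELD_TAGS = {"input", "select", "textarea", "button"}

class FormAudit(HTMLParser):
    """Record which named fields sit inside each <form> and which are orphans."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form>: action, method, field names
        self.orphans = []    # named fields found outside any <form>
        self._open = None    # the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._open)
        elif tag in FIELD_TAGS and a.get("name"):
            # The form= attribute is ignored; association is by nesting only.
            (self._open["fields"] if self._open else self.orphans).append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_form(html, wanted):
    """Return (forms holding every wanted field, wanted fields that are orphaned)."""
    p = FormAudit()
    p.feed(html)
    p.close()
    matches = [f for f in p.forms if set(wanted) <= set(f["fields"])]
    return matches, sorted(set(wanted) & set(p.orphans))

# Constructed samples, not WackoPicko's real markup.
BROKEN = """<table><form action="/users/login.php" method="POST"></form>
<tr><td><input type="text" name="username"></td></tr>
<tr><td><input type="password" name="password"></td></tr>
<tr><td><input type="submit" value="login"></td></tr></table>"""

INTACT = """<form action="/users/login.php" method="POST">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="login"></form>"""

if __name__ == "__main__":
    for label, page in (("broken", BROKEN), ("intact", INTACT)):
        matches, orphans = audit_login_form(page, ["username", "password"])
        print(label, "matching forms:", matches, "orphaned:", orphans)
```

An empty match list together with a non-empty orphan list is the situation described above: the form exists, but the named inputs sit outside it.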
Tasos Laskos closed this discussion on 20 Apr, 2015 06:08 PM.
Michel Arboi re-opened this discussion on 21 Apr, 2015 08:12 AM
6 Posted by Michel Arboi on 21 Apr, 2015 08:12 AM
Sorry, the HTML was broken by the save action :-(
Support Staff 7 Posted by Tasos Laskos on 21 Apr, 2015 05:12 PM
Hm, can you retry with --output-debug=3 please and attach the output here?
8 Posted by Michel Arboi on 21 Apr, 2015 05:46 PM
Here it is.
Support Staff 9 Posted by Tasos Laskos on 21 Apr, 2015 06:05 PM
I'm not sure if it's the browser sanitization that alters the structure, but this is what the system effectively gets:
Which presents the same issue as your first attachment -- i.e. the inputs being outside the form.
So you have 2 options:
autologin plugin, like so: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
10 Posted by Michel Arboi on 22 Apr, 2015 09:02 AM
How can I disable the browsers? Should I use --browser-cluster-pool-size 0 ?
Support Staff 11 Posted by Tasos Laskos on 22 Apr, 2015 09:04 AM
Exactly, apologies for forgetting to mention it.
12 Posted by Michel Arboi on 22 Apr, 2015 09:51 AM
It does not work either :( This is not very important, as Wackopicko is not a real application, but all this is odd.
I had no luck with login_script, my competences in Watir are close to zero.
Support Staff 13 Posted by Tasos Laskos on 22 Apr, 2015 09:53 AM
You were supposed to use the HTTP request method for the login script as the browser sanitization is causing issues.
It is odd though, I'll have a look at it when I find some free time.
Tasos Laskos closed this discussion on 06 May, 2015 01:20 PM.