Cannot login on Wackopicko

Michel Arboi

20 Apr, 2015 02:43 PM

I ran that command to scan Wackopicko:

arachni http://172.30.58.20:8888/ --plugin=autologin:url=http://172.30.58.20:8888/users/login.php,parameters='username=scanner1&password=scanner1',check='>Logout<' --scope-exclude-pattern='\/logout.php' --http-user-agent='Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0' --report-save-path=wackopicko2.afr

I got:

 [*] Initializing...
 [*] Waiting for plugins to settle...
 [~] AutoLogin: System paused.
 [-] AutoLogin: Could not find a form suiting the provided parameters.
 [~] AutoLogin: Aborting the scan.

What am I doing wrong? How can I debug this?
Of course, I can use the proxy plugin but I'd like to see autologin working.

  1. Support Staff 1 Posted by Tasos Laskos on 20 Apr, 2015 02:46 PM

    Hello,

    Are the username and password fields actually named username and password in the login form or did the example options confuse you?

  2. 2 Posted by Michel Arboi on 20 Apr, 2015 04:18 PM

    Yes, the names are right.

          <form action="/users/login.php" method="POST">
          <tr><td>Username :</td><td> <input type="text" name="username" /></td></tr>
          <tr><td>Password :</td><td> <input type="password" name="password" /></td></tr>
          <tr><td><input type="submit" value="login" /></td><td> <a href="/users/register.php">Register</a></td></tr>
       </form>
    
  3. Support Staff 3 Posted by Tasos Laskos on 20 Apr, 2015 04:24 PM

    Hm, and http://172.30.58.20:8888/users/login.php is both the container of the login form and its action?

    Could you show me what's returned by a simple GET request to it please?

  4. 4 Posted by Michel Arboi on 20 Apr, 2015 04:40 PM

    Yes, first the page is fetched by GET, then it is called by POST.

    The whole page (GET) is big, I'm not sure this is more useful than the small piece of code that I extracted.

  5. Support Staff 5 Posted by Tasos Laskos on 20 Apr, 2015 04:51 PM

    The code you extracted is very different from the one in the page you attached:

        <h2>Login</h2>
            <table style="width:320px" cellspacing="0">
          <form action="./WackoPickoLogin_files/WackoPickoLogin.html" method="POST"></form>
          <tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
          <tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
          <tr><td><input type="submit" value="login"></td><td> <a href="http://172.30.58.20:8888/users/register.php">Register</a></td></tr>
       
     </tbody></table>
    

    The HTML of the page in general is horribly broken, the inputs don't actually belong to the login form, they're just orphan elements; the form itself has no inputs.

  6. Tasos Laskos closed this discussion on 20 Apr, 2015 06:08 PM.

  7. Michel Arboi re-opened this discussion on 21 Apr, 2015 08:12 AM

  8. 6 Posted by Michel Arboi on 21 Apr, 2015 08:12 AM

    Sorry, the HTML was broken by the save action :-(

  9. Support Staff 7 Posted by Tasos Laskos on 21 Apr, 2015 05:12 PM

    Hm, can you retry with --output-debug=3 please and attach the output here?

  10. 8 Posted by Michel Arboi on 21 Apr, 2015 05:46 PM

    Here it is.

  11. Support Staff 9 Posted by Tasos Laskos on 21 Apr, 2015 06:05 PM

    I'm not sure if it's the browser sanitization that alters the structure, but this is what the system effectively gets:

        <h2>Login</h2>
            <table style="width:320px" cellspacing="0">
          <form action="/users/login.php" method="POST"></form>
          <tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
          <tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
          <tr><td><input type="submit" value="login"></td><td> <a href="/users/register.php">Register</a></td></tr>
    
     </tbody></table>
    

    Which presents the same issue as your first attachment -- i.e. the inputs being outside the form.

    So you have 2 options:

    1. Disable using the browsers altogether. This is more accepting of broken HTML code and will probably parse the form. It will however result in less scan coverage since the crawl and some XSS checks require the browsers.
    2. Login using a simple script instead of using the autologin plugin, like so: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
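
The difference between the markup in reply 2 and the markup in reply 9, as an added example that is not part of the original thread and is not Arachni's code: a small Python check that reports which forms own both login fields and which named inputs are orphans. The "form must contain every supplied parameter name" rule is an assumption about how a form is matched to the autologin parameters, and `FormCollector` and `login_form_report` are hypothetical names.

```python
from html.parser import HTMLParser

# Markup from reply 2 (raw page source, submit row trimmed): inputs inside the form.
SOURCE_HTML = """
<form action="/users/login.php" method="POST">
<tr><td>Username :</td><td> <input type="text" name="username" /></td></tr>
<tr><td>Password :</td><td> <input type="password" name="password" /></td></tr>
</form>
"""

# Markup from reply 9 (what the scanner got, submit row trimmed): form closed at once.
DOM_HTML = """
<table style="width:320px" cellspacing="0">
<form action="/users/login.php" method="POST"></form>
<tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
<tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
</tbody></table>
"""

class FormCollector(HTMLParser):
    """Record each form's named inputs and the named inputs outside any form."""

    def __init__(self):
        super().__init__()
        self.forms, self.orphans, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action"), "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and attrs.get("name"):
            # An input belongs to the form that is open when it appears, if any.
            owner = self.orphans if self._open is None else self._open["inputs"]
            owner.append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def login_form_report(html, wanted):
    """Return (actions of forms holding every wanted field, orphan input names)."""
    parser = FormCollector()
    parser.feed(html)
    hits = [f["action"] for f in parser.forms if set(wanted) <= set(f["inputs"])]
    return hits, parser.orphans

if __name__ == "__main__":
    for label, html in (("source", SOURCE_HTML), ("scanner view", DOM_HTML)):
        print(label, login_form_report(html, ["username", "password"]))
```

Running the same check over a page saved from the browser and over the raw HTTP response body shows quickly whether a "Could not find a form" message comes from the markup itself or from how it was parsed.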

  12. 10 Posted by Michel Arboi on 22 Apr, 2015 09:02 AM

    How can I disable the browsers? Should I use --browser-cluster-pool-size 0?

  13. Support Staff 11 Posted by Tasos Laskos on 22 Apr, 2015 09:04 AM

    Exactly, apologies for forgetting to mention it.

  14. 12 Posted by Michel Arboi on 22 Apr, 2015 09:51 AM

    It does not work either :( This is not very important, as Wackopicko is not a real application, but all this is odd.

    I had no luck with login_script, my competences in Watir are close to zero.

  15. Support Staff 13 Posted by Tasos Laskos on 22 Apr, 2015 09:53 AM

    You were supposed to use the HTTP request method for the login script as the browser sanitization is causing issues.
    It is odd though, I'll have a look at it when I find some free time.

  16. Tasos Laskos closed this discussion on 06 May, 2015 01:20 PM.
