# arachni http://172.30.58.20:8888/ --plugin=autologin:url=http://172.30.58.20:8888/users/login.php,parameters='username=scanner1&password=scanner1',check='>Logout<' --scope-exclude-pattern='\/logout.php' --http-user-agent='Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0' --report-save-path=wackopicko2.afr --output-debug=3
Arachni - Web Application Security Scanner Framework v1.0.6
   Author: Tasos "Zapotek" Laskos
           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki

 [~] No checks were specified, loading all.
 [~] No element audit options were specified, will audit links, forms and cookies.
 [*] Initializing...
 [*] Waiting for plugins to settle...
 [~] AutoLogin: System paused.
 [!] Browser: Spawning PhantomJS...
 [!] Browser: Attempt #0, chose port number 18711
 [!] Browser: Spawning process: /usr/share/arachni/bin/../system/usr/bin/phantomjs
 [!] Browser: Process spawned, waiting for it to boot-up...
 [!] Browser: Boot-up complete.
 [!] Browser: Fontconfig error: Cannot load default config file
2015-04-21T18:44:23 [DEBUG] CookieJar - Created but will not store cookies (use option '--cookies-file=' to enable persisten cookie storage)
2015-04-21T18:44:23 [DEBUG] Phantom - execute: Configuration
2015-04-21T18:44:23 [DEBUG]      0 objectName : ""
2015-04-21T18:44:23 [DEBUG]      1 cookiesFile : ""
2015-04-21T18:44:23 [DEBUG]      2 diskCacheEnabled : "false"
2015-04-21T18:44:23 [DEBUG]      3 maxDiskCacheSize : "-1"
2015-04-21T18:44:23 [DEBUG]      4 ignoreSslErrors : "true"
2015-04-21T18:44:23 [DEBUG]      5 localToRemoteUrlAccessEnabled : "false"
2015-04-21T18:44:23 [DEBUG]      6 outputEncoding : "UTF-8"
2015-04-21T18:44:23 [DEBUG]      7 proxyType : "http"
2015-04-21T18:44:23 [DEBUG]      8 proxy : "127.0.0.1:19741"
2015-04-21T18:44:23 [DEBUG]      9 proxyAuth : ":"
2015-04-21T18:44:23 [DEBUG]     10 scriptEncoding : "UTF-8"
2015-04-21T18:44:23 [DEBUG]     11 webSecurityEnabled : "true"
2015-04-21T18:44:23 [DEBUG]     12 offlineStoragePath : ""
2015-04-21T18:44:23 [DEBUG]     13 offlineStorageDefaultQuota : "-1"
2015-04-21T18:44:23 [DEBUG]     14 printDebugMessages : "true"
2015-04-21T18:44:23 [DEBUG]     15 javascriptCanOpenWindows : "true"
2015-04-21T18:44:23 [DEBUG]     16 javascriptCanCloseWindows : "true"
2015-04-21T18:44:23 [DEBUG]     17 sslProtocol : "sslv3"
2015-04-21T18:44:23 [DEBUG]     18 sslCertificatesPath : ""
2015-04-21T18:44:23 [DEBUG]     19 webdriver : ":18711"
2015-04-21T18:44:23 [DEBUG]     20 webdriverLogFile : ""
2015-04-21T18:44:23 [DEBUG]     21 webdriverLogLevel : "INFO"
2015-04-21T18:44:23 [DEBUG]     22 webdriverSeleniumGridHub : ""
2015-04-21T18:44:23 [DEBUG] Phantom - execute: Script & Arguments
2015-04-21T18:44:23 [DEBUG]      script: "main.js"
2015-04-21T18:44:23 [DEBUG]      0 arg: "--ip="
2015-04-21T18:44:23 [DEBUG]      1 arg: "--port=18711"
2015-04-21T18:44:23 [DEBUG]      2 arg: "--logLevel=INFO"
2015-04-21T18:44:23 [DEBUG] Phantom - execute: Starting Remote WebDriver mode
PhantomJS is launching GhostDriver...
2015-04-21T18:44:23 [DEBUG] WebPage - setupFrame ""
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/modules/fs.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/modules/system.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/modules/webpage.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/modules/webserver.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./hub_register.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./logger.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./third_party/console++.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./config.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./third_party/parseuri.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "session.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "inputs.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/status_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] FileSystem - _open: ":/ghostdriver/./errors.js" QMap(("mode", QVariant(QString, "r") ) )
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/shutdown_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/session_manager_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/session_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/webelement_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "request_handlers/router_request_handler.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: "webelementlocator.js"
2015-04-21T18:44:23 [DEBUG] Phantom - injectJs: prepending ":/ghostdriver/"
[INFO  - 2015-04-21T17:44:23.742Z] GhostDriver - Main - running on port 18711
 [!] Browser: PhantomJS is ready.
 [!] Session: Logging in via configuration.
 [!] Session: Logging in using browser.
 [!] Session: Grabbing page at: http://172.30.58.20:8888/users/login.php
 [!] Client: ------------
 [!] Client: Queued request.
 [!] Client: ID#: 0
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/users/login.php
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 0
 [!] Client: Performer:
 [!] Client: Status: 200
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/users/login.php
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.4
Set-Cookie: PHPSESSID=t6t2m1p12637cqti1hj1dfsm87; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 947
Content-Type: text/html

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "X-Powered-By"=>"PHP/5.5.12-2ubuntu4.4", "Set-Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87; path=/", "Expires"=>"Thu, 19 Nov 1981 08:52:00 GMT", "Cache-Control"=>"no-store, no-cache, must-revalidate, post-check=0, pre-check=0", "Pragma"=>"no-cache", "Vary"=>"Accept-Encoding", "Content-Encoding"=>"gzip", "Content-Length"=>"947", "Content-Type"=>"text/html"}
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Queued request.
 [!] Client: ID#: 1
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/css/stylings.css
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Accept"=>"text/css,*/*;q=0.1", "Referer"=>"http://172.30.58.20:8888/users/login.php", "Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Queued request.
 [!] Client: ID#: 2
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/css/blueprint/screen.css
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Accept"=>"text/css,*/*;q=0.1", "Referer"=>"http://172.30.58.20:8888/users/login.php", "Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 1
 [!] Client: Performer:
 [!] Client: Status: 200
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/css/stylings.css
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Tue, 07 Apr 2015 08:33:58 GMT
ETag: "c29-5131e469a138f-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 838
Content-Type: text/css

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "Last-Modified"=>"Tue, 07 Apr 2015 08:33:58 GMT", "Etag"=>"\"c29-5131e469a138f-gzip\"", "Accept-Ranges"=>"bytes", "Vary"=>"Accept-Encoding", "Content-Encoding"=>"gzip", "Content-Length"=>"838", "Content-Type"=>"text/css"}
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 2
 [!] Client: Performer:
 [!] Client: Queued request.
 [!] Client: Status: 200
 [!] Client: ID#: 3
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/css/blueprint/screen.css
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Tue, 07 Apr 2015 08:33:58 GMT
ETag: "24c7-5131e469a138f-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2682
Content-Type: text/css

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "Last-Modified"=>"Tue, 07 Apr 2015 08:33:58 GMT", "Etag"=>"\"24c7-5131e469a138f-gzip\"", "Accept-Ranges"=>"bytes", "Vary"=>"Accept-Encoding", "Content-Encoding"=>"gzip", "Content-Length"=>"2682", "Content-Type"=>"text/css"}
 [!] Client: ------------
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/images/search_button_white.gif
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Referer"=>"http://172.30.58.20:8888/users/login.php", "Accept"=>"*/*", "Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 3
 [!] Client: Performer:
 [!] Client: Status: 200
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/images/search_button_white.gif
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Tue, 07 Apr 2015 08:33:58 GMT
ETag: "1fc-5131e469a138f"
Accept-Ranges: bytes
Content-Length: 508
Content-Type: image/gif

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "Last-Modified"=>"Tue, 07 Apr 2015 08:33:58 GMT", "Etag"=>"\"1fc-5131e469a138f\"", "Accept-Ranges"=>"bytes", "Content-Length"=>"508", "Content-Type"=>"image/gif"}
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Queued request.
 [!] Client: ID#: 4
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/images/menu/menu_tabs.gif
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Referer"=>"http://172.30.58.20:8888/users/login.php", "Accept"=>"*/*", "Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 4
 [!] Client: Performer:
 [!] Client: Status: 200
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/images/menu/menu_tabs.gif
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Tue, 07 Apr 2015 08:33:58 GMT
ETag: "f78-5131e469a138f"
Accept-Ranges: bytes
Content-Length: 3960
Content-Type: image/gif

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "Last-Modified"=>"Tue, 07 Apr 2015 08:33:58 GMT", "Etag"=>"\"f78-5131e469a138f\"", "Accept-Ranges"=>"bytes", "Content-Length"=>"3960", "Content-Type"=>"image/gif"}
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Queued request.
 [!] Client: ID#: 5
 [!] Client: Performer:
 [!] Client: URL: http://172.30.58.20:8888/css/blueprint/print.css
 [!] Client: Method: get
 [!] Client: Params: {}
 [!] Client: Body:
 [!] Client: Headers: {"User-Agent"=>"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0", "Accept"=>"text/css,*/*;q=0.1", "Referer"=>"http://172.30.58.20:8888/users/login.php", "Cookie"=>"PHPSESSID=t6t2m1p12637cqti1hj1dfsm87", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en-IE,*", "Host"=>"172.30.58.20:8888"}
 [!] Client: Cookies: {}
 [!] Client: Train?: false
 [!] Client: ------------
 [!] Client: ------------
 [!] Client: Got response for request ID#: 5
 [!] Client: Performer:
 [!] Client: Status: 200
 [!] Client: Code: ok
 [!] Client: Message: No error
 [!] Client: URL: http://172.30.58.20:8888/css/blueprint/print.css
 [!] Client: Headers:
HTTP/1.1 200 OK
Date: Tue, 21 Apr 2015 17:44:27 GMT
Server: Apache/2.4.10 (Ubuntu)
Last-Modified: Tue, 07 Apr 2015 08:33:58 GMT
ETag: "52d-5131e469a138f-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 674
Content-Type: text/css

 [!] Client: Parsed headers: {"Date"=>"Tue, 21 Apr 2015 17:44:27 GMT", "Server"=>"Apache/2.4.10 (Ubuntu)", "Last-Modified"=>"Tue, 07 Apr 2015 08:33:58 GMT", "Etag"=>"\"52d-5131e469a138f-gzip\"", "Accept-Ranges"=>"bytes", "Vary"=>"Accept-Encoding", "Content-Encoding"=>"gzip", "Content-Length"=>"674", "Content-Type"=>"text/css"}
 [!] Client: ------------
 [!] Session: Got page with URL http://172.30.58.20:8888/users/login.php
 [!] Session: WackoPicko.com
 [-] AutoLogin: Could not find a form suiting the provided parameters.
 [~] AutoLogin: Aborting the scan.
 [!]
 [!] Waiting on 4 plugins to finish:
 [!] discovery, timing_attacks, uniformity, healthmap
 [!]
 [!]
 [!] Waiting on 4 plugins to finish:
 [!] discovery, timing_attacks, uniformity, healthmap
 [!]

================================================================================
 [+] Web Application Security Report - Arachni Framework
 [~] Report generated on: 2015-04-21 18:44:24 +0100
 [~] Report false positives at: http://github.com/Arachni/arachni/issues

 [+] System settings:
 [~] ---------------
 [~] Version:  1.0.6
 [~] Audit started on:  2015-04-21 18:44:22 +0100
 [~] Audit finished on: 2015-04-21 18:44:24 +0100
 [~] Runtime:           00:00:01

 [~] URL:        http://172.30.58.20:8888/
 [~] User agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

 [*] Audited elements:
 [~] * Links
 [~] * Forms
 [~] * Cookies

 [*] Checks: interesting_responses, allowed_methods, common_directories, xst, localstart_asp, htaccess_limit, backdoors, insecure_cookies, cvs_svn_users, http_only_cookies, emails, mixed_resource, form_upload, password_autocomplete, private_ip, cookie_set_for_parent_domain, hsts, html_objects, credit_card, ssn, captcha, unencrypted_password_forms, directory_listing, webdav, origin_spoof_access_restriction_bypass, http_put, backup_files, common_files, backup_directories, os_cmd_injection_timing, no_sql_injection, xss, xss_tag, xss_path, xss_dom, os_cmd_injection, source_code_disclosure, sql_injection_timing, xpath_injection, xss_script_context, response_splitting, code_injection_php_input_wrapper, no_sql_injection_differential, session_fixation, trainer, code_injection_timing, rfi, xss_event, unvalidated_redirect, sql_injection, path_traversal, xss_dom_inputs, sql_injection_differential, csrf, xss_dom_script_context, file_inclusion, code_injection, ldap_injection

 [*] Filters:
 [~] Exclude:
 [~] (?-mix:\/logout.php)

 [~] ===========================

 [+] 0 issues were detected.

 [+] Plugin data:
 [~] ---------------

 [*] AutoLogin
 [~] ~~~~~~~~~~~~~~
 [~] Description: It looks for the login form in the user provided URL, merges its input fields with the user supplied parameters and sets the cookies of the response and request as framework-wide cookies.

 [+] Could not find a form suiting the provided parameters.

 [~] Report saved at: /usr/share/arachni/bin/wackopicko2.afr [0.0MB]
 [~] The scan has logged errors: /usr/share/arachni/bin/../system/logs/framework/error-37276.log

 [~] Audited 0 pages.
 [~] Sent 6 requests.
 [~] Received and analyzed 6 responses.
 [~] In 00:00:02
 [~] Average: 2.786684848237143 requests/second.

 [~] Burst response time sum 0.017615000000000002 seconds
 [~] Burst response count 6
 [~] Burst average response time 0.0029358333333333337 seconds
 [~] Burst average 2.786667505143956 requests/second
 [~] Timed-out requests 0
 [~] Original max concurrency 20
 [~] Throttled max concurrency 20
#