Forum Thread: Hacking a Vulnerable Server

Here is the nikto report

root@kali:~# nikto -h mysite.com

  • Nikto v2.1.6

---------------------------------------------------------------------------

  • Target IP: 192.168.1.100
  • Target Hostname: mysite.com
  • Target Port: 80
  • Start Time: 2016-05-07 18:51:59 (GMT0)

---------------------------------------------------------------------------

  • Server: Apache/2.2.10 (Fedora)
  • Cookie PHPSESSID created without the httponly flag
  • Retrieved x-powered-by header: PHP/5.2.9
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • Root page / redirects to: http://mysite.com/cgi/index.php
  • Server leaks inodes via ETags, header found with file /index.html, inode: 5530613, size: 77, mtime: Sat Nov 22 14:07:26 2014
  • Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
  • OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  • OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3092: /includes/: This might be interesting...
  • OSVDB-3092: /manual/: Web server manual found.
  • OSVDB-3268: /icons/: Directory indexing found.
  • OSVDB-3268: /manual/images/: Directory indexing found.
  • /admin/phpinfo.php: Output from the phpinfo() function was found.
  • OSVDB-35877: /admin/phpinfo.php: Immobilier allows phpinfo() to be run.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fckimage.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fckflash.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fcklink.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3233: /icons/README: Apache default file found.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/license.txt: FCKeditor license file found.
  • OSVDB-3093: /includes/fckeditor/fckconfig.js: FCKeditor JavaScript file found.
  • OSVDB-3093: /includes/fckeditor/whatsnew.html: FCKeditor changes file found.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-89282: /includes/fckeditor/whatsnew.html: FCKEditor versions below 2.6.9 allow file upload restriction bypasses, see http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmcreatefolder.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/uploadtest.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/lasso/connector.lasso?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/py/connector.py?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • 9156 requests: 0 error(s) and 34 item(s) reported on remote host
  • End Time: 2016-05-07 18:53:32 (GMT0) (93 seconds)

---------------------------------------------------------------------------

  • 1 host(s) tested

What can be done with this?

8 Responses

I'm a newbie, but I'm sure you can attack with multiple methods, like FCKeditor: you can upload a shell. Idk how, because, as I told you above, I only heard that. Oh yeah, wait for our pro fellows to reply to you.

You are a Pro. Don't underestimate yourself. Know that each day, you learn something which makes you a better version of yourself.

# Sergeant

Ghana:

  • Retrieved x-powered-by header: PHP/5.2.9 - We know that PHP is now at 7, so find the flaws in 5 and also check whether they are exploitable at your end.
  • Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. The software itself told you that; find out whether older versions have flaws you can exploit.
  • /admin/phpinfo.php: Immobilier allows phpinfo() to be run. I bet you can check the phpinfo of the server with that string attached to the URL.
  • /includes/fckeditor/editor/dialog/ - So you search Google and find the platform responsible for such management: WordPress. Search for other related exploits.
  • Exploiting PHP Upload Module of FCKEditor - SecurEyes. You know it has some exploits.
  • The server is badly or poorly configured. That should be a plus. /icons/README: Apache default file found.
  • Hacking is not magic, it's hard work. Always help yourself before others try to help you.

# Sergeant

Did you pull the phpinfo?

The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

What does this mean?

Just using Nikto isn't gonna cut it.

Report back with a TCP version scan; maybe an OS scan could help (nmap -sV -O mysite.com). Look into things like robots.txt and fire up dirb. There is no magic button, this field requires you to think on your feet.

d0wnp0ur

nikto -h my.superior.edu.pk

  • Nikto v2.1.6

---------------------------------------------------------------------------

  • Target IP: 103.62.235.214
  • Target Hostname: my.superior.edu.pk
  • Target Port: 80
  • Start Time: 2019-04-16 07:23:52 (GMT-4)

---------------------------------------------------------------------------

  • Server: Microsoft-IIS/8.5
  • Retrieved x-aspnet-version header: 4.0.30319
  • Retrieved x-powered-by header: ASP.NET
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://192.168.167.170/images/".
  • OSVDB-3092: /account/: This might be interesting...
  • OSVDB-3092: /reports/: This might be interesting...
  • OSVDB-3092: /scripts/: This might be interesting... possibly a system shell found.
  • OSVDB-3092: /localstart.asp: Default IIS install page found.
  • 8364 requests: 0 error(s) and 9 item(s) reported on remote host
  • End Time: 2019-04-16 07:44:31 (GMT-4) (1239 seconds)

---------------------------------------------------------------------------

  • 1 host(s) tested

Guys, can anyone tell me how to enter this site's database? I'm a newbie, can anyone help me?

Here is the nikto report

  • Target Hostname: ....
  • Target Port: 80
  • Start Time: 2019-12-02 08:37:59 (GMT0)

---------------------------------------------------------------------------

  • Server: Apache
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • Root page / redirects to:
  • No CGI Directories found (use '-C all' to force check all possible dirs)
  • /webmail/blank.html: IlohaMail 0.8.10 contains an XSS vulnerability. Previous versions contain other non-descript vulnerabilities.
  • /securecontrolpanel/: Web Server Control Panel
  • OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
  • OSVDB-3093: /webmail/lib/emailreaderexecuteoneachpage.inc.php: This might be interesting... has been seen in web logs from an unknown scanner.
  • /controlpanel/: Admin login page/section found.
  • 7785 requests: 0 error(s) and 8 item(s) reported on remote host
  • End Time: 2019-12-02 08:53:29 (GMT0) (930 seconds)

What can be done with this?
