Forum Thread: Hacking a Vulnerable Server

Here is the nikto report

root@kali:~# nikto -h mysite.com

  • Nikto v2.1.6

---------------------------------------------------------------------------

  • Target IP: 192.168.1.100
  • Target Hostname: mysite.com
  • Target Port: 80
  • Start Time: 2016-05-07 18:51:59 (GMT0)

---------------------------------------------------------------------------

  • Server: Apache/2.2.10 (Fedora)
  • Cookie PHPSESSID created without the httponly flag
  • Retrieved x-powered-by header: PHP/5.2.9
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • Root page / redirects to: http://mysite.com/cgi/index.php
  • Server leaks inodes via ETags, header found with file /index.html, inode: 5530613, size: 77, mtime: Sat Nov 22 14:07:26 2014
  • Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
  • OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  • OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3092: /includes/: This might be interesting...
  • OSVDB-3092: /manual/: Web server manual found.
  • OSVDB-3268: /icons/: Directory indexing found.
  • OSVDB-3268: /manual/images/: Directory indexing found.
  • /admin/phpinfo.php: Output from the phpinfo() function was found.
  • OSVDB-35877: /admin/phpinfo.php: Immobilier allows phpinfo() to be run.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fckimage.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fckflash.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/dialog/fcklink.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3233: /icons/README: Apache default file found.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/license.txt: FCKeditor license file found.
  • OSVDB-3093: /includes/fckeditor/fckconfig.js: FCKeditor JavaScript file found.
  • OSVDB-3093: /includes/fckeditor/whatsnew.html: FCKeditor changes file found.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-89282: /includes/fckeditor/whatsnew.html: FCKEditor versions below 2.6.9 allow file upload restriction bypasses, see http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmcreatefolder.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/uploadtest.html: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/lasso/connector.lasso?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/py/connector.py?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.
  • 9156 requests: 0 error(s) and 34 item(s) reported on remote host
  • End Time: 2016-05-07 18:53:32 (GMT0) (93 seconds)

---------------------------------------------------------------------------

  • 1 host(s) tested

What can be done with this?

4 Responses

I'm a newbie, but I'm sure you can attack with multiple methods, like FCKeditor: you can upload a shell. Idk how, because I told you above, but I heard that. Oh yeah, wait for our Pro fellows to reply to you.

You are a Pro. Don't underestimate yourself. Know that each day, you learn something which makes you a better version of yourself.

# Sergeant

Ghana:

  • Retrieved x-powered-by header: PHP/5.2.9 - We know that PHP is now 7. So find the flaws in 5 and also check whether they are exploitable at your end.
  • Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. The software itself told you that; find out whether older versions have flaws you can exploit.
  • /admin/phpinfo.php: Immobilier allows phpinfo() to be run. I bet you can check the phpinfo of the server with that string attached to the URL.
  • /includes/fckeditor/editor/dialog/ - So you search Google and find the platform responsible for such management: WordPress. Search for other related exploits.
  • "Exploiting PHP Upload Module of FCKEditor" (SecurEyes) - you know it has some exploits.
  • The server is badly or poorly configured. That should be a plus. /icons/README: Apache default file found.
  • Hacking is not magic, it's hard work. Always help yourself before others try to help you.
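To put the report in the opening post and the checklist above to work, here is an added example (mine, not the original poster's, nikto's or any reply's code) that re-checks the specific findings with plain HTTP requests rather than taking the scanner's word for them: the missing hardening headers and the PHPSESSID HttpOnly flag, TRACE reflection (XST), the exposed phpinfo() page and the PHP version it reveals, the directory listings, whether the FCKeditor PHP connector answers a GetFolders command, and the FCKeditor version reported by whatsnew.html. It assumes the host, port and paths exactly as they appear in the nikto output, that whatsnew.html labels releases as "Version X.Y.Z" (an assumption about that file's layout), and that you are authorised to test the target. The analysis functions take raw status/headers/body so they can be exercised offline on constructed responses.

```python
"""Re-check the nikto findings from the thread with plain HTTP requests.

Added example; not from the original post. Target and paths are taken
from the nikto output above. Only run against hosts you may test.
"""
import http.client
import re
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

TARGET_HOST = "mysite.com"  # hostname from the report (assumed resolvable)
TARGET_PORT = 80
# Paths copied from the nikto output
PHPINFO_PATH = "/admin/phpinfo.php"
FCK_WHATSNEW = "/includes/fckeditor/whatsnew.html"
FCK_CONNECTOR = ("/includes/fckeditor/editor/filemanager/connectors/php/"
                 "connector.php?Command=GetFolders&Type=File&CurrentFolder=%2F")
LISTING_DIRS = ["/icons/", "/manual/images/", "/includes/"]
# Arbitrary header we send with TRACE; if it comes back in the body, TRACE is live
XST_HEADER = ("X-Recheck-Marker", "xst-probe-7f3a")
XST_MARKER = f"{XST_HEADER[0]}: {XST_HEADER[1]}"


def fetch(host: str, method: str, path: str, port: int = TARGET_PORT,
          extra: Optional[dict] = None) -> Tuple[int, Headers, str]:
    """One request; returns status, lower-cased header pairs, first 64 KiB of body."""
    hdrs = {"Host": host, "User-Agent": "recheck/0.1"}
    hdrs.update(extra or {})
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, path, headers=hdrs)
    resp = conn.getresponse()
    body = resp.read(65536).decode("latin-1", "replace")
    headers = [(k.lower(), v) for k, v in resp.getheaders()]
    conn.close()
    return resp.status, headers, body


def header_findings(headers: Headers) -> List[str]:
    """Missing hardening headers, cookie flags and version banners, as nikto flags them."""
    present = {k for k, _ in headers}
    out = [f"missing header: {h}" for h in
           ("x-frame-options", "x-content-type-options", "x-xss-protection")
           if h not in present]
    for k, v in headers:
        if k == "set-cookie" and v.lower().startswith("phpsessid="):
            flags = {f.strip().lower() for f in v.split(";")[1:]}
            if "httponly" not in flags:
                out.append("PHPSESSID cookie set without HttpOnly")
        elif k in ("server", "x-powered-by"):
            out.append(f"version disclosure: {k}: {v}")
    return out


def trace_reflected(status: int, body: str) -> bool:
    """XST: TRACE is usable if the server echoes our marker header in the body."""
    return status == 200 and XST_MARKER in body


def php_version(headers: Headers, body: str) -> Optional[str]:
    """Version from X-Powered-By, falling back to the phpinfo() page heading."""
    for k, v in headers:
        if k == "x-powered-by":
            m = re.search(r"PHP/(\d+\.\d+\.\d+)", v)
            if m:
                return m.group(1)
    m = re.search(r"PHP Version\s*(\d+\.\d+\.\d+)", body)
    return m.group(1) if m else None


def is_directory_listing(body: str) -> bool:
    """Apache autoindex pages carry an 'Index of /...' title."""
    return re.search(r"<title>\s*Index of /", body, re.I) is not None


def fck_connector_live(status: int, body: str) -> bool:
    """The PHP connector answers GetFolders with a <Connector ...><Folders> XML document."""
    return status == 200 and "<Connector" in body and "<Folders" in body


def fck_version_below(body: str, floor=(2, 6, 9)) -> Optional[bool]:
    """First 'Version X.Y.Z' in whatsnew.html is taken as the installed build.
    Assumption about that file's layout: confirm against the fetched page."""
    m = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", body)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups()) < floor


def run_checks(host: str = TARGET_HOST, port: int = TARGET_PORT) -> List[str]:
    """Live re-check against the target; returns one line per confirmed finding."""
    found: List[str] = []
    st, hd, bd = fetch(host, "GET", "/cgi/index.php", port)  # root redirects here per nikto
    found += header_findings(hd)
    st, hd, bd = fetch(host, "TRACE", "/", port, {XST_HEADER[0]: XST_HEADER[1]})
    if trace_reflected(st, bd):
        found.append("TRACE enabled (XST)")
    st, hd, bd = fetch(host, "GET", PHPINFO_PATH, port)
    if st == 200 and "phpinfo()" in bd:  # phpinfo pages are titled "phpinfo()"
        ver = php_version(hd, bd)
        found.append(f"phpinfo() exposed at {PHPINFO_PATH}" + (f", PHP {ver}" if ver else ""))
    for d in LISTING_DIRS:
        st, hd, bd = fetch(host, "GET", d, port)
        if st == 200 and is_directory_listing(bd):
            found.append(f"directory listing: {d}")
    st, hd, bd = fetch(host, "GET", FCK_CONNECTOR, port)
    if fck_connector_live(st, bd):
        found.append("FCKeditor PHP connector answers GetFolders (file manager reachable)")
    st, hd, bd = fetch(host, "GET", FCK_WHATSNEW, port)
    if fck_version_below(bd):
        found.append("FCKeditor below 2.6.9 per whatsnew.html (OSVDB-89282)")
    return found


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

The connector check deliberately stops at GetFolders: a 200 with a `<Connector>` document proves the file manager is reachable without authentication, which is the precondition for the upload-restriction bypass nikto cites, and that is enough to report; whether uploads actually succeed depends on the connector's own configuration, so leave that to a manual test with permission.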

# Sergeant

Did you pull the phpinfo?
