Forum Thread: Hacking with Nikto

Hacking with Nikto

What can i do with this?

I Found Following Vulnerabilities Using Nikto Script:

  • Server: Apache/2.2.14 (Ubuntu)
  • Cookie PHPSESSID created without the httponly flag
  • Retrieved x-powered-by header: PHP/5.2.17
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • No CGI Directories found
  • Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
  • Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  • OSVDB-12184

4 Responses

Thanks a lot, but how can i use these exploits ? :D Can you give me simple example?

Based on what I can see, they have an outdated Apache version (2.2.14). I looked this version up on CVE and saw this: https://www.cvedetails.com/version/87506/Apache-Http-Server-2.2.14.html 2 code execution, 2 privilege escalation and a couple of XSS exploits as well. One of the code executions had danger level 10 on CVE, so I personally would look into exploiting this vulnerability. Searching for the exploit I found auxiliary/dos/http/apache mod isapi

Other than that, there is a MAJOR DoS exploit CVE-2011-3192 399 which could also cause some damage. There are MANY more vulnerabilities on CVE which you can try.

Share Your Thoughts

  • Hot
  • Active