Forum Thread: My First Nikto Test

i did my first nikto scan yesterday ifound some stuff but how can i download stuff from the server?

here is my nikto result

  • Server: Apache/2.2.20 (CentOS)
  • Cookie PHPSESSID created without the httponly flag
  • Retrieved x-powered-by header: PHP/5.3.6
  • The anti-clickjacking X-Frame-Options header is not present.
  • Server leaks inodes via ETags, header found with file /cgi-bin/, inode: 115023231, size: 2413, mtime: Wed Jan 26 09:44:57 2011
  • No CGI Directories found (use '-C all' to force check all possible dirs)
  • Apache/2.2.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
  • Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  • /config.php: PHP Config file may contain database IDs and passwords.
  • OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3092: /homepage/: This might be interesting...
  • ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Operation now in progress
  • Scan terminated: 20 error(s) and 11 item(s) reported on remote host
  • End Time: 2015-02-15 18:18:56 (GMT-5) (2023 seconds)

11 Responses

If the server isn't locked you can just use the wget command. Please evaluate more.

how can i use hthe wget command to get the php.config file

Well, what is the URL and directory?

i did not get those in the nikto scan

So you were scanning an IP address?

Look, what is the IP address and the location of the file you are trying to download?

Target IP: 216.154.214.189

bare with me im new this

/config.php

The command would be:
wget 216.154.214.189/config.php

That should do it.

You do realize that you are trying to steal credentials from a bank, right? That's black-hat and I don't think you should go there.

I just wrote a fucking novel in response to you TheFox but it didn't post for whatever reason. Anyways...

LISTEN TO CRACKERHACKER

Don't do that. It's unrealistic, it's really fucking hard, you need to know basic php configuration and servers up-n-down, and you're setting your expectations to a non-achievable level. I'm all for dreaming and what not and having dreams and pursuing them, but you're setting yourself up for failure, or failure in jail. No disrespect but I'm assuming you're not too familiar with a basic VPN setup from reading your posts? You sound like I did when I first started, and I'd put money on it that majority of people in the "Ethical Hacking" or "Blackhat" methods of cyberspace; more often than not they wanted to pursue something crazy like that at first, and do it with ease in a matter of a couple weeks or so.

Continue on with learning the wonderful world of computers, just set realistic expectations, my man.

I suggest you study up google hint hint---VPN's and not only what they do but how they do it. Try and crack some WEP's if you can find any AP's that still use them.Try out some SQL Injections after getting familiar with servers; phpmyadmin, mySQL, apache, the basics, but very very important things to get familiar with. All these by the way are "basic" but they're usually fast, quick, and have a noticeable reward at the end to help yourself with motivation and to let yourself know that knowledge is going somewhere. Oh, and download a .iso of Kali linux, I think 1.10 just recently came out, and consider a dual-boot with windows or running in a virtual machine. Message me if you have any questions dude, be safe.

Share Your Thoughts

  • Hot
  • Active