56 - VM
10.9.8.74 - Windows 7
' OR '1'='1
10.9.8.174
demo.testfire.net
L1
- Learn request interception using Burp Suite
- information gathering using vulnerability scanning
- packet analysis for clear-text passwords: network-layer sniffing with Wireshark
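The `' OR '1'='1` payload noted above only works because the login query is built by string concatenation. As an added example (not code from the notes or from the lab target), the following Python builds an in-memory SQLite users table with constructed rows, shows the query the payload turns into, and contrasts the concatenated query with a parameterised one; the table name, column names and row values are assumptions for the demonstration.

```python
import sqlite3

# The payload from the notes.
PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory users table with constructed rows (assumed schema, not data from the lab target)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "constructed-pw-1"), ("jsmith", "constructed-pw-2")],
    )
    return conn


def build_vulnerable_query(username, password):
    """The bug: user input is pasted into the SQL text, so quotes in it become SQL syntax."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Login check as a vulnerable app would do it: every matching row counts as a login."""
    # With PAYLOAD in both fields the WHERE clause becomes
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so all users come back.
    return [row[0] for row in conn.execute(build_vulnerable_query(username, password))]


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately, so the payload stays a string."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("safe:", login_safe(conn, PAYLOAD, PAYLOAD))
```

Run it and compare the two results: the concatenated query returns every user for the payload, the parameterised one returns nothing, and a genuine username/password pair still logs in through both.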
INFORMATION GATHERING
* ETag - vulnerability (Apache ETag leaks inode numbers)
error handling - trigger errors and look for information disclosure in the messages
crawling - check robots.txt (the Disallow: entries list paths worth visiting)
- nikto
sslscan - check the TLS configuration with sslscan
(VULN 10.9.8.174)
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.9.8.174
+ Target Hostname: 10.9.8.174
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=MY/ST=Selangor/L=Petaling Jaya/O=CZ/OU=IT Sec/CN=CZ
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=MY/ST=Selangor/L=Petaling Jaya/O=CZ/OU=IT Sec/CN=CZ
+ Start Time: 2019-11-17 23:55:30 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x231f
0x57e8a15ce9500
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user
agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to
render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.25
+ Entry '/wp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/demo/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache
2.0.65 (final release) and 2.2.29 are also current.
+ Hostname '10.9.8.174' does not match certificate's names: CZ
+ The Content-Encoding header is set to "deflate" this may mean that the server is
vulnerable to the BREACH attack.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3092: /demo/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from
an unknown scanner.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ /login.php: Admin login page/section found.
+ OSVDB-3092: /cms/: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 7689 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2019-11-17 23:58:01 (GMT-5) (151 seconds)
- unencrypted communication (check whether plain HTTP is also served; clear-text logins are visible in Wireshark)
- HSTS not enabled
- ETag leaks inodes (Apache FileETag)
- unsafe HTTP methods (the scan lists only OPTIONS, GET, HEAD, POST; check per directory for PUT, DELETE, TRACE)
- improper error handling
- robots.txt exposes /wp/ and /demo/
- clickjacking (no X-Frame-Options header)
- XSS on the contact us page
- PHPSESSID cookie without the HttpOnly flag
- PHPSESSID cookie without the Secure flag (HTTPS)
- directory listing / indexing (/test/, /images/)
- default page (/icons/README)
- admin pages exposed (/login.html, /login.php, /phpmyadmin/)
- default user credentials
- brute-force attack
- weak password policy
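Most of the header and cookie findings above are things Nikto reads straight out of one HTTP response. As an added example (not code from the notes or from Nikto), the following Python re-implements those checks offline and decodes the Apache ETag fields the scan reported. Both responses are constructed to mirror the scan, not captured traffic; the finding codes, the hardened header values and the session cookie value are assumptions for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed responses (not captured traffic). WEAK_RESPONSE mirrors what the
# Nikto run above reported for 10.9.8.174; HARDENED_RESPONSE is the fixed form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.25\r\n"
    'ETag: "231f-57e8a15ce9500"\r\n'
    "Set-Cookie: PHPSESSID=c0nstructedsessionid; path=/\r\n"
    "Content-Encoding: deflate\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: PHPSESSID=c0nstructedsessionid; path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)

# Apache FileETag values are hex fields joined by '-' (inode[-size]-mtime).
APACHE_ETAG = re.compile(r'^(?:W/)?"?([0-9a-f]+(?:-[0-9a-f]+){1,2})"?$')


def parse_headers(raw):
    """Return [(name_lower, value)] for a raw HTTP/1.1 response, keeping duplicates (Set-Cookie)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def decode_apache_etag(etag):
    """Decode an Apache-style ETag: first field taken as inode, last as mtime in microseconds.

    Heuristic, like Nikto's check: any multi-field hex ETag matches. Confirm on a real
    target by comparing the ETags of two different files.
    """
    m = APACHE_ETAG.match(etag.strip())
    if not m:
        return None
    parts = m.group(1).split("-")
    mtime_us = int(parts[-1], 16)
    info = {
        "inode": int(parts[0], 16),
        "mtime_epoch": mtime_us // 1_000_000,
        "mtime": datetime.fromtimestamp(mtime_us / 1_000_000, tz=timezone.utc),
    }
    if len(parts) == 3:
        info["size"] = int(parts[1], 16)
    return info


def check_response(raw, https=True):
    """Return the Nikto-style findings for one response as stable finding codes (assumed names)."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    if https and "strict-transport-security" not in present:
        findings.append("hsts-missing")
    framed = "x-frame-options" in present or any(
        name == "content-security-policy" and "frame-ancestors" in value for name, value in headers
    )
    if not framed:
        findings.append("x-frame-options-missing")  # clickjacking
    if "x-content-type-options" not in present:
        findings.append("x-content-type-options-missing")  # MIME sniffing
    for name, value in headers:
        if name == "server" and re.search(r"/\d", value):
            findings.append("server-version-disclosed")
        elif name == "x-powered-by":
            findings.append("x-powered-by-disclosed")
        elif name == "content-encoding" and value.lower() in ("deflate", "gzip", "br"):
            findings.append("compression-breach-candidate")  # only exploitable if secrets and reflected input share the body
        elif name == "etag" and decode_apache_etag(value):
            findings.append("etag-inode-leak")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if https and "secure" not in attrs:
                findings.append(f"cookie-{cookie_name}-no-secure")
            if "httponly" not in attrs:
                findings.append(f"cookie-{cookie_name}-no-httponly")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(resp))
    print(decode_apache_etag('"231f-57e8a15ce9500"'))
```

The decoded ETag puts the inode at 0x231f and the file mtime in early January 2019, which is consistent with a scan run in November 2019. One caveat on the field layout: Apache 2.4's default `FileETag MTime Size` produces two fields with the size first and no inode at all, so a two-field ETag is only an inode leak if the server was configured with `INode`; compare the ETags of two files of the same size to tell the cases apart. Nikto also flagged X-XSS-Protection; it is omitted here because current browsers ignore that header.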