2016-05-08

I have been trying to hack a server and I have found the following:

USING NMAP:

[*]Nmap: Increasing send delay for 103.56.252.15 from 0 to 5 due to 65 out of 216 dropped probes since last increase.

[*]Nmap: Increasing send delay for 103.56.252.15 from 5 to 10 due to 18 out of 58 dropped probes since last increase.

[*]Nmap: Increasing send delay for 103.56.252.15 from 10 to 20 due to 11 out of 27 dropped probes since last increase.

[*]Nmap: Increasing send delay for 103.56.252.15 from 20 to 40 due to 11 out of 27 dropped probes since last increase.

[*]Nmap: Increasing send delay for 103.56.252.15 from 40 to 80 due to 11 out of 32 dropped probes since last increase.

[*]Nmap: Completed SYN Stealth Scan at 16:35, 85.05s elapsed (1000 total ports)

[*]Nmap: Initiating Service scan at 16:35

[*]Nmap: Scanning 6 services on fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Completed Service scan at 16:35, 12.04s elapsed (6 services on 1 host)

[*]Nmap: Initiating OS detection (try #1) against fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Retrying OS detection (try #2) against fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Retrying OS detection (try #3) against fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Retrying OS detection (try #4) against fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Retrying OS detection (try #5) against fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Initiating Traceroute at 16:35

[*]Nmap: Completed Traceroute at 16:35, 0.01s elapsed

[*]Nmap: Initiating Parallel DNS resolution of 2 hosts. at 16:35

[*]Nmap: Completed Parallel DNS resolution of 2 hosts. at 16:35, 0.00s elapsed

[*]Nmap: NSE: Script scanning 103.56.252.15.

[*]Nmap: NSE: Starting runlevel 1 (of 2) scan.

[*]Nmap: Initiating NSE at 16:35

[*]Nmap: Completed NSE at 16:35, 8.58s elapsed

[*]Nmap: NSE: Starting runlevel 2 (of 2) scan.

[*]Nmap: Initiating NSE at 16:35

[*]Nmap: Completed NSE at 16:35, 0.00s elapsed

[*]Nmap: Nmap scan report for fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap: Host is up, received user-set (0.0033s latency).

[*]Nmap: Scanned at 2016-05-07 16:33:41 UTC for 119s

[*]Nmap: Not shown: 986 closed ports

[*]Nmap: Reason: 986 resets

[*]Nmap: PORT     STATE    SERVICE      REASON         VERSION

[*]Nmap: 21/tcp   filtered ftp          no-response

[*]Nmap: 22/tcp   open     ssh          syn-ack ttl 63 OpenSSH 5.1 (protocol 1.99)

[*]Nmap: | ssh-hostkey:

[*]Nmap: |   2048 ae:63:61:3d:45:ac:79:dc:1e:45:8c:54:39:14:1f:a4 (RSA1)

[*]Nmap: |   1024 86:ef:63:77:2e:08:88:3c:e0:43:bd:53:f2:62:5c:4a (DSA)

[*]Nmap: |   2048 f1:46:a0:35:17:02:8a:a2:bf:d1:0d:30:7b:85:a2:d2 (RSA)

[*]Nmap: |_sshv1: Server supports SSHv1

[*]Nmap: 53/tcp   open     domain       syn-ack ttl 64 MikroTik RouterOS named or OpenDNS Updater

[*]Nmap: 80/tcp   open     http         syn-ack ttl 63 Apache httpd 2.2.10 ((Fedora))

[*]Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 302)

[*]Nmap: |_http-server-header: Apache/2.2.10 (Fedora)

[*]Nmap: | http-title: Log2space Ipoe Login

[*]Nmap: |_Requested resource was http://fsn.lancefibernet.log2air.com/log...=1&name=oe

[*]Nmap: 81/tcp   filtered hosts2-ns    no-response

[*]Nmap: 82/tcp   filtered xfer         no-response

[*]Nmap: 111/tcp  open     rpcbind      syn-ack ttl 63 2-4 (RPC #100000)

[*]Nmap: | rpcinfo:

[*]Nmap: |   program version   port/proto  service

[*]Nmap: |   100000  2,3,4        111/tcp  rpcbind

[*]Nmap: |   100000  2,3,4        111/udp  rpcbind

[*]Nmap: |   100024  1          37388/udp  status

[*]Nmap: |_  100024  1          39022/tcp  status

[*]Nmap: 135/tcp  filtered msrpc        no-response

[*]Nmap: 139/tcp  filtered netbios-ssn  no-response

[*]Nmap: 443/tcp  open     ssl/http     syn-ack ttl 63 Apache httpd 2.2.10 ((Fedora))

[*]Nmap: | http-cisco-anyconnect:

[*]Nmap: |_  ERROR: Not a Cisco ASA or unsupported version

[*]Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 302)

[*]Nmap: |_http-server-header: Apache/2.2.10 (Fedora)

[*]Nmap: |_http-title: Did not follow redirect to http://fsn.lancefibernet.log2air.com/cgi/index.php

[*]Nmap: | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain

[*]Nmap: | Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain

[*]Nmap: | Public Key type: rsa

[*]Nmap: | Public Key bits: 1024

[*]Nmap: | Signature Algorithm: sha1WithRSAEncryption

[*]Nmap: | Not valid before: 2014-11-12T18:24:37

[*]Nmap: | Not valid after:  2015-11-12T18:24:37

[*]Nmap: | MD5:   62de 8b01 63a7 dccd d10c ed37 3109 9b0d

[*]Nmap: | SHA-1: 8463 38ef 7a58 0764 4490 3482 828f 1a52 91b4 a90f

[*]Nmap: |_ssl-date: 2016-05-07T11:04:53+00:00; -5h30m40s from scanner time.

[*]Nmap: 444/tcp  filtered snpp         no-response

[*]Nmap: 445/tcp  filtered microsoft-ds no-response

[*]Nmap: 1434/tcp filtered ms-sql-m     no-response

[*]Nmap: 3306/tcp open     mysql        syn-ack ttl 63 MySQL 5.0.37-standard

[*]Nmap: | mysql-info:

[*]Nmap: |   Protocol: 53

[*]Nmap: |   Version: .0.37-standard

[*]Nmap: |   Thread ID: 7843128

[*]Nmap: |   Capabilities flags: 41516

[*]Nmap: |   Some Capabilities: Support41Auth, SupportsCompression, ConnectWithDatabase, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions

[*]Nmap: |   Status: Autocommit

[*]Nmap: |_  Salt: ggN1HXbbDmy9N\d`6,v4

[*]Nmap: No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

[*]Nmap: TCP/IP fingerprint:

[*]Nmap:

[*]Nmap: Network Distance: 2 hops

[*]Nmap: TCP Sequence Prediction: Difficulty=192 (Good luck!)

[*]Nmap: IP ID Sequence Generation: All zeros

[*]Nmap:

[*]Nmap: TRACEROUTE (using port 995/tcp)

[*]Nmap: HOP RTT     ADDRESS

[*]Nmap: 1   2.43 ms fsn.e.lancefibernet.log2air.com (172.21.96.1)

[*]Nmap: 2   2.75 ms fsn.lancefibernet.log2air.com (103.56.252.15)

[*]Nmap:

[*]Nmap: NSE: Script Post-scanning.

[*]Nmap: NSE: Starting runlevel 1 (of 2) scan.

[*]Nmap: Initiating NSE at 16:35

[*]Nmap: Completed NSE at 16:35, 0.00s elapsed

[*]Nmap: NSE: Starting runlevel 2 (of 2) scan.

[*]Nmap: Initiating NSE at 16:35

[*]Nmap: Completed NSE at 16:35, 0.00s elapsed

[*]Nmap: Read data files from: /usr/bin/../share/nmap

[*]Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

[*]Nmap: Nmap done: 1 IP address (1 host up) scanned in 120.10 seconds

[*]Nmap:            Raw packets sent: 1568 (81.080KB) | Rcvd: 6509 (482.946KB)

[*]Nmap: Nmap scan finished in 120.12588191 seconds for target: 103.56.252.15

[*]GoLismero: Current stage: Reconaissance

[!] IP Geolocator: Error: Freegeoip.net webservice is not available, possible network error?

[*]GoLismero: Current stage: Scanning (non-intrusive)

[*]SSLScan: Launching SSLScan against: fsn.lancefibernet.log2air.com

[*]SSLScan: Version: 1.10.5-static

[*]SSLScan: OpenSSL 1.0.2e-dev xx XXX xxxx

[*]SSLScan:

[*]SSLScan: Testing SSL server fsn.lancefibernet.log2air.com on port 443

[*]SSLScan:

[*]SSLScan:   TLS renegotiation:

[*]SSLScan: Insecure session renegotiation supported

[*]SSLScan:

[*]SSLScan:   TLS Compression:

[*]SSLScan: Compression disabled

[*]SSLScan:

[*]SSLScan:   Heartbleed:

[*]SSLScan: TLS 1.0 not vulnerable to heartbleed

[*]SSLScan: TLS 1.1 not vulnerable to heartbleed

[*]SSLScan: TLS 1.2 not vulnerable to heartbleed

[*]SSLScan:

[*]SSLScan:   Supported Server Cipher(s):

[*]SSLScan: Accepted  SSLv3    256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    256 bits  AES256-SHA

[*]SSLScan: Accepted  SSLv3    256 bits  CAMELLIA256-SHA

[*]SSLScan: Accepted  SSLv3    128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    128 bits  DHE-RSA-SEED-SHA              DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    128 bits  AES128-SHA

[*]SSLScan: Accepted  SSLv3    128 bits  SEED-SHA

[*]SSLScan: Accepted  SSLv3    128 bits  CAMELLIA128-SHA

[*]SSLScan: Accepted  SSLv3    128 bits  RC4-SHA

[*]SSLScan: Accepted  SSLv3    128 bits  RC4-MD5

[*]SSLScan: Accepted  SSLv3    112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    112 bits  DES-CBC3-SHA

[*]SSLScan: Accepted  SSLv3    56 bits   EDH-RSA-DES-CBC-SHA           DHE 1024 bits

[*]SSLScan: Accepted  SSLv3    56 bits   DES-CBC-SHA

[*]SSLScan: Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  256 bits  AES256-SHA

[*]SSLScan: Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA

[*]SSLScan: Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  128 bits  DHE-RSA-SEED-SHA              DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  128 bits  AES128-SHA

[*]SSLScan: Accepted  TLSv1.0  128 bits  SEED-SHA

[*]SSLScan: Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA

[*]SSLScan: Accepted  TLSv1.0  128 bits  RC4-SHA

[*]SSLScan: Accepted  TLSv1.0  128 bits  RC4-MD5

[*]SSLScan: Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  112 bits  DES-CBC3-SHA

[*]SSLScan: Accepted  TLSv1.0  56 bits   EDH-RSA-DES-CBC-SHA           DHE 1024 bits

[*]SSLScan: Accepted  TLSv1.0  56 bits   DES-CBC-SHA

[*]SSLScan:

[*]SSLScan:   Preferred Server Cipher(s):

[*]SSLScan: SSLv3    256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits

[*]SSLScan: TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits

[*]SSLScan:

[*]SSLScan:   SSL Certificate:

[*]SSLScan: Signature Algorithm: sha1WithRSAEncryption

[*]SSLScan: RSA Key Strength:    1024

[*]SSLScan:

[*]SSLScan: Subject:  localhost.localdomain

[*]SSLScan: Issuer:   localhost.localdomain

[*]SSLScan: SSLScan scan finished in 10.7226731777 seconds for target: fsn.lancefibernet.log2air.com

[!] SSLScan: 'NoneType' object has no attribute 'group'

[*]SSLScan: Found 1 SSL vulnerabilities.

USING NIKTO

root@kali:~# nikto -h http://fsn.lancefibernet.log2air.com

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          103.56.252.15

+ Target Hostname:    fsn.lancefibernet.log2air.com

+ Target Port:        80

+ Start Time:         2016-05-07 18:49:06 (GMT0)

---------------------------------------------------------------------------

+ Server: Apache/2.2.10 (Fedora)

+ Cookie PHPSESSID created without the httponly flag

+ Retrieved x-powered-by header: PHP/5.2.9

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Root page / redirects to: http://fsn.lancefibernet.log2air.com/log...=1&name=oe

+ Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ Server leaks inodes via ETags, header found with file /manual/, inode: 13246785, size: 7709, mtime: Tue Oct 21 11:52:59 2008

+ OSVDB-3092: /manual/: Web server manual found.

+ OSVDB-3268: /icons/: Directory indexing found.

+ OSVDB-3268: /manual/images/: Directory indexing found.

+ OSVDB-3233: /icons/README: Apache default file found.

+ 8363 requests: 0 error(s) and 15 item(s) reported on remote host

+ End Time:           2016-05-07 18:50:21 (GMT0) (75 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested

root@kali:~# nikto -h 103.56.252.15

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          103.56.252.15

+ Target Hostname:    103.56.252.15

+ Target Port:        80

+ Start Time:         2016-05-07 18:51:59 (GMT0)

---------------------------------------------------------------------------

+ Server: Apache/2.2.10 (Fedora)

+ Cookie PHPSESSID created without the httponly flag

+ Retrieved x-powered-by header: PHP/5.2.9

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Root page / redirects to: http://103.56.252.15/cgi/index.php

+ Server leaks inodes via ETags, header found with file /index.html, inode: 5530613, size: 77, mtime: Sat Nov 22 14:07:26 2014

+ Apache/2.2.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

+ OSVDB-3092: /includes/: This might be interesting...

+ OSVDB-3092: /manual/: Web server manual found.

+ OSVDB-3268: /icons/: Directory indexing found.

+ OSVDB-3268: /manual/images/: Directory indexing found.

+ /admin/phpinfo.php: Output from the phpinfo() function was found.

+ OSVDB-35877: /admin/phpinfo.php: Immobilier allows phpinfo() to be run.

+ OSVDB-3093: /includes/fckeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3233: /icons/README: Apache default file found.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/license.txt: FCKeditor license file found.

+ OSVDB-3093: /includes/fckeditor/fckconfig.js: FCKeditor JavaScript file found.

+ OSVDB-3093: /includes/fckeditor/_whatsnew.html: FCKeditor changes file found.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-89282: /includes/fckeditor/_whatsnew.html: FCKEditor versions below 2.6.9 allow file upload restriction bypasses, see http://soroush.secproject.com/blog/2012/...-the-hole/

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/browser/default/frmcreatefolder.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/uploadtest.html: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/lasso/connector.lasso?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.

+ OSVDB-3093: /includes/fckeditor/editor/filemanager/connectors/py/connector.py?Command=GetFolders&Type=File&CurrentFolder=%2F: FCKeditor could allow files to be updated or edited by remote attackers.

+ 9156 requests: 0 error(s) and 34 item(s) reported on remote host

+ End Time:           2016-05-07 18:53:32 (GMT0) (93 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested

root@kali:~#

It says that it has FCKeditor, which can be used to attack. I uploaded a test file, which works! But now how should I proceed further?
