VULNERABILITY: nikto: Check DVWA (en)

From OnnoWiki

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including more than 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on more than 270 servers. Nikto also checks server configuration items such as the presence of multiple index files and the HTTP server options, and it will try to identify the installed web server and software. Scan items and plugins are frequently updated and can be updated automatically.

Nikto is not designed as a stealth tool. It tests a web server in the shortest time possible and is clearly visible in log files or to an IPS/IDS. There is, however, support for LibWhisker's anti-IDS methods in case you want to try them (or to test your IDS).

Not every check is a security issue, although most are. Some items are "information only" checks that look for things that may not have a security vulnerability, but that the webmaster or security engineer may not know are present on the server. These items are usually marked accordingly in the printed output. There are also some checks for unknown items that have been seen in scan logs.

Commands

nikto --host http://192.168.0.100/DVWA-1.9/
nikto -C all --host http://192.168.0.100/DVWA-1.9/

Results

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.100
+ Target Hostname:    192.168.0.100
+ Target Port:        80
+ Start Time:         2017-04-04 05:45:21 (GMT7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /DVWA-1.9/robots.txt, fields: 0x1a 0x52156c6a290c0
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /DVWA-1.9/config/: Directory indexing found.
+ /DVWA-1.9/config/: Configuration information may be available remotely.
+ OSVDB-3268: /DVWA-1.9/docs/: Directory indexing found.
+ /DVWA-1.9/login.php: Admin login page/section found.
+ 7535 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-04-04 05:45:40 (GMT7) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
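The header findings in the scan output above can be re-checked on the server side without running Nikto. The Python script below is an added example, not part of the original page or of Nikto's own code: it parses a raw HTTP response and reports the same gaps Nikto listed (missing X-Frame-Options, X-Content-Type-Options and X-XSS-Protection, a PHPSESSID cookie without HttpOnly, and an ETag in Apache's multi-field format). Both responses are constructed samples modelled on the scan, one as found and one hardened; the ETag test is this example's own heuristic, not Nikto's logic.

```python
"""Re-check the header and cookie findings Nikto reported, offline, against a raw HTTP response."""
import re

# Constructed sample response modelled on the scan findings above (not captured from a real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    'ETag: "1a-52156c6a290c0"\r\n'
    "Location: login.php\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# The same response after the hardening the findings ask for (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Location: login.php\r\n"
    "\r\n"
)

# Headers Nikto flagged as absent in the scan above.
REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")

# Heuristic: Apache's "FileETag INode MTime Size" layout yields 2-3 dash-separated hex fields.
APACHE_MULTI_FIELD_ETAG = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+(-[0-9a-f]+)?"$', re.I)


def parse_headers(raw):
    """Return the response headers as a list of (lower-cased name, value), keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def values(headers, name):
    """All values of one header (Set-Cookie may legitimately appear several times)."""
    return [v for n, v in headers if n == name.lower()]


def audit_response(raw):
    """Return a list of findings, in the same spirit as the Nikto lines above."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in present:
            findings.append(f"{name} header is not present")
    for cookie in values(headers, "Set-Cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name} created without the HttpOnly flag")
    for etag in values(headers, "ETag"):
        if APACHE_MULTI_FIELD_ETAG.match(etag):
            findings.append(f"ETag {etag} looks like Apache's inode-based format")
    return findings


if __name__ == "__main__":
    for label, raw in (("as scanned", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(raw)
        print(f"[{label}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The script reports five findings for the scanned-style response and none for the hardened one. The `Secure` cookie flag in the hardened sample only has an effect when the site is served over HTTPS, which the scan target above (plain http://) is not; the other headers apply either way.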

Interesting Find

DVWA-1.9/config/

To Be Exploited

For example, a server administrator who edits the file config.inc.php will, to be safe, back up config.inc.php first :) ..

cd /var/www/html/DVWA-1.9/config/
cp config.inc.php config.inc.php.bak
vi config.inc.php

If the .bak file is then forgotten and never deleted, it can be retrieved :) .. Some editors also leave traces behind:

.config.inc.php
config.inc.php~

and the ~ file in particular can be fetched from outside.
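The leftover files described above are easiest to catch on the server itself, before a scanner lists them. The following Python script is an added example and not part of the original page: it walks a DocumentRoot and reports the backup and editor artefacts named above (.bak copies, ~ backups, hidden dot-copies and Vim swap files) while leaving Apache's own .htaccess alone. The directory tree it builds is a constructed sample in a temporary directory, and the name patterns are this example's own list, not Nikto's check database.

```python
"""Find backup and editor leftovers under a web root (constructed example)."""
import re
import tempfile
from pathlib import Path

# Name patterns that admins and editors leave behind (this example's own list).
LEFTOVER_PATTERNS = [
    re.compile(r"\.(bak|old|orig|save|copy)$", re.I),  # manual copies such as config.inc.php.bak
    re.compile(r"~$"),                                  # Emacs/Vim-style backup: config.inc.php~
    re.compile(r"^\..*\.sw[a-p]$"),                     # Vim swap file: .config.inc.php.swp
    re.compile(r"^\.(?!htaccess$|htpasswd$).+"),        # hidden copies, but not Apache's control files
]


def is_leftover(name):
    """True if a file name matches any leftover pattern."""
    return any(p.search(name) for p in LEFTOVER_PATTERNS)


def find_leftover_files(root):
    """Return sorted root-relative POSIX paths of every leftover file below root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and is_leftover(path.name):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_root():
    """Create a constructed DVWA-like tree in a temp dir, mirroring the files named above."""
    root = Path(tempfile.mkdtemp(prefix="dvwa-root-"))
    cfg = root / "DVWA-1.9" / "config"
    cfg.mkdir(parents=True)
    for name in (
        "config.inc.php",        # the live file, must not be flagged
        "config.inc.php.bak",    # forgotten backup
        "config.inc.php~",       # editor backup
        ".config.inc.php",       # hidden copy
        ".config.inc.php.swp",   # Vim swap file
        ".htaccess",             # Apache control file, must not be flagged
    ):
        (cfg / name).write_text("<?php // constructed placeholder\n")
    (root / "DVWA-1.9" / "index.php").write_text("<?php\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for hit in find_leftover_files(sample):
        print(hit)
```

Run against the real DocumentRoot (for the scan above, /var/www/html), anything reported should be deleted or moved outside the web root. Because the scan also reported directory indexing on /DVWA-1.9/config/, such files would appear in the listing as well, so disabling indexing there with Apache's `Options -Indexes` closes that second route.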