Tips for an Information Security Analyst/Pentester career - Ep. 36: Nikto, PHPMyAdmin and WebDav
In a previous post, we talked about vulnerability scanning.
This time, we're gonna focus on web applications and we'll see a couple of examples of web app exploitation.
Nikto
A handy tool to scan a website for vulnerabilities is nikto.
Its usage is very simple (nikto -h url_to_scan), as shown below.
In the video, I used it against our vulnerable XP machine.
The tool retrieved several vulnerabilities related to Xampp, PhpMyAdmin, SMTP and a bunch of other software, you name it.
Xampp
Our target vulnerable machine runs a vulnerable Xampp version (1.7.2) with WebDAV enabled. If we can access WebDAV, we can create, move and delete files on the web server.
So, I tried to connect to WebDAV using a tool called cadaver and the default credentials (username: wampp, password: xampp), and I was successful.
This is a very bad thing, even though I wasn't able to upload a reverse shell.
Zervit
My Windows XP machine also runs a vulnerable web server application called Zervit on TCP port 3232; it is subject to a directory traversal attack and is easily crashed, even by an Nmap scan.
Nmap isn't able to correctly identify this service, but if we connect to it through a web browser we get a file listing.
If we send a GET request to that port through netcat, we can perform a successful banner grab, as the web server replies with its name and current version.
Directory traversal
Zervit 0.4 is subject to a directory traversal attack. In fact, through such an attack, we're able to recover the boot.ini file.
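To show what goes wrong in this class of bug, here is an added example (not code from the post or from Zervit): a naive path resolver that concatenates the requested URL path onto the document root, next to a hardened one that decodes, normalises and refuses anything that escapes the root. DOC_ROOT is an assumed document root for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example (not a real Zervit setting).
DOC_ROOT = "/srv/www"


def naive_resolve(requested: str) -> str:
    """Vulnerable: glue the decoded URL path onto the document root
    without checking that the result still lies inside it. A request
    for ../../boot.ini walks straight out of the web root."""
    return DOC_ROOT + "/" + unquote(requested).lstrip("/")


def safe_resolve(requested: str):
    """Hardened: decode once, refuse NUL bytes and backslashes, normalise
    away every '..' segment, then require the result to be DOC_ROOT or
    something beneath it. Returns the absolute path, or None to refuse."""
    decoded = unquote(requested)
    # NUL can truncate the path in a C-based server; backslashes are
    # directory separators on Windows and must not slip past the check.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Prefix check on DOC_ROOT + "/" so that "/srv/www-private" is not
    # mistaken for a path inside "/srv/www".
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, a plain traversal,
    # a URL-encoded traversal and a harmless '..' that stays inside root.
    for req in ("/index.html", "../../boot.ini", "%2e%2e/%2e%2e/boot.ini", "docs/../index.html"):
        print(f"{req!r:28} naive={naive_resolve(req)!r:30} safe={safe_resolve(req)!r}")
```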
PhpMyAdmin
This vulnerable Xampp version allows unrestricted access to PhpMyAdmin, without the need for any credentials whatsoever.
This is extremely dangerous, as it gives root access to the database.
I found this vulnerability to affect the default configuration of newest Xampp versions, as well.
Having root access to the database, we can run SQL commands with root privileges and wreak havoc.
I gained access to the user table and viewed the two users existing on that database, along with their privileges.
I could've easily changed the privileges in order to allow an escalation in favor of the standard user.
SMTP
Nikto shows the SMTP server allows the VRFY command, which can be leveraged to enumerate users.
We can therefore determine that georgia is a valid user, and so is administrator, while no other users are present on the server.
In the above screenshot, response code 250 means the user was found on the server, while 551 means that specific user doesn't exist.