Web Services

PORT     STATE SERVICE REASON         VERSION
8091/tcp open  http    syn-ack ttl 63 lighttpd 1.4.53
| http-method-tamper: 
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|       
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     / [POST]
|   
|     References:
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|       http://capec.mitre.org/data/definitions/274.html
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|_      http://www.mkit.com.ar/labs/htexploit/
| http-security-headers: 
|   Cache_Control: 
|     Header: Cache-Control: no-store, no-cache, must-revalidate
|   Pragma: 
|     Header: Pragma: no-cache
|   Expires: 
|_    Header: Expires: Thu, 19 Nov 1981 08:52:00 GMT
| http-sitemap-generator: 
|   Directory structure:
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_    
|_http-date: Sat, 06 Aug 2022 19:01:43 GMT; 0s from local time.
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-feed: Couldn't find any feeds.
| http-auth-finder: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.135.97
|   url                          method
|_  http://192.168.135.97:8091/  HTTP: Basic
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-useragent-tester: 
|   Status for browser useragent: 401
|   Allowed User Agents: 
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-comments-displayer: Couldn't find any comments.
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-server-header: lighttpd/1.4.53
|_http-chrono: Request times for /; avg: 209.19ms; min: 203.12ms; max: 216.64ms
| http-errors: 
| Spidering limited to: maxpagecount=40; withinhost=192.168.135.97
|   Found the following error pages: 
|   
|   Error Code: 401
|_  	http://192.168.135.97:8091/
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-mobileversion-checker: No mobile version detected.
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-vhosts: 
|_128 names had status 401
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-favicon: Unknown favicon MD5: B5F9F8F2263315029AD7A81420E6CC2D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-iis-webdav-vuln: Could not determine vulnerability, since root folder is password protected
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-malware-host: Host appears to be clean
| http-headers: 
|   Set-Cookie: PHPSESSID=h4a5fnr8pjoqnv8b42eoos5p63; path=/
|   Expires: Thu, 19 Nov 1981 08:52:00 GMT
|   Cache-Control: no-store, no-cache, must-revalidate
|   Pragma: no-cache
|   WWW-Authenticate: Basic realm="RaspAP"
|   Content-type: text/html; charset=UTF-8
|   Content-Length: 15
|   Connection: close
|   Date: Sat, 06 Aug 2022 19:01:51 GMT
|   Server: lighttpd/1.4.53
|   
|_  (Request type: GET)
|_http-devframework: ASP.NET detected. Found related header.
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=RaspAP
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
----------------------------------------------------------------------------------- ---------------------------------
RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)                         | php/webapps/50224.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
╭─      /home/kali ▓▒░───────────────────────────────────────────────────────────────────────░▒▓ ✔  root@kali 
╰─ searchsploit -x php/webapps/50224.py                    
  Exploit: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
      URL: https://www.exploit-db.com/exploits/50224
     Path: /usr/share/exploitdb/exploits/php/webapps/50224.py
File Type: Python script, ASCII text executable

