- Get detailed information about a web server
- How to properly decorate a folder when you are using indexes
Get detailed information about a web server
To get the PHP version of a remote web server, use the WhatWeb Ruby script. It can retrieve a lot of information about a web server, as long as the site is not fronted by Cloudflare.
Here is an example.
(jcartwright@localhost) 192.168.1.5 Documents $ whatweb https://hackthissite.org | tr "," "\n"
https://hackthissite.org [200 OK] Content-Language[en]
Cookies[HackThisSite]
Country[CANADA][CA]
HTTPServer[HackThisSite]
IP[137.74.187.101]
JQuery[1.8.1]
Meta-Author[HackThisSite.org Staff]
Open-Graph-Protocol[website]
PasswordField[password]
Script[text/javascript]
Strict-Transport-Security[max-age=31536000; includeSubDomains; preload]
Title[Hack This Site]
UncommonHeaders[upgrade
onion-location
access-control-allow-origin
content-security-policy
referrer-policy
feature-policy
public-key-pins-report-only
report-to
nel]
X-XSS-Protection[0]
This lists the version numbers of any software WhatWeb can fingerprint on the site, such as jQuery above, and PHP when the server reveals it.
This is another example.
(jcartwright@localhost) 192.168.1.5 Documents $ whatweb https://mharatlms.com | tr "," "\n"
https://mharatlms.com [200 OK] Apache
Content-Language[ar]
Cookies[MoodleSession]
Country[UNITED STATES][US]
Email[[email protected] [email protected]]
HTML5
HTTPServer[Apache]
IP[162.214.194.214]
JQuery[3.5.1]
Moodle
PasswordField[password]
Script[text/css]
Title[منصة مهارات للتعليم عن بعد]
UncommonHeaders[content-script-type content-style-type]
X-Frame-Options[sameorigin]
X-UA-Compatible[IE=edge]
You can get just the software version like this.
(jcartwright@localhost) 192.168.1.5 Documents $ whatweb https://mharatlms.com | tr "," "\n" | grep JQuery
JQuery[3.5.1]
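Splitting on every comma works for a quick look, but as the first run shows it also breaks a multi-valued plugin such as UncommonHeaders[...] across lines. The script below is an added example, written by me and not part of the original post or of WhatWeb itself: it parses a line of WhatWeb's brief output while respecting the brackets, and then reports which fingerprints leak a dotted version number, which is the list a site owner would want to review. The sample line is the second run above, reconstructed into the one-line format WhatWeb prints before tr touches it; the function names and the version heuristic are my own.

```python
import re

# Constructed sample: the page's second WhatWeb run, joined back into WhatWeb's
# one-line brief format (comma-separated plugins, each with zero or more
# [bracketed] value groups whose values are themselves comma-separated).
SAMPLE_LINE = (
    "https://mharatlms.com [200 OK] Apache, Content-Language[ar], Cookies[MoodleSession], "
    "Country[UNITED STATES][US], HTML5, HTTPServer[Apache], IP[162.214.194.214], "
    "JQuery[3.5.1], Moodle, PasswordField[password], Script[text/css], "
    "UncommonHeaders[content-script-type,content-style-type], X-Frame-Options[sameorigin]"
)

# Plugins whose values contain dots but are not software versions.
NON_VERSION_PLUGINS = {"IP"}


def split_top_level(text):
    """Split on commas that sit outside [...], so UncommonHeaders[a,b,c]
    stays in one piece (tr "," "\\n" splits it apart)."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_whatweb_line(line):
    """Parse one brief-format line into url, status and a plugin -> values dict."""
    match = re.match(r"^(\S+)\s+\[([^\]]*)\]\s*(.*)$", line.strip())
    if not match:
        raise ValueError("not a WhatWeb result line: %r" % line)
    url, status, rest = match.groups()
    plugins = {}
    for item in split_top_level(rest):
        bracket = item.find("[")
        if bracket == -1:                      # bare plugin name, e.g. "Moodle"
            plugins[item] = []
            continue
        name = item[:bracket]
        groups = re.findall(r"\[([^\]]*)\]", item[bracket:])   # Country[CANADA][CA] -> 2 groups
        plugins[name] = [v.strip() for g in groups for v in g.split(",") if v.strip()]
    return {"url": url, "status": status, "plugins": plugins}


def disclosed_versions(result):
    """Return plugin -> version for every fingerprint whose value carries a
    dotted version number (heuristic: digits separated by dots)."""
    found = {}
    for name, values in result["plugins"].items():
        if name in NON_VERSION_PLUGINS:
            continue
        for value in values:
            m = re.search(r"\d+(\.\d+)+", value)
            if m:
                found[name] = m.group(0)
                break
    return found


if __name__ == "__main__":
    parsed = parse_whatweb_line(SAMPLE_LINE)
    for name, values in parsed["plugins"].items():
        print("%-20s %s" % (name, ", ".join(values) or "-"))
    print("version disclosure:", disclosed_versions(parsed))
```

Feed it each line of a saved whatweb run (one target per line) and the parsed dict gives you the same data as the grep trick without the false splits; the version report is what to compare against your patch list.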
Another way to get comprehensive information about a website when penetration testing is the Perl-based Nikto scanner, which returns a lot of very useful information about a site.
Download the script.
(jcartwright@localhost) 192.168.1.5 Documents $ git clone https://github.com/sullo/nikto
Cloning into 'nikto'...
remote: Enumerating objects: 7237, done.
remote: Counting objects: 100% (1249/1249), done.
remote: Compressing objects: 100% (409/409), done.
remote: Total 7237 (delta 939), reused 1117 (delta 839), pack-reused 5988
Receiving objects: 100% (7237/7237), 4.91 MiB | 5.65 MiB/s, done.
Resolving deltas: 100% (5255/5255), done.
Then install the required Perl modules if needed. I am running AlmaLinux 9, so I needed to install a few more modules, as I am doing this manually.
[root@localhost program]# dnf in perl-bignum perl-Net
Then you should be good to go. Navigate to the program/ folder inside the cloned repository and run nikto.pl to scan a site. This is perfect for scanning a website to check for any vulnerabilities.
(jcartwright@localhost) 192.168.1.5 program $ ./nikto.pl -h https://mharatlms.com
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 162.214.194.214
+ Target Hostname: mharatlms.com
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /CN=mharatlms.jicclms.com
Altnames: mail.mharatlms.com, mharatlms.com, mharatlms.jicclms.com, www.mharatlms.com, www.mharatlms.jicclms.com
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /C=US/O=Let's Encrypt/CN=R3
+ Start Time: 2023-09-22 10:49:03 (GMT10)
---------------------------------------------------------------------------
+ Server: Apache
+ /: Cookie MoodleSession created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Uncommon header 'content-style-type' found, with contents: text/css.
+ /: Uncommon header 'content-script-type' found, with contents: text/javascript.
+ /: The site uses TLS and the Strict-Transport-Security HTTP header is not defined. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /mharatlms.zip: Potentially interesting backup/cert file found. (NOTE: requested by IP address). See: https://cwe.mitre.org/data/definitions/530.html
+ /pluginfile.php/1/theme_edumy/favicon/1692706572/Mharat-Logo-Dark.png: Uncommon header 'content-disposition' found, with contents: inline; filename="Mharat-Logo-Dark.png".
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /admin/: Uncommon header 'x-accel-buffering' found, with contents: no.
+ /admin/: Uncommon header 'x-redirect-by' found, with contents: Moodle /admin/index.php:786.
+ /mailman/listinfo: Mailman was found on the server. See: CWE-552
+ /auth/: This might be interesting.
+ /backup/: Directory indexing found.
+ /backup/: This might be interesting.
+ /install/: Directory indexing found.
+ /install/: This might be interesting.
+ /lib/: This might be interesting.
+ /login/: This might be interesting.
+ /pix/: Directory indexing found.
+ /pix/: This might be interesting.
+ /img-sys/: Default image directory should not allow directory listing.
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /INSTALL.txt: Default file found.
+ /info.php?file=http://cirt.net/public/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /test.php: This might be interesting.
+ /repository/: Directory indexing found.
+ /repository/: CRX WebDAV upload.
+ /composer.json: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ /composer.lock: PHP Composer configuration file reveals configuration information. See: https://getcomposer.org/
+ 8768 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time: 2023-09-22 12:42:46 (GMT10) (6823 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
This site has problems…
This will take a while to run, so be patient. Most of the findings are directories that are reachable over the web but should not be, which is CWE-552 (Files or Directories Accessible to External Parties). This should be addressed ASAP. Adding a .htaccess file with this directive is a good way to fix it.
Options -Indexes
Alternatively, placing a blank index.php file in the folder stops the listing, although the files inside can still be fetched by anyone who knows their names.
How to properly decorate a folder when you are using indexes
For a folder you do want users to browse, use these .htaccess directives.
Options +Indexes
IndexOptions +FancyIndexing
Or use this set to wrap the listing in your own HTML header and footer.
Options +Indexes
HeaderName HEADER.html
ReadmeName FOOTER.html
IndexIgnore .htaccess .??* *~ *# HEADER* FOOTER* README* RCS CVS *,v *,t *.inc ..
# keep both keywords prefixed: an unprefixed keyword discards the +SuppressHTMLPreamble before it
IndexOptions +SuppressHTMLPreamble +SuppressDescription
This is the HEADER.html. It opens the document and the body; FOOTER.html closes them.
<html>
<head>
<title>Useful Arma 3 dev utilities.</title>
<style type="text/css">
body {
	color: #000000;
	background: #FFFFFF;
	font-family: Arial;
	font-size: 10pt;
	text-align: left;
	padding: 0em;
}
a {
	color: rgb(0,16,255);
	font-size: 10pt;
	font-family: Arial;
}
h1 {
	font-size: 15pt;
	font-family: Courier;
	font-weight: bold;
	text-align: left;
}
td {
	width: 200px;
}
a[href="/"] {display: none;}
</style>
</head>
<body>
<h1>Arma 3 utilities.</h1>
<p>Some useful Arma 3 utilities orphaned from the Armaholic website. I am hosting them here as a public service.</p>
<p>I hope someone appreciates this gesture.</p>
And this is the FOOTER.html.
<img src="https://www.securitronlinux.com/webp/1381036356449-960x540.webp" width="960" alt="Soldiers near a fuel station in Arma 3." />
<p>All files are owned by their respective authors. I am just hosting them to make them accessible to all modders and Arma 3 tinkerers.</p>
</body>
</html>
With these three files (.htaccess, HEADER.html and FOOTER.html), you can easily decorate a directory listing and enable nice file browsing with a nicely formatted list and branding.
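Before relying on Nikto to tell you which folders are listable, you can audit the document root yourself from the filesystem side. The script below is an added example of mine, not part of the original post or of Apache: it walks a document root, applies the Options Indexes state of each .htaccess the way Apache inherits it (relative +Indexes/-Indexes adjust the parent's state, an unprefixed list replaces it), and reports every directory whose listing would actually be served, i.e. Indexes on and no index file present. It serves both the CWE-552 fix above and the deliberately browsable folders of this section, which it reports as well so you can confirm they are the ones you meant. It assumes AllowOverride permits Options in .htaccess, a server default of Indexes on (adjustable by parameter), and the DirectoryIndex names in INDEX_FILES; the demo tree is constructed in a temporary directory and mirrors the kinds of findings in the Nikto output.

```python
import os
import tempfile

# Assumed DirectoryIndex list; adjust to what the server's Apache config uses.
INDEX_FILES = ("index.html", "index.htm", "index.php")


def apply_options_line(line, indexes):
    """Update the Indexes state from one 'Options ...' line.
    Relative keywords (+Indexes / -Indexes) adjust the inherited state; an
    absolute list with no prefixes replaces it, so 'Options FollowSymLinks'
    switches Indexes off as a side effect."""
    tokens = line.split()[1:]
    if not tokens:
        return indexes
    if all(t[0] in "+-" for t in tokens):
        for t in tokens:
            if t[1:].lower() == "indexes":
                indexes = t[0] == "+"
        return indexes
    return any(t.lower() == "indexes" for t in tokens)


def indexes_after_htaccess(directory, inherited):
    """Indexes state inside `directory` once its .htaccess (if any) is applied."""
    state = inherited
    htaccess = os.path.join(directory, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess) as fh:
            for raw in fh:
                parts = raw.split()
                if parts and parts[0].lower() == "options":
                    state = apply_options_line(raw, state)
    return state


def audit_docroot(root, server_default_indexes=True):
    """Walk the document root top-down, carrying the Indexes state into each
    child, and return the directories whose listing Apache would serve:
    Indexes on and no DirectoryIndex file present."""
    state_of = {root: indexes_after_htaccess(root, server_default_indexes)}
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in dirnames:
            child = os.path.join(dirpath, name)
            state_of[child] = indexes_after_htaccess(child, state_of[dirpath])
        if state_of[dirpath] and not any(f in filenames for f in INDEX_FILES):
            exposed.append(os.path.relpath(dirpath, root))
    return sorted(exposed)


def build_demo_tree():
    """Constructed document root in a temporary directory with the situations
    the Nikto findings point at; nothing here comes from a real server."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": "<?php // front page\n",
        "backup/site-2023.tar.gz": "",                    # no index, no .htaccess: listed
        "pix/.htaccess": "Options -Indexes\n",            # listing switched off
        "pix/logo.png": "",
        "repository/index.php": "",                       # blank index hides the listing...
        "repository/dump.sql": "",                        # ...but this file is still served by name
        "downloads/.htaccess": "Options +Indexes\nIndexOptions +FancyIndexing\n",
        "downloads/tool.zip": "",                         # deliberately browsable
        "downloads/old/readme.txt": "",                   # inherits +Indexes from downloads/
        "private/.htaccess": "Options FollowSymLinks\n",  # absolute list, Indexes dropped
        "private/secret.txt": "",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    docroot = build_demo_tree()
    for rel in audit_docroot(docroot):
        print("directory listing would be served for:", rel)
```

Run it against the real document root instead of the demo tree and every reported path that is not meant to be browsable gets an .htaccess with Options -Indexes (or the same line in an ancestor); re-run until only the decorated folders remain. Note that the script only flags listings: a blank index file silences a folder here, but as the repository/ entry in the demo shows, the files next to it are still served to anyone who asks for them by name.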