Acunetix 360 identified a Boolean-Based SQL Injection, which occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Acunetix 360 confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed Acunetix 360 to identify and confirm the SQL injection.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attacks:
Reading, updating and deleting arbitrary data/tables from the database
Executing commands on the underlying operating system
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:20:31 PM
Actions to Take
See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
Use your weblogs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy
The best way to protect your code against SQL injections is using parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.
Acunetix 360 identified a Command Injection, which occurs when input data is interpreted as an operating system command.
This is a highly critical issue and should be addressed as soon as possible.
Impact
An attacker can execute arbitrary commands on the system.
Vulnerabilities
2.1. http://php.testsparker.com/nslookup.php
CONFIRMED
Method: POST
Parameter: param
Value: '& SET /A 0xFFF9999-76795 &
Proof of Exploit
tasklist
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:14:30 PM
Actions to Take
See the remedy for solution.
If possible, do not invoke system commands from the application.
Find all instances of similar code and make the code changes outlined in the remedy section.
Remedy
Before invoking system commands within an application, consider using an API that lets you separate the command from its parameters. This avoids many of the problems associated with command execution. See the external references for some examples. If this is not possible, whitelist all input and encode it in accordance with the underlying subsystem (for example, on Windows you need to escape the cmd.exe control characters).
Required Skills for Successful Exploitation
This is an easy issue to exploit, requiring little skill or knowledge. Most knowledgeable attackers can gain remote access over such a system within minutes.
Acunetix 360 identified a Remote File Inclusion vulnerability on the target web application.
This occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution.
Impact
Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server in the context of the web server user, hence making arbitrary code execution possible. Where the web server user has administrative privileges, full system compromise is also possible.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:11:51 PM
Remedy
Wherever possible, do not allow the appending of file paths as a variable. File paths should be hard-coded or selected from a small pre-defined list.
Where dynamic path concatenation is a major application requirement, ensure that input validation is performed, that you accept only the minimum set of characters required (for example "a-Z0-9"), and that you filter out and reject sequences such as "..", "/" or "%00" (null byte), or any other similar characters with special meaning.
It's important to limit the API to only allow inclusion from a directory or directories below a defined path.
Required Skills for Successful Exploitation
There are freely available web backdoors/shells for exploiting remote file inclusion vulnerabilities, and using them requires little knowledge or attack skill. This has typically been one of the most widely leveraged web application vulnerabilities; therefore, there is a high level of information readily available to attackers on how to mount and successfully undertake these forms of attack.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:12:21 PM
Remedy
Do not accept input from end users which will be directly interpreted as source code. If this is a business requirement, validate all input to the application by removing any data that could be directly interpreted as PHP source code.
Required Skills for Successful Exploitation
This vulnerability is not difficult to leverage. PHP is a high level language for which there are vast resources available. Successful exploitation requires knowledge of the programming language, access to the source code or the ability to produce source code for use in such attacks, and minimal attack skills.
Acunetix 360 identified a code execution vulnerability, which occurs when user-supplied input is evaluated as an expression by the template engine instead of being treated as a string literal.
This is a highly critical issue and should be addressed as soon as possible.
Impact
An attacker can execute arbitrary code by supplying crafted template engine tag constructs. The attacker may also be able to execute arbitrary system commands.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:13:34 PM
Remedy
Do not trust the data that users supply and do not add it directly into the template. Instead, pass user-controlled parameters to the template as template parameters.
Required Skills for Successful Exploitation
This vulnerability is not difficult to leverage. There are vast resources available for template engines. Successful exploitation requires knowledge of the programming language and syntax of the template engine. Minimal attack skill is enough to exploit vulnerabilities like this one.
Acunetix 360 detected that the Database User Has Admin Privileges.
This issue has been confirmed by checking the connection privileges via an identified SQL injection vulnerability in the application.
Impact
This can allow an attacker to gain extra privileges via SQL injection attacks. Here is the list of attacks that the attacker might carry out:
Gain full access to the database server.
Gain a reverse shell to the database server and execute commands on the underlying operating system.
Access the database with full permissions, where it may be possible to read, update or delete arbitrary data from the database.
Depending on the platform and the database system user, an attacker might carry out a privilege escalation attack to gain administrator access to the target system.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:15:04 PM
Remedy
Create a database user with the least possible permissions for your application and connect to the database with that user. Always follow the principle of providing the least privileges for all users and applications.
SVN repository files can disclose SVN addresses, SVN usernames, and date information. While disclosures of this type do not provide chances of direct attack, they can be useful for an attacker when combined with other vulnerabilities or during the exploitation of some other vulnerabilities.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:11:34 PM
Remedy
Do not leave SVN repository files on production environments. If there is a business requirement to do so, implement access control mechanisms to stop public access to SVN repository files.
If you do one-time deployments, you can also use Export instead of a checkout.
Acunetix 360 detected an Open Policy Crossdomain.xml file.
Impact
Open policy Crossdomain.xml file allows other SWF files to make HTTP requests to your web server and see its response. This can be used for accessing one time tokens and CSRF nonces to bypass CSRF restrictions.
Acunetix 360 detected an Open Silverlight Client Access Policy file (ClientAccessPolicy.xml).
Impact
The ClientAccessPolicy.xml file allows other Silverlight client services to make HTTP requests to your web server and see its response. This might be used for accessing one time tokens and CSRF nonces to bypass CSRF restrictions.
Acunetix 360 detected that SSL/TLS is not implemented.
Impact
An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.
That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.
Therefore no message you send to the server remains confidential.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:10:22 PM
Remedy
We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx, to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.
Acunetix 360 identified a cookie not marked as HTTPOnly.
HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.
Impact
During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:09:59 PM
Actions to Take
See the remedy for solution.
Consider marking all of the cookies used by the application as HTTPOnly. (After these changes, JavaScript code will not be able to read cookies.)
Remedy
Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
Acunetix 360 identified a version disclosure (Apache) in the target web server's HTTP response.
This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Acunetix 360 identified a version disclosure (PHP) in the target web server's HTTP response.
This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version identified.
Acunetix 360 identified a Programming Error Message.
Impact
The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. Source code, stack trace, etc. data may be disclosed. Most of these issues will be identified and reported separately by Acunetix 360.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:10:36 PM
Remedy
Do not provide error messages on production environments. Save error messages with a reference number to a backend storage such as a log, text file or database, then show this number and a static user-friendly error message to the user.
Acunetix 360 detected the TRACE/TRACK method is allowed.
Impact
It is possible to bypass the HttpOnly cookie limitation and read the cookies in a cross-site scripting attack by using the TRACE/TRACK method within an XMLHttpRequest. This is not possible with modern browsers, so the vulnerability can only be used when targeting users with old, unpatched browsers.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:11:33 PM
Remedy
Disable this method in all production systems. Even if the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.
Acunetix 360 detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.
Impact
Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
The Issue was detected during the Scan. The State was set to Present
System
7/5/2020 6:10:14 PM
Remedy
Send the proper X-Frame-Options HTTP response header to instruct the browser not to allow framing from other domains.
X-Frame-Options: DENY completely denies the page from being loaded in a frame/iframe.
X-Frame-Options: SAMEORIGIN allows framing only if the site that wants to load the page has the same origin.
X-Frame-Options: ALLOW-FROM URL grants a specific URL permission to load the page in an iframe. However, note that not all browsers support this.
Additionally, employ defensive code in the UI to ensure that the current frame is the top-level window.