LSA Final Reconnaissance Report Summary

Vulnerability Reconnaissance

  • Kali Linux is used throughout because it makes running the tools convenient.
  • Some of the results below were not saved at the time, so their dates come from recent re-scans!

Nmap

Department A

  • OS and service version detection:
    (screenshot of the nmap output; image not available)
    • Info: nginx 1.21.1
      Ports 80 and 443 open; everything else is protected by the firewall
    • Result: yep, looks great! (although FTP port 21 is sometimes detected as closed)

Department B

  • OS and service version detection:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p 22,80,443 www.econ.ncnu.edu.tw
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-11 05:39 EDT
Nmap scan report for www.econ.ncnu.edu.tw (163.22.17.239)
Host is up (0.020s latency).
Other addresses for www.econ.ncnu.edu.tw (not scanned): 2001:e10:6840:17::239

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.10.3 (Ubuntu)
443/tcp open  ssl/http nginx 1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.66 seconds
  • Info: ports 22 (OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)), 80 (nginx 1.10.3 (Ubuntu)) and 443 (nginx 1.10.3 (Ubuntu)) open

Department C

  • OS and service version detection:
    • Info:
      Ports 80 (IIS/7.5), 135 (Microsoft Windows RPC), 443 (Microsoft IIS httpd 7.5), 445 (Windows Server 2008 R2), 1027 (Microsoft Windows RPC), 2000 (cisco-sccp?), 3389 (ssl/ms-wbt-server?) and 5060 (sip?) open
      Running on Oracle VirtualBox
    • Result: this site is known to be maintained by an outside vendor, so not much time was spent on it

Nikto

Department A

┌──(kali㉿kali)-[~]
└─$ nikto -host https://www.im.ncnu.edu.tw/    
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          163.22.17.179
+ Target Hostname:    www.im.ncnu.edu.tw
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=im.ncnu.edu.tw
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-15 17:06:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.21.6
+ Cookie pll_language created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<https://www.im.ncnu.edu.tw/wp-json/>; rel="https://api.w.org/",<https://www.im.ncnu.edu.tw/wp-json/wp/v2/pages/8>; rel="alternate"; type="application/json",<https://www.im.ncnu.edu.tw/>; rel=shortlink,)
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie 16863131a70540ee0a98ed41f8f47f50 created without the secure flag
+ Uncommon header 'x-logged-in' found, with contents: False
+ Uncommon header 'x-content-powered-by' found, with contents: K2 v2.9.0 (by JoomlaWorks)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'www.im.ncnu.edu.tw' does not match certificate's names: im.ncnu.edu.tw
+ OSVDB-1210: /scripts/samples/search/qfullhit.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ OSVDB-1210: /scripts/samples/search/qsumrhit.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ OSVDB-1210: /q2tkg.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /package.json: Node.js package file found. It may contain sensitive information.
+ 8046 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2022-06-15 18:03:53 (GMT-4) (3452 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

  • Info: OSVDB-1210, OSVDB-3092
    • OSVDB-1210: after checking, the vulnerability probably does not exist
    • OSVDB-3092: after checking, nothing exploitable was found
  • Result: the tool flagged possible vulnerabilities, but after investigation none appear to exist.

Department B

                  Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-05 03:56:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Cookie 8927458f6716f94ba38740cab170e144 created without the secure flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie 08b7a45bef55987e7feaa2e19378b2f0 created without the secure flag
+ Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/layouts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ nginx/1.10.3 appears to be outdated (current is at least 1.14.0)
+ Multiple index files found: /index.php, /index.php4, /index.php7, /index.php3, /index.php5
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/MS02-018 for details.
+ OSVDB-578: /level/16: CISCO HTTP service allows remote execution of commands
+ OSVDB-155: /counter/1/n/n/0/3/5/0/a/123.gif: The Roxen Counter may eat up excessive CPU time with image requests.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /news: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /wwwthreads/3tvars.pm: This might be interesting...
+ OSVDB-3092: /bin/wwwthreads/3tvars.pm: This might be interesting...
+ OSVDB-4908: /securelogin/1,2345,A,00.html: Vignette Story Server v4.1, 6, may disclose sensitive information via a buffer overflow.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /www/2: This might be interesting...
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8870 requests: 0 error(s) and 39 item(s) reported on remote host
+ End Time:           2022-06-05 04:18:07 (GMT-4) (1280 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

  • Info:
    • nginx/1.10.3
      • May be affected by CVE-2017-7529 (remote integer overflow vulnerability); the exploit-script test did not succeed, so it has probably been patched, but an update is still recommended
    • robots.txt and OSVDB-3092: most entries lead to blank pages, except /administrator/, which opens the Joomla admin console (injection attacks were attempted)
    • OSVDB-578:
      • Probably CVE-2000-0984 / CVE-2001-0537; should already be patched
    • OSVDB-4908:
      • Test failed; the vulnerability has probably been fixed
  • Result: the tool flagged possible vulnerabilities, but they all appear to have been fixed.

Department C

┌──(kali㉿kali)-[~]
└─$ nikto -h https://www.dch.ncnu.edu.tw/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          163.22.5.189
+ Target Hostname:    www.dch.ncnu.edu.tw
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=ccweb3.ncnu.edu.tw
                   Ciphers:  ECDHE-RSA-AES256-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-11 04:46:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ARRAY(0x564da0afda10)
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ Retrieved x-aspnet-version header: 2.0.50727
+ Cookie PHPSESSID created without the secure flag
+ Entry '/manage/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'www.dch.ncnu.edu.tw' does not match certificate's names: ccweb3.ncnu.edu.tw
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /download/: This might be interesting...
+ OSVDB-3092: /information/: This might be interesting...
+ 8861 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2022-06-11 05:07:42 (GMT-4) (1283 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

  • Info:
    • /manage/ is the department vendor's login system; attempts to get in failed
      • Tried the forgot-password / forgot-username functions and attempted SQL injection, without success
    • OSVDB-12184:
      • These turned out to be PHP Easter eggs, present in PHP versions before roughly 5.5
      • After checking, the Easter eggs do not appear to be a vulnerability, but disabling them is still recommended
    • OSVDB-3092:
      • Just different sub-pages
  • Result: the tool flagged possible vulnerabilities, but after investigation none appear to exist.
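The header and cookie findings that Nikto reported for all three servers (cookies without HttpOnly or Secure, missing X-Frame-Options, Strict-Transport-Security and X-Content-Type-Options, deflate encoding, a version-bearing Server header) can be re-checked offline from a captured response before they are reported to the site owner. The Python script below is an added example, not part of the original report or of Nikto; the two responses it audits are constructed to mirror the findings, and the suggested header values are this example's assumptions.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Headers Nikto reports as absent on an HTTPS site, with the value a defender
# would usually set (these values are this example's suggestion, not the page's).
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}


def parse_response(raw: str) -> Tuple[int, List[Header]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: List[Header] = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_cookies(headers: List[Header]) -> List[str]:
    """Flag Set-Cookie headers that lack HttpOnly or Secure, as Nikto does."""
    findings: List[str] = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";")[0].split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie {cookie} created without the HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"Cookie {cookie} created without the Secure flag")
    return findings


def audit_headers(headers: List[Header], https: bool = True) -> List[str]:
    """Flag missing hardening headers, deflate encoding and a Server header with a version."""
    findings: List[str] = []
    present = {name for name, _ in headers}
    for name, suggested in EXPECTED_HEADERS.items():
        if name == "strict-transport-security" and not https:
            continue  # HSTS is only meaningful on HTTPS
        if name not in present:
            findings.append(f"Missing {name} header (suggest: {suggested})")
    for name, value in headers:
        if name == "content-encoding" and "deflate" in value.lower():
            findings.append("Content-Encoding is deflate (Nikto's BREACH indicator)")
        if name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"Server header discloses version: {value}")
    return findings


def audit(raw: str, https: bool = True) -> List[str]:
    """Full audit of one raw response; returns the findings (empty when clean)."""
    _, headers = parse_response(raw)
    return audit_cookies(headers) + audit_headers(headers, https)


# Constructed sample responses (not captured from the scanned hosts), modelled
# on the findings Nikto listed for the department B server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.10.3 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Encoding: deflate\r\n"
    "Set-Cookie: 08b7a45bef55987e7feaa2e19378b2f0=abc123; path=/\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```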

skipfish

Department A

  • Info: after checking, no vulnerability appears to exist (not confirmed)
  • Result: the tool flagged possible vulnerabilities, but after investigation none appear to exist.

Department B

  • Info: after checking, no vulnerability appears to exist (not confirmed)
  • Result: the tool flagged possible vulnerabilities, but after investigation none appear to exist.

Department C

  • Info: perfect
  • Result: passed the test perfectly

OWASP ZAP

Department A

  • Info: possible reflected XSS and SQL injection vulnerabilities
    • Reflected XSS triage: during the automated scan ZAP found that the input onmouseover=alert(1); could be entered and submitted to the server, and therefore reported a possible XSS; it did not actually execute, so the vulnerability does not exist
    • SQL injection triage: the alerted page is a teacher's personal information page; on inspection nothing related to SQL statements could be found
  • Result: the application reported suspected vulnerabilities, but after investigation they probably do not exist.

Department B

  • Info: possible reflected XSS vulnerability
    • Reflected XSS triage: during the automated scan ZAP found that the input onmouseover=alert(1); could be entered and submitted to the server, and therefore reported a possible XSS; it did not actually execute, so the vulnerability does not exist
  • Result: the application reported a suspected vulnerability, but after investigation it probably does not exist.

Department C

  • Info: medium-strength test passed
  • Result: test passed

Targeted Scans

Department A

  • WPScan
┌──(hacker_kali㉿kali)-[~]
└─$ wpscan --url https://www.im.ncnu.edu.tw               
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: https://www.im.ncnu.edu.tw/ [163.22.17.179]
[+] Started: Thu Jun 16 05:52:28 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.21.6
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://www.im.ncnu.edu.tw/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://www.im.ncnu.edu.tw/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://www.im.ncnu.edu.tw/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.6 identified (Latest, released on 2022-03-11).
 | Found By: Rss Generator (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/feed/, <generator>https://wordpress.org/?v=5.7.6</generator>
 | Confirmed By: Meta Generator (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/, Match: 'WordPress 5.7.6'

[+] WordPress theme in use: blocksy
 | Location: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/
 | Last Updated: 2022-06-03T00:00:00.000Z
 | Readme: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/readme.txt
 | [!] The version is out of date, the latest version is 1.8.36
 | Style URL: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/style.css?ver=5.7.6
 | Style Name: Blocksy
 | Style URI: https://creativethemes.com/blocksy/
 | Description: Blocksy is a blazing fast and lightweight WordPress theme built with the latest web technologies. It...
 | Author: CreativeThemes
 | Author URI: https://creativethemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.8.3.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/style.css?ver=5.7.6, Match: 'Version: 1.8.3.3'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] addon-elements-for-elementor-page-builder
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/addon-elements-for-elementor-page-builder/
 | Last Updated: 2022-03-28T11:31:00.000Z
 | [!] The version is out of date, the latest version is 1.11.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.11.1 (50% confidence)
 | Found By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt

[+] animate-it
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/
 | Last Updated: 2022-03-28T09:00:00.000Z
 | [!] The version is out of date, the latest version is 2.4.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.3.7 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/readme.txt

[+] blocksy-companion
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/blocksy-companion/
 | Last Updated: 2022-06-03T12:42:00.000Z
 | [!] The version is out of date, the latest version is 1.8.34
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.8.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/blocksy-companion/readme.txt

[+] elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/
 | Last Updated: 2022-06-12T12:41:00.000Z
 | [!] The version is out of date, the latest version is 3.6.6
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.2.4 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.2.4
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.2.4
 | Confirmed By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/readme.txt

[+] elementor-pro
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.1.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?ver=3.1.0
 | Confirmed By: Change Log (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/changelog.txt, Match: '#### 3.1.0 -'

[+] header-footer-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/header-footer-elementor/
 | Last Updated: 2022-05-25T04:30:00.000Z
 | [!] The version is out of date, the latest version is 1.6.11
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.5.9 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/header-footer-elementor/readme.txt

[+] piotnet-addons-for-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/piotnet-addons-for-elementor/
 | Last Updated: 2022-06-10T15:36:00.000Z
 | [!] The version is out of date, the latest version is 2.4.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.4.9 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/piotnet-addons-for-elementor/readme.txt

[+] powerpack-lite-for-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/
 | Last Updated: 2022-06-09T16:20:00.000Z
 | [!] The version is out of date, the latest version is 2.6.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.3.6 (100% confidence)
 | Found By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/readme.txt
 | Confirmed By: Change Log (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/changelog.txt, Match: '= 2.3.6 ='

[+] smart-slider-3
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/
 | Last Updated: 2022-05-30T12:08:00.000Z
 | [!] The version is out of date, the latest version is 3.5.1.7
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.5.0.9 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/readme.txt

[+] templately
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/templately/
 | Last Updated: 2022-06-02T05:22:00.000Z
 | [!] The version is out of date, the latest version is 1.3.5
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.2.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/templately/README.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/templately/README.txt

[+] wordpress-seo
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/
 | Last Updated: 2022-06-14T07:55:00.000Z
 | [!] The version is out of date, the latest version is 19.1
 |
 | Found By: Comment (Passive Detection)
 |
 | Version: 16.4 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/, Match: 'optimized with the Yoast SEO plugin v16.4 -'
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/readme.txt

[+] wp-attachments
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wp-attachments/
 | Last Updated: 2021-10-20T20:06:00.000Z
 | [!] The version is out of date, the latest version is 5.0.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 5.0.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wp-attachments/readme.txt

[+] wpforms-lite
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/
 | Last Updated: 2022-05-19T12:28:00.000Z
 | [!] The version is out of date, the latest version is 1.7.4.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.6.7 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:13 <==================================================================> (137 / 137) 100.00% Time: 00:00:13

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jun 16 05:52:54 2022
[+] Requests Done: 210
[+] Cached Requests: 6
[+] Data Sent: 58.756 KB
[+] Data Received: 13.023 MB
[+] Memory used: 228.266 MB
[+] Elapsed time: 00:00:26
  • Info: the re-scan found no obvious vulnerabilities (but I recall earlier finding three or four WordPress account names and running a brute-force attempt against them, which was stopped after seven hours)
  • Result: account names were once enumerated, but the password brute-force did not succeed
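To triage the WPScan output above (which plugins and the theme trail the latest version, and which have no update data at all and need a manual check), the following added Python script, not part of the original report or of WPScan, parses WPScan's text format and compares versions numerically. The excerpt it parses is a constructed sample modelled on the report above, not the full captured output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Component:
    """One theme or plugin block from WPScan's text report."""
    name: str
    version: Optional[str]     # detected version, if WPScan found one
    confidence: Optional[int]  # WPScan's confidence in that version (%)
    latest: Optional[str]      # latest version WPScan knows of, if any


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric key for dotted versions: as strings "1.8.36" < "1.8.4", numerically it is not."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_wpscan(text: str) -> List[Component]:
    """Extract theme/plugin blocks (those carrying a Location line) from WPScan output."""
    components: List[Component] = []
    # '[+] ' at line start opens a block; each block runs until the next one.
    for block in re.split(r"^\[\+\] ", text, flags=re.M)[1:]:
        head, _, body = block.partition("\n")
        if "| Location:" not in body:
            continue  # Headers, XML-RPC, WP-Cron, progress lines: not components
        name = head.replace("WordPress theme in use: ", "").strip()
        ver = re.search(r"\| Version: (\S+) \((\d+)% confidence\)", body)
        latest = re.search(r"the latest version is (\S+)", body)
        components.append(Component(
            name=name,
            version=ver.group(1) if ver else None,
            confidence=int(ver.group(2)) if ver else None,
            latest=latest.group(1) if latest else None,
        ))
    return components


def triage(components: List[Component]) -> Tuple[List[str], List[str]]:
    """Split components into (outdated, needs manual check).
    A component goes to the manual list when WPScan gave no detected version or
    no latest version (elementor-pro in the report above has no update data)."""
    outdated: List[str] = []
    manual: List[str] = []
    for c in components:
        if c.version is None or c.latest is None:
            manual.append(c.name)
        elif version_key(c.version) < version_key(c.latest):
            outdated.append(c.name)
    return outdated, manual


# Constructed excerpt in WPScan's text format, modelled on the report above.
SAMPLE_WPSCAN = """\
[+] Headers
 | Interesting Entry: Server: nginx/1.21.6
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress theme in use: blocksy
 | Location: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/
 | [!] The version is out of date, the latest version is 1.8.36
 |
 | Version: 1.8.3.3 (80% confidence)
 | Found By: Style (Passive Detection)

[+] elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/
 | [!] The version is out of date, the latest version is 3.6.6
 |
 | Version: 3.2.4 (100% confidence)

[+] elementor-pro
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/
 |
 | Version: 3.1.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
"""

if __name__ == "__main__":
    outdated, manual = triage(parse_wpscan(SAMPLE_WPSCAN))
    print("Outdated:", ", ".join(outdated))
    print("Check manually:", ", ".join(manual))
```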

Department B

  • joomscan
    • Info: no vulnerabilities detected
    • Result: test passed (though joomscan has not been updated in a long time)

Scan Summary

| Tool          | Department A | Department B | Department C |
|---------------|--------------|--------------|--------------|
| Nmap          | no exploitable ports | port 22 open | 8 ports open |
| Nikto         | possible vulnerabilities flagged, but none found on investigation | possible vulnerabilities flagged, but all appear to have been fixed | possible vulnerabilities flagged, but none found on investigation |
| Skipfish      | possible vulnerabilities flagged, but none found on investigation | possible vulnerabilities flagged, but none found on investigation | passed perfectly |
| OWASP ZAP     | possible vulnerabilities flagged, but none found on investigation | possible vulnerabilities flagged, but none found on investigation | passed |
| Targeted scan | brute force attempted using the results (unsuccessful) | passed (the test software is probably too outdated) | no targeted test |