蕭仲廷
# LSA Final Reconnaissance Report Summary

[TOC]

## Vulnerability Reconnaissance

- For convenience of running the tools, Kali Linux is used throughout.
- Some of the results below were not saved at the time, so their dates come from recent re-scans!

### Nmap

#### Department A

- OS and service version detection:

![](https://i.imgur.com/pnTVMiI.png)

- Info: nginx 1.21.1; ports 80 and 443 open, everything else protected by the firewall.
- Result: yep, looking good! (though ftp port 21 is sometimes detected as closed)

#### Department B

- OS and service version detection:

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p 22,80,443 www.econ.ncnu.edu.tw
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-11 05:39 EDT
Nmap scan report for www.econ.ncnu.edu.tw (163.22.17.239)
Host is up (0.020s latency).
Other addresses for www.econ.ncnu.edu.tw (not scanned): 2001:e10:6840:17::239

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.10.3 (Ubuntu)
443/tcp open  ssl/http nginx 1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.66 seconds
```

- Info: ports 22 (OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)), 80 (nginx 1.10.3 (Ubuntu)) and 443 (nginx 1.10.3 (Ubuntu)) open.

#### Department C

- OS and service version detection:

![](https://i.imgur.com/gNo87qG.png)

- Info: ports 80 (IIS/7.5), 135 (Microsoft Windows RPC), 443 (Microsoft IIS httpd 7.5), 445 (Windows Server 2008 R2), 1027 (Microsoft Windows RPC), 2000 (cisco-sccp?), 3389 (ssl/ms-wbt-server?) and 5060 (sip?) open; runs on Oracle VirtualBox.
- Result: known to be maintained by an outside vendor, so not much time was spent on this department's site.

### Nikto

#### Department A

```
┌──(kali㉿kali)-[~]
└─$ nikto -host https://www.im.ncnu.edu.tw/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          163.22.17.179
+ Target Hostname:    www.im.ncnu.edu.tw
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=im.ncnu.edu.tw
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-15 17:06:21 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.21.6
+ Cookie pll_language created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<https://www.im.ncnu.edu.tw/wp-json/>; rel="https://api.w.org/",<https://www.im.ncnu.edu.tw/wp-json/wp/v2/pages/8>; rel="alternate"; type="application/json",<https://www.im.ncnu.edu.tw/>; rel=shortlink,)
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie 16863131a70540ee0a98ed41f8f47f50 created without the secure flag
+ Uncommon header 'x-logged-in' found, with contents: False
+ Uncommon header 'x-content-powered-by' found, with contents: K2 v2.9.0 (by JoomlaWorks)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'www.im.ncnu.edu.tw' does not match certificate's names: im.ncnu.edu.tw
+ OSVDB-1210: /scripts/samples/search/qfullhit.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ OSVDB-1210: /scripts/samples/search/qsumrhit.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ OSVDB-1210: /q2tkg.htw: Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/MS00-006.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /package.json: Node.js package file found. It may contain sensitive information.
+ 8046 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2022-06-15 18:03:53 (GMT-4) (3452 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

- Info: OSVDB-1210, OSVDB-3092
  - OSVDB-1210: after checking, the vulnerability probably does not exist.
  - OSVDB-3092: after checking, no exploitable information.
- Result: the tool detected possible vulnerabilities, but after investigation there should be none.

#### Department B

```
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-05 03:56:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Cookie 8927458f6716f94ba38740cab170e144 created without the secure flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie 08b7a45bef55987e7feaa2e19378b2f0 created without the secure flag
+ Entry '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/bin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/cli/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/layouts/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ nginx/1.10.3 appears to be outdated (current is at least 1.14.0)
+ Multiple index files found: /index.php, /index.php4, /index.php7, /index.php3, /index.php5
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/MS02-018 for details.
+ OSVDB-578: /level/16: CISCO HTTP service allows remote execution of commands
+ OSVDB-155: /counter/1/n/n/0/3/5/0/a/123.gif: The Roxen Counter may eat up excessive CPU time with image requests.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /news: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /wwwthreads/3tvars.pm: This might be interesting...
+ OSVDB-3092: /bin/wwwthreads/3tvars.pm: This might be interesting...
+ OSVDB-4908: /securelogin/1,2345,A,00.html: Vignette Story Server v4.1, 6, may disclose sensitive information via a buffer overflow.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /www/2: This might be interesting...
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8870 requests: 0 error(s) and 39 item(s) reported on remote host
+ End Time:           2022-06-05 04:18:07 (GMT-4) (1280 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

- Info:
  - nginx/1.10.3
    - Possibly affected by CVE-2017-7529 (Remote Integer Overflow Vulnerability), but the vulnerability script test did not pass; it may already be fixed, but updating is still recommended.
  - robots.txt and OSVDB-3092: most entries lead to blank pages, except /administrator/, which leads into the Joomla control panel (injection attack attempted).
  - OSVDB-578: should correspond to CVE-2000-0984 / CVE-2001-0537; the patch should already be applied.
  - OSVDB-4908: test failed; the vulnerability should already be fixed.
- Result: the tool detected possible vulnerabilities, but they should all be fixed already.

#### Department C

```
┌──(kali㉿kali)-[~]
└─$ nikto -h https://www.dch.ncnu.edu.tw/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          163.22.5.189
+ Target Hostname:    www.dch.ncnu.edu.tw
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /CN=ccweb3.ncnu.edu.tw
                   Ciphers:  ECDHE-RSA-AES256-SHA384
                   Issuer:   /C=US/O=Let's Encrypt/CN=R3
+ Start Time:         2022-06-11 04:46:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ARRAY(0x564da0afda10)
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ Retrieved x-aspnet-version header: 2.0.50727
+ Cookie PHPSESSID created without the secure flag
+ Entry '/manage/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname 'www.dch.ncnu.edu.tw' does not match certificate's names: ccweb3.ncnu.edu.tw
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /download/: This might be interesting...
+ OSVDB-3092: /information/: This might be interesting...
+ 8861 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2022-06-11 05:07:42 (GMT-4) (1283 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

- Info:
  - /manage/ is the login system of the department's vendor; attempts to get in failed.
    - Tried the forgot-password and forgot-account functions and attempted SQL injection, without success.
  - OSVDB-12184:
    - On inspection these are PHP easter eggs, present roughly in versions before PHP 5.5.
    - After checking, the easter eggs should not be a vulnerability, but disabling them is still recommended.
  - OSVDB-3092:
    - Just different pages of the site.
- Result: the tool detected possible vulnerabilities, but after investigation there should be none.

### skipfish

#### Department A

![](https://i.imgur.com/rC8m3J9.png)
![](https://i.imgur.com/rQqko7t.png)

- Info: after checking, the vulnerabilities appear not to exist (not certain).
- Result: the tool detected possible vulnerabilities, but after investigation there should be none.

#### Department B

![](https://i.imgur.com/jNQ0ori.png)
![](https://i.imgur.com/liGH0iI.png)

- Info: after checking, the vulnerabilities appear not to exist (not certain).
- Result: the tool detected possible vulnerabilities, but after investigation there should be none.

#### Department C

![](https://i.imgur.com/wZJPhm7.png)

- Info: perfect.
- Result: passed the test perfectly.

### OWASP ZAP

#### Department A

![](https://i.imgur.com/yt0EEPK.png)

- Info: possible reflected XSS and SQL Injection vulnerabilities.
  - Investigating reflected XSS: during the automated scan, ZAP found that `onmouseover=alert(1);` could be entered and submitted to the server, and on that basis judged a possible XSS, but the payload did not actually execute -> the vulnerability does not exist.
  - Investigating SQL Injection: the page that raised the alert is a teacher's personal information page; after checking, nothing related to SQL statements could be found there.
- Result: the application reported suspected vulnerabilities, but after investigation they probably do not exist.

#### Department B

![](https://i.imgur.com/ORKYlAd.png)

- Info: possible reflected XSS vulnerability.
  - Investigating reflected XSS: during the automated scan, ZAP found that `onmouseover=alert(1);` could be entered and submitted to the server, and on that basis judged a possible XSS, but the payload did not actually execute -> the vulnerability does not exist.
- Result: the application reported suspected vulnerabilities, but after investigation they probably do not exist.

#### Department C

![](https://i.imgur.com/aEQRo1P.png)

- Info: medium-strength test passed.
- Result: test passed.

### Targeted scans

#### Department A

- WPScan

```
┌──(hacker_kali㉿kali)-[~]
└─$ wpscan --url https://www.im.ncnu.edu.tw
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: https://www.im.ncnu.edu.tw/ [163.22.17.179]
[+] Started: Thu Jun 16 05:52:28 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.21.6
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://www.im.ncnu.edu.tw/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://www.im.ncnu.edu.tw/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://www.im.ncnu.edu.tw/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.7.6 identified (Latest, released on 2022-03-11).
 | Found By: Rss Generator (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/feed/, <generator>https://wordpress.org/?v=5.7.6</generator>
 | Confirmed By: Meta Generator (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/, Match: 'WordPress 5.7.6'

[+] WordPress theme in use: blocksy
 | Location: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/
 | Last Updated: 2022-06-03T00:00:00.000Z
 | Readme: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/readme.txt
 | [!] The version is out of date, the latest version is 1.8.36
 | Style URL: https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/style.css?ver=5.7.6
 | Style Name: Blocksy
 | Style URI: https://creativethemes.com/blocksy/
 | Description: Blocksy is a blazing fast and lightweight WordPress theme built with the latest web technologies. It...
 | Author: CreativeThemes
 | Author URI: https://creativethemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.8.3.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/themes/blocksy/style.css?ver=5.7.6, Match: 'Version: 1.8.3.3'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] addon-elements-for-elementor-page-builder
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/addon-elements-for-elementor-page-builder/
 | Last Updated: 2022-03-28T11:31:00.000Z
 | [!] The version is out of date, the latest version is 1.11.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.11.1 (50% confidence)
 | Found By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/addon-elements-for-elementor-page-builder/readme.txt

[+] animate-it
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/
 | Last Updated: 2022-03-28T09:00:00.000Z
 | [!] The version is out of date, the latest version is 2.4.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.3.7 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/animate-it/readme.txt

[+] blocksy-companion
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/blocksy-companion/
 | Last Updated: 2022-06-03T12:42:00.000Z
 | [!] The version is out of date, the latest version is 1.8.34
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.8.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/blocksy-companion/readme.txt

[+] elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/
 | Last Updated: 2022-06-12T12:41:00.000Z
 | [!] The version is out of date, the latest version is 3.6.6
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.2.4 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.2.4
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.2.4
 | Confirmed By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor/readme.txt

[+] elementor-pro
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.1.0 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.1.0
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js?ver=3.1.0
 | Confirmed By: Change Log (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/elementor-pro/changelog.txt, Match: '#### 3.1.0 -'

[+] header-footer-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/header-footer-elementor/
 | Last Updated: 2022-05-25T04:30:00.000Z
 | [!] The version is out of date, the latest version is 1.6.11
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.5.9 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/header-footer-elementor/readme.txt

[+] piotnet-addons-for-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/piotnet-addons-for-elementor/
 | Last Updated: 2022-06-10T15:36:00.000Z
 | [!] The version is out of date, the latest version is 2.4.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.4.9 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/piotnet-addons-for-elementor/readme.txt

[+] powerpack-lite-for-elementor
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/
 | Last Updated: 2022-06-09T16:20:00.000Z
 | [!] The version is out of date, the latest version is 2.6.15
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.3.6 (100% confidence)
 | Found By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/readme.txt
 | Confirmed By: Change Log (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/powerpack-lite-for-elementor/changelog.txt, Match: '= 2.3.6 ='

[+] smart-slider-3
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/
 | Last Updated: 2022-05-30T12:08:00.000Z
 | [!] The version is out of date, the latest version is 3.5.1.7
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.5.0.9 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/smart-slider-3/readme.txt

[+] templately
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/templately/
 | Last Updated: 2022-06-02T05:22:00.000Z
 | [!] The version is out of date, the latest version is 1.3.5
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.2.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/templately/README.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/templately/README.txt

[+] wordpress-seo
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/
 | Last Updated: 2022-06-14T07:55:00.000Z
 | [!] The version is out of date, the latest version is 19.1
 |
 | Found By: Comment (Passive Detection)
 |
 | Version: 16.4 (100% confidence)
 | Found By: Comment (Passive Detection)
 |  - https://www.im.ncnu.edu.tw/, Match: 'optimized with the Yoast SEO plugin v16.4 -'
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - https://www.im.ncnu.edu.tw/wp-content/plugins/wordpress-seo/readme.txt

[+] wp-attachments
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wp-attachments/
 | Last Updated: 2021-10-20T20:06:00.000Z
 | [!] The version is out of date, the latest version is 5.0.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 5.0.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wp-attachments/readme.txt

[+] wpforms-lite
 | Location: https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/
 | Last Updated: 2022-05-19T12:28:00.000Z
 | [!] The version is out of date, the latest version is 1.7.4.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.6.7 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://www.im.ncnu.edu.tw/wp-content/plugins/wpforms-lite/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:13 <==================================================================> (137 / 137) 100.00% Time: 00:00:13

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Jun 16 05:52:54 2022
[+] Requests Done: 210
[+] Cached Requests: 6
[+] Data Sent: 58.756 KB
[+] Data Received: 13.023 MB
[+] Memory used: 228.266 MB
[+] Elapsed time: 00:00:26
```

- Info: no obvious vulnerabilities in the re-scan (but I remember once having found 3 or 4 WordPress account names; brute forcing was attempted, but it was shut down after running for seven hours).
- Result: account names were once enumerated, but the password brute force did not succeed.

#### Department B

- joomscan
- Info: no vulnerabilities detected.
- Result: test passed (joomscan has not been updated for a long time).

### Scan summary

| | Department A | Department B | Department C |
| -------- | -------- | -------- | --- |
| Nmap | No exploitable port | Port 22 open | 8 ports open |
| Nikto | Tool detected possible vulnerabilities, but none after investigation | Tool detected possible vulnerabilities, but they should all be fixed | Tool detected possible vulnerabilities, but none after investigation |
| Skipfish | Tool detected possible vulnerabilities, but none after investigation | Tool detected possible vulnerabilities, but none after investigation | Passed perfectly |
| OWASP ZAP | Tool detected possible vulnerabilities, but none after investigation | Tool detected possible vulnerabilities, but none after investigation | Passed |
| Targeted scan | Brute force attempted using the enumeration results (unsuccessful) | Passed (the test software is probably too outdated) | No targeted test |
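All three Nikto runs above share the same class of low-severity findings: missing X-Frame-Options, Strict-Transport-Security and X-Content-Type-Options headers, cookies set without HttpOnly or Secure, and deflate compression over TLS. The checker below reproduces those checks over two constructed response heads, one mirroring the Department A findings and one with the fixes applied; it is an added example, not part of the original report or of Nikto, and `WEAK_RESPONSE`, `HARDENED_RESPONSE` and `check_headers` are names assumed here.

```python
"""Nikto-style header and cookie-flag checks over constructed HTTP responses.

Added example; not part of the original report and not Nikto's own code.
Both responses below are constructed, not captured traffic.
"""

# Mirrors the Department A findings: versioned Server banner, deflate
# encoding, cookies without HttpOnly, no clickjacking/HSTS/nosniff headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.21.6\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Encoding: deflate\r\n"
    "Set-Cookie: pll_language=zh_TW; Path=/; Secure\r\n"
    "Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; Path=/; Secure\r\n"
    "\r\n"
)

# Same site with the reported gaps closed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: pll_language=zh_TW; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)


def parse_response(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP response head into its status line and header pairs.

    Header names are lower-cased; repeated headers (several Set-Cookie lines)
    are kept in order rather than collapsed into one value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie: str) -> tuple[str, set[str]]:
    """Return the cookie name and the lower-cased set of attribute names."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def check_headers(raw: str, https: bool = True) -> list[str]:
    """Return Nikto-style findings for one response head.

    https=True enables the TLS-only checks (HSTS, Secure cookie flag, BREACH).
    """
    _, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    if "x-frame-options" not in present:
        findings.append("The anti-clickjacking X-Frame-Options header is not present.")
    if "x-content-type-options" not in present:
        findings.append("The X-Content-Type-Options header is not set.")
    if https and "strict-transport-security" not in present:
        findings.append("The site uses SSL and the Strict-Transport-Security header is not defined.")
    for name, value in headers:
        if name == "server" and any(ch.isdigit() for ch in value):
            # A version in the banner is what Nikto and WPScan key their version checks on.
            findings.append(f"Server header discloses a version: {value}")
        elif https and name == "content-encoding" and value.lower() in ("deflate", "gzip"):
            # HTTP compression of responses that mix secrets with attacker-influenced
            # text is the precondition BREACH relies on.
            findings.append(f'The Content-Encoding header is set to "{value}" (BREACH)')
        elif name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(f"Cookie {cookie} created without the httponly flag")
            if https and "secure" not in attrs:
                findings.append(f"Cookie {cookie} created without the secure flag")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_headers(raw)
        print(f"== {label}: {len(found)} finding(s)")
        for item in found:
            print("  +", item)
```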
