OS for a Hacker | author: admin | 27 September 2015

Category: Security


Our site was recently hacked: the databases with passwords were stolen and accounts on the forum were hijacked. Perhaps our deflated opponents decided to prove their point this way.








To find the vulnerability through which the site could have been hacked, let's simply type "sql scanners linux" into a search engine.
Google gives us: sqlmap, nikto, w3af, OWASP ZAP and mysqloit. We won't touch Mysqloit; it has not been updated for six years.

SQLMAP - a console, a heap of letters and nothing concrete.
         _
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150920}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:55:38

[14:55:38] [WARNING] you've provided target URL without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
do you want to try URI injections in the target URL itself? [Y/n/q] y
[14:55:40] [INFO] testing connection to the target URL
sqlmap got a 301 redirect to '/forum/'. Do you want to follow? [Y/n] y
[14:55:42] [INFO] testing if the target URL is stable
[14:55:42] [WARNING] URI parameter '#1*' does not appear dynamic
[14:55:47] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[14:55:47] [INFO] testing for SQL injection on URI parameter '#1*'
[14:55:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:55:48] [WARNING] reflective value(s) found and filtering out
[14:56:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[14:56:04] [INFO] URI parameter '#1*' seems to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[14:56:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:56:04] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:56:05] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:56:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:56:05] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:56:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:56:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:56:05] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[14:56:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:56:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[14:56:06] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:56:06] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[14:56:06] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[14:56:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:56:06] [INFO] testing 'PostgreSQL OR error-based - WHERE or HAVING clause'
[14:56:06] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:56:07] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[14:56:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[14:56:07] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[14:56:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:56:07] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[14:56:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[14:56:08] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[14:56:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[14:56:08] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[14:56:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[14:56:08] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[14:56:09] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[14:56:09] [INFO] testing 'Firebird OR error-based - WHERE or HAVING clause'
[14:56:09] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[14:56:09] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[14:56:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[14:56:09] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[14:56:09] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[14:56:09] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[14:56:09] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[14:56:09] [INFO] testing 'PostgreSQL error-based - Parameter replace (GENERATE_SERIES)'
[14:56:09] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[14:56:09] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[14:56:09] [INFO] testing 'Oracle error-based - Parameter replace'
[14:56:09] [INFO] testing 'Firebird error-based - Parameter replace'
[14:56:09] [INFO] testing 'MySQL inline queries'
[14:56:09] [INFO] testing 'PostgreSQL inline queries'
[14:56:10] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:56:10] [INFO] testing 'Oracle inline queries'
[14:56:10] [INFO] testing 'SQLite inline queries'
[14:56:10] [INFO] testing 'Firebird inline queries'
[14:56:10] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[14:56:10] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT)'
[14:56:10] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[14:56:11] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:56:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[14:56:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:56:11] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[14:56:11] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:56:11] [INFO] testing 'PostgreSQL stacked queries (heavy query - comment)'
[14:56:11] [INFO] testing 'PostgreSQL stacked queries (heavy query)'
[14:56:11] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[14:56:11] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc)'
[14:56:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[14:56:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:56:12] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[14:56:12] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[14:56:12] [INFO] testing 'Oracle stacked queries (heavy query - comment)'
[14:56:12] [INFO] testing 'Oracle stacked queries (heavy query)'
[14:56:12] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP - comment)'
[14:56:12] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[14:56:12] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP - comment)'
[14:56:13] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[14:56:13] [INFO] testing 'IBM DB2 stacked queries (heavy query - comment)'
[14:56:13] [INFO] testing 'IBM DB2 stacked queries (heavy query)'
[14:56:13] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[14:56:13] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[14:56:13] [INFO] testing 'Firebird stacked queries (heavy query - comment)'
[14:56:13] [INFO] testing 'Firebird stacked queries (heavy query)'
[14:56:13] [INFO] testing 'SAP MaxDB stacked queries (heavy query - comment)'
[14:56:13] [INFO] testing 'SAP MaxDB stacked queries (heavy query)'
[14:56:14] [INFO] testing 'HSQLDB >= 1.7.2 stacked queries (heavy query - comment)'
[14:56:14] [INFO] testing 'HSQLDB >= 1.7.2 stacked queries (heavy query)'
[14:56:14] [INFO] testing 'HSQLDB >= 2.0 stacked queries (heavy query - comment)'
[14:56:14] [INFO] testing 'HSQLDB >= 2.0 stacked queries (heavy query)'
[14:56:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[14:56:14] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT)'
[14:56:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT - comment)'
[14:56:14] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SELECT - comment)'
[14:56:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[14:56:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[14:56:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)'
[14:56:15] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)'
[14:56:15] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)'
[14:56:15] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)'
[14:56:15] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query - comment)'
[14:56:15] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query - comment)'
[14:56:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT)'
[14:56:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (SELECT - comment)'
[14:56:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[14:56:16] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[14:56:16] [INFO] testing 'MySQL AND time-based blind (ELT)'
[14:56:16] [INFO] testing 'MySQL OR time-based blind (ELT)'
[14:56:16] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[14:56:16] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[14:56:17] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:56:17] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind'
[14:56:17] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind (comment)'
[14:56:17] [INFO] testing 'PostgreSQL > 8.1 OR time-based blind (comment)'
[14:56:17] [INFO] testing 'PostgreSQL AND time-based blind (heavy query)'
[14:56:17] [INFO] testing 'PostgreSQL OR time-based blind (heavy query)'
[14:56:17] [INFO] testing 'PostgreSQL AND time-based blind (heavy query - comment)'
[14:56:17] [INFO] testing 'PostgreSQL OR time-based blind (heavy query - comment)'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (comment)'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[14:56:18] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query - comment)'
[14:56:18] [INFO] testing 'Oracle AND time-based blind'
[14:56:19] [INFO] testing 'Oracle OR time-based blind'
[14:56:19] [INFO] testing 'Oracle AND time-based blind (comment)'
[14:56:19] [INFO] testing 'Oracle OR time-based blind (comment)'
[14:56:19] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[14:56:19] [INFO] testing 'Oracle OR time-based blind (heavy query)'
[14:56:19] [INFO] testing 'Oracle AND time-based blind (heavy query - comment)'
[14:56:19] [INFO] testing 'Oracle OR time-based blind (heavy query - comment)'
[14:56:19] [INFO] testing 'IBM DB2 AND time-based blind (heavy query)'
[14:56:20] [INFO] testing 'IBM DB2 OR time-based blind (heavy query)'
[14:56:20] [INFO] testing 'IBM DB2 AND time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'IBM DB2 OR time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[14:56:20] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
[14:56:20] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'Firebird >= 2.0 AND time-based blind (heavy query)'
[14:56:20] [INFO] testing 'Firebird >= 2.0 OR time-based blind (heavy query)'
[14:56:20] [INFO] testing 'Firebird >= 2.0 AND time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'Firebird >= 2.0 OR time-based blind (heavy query - comment)'
[14:56:20] [INFO] testing 'SAP MaxDB AND time-based blind (heavy query)'
[14:56:21] [INFO] testing 'SAP MaxDB OR time-based blind (heavy query)'
[14:56:21] [INFO] testing 'SAP MaxDB AND time-based blind (heavy query - comment)'
[14:56:21] [INFO] testing 'SAP MaxDB OR time-based blind (heavy query - comment)'
[14:56:21] [INFO] testing 'HSQLDB >= 1.7.2 AND time-based blind (heavy query)'
[14:56:21] [INFO] testing 'HSQLDB >= 1.7.2 OR time-based blind (heavy query)'
[14:56:21] [INFO] testing 'HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)'
[14:56:21] [INFO] testing 'HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)'
[14:56:21] [INFO] testing 'HSQLDB > 2.0 AND time-based blind (heavy query)'
[14:56:22] [INFO] testing 'HSQLDB > 2.0 OR time-based blind (heavy query)'
[14:56:22] [INFO] testing 'HSQLDB > 2.0 AND time-based blind (heavy query - comment)'
[14:56:22] [INFO] testing 'HSQLDB > 2.0 OR time-based blind (heavy query - comment)'
[14:56:22] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[14:56:22] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[14:56:22] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[14:56:22] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (SELECT)'
[14:56:22] [INFO] testing 'MySQL <= 5.0.11 time-based blind - Parameter replace (heavy queries)'
[14:56:22] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[14:56:22] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[14:56:22] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[14:56:22] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[14:56:22] [INFO] testing 'PostgreSQL time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[14:56:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[14:56:22] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[14:56:22] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[14:56:22] [INFO] testing 'Oracle time-based blind - Parameter replace (heavy queries)'
[14:56:22] [INFO] testing 'SQLite > 2.0 time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'Firebird time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'SAP MaxDB time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'IBM DB2 time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)'
[14:56:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:56:22] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[14:56:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:56:26] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[14:56:27] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:56:28] [INFO] target URL appears to have 28 columns in query
[14:56:28] [WARNING] applying generic concatenation with double pipes ('||')
[14:56:37] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[14:56:37] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[14:56:40] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[14:56:45] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[14:56:46] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[14:56:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[14:56:48] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[14:56:49] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[14:56:49] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[14:56:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[14:57:16] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[14:57:16] [INFO] testing 'MySQL UNION query (32) - 22 to 40 columns'
[14:57:20] [INFO] testing 'MySQL UNION query (32) - 42 to 60 columns'
[14:57:24] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] q
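
The result in the session above is buried among the test lines. As an added example (not part of the original post and not sqlmap's own code), this Python script condenses such a console log to the techniques tried, the parameter sqlmap flagged, the warnings that undercut the flag, and whether the run reached a confirmation. `SAMPLE_LOG` is an excerpt of lines from the session above; the phrases in `CONFIRM_RE` are an assumption about sqlmap's usual confirmation wording, which this log never shows.

```python
import re

# Excerpt of lines from the sqlmap session above, used as sample input.
SAMPLE_LOG = """\
[14:55:38] [WARNING] you've provided target URL without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
[14:55:40] [INFO] testing connection to the target URL
[14:55:42] [WARNING] URI parameter '#1*' does not appear dynamic
[14:55:47] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[14:55:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:55:48] [WARNING] reflective value(s) found and filtering out
[14:56:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[14:56:04] [INFO] URI parameter '#1*' seems to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[14:56:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[14:56:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:56:10] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[14:56:14] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[14:56:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:56:28] [INFO] target URL appears to have 28 columns in query
[14:57:24] [WARNING] user aborted during detection phase
"""

LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[([A-Z]+)\] (.*)$")
TEST_RE = re.compile(r"^testing '(.+)'$")
CANDIDATE_RE = re.compile(
    r"parameter '([^']+)' (?:seems|appears) to be '(.+)' injectable")
COLUMNS_RE = re.compile(r"appears to have (\d+) columns")
# Assumption: sqlmap's usual confirmation wording; the page's log never shows it.
CONFIRM_RE = re.compile(
    r"parameter '[^']+' is vulnerable"
    r"|sqlmap identified the following injection point")
# Technique families as they appear in sqlmap's test titles.
TECHNIQUES = ("UNION query", "stacked queries", "time-based blind",
              "error-based", "boolean-based blind", "inline queries")
# Warnings from the log above that weaken a "seems to be injectable" line.
DOUBTS = ("does not appear dynamic", "might not be injectable",
          "reflective value(s) found")


def parse_log(text):
    """Return (time, level, message) for each timestamped line; prompts are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def technique_of(title):
    """Map a test title to its technique family."""
    return next((t for t in TECHNIQUES if t in title), "other")


def summarize(text):
    """Reduce a sqlmap console log to the lines a site owner has to act on."""
    by_technique = {}
    candidates, doubts, columns = [], [], None
    for _time, level, msg in parse_log(text):
        test = TEST_RE.match(msg)
        if test:
            name = technique_of(test.group(1))
            by_technique[name] = by_technique.get(name, 0) + 1
            continue
        found = CANDIDATE_RE.search(msg)
        if found:
            candidates.append(found.groups())
        cols = COLUMNS_RE.search(msg)
        if cols:
            columns = int(cols.group(1))
        if level == "WARNING" and any(d in msg for d in DOUBTS):
            doubts.append(msg)
    # Confirmation lines may carry no timestamp, so search the raw text.
    if CONFIRM_RE.search(text):
        verdict = "confirmed"
    elif candidates:
        verdict = "unconfirmed"
    else:
        verdict = "none"
    return {
        "tests_run": sum(by_technique.values()),
        "by_technique": by_technique,
        "candidates": candidates,
        "doubts": doubts,
        "columns": columns,
        "aborted": "user aborted" in text,
        "verdict": verdict,
    }


def report(text):
    """Render the summary as a few lines of plain text."""
    s = summarize(text)
    families = ", ".join(f"{k}={v}" for k, v in sorted(s["by_technique"].items()))
    lines = [f"tests run: {s['tests_run']} ({families})"]
    for param, title in s["candidates"]:
        lines.append(f"flagged: parameter {param!r} via {title!r}")
    for msg in s["doubts"]:
        lines.append(f"doubt: {msg}")
    if s["columns"] is not None:
        lines.append(f"query columns guessed: {s['columns']}")
    if s["aborted"]:
        lines.append("run aborted by user before detection finished")
    lines.append(f"verdict: {s['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the full session above the verdict is also `unconfirmed`: the run was aborted during detection and no confirmation line was ever printed.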

NIKTO

The same thing: a heap of letters and not a single hint of conciseness.

  perl nikto.pl -h /forum
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: stoplinux.org.ru
+ Target Port: 80
+ Start Time: 2015-09-27 15:07:14 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /forum/robots.txt, fields: 0xbb 0x51bddbad81900
+ "robots.txt" contains 12 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.16). Apache 2.2.31 is also current for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ /forum/servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
+ Uncommon header 'union all select filetoclob('/etc/passwd','server')' found, with contents: :html,0 FROM sysusers WHERE username=USER --/.html HTTP/1.1 404 Not Found
+ OSVDB-7501: /forum/themes/mambosimple.php?detection=detected&sitename=</title><script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7505: /forum/emailfriend/emailnews.php?id=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7504: /forum/emailfriend/emailfaq.php?id=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7503: /forum/emailfriend/emailarticle.php?id=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/administrator/upload.php?newbanner=1&choice=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7495: /forum/administrator/popups/sectionswindow.php?type=web&link=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7498: /forum/administrator/gallery/view.php?path=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7499: /forum/administrator/gallery/uploadimage.php?directory=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7497: /forum/administrator/gallery/navigation.php?directory=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7496: /forum/administrator/gallery/gallery.php?directory=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/https-admserv/bin/index?/<script>alert(document.cookie)</script>: Sun ONE Web Server 6.1 administration control is vulnerable to XSS attacks.
+ OSVDB-2876: /forum/clusterframe.jsp?cluster=<script>alert(document.cookie)</script>: Macromedia JRun 4.x JMC Interface, clusterframe.jsp file is vulnerable to a XSS attack.
+ /forum/upload.php?type=\"<script>alert(document.cookie)</script>: Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4619: /forum/soinfo.php?\"><script>alert('Vulnerable')</script>: The PHP script soinfo.php is vulnerable to Cross Site Scripting. Set expose_php = Off in php.ini.
+ /forum/servlet/MsgPage?action=test&msg=<script>alert('Vulnerable')</script>: NetDetector 3.0 and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/servlet/org.apache.catalina.ContainerServlet/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/servlet/org.apache.catalina.Context/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/servlet/org.apache.catalina.servlets.WebdavStatus/<script>alert('Vulnerable')</script>: Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/servlets/MsgPage?action=badlogin&msg=<script>alert('Vulnerable')</script>: The NetDetector install is vulnerable to Cross Site Scripting (XSS) in its invalid login message. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/admin/sh_taskframes.asp?Title=Configuraci%C3%B3n%20de%20registro%20Web&URL=MasterSettings/Web_LogSettings.asp?tab1=TabsWebServer%26tab2=TabsWebLogSettings%26__SAPageKey=5742D5874845934A134CD05F39C63240&ReturnURL=\"><script>alert(document.cookie)</script>: IIS 6 on Windows 2003 is vulnerable to Cross Site Scripting (XSS) in certain error messages. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-17665: /forum/SiteServer/Knowledge/Default.asp?ctr=\"><script>alert('Vulnerable')</script>: Site Server is vulnerable to Cross Site Scripting
+ OSVDB-17666: /forum/_mem_bin/formslogin.asp?\"><script>alert('Vulnerable')</script>: Site Server is vulnerable to Cross Site Scripting
+ /forum/nosuchurl/><script>alert('Vulnerable')</script>: JEUS is vulnerable to Cross Site Scripting (XSS) when requesting non-existing JSP pages. http://securitytracker.com/alerts/2003/Jun/1007004.html
+ OSVDB-3624: /forum/webcalendar/week.php?eventinfo=<script>alert(document.cookie)</script>: Webcalendar 0.9.42 and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/~/<script>alert('Vulnerable')</script>.aspx?aspxerrorpath=null: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /forum/~/<script>alert('Vulnerable')</script>.aspx: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /forum/~/<script>alert('Vulnerable')</script>.asp: Cross site scripting (XSS) is allowed with .asp file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html
+ /forum/catinfo?<u><b>TESTING: The Interscan Viruswall catinfo script is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/user.php?op=userinfo&uname=<script>alert('hi');</script>: The PHP-Nuke installation is vulnerable to Cross Site Scripting (XSS). Update to versions above 5.3.1. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-41361: /forum/templates/form_header.php?noticemsg=<script>javascript:alert(document.cookie)</script>: MyMarket 1.71 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9238: /forum/supporter/index.php?t=updateticketlog&id=<script><script>alert('Vulnerable')</script></script>: MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9238: /forum/supporter/index.php?t=tickettime&id=<script><script>alert('Vulnerable')</script></script>: MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9238: /forum/supporter/index.php?t=ticketfiles&id=<script><script>alert('Vulnerable')</script></script>: MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/sunshop.index.php?action=storenew&username=<script>alert('Vulnerable')</script>: SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02.
+ OSVDB-20232: /forum/submit.php?subject=<script>alert('Vulnerable')</script>&story=<script>alert('Vulnerable')</script>&storyext=<script>alert('Vulnerable')</script>&op=Preview: This install of PHP-Nuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-27097: /forum/ss000007.pl?PRODREF=<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-5049: /forum/setup.exe?<script>alert('Vulnerable')</script>&page=list_users&user=P: CiscoSecure ACS v3.0(1) Build 40 allows Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2689: /forum/servlet/ContentServer?pagename=<script>alert('Vulnerable')</script>: Open Market Inc. ContentServer is vulnerable to Cross Site Scripting (XSS) in the login-error page. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/search.asp?term=<%00script>alert('Vulnerable')</script>: ASP.Net 1.1 may allow Cross Site Scripting (XSS) in error pages (only some browsers will render this). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/samples/search.dll?query=<script>alert(document.cookie)</script>&logic=AND: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/replymsg.php?send=1&destin=<script>alert('Vulnerable')</script>: This version of PHP-Nuke's replymsg.php is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4599: /forum/pm_buddy_list.asp?name=A&desc=B%22%3E<script>alert('Vulnerable')</script>%3Ca%20s=%22&code=1: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/phpwebsite/index.php?module=search&SEA_search_op=continue&PDA_limit=10\"><script>alert('Vulnerable')</script>: phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/phpwebsite/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10\"><script>alert('Vulnerable')</script>&MMN_position=[X:X]: phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/phpwebsite/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+\"><script>alert('Vulnerable')</script>: phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/phpwebsite/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00\"><script>alert('Vulnerable')</script>: phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-59093: /forum/phptonuke.php?filnavn=<script>alert('Vulnerable')</script>: PHP-Nuke add-on PHPToNuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-32774: /forum/phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Contains PHP configuration information and is vulnerable to Cross Site Scripting (XSS).
+ OSVDB-32774: /forum/phpinfo.php3?VARIABLE=<script>alert('Vulnerable')</script>: Contains PHP configuration information and is vulnerable to Cross Site Scripting (XSS).
+ OSVDB-2193: /forum/phpBB/viewtopic.php?topic_id=<script>alert('Vulnerable')</script>: phpBB is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4297: /forum/phpBB/viewtopic.php?t=17071&highlight=\">\"<script>javascript:alert(document.cookie)</script>: phpBB is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-11145: /forum/phorum/admin/header.php?GLOBALS[message]=<script>alert('Vulnerable')</script>: Phorum 3.3.2a and below from phorum.org is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-11144: /forum/phorum/admin/footer.php?GLOBALS[message]=<script>alert('Vulnerable')</script>: Phorum 3.3.2a and below from phorum.org is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/Page/1,10966,,00.html?var=<script>alert('Vulnerable')</script>: Vignette server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html. Upgrade to the latest version.
+ /forum/node/view/666\"><script>alert(document.domain)</script>: Drupal 4.2.0 RC is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-5106: /forum/netutils/whodata.stm?sitename=<script>alert(document.cookie)</script>: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/nav/cList.php?root=</script><script>alert('Vulnerable')/<script>: RaQ3 server script is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/myhome.php?action=messages&box=<script>alert('Vulnerable')</script>: OpenBB 1.0.0 RC3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/msadm/user/login.php3?account_name=\"><script>alert('Vulnerable')</script>: The Sendmail Server Site User login is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/msadm/site/index.php3?authid=\"><script>alert('Vulnerable')</script>: The Sendmail Server Site Administrator Login is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/msadm/domain/index.php3?account_name=\"><script>alert('Vulnerable')</script>: The Sendmail Server Site Domain Administrator login is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50539: /forum/modules/Submit/index.php?op=pre&title=<script>alert(document.cookie);</script>: Basit cms 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules/Forums/bb_smilies.php?site_font=}--></style><script>alert('Vulnerable')</script>: PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules/Forums/bb_smilies.php?name=<script>alert('Vulnerable')</script>: PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules/Forums/bb_smilies.php?Default_Theme=<script>alert('Vulnerable')</script>: PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules/Forums/bb_smilies.php?bgcolor1=\"><script>alert('Vulnerable')</script>: PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=Xforum&file=member&action=viewpro&member=<script>alert('Vulnerable')</script>: The XForum (PHP-Nuke Add-on module) is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=Xforum&file=<script>alert('Vulnerable')</script>&fid=2: The XForum (PHP-Nuke Add-on module) is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-5498: /forum/modules.php?op=modload&name=Wiki&file=index&pagename=<script>alert('Vulnerable')</script>: Wiki PostNuke Module is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=WebChat&file=index&roomid=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=Members_List&file=index&letter=<script>alert('Vulnerable')</script>: This install of PHP-Nuke's modules.php is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?op=modload&name=Guestbook&file=index&entry=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-20235: /forum/modules.php?op=modload&name=DMOZGateway&file=index&topic=<script>alert('Vulnerable')</script>: The DMOZGateway (PHP-Nuke Add-on module) is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>: Francisco Burzi PHP-Nuke 5.6, 6.0, 6.5 RC1/RC2/RC3, 6.5 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?name=Your_Account&op=userinfo&uname=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?name=Surveys&pollID=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-6226: /forum/modules.php?name=Stories_Archive&sa=show_month&year=<script>alert('Vulnerable')</script>&month=3&month_l=test: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-6226: /forum/modules.php?name=Stories_Archive&sa=show_month&year=2002&month=03&month_l=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-5914: /forum/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=02&ttitle=<script>alert('Vulnerable')</script>: This install of PHP-Nuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/modules.php?name=Classifieds&op=ViewAds&id_subcatg=75&id_catg=<script>alert('Vulnerable')</script>: The PHP-Nuke forum is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3201: /forum/megabook/admin.cgi?login=<script>alert('Vulnerable')</script>: Megabook guestbook is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/mailman/listinfo/<script>alert('Vulnerable')</script>: Mailman is vulnerable to Cross Site Scripting (XSS). Upgrade to version 2.0.8 to fix. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9256: /forum/launch.jsp?NFuse_Application=<script>alert('Vulnerable')</script>: NFuse is vulnerable to cross site scripting (XSS) in the GetLastError function. Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9257: /forum/launch.asp?NFuse_Application=<script>alert('Vulnerable')</script>: NFuse is vulnerable to cross site scripting (XSS) in the GetLastError function. Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-5803: /forum/isapi/testisa.dll?check1=<script>alert(document.cookie)</script>: Sambar Server default script is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>: myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/html/chatheader.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script>: myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/html/cgi-bin/cgicso?query=<script>alert('Vulnerable')</script>: This CGI is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2322: /forum/gallery/search.php?searchstring=<script>alert(document.cookie)</script>: Gallery 1.3.4 and below is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.securityfocus.com/bid/8288.
+ OSVDB-20234: /forum/friend.php?op=SiteSent&fname=<script>alert('Vulnerable')</script>: This version of PHP-Nuke's friend.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-31694: /forum/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>alert('Vulnerable')</script>: YaBB is vulnerable to Cross Site Scripting (XSS) in the password field of the login page. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-9231: /forum/error/500error.jsp?et=1<script>alert('Vulnerable')</script>;: Macromedia Sitespring 1.2.0(277.1) on Windows 2000 is vulnerable to Cross Site Scripting (XSS) in the error pages. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/download.php?sortby=&dcategory=<script>alert('Vulnerable')</script>: This version of PHP-Nuke's download.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/comments.php?subject=<script>alert('Vulnerable')</script>&comment=<script>alert('Vulnerable')</script>&pid=0&sid=0&mode=&order=&thold=op=Preview: This version of PHP-Nuke's comments.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50619: /forum/cleartrust/ct_logon.asp?CTLoginErrorMsg=<script>alert(1)</script>: RSA ClearTrust allows Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-651: /forum/cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script>: This CGI is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-651: /forum/cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script>: This CGI is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-7022: /forum/calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05: DCP-Portal v5.3.1 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-27096: /forum/ca000007.pl?ACTION=SHOWCART&REFPAGE=\"><script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-27097: /forum/ca000001.pl?ACTION=SHOWCART&hop=\"><script>alert('Vulnerable')</script>&PATH=acatalog%2f: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-27095: /forum/bb000001.pl<script>alert('Vulnerable')</script>: Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ Uncommon header 'src=javascript' found, with contents: alert('Vulnerable')><Img Src=\" HTTP/1.1 404 Not Found
+ /forum/article.cfm?id=1'<script>alert(document.cookie);</script>: With malformed URLs, ColdFusion is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4765: /forum/apps/web/vs_diag.cgi?server=<script>alert('Vulnerable')</script>: Zeus 4.2r2 (webadmin-4.2r2) is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2243: /forum/addressbook/index.php?surname=<script>alert('Vulnerable')</script>: Phpgroupware 0.9.14.003 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2243: /forum/addressbook/index.php?name=<script>alert('Vulnerable')</script>: Phpgroupware 0.9.14.003 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/add.php3?url=ja&adurl=javascript:<script>alert('Vulnerable')</script>: 1.1 http://www.sugarfreenet.com/ is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/a?<script>alert('Vulnerable')</script>: Server is vulnerable to Cross Site Scripting (XSS) in the error message if code is passed in the query-string. This may be a Null HTTPd server.
+ OSVDB-54589: /forum/a.jsp/<script>alert('Vulnerable')</script>: JServ is vulnerable to Cross Site Scripting (XSS) when a non-existent JSP file is requested. Upgrade to the latest version of JServ. http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/<script>alert('Vulnerable')</script>.thtml: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/<script>alert('Vulnerable')</script>.shtml: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/<script>alert('Vulnerable')</script>.jsp: Server is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /forum/<script>alert('Vulnerable')</script>.aspx: Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). http://www.cert.org/advisories/CA-2000-02.html.

OWASP ZAP - a sluggish Java application that found nothing at all after 3 hours of scanning

[Screenshot: owasp.png]

W3AF

Installation:
aptitude install w3af

No joke:
[Screenshot: w3af.png]

Now let's look for similar programs for Windows.


Acunetix Web Vulnerability Scanner
[Screenshot: 0a029ae2a706.png]

So which OS suits a hacker better?



      ATTENTION!
Some of this may be out of date. Pay attention to the dates!
This article was published on 27 September 2015!








Visitor comments

#1. Rector

Rector
If you want to hang out,
You’ve got to take her out, windows
If you want to get down,
Get down on the ground, windows
She don’t lie,
She don’t lie,
She don’t lie, windows!
Windows!
admin wrote:
So which OS suits a hacker better?
Any OS will suit a hacker; that's what makes him a hacker. Epic hacks done with no computer of one's own at all have been cited as examples more than once. A guy walked in and told the accountants he'd been sent by the CEO to do an audit - the accountants let him sit down at the computer right away and typed in all the passwords. Then they went off to drink tea. What scanners, for heaven's sake?
But otherwise, yes, there are plenty of them for any popular OS.

#3. Rector

Rector
Quote:
the accountants let him sit down at the computer right away and typed in all the passwords. Then they went off to drink tea. What scanners, for heaven's sake?

Белая рысь, social engineering is a somewhat different story, but it's a very powerful thing. And anyway, as practice shows, you don't really even need to break in. Many "admins" forget about defaults -) That is, devices may still have factory passwords on them, and these half-wits consider that perfectly normal -)

#4. Linfan

Linfan
The site was attacked not because it is hosted on Linux, but because the site itself is full of holes, written by schoolkids. By the way, it could have been hosted on Windoze too (but not for long - it would have been hacked even faster)
Director-cemetery
Linfan, Facebook was attacked not because it is hosted on Linux, but because the site itself is full of holes, written by schoolkids.

#6. Linfan

Linfan
Director-cemetery, FB is basically being written on the fly. And sometimes without testing - the other day they took the browser version down completely, worldwide.