Penting Analysis Final

PENETRATION TEST REPORT

ASWATHI G S
ATHUL SHIBU
JEESON J
SURAJ N S

GROUP 3
INDEX
1. Introduction
   1.1 Overview
   1.2 Scope
   1.3 Project Team
   1.4 Project Timeline
2. Executive Summary
3. Technical Summary
4. RECONNAISSANCE
   4.1 HOST INFORMATION GATHERED
   4.2 NETWORK INFORMATION GATHERED
   4.3 WEB INFORMATION GATHERED
5. Risk Assessment
   5.1 Critical severity vulnerability
   5.2 High severity vulnerability
   5.3 Medium severity vulnerability
   5.4 Low severity vulnerability
6. DETAIL VULNERABILITY FINDINGS
   6.1 Apache httpd 2.4.52 Vulnerability
   6.2 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
7. Penetration Testing
8. Recommendations
9. Conclusions
1. Introduction
1.1 Overview
This report documents the Penetration Testing Assessment of the Web Application. The purpose of the assessment is to find potential vulnerabilities within scope.

1.2 Scope
Activity performed a Web Application Penetration Testing Assessment. The organization defined the following IP address as in scope.

IP: 103.160.223.94

1.3 Project Team

Role              Name           IP
Activity Member   Athul Shibu    49.37.225.252
Activity Member   Jeeson J       116.68.76.83
Activity Member   Suraj N S      117.255.79.92
Activity Member   Aswathi GS     223.227.56.83
Activity Member   Amaljith       117.246.23.137

1.4 Project Timeline

PENTEST REPORT   Start Date/Time       End Date/Time
FINAL            26-02-23 / 8:00 AM    26-02-23 / 11:00 AM

2. Executive Summary
All testing activities were conducted against the URL http://103.160.223.94:17080/. The intent of an application assessment is to dynamically identify and assess the impact of potential security vulnerabilities within the application. During this assessment, manual and semi-automated testing tools and techniques were employed to discover and exploit possible vulnerabilities. Assessment of the http://103.160.223.94:17080 application began on 26/02/2023 at 08:00 am and concluded on 26/02/2023 at 11:00 am.

All activities were conducted with the goal of:
⚫ Identifying the methods and steps that a remote attacker could use to obtain access to the victim.
⚫ Identifying the level of risk to the victim.
⚫ Identifying possible countermeasures and remedies/recommendations that could be used to prevent/mitigate these attacks.

3. Technical Summary

Security assessment of the website has identified several critical vulnerabilities that can lead to unauthorized access to sensitive information, data theft and manipulation, malware injection, reputation damage, and legal and financial consequences. These vulnerabilities include bypassing login authentication, file uploading vulnerabilities, cross-site scripting, privilege escalation attacks, an exposed phpMyAdmin control panel with root privileges, weak passwords, and no encryption methods used for storing data.

To address these vulnerabilities, it is essential to implement remedial measures such as strong authentication mechanisms, secure file uploads, input validation, limiting user privileges, securing the phpMyAdmin control panel, implementing encryption, and conducting regular security assessments. By implementing these measures, the website owner can improve the overall security posture of the website and protect it against potential security breaches and attacks.

4. RECONNAISSANCE

TARGET           103.160.223.110
TARGET DETAILS   DIRECTOR NIT CALICUT
                 NATIONAL INSTITUTE OF TECHNOLOGY CALICUT, NIT CAMPUS P.O
                 KOZHIKODE, KERALA, INDIA, 673601
EMAIL            director@nitc.an.in
                 cnc@nitc.ac.in

4.1 HOST INFORMATION GATHERED

WEB SERVER TECHNOLOGY   APACHE 2 WEB SERVER
SOFTWARE VERSION        2.4.52
OPERATING SYSTEM        UBUNTU BASED LINUX
OS VERSION              1.3
LAST MODIFIED           2020-12-24T12:46:13
INETNUM                 103.160.223.0 - 103.160.223.255

4.2 NETWORK INFORMATION GATHERED

WEB SERVER PORT NUMBER / STATE / SERVICE / VERSION

PORT        STATE   SERVICE        VERSION
21/tcp      OPEN    ftp            ProFTPD
22/tcp      OPEN    ssh            OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
53/tcp      OPEN    domain         ISC BIND 9.18.1-1Ubuntu 1.3 (Ubuntu Linux)
80/tcp      OPEN    http           Apache httpd 2.4.52 (Ubuntu)
554/tcp     OPEN    rtsp
1723/tcp    OPEN    tcpwrapped
10443/tcp   OPEN    ssl/cirrossp
17080/tcp   OPEN    http           Apache httpd 2.4.54 ((Unix) OpenSSL/1.1.1s PHP/7.4.33 mod_perl/2.0.12 perl/v5.34.1)
33306/tcp   OPEN    mysql          MariaDB (unauthorized)

4.3 WEB INFORMATION GATHERED

WEB PAGES AVAILABLE

http://103.160.223.94.80/                                           APACHE 2 DEFAULT PAGE
http://103.160.223.94:17080/                                        ICT VULNERABLE WEB APPLICATION : THE WORLD OF BLOGGING
http://103.160.223.94:17080/uploads/                                FILE PARENT DIRECTORY INDEXING
http://103.160.223.94:17080/phpmyadmin/                             ADMIN DASHBOARD
http://103.160.223.94:17080/login.php/                              ICT VULNERABLE WEB APPLICATION : THE WORLD OF BLOGGING
http://103.160.223.94:17080/index.php                               ICT VULNERABLE WEB APPLICATION : THE WORLD OF BLOGGING
http://103.160.223.94:17080/icons/                                  INDEX OF ICONS
http://103.160.223.94:17080/icons/small                             INDEX OF /ICONS/SMALL
http://103.160.223.94:17080/tmp/                                    INDEX OF /TMP
http://103.160.223.94:17080/phpmyadmin/doc/html/genindex.html       phpMyAdmin's DOCUMENTATION
http://103.160.223.94/phpmyadmin/doc/html/require.html              WEB SERVER REQUIREMENT

5. Risk Assessment
This report identifies security risks that could have significant impact on mission-critical applications used for day-to-day business operations.

Critical Severity   High Severity   Medium Severity   Low Severity
5                   9               4                 0

Our risk assessment, which is based on the Common Vulnerability Scoring System (CVSS) v3.0 provided by NVD (National Vulnerability Database), determined the severity level of each vulnerability and its potential impact.

CVSS v3.0 Ratings

Severity   Base Score Range
None       0.0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

5|Page
5.1 Critical Severity Vulnerability
5 unique critical severity vulnerabilities were found. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems.
A table of the critical severity vulnerabilities is provided below:

TECHNOLOGY AND VERSION: Apache httpd 2.4.52 (Ubuntu)
DESCRIPTION: Version has multiple vulnerabilities that can allow for Denial of Service (DoS), remote code execution, HTTP Request Smuggling, bypassing security controls, gaining unauthorized access to sensitive data, and bypassing IP-based authentication on the origin server/application.
SOLUTION: Upgrade to Apache HTTP Server version 2.4.54 or later
COUNT: 5

5.2 High Severity Vulnerability

9 unique high severity vulnerabilities were found. High severity vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
A table of the high severity vulnerabilities is provided below:

TECHNOLOGY AND VERSION: Apache httpd 2.4.52 (Ubuntu)
DESCRIPTION: Version contains a high severity vulnerability that allows an attacker to smuggle requests to the AJP server it forwards requests to, resulting in denial of service, memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent, and causing the process to crash.
SOLUTION: Upgrade to Apache HTTP Server version 2.4.54 or later
COUNT: 5

TECHNOLOGY AND VERSION: ISC BIND 9.18.1-1Ubuntu 1.3
DESCRIPTION: Version contains a high severity vulnerability where the named daemon, BIND 9 resolvers can crash, and an attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources.
SOLUTION: OpenSSH version 8.9p1 Ubuntu 4 or later
COUNT: 4

5.3 Medium Severity Vulnerability

4 unique medium severity vulnerabilities were found. These vulnerabilities often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner but are not as urgent as the other vulnerabilities.
A table of the medium severity vulnerabilities is provided below:

TECHNOLOGY AND VERSION: Apache httpd 2.4.52 (Ubuntu)
DESCRIPTION: The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. This can result in the server returning potentially sensitive information to the attacker. In addition, if the server incorporates certain headers into the response body, and those headers have security purposes, they will not be interpreted by the client, leaving the security purpose unfulfilled.
SOLUTION: Upgrade to Apache HTTP Server version 2.4.54 or later
COUNT: 3

TECHNOLOGY AND VERSION: ISC BIND 9.18.1-1Ubuntu 1.3
DESCRIPTION: An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
SOLUTION: OpenSSH version 8.9p1 Ubuntu 4 or later
COUNT: 1

5.4 Low Severity Vulnerability

No low severity vulnerabilities were found during this scan.
Below is a pie diagram showing the potential vulnerabilities of IP 103.160.223.110 based on the Common Vulnerability Scoring System (CVSS) v3.0.

[Pie chart: "Potential Vulnerabilities", by Critical Severity, High Severity, Medium Severity and Low Severity]

6. DETAIL VULNERABILITY FINDINGS

6.1 Apache httpd 2.4.52 Vulnerability

[Bar chart: "Apache httpd 2.4.52 Vulnerabilities", number of vulnerabilities by Critical Severity, High Severity, Medium Severity and Low Severity]

CVE / Description / Base score / Impact / Reference

CVE-2022-23943
  Description: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.
  Base score:  9.8 CRITICAL
  Impact:      Denial of Service
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-23943

CVE-2022-29404
  Description: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.
  Base score:  7.5 HIGH
  Impact:      Denial of Service
  Reference:   https://nvd.nist.gov/vuln/detail/cve-2022-29404

CVE-2022-26377
  Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
  Base score:  7.5 HIGH
  Impact:      Attacker to bypass security controls, gain unauthorized access to sensitive data
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-26377

CVE-2022-22721
  Description: If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.
  Base score:  9.1 CRITICAL
  Impact:      Denial-of-service (DoS) or remote code execution.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-22721

CVE-2022-22720
  Description: Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
  Base score:  9.8 CRITICAL
  Impact:      Attacker to bypass security controls, gain unauthorized access to sensitive data
  Reference:   https://nvd.nist.gov/vuln/detail/cve-2022-22720

CVE-2006-20001
  Description: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent.
  Base score:  7.5 HIGH
  Impact:      Denial of Service.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2006-20001

CVE-2022-30556
  Description: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
  Base score:  7.5 HIGH
  Impact:      Exposure of sensitive information or the execution of arbitrary code, leading to a variety of negative consequences such as data theft or system compromise.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-30556

CVE-2022-36760
  Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to.
  Base score:  9.0 CRITICAL
  Impact:      Attacker to bypass security controls, gain unauthorized access to sensitive data
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-36760

CVE-2022-31813
  Description: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client-side Connection header hop-by-hop mechanism.
  Base score:  9.8 CRITICAL
  Impact:      Bypass IP based authentication on the origin server/application.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-31813

CVE-2022-37436
  Description: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
  Base score:  5.3 MEDIUM
  Impact:      Cross-Site Scripting (XSS), potentially exposing sensitive data to interception or modification by attackers.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-37436

CVE-2022-22719
  Description: A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.
  Base score:  7.5 HIGH
  Impact:      Denial of Service
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-22719

CVE-2022-28330
  Description: Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.
  Base score:  5.3 MEDIUM
  Impact:      Complete compromise of the web server and sensitive data stored on it.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-28330

CVE-2022-28614
  Description: The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.
  Base score:  5.3 MEDIUM
  Impact:      Sensitive information exposure, data theft, and other malicious activities.
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-28614
11 | P a g e
6.2 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)

CVE-2022-1183
  Description: The named daemon can crash due to assertion failure on vulnerable configurations containing http references in listen-on statements of named.conf. DoT-only configurations are not impacted as TLS is used by both DoT and DoH for secure DNS communication.
  Base score:  7.5 HIGH
  Impact:      Disruption of DNS services
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-1183

CVE-2022-3736
  Description: BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query.
  Base score:  7.5 HIGH
  Impact:      Disruption of DNS services, leading to potential downtime for websites or other online services
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-3736

CVE-2022-3080
  Description: By sending specific queries to the resolver, an attacker can cause named to crash.
  Base score:  7.5 HIGH
  Impact:      Disruption of DNS services
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-3080

CVE-2022-2906
  Description: An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
  Base score:  7.5 HIGH
  Impact:      Denial of service (DoS)
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-2906

CVE-2022-2281
  Description: An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.
  Base score:  5.3 MEDIUM
  Impact:      Reveal sensitive information about the software development lifecycle and the internal structure of the organization
  Reference:   https://nvd.nist.gov/vuln/detail/CVE-2022-2281

7. Penetration Testing

Vulnerabilities                                                 Impact                                         Severity
File Upload Vulnerabilities On New Blog Entry                   Access the sensitive Data, Access to Server    Critical
Login Bypass Using SQL Injection                                Unauthorized Privileges                        High
Blind SQL Injection                                             Unauthorized Access                            High
Can add scripts in command section                              Unauthorized Data access                       High
Guest User can create New Admin User                            Unauthorized Privileges                        High
PhpMyAdmin Control Panel Directly access without any security   Access the sensitive Data, Access to Database  Critical
User Credentials are Not Encrypted                              Access the sensitive Data                      High
Easy Guessing Password for Admin                                Access the sensitive Data                      High

8. Recommendations

1. To prevent SQL injection attacks, measures such as using prepared statements or parameterized queries, validating user input, using least privilege, using an ORM, and keeping software up-to-date with the latest security patches and updates can be implemented.
2. To prevent XSS attacks, measures such as input validation, output encoding, using HTTP-only cookies, implementing Content Security Policy (CSP), using frameworks or libraries with built-in protections, and keeping software up-to-date can be taken.
3. To prevent file upload vulnerabilities, measures such as validating file types and extensions, limiting file size, using a secure upload directory, renaming files, scanning for malware, implementing user authentication, and utilizing a content delivery network should be taken.
4. To prevent privilege escalation, it is important to implement the principle of least privilege, use strong authentication and access controls, regularly review and audit user privileges, keep systems and software up-to-date, use intrusion detection and prevention systems, and monitor user activity.
5. Upgrade to Apache HTTP Server version 2.4.54 or later.
6. Upgrade to OpenSSH version 8.9p1 Ubuntu 4 or later.
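Recommendation 1 in working form, as an added example that is not code from the report or from the assessed blog application: a login check built by string concatenation (the pattern behind the "Login Bypass Using SQL Injection" finding in section 7) beside the same check with bound parameters, both run against a constructed in-memory SQLite user table that stands in for the site's MariaDB.

```python
import sqlite3

# Constructed stand-in for the blog's user table (added example; not the
# assessed application's code). Passwords are stored in clear text here only
# to mirror the "User Credentials are Not Encrypted" finding.
SAMPLE_USERS = [("admin", "S3cret!", "admin"), ("guest", "guest", "guest")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check assembled by string formatting. The user-supplied text is
    parsed as part of the SQL grammar, so a quote plus an OR clause turns the
    WHERE clause into a tautology and the first row (admin) comes back.
    Returns (username, role) or None."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters (recommendation 1). The driver passes
    the input as data, never as SQL text, so only an exact username/password
    pair matches; the bypass string is just a username nobody has."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"            # constructed bypass input
    print(login_vulnerable(db, tautology, tautology))      # ('admin', 'admin')
    print(login_parameterised(db, tautology, tautology))   # None
    print(login_parameterised(db, "guest", "guest"))       # ('guest', 'guest')
```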
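Recommendation 3 as an added example (not code from the report or from the blog application): a validation routine for the new-blog-entry attachment that combines extension and content-type validation, a size limit, renaming, and a store directory outside the web root. The size limit, the allowed image types and the directory are assumptions, not the site's actual policy.

```python
import os
import secrets
from pathlib import Path

# Policy values are assumptions for this added example, not the blog's settings.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
# Allowed extensions mapped to the leading bytes a file of that type must carry.
MAGIC_BY_EXT = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks below."""


def check_upload(filename: str, data: bytes) -> str:
    """Validate an attachment and return the random name to store it under.

    Checks: size limit, exactly one extension (so 'shell.php.png' and
    '.htaccess' are refused), extension on the allowlist, and content whose
    magic bytes match that extension. Because the stored name is random and
    unrelated to the client's name, nothing can be derived from it even if
    the /uploads/ directory listing reported in section 4.3 stays enabled.
    """
    name = os.path.basename(filename)          # drop any path components
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    suffixes = Path(name).suffixes
    if len(suffixes) != 1:
        raise UploadRejected("file must have exactly one extension")
    ext = suffixes[0].lower()
    magic = MAGIC_BY_EXT.get(ext)
    if magic is None:
        raise UploadRejected("extension %s not allowed" % ext)
    if not data.startswith(magic):
        raise UploadRejected("content does not match %s" % ext)
    return secrets.token_hex(16) + ext


def save_upload(filename: str, data: bytes, store_dir: str) -> Path:
    """Write a validated upload under store_dir, which should sit outside the
    document root and be served by a handler that never executes files."""
    path = Path(store_dir) / check_upload(filename, data)
    with open(path, "xb") as fh:               # 'x': never overwrite
        fh.write(data)
    os.chmod(path, 0o640)                      # not executable, not world-readable
    return path
```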

9. Conclusion
After all the testing activities conducted against the URL http://103.160.223.94:17080/ application, it is found that the application is vulnerable to SQL injection, cross site scripting, file upload vulnerability and privilege escalation. With proper upgrades and patches these vulnerabilities can be overcome. As mentioned earlier, all these tests were conducted with the goal of:

▪ Identifying the methods and steps that a remote attacker could use to obtain access to the victim.
▪ Identifying the level of risk to the victim.
▪ Identifying possible countermeasures and remedies/recommendations that could be used to prevent/mitigate these attacks.