Anonymous JTSEC #OpSudan Full Recon #12

1. #######################################################################################################################################
2. =======================================================================================================================================
3. Hostname mocit.gov.sd ISP NICDC
4. Continent Africa Flag
5. SD
6. Country Sudan Country Code SD
7. Region Unknown Local time 14 Feb 2019 17:44 CAT
8. City Unknown Postal Code Unknown
9. IP Address 62.12.105.2 Latitude 15
10. Longitude 30
11. =======================================================================================================================================
12. #######################################################################################################################################
13. > mocit.gov.sd
14. Server: 38.132.106.139
15. Address: 38.132.106.139#53
16.  
17. Non-authoritative answer:
18. Name: mocit.gov.sd
19. Address: 62.12.105.2
20. >
21. #######################################################################################################################################
22. HostIP:62.12.105.2
23. HostName:mocit.gov.sd
24.  
25. Gathered Inet-whois information for 62.12.105.2
26. ---------------------------------------------------------------------------------------------------------------------------------------
27.  
28.  
29. inetnum: 62.12.96.0 - 62.12.127.255
30. netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
31. descr: IPv4 address block not managed by the RIPE NCC
32. remarks: ------------------------------------------------------
33. remarks:
34. remarks: For registration information,
35. remarks: you can consult the following sources:
36. remarks:
37. remarks: IANA
38. remarks: http://www.iana.org/assignments/ipv4-address-space
39. remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
40. remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
41. remarks:
42. remarks: AFRINIC (Africa)
43. remarks: http://www.afrinic.net/ whois.afrinic.net
44. remarks:
45. remarks: APNIC (Asia Pacific)
46. remarks: http://www.apnic.net/ whois.apnic.net
47. remarks:
48. remarks: ARIN (Northern America)
49. remarks: http://www.arin.net/ whois.arin.net
50. remarks:
51. remarks: LACNIC (Latin America and the Carribean)
52. remarks: http://www.lacnic.net/ whois.lacnic.net
53. remarks:
54. remarks: ------------------------------------------------------
55. country: EU # Country is really world wide
56. admin-c: IANA1-RIPE
57. tech-c: IANA1-RIPE
58. status: ALLOCATED UNSPECIFIED
59. mnt-by: RIPE-NCC-HM-MNT
60. created: 2019-01-07T10:46:54Z
61. last-modified: 2019-01-07T10:46:54Z
62. source: RIPE
63.  
64. role: Internet Assigned Numbers Authority
65. address: see http://www.iana.org.
66. admin-c: IANA1-RIPE
67. tech-c: IANA1-RIPE
68. nic-hdl: IANA1-RIPE
69. remarks: For more information on IANA services
70. remarks: go to IANA web site at http://www.iana.org.
71. mnt-by: RIPE-NCC-MNT
72. created: 1970-01-01T00:00:00Z
73. last-modified: 2001-09-22T09:31:27Z
74. source: RIPE # Filtered
75.  
76. % This query was served by the RIPE Database Query Service version 1.92.6 (WAGYU)
77.  
78.  
79.  
80. Gathered Inic-whois information for mocit.gov.sd
81. ---------------------------------------------------------------------------------------------------------------------------------------
82. Error: Unable to connect - Invalid Host
83. ERROR: Connection to InicWhois Server sd.whois-servers.net failed
84. close error
85.  
86. Gathered Netcraft information for mocit.gov.sd
87. ---------------------------------------------------------------------------------------------------------------------------------------
88.  
89. Retrieving Netcraft.com information for mocit.gov.sd
90. Netcraft.com Information gathered
91.  
92. Gathered Subdomain information for mocit.gov.sd
93. ---------------------------------------------------------------------------------------------------------------------------------------
94. Searching Google.com:80...
95. Searching Altavista.com:80...
96. Found 0 possible subdomain(s) for host mocit.gov.sd, Searched 0 pages containing 0 results
97.  
98. Gathered E-Mail information for mocit.gov.sd
99. ---------------------------------------------------------------------------------------------------------------------------------------
100. Searching Google.com:80...
101. Searching Altavista.com:80...
102. Found 0 E-Mail(s) for host mocit.gov.sd, Searched 0 pages containing 0 results
103.  
104. Gathered TCP Port information for 62.12.105.2
105. ---------------------------------------------------------------------------------------------------------------------------------------
106.  
107. Port State
108.  
109. 21/tcp open
110. 80/tcp open
111. 110/tcp open
112. 143/tcp open
113.  
114. Portscan Finished: Scanned 150 ports, 4 ports were in state closed
115. #######################################################################################################################################
116. [i] Scanning Site: http://mocit.gov.sd
117.  
118.  
119.  
120. B A S I C I N F O
121. =======================================================================================================================================
122.  
123.  
124. [+] Site Title: وزارة الثقافة والاعلام والسياحة
125. [+] IP address: 62.12.105.2
126. [+] Web Server: Could Not Detect
127. [+] CMS: WordPress
128. [+] Cloudflare: Not Detected
129. [+] Robots File: Could NOT Find robots.txt!
130.  
131.  
132.  
133.  
134. G E O I P L O O K U P
135. =======================================================================================================================================
136.  
137. [i] IP Address: 62.12.105.2
138. [i] Country: Sudan
139. [i] State:
140. [i] City:
141. [i] Latitude: 15.0
142. [i] Longitude: 30.0
143.  
144.  
145.  
146.  
147. H T T P H E A D E R S
148. =======================================================================================================================================
149.  
150.  
151. [i] HTTP/1.1 302 Found
152. [i] Date: Thu, 14 Feb 2019 15:39:21 GMT
153. [i] Content-Type: text/html
154. [i] Content-Length: 0
155. [i] X-Powered-By: PHP/5.3.29
156. [i] Set-Cookie: csrf_cookie_name=338c17f74036158d14db6c42c47ff67b; expires=Thu, 14-Feb-2019 17:39:21 GMT; path=/
157. [i] Location: http://mocit.gov.sd/index.php/ar/
158. [i] X-Powered-By: PleskLin
159. [i] Connection: close
160. [i] HTTP/1.1 200 OK
161. [i] Date: Thu, 14 Feb 2019 15:39:22 GMT
162. [i] Content-Type: text/html
163. [i] X-Powered-By: PHP/5.3.29
164. [i] Set-Cookie: csrf_cookie_name=8c58df1bf97fa806ed52ed3eb34212e0; expires=Thu, 14-Feb-2019 17:39:21 GMT; path=/
165. [i] Set-Cookie: user_lang=ar; expires=Thu, 14-Feb-2019 17:39:21 GMT; path=/
166. [i] Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22390ad74586c1a5b39a558b8854f90b91%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22176.113.74.35%22%3Bs%3A10%3A%22user_agent%22%3Bb%3A0%3Bs%3A13%3A%22last_activity%22%3Bi%3A1550158761%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D6b7eb7793c71b387f6d616fb6f72320b; expires=Thu, 14-Feb-2019 17:39:21 GMT; path=/
167. [i] X-Powered-By: PleskLin
168. [i] Connection: close
169.  
170.  
171.  
172.  
173. D N S L O O K U P
174. =======================================================================================================================================
175.  
176. mocit.gov.sd. 21599 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2017042400 10800 900 604800 86400
177. mocit.gov.sd. 21599 IN NS ns0.ndc.gov.sd.
178. mocit.gov.sd. 21599 IN NS ns1.ndc.gov.sd.
179. mocit.gov.sd. 21599 IN A 62.12.105.2
180. mocit.gov.sd. 21599 IN MX 10 f03-web02.nic.gov.sd.
181. mocit.gov.sd. 21599 IN TXT "v=spf1 mx -all"
182.  
183.  
184.  
185.  
186. S U B N E T C A L C U L A T I O N
187. =======================================================================================================================================
188.  
189. Address = 62.12.105.2
190. Network = 62.12.105.2 / 32
191. Netmask = 255.255.255.255
192. Broadcast = not needed on Point-to-Point links
193. Wildcard Mask = 0.0.0.0
194. Hosts Bits = 0
195. Max. Hosts = 1 (2^0 - 0)
196. Host Range = { 62.12.105.2 - 62.12.105.2 }
197.  
198.  
199.  
200. N M A P P O R T S C A N
201. =======================================================================================================================================
202.  
203.  
204. Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-14 16:37 UTC
205. Nmap scan report for mocit.gov.sd (62.12.105.2)
206. Host is up (0.18s latency).
207. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
208. PORT STATE SERVICE
209. 21/tcp filtered ftp
210. 22/tcp filtered ssh
211. 23/tcp filtered telnet
212. 80/tcp filtered http
213. 110/tcp filtered pop3
214. 143/tcp filtered imap
215. 443/tcp filtered https
216. 3389/tcp filtered ms-wbt-server
217.  
218. Nmap done: 1 IP address (1 host up) scanned in 13.88 seconds
219. #######################################################################################################################################
220. [?] Enter the target: example( http://domain.com )
221. http://mocit.gov.sd/index.php/ar/
222. [!] IP Address : 62.12.105.2
223. [!] mocit.gov.sd doesn't seem to use a CMS
224. [+] Honeypot Probabilty: 0%
225. ---------------------------------------------------------------------------------------------------------------------------------------
226. [~] Trying to gather whois information for mocit.gov.sd
227. [+] Whois information found
228. [-] Unable to build response, visit https://who.is/whois/mocit.gov.sd
229. ---------------------------------------------------------------------------------------------------------------------------------------
230. PORT STATE SERVICE
231. 21/tcp filtered ftp
232. 22/tcp filtered ssh
233. 23/tcp filtered telnet
234. 80/tcp filtered http
235. 110/tcp filtered pop3
236. 143/tcp filtered imap
237. 443/tcp filtered https
238. 3389/tcp filtered ms-wbt-server
239. Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds
240. ---------------------------------------------------------------------------------------------------------------------------------------
241.  
242. [+] DNS Records
243. ns0.ndc.gov.sd. (62.12.109.2) Egypt Egypt
244. ns1.ndc.gov.sd. (62.12.109.3) Egypt Egypt
245.  
246. [+] MX Records
247. 10 (62.12.105.2) Egypt Egypt
248.  
249. [+] Host Records (A)
250. mocit.gov.sd (62.12.105.2) Egypt Egypt
251.  
252. [+] TXT Records
253. "v=spf1 mx -all"
254.  
255. [+] DNS Map: https://dnsdumpster.com/static/map/mocit.gov.sd.png
256.  
257. [>] Initiating 3 intel modules
258. [>] Loading Alpha module (1/3)
259. [>] Beta module deployed (2/3)
260. [>] Gamma module initiated (3/3)
261.  
262.  
263. [+] Emails found:
264. ---------------------------------------------------------------------------------------------------------------------------------------
265. pixel-1550162262413050-web-@mocit.gov.sd
266. pixel-15501622632323-web-@mocit.gov.sd
267.  
268. [+] Hosts found in search engines:
269. --------------------------------------------------------------------------------------------------------------------------------------
270. [-] Resolving hostnames IPs...
271. 62.12.105.2:www.mocit.gov.sd
272. [+] Virtual hosts:
273. ---------------------------------------------------------------------------------------------------------------------------------------
274. ######################################################################################################################################
275. Enter Address Website = mocit.gov.sd
276.  
277.  
278.  
279. Reverse IP With YouGetSignal 'mocit.gov.sd'
280. ---------------------------------------------------------------------------------------------------------------------------------------
281.  
282. [*] IP: 62.12.105.2
283. [*] Domain: mocit.gov.sd
284. [*] Total Domains: 6
285.  
286. [+] agricmi.gov.sd
287. [+] eastgezira.gov.sd
288. [+] mocit.gov.sd
289. [+] sudan.gov.sd
290. [+] unionkhr.sd
291. [+] www.sudan.gov.sd
292. #######################################################################################################################################
293. Geo IP Lookup 'mocit.gov.sd'
294. ---------------------------------------------------------------------------------------------------------------------------------------
295.  
296. [+] IP Address: 62.12.105.2
297. [+] Country: Sudan
298. [+] State:
299. [+] City:
300. [+] Latitude: 15.0
301. [+] Longitude: 30.0
302. #######################################################################################################################################
303. DNS Lookup 'mocit.gov.sd'
304. ---------------------------------------------------------------------------------------------------------------------------------------
305.  
306. [+] mocit.gov.sd. 21599 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2017042400 10800 900 604800 86400
307. [+] mocit.gov.sd. 21599 IN NS ns0.ndc.gov.sd.
308. [+] mocit.gov.sd. 21599 IN NS ns1.ndc.gov.sd.
309. [+] mocit.gov.sd. 21599 IN A 62.12.105.2
310. [+] mocit.gov.sd. 21599 IN MX 10 f03-web02.nic.gov.sd.
311. [+] mocit.gov.sd. 21599 IN TXT "v=spf1 mx -all"
312. #######################################################################################################################################
313. Show HTTP Header 'mocit.gov.sd'
314. ---------------------------------------------------------------------------------------------------------------------------------------
315.  
316. [+] HTTP/1.1 302 Moved Temporarily
317. [+] Server: nginx
318. [+] Date: Thu, 14 Feb 2019 15:39:14 GMT
319. [+] Content-Type: text/html
320. [+] Connection: keep-alive
321. [+] X-Powered-By: PHP/5.3.29
322. [+] Set-Cookie: csrf_cookie_name=76583c8c25944d3f10d80b9a2798d617; expires=Thu, 14-Feb-2019 17:39:14 GMT; path=/
323. [+] Location: http://mocit.gov.sd/index.php/ar/
324. [+] X-Powered-By: PleskLin
325. #######################################################################################################################################Port Scan 'mocit.gov.sd'
326. ---------------------------------------------------------------------------------------------------------------------------------------
327.  
328.  
329. Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-14 16:37 UTC
330. Nmap scan report for mocit.gov.sd (62.12.105.2)
331. Host is up (0.18s latency).
332. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
333. PORT STATE SERVICE
334. 21/tcp filtered ftp
335. 22/tcp filtered ssh
336. 23/tcp filtered telnet
337. 80/tcp filtered http
338. 110/tcp filtered pop3
339. 143/tcp filtered imap
340. 443/tcp filtered https
341. 3389/tcp filtered ms-wbt-server
342.  
343. Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds
344. #######################################################################################################################################
345. Traceroute 'mocit.gov.sd'
346. ---------------------------------------------------------------------------------------------------------------------------------------
347.  
348. Start: 2019-02-14T16:37:27+0000
349. HOST: web01 Loss% Snt Last Avg Best Wrst StDev
350. 1.|-- 45.79.12.201 0.0% 3 1.1 1.1 0.8 1.2 0.2
351. 2.|-- 45.79.12.0 0.0% 3 13.4 12.5 3.7 20.6 8.5
352. 3.|-- hu0-7-0-7.ccr41.dfw03.atlas.cogentco.com 0.0% 3 1.3 2.2 1.3 3.9 1.4
353. 4.|-- be2764.ccr32.dfw01.atlas.cogentco.com 0.0% 3 2.1 2.0 1.9 2.1 0.1
354. 5.|-- be2433.ccr22.mci01.atlas.cogentco.com 0.0% 3 12.0 11.8 11.4 12.1 0.4
355. 6.|-- be2832.ccr42.ord01.atlas.cogentco.com 0.0% 3 23.4 24.2 23.4 25.0 0.8
356. 7.|-- be2718.ccr22.cle04.atlas.cogentco.com 0.0% 3 30.7 30.7 30.5 30.8 0.1
357. 8.|-- be2879.ccr22.alb02.atlas.cogentco.com 0.0% 3 41.3 41.3 41.3 41.4 0.1
358. 9.|-- be3600.ccr32.bos01.atlas.cogentco.com 0.0% 3 45.7 45.7 45.6 45.7 0.0
359. 10.|-- be2983.ccr42.lon13.atlas.cogentco.com 0.0% 3 107.5 107.7 107.5 107.9 0.2
360. 11.|-- be2871.ccr21.lon01.atlas.cogentco.com 0.0% 3 108.1 108.0 107.9 108.1 0.1
361. 12.|-- expressotelecom.demarc.cogentco.com 0.0% 3 108.5 107.9 107.6 108.5 0.5
362. 13.|-- 185.153.20.70 0.0% 3 185.6 185.9 185.6 186.4 0.4
363. 14.|-- 185.153.20.82 0.0% 3 185.6 185.8 185.6 185.9 0.1
364. 15.|-- 185.153.20.94 0.0% 3 185.5 185.5 185.5 185.6 0.0
365. 16.|-- 185.153.20.153 0.0% 3 230.0 219.6 214.2 230.0 9.0
366. 17.|-- 212.0.131.109 0.0% 3 227.6 227.4 226.9 227.8 0.4
367. 18.|-- 196.202.137.249 0.0% 3 219.0 219.3 218.9 220.0 0.6
368. 19.|-- 196.202.145.94 0.0% 3 219.1 219.3 219.1 219.5 0.2
369. 20.|-- ??? 100.0 3 0.0 0.0 0.0 0.0 0.0
370. #######################################################################################################################################
371. Ping 'mocit.gov.sd'
372. ---------------------------------------------------------------------------------------------------------------------------------------
373.  
374. Starting Nping 0.7.70 ( https://nmap.org/nping ) at 2019-02-14 16:37 UTC
375. SENT (0.0038s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=34398 seq=1] IP [ttl=64 id=6748 iplen=28 ]
376. SENT (1.0040s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=34398 seq=2] IP [ttl=64 id=6748 iplen=28 ]
377. SENT (2.0056s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=34398 seq=3] IP [ttl=64 id=6748 iplen=28 ]
378. SENT (3.0069s) ICMP [104.237.144.6 > 62.12.105.2 Echo request (type=8/code=0) id=34398 seq=4] IP [ttl=64 id=6748 iplen=28 ]
379.  
380. Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
381. Raw packets sent: 4 (112B) | Rcvd: 0 (0B) | Lost: 4 (100.00%)
382. Nping done: 1 IP address pinged in 4.01 seconds
383. #######################################################################################################################################
384. ; <<>> DiG 9.11.5-P1-1-Debian <<>> mocit.gov.sd
385. ;; global options: +cmd
386. ;; Got answer:
387. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11094
388. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
389.  
390. ;; OPT PSEUDOSECTION:
391. ; EDNS: version: 0, flags:; udp: 4096
392. ;; QUESTION SECTION:
393. ;mocit.gov.sd. IN A
394.  
395. ;; ANSWER SECTION:
396. mocit.gov.sd. 82189 IN A 62.12.105.2
397.  
398. ;; Query time: 35 msec
399. ;; SERVER: 38.132.106.139#53(38.132.106.139)
400. ;; WHEN: jeu fév 14 11:54:19 EST 2019
401. ;; MSG SIZE rcvd: 57
402. #######################################################################################################################################
403. ; <<>> DiG 9.11.5-P1-1-Debian <<>> +trace mocit.gov.sd
404. ;; global options: +cmd
405. . 80866 IN NS a.root-servers.net.
406. . 80866 IN NS b.root-servers.net.
407. . 80866 IN NS d.root-servers.net.
408. . 80866 IN NS k.root-servers.net.
409. . 80866 IN NS c.root-servers.net.
410. . 80866 IN NS f.root-servers.net.
411. . 80866 IN NS j.root-servers.net.
412. . 80866 IN NS g.root-servers.net.
413. . 80866 IN NS m.root-servers.net.
414. . 80866 IN NS i.root-servers.net.
415. . 80866 IN NS h.root-servers.net.
416. . 80866 IN NS e.root-servers.net.
417. . 80866 IN NS l.root-servers.net.
418. . 80866 IN RRSIG NS 8 0 518400 20190227050000 20190214040000 16749 . KjRJi44YfIrOlhPKeg7qiGlwP2QsgQmM2rTFegujHBe0cRTA1uH0NEgj FPJX+q10aSbYdSr3FGT2cW1YTRmLmAbNXGwZz84jYBm+Z+Au+Yhr9TRN 4DHs4voHtgr8u/sm5Hx72ghRbXOSK+ffIljYBTSwk4TKkFi1sqYbs7V6 tMz0LjK1rEuWHnPi2Vnrp93/WKdWMQmytU2qvKr9x6/s8TSkWWOKzaEX sOGlz9aFDRpYkreMZvOWKjUJbkzz9BgvKhnT72q0oDdhdrhle1bTM+yV rZ4pgndNM0b3TAdcMiNhNEISL0uQ0b5tUM3Y3rOT9YLlF4gA+p01UD3a cuep6w==
419. ;; Received 525 bytes from 38.132.106.139#53(38.132.106.139) in 33 ms
420.  
421. sd. 172800 IN NS sd.cctld.authdns.ripe.net.
422. sd. 172800 IN NS ns1.uaenic.ae.
423. sd. 172800 IN NS ns2.uaenic.ae.
424. sd. 172800 IN NS ans1.sis.sd.
425. sd. 172800 IN NS ans1.canar.sd.
426. sd. 172800 IN NS ans2.canar.sd.
427. sd. 172800 IN NS ns-sd.afrinic.net.
428. sd. 86400 IN NSEC se. NS RRSIG NSEC
429. sd. 86400 IN RRSIG NSEC 8 1 86400 20190227050000 20190214040000 16749 . p5xCmXr6/UJpXVFgnTVrZf/qZ0bsqHWSMXrkDI4WLDsbzoK/TSBtEgO2 KSA9Is1n0hWTqY3HfWl5R0HypWb+vtX32FbjdPNUpm2FBtpujLQgxvry /nJRvXzYKmy1NPoLesExvMg/3coxIQKAPxmfwm09ddZ5vfvc+NKc5X7D znXBTk+j6KILgL7LvhhJ0/TsikCqL3gPGKH8aW6RId4tcxJV1dmgRR8F FcGkESYs2KJmG6KN/JG5OiJ/rOVUSQCkHjUAMoX1x+qKLAy+dDJkBnyy OkdQ+04CkijYHauuo/VvJjk14/60ChpgDqc//AF+VJgvGPs9tSEQLApC wFQsOg==
430. ;; Received 699 bytes from 199.7.91.13#53(d.root-servers.net) in 36 ms
431.  
432. gov.sd. 14400 IN NS sd.cctld.authdns.ripe.net.
433. gov.sd. 14400 IN NS ns1.uaenic.ae.
434. gov.sd. 14400 IN NS ns2.uaenic.ae.
435. gov.sd. 14400 IN NS ans1.sis.sd.
436. gov.sd. 14400 IN NS ans1.canar.sd.
437. gov.sd. 14400 IN NS ans2.canar.sd.
438. gov.sd. 14400 IN NS ns-sd.afrinic.net.
439. ;; Received 268 bytes from 196.216.168.26#53(ns-sd.afrinic.net) in 274 ms
440.  
441. mocit.gov.sd. 14400 IN NS ns0.ndc.gov.sd.
442. mocit.gov.sd. 14400 IN NS ns1.ndc.gov.sd.
443. ;; Received 113 bytes from 2001:67c:e0::109#53(sd.cctld.authdns.ripe.net) in 106 ms
444.  
445. mocit.gov.sd. 86400 IN A 62.12.105.2
446. mocit.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
447. mocit.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
448. ;; Received 129 bytes from 62.12.109.3#53(ns1.ndc.gov.sd) in 206 ms
449. #######################################################################################################################################
450. [*] Performing General Enumeration of Domain: mocit.gov.sd
451. [-] DNSSEC is not configured for mocit.gov.sd
452. [*] SOA ns0.ndc.gov.sd 62.12.109.2
453. [*] NS ns1.ndc.gov.sd 62.12.109.3
454. [*] Bind Version for 62.12.109.3 you guess!
455. [*] NS ns0.ndc.gov.sd 62.12.109.2
456. [*] Bind Version for 62.12.109.2 you guess!
457. [*] MX f03-web02.nic.gov.sd 62.12.105.2
458. [*] A mocit.gov.sd 62.12.105.2
459. [*] TXT mocit.gov.sd v=spf1 mx -all
460. [*] Enumerating SRV Records
461. [-] No SRV Records Found for mocit.gov.sd
462. [+] 0 Records Found
463. #######################################################################################################################################
464. [*] Processing domain mocit.gov.sd
465. [*] Using system resolvers ['38.132.106.139', '194.187.251.67', '185.93.180.131', '205.151.67.6', '205.151.67.34', '205.151.67.2', '2001:18c0:ffe0:2::2', '2001:18c0:ffe0:3::2', '2001:18c0:ffe0:1::2']
466. [+] Getting nameservers
467. 62.12.109.3 - ns1.ndc.gov.sd
468. [+] Zone transfer sucessful using nameserver ns1.ndc.gov.sd
469. mocit.gov.sd. 86400 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2017042400 10800 900 604800 86400
470. mocit.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
471. mocit.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
472. mocit.gov.sd. 86400 IN A 62.12.105.2
473. mocit.gov.sd. 86400 IN MX 10 f03-web02.nic.gov.sd.
474. mocit.gov.sd. 86400 IN TXT "v=spf1 mx -all"
475. mail.mocit.gov.sd. 86400 IN A 62.12.105.2
476. mail.mocit.gov.sd. 86400 IN MX 10 mail.mocit.gov.sd.
477. webmail.mocit.gov.sd. 86400 IN CNAME mail.mocit.gov.sd.
478. www.mocit.gov.sd. 86400 IN A 62.12.105.2
479. #######################################################################################################################################
480. Ip Address Status Type Domain Name Server
481. ---------- ------ ---- ----------- ------
482. 62.12.105.2 200 host mail.mocit.gov.sd nginx
483. 62.12.105.2 200 alias webmail.mocit.gov.sd nginx
484. 62.12.105.2 200 host mail.mocit.gov.sd nginx
485. 62.12.105.2 301 host www.mocit.gov.sd nginx
486. #######################################################################################################################################
487. [+] Testing domain
488. www.mocit.gov.sd 62.12.105.2
489. [+] Dns resolving
490. Domain name Ip address Name server
491. mocit.gov.sd 62.12.105.2 f03-web02.nic.gov.sd
492. Found 1 host(s) for mocit.gov.sd
493. [+] Testing wildcard
494. Ok, no wildcard found.
495.  
496. [+] Scanning for subdomain on mocit.gov.sd
497. [!] Wordlist not specified. I scannig with my internal wordlist...
498. Estimated time about 106.32 seconds
499.  
500. Subdomain Ip address Name server
501.  
502. mail.mocit.gov.sd 62.12.105.2 f03-web02.nic.gov.sd
503. webmail.mocit.gov.sd 62.12.105.2 f03-web02.nic.gov.sd
504. www.mocit.gov.sd 62.12.105.2 f03-web02.nic.gov.sd
505. #######################################################################################################################################
506. dnsenum VERSION:1.2.4
507.  
508. ----- mocit.gov.sd -----
509.  
510.  
511. Host's addresses:
512. __________________
513.  
514. mocit.gov.sd. 82581 IN A 62.12.105.2
515.  
516.  
517. Name Servers:
518. ______________
519.  
520. ns0.ndc.gov.sd. 13744 IN A 62.12.109.2
521. ns1.ndc.gov.sd. 13744 IN A 62.12.109.3
522.  
523.  
524. Mail (MX) Servers:
525. ___________________
526.  
527. f03-web02.nic.gov.sd. 86400 IN A 62.12.105.2
528.  
529.  
530. Trying Zone Transfers and getting Bind Versions:
531. _________________________________________________
532.  
533.  
534. Trying Zone Transfer for mocit.gov.sd on ns0.ndc.gov.sd ...
535. mocit.gov.sd. 86400 IN SOA (
536. mocit.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
537. mocit.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
538. mocit.gov.sd. 86400 IN A 62.12.105.2
539. mocit.gov.sd. 86400 IN MX 10
540. mocit.gov.sd. 86400 IN TXT "v=spf1
541. mail.mocit.gov.sd. 86400 IN A 62.12.105.2
542. mail.mocit.gov.sd. 86400 IN MX 10
543. webmail.mocit.gov.sd. 86400 IN CNAME mail.mocit.gov.sd.
544. www.mocit.gov.sd. 86400 IN A 62.12.105.2
545.  
546. Trying Zone Transfer for mocit.gov.sd on ns1.ndc.gov.sd ...
547. mocit.gov.sd. 86400 IN SOA (
548. mocit.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
549. mocit.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
550. mocit.gov.sd. 86400 IN A 62.12.105.2
551. mocit.gov.sd. 86400 IN MX 10
552. mocit.gov.sd. 86400 IN TXT "v=spf1
553. mail.mocit.gov.sd. 86400 IN A 62.12.105.2
554. mail.mocit.gov.sd. 86400 IN MX 10
555. webmail.mocit.gov.sd. 86400 IN CNAME mail.mocit.gov.sd.
556. www.mocit.gov.sd. 86400 IN A 62.12.105.2
557. #######################################################################################################################################
558.  
559. ____ _ _ _ _ _____
560. / ___| _ _| |__ | (_)___| |_|___ / _ __
561. \___ \| | | | '_ \| | / __| __| |_ \| '__|
562. ___) | |_| | |_) | | \__ \ |_ ___) | |
563. |____/ \__,_|_.__/|_|_|___/\__|____/|_|
564.  
565. # Coded By Ahmed Aboul-Ela - @aboul3la
566.  
567. [-] Enumerating subdomains now for mocit.gov.sd
568. [-] verbosity is enabled, will show the subdomains results in realtime
569. [-] Searching now in Baidu..
570. [-] Searching now in Yahoo..
571. [-] Searching now in Google..
572. [-] Searching now in Bing..
573. [-] Searching now in Ask..
574. [-] Searching now in Netcraft..
575. [-] Searching now in DNSdumpster..
576. [-] Searching now in Virustotal..
577. [-] Searching now in ThreatCrowd..
578. [-] Searching now in SSL Certificates..
579. [-] Searching now in PassiveDNS..
580. Virustotal: www.mocit.gov.sd
581. Virustotal: mail.mocit.gov.sd
582. [-] Saving results to file: /usr/share/sniper/loot//domains/domains-mocit.gov.sd.txt
583. [-] Total Unique Subdomains Found: 2
584. www.mocit.gov.sd
585. mail.mocit.gov.sd
586. #######################################################################################################################################
587. ===============================================
588. -=Subfinder v1.1.3 github.com/subfinder/subfinder
589. ===============================================
590.  
591.  
592. Running Source: Ask
593. Running Source: Archive.is
594. Running Source: Baidu
595. Running Source: Bing
596. Running Source: CertDB
597. Running Source: CertificateTransparency
598. Running Source: Certspotter
599. Running Source: Commoncrawl
600. Running Source: Crt.sh
601. Running Source: Dnsdb
602. Running Source: DNSDumpster
603. Running Source: DNSTable
604. Running Source: Dogpile
605. Running Source: Exalead
606. Running Source: Findsubdomains
607. Running Source: Googleter
608. Running Source: Hackertarget
609. Running Source: Ipv4Info
610. Running Source: PTRArchive
611. Running Source: Sitedossier
612. Running Source: Threatcrowd
613. Running Source: ThreatMiner
614. Running Source: WaybackArchive
615. Running Source: Yahoo
616.  
617. Running enumeration on mocit.gov.sd
618.  
619. dnsdb: Unexpected return status 503
620.  
621. archiveis: Get http://archive.is/*.mocit.gov.sd: dial tcp 213.183.51.24:80: connect: connection timed out
622.  
623.  
624. Starting Bruteforcing of mocit.gov.sd with 9985 words
625.  
626. Total 5 Unique subdomains found for mocit.gov.sd
627.  
628. .mocit.gov.sd
629. mail.mocit.gov.sd
630. mail.mocit.gov.sd
631. webmail.mocit.gov.sd
632. www.mocit.gov.sd
633. #######################################################################################################################################
634. [*] Processing domain mocit.gov.sd
635. [*] Using system resolvers ['38.132.106.139', '194.187.251.67', '185.93.180.131', '205.151.67.6', '205.151.67.34', '205.151.67.2', '2001:18c0:ffe0:2::2', '2001:18c0:ffe0:3::2', '2001:18c0:ffe0:1::2']
636. [+] Getting nameservers
637. 62.12.109.3 - ns1.ndc.gov.sd
638. [+] Zone transfer sucessful using nameserver ns1.ndc.gov.sd
639. mocit.gov.sd. 86400 IN SOA ns0.ndc.gov.sd. root.ndc.gov.sd. 2017042400 10800 900 604800 86400
640. mocit.gov.sd. 86400 IN NS ns0.ndc.gov.sd.
641. mocit.gov.sd. 86400 IN NS ns1.ndc.gov.sd.
642. mocit.gov.sd. 86400 IN A 62.12.105.2
643. mocit.gov.sd. 86400 IN MX 10 f03-web02.nic.gov.sd.
644. mocit.gov.sd. 86400 IN TXT "v=spf1 mx -all"
645. mail.mocit.gov.sd. 86400 IN A 62.12.105.2
646. mail.mocit.gov.sd. 86400 IN MX 10 mail.mocit.gov.sd.
647. webmail.mocit.gov.sd. 86400 IN CNAME mail.mocit.gov.sd.
648. www.mocit.gov.sd. 86400 IN A 62.12.105.2
649. #######################################################################################################################################
650. [*] Found SPF record:
651. [*] v=spf1 mx -all
652. [*] SPF record contains an All item: -all
653. [*] No DMARC record found. Looking for organizational record
654. [+] No organizational DMARC record
655. [+] Spoofing possible for mocit.gov.sd!
656. #######################################################################################################################################
657. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:53 EST
658. Nmap scan report for mocit.gov.sd (62.12.105.2)
659. Host is up (0.16s latency).
660. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
661. Not shown: 464 filtered ports, 4 closed ports
662. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
663. PORT STATE SERVICE
664. 21/tcp open ftp
665. 80/tcp open http
666. 110/tcp open pop3
667. 143/tcp open imap
668. 443/tcp open https
669. 993/tcp open imaps
670. 995/tcp open pop3s
671. 8443/tcp open https-alt
672. #######################################################################################################################################
673. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:53 EST
674. Nmap scan report for mocit.gov.sd (62.12.105.2)
675. Host is up (0.023s latency).
676. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
677. Not shown: 2 filtered ports
678. PORT STATE SERVICE
679. 53/udp open|filtered domain
680. 67/udp open|filtered dhcps
681. 68/udp open|filtered dhcpc
682. 69/udp open|filtered tftp
683. 88/udp open|filtered kerberos-sec
684. 123/udp open|filtered ntp
685. 139/udp open|filtered netbios-ssn
686. 161/udp open|filtered snmp
687. 162/udp open|filtered snmptrap
688. 389/udp open|filtered ldap
689. 520/udp open|filtered route
690. 2049/udp open|filtered nfs
691. #######################################################################################################################################
692. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:53 EST
693. Nmap scan report for mocit.gov.sd (62.12.105.2)
694. Host is up (0.21s latency).
695. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
696.  
697. PORT STATE SERVICE VERSION
698. 21/tcp open tcpwrapped
699. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
700. Device type: specialized|WAP|general purpose|router
701. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
702. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
703. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
704. Network Distance: 20 hops
705.  
706. TRACEROUTE (using port 21/tcp)
707. HOP RTT ADDRESS
708. 1 23.11 ms 10.244.200.1
709. 2 23.31 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
710. 3 27.79 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
711. 4 23.19 ms 82.102.29.44
712. 5 23.61 ms 38.122.42.161
713. 6 23.66 ms hu0-4-0-1.ccr21.ymq01.atlas.cogentco.com (154.54.25.126)
714. 7 92.83 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
715. 8 98.65 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
716. 9 99.88 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
717. 10 99.95 ms be2868.ccr21.lon01.atlas.cogentco.com (154.54.57.154)
718. 11 104.18 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
719. 12 182.94 ms 185.153.20.70
720. 13 182.95 ms 185.153.20.82
721. 14 182.67 ms 185.153.20.94
722. 15 196.46 ms 185.153.20.153
723. 16 ... 17
724. 18 212.81 ms 196.202.145.94
725. 19 ...
726. 20 206.78 ms f03-web02.nic.gov.sd (62.12.105.2)
727. #######################################################################################################################################
728. http://mocit.gov.sd [302 Found] Cookies[csrf_cookie_name], HTTPServer[nginx], IP[62.12.105.2], PHP[5.3.29,], Plesk[Lin], RedirectLocation[http://mocit.gov.sd/index.php/ar/], X-Powered-By[PHP/5.3.29, PleskLin], nginx
729. http://mocit.gov.sd/index.php/ar/ [200 OK] CodeIgniter-PHP-Framework[ci_session Cookie], Cookies[ci_session,csrf_cookie_name,user_lang], Frame, HTML5, HTTPServer[nginx], IP[62.12.105.2], JQuery[1.6.4], PHP[5.3.29,], Plesk[Lin], Script[text/javascript], Title[وزارة الثقافة والاعلام والسياحة], probably WordPress, X-Powered-By[PHP/5.3.29, PleskLin], YouTube, nginx
730. #######################################################################################################################################
731. wig - WebApp Information Gatherer
732.  
733.  
734. Scanning http://mocit.gov.sd...
735. _________________________________________ SITE INFO _________________________________________
736. IP Title
737. 62.12.105.2 وزارة الثقافة والاعلام والسياحة
738.  
739. __________________________________________ VERSION __________________________________________
740. Name Versions Type
741. WordPress CMS
742. Apache 2.4.10 | 2.4.11 | 2.4.12 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 Platform
743. 2.4.9
744. PHP 5.3.29 Platform
745. nginx Platform
746.  
747. ________________________________________ INTERESTING ________________________________________
748. URL Note Type
749. /install.php Installation file Interesting
750. /test.php Test file Interesting
751.  
752. ___________________________________________ TOOLS ___________________________________________
753. Name Link Software
754. wpscan https://github.com/wpscanteam/wpscan WordPress
755. CMSmap https://github.com/Dionach/CMSmap WordPress
756.  
757. _____________________________________________________________________________________________
758. Time: 39.2 sec Urls: 477 Fingerprints: 40401
759. #######################################################################################################################################
760. HTTP/1.1 302 Moved Temporarily
761. Server: nginx
762. Date: Thu, 14 Feb 2019 16:08:15 GMT
763. Content-Type: text/html
764. Connection: keep-alive
765. X-Powered-By: PHP/5.3.29
766. Set-Cookie: csrf_cookie_name=3415093e41ec9f23ba6e1233b5da84c0; expires=Thu, 14-Feb-2019 18:08:15 GMT; path=/
767. Location: http://mocit.gov.sd/index.php/ar/
768. X-Powered-By: PleskLin
769.  
770. HTTP/1.1 302 Moved Temporarily
771. Server: nginx
772. Date: Thu, 14 Feb 2019 16:08:16 GMT
773. Content-Type: text/html
774. Connection: keep-alive
775. X-Powered-By: PHP/5.3.29
776. Set-Cookie: csrf_cookie_name=ac8d37ef201fc8221b6bd93244c20002; expires=Thu, 14-Feb-2019 18:08:16 GMT; path=/
777. Location: http://mocit.gov.sd/index.php/ar/
778. X-Powered-By: PleskLin
779.  
780. HTTP/1.1 200 OK
781. Server: nginx
782. Date: Thu, 14 Feb 2019 16:08:16 GMT
783. Content-Type: text/html
784. Connection: keep-alive
785. X-Powered-By: PHP/5.3.29
786. Set-Cookie: csrf_cookie_name=1d32e0ea8cb6b7a7f4b9ad5c6fb1be0a; expires=Thu, 14-Feb-2019 18:08:16 GMT; path=/
787. Set-Cookie: user_lang=ar; expires=Thu, 14-Feb-2019 18:08:16 GMT; path=/
788. Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2269755f6fa613543efa203f4c446a6811%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%22176.113.74.44%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A11%3A%22curl%2F7.64.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1550160496%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D35c17dd7c3c1c6a25e6e55b37a3d2e54; expires=Thu, 14-Feb-2019 18:08:16 GMT; path=/
789. X-Powered-By: PleskLin
790. #######################################################################################################################################
791. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:06 EST
792. Nmap scan report for mocit.gov.sd (62.12.105.2)
793. Host is up (0.21s latency).
794. rDNS record for 62.12.105.2: f03-web02.nic.gov.sd
795.  
796. PORT STATE SERVICE VERSION
797. 110/tcp open pop3 Dovecot pop3d
798. | pop3-brute:
799. | Accounts: No valid accounts found
800. |_ Statistics: Performed 185 guesses in 191 seconds, average tps: 0.8
801. |_pop3-capabilities: APOP UIDL USER RESP-CODES CAPA STLS PIPELINING AUTH-RESP-CODE SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) TOP
802. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
803. OS fingerprint not ideal because: Timing level 5 (Insane) used
804. No OS matches for host
805. Network Distance: 19 hops
806. Service Info: Host: fo3-web02.nic.gov.sd
807.  
808. TRACEROUTE (using port 443/tcp)
809. HOP RTT ADDRESS
810. 1 21.62 ms 10.244.200.1
811. 2 22.02 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
812. 3 22.02 ms 37.120.128.168
813. 4 21.79 ms 82.102.29.44
814. 5 23.21 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
815. 6 22.04 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
816. 7 91.87 ms be3043.ccr22.lpl01.atlas.cogentco.com (154.54.44.165)
817. 8 97.48 ms be2391.ccr51.lhr01.atlas.cogentco.com (154.54.39.149)
818. 9 98.48 ms be3487.ccr41.lon13.atlas.cogentco.com (154.54.60.5)
819. 10 98.74 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
820. 11 99.84 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
821. 12 178.43 ms 185.153.20.70
822. 13 178.44 ms 185.153.20.82
823. 14 178.43 ms 185.153.20.94
824. 15 192.91 ms 185.153.20.153
825. 16 ... 17
826. 18 210.81 ms 196.202.145.94
827. 19 209.26 ms f03-web02.nic.gov.sd (62.12.105.2)
828. #######################################################################################################################################
829. Version: 1.11.12-static
830. OpenSSL 1.0.2-chacha (1.0.2g-dev)
831.  
832. Connected to 62.12.105.2
833.  
834. Testing SSL server mocit.gov.sd on port 443 using SNI name mocit.gov.sd
835.  
836. TLS Fallback SCSV:
837. Server supports TLS Fallback SCSV
838.  
839. TLS renegotiation:
840. Secure session renegotiation supported
841.  
842. TLS Compression:
843. Compression disabled
844.  
845. Heartbleed:
846. TLS 1.2 not vulnerable to heartbleed
847. TLS 1.1 not vulnerable to heartbleed
848. TLS 1.0 not vulnerable to heartbleed
849.  
850. Supported Server Cipher(s):
851. Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
852. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
853. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
854. Accepted TLSv1.2 256 bits AES256-GCM-SHA384
855. Accepted TLSv1.2 256 bits AES256-SHA256
856. Accepted TLSv1.2 256 bits AES256-SHA
857. Accepted TLSv1.2 256 bits CAMELLIA256-SHA
858. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
859. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
860. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
861. Accepted TLSv1.2 128 bits AES128-GCM-SHA256
862. Accepted TLSv1.2 128 bits AES128-SHA256
863. Accepted TLSv1.2 128 bits AES128-SHA
864. Accepted TLSv1.2 128 bits CAMELLIA128-SHA
865. Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
866. Accepted TLSv1.1 256 bits AES256-SHA
867. Accepted TLSv1.1 256 bits CAMELLIA256-SHA
868. Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
869. Accepted TLSv1.1 128 bits AES128-SHA
870. Accepted TLSv1.1 128 bits CAMELLIA128-SHA
871. Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
872. Accepted TLSv1.0 256 bits AES256-SHA
873. Accepted TLSv1.0 256 bits CAMELLIA256-SHA
874. Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
875. Accepted TLSv1.0 128 bits AES128-SHA
876. Accepted TLSv1.0 128 bits CAMELLIA128-SHA
877.  
878. SSL Certificate:
879. Signature Algorithm: sha256WithRSAEncryption
880. RSA Key Strength: 2048
881.  
882. Subject: Plesk
883. Issuer: Plesk
884.  
885. Not valid before: Apr 20 02:40:27 2016 GMT
886. Not valid after: Apr 20 02:40:27 2017 GMT
887. #######################################################################################################################################
888. --------------------------------------------------------
889. <<<Yasuo discovered following vulnerable applications>>>
890. --------------------------------------------------------
891. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
892. | App Name | URL to Application | Potential Exploit | Username | Password |
893. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
894. | phpMyAdmin | https://62.12.105.2:8443/phpmyadmin/ | ./exploits/multi/http/phpmyadmin_preg_replace.rb | None | None |
895. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
896. #######################################################################################################################################
897. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:47 EST
898. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
899. Host is up (0.17s latency).
900. Not shown: 464 filtered ports, 4 closed ports
901. Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
902. PORT STATE SERVICE
903. 21/tcp open ftp
904. 80/tcp open http
905. 110/tcp open pop3
906. 143/tcp open imap
907. 443/tcp open https
908. 993/tcp open imaps
909. 995/tcp open pop3s
910. 8443/tcp open https-alt
911. #######################################################################################################################################
912. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:48 EST
913. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
914. Host is up (0.023s latency).
915. Not shown: 2 filtered ports
916. PORT STATE SERVICE
917. 53/udp open|filtered domain
918. 67/udp open|filtered dhcps
919. 68/udp open|filtered dhcpc
920. 69/udp open|filtered tftp
921. 88/udp open|filtered kerberos-sec
922. 123/udp open|filtered ntp
923. 139/udp open|filtered netbios-ssn
924. 161/udp open|filtered snmp
925. 162/udp open|filtered snmptrap
926. 389/udp open|filtered ldap
927. 520/udp open|filtered route
928. 2049/udp open|filtered nfs
929. #######################################################################################################################################
930. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:48 EST
931. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
932. Host is up (0.21s latency).
933.  
934. PORT STATE SERVICE VERSION
935. 21/tcp open tcpwrapped
936. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
937. Device type: specialized|WAP|general purpose|router
938. Running: AVtech embedded, Linux 2.4.X|2.6.X|3.X, MikroTik RouterOS 6.X
939. OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3.2.0 cpe:/o:mikrotik:routeros:6.15
940. OS details: AVtech Room Alert 26W environmental monitor, Tomato 1.27 - 1.28 (Linux 2.4.20), Linux 2.6.18 - 2.6.22, Linux 3.2.0, MikroTik RouterOS 6.15 (Linux 3.3.5)
941. Network Distance: 20 hops
942.  
943. TRACEROUTE (using port 21/tcp)
944. HOP RTT ADDRESS
945. 1 24.45 ms 10.244.200.1
946. 2 24.92 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
947. 3 31.95 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
948. 4 24.89 ms 82.102.29.44
949. 5 25.31 ms 38.122.42.161
950. 6 24.94 ms hu0-4-0-1.ccr21.ymq01.atlas.cogentco.com (154.54.25.126)
951. 7 95.68 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
952. 8 100.26 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
953. 9 101.34 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
954. 10 101.73 ms be2868.ccr21.lon01.atlas.cogentco.com (154.54.57.154)
955. 11 98.62 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
956. 12 177.26 ms 185.153.20.70
957. 13 177.29 ms 185.153.20.82
958. 14 177.02 ms 185.153.20.94
959. 15 195.66 ms 185.153.20.153
960. 16 ... 17
961. 18 216.11 ms 196.202.145.94
962. 19 ...
963. 20 205.41 ms f03-web02.nic.gov.sd (62.12.105.2)
964. #######################################################################################################################################
965. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 11:59 EST
966. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
967. Host is up.
968.  
969. PORT STATE SERVICE VERSION
970. 67/udp open|filtered dhcps
971. |_dhcp-discover: ERROR: Script execution failed (use -d to debug)
972. Too many fingerprints match this host to give specific OS details
973.  
974. TRACEROUTE (using proto 1/icmp)
975. HOP RTT ADDRESS
976. 1 23.12 ms 10.244.200.1
977. 2 24.27 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
978. 3 38.80 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
979. 4 24.23 ms 82.102.29.44
980. 5 24.32 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
981. 6 24.30 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
982. 7 93.66 ms 154.54.44.165
983. 8 99.33 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
984. 9 100.35 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
985. 10 100.36 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
986. 11 99.83 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
987. 12 178.44 ms 185.153.20.70
988. 13 178.49 ms 185.153.20.82
989. 14 178.46 ms 185.153.20.94
990. 15 192.23 ms 185.153.20.153
991. 16 203.36 ms 212.0.131.109
992. 17 205.31 ms 196.202.137.249
993. 18 214.59 ms 196.202.145.94
994. 19 ... 30
995. #######################################################################################################################################
996. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:01 EST
997. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
998. Host is up.
999.  
1000. PORT STATE SERVICE VERSION
1001. 68/udp open|filtered dhcpc
1002. Too many fingerprints match this host to give specific OS details
1003.  
1004. TRACEROUTE (using proto 1/icmp)
1005. HOP RTT ADDRESS
1006. 1 23.35 ms 10.244.200.1
1007. 2 23.78 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1008. 3 39.94 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1009. 4 23.42 ms 82.102.29.44
1010. 5 25.42 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
1011. 6 24.22 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
1012. 7 93.39 ms 154.54.44.165
1013. 8 99.25 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1014. 9 100.21 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1015. 10 100.52 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
1016. 11 107.70 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1017. 12 186.35 ms 185.153.20.70
1018. 13 186.64 ms 185.153.20.82
1019. 14 186.31 ms 185.153.20.94
1020. 15 200.10 ms 185.153.20.153
1021. 16 208.02 ms 212.0.131.109
1022. 17 201.44 ms 196.202.137.249
1023. 18 210.35 ms 196.202.145.94
1024. 19 ... 30
1025. #######################################################################################################################################
1026. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:03 EST
1027. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1028. Host is up.
1029.  
1030. PORT STATE SERVICE VERSION
1031. 69/udp open|filtered tftp
1032. Too many fingerprints match this host to give specific OS details
1033.  
1034. TRACEROUTE (using proto 1/icmp)
1035. HOP RTT ADDRESS
1036. 1 26.41 ms 10.244.200.1
1037. 2 26.84 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1038. 3 40.24 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1039. 4 28.85 ms 82.102.29.44
1040. 5 26.88 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
1041. 6 26.89 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
1042. 7 97.92 ms 154.54.44.165
1043. 8 103.48 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1044. 9 103.51 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1045. 10 103.56 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
1046. 11 98.40 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1047. 12 177.01 ms 185.153.20.70
1048. 13 177.02 ms 185.153.20.82
1049. 14 176.96 ms 185.153.20.94
1050. 15 190.75 ms 185.153.20.153
1051. 16 208.88 ms 212.0.131.109
1052. 17 206.14 ms 196.202.137.249
1053. 18 211.22 ms 196.202.145.94
1054. 19 ... 30
1055. #######################################################################################################################################
1056. wig - WebApp Information Gatherer
1057.  
1058.  
1059. Scanning http://62.12.105.2...
1060. ________________________________________ SITE INFO _________________________________________
1061. IP Title
1062. 62.12.105.2 Domain Default page
1063.  
1064. _________________________________________ VERSION __________________________________________
1065. Name Versions Type
1066. Apache 2.4.10 | 2.4.11 | 2.4.12 | 2.4.5 | 2.4.6 | 2.4.7 | 2.4.8 Platform
1067. 2.4.9
1068. nginx Platform
1069.  
1070. ____________________________________________________________________________________________
1071. Time: 1.4 sec Urls: 811 Fingerprints: 40401
1072. #######################################################################################################################################
1073. HTTP/1.1 200 OK
1074. Server: nginx
1075. Date: Thu, 14 Feb 2019 16:08:25 GMT
1076. Content-Type: text/html
1077. Content-Length: 3750
1078. Connection: keep-alive
1079. Last-Modified: Wed, 07 Feb 2018 11:25:44 GMT
1080. ETag: "ea6-5649d8e57844b"
1081. Accept-Ranges: bytes
1082.  
1083. HTTP/1.1 200 OK
1084. Server: nginx
1085. Date: Thu, 14 Feb 2019 16:08:25 GMT
1086. Content-Type: text/html
1087. Content-Length: 3750
1088. Connection: keep-alive
1089. Last-Modified: Wed, 07 Feb 2018 11:25:44 GMT
1090. ETag: "ea6-5649d8e57844b"
1091. Accept-Ranges: bytes
1092. #######################################################################################################################################
1093. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:06 EST
1094. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1095. Host is up (0.21s latency).
1096.  
1097. PORT STATE SERVICE VERSION
1098. 110/tcp open pop3 Dovecot pop3d
1099. | pop3-brute:
1100. | Accounts: No valid accounts found
1101. |_ Statistics: Performed 218 guesses in 196 seconds, average tps: 1.2
1102. |_pop3-capabilities: APOP STLS RESP-CODES PIPELINING USER UIDL CAPA TOP SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) AUTH-RESP-CODE
1103. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
1104. OS fingerprint not ideal because: Timing level 5 (Insane) used
1105. No OS matches for host
1106. Network Distance: 19 hops
1107. Service Info: Host: fo3-web02.nic.gov.sd
1108.  
1109. TRACEROUTE (using port 443/tcp)
1110. HOP RTT ADDRESS
1111. 1 22.03 ms 10.244.200.1
1112. 2 22.56 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1113. 3 26.75 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1114. 4 22.36 ms 82.102.29.44
1115. 5 22.58 ms 38.122.42.161
1116. 6 23.02 ms hu0-4-0-1.ccr21.ymq01.atlas.cogentco.com (154.54.25.126)
1117. 7 91.84 ms be3042.ccr21.lpl01.atlas.cogentco.com (154.54.44.161)
1118. 8 99.05 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1119. 9 99.08 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1120. 10 99.11 ms be2868.ccr21.lon01.atlas.cogentco.com (154.54.57.154)
1121. 11 99.99 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1122. 12 178.49 ms 185.153.20.70
1123. 13 178.49 ms 185.153.20.82
1124. 14 178.46 ms 185.153.20.94
1125. 15 193.09 ms 185.153.20.153
1126. 16 ... 17
1127. 18 211.39 ms 196.202.145.94
1128. 19 206.57 ms f03-web02.nic.gov.sd (62.12.105.2)
1129. #######################################################################################################################################
1130. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:10 EST
1131. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1132. Host is up.
1133.  
1134. PORT STATE SERVICE VERSION
1135. 123/udp open|filtered ntp
1136. Too many fingerprints match this host to give specific OS details
1137.  
1138. TRACEROUTE (using proto 1/icmp)
1139. HOP RTT ADDRESS
1140. 1 21.95 ms 10.244.200.1
1141. 2 22.02 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1142. 3 36.50 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1143. 4 22.02 ms 82.102.29.44
1144. 5 22.41 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
1145. 6 22.38 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
1146. 7 91.78 ms 154.54.44.165
1147. 8 97.73 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1148. 9 98.92 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1149. 10 98.62 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
1150. 11 99.65 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1151. 12 178.50 ms 185.153.20.70
1152. 13 178.50 ms 185.153.20.82
1153. 14 178.46 ms 185.153.20.94
1154. 15 191.62 ms 185.153.20.153
1155. 16 213.56 ms 212.0.131.109
1156. 17 201.82 ms 196.202.137.249
1157. 18 210.81 ms 196.202.145.94
1158. 19 ... 30
1159. #######################################################################################################################################
1160. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:12 EST
1161. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1162. Host is up (0.20s latency).
1163.  
1164. PORT STATE SERVICE VERSION
1165. 161/tcp filtered snmp
1166. 161/udp open|filtered snmp
1167. Too many fingerprints match this host to give specific OS details
1168.  
1169. TRACEROUTE (using proto 1/icmp)
1170. HOP RTT ADDRESS
1171. 1 22.84 ms 10.244.200.1
1172. 2 23.22 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1173. 3 44.46 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1174. 4 23.05 ms 82.102.29.44
1175. 5 23.49 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
1176. 6 23.27 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
1177. 7 93.02 ms 154.54.44.165
1178. 8 98.72 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1179. 9 100.12 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1180. 10 100.17 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
1181. 11 99.48 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1182. 12 178.15 ms 185.153.20.70
1183. 13 178.15 ms 185.153.20.82
1184. 14 177.87 ms 185.153.20.94
1185. 15 191.68 ms 185.153.20.153
1186. 16 203.26 ms 212.0.131.109
1187. 17 203.45 ms 196.202.137.249
1188. 18 212.58 ms 196.202.145.94
1189. 19 ... 30
1190. #######################################################################################################################################
1191. Version: 1.11.12-static
1192. OpenSSL 1.0.2-chacha (1.0.2g-dev)
1193.  
1194. Connected to 62.12.105.2
1195.  
1196. Testing SSL server 62.12.105.2 on port 443 using SNI name 62.12.105.2
1197.  
1198. TLS Fallback SCSV:
1199. Server supports TLS Fallback SCSV
1200.  
1201. TLS renegotiation:
1202. Secure session renegotiation supported
1203.  
1204. TLS Compression:
1205. Compression disabled
1206.  
1207. Heartbleed:
1208. TLS 1.2 not vulnerable to heartbleed
1209. TLS 1.1 not vulnerable to heartbleed
1210. TLS 1.0 not vulnerable to heartbleed
1211.  
1212. Supported Server Cipher(s):
1213. Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
1214. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
1215. Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
1216. Accepted TLSv1.2 256 bits AES256-GCM-SHA384
1217. Accepted TLSv1.2 256 bits AES256-SHA256
1218. Accepted TLSv1.2 256 bits AES256-SHA
1219. Accepted TLSv1.2 256 bits CAMELLIA256-SHA
1220. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
1221. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
1222. Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
1223. Accepted TLSv1.2 128 bits AES128-GCM-SHA256
1224. Accepted TLSv1.2 128 bits AES128-SHA256
1225. Accepted TLSv1.2 128 bits AES128-SHA
1226. Accepted TLSv1.2 128 bits CAMELLIA128-SHA
1227. Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
1228. Accepted TLSv1.1 256 bits AES256-SHA
1229. Accepted TLSv1.1 256 bits CAMELLIA256-SHA
1230. Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
1231. Accepted TLSv1.1 128 bits AES128-SHA
1232. Accepted TLSv1.1 128 bits CAMELLIA128-SHA
1233. Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
1234. Accepted TLSv1.0 256 bits AES256-SHA
1235. Accepted TLSv1.0 256 bits CAMELLIA256-SHA
1236. Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
1237. Accepted TLSv1.0 128 bits AES128-SHA
1238. Accepted TLSv1.0 128 bits CAMELLIA128-SHA
1239.  
1240. SSL Certificate:
1241. Signature Algorithm: sha256WithRSAEncryption
1242. RSA Key Strength: 2048
1243.  
1244. Subject: Plesk
1245. Issuer: Plesk
1246.  
1247. Not valid before: Apr 20 02:40:27 2016 GMT
1248. Not valid after: Apr 20 02:40:27 2017 GMT
1249. ######################################################################################################################################
1250. --------------------------------------------------------
1251. <<<Yasuo discovered following vulnerable applications>>>
1252. --------------------------------------------------------
1253. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
1254. | App Name | URL to Application | Potential Exploit | Username | Password |
1255. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
1256. | phpMyAdmin | https://62.12.105.2:8443/phpmyadmin/ | ./exploits/multi/http/phpmyadmin_preg_replace.rb | None | None |
1257. +------------+--------------------------------------+--------------------------------------------------+----------+----------+
1258. #######################################################################################################################################
1259. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:20 EST
1260. NSE: Loaded 148 scripts for scanning.
1261. NSE: Script Pre-scanning.
1262. NSE: Starting runlevel 1 (of 2) scan.
1263. Initiating NSE at 12:20
1264. Completed NSE at 12:20, 0.00s elapsed
1265. NSE: Starting runlevel 2 (of 2) scan.
1266. Initiating NSE at 12:20
1267. Completed NSE at 12:20, 0.00s elapsed
1268. Initiating Ping Scan at 12:20
1269. Scanning 62.12.105.2 [4 ports]
1270. Completed Ping Scan at 12:20, 0.24s elapsed (1 total hosts)
1271. Initiating Parallel DNS resolution of 1 host. at 12:20
1272. Completed Parallel DNS resolution of 1 host. at 12:20, 0.02s elapsed
1273. Initiating Connect Scan at 12:20
1274. Scanning f03-web02.nic.gov.sd (62.12.105.2) [1000 ports]
1275. Discovered open port 143/tcp on 62.12.105.2
1276. Discovered open port 993/tcp on 62.12.105.2
1277. Discovered open port 995/tcp on 62.12.105.2
1278. Discovered open port 110/tcp on 62.12.105.2
1279. Discovered open port 21/tcp on 62.12.105.2
1280. Discovered open port 80/tcp on 62.12.105.2
1281. Discovered open port 443/tcp on 62.12.105.2
1282. Discovered open port 8443/tcp on 62.12.105.2
1283. Completed Connect Scan at 12:20, 14.11s elapsed (1000 total ports)
1284. Initiating Service scan at 12:20
1285. Scanning 8 services on f03-web02.nic.gov.sd (62.12.105.2)
1286. Completed Service scan at 12:20, 14.41s elapsed (8 services on 1 host)
1287. Initiating OS detection (try #1) against f03-web02.nic.gov.sd (62.12.105.2)
1288. Retrying OS detection (try #2) against f03-web02.nic.gov.sd (62.12.105.2)
1289. WARNING: OS didn't match until try #2
1290. Initiating Traceroute at 12:20
1291. Completed Traceroute at 12:20, 6.16s elapsed
1292. Initiating Parallel DNS resolution of 18 hosts. at 12:20
1293. Completed Parallel DNS resolution of 18 hosts. at 12:21, 16.51s elapsed
1294. NSE: Script scanning 62.12.105.2.
1295. NSE: Starting runlevel 1 (of 2) scan.
1296. Initiating NSE at 12:21
1297. NSE Timing: About 98.90% done; ETC: 12:21 (0:00:00 remaining)
1298. NSE Timing: About 99.08% done; ETC: 12:22 (0:00:01 remaining)
1299. NSE Timing: About 99.17% done; ETC: 12:22 (0:00:01 remaining)
1300. NSE Timing: About 99.54% done; ETC: 12:23 (0:00:01 remaining)
1301. Completed NSE at 12:23, 139.17s elapsed
1302. NSE: Starting runlevel 2 (of 2) scan.
1303. Initiating NSE at 12:23
1304. Completed NSE at 12:23, 0.45s elapsed
1305. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1306. Host is up, received syn-ack ttl 44 (0.15s latency).
1307. Scanned at 2019-02-14 12:20:12 EST for 198s
1308. Not shown: 988 filtered ports
1309. Reason: 987 no-responses and 1 host-unreach
1310. PORT STATE SERVICE REASON VERSION
1311. 21/tcp open tcpwrapped syn-ack
1312. 25/tcp closed smtp conn-refused
1313. 80/tcp open http syn-ack nginx
1314. |_http-favicon: Unknown favicon MD5: 1DB747255C64A30F9236E9D929E986CA
1315. | http-methods:
1316. |_ Supported Methods: GET HEAD POST OPTIONS
1317. |_http-server-header: nginx
1318. |_http-title: Domain Default page
1319. 110/tcp open pop3 syn-ack Dovecot pop3d
1320. |_pop3-capabilities: UIDL USER APOP SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) TOP AUTH-RESP-CODE STLS RESP-CODES PIPELINING CAPA
1321. |_ssl-date: TLS randomness does not represent time
1322. 113/tcp closed ident conn-refused
1323. 139/tcp closed netbios-ssn conn-refused
1324. 143/tcp open imap syn-ack Dovecot imapd
1325. |_imap-capabilities: post-login AUTH=CRAM-MD5A0001 STARTTLS LITERAL+ IMAP4rev1 SASL-IR OK Pre-login AUTH=PLAIN listed have ID AUTH=LOGIN AUTH=DIGEST-MD5 more IDLE capabilities LOGIN-REFERRALS ENABLE
1326. 443/tcp open ssl/http syn-ack nginx
1327. | http-methods:
1328. |_ Supported Methods: GET HEAD POST OPTIONS
1329. |_http-server-header: nginx
1330. |_http-title: Domain Default page
1331. | ssl-cert: Subject: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/organizationalUnitName=Plesk/emailAddress=info@plesk.com/localityName=Seattle
1332. | Issuer: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/organizationalUnitName=Plesk/emailAddress=info@plesk.com/localityName=Seattle
1333. | Public Key type: rsa
1334. | Public Key bits: 2048
1335. | Signature Algorithm: sha256WithRSAEncryption
1336. | Not valid before: 2016-04-20T02:40:27
1337. | Not valid after: 2017-04-20T02:40:27
1338. | MD5: a38f 7308 6ca0 a95d 2faa d3f0 6cb4 5553
1339. | SHA-1: 1479 6658 f803 6987 8f42 5473 9eaf 97e1 50dd 2d68
1340. | -----BEGIN CERTIFICATE-----
1341. | MIIDfTCCAmUCBFcW7BswDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNVBAYTAlVTMRMw
1342. | EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMQ0wCwYDVQQKEwRP
1343. | ZGluMQ4wDAYDVQQLEwVQbGVzazEOMAwGA1UEAxMFUGxlc2sxHTAbBgkqhkiG9w0B
1344. | CQEWDmluZm9AcGxlc2suY29tMB4XDTE2MDQyMDAyNDAyN1oXDTE3MDQyMDAyNDAy
1345. | N1owgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
1346. | EwdTZWF0dGxlMQ0wCwYDVQQKEwRPZGluMQ4wDAYDVQQLEwVQbGVzazEOMAwGA1UE
1347. | AxMFUGxlc2sxHTAbBgkqhkiG9w0BCQEWDmluZm9AcGxlc2suY29tMIIBIjANBgkq
1348. | hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ZDNfEWzRPuiKR6QpFWONPYHX+Pl6rwn
1349. | 6ctlVkGd2xcdnPKqzuL8z06rprVz1ro/kK7O9Xna4YfMzqoZjanxdzvjg5936PKF
1350. | jjf5+AA4mmbD1SD1wFCE4+U4PnE2lz/Ae/Nj5wSLK1xAL3zitACHRLTXs3a4GMQC
1351. | Q1LD36PSzhTl2EhDgQbSK+HB3YqsuJ8tKvn7P4qIGTZJ+HPikTXZ2e+bztPJGN4H
1352. | iL16zcL5F8DcIKuRx6qpmGjji8As/JsNLckYD0O8CFWZHNjbAniQ+c64Umif9UrD
1353. | IMcNJ3sgChQA7o8A1Qlu63FqJWGwxKlnPGt94tRpTUT1SGDCCMTTTwIDAQABMA0G
1354. | CSqGSIb3DQEBCwUAA4IBAQAmNWQp2HI7DaKdIhVqqviur4Z852Z1RCrqWXMl95DP
1355. | vtMpgRNrfdqC33xw627iWLJo4vKLvFK0OBgZ6O1gcLhcOeTGGbJLykhNjiPd0YU1
1356. | oIg7G6HWKeQ30q2FTv43qoc1s6uiuflihbctsF7tnLxMXQcZO3nwWkkLcuQtMDFS
1357. | RAkfBKbIoI/36MFs4GUh/nS78k9b3RgnSWwAD7DQi2+FrVr712EelRT627XIDp0U
1358. | t3D2RhpH0SqBX1ncmzF5P9wll3Yqoy0nrJOpXXEf3nP9LyTBA2imWclm4NHaBVat
1359. | CfsxXtJeFHpedfALThLxsTPAz/fsZoMC4s4N/ViMbF62
1360. |_-----END CERTIFICATE-----
1361. |_ssl-date: TLS randomness does not represent time
1362. | tls-alpn:
1363. |_ http/1.1
1364. | tls-nextprotoneg:
1365. |_ http/1.1
1366. 445/tcp closed microsoft-ds conn-refused
1367. 993/tcp open ssl/imaps? syn-ack
1368. |_ssl-date: TLS randomness does not represent time
1369. 995/tcp open ssl/pop3s? syn-ack
1370. |_ssl-date: TLS randomness does not represent time
1371. 8443/tcp open ssl/http syn-ack sw-cp-server httpd (Plesk Onyx 17.5.3)
1372. | http-methods:
1373. |_ Supported Methods: GET HEAD POST OPTIONS
1374. |_http-server-header: sw-cp-server
1375. |_http-title: Plesk Onyx 17.5.3
1376. | ssl-cert: Subject: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/organizationalUnitName=Plesk/emailAddress=info@plesk.com/localityName=Seattle
1377. | Issuer: commonName=Plesk/organizationName=Odin/stateOrProvinceName=Washington/countryName=US/organizationalUnitName=Plesk/emailAddress=info@plesk.com/localityName=Seattle
1378. | Public Key type: rsa
1379. | Public Key bits: 2048
1380. | Signature Algorithm: sha256WithRSAEncryption
1381. | Not valid before: 2016-04-20T02:40:27
1382. | Not valid after: 2017-04-20T02:40:27
1383. | MD5: a38f 7308 6ca0 a95d 2faa d3f0 6cb4 5553
1384. | SHA-1: 1479 6658 f803 6987 8f42 5473 9eaf 97e1 50dd 2d68
1385. | -----BEGIN CERTIFICATE-----
1386. | MIIDfTCCAmUCBFcW7BswDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNVBAYTAlVTMRMw
1387. | EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMQ0wCwYDVQQKEwRP
1388. | ZGluMQ4wDAYDVQQLEwVQbGVzazEOMAwGA1UEAxMFUGxlc2sxHTAbBgkqhkiG9w0B
1389. | CQEWDmluZm9AcGxlc2suY29tMB4XDTE2MDQyMDAyNDAyN1oXDTE3MDQyMDAyNDAy
1390. | N1owgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
1391. | EwdTZWF0dGxlMQ0wCwYDVQQKEwRPZGluMQ4wDAYDVQQLEwVQbGVzazEOMAwGA1UE
1392. | AxMFUGxlc2sxHTAbBgkqhkiG9w0BCQEWDmluZm9AcGxlc2suY29tMIIBIjANBgkq
1393. | hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6ZDNfEWzRPuiKR6QpFWONPYHX+Pl6rwn
1394. | 6ctlVkGd2xcdnPKqzuL8z06rprVz1ro/kK7O9Xna4YfMzqoZjanxdzvjg5936PKF
1395. | jjf5+AA4mmbD1SD1wFCE4+U4PnE2lz/Ae/Nj5wSLK1xAL3zitACHRLTXs3a4GMQC
1396. | Q1LD36PSzhTl2EhDgQbSK+HB3YqsuJ8tKvn7P4qIGTZJ+HPikTXZ2e+bztPJGN4H
1397. | iL16zcL5F8DcIKuRx6qpmGjji8As/JsNLckYD0O8CFWZHNjbAniQ+c64Umif9UrD
1398. | IMcNJ3sgChQA7o8A1Qlu63FqJWGwxKlnPGt94tRpTUT1SGDCCMTTTwIDAQABMA0G
1399. | CSqGSIb3DQEBCwUAA4IBAQAmNWQp2HI7DaKdIhVqqviur4Z852Z1RCrqWXMl95DP
1400. | vtMpgRNrfdqC33xw627iWLJo4vKLvFK0OBgZ6O1gcLhcOeTGGbJLykhNjiPd0YU1
1401. | oIg7G6HWKeQ30q2FTv43qoc1s6uiuflihbctsF7tnLxMXQcZO3nwWkkLcuQtMDFS
1402. | RAkfBKbIoI/36MFs4GUh/nS78k9b3RgnSWwAD7DQi2+FrVr712EelRT627XIDp0U
1403. | t3D2RhpH0SqBX1ncmzF5P9wll3Yqoy0nrJOpXXEf3nP9LyTBA2imWclm4NHaBVat
1404. | CfsxXtJeFHpedfALThLxsTPAz/fsZoMC4s4N/ViMbF62
1405. |_-----END CERTIFICATE-----
1406. |_ssl-date: TLS randomness does not represent time
1407. | tls-nextprotoneg:
1408. |_ http/1.1
1409. Device type: general purpose
1410. Running: Linux 2.6.X
1411. OS CPE: cpe:/o:linux:linux_kernel:2.6
1412. OS details: Linux 2.6.18 - 2.6.22
1413. TCP/IP fingerprint:
1414. OS:SCAN(V=7.70%E=4%D=2/14%OT=80%CT=25%CU=%PV=N%G=N%TM=5C65A412%P=x86_64-pc-
1415. OS:linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%TS=A)SEQ(CI=Z)OPS(O1=M4B3ST
1416. OS:11NW7%O2=M4B3ST11NW7%O3=M4B3NNT11NW7%O4=M4B3ST11NW7%O5=M4B3ST11NW7%O6=M4
1417. OS:B3ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%
1418. OS:TG=40%W=7210%O=M4B3NNSNW7%CC=Y%Q=)ECN(R=N)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=A
1419. OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD
1420. OS:=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=N)IE(R=N)
1421.  
1422. Service Info: Host: fo3-web02.nic.gov.sd
1423.  
1424. TRACEROUTE (using proto 1/icmp)
1425. HOP RTT ADDRESS
1426. 1 26.30 ms 10.244.200.1
1427. 2 53.08 ms vlan102.as02.qc1.ca.m247.com (176.113.74.17)
1428. 3 39.06 ms irb-0.agg1.qc1.ca.m247.com (37.120.128.168)
1429. 4 26.50 ms 82.102.29.44
1430. 5 27.12 ms te0-7-0-2.rcr21.ymq02.atlas.cogentco.com (38.122.42.161)
1431. 6 26.71 ms hu0-4-0-1.ccr22.ymq01.atlas.cogentco.com (154.54.31.222)
1432. 7 96.33 ms 154.54.44.165
1433. 8 102.00 ms be2491.ccr52.lhr01.atlas.cogentco.com (154.54.39.118)
1434. 9 103.36 ms be3488.ccr42.lon13.atlas.cogentco.com (154.54.60.13)
1435. 10 103.44 ms be2871.ccr21.lon01.atlas.cogentco.com (154.54.58.186)
1436. 11 99.27 ms expressotelecom.demarc.cogentco.com (149.14.248.202)
1437. 12 177.88 ms 185.153.20.70
1438. 13 179.65 ms 185.153.20.82
1439. 14 177.90 ms 185.153.20.94
1440. 15 203.23 ms 185.153.20.153
1441. 16 206.77 ms 212.0.131.109
1442. 17 200.98 ms 196.202.137.249
1443. 18 212.37 ms 196.202.145.94
1444. 19 ... 30
1445.  
1446. NSE: Script Post-scanning.
1447. NSE: Starting runlevel 1 (of 2) scan.
1448. Initiating NSE at 12:23
1449. Completed NSE at 12:23, 0.00s elapsed
1450. NSE: Starting runlevel 2 (of 2) scan.
1451. Initiating NSE at 12:23
1452. Completed NSE at 12:23, 0.00s elapsed
1453. Read data files from: /usr/bin/../share/nmap
1454. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
1455. Nmap done: 1 IP address (1 host up) scanned in 199.27 seconds
1456. Raw packets sent: 142 (10.432KB) | Rcvd: 50 (3.905KB)
1457. #######################################################################################################################################
1458. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 12:23 EST
1459. NSE: Loaded 148 scripts for scanning.
1460. NSE: Script Pre-scanning.
1461. Initiating NSE at 12:23
1462. Completed NSE at 12:23, 0.00s elapsed
1463. Initiating NSE at 12:23
1464. Completed NSE at 12:23, 0.00s elapsed
1465. Initiating Parallel DNS resolution of 1 host. at 12:23
1466. Completed Parallel DNS resolution of 1 host. at 12:23, 0.02s elapsed
1467. Initiating UDP Scan at 12:23
1468. Scanning f03-web02.nic.gov.sd (62.12.105.2) [14 ports]
1469. Completed UDP Scan at 12:23, 1.24s elapsed (14 total ports)
1470. Initiating Service scan at 12:23
1471. Scanning 12 services on f03-web02.nic.gov.sd (62.12.105.2)
1472. Service scan Timing: About 8.33% done; ETC: 12:43 (0:17:58 remaining)
1473. Completed Service scan at 12:25, 102.59s elapsed (12 services on 1 host)
1474. Initiating OS detection (try #1) against f03-web02.nic.gov.sd (62.12.105.2)
1475. Retrying OS detection (try #2) against f03-web02.nic.gov.sd (62.12.105.2)
1476. Initiating Traceroute at 12:25
1477. Completed Traceroute at 12:25, 7.07s elapsed
1478. Initiating Parallel DNS resolution of 1 host. at 12:25
1479. Completed Parallel DNS resolution of 1 host. at 12:25, 0.03s elapsed
1480. NSE: Script scanning 62.12.105.2.
1481. Initiating NSE at 12:25
1482. Completed NSE at 12:25, 20.31s elapsed
1483. Initiating NSE at 12:25
1484. Completed NSE at 12:25, 1.03s elapsed
1485. Nmap scan report for f03-web02.nic.gov.sd (62.12.105.2)
1486. Host is up (0.023s latency).
1487.  
1488. PORT STATE SERVICE VERSION
1489. 53/udp open|filtered domain
1490. 67/udp open|filtered dhcps
1491. 68/udp open|filtered dhcpc
1492. 69/udp open|filtered tftp
1493. 88/udp open|filtered kerberos-sec
1494. 123/udp open|filtered ntp
1495. 137/udp filtered netbios-ns
1496. 138/udp filtered netbios-dgm
1497. 139/udp open|filtered netbios-ssn
1498. 161/udp open|filtered snmp
1499. 162/udp open|filtered snmptrap
1500. 389/udp open|filtered ldap
1501. 520/udp open|filtered route
1502. 2049/udp open|filtered nfs
1503. Too many fingerprints match this host to give specific OS details
1504.  
1505. TRACEROUTE (using port 137/udp)
1506. HOP RTT ADDRESS
1507. 1 22.69 ms 10.244.200.1
1508. 2 ... 3
1509. 4 23.28 ms 10.244.200.1
1510. 5 26.82 ms 10.244.200.1
1511. 6 26.81 ms 10.244.200.1
1512. 7 26.80 ms 10.244.200.1
1513. 8 26.79 ms 10.244.200.1
1514. 9 26.78 ms 10.244.200.1
1515. 10 26.79 ms 10.244.200.1
1516. 11 ... 18
1517. 19 22.20 ms 10.244.200.1
1518. 20 22.83 ms 10.244.200.1
1519. 21 21.92 ms 10.244.200.1
1520. 22 ... 29
1521. 30 21.18 ms 10.244.200.1
1522.  
1523. NSE: Script Post-scanning.
1524. Initiating NSE at 12:25
1525. Completed NSE at 12:25, 0.00s elapsed
1526. Initiating NSE at 12:25
1527. Completed NSE at 12:25, 0.00s elapsed
1528. Read data files from: /usr/bin/../share/nmap
1529. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
1530. Nmap done: 1 IP address (1 host up) scanned in 135.43 seconds
1531. Raw packets sent: 147 (13.614KB) | Rcvd: 29 (3.062KB)
1532. #######################################################################################################################################
1533. [+] URL: http://mocit.gov.sd/
1534. [+] Effective URL: http://mocit.gov.sd/index.php/ar/
1535. [+] Started: Thu Feb 14 11:04:56 2019
1536.  
1537. Interesting Finding(s):
1538.  
1539. [+] http://mocit.gov.sd/index.php/ar/
1540. | Interesting Entry: X-Powered-By: PHP/5.3.29, PleskLin
1541. | Found By: Headers (Passive Detection)
1542. | Confidence: 100%
1543.  
1544. Fingerprinting the version - Time: 00:00:31 <=========> (350 / 350) 100.00% Time: 00:00:31
1545. [+] WordPress version 3.9.1 identified (Insecure, released on 2014-05-08).
1546. | Detected By: Plugin And Theme Query Parameter In Homepage (Passive Detection)
1547. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/lofslidera560.css?ver=3.9.1
1548. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/scrollbara560.css?ver=3.9.1
1549. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/stylea560.css?ver=3.9.1
1550. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/weather-font/weathera560.css?ver=3.9.1
1551. |
1552. | [!] 66 vulnerabilities identified:
1553. |
1554. | [!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
1555. | Fixed in: 3.9.2
1556. | References:
1557. | - https://wpvulndb.com/vulnerabilities/7527
1558. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
1559. | - https://core.trac.wordpress.org/changeset/29389
1560. |
1561. | [!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
1562. | Fixed in: 3.9.2
1563. | References:
1564. | - https://wpvulndb.com/vulnerabilities/7528
1565. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
1566. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
1567. | - https://core.trac.wordpress.org/changeset/29384
1568. | - https://core.trac.wordpress.org/changeset/29408
1569. |
1570. | [!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
1571. | Fixed in: 3.9.2
1572. | References:
1573. | - https://wpvulndb.com/vulnerabilities/7529
1574. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
1575. | - https://core.trac.wordpress.org/changeset/29398
1576. |
1577. | [!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
1578. | Fixed in: 3.9.2
1579. | References:
1580. | - https://wpvulndb.com/vulnerabilities/7530
1581. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
1582. | - https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
1583. | - http://getid3.sourceforge.net/
1584. | - http://wordpress.org/news/2014/08/wordpress-3-9-2/
1585. | - http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
1586. | - https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
1587. |
1588. | [!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
1589. | Fixed in: 4.0
1590. | References:
1591. | - https://wpvulndb.com/vulnerabilities/7531
1592. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
1593. | - http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
1594. | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-lfi-to-get-full-compromise-on-wordpress-sites/
1595. |
1596. | [!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
1597. | Fixed in: 4.0
1598. | References:
1599. | - https://wpvulndb.com/vulnerabilities/7680
1600. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
1601. | - http://klikki.fi/adv/wordpress.html
1602. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
1603. | - http://klikki.fi/adv/wordpress_update.html
1604. |
1605. | [!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
1606. | Fixed in: 4.0.1
1607. | References:
1608. | - https://wpvulndb.com/vulnerabilities/7681
1609. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
1610. | - https://www.exploit-db.com/exploits/35413/
1611. | - https://www.exploit-db.com/exploits/35414/
1612. | - http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
1613. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
1614. | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
1615. |
1616. | [!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
1617. | Fixed in: 4.0.1
1618. | References:
1619. | - https://wpvulndb.com/vulnerabilities/7696
1620. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
1621. | - http://www.securityfocus.com/bid/71234/
1622. | - https://core.trac.wordpress.org/changeset/30444
1623. |
1624. | [!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
1625. | Fixed in: 4.0.1
1626. | References:
1627. | - https://wpvulndb.com/vulnerabilities/7697
1628. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
1629. | - https://core.trac.wordpress.org/changeset/30422
1630. |
1631. | [!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
1632. | Fixed in: 4.1.2
1633. | References:
1634. | - https://wpvulndb.com/vulnerabilities/7929
1635. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
1636. | - https://wordpress.org/news/2015/04/wordpress-4-1-2/
1637. | - https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
1638. |
1639. | [!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
1640. | Fixed in: 3.9.7
1641. | References:
1642. | - https://wpvulndb.com/vulnerabilities/8111
1643. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
1644. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
1645. | - https://wordpress.org/news/2015/07/wordpress-4-2-3/
1646. | - https://twitter.com/klikkioy/status/624264122570526720
1647. | - https://klikki.fi/adv/wordpress3.html
1648. |
1649. | [!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
1650. | Fixed in: 3.9.8
1651. | References:
1652. | - https://wpvulndb.com/vulnerabilities/8126
1653. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
1654. | - https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
1655. |
1656. | [!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
1657. | Fixed in: 3.9.8
1658. | References:
1659. | - https://wpvulndb.com/vulnerabilities/8130
1660. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
1661. | - https://core.trac.wordpress.org/changeset/33536
1662. |
1663. | [!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
1664. | Fixed in: 3.9.8
1665. | References:
1666. | - https://wpvulndb.com/vulnerabilities/8131
1667. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
1668. | - https://core.trac.wordpress.org/changeset/33529
1669. |
1670. | [!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
1671. | Fixed in: 3.9.8
1672. | References:
1673. | - https://wpvulndb.com/vulnerabilities/8132
1674. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
1675. | - https://core.trac.wordpress.org/changeset/33541
1676. |
1677. | [!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
1678. | Fixed in: 3.9.8
1679. | References:
1680. | - https://wpvulndb.com/vulnerabilities/8133
1681. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
1682. | - https://core.trac.wordpress.org/changeset/33549
1683. | - https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
1684. |
1685. | [!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
1686. | Fixed in: 3.9.9
1687. | References:
1688. | - https://wpvulndb.com/vulnerabilities/8186
1689. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
1690. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
1691. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
1692. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
1693. |
1694. | [!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
1695. | Fixed in: 3.9.9
1696. | References:
1697. | - https://wpvulndb.com/vulnerabilities/8187
1698. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
1699. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
1700. | - https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
1701. |
1702. | [!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
1703. | Fixed in: 3.9.9
1704. | References:
1705. | - https://wpvulndb.com/vulnerabilities/8188
1706. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
1707. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
1708. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
1709. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
1710. |
1711. | [!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
1712. | Fixed in: 3.9.10
1713. | References:
1714. | - https://wpvulndb.com/vulnerabilities/8358
1715. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
1716. | - https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
1717. | - https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
1718. |
1719. | [!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
1720. | Fixed in: 3.9.11
1721. | References:
1722. | - https://wpvulndb.com/vulnerabilities/8376
1723. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
1724. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
1725. | - https://core.trac.wordpress.org/changeset/36435
1726. | - https://hackerone.com/reports/110801
1727. |
1728. | [!] Title: WordPress 3.7-4.4.1 - Open Redirect
1729. | Fixed in: 3.9.11
1730. | References:
1731. | - https://wpvulndb.com/vulnerabilities/8377
1732. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
1733. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
1734. | - https://core.trac.wordpress.org/changeset/36444
1735. |
1736. | [!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
1737. | Fixed in: 4.5
1738. | References:
1739. | - https://wpvulndb.com/vulnerabilities/8473
1740. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
1741. | - https://codex.wordpress.org/Version_4.5
1742. | - https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
1743. |
1744. | [!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
1745. | Fixed in: 4.5
1746. | References:
1747. | - https://wpvulndb.com/vulnerabilities/8474
1748. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
1749. | - https://codex.wordpress.org/Version_4.5
1750. | - https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
1751. |
1752. | [!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
1753. | Fixed in: 4.5
1754. | References:
1755. | - https://wpvulndb.com/vulnerabilities/8475
1756. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
1757. | - https://codex.wordpress.org/Version_4.5
1758. |
1759. | [!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
1760. | Fixed in: 3.9.12
1761. | References:
1762. | - https://wpvulndb.com/vulnerabilities/8489
1763. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
1764. | - https://wordpress.org/news/2016/05/wordpress-4-5-2/
1765. | - https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
1766. | - https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
1767. |
1768. | [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
1769. | Fixed in: 3.9.13
1770. | References:
1771. | - https://wpvulndb.com/vulnerabilities/8519
1772. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
1773. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
1774. | - https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
1775. | - https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
1776. |
1777. | [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
1778. | Fixed in: 3.9.13
1779. | References:
1780. | - https://wpvulndb.com/vulnerabilities/8520
1781. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
1782. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
1783. | - https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
1784. |
1785. | [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
1786. | Fixed in: 3.9.14
1787. | References:
1788. | - https://wpvulndb.com/vulnerabilities/8615
1789. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
1790. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
1791. | - https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
1792. | - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
1793. | - http://seclists.org/fulldisclosure/2016/Sep/6
1794. |
1795. | [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
1796. | Fixed in: 3.9.14
1797. | References:
1798. | - https://wpvulndb.com/vulnerabilities/8616
1799. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
1800. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
1801. | - https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
1802. |
1803. | [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
1804. | Fixed in: 3.9.15
1805. | References:
1806. | - https://wpvulndb.com/vulnerabilities/8716
1807. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
1808. | - https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
1809. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
1810. |
1811. | [!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
1812. | Fixed in: 3.9.15
1813. | References:
1814. | - https://wpvulndb.com/vulnerabilities/8718
1815. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
1816. | - https://www.mehmetince.net/low-severity-wordpress/
1817. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
1818. | - https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
1819. |
1820. | [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
1821. | Fixed in: 3.9.15
1822. | References:
1823. | - https://wpvulndb.com/vulnerabilities/8719
1824. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
1825. | - https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
1826. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
1827. |
1828. | [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
1829. | Fixed in: 3.9.15
1830. | References:
1831. | - https://wpvulndb.com/vulnerabilities/8720
1832. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
1833. | - https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
1834. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
1835. |
1836. | [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
1837. | Fixed in: 3.9.15
1838. | References:
1839. | - https://wpvulndb.com/vulnerabilities/8721
1840. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
1841. | - https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
1842. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
1843. |
1844. | [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
1845. | Fixed in: 3.9.16
1846. | References:
1847. | - https://wpvulndb.com/vulnerabilities/8730
1848. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
1849. | - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
1850. | - https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
1851. |
1852. | [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
1853. | Fixed in: 3.9.17
1854. | References:
1855. | - https://wpvulndb.com/vulnerabilities/8765
1856. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
1857. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
1858. | - https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
1859. | - https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
1860. | - http://seclists.org/oss-sec/2017/q1/563
1861. |
1862. | [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
1863. | Fixed in: 3.9.17
1864. | References:
1865. | - https://wpvulndb.com/vulnerabilities/8766
1866. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
1867. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
1868. | - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
1869. |
1870. | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
1871. | References:
1872. | - https://wpvulndb.com/vulnerabilities/8807
1873. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
1874. | - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
1875. | - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
1876. | - https://core.trac.wordpress.org/ticket/25239
1877. |
1878. | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
1879. | Fixed in: 3.9.19
1880. | References:
1881. | - https://wpvulndb.com/vulnerabilities/8815
1882. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
1883. | - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
1884. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1885. |
1886. | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
1887. | Fixed in: 3.9.19
1888. | References:
1889. | - https://wpvulndb.com/vulnerabilities/8816
1890. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
1891. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1892. | - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
1893. |
1894. | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
1895. | Fixed in: 3.9.19
1896. | References:
1897. | - https://wpvulndb.com/vulnerabilities/8817
1898. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
1899. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1900. | - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
1901. |
1902. | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
1903. | Fixed in: 3.9.19
1904. | References:
1905. | - https://wpvulndb.com/vulnerabilities/8818
1906. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
1907. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1908. | - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
1909. | - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
1910. |
1911. | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
1912. | Fixed in: 3.9.19
1913. | References:
1914. | - https://wpvulndb.com/vulnerabilities/8819
1915. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
1916. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1917. | - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
1918. | - https://hackerone.com/reports/203515
1919. | - https://hackerone.com/reports/203515
1920. |
1921. | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
1922. | Fixed in: 3.9.19
1923. | References:
1924. | - https://wpvulndb.com/vulnerabilities/8820
1925. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
1926. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
1927. | - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
1928. |
1929. | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
1930. | Fixed in: 3.9.20
1931. | References:
1932. | - https://wpvulndb.com/vulnerabilities/8905
1933. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
1934. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
1935. | - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
1936. |
1937. | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
1938. | Fixed in: 4.7.5
1939. | References:
1940. | - https://wpvulndb.com/vulnerabilities/8906
1941. | - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
1942. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
1943. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
1944. | - https://wpvulndb.com/vulnerabilities/8905
1945. |
1946. | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
1947. | Fixed in: 3.9.20
1948. | References:
1949. | - https://wpvulndb.com/vulnerabilities/8910
1950. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
1951. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
1952. | - https://core.trac.wordpress.org/changeset/41398
1953. |
1954. | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
1955. | Fixed in: 3.9.20
1956. | References:
1957. | - https://wpvulndb.com/vulnerabilities/8911
1958. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
1959. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
1960. | - https://core.trac.wordpress.org/changeset/41457
1961. |
1962. | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
1963. | Fixed in: 3.9.21
1964. | References:
1965. | - https://wpvulndb.com/vulnerabilities/8941
1966. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
1967. | - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
1968. | - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
1969. | - https://twitter.com/ircmaxell/status/923662170092638208
1970. | - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
1971. |
1972. | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
1973. | Fixed in: 3.9.22
1974. | References:
1975. | - https://wpvulndb.com/vulnerabilities/8966
1976. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
1977. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
1978. | - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
1979. |
1980. | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
1981. | Fixed in: 3.9.22
1982. | References:
1983. | - https://wpvulndb.com/vulnerabilities/8967
1984. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
1985. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
1986. | - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
1987. |
1988. | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
1989. | Fixed in: 3.9.22
1990. | References:
1991. | - https://wpvulndb.com/vulnerabilities/8969
1992. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
1993. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
1994. | - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
1995. |
1996. | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
1997. | Fixed in: 3.9.23
1998. | References:
1999. | - https://wpvulndb.com/vulnerabilities/9006
2000. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
2001. | - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
2002. | - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
2003. | - https://core.trac.wordpress.org/ticket/42720
2004. |
2005. | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
2006. | References:
2007. | - https://wpvulndb.com/vulnerabilities/9021
2008. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
2009. | - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
2010. | - https://github.com/quitten/doser.py
2011. | - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
2012. |
2013. | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
2014. | Fixed in: 3.9.24
2015. | References:
2016. | - https://wpvulndb.com/vulnerabilities/9053
2017. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
2018. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2019. | - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
2020. |
2021. | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
2022. | Fixed in: 3.9.24
2023. | References:
2024. | - https://wpvulndb.com/vulnerabilities/9054
2025. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
2026. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2027. | - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
2028. |
2029. | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
2030. | Fixed in: 3.9.24
2031. | References:
2032. | - https://wpvulndb.com/vulnerabilities/9055
2033. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
2034. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2035. | - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
2036. |
2037. | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
2038. | Fixed in: 3.9.25
2039. | References:
2040. | - https://wpvulndb.com/vulnerabilities/9100
2041. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
2042. | - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
2043. | - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
2044. | - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
2045. | - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
2046. | - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
2047. |
2048. | [!] Title: WordPress <= 5.0 - Authenticated File Delete
2049. | Fixed in: 3.9.26
2050. | References:
2051. | - https://wpvulndb.com/vulnerabilities/9169
2052. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
2053. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2054. |
2055. | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
2056. | Fixed in: 3.9.26
2057. | References:
2058. | - https://wpvulndb.com/vulnerabilities/9170
2059. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
2060. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2061. | - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
2062. |
2063. | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
2064. | Fixed in: 3.9.26
2065. | References:
2066. | - https://wpvulndb.com/vulnerabilities/9171
2067. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
2068. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2069. |
2070. | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
2071. | Fixed in: 3.9.26
2072. | References:
2073. | - https://wpvulndb.com/vulnerabilities/9172
2074. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
2075. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2076. |
2077. | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
2078. | Fixed in: 3.9.26
2079. | References:
2080. | - https://wpvulndb.com/vulnerabilities/9173
2081. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
2082. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2083. | - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
2084. |
2085. | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
2086. | Fixed in: 3.9.26
2087. | References:
2088. | - https://wpvulndb.com/vulnerabilities/9174
2089. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
2090. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2091. |
2092. | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
2093. | Fixed in: 3.9.26
2094. | References:
2095. | - https://wpvulndb.com/vulnerabilities/9175
2096. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
2097. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2098. | - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
2099.  
2100. [+] WordPress theme in use: asssd
2101. | Location: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/
2102. | Style URL: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/style.css
2103. |
2104. | Detected By: Urls In Homepage (Passive Detection)
2105. |
2106. | The version could not be determined.
2107.  
2108. [+] Enumerating Users (via Passive and Aggressive Methods)
2109. Brute Forcing Author IDs - Time: 00:00:05 <============> (10 / 10) 100.00% Time: 00:00:05
2110.  
2111. [i] No Users Found.
2112.  
2113. [+] Finished: Thu Feb 14 11:05:54 2019
2114. [+] Requests Done: 408
2115. [+] Cached Requests: 9
2116. [+] Data Sent: 259.038 KB
2117. [+] Data Received: 1.077 MB
2118. [+] Memory used: 15.758 MB
2119. [+] Elapsed time: 00:00:57
2120. #######################################################################################################################################
2121. [+] URL: http://mocit.gov.sd/
2122. [+] Effective URL: http://mocit.gov.sd/index.php/ar/
2123. [+] Started: Thu Feb 14 10:50:16 2019
2124.  
2125. Interesting Finding(s):
2126.  
2127. [+] http://mocit.gov.sd/index.php/ar/
2128. | Interesting Entry: X-Powered-By: PHP/5.3.29, PleskLin
2129. | Found By: Headers (Passive Detection)
2130. | Confidence: 100%
2131.  
2132. Fingerprinting the version - Time: 00:00:30 <=========> (350 / 350) 100.00% Time: 00:00:30
2133. [+] WordPress version 3.9.1 identified (Insecure, released on 2014-05-08).
2134. | Detected By: Plugin And Theme Query Parameter In Homepage (Passive Detection)
2135. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/lofslidera560.css?ver=3.9.1
2136. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/scrollbara560.css?ver=3.9.1
2137. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/stylea560.css?ver=3.9.1
2138. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/weather-font/weathera560.css?ver=3.9.1
2139. |
2140. | [!] 66 vulnerabilities identified:
2141. |
2142. | [!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
2143. | Fixed in: 3.9.2
2144. | References:
2145. | - https://wpvulndb.com/vulnerabilities/7527
2146. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
2147. | - https://core.trac.wordpress.org/changeset/29389
2148. |
2149. | [!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
2150. | Fixed in: 3.9.2
2151. | References:
2152. | - https://wpvulndb.com/vulnerabilities/7528
2153. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
2154. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
2155. | - https://core.trac.wordpress.org/changeset/29384
2156. | - https://core.trac.wordpress.org/changeset/29408
2157. |
2158. | [!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
2159. | Fixed in: 3.9.2
2160. | References:
2161. | - https://wpvulndb.com/vulnerabilities/7529
2162. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
2163. | - https://core.trac.wordpress.org/changeset/29398
2164. |
2165. | [!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
2166. | Fixed in: 3.9.2
2167. | References:
2168. | - https://wpvulndb.com/vulnerabilities/7530
2169. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
2170. | - https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
2171. | - http://getid3.sourceforge.net/
2172. | - http://wordpress.org/news/2014/08/wordpress-3-9-2/
2173. | - http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
2174. | - https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
2175. |
2176. | [!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
2177. | Fixed in: 4.0
2178. | References:
2179. | - https://wpvulndb.com/vulnerabilities/7531
2180. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
2181. | - http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
2182. | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-lfi-to-get-full-compromise-on-wordpress-sites/
2183. |
2184. | [!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
2185. | Fixed in: 4.0
2186. | References:
2187. | - https://wpvulndb.com/vulnerabilities/7680
2188. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
2189. | - http://klikki.fi/adv/wordpress.html
2190. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
2191. | - http://klikki.fi/adv/wordpress_update.html
2192. |
2193. | [!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
2194. | Fixed in: 4.0.1
2195. | References:
2196. | - https://wpvulndb.com/vulnerabilities/7681
2197. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
2198. | - https://www.exploit-db.com/exploits/35413/
2199. | - https://www.exploit-db.com/exploits/35414/
2200. | - http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
2201. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
2202. | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
2203. |
2204. | [!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
2205. | Fixed in: 4.0.1
2206. | References:
2207. | - https://wpvulndb.com/vulnerabilities/7696
2208. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
2209. | - http://www.securityfocus.com/bid/71234/
2210. | - https://core.trac.wordpress.org/changeset/30444
2211. |
2212. | [!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
2213. | Fixed in: 4.0.1
2214. | References:
2215. | - https://wpvulndb.com/vulnerabilities/7697
2216. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
2217. | - https://core.trac.wordpress.org/changeset/30422
2218. |
2219. | [!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
2220. | Fixed in: 4.1.2
2221. | References:
2222. | - https://wpvulndb.com/vulnerabilities/7929
2223. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
2224. | - https://wordpress.org/news/2015/04/wordpress-4-1-2/
2225. | - https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
2226. |
2227. | [!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
2228. | Fixed in: 3.9.7
2229. | References:
2230. | - https://wpvulndb.com/vulnerabilities/8111
2231. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
2232. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
2233. | - https://wordpress.org/news/2015/07/wordpress-4-2-3/
2234. | - https://twitter.com/klikkioy/status/624264122570526720
2235. | - https://klikki.fi/adv/wordpress3.html
2236. |
2237. | [!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
2238. | Fixed in: 3.9.8
2239. | References:
2240. | - https://wpvulndb.com/vulnerabilities/8126
2241. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
2242. | - https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
2243. |
2244. | [!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
2245. | Fixed in: 3.9.8
2246. | References:
2247. | - https://wpvulndb.com/vulnerabilities/8130
2248. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
2249. | - https://core.trac.wordpress.org/changeset/33536
2250. |
2251. | [!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
2252. | Fixed in: 3.9.8
2253. | References:
2254. | - https://wpvulndb.com/vulnerabilities/8131
2255. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
2256. | - https://core.trac.wordpress.org/changeset/33529
2257. |
2258. | [!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
2259. | Fixed in: 3.9.8
2260. | References:
2261. | - https://wpvulndb.com/vulnerabilities/8132
2262. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
2263. | - https://core.trac.wordpress.org/changeset/33541
2264. |
2265. | [!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
2266. | Fixed in: 3.9.8
2267. | References:
2268. | - https://wpvulndb.com/vulnerabilities/8133
2269. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
2270. | - https://core.trac.wordpress.org/changeset/33549
2271. | - https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
2272. |
2273. | [!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
2274. | Fixed in: 3.9.9
2275. | References:
2276. | - https://wpvulndb.com/vulnerabilities/8186
2277. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
2278. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2279. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
2280. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
2281. |
2282. | [!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
2283. | Fixed in: 3.9.9
2284. | References:
2285. | - https://wpvulndb.com/vulnerabilities/8187
2286. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
2287. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2288. | - https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
2289. |
2290. | [!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
2291. | Fixed in: 3.9.9
2292. | References:
2293. | - https://wpvulndb.com/vulnerabilities/8188
2294. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
2295. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2296. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
2297. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
2298. |
2299. | [!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
2300. | Fixed in: 3.9.10
2301. | References:
2302. | - https://wpvulndb.com/vulnerabilities/8358
2303. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
2304. | - https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
2305. | - https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
2306. |
2307. | [!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
2308. | Fixed in: 3.9.11
2309. | References:
2310. | - https://wpvulndb.com/vulnerabilities/8376
2311. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
2312. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
2313. | - https://core.trac.wordpress.org/changeset/36435
2314. | - https://hackerone.com/reports/110801
2315. |
2316. | [!] Title: WordPress 3.7-4.4.1 - Open Redirect
2317. | Fixed in: 3.9.11
2318. | References:
2319. | - https://wpvulndb.com/vulnerabilities/8377
2320. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
2321. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
2322. | - https://core.trac.wordpress.org/changeset/36444
2323. |
2324. | [!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
2325. | Fixed in: 4.5
2326. | References:
2327. | - https://wpvulndb.com/vulnerabilities/8473
2328. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
2329. | - https://codex.wordpress.org/Version_4.5
2330. | - https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
2331. |
2332. | [!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
2333. | Fixed in: 4.5
2334. | References:
2335. | - https://wpvulndb.com/vulnerabilities/8474
2336. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
2337. | - https://codex.wordpress.org/Version_4.5
2338. | - https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
2339. |
2340. | [!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
2341. | Fixed in: 4.5
2342. | References:
2343. | - https://wpvulndb.com/vulnerabilities/8475
2344. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
2345. | - https://codex.wordpress.org/Version_4.5
2346. |
2347. | [!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
2348. | Fixed in: 3.9.12
2349. | References:
2350. | - https://wpvulndb.com/vulnerabilities/8489
2351. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
2352. | - https://wordpress.org/news/2016/05/wordpress-4-5-2/
2353. | - https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
2354. | - https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
2355. |
2356. | [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
2357. | Fixed in: 3.9.13
2358. | References:
2359. | - https://wpvulndb.com/vulnerabilities/8519
2360. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
2361. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
2362. | - https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
2363. | - https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
2364. |
2365. | [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
2366. | Fixed in: 3.9.13
2367. | References:
2368. | - https://wpvulndb.com/vulnerabilities/8520
2369. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
2370. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
2371. | - https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
2372. |
2373. | [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
2374. | Fixed in: 3.9.14
2375. | References:
2376. | - https://wpvulndb.com/vulnerabilities/8615
2377. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
2378. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
2379. | - https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
2380. | - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
2381. | - http://seclists.org/fulldisclosure/2016/Sep/6
2382. |
2383. | [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
2384. | Fixed in: 3.9.14
2385. | References:
2386. | - https://wpvulndb.com/vulnerabilities/8616
2387. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
2388. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
2389. | - https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
2390. |
2391. | [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
2392. | Fixed in: 3.9.15
2393. | References:
2394. | - https://wpvulndb.com/vulnerabilities/8716
2395. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
2396. | - https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
2397. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2398. |
2399. | [!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
2400. | Fixed in: 3.9.15
2401. | References:
2402. | - https://wpvulndb.com/vulnerabilities/8718
2403. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
2404. | - https://www.mehmetince.net/low-severity-wordpress/
2405. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2406. | - https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
2407. |
2408. | [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
2409. | Fixed in: 3.9.15
2410. | References:
2411. | - https://wpvulndb.com/vulnerabilities/8719
2412. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
2413. | - https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
2414. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2415. |
2416. | [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
2417. | Fixed in: 3.9.15
2418. | References:
2419. | - https://wpvulndb.com/vulnerabilities/8720
2420. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
2421. | - https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
2422. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2423. |
2424. | [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
2425. | Fixed in: 3.9.15
2426. | References:
2427. | - https://wpvulndb.com/vulnerabilities/8721
2428. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
2429. | - https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
2430. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2431. |
2432. | [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
2433. | Fixed in: 3.9.16
2434. | References:
2435. | - https://wpvulndb.com/vulnerabilities/8730
2436. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
2437. | - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
2438. | - https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
2439. |
2440. | [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
2441. | Fixed in: 3.9.17
2442. | References:
2443. | - https://wpvulndb.com/vulnerabilities/8765
2444. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
2445. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
2446. | - https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
2447. | - https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
2448. | - http://seclists.org/oss-sec/2017/q1/563
2449. |
2450. | [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
2451. | Fixed in: 3.9.17
2452. | References:
2453. | - https://wpvulndb.com/vulnerabilities/8766
2454. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
2455. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
2456. | - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
2457. |
2458. | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
2459. | References:
2460. | - https://wpvulndb.com/vulnerabilities/8807
2461. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
2462. | - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
2463. | - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
2464. | - https://core.trac.wordpress.org/ticket/25239
2465. |
2466. | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
2467. | Fixed in: 3.9.19
2468. | References:
2469. | - https://wpvulndb.com/vulnerabilities/8815
2470. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
2471. | - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
2472. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2473. |
2474. | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
2475. | Fixed in: 3.9.19
2476. | References:
2477. | - https://wpvulndb.com/vulnerabilities/8816
2478. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
2479. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2480. | - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
2481. |
2482. | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
2483. | Fixed in: 3.9.19
2484. | References:
2485. | - https://wpvulndb.com/vulnerabilities/8817
2486. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
2487. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2488. | - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
2489. |
2490. | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
2491. | Fixed in: 3.9.19
2492. | References:
2493. | - https://wpvulndb.com/vulnerabilities/8818
2494. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
2495. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2496. | - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
2497. | - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
2498. |
2499. | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
2500. | Fixed in: 3.9.19
2501. | References:
2502. | - https://wpvulndb.com/vulnerabilities/8819
2503. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
2504. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2505. | - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
2506. | - https://hackerone.com/reports/203515
2507. | - https://hackerone.com/reports/203515
2508. |
2509. | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
2510. | Fixed in: 3.9.19
2511. | References:
2512. | - https://wpvulndb.com/vulnerabilities/8820
2513. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
2514. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
2515. | - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
2516. |
2517. | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
2518. | Fixed in: 3.9.20
2519. | References:
2520. | - https://wpvulndb.com/vulnerabilities/8905
2521. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
2522. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
2523. | - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
2524. |
2525. | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
2526. | Fixed in: 4.7.5
2527. | References:
2528. | - https://wpvulndb.com/vulnerabilities/8906
2529. | - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
2530. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
2531. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
2532. | - https://wpvulndb.com/vulnerabilities/8905
2533. |
2534. | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
2535. | Fixed in: 3.9.20
2536. | References:
2537. | - https://wpvulndb.com/vulnerabilities/8910
2538. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
2539. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
2540. | - https://core.trac.wordpress.org/changeset/41398
2541. |
2542. | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
2543. | Fixed in: 3.9.20
2544. | References:
2545. | - https://wpvulndb.com/vulnerabilities/8911
2546. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
2547. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
2548. | - https://core.trac.wordpress.org/changeset/41457
2549. |
2550. | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
2551. | Fixed in: 3.9.21
2552. | References:
2553. | - https://wpvulndb.com/vulnerabilities/8941
2554. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
2555. | - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
2556. | - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
2557. | - https://twitter.com/ircmaxell/status/923662170092638208
2558. | - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
2559. |
2560. | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
2561. | Fixed in: 3.9.22
2562. | References:
2563. | - https://wpvulndb.com/vulnerabilities/8966
2564. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
2565. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
2566. | - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
2567. |
2568. | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
2569. | Fixed in: 3.9.22
2570. | References:
2571. | - https://wpvulndb.com/vulnerabilities/8967
2572. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
2573. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
2574. | - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
2575. |
2576. | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
2577. | Fixed in: 3.9.22
2578. | References:
2579. | - https://wpvulndb.com/vulnerabilities/8969
2580. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
2581. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
2582. | - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
2583. |
2584. | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
2585. | Fixed in: 3.9.23
2586. | References:
2587. | - https://wpvulndb.com/vulnerabilities/9006
2588. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
2589. | - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
2590. | - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
2591. | - https://core.trac.wordpress.org/ticket/42720
2592. |
2593. | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
2594. | References:
2595. | - https://wpvulndb.com/vulnerabilities/9021
2596. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
2597. | - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
2598. | - https://github.com/quitten/doser.py
2599. | - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
2600. |
2601. | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
2602. | Fixed in: 3.9.24
2603. | References:
2604. | - https://wpvulndb.com/vulnerabilities/9053
2605. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
2606. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2607. | - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
2608. |
2609. | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
2610. | Fixed in: 3.9.24
2611. | References:
2612. | - https://wpvulndb.com/vulnerabilities/9054
2613. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
2614. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2615. | - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
2616. |
2617. | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
2618. | Fixed in: 3.9.24
2619. | References:
2620. | - https://wpvulndb.com/vulnerabilities/9055
2621. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
2622. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
2623. | - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
2624. |
2625. | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
2626. | Fixed in: 3.9.25
2627. | References:
2628. | - https://wpvulndb.com/vulnerabilities/9100
2629. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
2630. | - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
2631. | - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
2632. | - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
2633. | - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
2634. | - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
2635. |
2636. | [!] Title: WordPress <= 5.0 - Authenticated File Delete
2637. | Fixed in: 3.9.26
2638. | References:
2639. | - https://wpvulndb.com/vulnerabilities/9169
2640. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
2641. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2642. |
2643. | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
2644. | Fixed in: 3.9.26
2645. | References:
2646. | - https://wpvulndb.com/vulnerabilities/9170
2647. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
2648. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2649. | - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
2650. |
2651. | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
2652. | Fixed in: 3.9.26
2653. | References:
2654. | - https://wpvulndb.com/vulnerabilities/9171
2655. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
2656. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2657. |
2658. | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
2659. | Fixed in: 3.9.26
2660. | References:
2661. | - https://wpvulndb.com/vulnerabilities/9172
2662. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
2663. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2664. |
2665. | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
2666. | Fixed in: 3.9.26
2667. | References:
2668. | - https://wpvulndb.com/vulnerabilities/9173
2669. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
2670. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2671. | - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
2672. |
2673. | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
2674. | Fixed in: 3.9.26
2675. | References:
2676. | - https://wpvulndb.com/vulnerabilities/9174
2677. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
2678. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2679. |
2680. | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
2681. | Fixed in: 3.9.26
2682. | References:
2683. | - https://wpvulndb.com/vulnerabilities/9175
2684. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
2685. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
2686. | - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
2687.  
2688. [+] WordPress theme in use: asssd
2689. | Location: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/
2690. | Style URL: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/style.css
2691. |
2692. | Detected By: Urls In Homepage (Passive Detection)
2693. |
2694. | The version could not be determined.
2695.  
2696. [+] Enumerating All Plugins (via Passive Methods)
2697.  
2698. [i] No plugins Found.
2699.  
2700. [+] Enumerating Config Backups (via Passive and Aggressive Methods)
2701. Checking Config Backups - Time: 00:00:02 <=============> (21 / 21) 100.00% Time: 00:00:02
2702.  
2703. [i] No Config Backups Found.
2704.  
2705. [+] Finished: Thu Feb 14 10:51:10 2019
2706. [+] Requests Done: 416
2707. [+] Cached Requests: 5
2708. [+] Data Sent: 257.474 KB
2709. [+] Data Received: 596.052 KB
2710. [+] Memory used: 77.254 MB
2711. [+] Elapsed time: 00:00:53
2712. #######################################################################################################################################
2713. [+] URL: http://mocit.gov.sd/
2714. [+] Effective URL: http://mocit.gov.sd/index.php/ar/
2715. [+] Started: Thu Feb 14 10:52:48 2019
2716.  
2717. Interesting Finding(s):
2718.  
2719. [+] http://mocit.gov.sd/index.php/ar/
2720. | Interesting Entry: X-Powered-By: PHP/5.3.29, PleskLin
2721. | Found By: Headers (Passive Detection)
2722. | Confidence: 100%
2723.  
2724. Fingerprinting the version - Time: 00:00:00 <> (350 / 350) 100.00% Time: 00:00:00
2725. [+] WordPress version 3.9.1 identified (Insecure, released on 2014-05-08).
2726. | Detected By: Plugin And Theme Query Parameter In Homepage (Passive Detection)
2727. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/lofslidera560.css?ver=3.9.1
2728. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/scrollbara560.css?ver=3.9.1
2729. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/stylea560.css?ver=3.9.1
2730. | - http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/css/weather-font/weathera560.css?ver=3.9.1
2731. |
2732. | [!] 66 vulnerabilities identified:
2733. |
2734. | [!] Title: WordPress 3.9 & 3.9.1 Unlikely Code Execution
2735. | Fixed in: 3.9.2
2736. | References:
2737. | - https://wpvulndb.com/vulnerabilities/7527
2738. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5203
2739. | - https://core.trac.wordpress.org/changeset/29389
2740. |
2741. | [!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
2742. | Fixed in: 3.9.2
2743. | References:
2744. | - https://wpvulndb.com/vulnerabilities/7528
2745. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
2746. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
2747. | - https://core.trac.wordpress.org/changeset/29384
2748. | - https://core.trac.wordpress.org/changeset/29408
2749. |
2750. | [!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
2751. | Fixed in: 3.9.2
2752. | References:
2753. | - https://wpvulndb.com/vulnerabilities/7529
2754. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
2755. | - https://core.trac.wordpress.org/changeset/29398
2756. |
2757. | [!] Title: WordPress 3.6 - 3.9.1 XXE in GetID3 Library
2758. | Fixed in: 3.9.2
2759. | References:
2760. | - https://wpvulndb.com/vulnerabilities/7530
2761. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2053
2762. | - https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
2763. | - http://getid3.sourceforge.net/
2764. | - http://wordpress.org/news/2014/08/wordpress-3-9-2/
2765. | - http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html
2766. | - https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav
2767. |
2768. | [!] Title: WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
2769. | Fixed in: 4.0
2770. | References:
2771. | - https://wpvulndb.com/vulnerabilities/7531
2772. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5868
2773. | - http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
2774. | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-lfi-to-get-full-compromise-on-wordpress-sites/
2775. |
2776. | [!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
2777. | Fixed in: 4.0
2778. | References:
2779. | - https://wpvulndb.com/vulnerabilities/7680
2780. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
2781. | - http://klikki.fi/adv/wordpress.html
2782. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
2783. | - http://klikki.fi/adv/wordpress_update.html
2784. |
2785. | [!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
2786. | Fixed in: 4.0.1
2787. | References:
2788. | - https://wpvulndb.com/vulnerabilities/7681
2789. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
2790. | - https://www.exploit-db.com/exploits/35413/
2791. | - https://www.exploit-db.com/exploits/35414/
2792. | - http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
2793. | - https://wordpress.org/news/2014/11/wordpress-4-0-1/
2794. | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
2795. |
2796. | [!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
2797. | Fixed in: 4.0.1
2798. | References:
2799. | - https://wpvulndb.com/vulnerabilities/7696
2800. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
2801. | - http://www.securityfocus.com/bid/71234/
2802. | - https://core.trac.wordpress.org/changeset/30444
2803. |
2804. | [!] Title: WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
2805. | Fixed in: 4.0.1
2806. | References:
2807. | - https://wpvulndb.com/vulnerabilities/7697
2808. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9032
2809. | - https://core.trac.wordpress.org/changeset/30422
2810. |
2811. | [!] Title: WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
2812. | Fixed in: 4.1.2
2813. | References:
2814. | - https://wpvulndb.com/vulnerabilities/7929
2815. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3438
2816. | - https://wordpress.org/news/2015/04/wordpress-4-1-2/
2817. | - https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
2818. |
2819. | [!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
2820. | Fixed in: 3.9.7
2821. | References:
2822. | - https://wpvulndb.com/vulnerabilities/8111
2823. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
2824. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
2825. | - https://wordpress.org/news/2015/07/wordpress-4-2-3/
2826. | - https://twitter.com/klikkioy/status/624264122570526720
2827. | - https://klikki.fi/adv/wordpress3.html
2828. |
2829. | [!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
2830. | Fixed in: 3.9.8
2831. | References:
2832. | - https://wpvulndb.com/vulnerabilities/8126
2833. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
2834. | - https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
2835. |
2836. | [!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
2837. | Fixed in: 3.9.8
2838. | References:
2839. | - https://wpvulndb.com/vulnerabilities/8130
2840. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
2841. | - https://core.trac.wordpress.org/changeset/33536
2842. |
2843. | [!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
2844. | Fixed in: 3.9.8
2845. | References:
2846. | - https://wpvulndb.com/vulnerabilities/8131
2847. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
2848. | - https://core.trac.wordpress.org/changeset/33529
2849. |
2850. | [!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
2851. | Fixed in: 3.9.8
2852. | References:
2853. | - https://wpvulndb.com/vulnerabilities/8132
2854. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
2855. | - https://core.trac.wordpress.org/changeset/33541
2856. |
2857. | [!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
2858. | Fixed in: 3.9.8
2859. | References:
2860. | - https://wpvulndb.com/vulnerabilities/8133
2861. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
2862. | - https://core.trac.wordpress.org/changeset/33549
2863. | - https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
2864. |
2865. | [!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
2866. | Fixed in: 3.9.9
2867. | References:
2868. | - https://wpvulndb.com/vulnerabilities/8186
2869. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
2870. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2871. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
2872. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
2873. |
2874. | [!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
2875. | Fixed in: 3.9.9
2876. | References:
2877. | - https://wpvulndb.com/vulnerabilities/8187
2878. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
2879. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2880. | - https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
2881. |
2882. | [!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
2883. | Fixed in: 3.9.9
2884. | References:
2885. | - https://wpvulndb.com/vulnerabilities/8188
2886. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
2887. | - https://wordpress.org/news/2015/09/wordpress-4-3-1/
2888. | - http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
2889. | - http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
2890. |
2891. | [!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
2892. | Fixed in: 3.9.10
2893. | References:
2894. | - https://wpvulndb.com/vulnerabilities/8358
2895. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
2896. | - https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
2897. | - https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
2898. |
2899. | [!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
2900. | Fixed in: 3.9.11
2901. | References:
2902. | - https://wpvulndb.com/vulnerabilities/8376
2903. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
2904. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
2905. | - https://core.trac.wordpress.org/changeset/36435
2906. | - https://hackerone.com/reports/110801
2907. |
2908. | [!] Title: WordPress 3.7-4.4.1 - Open Redirect
2909. | Fixed in: 3.9.11
2910. | References:
2911. | - https://wpvulndb.com/vulnerabilities/8377
2912. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
2913. | - https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
2914. | - https://core.trac.wordpress.org/changeset/36444
2915. |
2916. | [!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
2917. | Fixed in: 4.5
2918. | References:
2919. | - https://wpvulndb.com/vulnerabilities/8473
2920. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
2921. | - https://codex.wordpress.org/Version_4.5
2922. | - https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
2923. |
2924. | [!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
2925. | Fixed in: 4.5
2926. | References:
2927. | - https://wpvulndb.com/vulnerabilities/8474
2928. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
2929. | - https://codex.wordpress.org/Version_4.5
2930. | - https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
2931. |
2932. | [!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
2933. | Fixed in: 4.5
2934. | References:
2935. | - https://wpvulndb.com/vulnerabilities/8475
2936. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
2937. | - https://codex.wordpress.org/Version_4.5
2938. |
2939. | [!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
2940. | Fixed in: 3.9.12
2941. | References:
2942. | - https://wpvulndb.com/vulnerabilities/8489
2943. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
2944. | - https://wordpress.org/news/2016/05/wordpress-4-5-2/
2945. | - https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
2946. | - https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
2947. |
2948. | [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
2949. | Fixed in: 3.9.13
2950. | References:
2951. | - https://wpvulndb.com/vulnerabilities/8519
2952. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
2953. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
2954. | - https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
2955. | - https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
2956. |
2957. | [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
2958. | Fixed in: 3.9.13
2959. | References:
2960. | - https://wpvulndb.com/vulnerabilities/8520
2961. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
2962. | - https://wordpress.org/news/2016/06/wordpress-4-5-3/
2963. | - https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
2964. |
2965. | [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
2966. | Fixed in: 3.9.14
2967. | References:
2968. | - https://wpvulndb.com/vulnerabilities/8615
2969. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
2970. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
2971. | - https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
2972. | - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
2973. | - http://seclists.org/fulldisclosure/2016/Sep/6
2974. |
2975. | [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
2976. | Fixed in: 3.9.14
2977. | References:
2978. | - https://wpvulndb.com/vulnerabilities/8616
2979. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
2980. | - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
2981. | - https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
2982. |
2983. | [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
2984. | Fixed in: 3.9.15
2985. | References:
2986. | - https://wpvulndb.com/vulnerabilities/8716
2987. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
2988. | - https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
2989. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2990. |
2991. | [!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
2992. | Fixed in: 3.9.15
2993. | References:
2994. | - https://wpvulndb.com/vulnerabilities/8718
2995. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
2996. | - https://www.mehmetince.net/low-severity-wordpress/
2997. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
2998. | - https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
2999. |
3000. | [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
3001. | Fixed in: 3.9.15
3002. | References:
3003. | - https://wpvulndb.com/vulnerabilities/8719
3004. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
3005. | - https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
3006. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
3007. |
3008. | [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
3009. | Fixed in: 3.9.15
3010. | References:
3011. | - https://wpvulndb.com/vulnerabilities/8720
3012. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
3013. | - https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
3014. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
3015. |
3016. | [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
3017. | Fixed in: 3.9.15
3018. | References:
3019. | - https://wpvulndb.com/vulnerabilities/8721
3020. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
3021. | - https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
3022. | - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
3023. |
3024. | [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
3025. | Fixed in: 3.9.16
3026. | References:
3027. | - https://wpvulndb.com/vulnerabilities/8730
3028. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
3029. | - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
3030. | - https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
3031. |
3032. | [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
3033. | Fixed in: 3.9.17
3034. | References:
3035. | - https://wpvulndb.com/vulnerabilities/8765
3036. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
3037. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
3038. | - https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
3039. | - https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
3040. | - http://seclists.org/oss-sec/2017/q1/563
3041. |
3042. | [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
3043. | Fixed in: 3.9.17
3044. | References:
3045. | - https://wpvulndb.com/vulnerabilities/8766
3046. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
3047. | - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
3048. | - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
3049. |
3050. | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
3051. | References:
3052. | - https://wpvulndb.com/vulnerabilities/8807
3053. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
3054. | - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
3055. | - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
3056. | - https://core.trac.wordpress.org/ticket/25239
3057. |
3058. | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
3059. | Fixed in: 3.9.19
3060. | References:
3061. | - https://wpvulndb.com/vulnerabilities/8815
3062. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
3063. | - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
3064. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3065. |
3066. | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
3067. | Fixed in: 3.9.19
3068. | References:
3069. | - https://wpvulndb.com/vulnerabilities/8816
3070. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
3071. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3072. | - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
3073. |
3074. | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
3075. | Fixed in: 3.9.19
3076. | References:
3077. | - https://wpvulndb.com/vulnerabilities/8817
3078. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
3079. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3080. | - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
3081. |
3082. | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
3083. | Fixed in: 3.9.19
3084. | References:
3085. | - https://wpvulndb.com/vulnerabilities/8818
3086. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
3087. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3088. | - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
3089. | - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
3090. |
3091. | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
3092. | Fixed in: 3.9.19
3093. | References:
3094. | - https://wpvulndb.com/vulnerabilities/8819
3095. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
3096. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3097. | - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
3098. | - https://hackerone.com/reports/203515
3099. | - https://hackerone.com/reports/203515
3100. |
3101. | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
3102. | Fixed in: 3.9.19
3103. | References:
3104. | - https://wpvulndb.com/vulnerabilities/8820
3105. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
3106. | - https://wordpress.org/news/2017/05/wordpress-4-7-5/
3107. | - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
3108. |
3109. | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
3110. | Fixed in: 3.9.20
3111. | References:
3112. | - https://wpvulndb.com/vulnerabilities/8905
3113. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
3114. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
3115. | - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
3116. |
3117. | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
3118. | Fixed in: 4.7.5
3119. | References:
3120. | - https://wpvulndb.com/vulnerabilities/8906
3121. | - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
3122. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
3123. | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
3124. | - https://wpvulndb.com/vulnerabilities/8905
3125. |
3126. | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
3127. | Fixed in: 3.9.20
3128. | References:
3129. | - https://wpvulndb.com/vulnerabilities/8910
3130. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
3131. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
3132. | - https://core.trac.wordpress.org/changeset/41398
3133. |
3134. | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
3135. | Fixed in: 3.9.20
3136. | References:
3137. | - https://wpvulndb.com/vulnerabilities/8911
3138. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
3139. | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
3140. | - https://core.trac.wordpress.org/changeset/41457
3141. |
3142. | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
3143. | Fixed in: 3.9.21
3144. | References:
3145. | - https://wpvulndb.com/vulnerabilities/8941
3146. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
3147. | - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
3148. | - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
3149. | - https://twitter.com/ircmaxell/status/923662170092638208
3150. | - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
3151. |
3152. | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
3153. | Fixed in: 3.9.22
3154. | References:
3155. | - https://wpvulndb.com/vulnerabilities/8966
3156. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
3157. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
3158. | - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
3159. |
3160. | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
3161. | Fixed in: 3.9.22
3162. | References:
3163. | - https://wpvulndb.com/vulnerabilities/8967
3164. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
3165. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
3166. | - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
3167. |
3168. | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
3169. | Fixed in: 3.9.22
3170. | References:
3171. | - https://wpvulndb.com/vulnerabilities/8969
3172. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
3173. | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
3174. | - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
3175. |
3176. | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
3177. | Fixed in: 3.9.23
3178. | References:
3179. | - https://wpvulndb.com/vulnerabilities/9006
3180. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
3181. | - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
3182. | - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
3183. | - https://core.trac.wordpress.org/ticket/42720
3184. |
3185. | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
3186. | References:
3187. | - https://wpvulndb.com/vulnerabilities/9021
3188. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
3189. | - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
3190. | - https://github.com/quitten/doser.py
3191. | - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
3192. |
3193. | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
3194. | Fixed in: 3.9.24
3195. | References:
3196. | - https://wpvulndb.com/vulnerabilities/9053
3197. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
3198. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
3199. | - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
3200. |
3201. | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
3202. | Fixed in: 3.9.24
3203. | References:
3204. | - https://wpvulndb.com/vulnerabilities/9054
3205. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
3206. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
3207. | - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
3208. |
3209. | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
3210. | Fixed in: 3.9.24
3211. | References:
3212. | - https://wpvulndb.com/vulnerabilities/9055
3213. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
3214. | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
3215. | - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
3216. |
3217. | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
3218. | Fixed in: 3.9.25
3219. | References:
3220. | - https://wpvulndb.com/vulnerabilities/9100
3221. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
3222. | - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
3223. | - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
3224. | - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
3225. | - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
3226. | - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
3227. |
3228. | [!] Title: WordPress <= 5.0 - Authenticated File Delete
3229. | Fixed in: 3.9.26
3230. | References:
3231. | - https://wpvulndb.com/vulnerabilities/9169
3232. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
3233. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3234. |
3235. | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
3236. | Fixed in: 3.9.26
3237. | References:
3238. | - https://wpvulndb.com/vulnerabilities/9170
3239. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
3240. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3241. | - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
3242. |
3243. | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
3244. | Fixed in: 3.9.26
3245. | References:
3246. | - https://wpvulndb.com/vulnerabilities/9171
3247. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
3248. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3249. |
3250. | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
3251. | Fixed in: 3.9.26
3252. | References:
3253. | - https://wpvulndb.com/vulnerabilities/9172
3254. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
3255. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3256. |
3257. | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
3258. | Fixed in: 3.9.26
3259. | References:
3260. | - https://wpvulndb.com/vulnerabilities/9173
3261. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
3262. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3263. | - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
3264. |
3265. | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
3266. | Fixed in: 3.9.26
3267. | References:
3268. | - https://wpvulndb.com/vulnerabilities/9174
3269. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
3270. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3271. |
3272. | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
3273. | Fixed in: 3.9.26
3274. | References:
3275. | - https://wpvulndb.com/vulnerabilities/9175
3276. | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
3277. | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
3278. | - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
3279.  
3280. [+] WordPress theme in use: asssd
3281. | Location: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/
3282. | Style URL: http://mocit.gov.sd/resources/files/ar/wp-content/themes/asssd/style.css
3283. |
3284. | Detected By: Urls In Homepage (Passive Detection)
3285. |
3286. | The version could not be determined.
3287.  
3288. [+] Enumerating Users (via Passive and Aggressive Methods)
3289. Brute Forcing Author IDs - Time: 00:00:04 <==> (10 / 10) 100.00% Time: 00:00:04
3290.  
3291. [i] No Users Found.
3292.  
3293. [+] Finished: Thu Feb 14 10:52:56 2019
3294. [+] Requests Done: 14
3295. [+] Cached Requests: 403
3296. [+] Data Sent: 13.673 KB
3297. [+] Data Received: 533.083 KB
3298. [+] Memory used: 11.672 MB
3299. [+] Elapsed time: 00:00:07
3300. #######################################################################################################################################
3301. [-] Date & Time: 14/02/2019 10:50:18
3302. [I] Threads: 5
3303. [-] Target: http://mocit.gov.sd/index.php/ar (62.12.105.2)
3304. [M] Website Not in HTTPS: http://mocit.gov.sd/index.php/ar
3305. [I] X-Powered-By: PHP/5.3.29
3306. [L] X-Frame-Options: Not Enforced
3307. [I] Strict-Transport-Security: Not Enforced
3308. [I] X-Content-Security-Policy: Not Enforced
3309. [I] X-Content-Type-Options: Not Enforced
3310. [L] No Robots.txt Found
3311. [I] CMS Detection: WordPress
3312. [I] Wordpress Theme: asssd
3313. [M] XML-RPC services are enabled
3314. [I] Autocomplete Off Not Found: http://mocit.gov.sd/index.php/ar/wp-login.php
3315. [-] Default WordPress Files:
3316. [-] Searching Wordpress Plugins ...
3317. [I] adrotate
3318. [M] EDB-ID: 17888 "WordPress Plugin AdRotate 3.6.5 - SQL Injection"
3319. [M] EDB-ID: 18114 "WordPress Plugin AdRotate 3.6.6 - SQL Injection"
3320. [M] EDB-ID: 31834 "WordPress Plugin AdRotate 3.9.4 - 'clicktracker.ph?track' SQL Injection"
3321. [I] ads-box
3322. [M] EDB-ID: 38060 "WordPress Plugin Ads Box - 'count' SQL Injection"
3323. [I] firestats
3324. [M] EDB-ID: 14308 "WordPress Plugin Firestats - Remote Configuration File Download"
3325. [M] EDB-ID: 33367 "WordPress Plugin Firestats 1.0.2 - Multiple Cross-Site Scripting / Authentication Bypass Vulnerabilities (1)"
3326. [M] EDB-ID: 33368 "WordPress Plugin Firestats 1.0.2 - Multiple Cross-Site Scripting / Authentication Bypass Vulnerabilities (2)"
3327. [I] simple-ads-manager
3328. [M] EDB-ID: 36613 "WordPress Plugin Simple Ads Manager - Multiple SQL Injections"
3329. [M] EDB-ID: 36614 "WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload"
3330. [M] EDB-ID: 36615 "WordPress Plugin Simple Ads Manager - Information Disclosure"
3331. [M] EDB-ID: 39133 "WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection"
3332. [I] wp-bannerize
3333. [M] EDB-ID: 17764 "WordPress Plugin Bannerize 2.8.6 - SQL Injection"
3334. [M] EDB-ID: 17906 "WordPress Plugin Bannerize 2.8.7 - SQL Injection"
3335. [M] EDB-ID: 36193 "WordPress Plugin WP Bannerize 2.8.7 - 'ajax_sorter.php' SQL Injection"
3336. [I] Checking for Directory Listing Enabled ...
3337. [-] Date & Time: 14/02/2019 10:54:48
3338. [-] Completed in: 0:04:30
3339. #######################################################################################################################################
3340. Anonymous JTSEC #OpSudan Full Recon #12