Nikto was run against ecampus.usfx.bo on port 10000 and found several potential vulnerabilities:
- Several out-of-date applications were detected, including MiniServ, PHPList, Cobalt Qube, Siteseed, Tiki, and Geeklog, that may have known vulnerabilities.
- Gravity Forms was found to have a version vulnerable to SQL injection according to its changelog.
- The server was using a wildcard certificate that did not match the target hostname.
- Neither the Strict-Transport-Security nor the Expect-CT header was defined to help secure HTTPS.
2 SQLatk Ecampus
┌──(kali㉿kali)-[~]
└─$ nikto -h ecampus.usfx.bo -Tuning 9 -port 10000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          201.131.45.25
+ Target Hostname:    ecampus.usfx.bo
+ Target Port:        10000
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=Webmin Webserver on ecampusrv.usfx.bo/CN=*/[email protected]
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=Webmin Webserver on ecampusrv.usfx.bo/CN=*/[email protected]
+ Start Time:         2023-05-16 00:38:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: MiniServ/1.981
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'auth-type' found, with contents: auth-required=1
+ Uncommon header 'x-no-links' found, with contents: 1
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server is using a wildcard certificate: *
+ Hostname 'ecampus.usfx.bo' does not match certificate's names: *
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ MiniServ - This is the Webmin Unix administrator. It should not be running unless required.
+ /kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ /splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ /ssdefs/: Siteseed pre 1.4.2 has 'major' security problems.
+ /sshome/: Siteseed pre 1.4.2 has 'major' security problems.
+ /tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /scripts/samples/details.idc: See RFP 9901; www.wiretrip.net
+ OSVDB-2703: /geeklog/users.php: Geeklog prior to 1.3.8-1sr2 contains a SQL injection vulnerability that lets a remote attacker reset admin password.
+ OSVDB-728: /admentor/adminadmin.asp: Version 2.11 of AdMentor is vulnerable to SQL injection during login, in the style of: ' or =
+ OSVDB-36894: /My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /postnuke/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /postnuke/html/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /modules/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /phpBB/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-36894: /forum/My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ OSVDB-10107: /author.asp: May be FactoSystem CMS, which could include SQL injection problems that could not be tested remotely.
+ OSVDB-35876: /agentadmin.php: Immobilier agentadmin.php contains multiple SQL injection vulnerabilities.
+ OSVDB-2119: /shopping/diag_dbtest.asp: VP-ASP Shopping Cart 5.0 contains multiple SQL injection vulnerabilities. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0560, http://www.securityfocus.com/bid/8159
+ OSVDB-2948: /reademail.pl: @Mail WebMail 3.52 contains an SQL injection that allows attacker to read any email message for any address registered in the system. Example to append to reademail.pl: ?id=666&folder=qwer'%20or %20EmailDatabase_v.Account='[email protected]&print=1
+ OSVDB-4240: /utils/sprc.asp: Xpede page may allow SQL injection.
+ /CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).
+ /wp-content/plugins/gravityforms/change_log.txt: Gravity forms is installed. Based on the version number in the changelog, it is vulnerable to an authenticated SQL injection. https://wpvulndb.com/vulnerabilities/7849
+ /wordpresswp-content/plugins/gravityforms/change_log.txt: Gravity forms is installed. Based on the version number in the changelog, it is vulnerable to an authenticated SQL injection. https://wpvulndb.com/vulnerabilities/7849
+ 611 requests: 0 error(s) and 33 item(s) reported on remote host
+ End Time:           2023-05-16 00:56:34 (GMT-4) (1070 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested