{"id":2474,"date":"2016-02-01T00:23:24","date_gmt":"2016-01-31T15:23:24","guid":{"rendered":"http:\/\/tech.akat.info\/?p=2474"},"modified":"2016-02-01T00:23:24","modified_gmt":"2016-01-31T15:23:24","slug":"nikto-%e3%81%a7%e8%84%86%e5%bc%b1%e6%80%a7%e8%a8%ba%e6%96%ad","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=2474","title":{"rendered":"Vulnerability Scanning with Nikto"},"content":{"rendered":"<p>I tried out <a href=\"http:\/\/qiita.com\/mken\/items\/2761c8d63a7b8188804f\">Checking a website for vulnerabilities - Nikto<\/a><\/p>\n<h1>Installation<\/h1>\n<p>On Debian-based systems it can also be installed with apt-get install nikto<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/usr\/local\/src# wget -d https:\/\/cirt.net\/nikto\/nikto-2.1.5.tar.gz\r\n...\r\nroot@debian9:\/usr\/local\/src# tar xzvf nikto-2.1.5.tar.gz\r\nroot@debian9:\/usr\/local\/src# cd nikto-2.1.5\r\nroot@debian9:\/usr\/local\/src\/nikto-2.1.5# chmod +x nikto.pl\r\n### Update the plugins and the database ###\r\nroot@debian9:\/usr\/local\/src\/nikto-2.1.5# .\/nikto.pl -update\r\n+ Retrieving 'db_tests'\r\n+ Retrieving 'nikto_cookies.plugin'\r\n+ Retrieving 'nikto_report_csv.plugin'\r\n+ Retrieving 'db_parked_strings'\r\n+ Retrieving 'nikto_headers.plugin'\r\n+ Retrieving 'CHANGES.txt'\r\n+ CIRT.net message: Please submit Nikto bugs to https:\/\/github.com\/sullo\/nikto\r\n<\/pre>\n<h1>Vulnerability scan<\/h1>\n<p>A report can be written out with the -output option, but the report contents did not seem very meaningful to me<br \/>\nA line that starts with &#8220;+ OSVDB&#8221; means a vulnerability was found<br \/>\nOSVDB is the <a href=\"http:\/\/www.osvdb.org\/\">Open Sourced Vulnerability Database<\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/usr\/local\/src\/nikto-2.1.5# .\/nikto.pl -h 127.0.0.1 -output result2.txt\r\n- ***** SSL support not available (see docs for SSL install) *****\r\n- Nikto v2.1.5\r\n---------------------------------------------------------------------------\r\n+ Target IP:          127.0.0.1\r\n+ Target Hostname:    localhost\r\n+ Target Port:        80\r\n+ Start Time:         2016-01-31 20:35:25 (GMT9)\r\n---------------------------------------------------------------------------\r\n+ Server: nginx\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ Uncommon header 'link' found, with contents: &lt;http:\/\/tech.akat.info\/?rest_route=\/&gt;; rel=&quot;https:\/\/api.w.org\/&quot;\r\n+ Server leaks inodes via ETags, header found with file \/favicon.ico, fields: 0x53b024a8 0x13e\r\n+ \/fcgi-bin\/post-query: Echoes back result of your POST\r\n+ \/cgi-exe\/post-query: Echoes back result of your POST\r\n+ \/cgi-home\/post-query: Echoes back result of your POST\r\n+ \/cgi-perl\/post-query: Echoes back result of your POST\r\n+ \/scgi-bin\/post-query: Echoes back result of your POST\r\n+ OSVDB-3092: \/sitemap.xml: This gives a nice listing of the site content.\r\n+ OSVDB-3092: \/lib\/: This might be interesting...\r\n+ OSVDB-3092: \/linux\/: This might be interesting...\r\n+ OSVDB-3092: \/status\/: This might be interesting...\r\n+ OSVDB-3092: \/log\/: Ahh...log information...fun!\r\n+ OSVDB-3093: \/fcgi-bin\/rightfax\/fuwww.dll\/?: This might be interesting... has been seen in web logs from an unknown scanner.\r\n+ OSVDB-3093: \/cgi-exe\/rightfax\/fuwww.dll\/?: This might be interesting... has been seen in web logs from an unknown scanner.\r\n+ OSVDB-3093: \/cgi-home\/rightfax\/fuwww.dll\/?: This might be interesting... has been seen in web logs from an unknown scanner.\r\n+ OSVDB-3093: \/cgi-perl\/rightfax\/fuwww.dll\/?: This might be interesting... has been seen in web logs from an unknown scanner.\r\n+ OSVDB-3093: \/scgi-bin\/rightfax\/fuwww.dll\/?: This might be interesting... has been seen in web logs from an unknown scanner.\r\n+ OSVDB-3093: \/.htaccess: Contains authorization information\r\n+ OSVDB-5692: \/oekaki\/: The PaintBBS Server may allow unauthorized access to the config files.\r\n+ OSVDB-3092: \/qa\/: This might be interesting... potential country code (Qatar)\r\n+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN\r\n+ Cookie wordpress_test_cookie created without the httponly flag\r\n+ 6545 items checked: 0 error(s) and 23 item(s) reported on remote host\r\n+ End Time:           2016-01-31 20:43:37 (GMT9) (492 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested\r\n<\/pre>\n<h1>Remediation<\/h1>\n<h2>The anti-clickjacking X-Frame-Options header is not present<\/h2>\n<p>Add the following to nginx.conf<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nadd_header X-Frame-Options &quot;SAMEORIGIN&quot;;\r\nadd_header X-Content-Type-Options nosniff;\r\n<\/pre>\n<h2>OSVDB-3092 and OSVDB-3093<\/h2>\n<p>These list directories that may be vulnerable<br \/>\nRemove sitemap.xml, .htaccess and the like<\/p>\n<h2>Server leaks inodes via ETags, header found with file \/favicon.ico, fields: 0x53b024a8 0x13e<\/h2>\n<p>Because the inode is used when generating the ETag, the ETag value changes even if the file itself has not changed,<br \/>\nwhich uses network bandwidth unnecessarily, so it is recommended not to use the inode<br \/>\nHow to fix this is unknown.. orz<\/p>\n<h1>Reference URLs<\/h1>\n<p><a href=\"Cookie wordpress_test_cookie created without the httponly flag\">Check your site with the security scanning tool &#8220;Nikto&#8221;<\/a><br \/>\n<a href=\"http:\/\/qiita.com\/hideji2\/items\/1421f9bff2a97a5e5794\">Nginx security settings<\/a><br \/>\n<a href=\"http:\/\/dev.classmethod.jp\/security\/try-security-scan-service-walti-io\/\">I tried the lightweight security scanning service Walti.io<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I tried out Checking a website for vulnerabilities - Nikto Installation On Debian-based systems it can also be installed with apt-get install nikto root@debian9:\/usr\/local\/src# wget [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[37],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2474"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2474"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2474\/revisions"}],"predecessor-version":[{"id":2476,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2474\/revisions\/2476"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}