I just want to write a checklist for myself. This article covers various vulnerability discovery methods and bypass methods. I hope you read it carefully.
Twitter @C1h2e11
Wechat : C1h2e1
RECON
Most of my recon ideas come from nahamsec; he is really good.
When I get a target, I first do a lot of information collection, such as Subdomain, IP, Port, Endpoint.
For subdomains, I use crt.sh to find them. For big targets, I pick some interesting words, such as api, prod, dev, stage, backend, admin, etc.
Subdomain
Let’s take yahoo as an example
crt.sh | %api%%.yahoo.com
Use % as a wildcard to find the domain names you want. Here is a shell script to quickly collect some subdomains (pass the target domain as the first argument):
#!/bin/bash
# usage: ./subs.sh example.com
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=$1" | jq .subdomains | grep -o "\w.*$1"
curl -s "https://api.hackertarget.com/hostsearch/?q=$1" | grep -o "\w.*$1"
curl -s "https://crt.sh/?q=%.$1" | grep "$1" | cut -d '>' -f2 | cut -d '<' -f1 | grep -v " " | sort -u
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | grep -o '\[".*"\]'
Often some of the collected domains cannot be accessed; in that case we can use httprobe to detect which hosts are live.
But certificate-based subdomain lists are incomplete and need some brute force; I recommend Sublist3r.
We can also use Google Dorks and GitHub. I recommend the following script to search for subdomains on GitHub.
Documents here
That is the subdomain collection method I often use. You can also use platforms like shodan and zoomeye; I won't go into details here.
IP
Censys.io ipinfo.io shodan.io
Censys is a certificate-based search that can find many IP addresses; I have found many bugs with it. We just need to query the target domain, then click on the certificate on the right.
Here you can see the subdomain name, and we can query by IPv4. There will be an IPv4 address; if it is in scope, we can test it. Note the "get body" mark: it matches content in the response body, so most of those results are not your target's assets.
ipinfo and hostinfo.io can be used to query ASNs and network ranges. We can combine them with shodan.
shodan also has many good features, such as SSL-based search and favicon search, which can find a lot of target information. I won't write much here.
DNSdumpster and VirusTotal can also find a lot of information.
Port
For port scanning we can use nmap and masscan.
nmap -sV -T3 -Pn -p2075,2076,6443,3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443,19000,19080 ${target}
Endpoint
There are many ways to find endpoints:
curl -s "http://web.archive.org/cdx/search/cdx?url=*.$1/*&output=text&fl=original&collapse=urlkey"
curl -s "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$1&output=json" | jq .url
Commoncrawl and web archive can find many endpoints for us to test. At the same time, we can also use crawlers to get what we want. The main focus should be on JS files and API endpoints.
I recommend a tool here. You can crawl useful endpoints, and we can also do BLH discovery. I will write about related search methods later.
At the same time I will use dirsearch to brute force
My dictionary is here
HUNTING
I mainly hunt the bugs below:
- SSRF
- CSRF(CORS,JSONP hijacking)
- SQLi
- XSS(DOM,Stored,Reflected)
- Weak Password
- Unauthorized access
- IDOR
- Open redirect
- Information Disclosure
- XXE
- File Upload
- Subdomain Takeover
- BLH
- HTTP Request Smuggling
- CRLF
- Auth Bypass
- DOS
- LFI
- Command injection
- Race Condition
- S3 Bucket
- Logic Flaw
- SSTI
Let me introduce them one by one and share bypass tips.
SSRF
This picture is a good summary of the common locations of SSRF. We can find related functions based on the business logic. When you receive a request from the server, try to access the intranet. If there is no response, it can still be determined by timing, the same as Time-Based SQLi.
BYPASS
tools
white@black.com ==> black[.]com
black[.]com?white[.]com ==> black[.]com
black[.]com#white.com ==> black[.]com Tips By @____cypher____
http://127.0.0.1
http://localhost
https://127.0.0.1/
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
https://localhost/
http://[::]:80/
http://127.0.0.1.nip.io
http://[0:0:0:0:0:ffff:127.0.0.1]
http://spoofed.burpcollaborator.net
http://0177.0.0.1/
http://2130706433/
http://0/
https://10.0.0.1.xip.io
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3
<?php
header("Location: http://127.0.0.1");
?>
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
Exploit
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
File protocol to read local file
file:///etc/passwd
http://100.100.100.200/latest/meta-data/
DNS Rebinding attack
CSRF(CORS,JSONP hijacking)
I won't cover ordinary CSRF here; these are some token bypass methods:
Delete the CSRF token
Send a null token parameter
Modify the request method, from GET to POST or PUT, etc.
Replace the token with any string of the same length
Fixed token: every user's token can be shared
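Each bypass in that list corresponds to a shortcut in the server's token check. The Python below is an added example, not the author's code: issue_token and csrf_ok are assumed names, and the plain dict stands in for server-side session storage.

```python
import hmac
import secrets

# Added example, not the author's code: a CSRF token check written against the
# bypass list above (deleted token, null token, method switch, same-length
# string, fixed shared token). The session dict stands in for real storage.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_token(session):
    """One random token per session, never a fixed value shared by all users."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def csrf_ok(session, method, submitted):
    """True only when a state-changing request carries this session's own token.
    Every non-safe method is checked, so switching POST to PUT changes nothing."""
    if method.upper() in SAFE_METHODS:
        return True  # holds only if these methods really never change state
    expected = session.get("csrf")
    if not expected or not submitted:
        return False  # a deleted, null or empty token is a failure, not a skip
    try:
        # compare the whole value in constant time; matching length is not enough
        return hmac.compare_digest(expected, submitted)
    except TypeError:
        return False  # non-string or non-ASCII token
```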
CORS Bypass
OUT OF SCOPE XSS and CORS
Use Safari’s URL feature to bypass
JSONP hijacking
Burp suite Extension to discover JSONP func
FUZZ Callback Parameter
In another test, I found a JSONP hijacking at a.redacted.com. When I looked for a vulnerability in b.redacted.com, I found a JSON response, but there was no parameter in the requested URL. I tried fuzzing the parameter, but the dictionary did not contain the _cb_ parameter. Eventually I added the _cb_ parameter from a.redacted.com to b.redacted.com and successfully found JSONP hijacking.
callback=gh0stkey
cb=gh0stkey
jsonp=gh0stkey
jsonpcallback=gh0stkey
jsonpcb=gh0stkey
jsonp_cb=gh0stkey
json=gh0stkey
jsoncallback=gh0stkey
jcb=gh0stkey
call=gh0stkey
cb_=gh0stkey
_cb_=gh0stkey
SQLi
SQL injection is always there. Actually, the key is to be careful. I found SQLi in my two most recent tests. You just need to search all the parameters of each page carefully and add single quotes or %df, or look for Time-Based SQLi.
Check out this repo's SQLi payloads
Tips: SQL INJECTION VIA HTTP HEADER!
I can't think of anything else to write here, so SQLi is over.
XSS
We can use the endpoints obtained during information collection to find reflected XSS. There are many positions for XSS; we should pay attention to bypass payloads.
I found a lot of Blind XSS in recent tests. I think HTTP header locations, with some XSS and SQLi payloads, will give unexpected results.
I use XSS HUNTER for BlindXSS
!!BlindXSSEveryWhere!!
My Blog about XSS!
Weak Password
Try more
Unauthorized access
Most of the unauthorized access I find comes from brute-forcing directories. Find more ports, more IPs, more services.
IDOR
Burp suite Extension to find IDOR
The case of IDOR
There are many different test methods in the IDOR search process. We should pay attention to unique parameters and pages, and to the function of each API. I recommend using Burp Suite's Repeater to mark the function and return content of each API. If an email returns a UID, we can use the UID to find IDOR.
Open redirect
When testing open redirect, we can also try combining it with XSS by redirecting to javascript:alert(1).
I noticed this URL when I found a 302, but I couldn't redirect after opening it, so I tried a bypass.
Payload list
Replace whitelisted.com with your target
Information Disclosure
Github Pastebin Google etc.
Most of my information collection is found directly from recon
SO JUST RECON CAREFULLY
Use github and pastebin to search for some sensitive information such as API key, token.
XXE
1. Upload File
By uploading files in formats such as xls, doc
The process of making a malicious document
2. OOB ATTACK
3. Modify Content-Type
File Upload
We can test XSS and SSRF when uploading, and ImageTragick RCE. This idea is really hard for me to write about, so I will write the bypass tips:
- Add dot after the file name
- File name with special symbol before or after
- Delete meta-data
- Race condition
I was writing this article after a day of school today. My mind is a bit messy XD
Subdomain Takeover
Still no good tips; more subdomains mean a higher chance of a takeover.
BLH
tools
HTTP Request Smuggling
CRLF
Auth Bypass
OAuth2 CSRF: modify the redirect_url to get the victim's token. Its restrictions can be bypassed using an open redirect.
DOS
Image size DoS
https://target.com/Verification/?high=100&weigh=100
https://target.com/Verification/?high=100000&weigh=1000000
response boom!
If there is no parameter controlling the size, we can add one ourselves:
width=250&height=250
height=250
width=250
w=250&h=250
h=250
w=250
size=250&width=250&height=250
size=250&w=250&h=250
size=250
margin=250
margin=250&width=250&height=250
margin=250&w=250&h=250
size=250&margin=250
size=250&margin=250&width=250&height=250
Bypassing restrictions in a way that affects normal use by users is what I think is the most meaningful DoS.
I think using a lot of characters or very special characters may also cause DoS.
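From the server side, the fix for this class of DoS is to bound every size-like parameter before allocating a canvas. The Python below is an added example, not the author's code: resize_dimensions and the limits MAX_SIDE and MAX_PIXELS are assumed, and the alias names it accepts are the ones listed above.

```python
from urllib.parse import parse_qs

# Added example, not the author's code: bounds for image-resize parameters so a
# request like high=100000&weigh=1000000 is refused instead of rendered.
MAX_SIDE = 2000          # assumed per-side limit in pixels
MAX_PIXELS = 3_000_000   # assumed total pixel budget, margin included
DEFAULT_SIDE = 250

def _first_int(params, names):
    """First value present under any alias, as a non-negative int (isdecimal
    rejects signs, superscripts and other digit-like characters int() dislikes)."""
    for name in names:
        for value in params.get(name, []):
            if value.isdecimal():
                return int(value)
    return None

def resize_dimensions(query):
    """Return (width, height) including margin, or None when the request should
    get a 400 instead of an allocation."""
    params = parse_qs(query)
    size = _first_int(params, ("size",))
    fallback = size if size is not None else DEFAULT_SIDE
    width = _first_int(params, ("width", "w"))
    height = _first_int(params, ("height", "h"))
    margin = _first_int(params, ("margin",)) or 0
    width = width if width is not None else fallback
    height = height if height is not None else fallback
    total_w, total_h = width + 2 * margin, height + 2 * margin  # margin on both edges
    if not (0 < total_w <= MAX_SIDE and 0 < total_h <= MAX_SIDE):
        return None
    if total_w * total_h > MAX_PIXELS:
        return None
    return total_w, total_h
```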