banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

Regular testing of URL parameter testing

#渗透测试166
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses a project called top25-parameter that lists common parameters for exploiting vulnerabilities such as XSS, SSRF, LFI, SQL injection, and command execution. The article also explains how to use the gf program to filter out relevant parameters from URLs and automatically load JSON configuration files for testing.

Common Parameters#

I found a project called top25-parameter that lists some commonly used parameters for exploiting common vulnerabilities and expands on them:

Top 25 XSS parameters:

Top 25 Cross-Site Scripting (XSS) Parameters for @trbughunters  
  
?q={payload}  
?s={payload}  
?search={payload}  
?id={payload}  
?lang={payload}  
?keyword={payload}  
?query={payload}  
?page={payload}  
?keywords={payload}  
?year={payload}  
?view={payload}  
?email={payload}  
?type={payload}  
?name={payload}  
?p={payload}  
?month={payload}  
?immagine={payload}  
?list_type={payload}  
?url={payload}  
?terms={payload}  
?categoryid={payload}  
?key={payload}  
?l={payload}  
?begindate={payload}  
?enddate={payload}

Top 25 SSRF parameters:

Top 25 Server-Side Request Forgery (SSRF) Parameters for @trbughunters  
  
?dest={target}  
?redirect={target}  
?uri={target}  
?path={target}  
?continue={target}  
?url={target}  
?window={target}  
?next={target}  
?data={target}  
?reference={target}  
?site={target}  
?html={target}  
?val={target}  
?validate={target}  
?domain={target}  
?callback={target}  
?return={target}  
?page={target}  
?feed={target}  
?host={target}  
?port={target}  
?to={target}  
?out={target}  
?view={target}  
?dir={target}

Top 25 Local File Inclusion (LFI) parameters:

Top 25 Local File Inclusion (LFI) Parameters for @trbughunters  
  
?cat={payload}  
?dir={payload]  
?action={payload}  
?board={payload}  
?date={payload}  
?detail={payload}  
?file={payload}  
?download={payload}  
?path={payload}  
?folder={payload}  
?prefix={payload}  
?include={payload}  
?page={payload]  
?inc={payload}  
?locate={payload}  
?show={payload}  
?doc={payload}  
?site={payload}  
?type={payload}  
?view={payload}  
?content={payload}  
?document={payload}  
?layout={payload}  
?mod={payload}  
?conf={payload}

Top 25 SQL Injection parameters:

Top 25 SQL Injection Parameters for @trbughunters  
  
?id=  
?page=  
?dir=  
?search=  
?category=  
?file=  
?class=  
?url=  
?news=  
?item=  
?menu=  
?lang=  
?name=  
?ref=  
?title=  
?view=  
?topic=  
?thread=  
?type=  
?date=  
?form=  
?join=  
?main=  
?nav=  
?region=

Top 25 command execution parameters:

?cmd=  
?exec=  
?command=  
?execute=  
?ping=  
?query=  
?jump=  
?code=  
?reg=  
?do=  
?func=  
?arg=  
?option=  
?load=  
?process=  
?step=  
?read=  
?function=  
?req=  
?feature=  
?exe=  
?module=  
?payload=  
?run=  
?print=

Top 25 open redirect parameters:

?next=  
?url=  
?target=  
?rurl=  
?dest=  
?destination=  
?redir=  
?redirect_uri?,  
?redirect_url=  
?redirect=  
?out=  
?view=  
?to=  
?image_url=  
?go=  
?return=  
?returnTo=  
?return_to=  
?checkout_url=  
?continue=  
?return_path=

How to Apply#

In practice, these parameters can be used by collecting the parameters from the URLs of the target domain/IP. For example, if the URL is http://www.xx.com/index.php?id=1, you can directly filter out the id parameter, which may have an SQL injection vulnerability. Parameters following the ? have a high probability of being unfiltered and vulnerable to exploitation.

The program used is gf, which can be found at https://github.com/tomnomnom/gf.

  1. Compile gf using Go:
go get -u github.com/tomnomnom/gf
  1. After compilation, load the JSON configuration file. Below is an example configuration file for Remote Code Execution (RCE):
{  
    "flags": "-iE",  
    "patterns": [  
        "daemon=",  
        "upload=",  
        "dir=",  
        "download=",  
        "log=",  
        "ip=",  
        "cli=",  
        "cmd=",  
        "exec=",  
        "command=",  
        "execute=",  
        "ping=",  
        "query=",  
        "jump=",  
        "code=",  
        "reg=",  
        "do=",  
        "func=",  
        "arg=",  
        "option=",  
        "load=",  
        "process=",  
        "step=",  
        "read=",  
        "function",  
        "req=",  
        "feature=",  
        "exe=",  
        "module=",  
        "payload=",  
        "run=",  
        "print="  
    ]  
}

With the JSON file, you can filter out the URLs during testing. For example, if there is a URL like http://xxx.com/index.php?cmd=ls, you can filter it using the JSON script that contains RCE parameters.

% cat test.txt   
http://xxx.com/index.php?cmd=ls  
  
% cat test.txt | gf rce  
http://xxx.com/index.php?cmd=ls
  1. Configure gf to automatically recognize the JSON scripts placed in the ~/.gf directory. Pressing the tab key will automatically display the JSON files. The JSON files can be found in the following links:
mkdir .gf  
cp ~/Gf-Patterns/*.json ~/.gf  
cp ~/gf/examples/*.json ~/.gf
  1. Once the configuration is complete, you can use gf <tab> to automatically load the JSON files.

How to Collect URLs#

There are many ways to collect URLs, usually in a batch manner. First, collect all the domain names and subdomains, and then collect the parameters from the URLs.

The following applications can be used to collect URLs:

Scanning with these applications is straightforward.

Here is an example using waybackurls and gf:

cat subdomains.txt | waybackurls | sort -u >> waybackdata | gf ssrf | tee -a ssfrparams.txt
cat subdomains.txt | waybackurls | sort -u >> waybackdata | gf ssrf | tee -a ssfrparams.txt
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.