True unfreedom is building a cage inside your own heart.

Routine testing of URL parameters

Common Parameters

I found a project called top25-parameter that lists the parameter names most commonly associated with common vulnerability classes and expands on them:

Top 25 XSS parameters:

Top 25 Cross-Site Scripting (XSS) Parameters for @trbughunters  
  
?q={payload}  
?s={payload}  
?search={payload}  
?id={payload}  
?lang={payload}  
?keyword={payload}  
?query={payload}  
?page={payload}  
?keywords={payload}  
?year={payload}  
?view={payload}  
?email={payload}  
?type={payload}  
?name={payload}  
?p={payload}  
?month={payload}  
?immagine={payload}  
?list_type={payload}  
?url={payload}  
?terms={payload}  
?categoryid={payload}  
?key={payload}  
?l={payload}  
?begindate={payload}  
?enddate={payload}

Top 25 SSRF parameters:

Top 25 Server-Side Request Forgery (SSRF) Parameters for @trbughunters  
  
?dest={target}  
?redirect={target}  
?uri={target}  
?path={target}  
?continue={target}  
?url={target}  
?window={target}  
?next={target}  
?data={target}  
?reference={target}  
?site={target}  
?html={target}  
?val={target}  
?validate={target}  
?domain={target}  
?callback={target}  
?return={target}  
?page={target}  
?feed={target}  
?host={target}  
?port={target}  
?to={target}  
?out={target}  
?view={target}  
?dir={target}

Top 25 Local File Inclusion (LFI) parameters:

Top 25 Local File Inclusion (LFI) Parameters for @trbughunters  
  
?cat={payload}  
?dir={payload}  
?action={payload}  
?board={payload}  
?date={payload}  
?detail={payload}  
?file={payload}  
?download={payload}  
?path={payload}  
?folder={payload}  
?prefix={payload}  
?include={payload}  
?page={payload}  
?inc={payload}  
?locate={payload}  
?show={payload}  
?doc={payload}  
?site={payload}  
?type={payload}  
?view={payload}  
?content={payload}  
?document={payload}  
?layout={payload}  
?mod={payload}  
?conf={payload}

Top 25 SQL Injection parameters:

Top 25 SQL Injection Parameters for @trbughunters  
  
?id=  
?page=  
?dir=  
?search=  
?category=  
?file=  
?class=  
?url=  
?news=  
?item=  
?menu=  
?lang=  
?name=  
?ref=  
?title=  
?view=  
?topic=  
?thread=  
?type=  
?date=  
?form=  
?join=  
?main=  
?nav=  
?region=

Top 25 command execution parameters:

?cmd=  
?exec=  
?command=  
?execute=  
?ping=  
?query=  
?jump=  
?code=  
?reg=  
?do=  
?func=  
?arg=  
?option=  
?load=  
?process=  
?step=  
?read=  
?function=  
?req=  
?feature=  
?exe=  
?module=  
?payload=  
?run=  
?print=

Top 25 open redirect parameters:

?next=  
?url=  
?target=  
?rurl=  
?dest=  
?destination=  
?redir=  
?redirect_uri=  
?redirect_url=  
?redirect=  
?out=  
?view=  
?to=  
?image_url=  
?go=  
?return=  
?returnTo=  
?return_to=  
?checkout_url=  
?continue=  
?return_path=

How to Apply

In practice, these parameter lists are applied by collecting the URLs of the target domain/IP and filtering them for the parameter names the lists contain. For example, if a URL is http://www.xx.com/index.php?id=1, you can pull out the id parameter directly; it may be vulnerable to SQL injection. Parameters following the ? have a high probability of being unfiltered and exploitable.

The program used is gf, which can be found at https://github.com/tomnomnom/gf.

  1. Compile gf using Go:
go get -u github.com/tomnomnom/gf
  2. After compilation, load the JSON configuration file. Below is an example configuration file for Remote Code Execution (RCE):
{  
    "flags": "-iE",  
    "patterns": [  
        "daemon=",  
        "upload=",  
        "dir=",  
        "download=",  
        "log=",  
        "ip=",  
        "cli=",  
        "cmd=",  
        "exec=",  
        "command=",  
        "execute=",  
        "ping=",  
        "query=",  
        "jump=",  
        "code=",  
        "reg=",  
        "do=",  
        "func=",  
        "arg=",  
        "option=",  
        "load=",  
        "process=",  
        "step=",  
        "read=",  
        "function",  
        "req=",  
        "feature=",  
        "exe=",  
        "module=",  
        "payload=",  
        "run=",  
        "print="  
    ]  
}

With such a JSON file you can filter URLs during testing. For example, a URL like http://xxx.com/index.php?cmd=ls is selected by the rce pattern file, because that file contains the RCE parameter names:

% cat test.txt  
http://xxx.com/index.php?cmd=ls  
  
% cat test.txt | gf rce  
http://xxx.com/index.php?cmd=ls
  3. Configure gf to automatically recognize the JSON pattern files placed in the ~/.gf directory. Pressing the tab key will then list the JSON files. The JSON files can be found in the following links:
mkdir ~/.gf  
cp ~/Gf-Patterns/*.json ~/.gf  
cp ~/gf/examples/*.json ~/.gf
  4. Once the configuration is complete, you can use gf <tab> to automatically load the JSON files.
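As an added example (it is not from the original post and not code from the gf project), here is a small Python script that does what `gf rce` does with a pattern file like the one above, namely a case-insensitive regex search over each line, and beside it a stricter check that compares actual query-parameter names. The pattern file (a subset of the patterns shown above), the sample URLs and the function names `load_patterns`, `gf_match` and `param_name_match` are all constructed for this example.

```python
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed pattern file in the same shape as the rce.json above (a subset of
# its patterns); it is not the Gf-Patterns file itself.
RCE_JSON = """
{
    "flags": "-iE",
    "patterns": ["cmd=", "exec=", "command=", "ping=", "run=", "function"]
}
"""

# Constructed sample URLs, in the shape a URL collector such as waybackurls emits.
SAMPLE_URLS = [
    "http://xxx.com/index.php?cmd=ls",          # clean hit on cmd=
    "http://xxx.com/admin.php?Exec=whoami",     # mixed case; the -i flag makes it match
    "http://xxx.com/page.php?id=1&sub_cmd=2",   # substring hit on "cmd=" only
    "http://xxx.com/static/functions/app.js",   # "function" has no '=', so a path matches
    "http://xxx.com/index.php?id=1",            # no RCE-style parameter at all
]


def load_patterns(json_text):
    """Parse a gf pattern file and compile its patterns the way gf hands them to grep."""
    cfg = json.loads(json_text)
    flags = cfg.get("flags", "").lstrip("-")
    # -i -> case-insensitive; -E (extended regex) needs no translation for Python's re.
    re_flags = re.IGNORECASE if "i" in flags else 0
    return [re.compile(p, re_flags) for p in cfg["patterns"]]


def gf_match(urls, patterns):
    """gf-style filter: keep a line if any pattern matches anywhere in it."""
    return [u for u in urls if any(p.search(u) for p in patterns)]


def param_name_match(urls, patterns):
    """Stricter filter: keep a URL only if one of its query-parameter names equals
    a pattern's name (the text before '='), compared case-insensitively.
    This drops substring hits such as sub_cmd= and hits inside the path."""
    wanted = {p.pattern.rstrip("=").lower() for p in patterns}
    kept = []
    for u in urls:
        query = urlsplit(u).query
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if names & wanted:
            kept.append(u)
    return kept


if __name__ == "__main__":
    pats = load_patterns(RCE_JSON)
    print("gf-style matches:")
    for u in gf_match(SAMPLE_URLS, pats):
        print("  ", u)
    print("parameter-name matches:")
    for u in param_name_match(SAMPLE_URLS, pats):
        print("  ", u)
```

Because gf is a grep wrapper, a pattern like `function` written without a trailing `=` selects every URL whose path contains that word, and `cmd=` also selects `sub_cmd=`; on the sample list the gf-style filter keeps four URLs while the parameter-name check keeps two. Running the stricter check over gf's output is a cheap triage step before spending time on a hit.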

How to Collect URLs

There are many ways to collect URLs, usually in a batch manner. First, collect all the domain names and subdomains, and then collect the parameters from the URLs.

The following applications can be used to collect URLs:

Scanning with these applications is straightforward.

Here is an example using waybackurls and gf:

cat subdomains.txt | waybackurls | sort -u | tee -a waybackdata | gf ssrf | tee -a ssrfparams.txt

(tee writes the deduplicated URLs to waybackdata and still passes them on to gf; a >> redirect in the middle of the pipeline would leave gf with no input.)