Bug Bounty Tips --- 01
2022-11-2 15:28:14 Author: 安全狗的自我修养

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided only for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability; the author accepts none.

Sensitive data in browser files

This mainly refers to sensitive data stored by Firefox, found with GitHub code-search queries such as the ones below. The encryptedUsername and encryptedPassword fields are ciphertext (encType 1) protected by a key kept in the same profile's key4.db, so the exposure is complete when that file is committed alongside logins.json.

org:company filename:firefox/logins.json

org:company encryptedUsername encryptedPassword

user:name encryptedUsername encryptedPassword

"company.com" encryptedUsername encryptedPassword

Example:

{
  "nextId": 6,
  "logins": [
    {
      "id": 2,
      "hostname": "https://github.com",
      "httpRealm": null,
      "formSubmitURL": "https://github.com",
      "usernameField": "login",
      "passwordField": "password",
      "encryptedUsername": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDAMJYvxVWmNBBAYOR+4wZeLSB7kqJ/GDhj3",
      "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBQ0N0EftdcPBBD9CaBvRSe9MhhqBjbd3UG8",
      "guid": "{749a98c7-c83e-4033-aafc-647f562b7166}",
      "encType": 1,
      "timeCreated": 1515902314887,
      "timeLastUsed": 1515902314887,
      "timePasswordChanged": 1515902314887,
      "timesUsed": 1
    },
    {
      "id": 3,
      "hostname": "https://github.com",
      "httpRealm": null,
      "formSubmitURL": "https://github.com",
      "usernameField": "login",
      "passwordField": "password",
      "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF7kv84cNrhKBAgHD6N4RU01Tg==",
      "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBUufYeWbuziBBAraNDREdVus+piXPZaR/Ym",
      "guid": "{3946cc16-e11a-48e7-8128-7ccfe76497a2}",
      "encType": 1,
      "timeCreated": 1515902330602,
      "timeLastUsed": 1515902330602,
      "timePasswordChanged": 1515902330602,
      "timesUsed": 1
    },
    {
      "id": 4,
      "hostname": "https://github.com",
      "httpRealm": null,
      "formSubmitURL": "https://github.com",
      "usernameField": "login",
      "passwordField": "password",
      "encryptedUsername": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJzC0s27eOVuBBAaivvk2xSAcu3VP6oAkODX",
      "encryptedPassword": "MFIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNa3fxQUbhzwBCjyWS8Qx2UiUcoq3nvLmPXWtc4bdm88HLfIMTGJcM7WvDALDHdWIAwY",
      "guid": "{f2242a97-e40a-4540-a3f9-d6135326d76a}",
      "encType": 1,
      "timeCreated": 1515902347570,
      "timeLastUsed": 1515902347570,
      "timePasswordChanged": 1515902347570,
      "timesUsed": 1
    },
    {
      "id": 5,
      "hostname": "https://github.com",
      "httpRealm": null,
      "formSubmitURL": "https://github.com",
      "usernameField": "login",
      "passwordField": "password",
      "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJXdeSs0MeMMBAhRbgoUvJ9GJA==",
      "encryptedPassword": "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCSrh9ud0IorBDA4ncCjHIDjDlUIliEvJ7at4r2M68qLKFHTGEsiUkRJjRJ0ir6Zy59rKq4EtVnrzMI=",
      "guid": "{48dc6764-a352-4e7d-af8a-b3605ef86cce}",
      "encType": 1,
      "timeCreated": 1515902367721,
      "timeLastUsed": 1515902367721,
      "timePasswordChanged": 1515902367721,
      "timesUsed": 1
    }
  ],
  "disabledHosts": [],
  "version": 2
}

SSH private keys

org:company filename:.ssh/id_rsa

org:company "BEGIN RSA PRIVATE KEY" OR ssh-rsa

user:name filename:.ssh/id_rsa

user:name "BEGIN RSA PRIVATE KEY" OR ssh-rsa

"company.com" "BEGIN RSA PRIVATE KEY" OR ssh-rsa

Example (note that this one is the public half of the key pair, which is what the ssh-rsa term in the queries above matches):

#~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOiwy0NSpsTX/zPFlpzW3x+SHZLEa4xceT3LGeLIzabvp2idYZxt2AqAtB+gvrs+Lczcdq2yTtILFexmJivpxc60mrvRUzneuvdzE7cnAoJsn3zkNTSO4ZMrqPXeR0aliXcn/xkElakzMMDwnlNSyUcHOjHVzDDZH5OSqhqhhIQqJdkA1WWDxM+mVEwRkKTgimzBST7wgxKaf5yLf7Alqho1zHCvkitq3Ii8q7Kk4IrFm+V8Ok6IcmN7DSxpzBzQUry+/izrfCY8uQKtLUHMssPuKGPEziUnb+YF1hJ5eZ78k32fjHRHJPzaqGRuKKMCjtK2JYmkWKSo91Pabl3cmh
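Both sections above describe files that should never reach a repository. The following added example (not from the original post) is the defender's side of those searches: a small scanner that recognises a Firefox logins.json by its structure, notes whether the profile's key4.db was committed next to it, and flags private and public SSH key material, so it can run as a pre-commit hook or CI job before the content becomes searchable. The repository contents are constructed inline and the key material is placeholder text.

```python
from __future__ import annotations
import json
import posixpath
import re
from pathlib import Path

# Constructed sample repository contents (not from the original post): a
# committed Firefox profile fragment, an SSH key pair and a harmless README.
# All key material here is placeholder text, not real keys.
SAMPLE_FILES: dict[str, str] = {
    ".mozilla/firefox/abc123.default/logins.json": json.dumps({
        "nextId": 2,
        "logins": [{
            "id": 1,
            "hostname": "https://example.com",
            "encryptedUsername": "MDoEEPgAAAAplaceholder",
            "encryptedPassword": "MDoEEPgAAAAplaceholder",
            "encType": 1,
        }],
        "disabledHosts": [],
        "version": 2,
    }),
    ".mozilla/firefox/abc123.default/key4.db": "SQLite format 3 placeholder",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n",
    ".ssh/id_rsa.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder user@host\n",
    "README.md": "# project\nNothing secret here.\n",
}

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
SSH_PUBKEY_RE = re.compile(r"^ssh-(?:rsa|ed25519|dss) AAAA[0-9A-Za-z+/]+", re.MULTILINE)


def firefox_logins(content: str) -> bool:
    """True if the text parses as a Firefox logins.json holding encrypted entries."""
    try:
        doc = json.loads(content)
    except ValueError:
        return False
    logins = doc.get("logins") if isinstance(doc, dict) else None
    return isinstance(logins, list) and any(
        isinstance(e, dict) and "encryptedUsername" in e and "encryptedPassword" in e
        for e in logins
    )


def classify(path: str, content: str, all_paths: set[str]) -> list[str]:
    """Return the finding labels that apply to one file."""
    findings: list[str] = []
    if posixpath.basename(path) == "logins.json" and firefox_logins(content):
        findings.append("firefox-logins")
        # encType 1 entries are encrypted with a key held in the profile's key4.db;
        # if that file is committed too, the credentials are recoverable by anyone.
        if posixpath.join(posixpath.dirname(path), "key4.db") in all_paths:
            findings.append("firefox-key4db-present")
    if PRIVATE_KEY_RE.search(content):
        findings.append("private-key")
    if SSH_PUBKEY_RE.search(content):
        findings.append("ssh-public-key")
    return findings


def scan(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each path to its findings; paths with no findings are omitted."""
    all_paths = set(files)
    result: dict[str, list[str]] = {}
    for path, content in files.items():
        found = classify(path, content, all_paths)
        if found:
            result[path] = found
    return result


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Same check over a real checkout, for use in a pre-commit hook or CI job."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = p.read_text(errors="replace")
    return scan(files)


if __name__ == "__main__":
    for path, labels in scan(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(labels)}")
```

The structural check for logins.json matters more than the filename: a renamed copy still parses as a logins document, while a file merely named logins.json that is not one produces no finding.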

BAC (broken access control) test steps

1. To know what each user role can do, you have to understand your target well.

If documentation exists, make full use of it; if not, use the application as much as possible from the perspective of each user role.

2. You need multiple accounts, one for each available user role.

If you use Chrome, use a separate profile for each account; for Firefox, use this extension: https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

3. BAC testing is built on horizontal and vertical privilege escalation: check whether user role A can do what B can do when A is in fact not allowed to. If it can, there is a vulnerability.

This includes swapping cookies/tokens on various requests (for example API calls).

You can use the Burp Suite extension Autorize for this.

4. Try changing the request method and adding/removing parameters, tokens, headers, and so on.

5. If your user's permissions do not allow something, try as many bypass approaches as possible.

Other learning tutorials.
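Steps 1 to 4 above amount to a repeatable procedure: write down the expected access matrix, record requests with the privileged account, then replay them with a lower-privileged token, with no token, and with the method changed, and report every case that succeeds when the matrix says it should not. The added example below (not from the original post, and not the Autorize extension's code) implements that procedure in process against a constructed target: a vulnerable handler that only enforces the admin check on GET, and a fixed handler that drives authorization from the matrix for every method, so the same audit can serve as a regression test after the fix.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed target (not from the original post): two roles identified by
# bearer tokens, three endpoints, and one deliberately incomplete check.
ROLE_OF_TOKEN = {"tok-admin": "admin", "tok-user": "user"}
METHODS = ("GET", "POST", "PUT", "DELETE")

# Step 1: the expected access matrix, written down from the target's documentation.
MATRIX: dict[tuple[str, str], set[str]] = {
    ("GET", "/api/users"): {"admin"},
    ("POST", "/api/users"): {"admin"},
    ("GET", "/api/audit-log"): {"admin"},
    ("GET", "/api/profile"): {"admin", "user"},
}


@dataclass
class Request:
    method: str
    path: str
    token: str


def handle_vulnerable(req: Request) -> int:
    """Returns an HTTP-style status. The /api/users branch only checks the role
    on GET, so a user-role token reaches POST/PUT/DELETE: a BAC bug."""
    role = ROLE_OF_TOKEN.get(req.token)
    if role is None:
        return 401
    if req.path == "/api/users":
        if req.method == "GET" and role != "admin":
            return 403
        return 200
    if req.path == "/api/audit-log":
        if req.method != "GET":
            return 405
        return 403 if role != "admin" else 200
    if req.path == "/api/profile":
        return 200 if req.method == "GET" else 405
    return 404


def handle_fixed(req: Request) -> int:
    """Same routes, with authorization driven by the matrix for every method."""
    role = ROLE_OF_TOKEN.get(req.token)
    if role is None:
        return 401
    allowed = MATRIX.get((req.method, req.path))
    if allowed is None:
        return 405 if any(p == req.path for _, p in MATRIX) else 404
    return 200 if role in allowed else 403


Handler = Callable[[Request], int]


def audit(handler: Handler, recorded: list[tuple[str, str]],
          role: str, token: str) -> list[tuple[str, str, str, str]]:
    """Steps 3 and 4: replay requests recorded with the admin account using a
    lower-privileged token, with the token removed, and with the method changed.
    Each finding is (role, method, path, technique)."""
    def reachable(method: str, path: str, tok: str) -> bool:
        return handler(Request(method, path, tok)) == 200

    findings = set()
    for method, path in recorded:
        # Step 3: same request, lower-privileged token (vertical escalation).
        if reachable(method, path, token) and role not in MATRIX.get((method, path), set()):
            findings.add((role, method, path, "token swap"))
        # Step 3, anonymous variant: no token at all must never reach the resource.
        if reachable(method, path, ""):
            findings.add(("anonymous", method, path, "token removed"))
        # Step 4: same path, different method, still with the low-privileged token.
        for alt in METHODS:
            if alt != method and reachable(alt, path, token) \
                    and role not in MATRIX.get((alt, path), set()):
                findings.add((role, alt, path, f"method {method}->{alt}"))
    return sorted(findings)


# Step 2 output: requests recorded while browsing as the admin account.
RECORDED_ADMIN_REQUESTS = [("GET", "/api/users"), ("GET", "/api/audit-log"), ("GET", "/api/profile")]

if __name__ == "__main__":
    for f in audit(handle_vulnerable, RECORDED_ADMIN_REQUESTS, "user", "tok-user"):
        print("BAC finding:", *f)
    print("fixed handler findings:", audit(handle_fixed, RECORDED_ADMIN_REQUESTS, "user", "tok-user"))
```

Against the vulnerable handler the audit reports that the user role reaches POST, PUT and DELETE on /api/users through a method change from the recorded GET; against the fixed handler it reports nothing. Keeping the matrix as data rather than as scattered if statements is what makes the fixed handler correct for methods nobody thought to test.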


Source: http://mp.weixin.qq.com/s?__biz=MzkwOTE5MDY5NA==&mid=2247486007&idx=3&sn=d9e0a5c751b73a3497b05d98528ba1c8&chksm=c13f397ef648b068e420c03686f2748de394d66facaedcfd9141342fa48c84ce0fe2e5a17ea4#rd