True unfreedom is building a cage in your own heart.

URL Parameter Testing in Routine Testing

Common Parameters

I found a project called top25-parameter that lists the parameter names most often associated with common vulnerability classes; the lists below reproduce and extend them:

Top 25 XSS parameters:

Top 25 Cross-Site Scripting (XSS) Parameters for @trbughunters  
  
?q={payload}  
?s={payload}  
?search={payload}  
?id={payload}  
?lang={payload}  
?keyword={payload}  
?query={payload}  
?page={payload}  
?keywords={payload}  
?year={payload}  
?view={payload}  
?email={payload}  
?type={payload}  
?name={payload}  
?p={payload}  
?month={payload}  
?immagine={payload}  
?list_type={payload}  
?url={payload}  
?terms={payload}  
?categoryid={payload}  
?key={payload}  
?l={payload}  
?begindate={payload}  
?enddate={payload}

Top 25 SSRF parameters:

Top 25 Server-Side Request Forgery (SSRF) Parameters for @trbughunters  
  
?dest={target}  
?redirect={target}  
?uri={target}  
?path={target}  
?continue={target}  
?url={target}  
?window={target}  
?next={target}  
?data={target}  
?reference={target}  
?site={target}  
?html={target}  
?val={target}  
?validate={target}  
?domain={target}  
?callback={target}  
?return={target}  
?page={target}  
?feed={target}  
?host={target}  
?port={target}  
?to={target}  
?out={target}  
?view={target}  
?dir={target}

Top 25 LFI parameters:

Top 25 Local File Inclusion (LFI) Parameters for @trbughunters  
  
?cat={payload}  
?dir={payload}  
?action={payload}  
?board={payload}  
?date={payload}  
?detail={payload}  
?file={payload}  
?download={payload}  
?path={payload}  
?folder={payload}  
?prefix={payload}  
?include={payload}  
?page={payload}  
?inc={payload}  
?locate={payload}  
?show={payload}  
?doc={payload}  
?site={payload}  
?type={payload}  
?view={payload}  
?content={payload}  
?document={payload}  
?layout={payload}  
?mod={payload}  
?conf={payload}

Top 25 SQL injection parameters:

Top 25 SQL Injection Parameters for @trbughunters  
  
?id=  
?page=  
?dir=  
?search=  
?category=  
?file=  
?class=  
?url=  
?news=  
?item=  
?menu=  
?lang=  
?name=  
?ref=  
?title=  
?view=  
?topic=  
?thread=  
?type=  
?date=  
?form=  
?join=  
?main=  
?nav=  
?region=

Top 25 command execution parameters:

?cmd=  
?exec=  
?command=  
?execute=  
?ping=  
?query=  
?jump=  
?code=  
?reg=  
?do=  
?func=  
?arg=  
?option=  
?load=  
?process=  
?step=  
?read=  
?function=  
?req=  
?feature=  
?exe=  
?module=  
?payload=  
?run=  
?print=

Top 25 open redirect parameters:

?next=  
?url=  
?target=  
?rurl=  
?dest=  
?destination=  
?redir=  
?redirect_uri=  
?redirect_url=  
?redirect=  
?out=  
?view=  
?to=  
?image_url=  
?go=  
?return=  
?returnTo=  
?return_to=  
?checkout_url=  
?continue=  
?return_path=

How to Apply

In practice, these lists are used by collecting the parameters that appear in the URLs of the target domain/IP and matching them against the lists. For example, if the URL is http://www.xx.com/index.php?id=1, you can pick out the id parameter directly, which may be exposed to SQL injection. Parameters following the ? are user-controlled input and are frequently passed on without filtering.

The program used is gf, https://github.com/tomnomnom/gf.

1. Install gf using Go:

```shell
go get -u github.com/tomnomnom/gf
# On Go 1.17 and later, installing binaries this way is deprecated; use:
# go install github.com/tomnomnom/gf@latest
```

2. After installation, create the JSON pattern files that gf will load. Below is an example configuration file for RCE:
```json
{
    "flags": "-iE",
    "patterns": [
        "daemon=",
        "upload=",
        "dir=",
        "download=",
        "log=",
        "ip=",
        "cli=",
        "cmd=",
        "exec=",
        "command=",
        "execute=",
        "ping=",
        "query=",
        "jump=",
        "code=",
        "reg=",
        "do=",
        "func=",
        "arg=",
        "option=",
        "load=",
        "process=",
        "step=",
        "read=",
        "function=",
        "req=",
        "feature=",
        "exe=",
        "module=",
        "payload=",
        "run=",
        "print="
    ]
}
```

With this JSON file in place, gf selects the URLs whose parameters match when you test a list of URLs. For example, a URL like http://xxx.com/index.php?cmd=ls is picked out by the pattern file that contains the RCE parameters:

```console
% cat test.txt
http://xxx.com/index.php?cmd=ls

% cat test.txt | gf rce
http://xxx.com/index.php?cmd=ls
```

3. Now configure gf to recognize the JSON pattern files placed in the ~/.gf folder automatically. Once that is done, pressing the tab key after gf completes the pattern file names; the files listed are all JSON files:

[image: gf tab completion listing the JSON pattern files in ~/.gf]

4. After the configuration is complete, typing the gf command followed by the tab key loads the JSON pattern files automatically.

5. To collect URLs there are many methods, usually applied in batch: first collect all the domain names and subdomains, then collect the parameters from their URLs.

Several applications can be used to collect URLs; the example below uses waybackurls.

The scanning process is quite simple.

Here is an example using Gf-Patterns:

```shell
# Note: the original used "sort -u >> waybackdata | gf ssrf", but the >> redirect
# consumes stdout and gf receives nothing; tee keeps the file and the pipeline.
cat subdomains.txt | waybackurls | sort -u | tee -a waybackdata | gf ssrf | tee -a ssrfparams.txt
```
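As an added example (not code from the page or from the gf project), the following Python reproduces what gf does with the rce pattern file above, namely a case-insensitive alternation of the patterns run over every URL line, and contrasts it with a parameter-name-aware variant that avoids the false positives a bare `dir=` substring produces on `redir=` or `subdir=`. The pattern file contents and the sample URLs are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed pattern file in gf's format (a shortened version of the rce
# patterns above); assumed content, not the project's shipped file.
RCE_PATTERN_JSON = json.dumps({
    "flags": "-iE",
    "patterns": ["cmd=", "exec=", "command=", "dir=", "run="],
})

# Constructed sample URLs, the kind of lines waybackurls would emit.
SAMPLE_URLS = [
    "http://xxx.com/index.php?cmd=ls",
    "http://xxx.com/go.php?redir=/home",     # "dir=" appears inside "redir="
    "http://xxx.com/view.php?CMD=whoami",    # upper case, caught by -i
    "http://xxx.com/index.php?id=1",
]


def compile_gf_pattern(config_text):
    """Emulate gf: the pattern list becomes one alternation handed to grep,
    and an 'i' in flags means case-insensitive matching."""
    cfg = json.loads(config_text)
    flags = re.IGNORECASE if "i" in cfg.get("flags", "") else 0
    return re.compile("|".join(cfg["patterns"]), flags)


def gf_filter(urls, regex):
    """Line-oriented substring match, which is what `cat urls.txt | gf rce` does."""
    return [u for u in urls if regex.search(u)]


def param_name_filter(urls, regex):
    """Stricter variant: match the patterns against whole query-parameter
    names, so 'dir=' no longer fires on 'redir=' or 'subdir='."""
    hits = []
    for u in urls:
        names = [k for k, _ in parse_qsl(urlsplit(u).query, keep_blank_values=True)]
        if any(regex.fullmatch(name + "=") for name in names):
            hits.append(u)
    return hits


if __name__ == "__main__":
    rx = compile_gf_pattern(RCE_PATTERN_JSON)
    print("gf-style    :", gf_filter(SAMPLE_URLS, rx))
    print("param-aware :", param_name_filter(SAMPLE_URLS, rx))
```

The substring behaviour is what makes gf fast over millions of wayback lines; the stricter variant is worth running as a second pass when the first one returns too much noise.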