Regular test URL parameter test

Common Parameters#

I found a project called top25-parameter that lists some commonly used parameters for exploiting common vulnerabilities and extends them:

Top 25 XSS parameters:

Top 25 Cross-Site Scripting (XSS) Parameters for @trbughunters  
  
?q={payload}  
?s={payload}  
?search={payload}  
?id={payload}  
?lang={payload}  
?keyword={payload}  
?query={payload}  
?page={payload}  
?keywords={payload}  
?year={payload}  
?view={payload}  
?email={payload}  
?type={payload}  
?name={payload}  
?p={payload}  
?month={payload}  
?immagine={payload}  
?list_type={payload}  
?url={payload}  
?terms={payload}  
?categoryid={payload}  
?key={payload}  
?l={payload}  
?begindate={payload}  
?enddate={payload}

Top 25 SSRF parameters:

Top 25 Server-Side Request Forgery (SSRF) Parameters for @trbughunters  
  
?dest={target}  
?redirect={target}  
?uri={target}  
?path={target}  
?continue={target}  
?url={target}  
?window={target}  
?next={target}  
?data={target}  
?reference={target}  
?site={target}  
?html={target}  
?val={target}  
?validate={target}  
?domain={target}  
?callback={target}  
?return={target}  
?page={target}  
?feed={target}  
?host={target}  
?port={target}  
?to={target}  
?out={target}  
?view={target}  
?dir={target}

Top 25 LFI parameters:

Top 25 Local File Inclusion (LFI) Parameters for @trbughunters  
  
?cat={payload}  
?dir={payload]  
?action={payload}  
?board={payload}  
?date={payload}  
?detail={payload}  
?file={payload}  
?download={payload}  
?path={payload}  
?folder={payload}  
?prefix={payload}  
?include={payload}  
?page={payload]  
?inc={payload}  
?locate={payload}  
?show={payload}  
?doc={payload}  
?site={payload}  
?type={payload}  
?view={payload}  
?content={payload}  
?document={payload}  
?layout={payload}  
?mod={payload}  
?conf={payload}

Top 25 SQL injection parameters:

Top 25 SQL Injection Parameters for @trbughunters  
  
?id=  
?page=  
?dir=  
?search=  
?category=  
?file=  
?class=  
?url=  
?news=  
?item=  
?menu=  
?lang=  
?name=  
?ref=  
?title=  
?view=  
?topic=  
?thread=  
?type=  
?date=  
?form=  
?join=  
?main=  
?nav=  
?region=

Top 25 command execution parameters:

?cmd=  
?exec=  
?command=  
?execute=  
?ping=  
?query=  
?jump=  
?code=  
?reg=  
?do=  
?func=  
?arg=  
?option=  
?load=  
?process=  
?step=  
?read=  
?function=  
?req=  
?feature=  
?exe=  
?module=  
?payload=  
?run=  
?print=

Top 25 open redirect parameters:

?next=  
?url=  
?target=  
?rurl=  
?dest=  
?destination=  
?redir=  
?redirect_uri?,  
?redirect_url=  
?redirect=  
?out=  
?view=  
?to=  
?image_url=  
?go=  
?return=  
?returnTo=  
?return_to=  
?checkout_url=  
?continue=  
?return_path=

How to Apply#

In practice, these parameters can be used by collecting the parameters from the URLs of the target domain/IP. For example, if the URL is http://www.xx.com/index.php?id=1, you can directly filter out the id parameter, which may have an SQL injection vulnerability. Parameters following the ? have a high probability of being unfiltered and can be controlled.

The program used is gf, https://github.com/tomnomnom/gf.

Compile gf using Go:

go get -u github.com/tomnomnom/gf

After compilation, load the JSON configuration file. Below is an example configuration file for RCE:

{  
    "flags": "-iE",  
    "patterns": [  
        "daemon=",  
        "upload=",  
        "dir=",  
        "download=",  
        "log=",  
        "ip=",  
        "cli=",  
        "cmd=",  
        "exec=",  
        "command=",  
        "execute=",  
        "ping=",  
        "query=",  
        "jump=",  
        "code=",  
        "reg=",  
        "do=",  
        "func=",  
        "arg=",  
        "option=",  
        "load=",  
        "process=",  
        "step=",  
        "read=",  
        "function",  
        "req=",  
        "feature=",  
        "exe=",  
        "module=",  
        "payload=",  
        "run=",  
        "print="  
    ]  
}

With the JSON file, you can filter out the parameters when testing the URL. For example, if there is a URL like http://xxx.com/index.php?cmd=ls, you can filter it out using the JSON script that contains the RCE parameters.

% cat test.txt   
http://xxx.com/index.php?cmd=ls  
  
% cat test.txt | gf rce  
http://xxx.com/index.php?cmd=ls

Now you need to configure gf to automatically recognize the JSON scripts placed in ~/.gf folder. Press the tab key to automatically complete the JSON file. The listed files are all JSON files:

%E5%B8%B8%E8%A7%84%E6%B5%8B%E8%AF%95%E4%B8%ADurl%E5%8F%82%E6%95%B0%E6%B5%8B%E8%AF%95%20bfbbd4b8eb864ed3aa12113d45e5a6fd/Untitled%205.png

After the configuration is complete, you can use the gf command followed by the tab key to automatically load the JSON files.
To collect URLs, there are many methods, usually in a batch manner. First, collect all the domain names and subdomains, and then collect the parameters from the URLs.

The following applications can be used to collect URLs:

The scanning process is quite simple.

Here is an example using Gf-Patterns:

cat subdomains.txt | waybackurls | sort -u >> waybackdata | gf ssrf | tee -a ssfrparams.txt
cat subdomains.txt | waybackurls | sort -u >> waybackdata | gf ssrf | tee -a ssfrparams.txt