0x01 Arbitrary URL jump
No restriction at all: whatever URL comes in is redirected to.
Vulnerable example code:
```php
<?php
$redirect_url = $_GET['url'];          // attacker-controlled, used verbatim
header("Location: " . $redirect_url);  // no scheme or host check before the redirect
exit;
?>
```
Payload: ?url=www.baidu.com jumps to the Baidu home page. (Strictly speaking, a scheme-less Location value is resolved by the browser relative to the current page, so the form that actually leaves the site is ?url=http://www.baidu.com or ?url=//www.baidu.com.)
0x02 Encoding and decoding
I came across a case like this in a black-box test before and found it a bit interesting; I'll write a demo to reproduce it.
Vulnerable example code:
```php
<?php
$url = base64_decode($_GET['url']);  // decoding is not validation: any URL survives the round trip
header("Location: " . $url);
?>
```
The client base64-encodes the URL, the server decodes the parameter and then redirects to the result; the encoding hides the target from casual inspection but restricts nothing.
http://www.baidu.com base64-encodes to aHR0cDovL3d3dy5iYWlkdS5jb20=
Payload: ?url=aHR0cDovL3d3dy5iYWlkdS5jb20=
0x03 Whitelist Restriction
0x04 Bypass techniques
Using the default protocol (scheme-relative URLs; browsers treat a backslash like a forward slash, so all of these are equivalent to ?url=//www.baidu.com):
?url=\\www.baidu.com
?url=\/www.baidu.com
?url=\\\\www.baidu.com
Using a question mark (the whitelisted host ends up in the query string):
?url=www.evil.com?www.aaa.com
Using a hash mark # (the whitelisted host ends up in the fragment):
www.aaa.com?ReturnUrl=http://www.evil.c…
Other forms (the browser turns the backslash into a path separator, so the host it connects to is www.baidu.com):
?url=www.baidu.com\aaa.com
?url=www.baidu.com\\aaa.com
Suffix tricks:
Using the @ symbol (everything before the @ is userinfo; the browser connects to the host after it):
?url=[email protected]
Other forms: www.aaa.com.evil.com (the trusted name is just a prefix of the attacker's hostname)
Other ideas: use an IP address, an IPv6 address, or an ftp:// or gopher:// URL in place of the domain name.
Bypass case (whitelist restriction):
?redirect_uri=www.baidu.com
Trying to jump to another site shows that a whitelist is in place: any domain other than qq.com is refused with an error saying the jump link is illegal.
Using a question mark to get around the restriction:
?redirect_uri=www.qq.com?http://www.baidu….
?redirect_uri=www.baidu.com?&http://www.qq.com
?redirect_uri=www.baidu.com/test.html?&…
?redirect_uri=www.baidu.com\\test.html?&http://www.qq.com
The code checks whether the domain is the target domain, but developers like to implement that as a string-contains check:
www.aaa.com?returnUrl=http://www.aaa.co…
www.aaa.com?returnUrl=http://www.evil.c…
www.aaa.com?returnUrl=http://www.xxxaaa…
Once the URL can carry the special characters above, all kinds of bypasses open up. For example,
using a backslash:
www.aaa.com?returnUrl=http://www.evil.c…
www.aaa.com?returnUrl=http://www.evil.c…
Multiple hops: aaa.com trusts ccc.com, and ccc.com itself is vulnerable or offers a jump service:
www.aaa.com?returnUrl=http://www.ccc.co…
In real-world hunting the methods above can be combined, and URL encoding or an IP address in place of the domain name can be used as well.
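The following is an added example (not code from the original post) that puts the string-contains check the post describes next to a strict host check, and runs both over the bypass shapes listed in 0x04 and in the Tencent case above. It is written in Python rather than the post's PHP; the hosts www.aaa.com (whitelisted) and www.evil.com (attacker) follow the post's naming, and the names TRUSTED_HOST, EVIL_HOST, naive_check, strict_check and bypass_payloads are my own. The payload list is constructed from the post's tricks, not captured from a real target.

```python
"""Naive string-contains whitelist vs. a strict host check for an open-redirect parameter.

Assumed names (not from the post's own code): TRUSTED_HOST, EVIL_HOST, naive_check,
strict_check, bypass_payloads. Hosts follow the post's www.aaa.com / www.evil.com examples.
"""
from urllib.parse import urlsplit

TRUSTED_HOST = "www.aaa.com"   # the whitelisted site (assumed)
EVIL_HOST = "www.evil.com"     # attacker-controlled site (assumed)


def naive_check(url: str) -> bool:
    """The check the post describes: the trusted domain merely has to appear somewhere."""
    return TRUSTED_HOST in url


def bypass_payloads(trusted: str = TRUSTED_HOST, evil: str = EVIL_HOST) -> list[str]:
    """Constructed redirect targets, one per trick in the post; every one contains `trusted`."""
    return [
        f"http://{evil}?{trusted}",            # question mark: trusted host lands in the query
        f"http://{evil}#{trusted}",            # hash mark: trusted host lands in the fragment
        f"http://{trusted}@{evil}",            # '@': trusted host is userinfo, browser goes to evil
        f"http://{trusted}.{evil}",            # suffix: trusted name is just a label of evil's hostname
        f"http://{evil}\\{trusted}",           # backslash: browsers turn '\' into '/', path /www.aaa.com
        f"http://{evil}?&http://{trusted}",    # the '?&http://...' shape from the Tencent case
        f"\\\\{evil}?{trusted}",               # scheme-relative '\\host', equivalent to '//host'
    ]


def strict_check(url: str, trusted: str = TRUSTED_HOST) -> bool:
    """Allow only absolute http(s) URLs whose host is exactly the trusted host.

    Two things a plain `hostname ==` comparison would miss:
    * Python's urlsplit does not treat '\\' as a path separator, but browsers do, so a
      backslash in the authority means the browser will end up at a different host.
    * '@' in the authority means everything before it is userinfo, not the host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # rejects '', '\\host', ftp://, gopher://, javascript:
    if "\\" in parts.netloc or "@" in parts.netloc:
        return False                      # server and browser would disagree about the host
    return parts.hostname == trusted      # .hostname is lowercased and has the port removed


if __name__ == "__main__":
    for p in bypass_payloads():
        print(f"{p!r:45} naive={naive_check(p)!s:5} strict={strict_check(p)}")
```

Every constructed payload passes naive_check and fails strict_check. The stricter alternative when the application only ever needs to return to its own pages is to accept a relative path and build the redirect target server-side, which removes the host comparison altogether.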
Reference links:
Web penetration basics case: a URL jump that bypasses Tencent's jump restriction
www.apgy.club/temp/url.ht…
Sharing a few ideas for bypassing URL jump restrictions
www.anquanke.com/post/id/943…