0x01 Url Hops Arbitrarily

Did not do any restrictions, incoming any url can be jumped.

Vulnerability example code:

<? php $redirect_url = $_GET['url']; header("Location: " . $redirect_url); exit; ? >Copy the code

Content:? Url =www.baidu.com, you can jump to baidu home page

0x02 Encoding and decoding

I met a case in black box testing before, and I feel a little interesting. I’ll write a demo to reproduce it

Vulnerability example code:

<? php $url = base64_decode($_GET['url']); header("Location: " . $url); ? >Copy the code

The URL is base64 encoded, and the parameters are passed to the server for decoding, and then the URL jump is performed.

www.baidu.com aHR0cDovL3d3dy5iYWlkdS5jb20 = after base64 encoding

Paylod:? url=aHR0cDovL3d3dy5iYWlkdS5jb20=

0x03 Whitelist Restriction

 

 

0x04 Bypass position

 

Using the default protocol? Url =\\www.baidu.com? Url =\/www.baidu.com? Url =\\\\www.baidu.com is equivalent to:? Url = www.baidu.comCopy the code

Using question marks? 😕 url=www.evil.com?www.aaa.com

Use hashtag # : www.aaa.com? ReturnUrl =http://www.evil.c…

Other forms:

? url=www.baidu.com\aaa.com

? url=www.baidu.com\\aaa.com

The suffix type

Using the @ symbol:? [email protected]

Other formats: www.aaa.com.evil.com

 

Other ideas: Use an IP address, IPv6 address, FTP or Gopher

Copy the code

 

 

 

 

 

 

 

Bypass cases:

 

Whitelist restriction

? redirect_uri=www.baidu.com

Use question marks to get around restrictions

? redirect_uri=www.baidu.com

 

 

Try to jump to other sites when found to do whitelist restrictions, not QQ domain name forbidden jump, will report an error said jump link illegal

 

? redirect_uri=www.baidu.com

? Redirect_uri=www.qq.com? http://www.baidu….

 

? redirect_uri=www.baidu.com?&http://www.qq.com

? Redirect_uri=www.baidu.com/test.html?&…

? redirect_uri=www.baidu.com\\test.html?&http://www.qq.com

 

Determine whether the domain is the target domain in the code, but developers like to use string inclusion to determine

www.aaa.com?returnUrl=http://www.aaa.co…

www.aaa.com?returnUrl=http://www.evil.c…

www.aaa.com?returnUrl=http://www.xxxaaa…

If the URL with the various characteristics of the symbol, but a variety of bypass posture. Such as

 

Using a backslash:

www.aaa.com?returnUrl=http://www.evil.c…

www.aaa.com?returnUrl=http://www.evil.c…

 

Multiple hops, that is, AAA trusts CCC, CCC also has vulnerabilities or provides jump services:

www.aaa.com?returnUrl=http://www.ccc.co…

In the actual mining process, the above methods can be mixed, and even USE URL coding, IP address instead of domain name.

 

Reference links:

Web penetration base case – URL jump bypasses Tencent restrictions for jump

www.apgy.club/temp/url.ht…

Share a few ideas for getting around the URL jump restriction

www.anquanke.com/post/id/943…