burpsuite\u7684app\u4e5f\u7c21\u7a31bapp\uff0c\u53ef\u64f4\u5c55\u8a31\u591a\u66f4\u9032\u968e\u7684\u529f\u80fd\uff0c\u5728bapp store\u4e0a\u53ef\u4ee5\u9078\u64c7\u591a\u500bbapp\u4e26\u4e0b\u8f09\uff0c\u5e7e\u500b\u5e38\u898b\u7684bapp\u4ecb\u7d39\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u529f\u80fd: \u80fd\u5920\u81ea\u52d5\u5c0b\u627eHTTP\u6a19\u982d\u4e2d\u7684SSRF\uff0c\u8a72\u529f\u80fd\u5c07\u5c0d\u6bcf\u500b\u8acb\u6c42\u653e\u5165\u5e38\u898b\u7684header\u505a\u6e2c\u8a66\u4e26\u9032\u884c\u91cd\u9001 <\/p>\n\n\n\n
\u4f7f\u7528\u65b9\u6cd5:<\/p>\n\n\n\n
\u53ef\u4ee5\u628a\u8981\u5206\u6790\u7684\u76ee\u6a19\u7db2\u7ad9\u6307\u5b9a\u5728 refer \u529f\u80fd\u6e2c\u8a66\u53ef\u53c3\u8003: <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u53ef\u767c\u73fe\u6f5b\u5728\u7684\u96b1\u85cf\u53c3\u6578\u3002\u5c0d\u65bc\u67e5\u627eweb cache poision\u5f88\u6709\u5e6b\u52a9<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5:<\/p>\n\n\n\n \u5728 \u6709\u56db\u500b\u9078\u9805\u53ef\u4ee5\u7528<\/p>\n\n\n\n \u9078\u64c7\u5f8c\u6703\u5c0d\u8acb\u6c42\u50b3\u9001\u6e2c\u8a66\u8acb\u6c42\u5230\u76ee\u6a19,\u6e2c\u8a66\u5b8c\u53ef\u4ee5 \u8209\u4f8b\u4f86\u8aaa\uff0c\u5982\u679c\u767c\u73fex-forwarded-host\u548cx-original-url\u6709\u554f\u984c\u6703\u986f\u793a\u5982\u4e0b\u4fe1\u606f<\/p>\n\n\n\n refer \u529f\u80fd\u6e2c\u8a66\u53ef\u53c3\u8003: <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u53ef\u4ee5\u4f7f\u7528\u6975\u4f4e\u7684\u8cc7\u6e90\u975e\u5e38\u5feb\u901f\u7684\u767c\u9001\u8acb\u6c42<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5:<\/p>\n\n\n\n \u4ee5\u55ae\u500b\u8acb\u6c42\u653b\u64ca\u65b9\u6cd5\u70ba\u4f8b, \u5148\u9078\u64c7\u4e00\u500b\u8acb\u6c42\u6309\u53f3\u9375\u9078 \u7136\u5f8c\u5728\u4e0b\u62c9\u9078\u55ae\u4e2d\u9078\u64c7 \u5b8c\u6574\u4ee3\u78bc\u5982\u4e0b(\u4ee5\u4e0b\u662f\u4f7f\u7528http2\u5354\u5b9a\u7684\u5beb\u6cd5)<\/p>\n\n\n\n <\/p>\n\n\n\n \u900f\u904e\u5f9e\u8acb\u6c42\u4e2d\u522a\u9664\u4e0d\u5fc5\u8981\u7684\u6a19\u982d\u548c cookie \u4f86\u6e1b\u5c11\u6bcf\u500b\u8acb\u6c42\u7684\u51fa\u7ad9\u6d41\u91cf\u8981\u6c42\uff0c\u4f7f\u5176\u76e1\u53ef\u80fd\u5c0f<\/p>\n\n\n\n \u901f\u5ea6\u6392\u540d\u4f9d\u5e8f\u662fEngine.HTTP2\uff0cEngine.THREADED\uff0cEngine.BURP2\uff0cEngine.BURP<\/p>\n\n\n\n \u76ee\u6a19\u662f\u627e\u5230\u4f7fRPS\uff08\u6bcf\u79d2\u8acb\u6c42\u6578\uff09\u503c\u6700\u5927\u5316\u7684\u503c\uff0c\u540c\u6642\u4f7f\u91cd\u8a66\u8a08\u6578\u5668\u4fdd\u6301\u63a5\u8fd10<\/p>\n\n\n\n \u4f7f\u7528Engine.BURP2\u6216Engine.BURP\u5f15\u64ce\uff0c\u53ea\u8981\u8abf\u6574concurrentConnections<\/p>\n\n\n\n \u4f7f\u7528Engine.HTTP2\u6216Engine.THREADED\uff0c\u53ef\u8abf\u6574\u7ba1\u9053\u3001requestsPerConnection\u548c\u4e26\u767c\u9023\u63a5\u53c3\u6578<\/p>\n\n\n\n \u4f8b\u5982table.add() \u6703\u70ba Swing \u57f7\u884c\u7dd2\u5e36\u4f86\u6c89\u91cd\u7684\u8ca0\u8f09\uff0c\u56e0\u6b64\u53ef\u4ee5\u900f\u904e\u5206\u6790\u6bcf\u500b\u56de\u61c9\u4f86\u6c7a\u5b9a\u662f\u5426\u5c07\u5176\u653e\u5165\u7d50\u679c\u8868\u4e2d\uff0c\u5f9e\u800c\u6e1b\u8f15\u7cfb\u7d71\u7684 CPU \u8ca0\u64d4\u3002\u53e6\u5916\uff0c\u907f\u514d\u4f7f\u7528\u6b63\u898f\u8868\u793a\u5f0f\u548c\u5faa\u74b0\u5b57\u4e32\u9023\u63a5\u3002<\/p>\n\n\n\n refer \u529f\u80fd\u6e2c\u8a66\u53ef\u53c3\u8003: <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u652f\u6301\u5404\u7a2ehash\u8f49\u7fa9\u548c\u7de8\u78bc,\u4f8b\u5982unicode,16\u9032\u5236,8\u9032\u5236,html\u5be6\u9ad4\u7b49\u7de8\u78bc, \u4e26\u5177\u6709\u81ea\u52d5\u89e3\u78bc\u529f\u80fd,\u53ef\u4ee5\u731c\u6e2c\u6240\u9700\u8981\u8f49\u63db\u7684\u985e\u578b\u4e26\u81ea\u52d5\u89e3\u78bc\u591a\u5c11<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5<\/p>\n\n\n\n \u5728\u8acb\u6c42\u4e2d\u9078\u64c7\u60f3\u5206\u6790\u7684\u5167\u5bb9\u6309\u53f3\u9375\u9078 <\/p>\n\n\n\n refer <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u53ef\u5728\u9001\u51fa\u8acb\u6c42\u6642\u81ea\u52d5\u6839\u64dapython\u4ee3\u78bc\u505a\u4fee\u6539<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5: <\/p>\n\n\n\n \u4f7f\u7528\u8a72\u529f\u80fd\u524d\u9700\u8981\u5148\u8b93burpsuite\u5b89\u88ddpython standalone\u7368\u7acbjar\u5305, \u53ef\u5728http:\/\/www.jython.org\u4e0b\u8f092.7.0\u7248\u672c.\u7136\u5f8c\u5230burpsuite\u7684 \u63a5\u8457\u5c31\u53ef\u4ee5\u5230 <\/p>\n\n\n\n refer <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u63d0\u4f9bburpsuite Marcos\u66f4\u591a\u529f\u80fd, \u4f8b\u5982\u80fd\u984d\u5916\u652f\u63f4json\u683c\u5f0f(\u5167\u5efa\u529f\u80fd\u4e0d\u652f\u63f4) .<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5<\/p>\n\n\n\n \u5728cph option \u8a2d\u5b9ascope: intruder, repeater<\/p>\n\n\n\n \u5728cph tab\u8a2d\u5b9a\u5982\u4e0b<\/p>\n\n\n\n 1 find matches to this expression 2 target 3 replace each target with this expression 4 choose the value i need is dynamic <\/p>\n\n\n\n refer <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u53ef\u81ea\u52d5\u8abf\u7528sqlmap\u5c0d\u8acb\u6c42\u505a\u6e2c\u8a66<\/p>\n\n\n\n \u4f7f\u7528\u65b9\u6cd5:<\/p>\n\n\n\n \u6ce8\u610f\u4e8b\u9805: \u8a72\u5de5\u5177\u4e0d\u6703\u628a\u6240\u6709header\u90fd\u9001\u51fa\u53bb,\u8981\u81ea\u5df1\u5230 \u4f8b\u5982: <\/p>\n\n\n\n refer <\/p>\n\n\n\n \u5176\u4ed6\u53ef\u7528\u505asqlmap\u81ea\u52d5\u6e2c\u8a66\u7684app\u9084\u6709<\/p>\n\n\n\n refer<\/p>\n\n\n\n https:\/\/t0data.gitbooks.io\/burpsuite\/content\/chapter18.html<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u529f\u80fd:\u53ef\u5206\u6790jwt token\u4e26\u4fee\u6539token\u5167\u5bb9<\/p>\n\n\n\ntarget scope<\/code>\u4e26\u700f\u89bd\uff0c\u6b64\u529f\u80fd\u5c31\u6703\u9032\u884c\u5206\u6790\u3002\u5982\u679c\u6709\u767c\u73fe\u4efb\u4f55\u7570\u5e38\u5c07\u986f\u793a\u5728Issue<\/code>\u4e2d \u3002<\/p>\n\n\n\n
http:\/\/blog.portswigger.net\/2017\/07\/cracking-lens-targeting-https-hidden.html<\/a> <\/p>\n\n\n\n
Lab: Blind SSRF with Shellshock exploitation<\/p>\n\n\n\n
\n\n\n\nparam miner<\/h2>\n\n\n\n
Target<\/code>><\/code><\/span>Site map<\/code> \u6307\u5b9a\u5176\u4e2d\u4e00\u500b\u8acb\u6c42\u6309\u53f3\u9375\u9078Extensions > <\/span>Param Miner > <\/span>Guess params<\/code><\/p>\n\n\n\n\n
Extensions > <\/span>Installed > <\/span>Param Miner > <\/span>Output <\/code>\u770b\u7d50\u679c<\/p>\n\n\n\nQueued 1 attacks\nInitiating header bruteforce on 0af00023034b2a7380814e2c00a5009e.web-security-academy.net\nIdentified parameter on 0af00023034b2a7380814e2c00a5009e.web-security-academy.net: x-forwarded-host~%s.%h\nIdentified parameter on 0af00023034b2a7380814e2c00a5009e.web-security-academy.net: x-original-url~\/%s\n<\/code><\/pre>\n\n\n\n
https:\/\/cn-sec.com\/archives\/2316992.html
https:\/\/www.wangan.com\/p\/7fygfgb3a9adb6b1<\/p>\n\n\n\n
Lab: Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
Lab: Combining web cache poisoning vulnerabilities<\/p>\n\n\n\n
\n\n\n\nTurbo Intruder<\/h2>\n\n\n\n
Extensions > Tubo Intruder > Send to Turbo Intruder<\/code>,\u628a\u539f\u672c\u8acb\u6c42\u6b04\u4f4d\u4e2d\u9700\u8981\u66f4\u63db\u7684\u503c\u66ff\u63db\u6210%s<\/code><\/p>\n\n\n\nexamples\/race-single-packer-attack.py<\/code>,\u4e26\u4f7f\u7528passwords = wordlists.clipboard<\/code>\u529f\u80fd,\u9019\u6703\u8981\u6c42\u6b64\u5de5\u5177\u4f7f\u7528\u526a\u8cbc\u7c3f\u7684\u5217\u8868<\/p>\n\n\n\ndef queueRequests(target, wordlists):\n # as the target supports HTTP\/2, use engine=Engine.BURP2 and concurrentConnections=1 for a single-packet attack\n engine = RequestEngine(endpoint=target.endpoint,\n concurrentConnections=1,\n engine=Engine.BURP2\n )\n \n # assign the list of candidate passwords from your clipboard\n passwords = wordlists.clipboard\n \n # queue a login request using each password from the wordlist\n # the 'gate' argument withholds the final part of each request until engine.openGate() is invoked\n for password in passwords:\n engine.queue(target.req, password, gate='1')\n \n # once every request has been queued\n # invoke engine.openGate() to send all requests in the given gate simultaneously\n engine.openGate('1')\n\ndef handleResponse(req, interesting):\n table.add(req)<\/code><\/pre>\n\n\n\n\u52a0\u901f\u7b56\u7565<\/h3>\n\n\n\n
1.\u6e1b\u5c11\u8acb\u6c42\u982d\u5927\u5c0f<\/h4>\n\n\n\n
2.\u9078\u64c7\u6700\u5feb\u7684\u5f15\u64ca<\/h4>\n\n\n\n
3.\u8abf\u6574\u5f15\u64ce\u8a2d\u5b9a<\/h4>\n\n\n\n
4.\u512a\u5316\u56de\u547c\u7a0b\u5f0f\u78bc<\/h4>\n\n\n\n
https:\/\/mp.weixin.qq.com\/s?__biz=MzAxNDM3NTM0NQ==&mid=2657035813&idx=3&sn=367a002882fbcf76bef85f1424067513&chksm=803fc6fbb7484fed3c007fb39044611b5736bf7429033b393333f7ca118961f2e3b89834b397&scene=0&xtrack=1<\/a>
https:\/\/portswigger.net\/research\/turbo-intruder-embracing-the-billion-request-attack<\/a><\/p>\n\n\n\n
Lab: Web shell upload via race condition
Lab: Server-side pause-based request smuggling
Lab: Bypassing rate limits via race conditions<\/p>\n\n\n\n
\n\n\n\nHackvertor<\/h2>\n\n\n\n
Extensions > Hackvertor > Encode > dec_entities\/hex_entities <\/code><\/p>\n\n\n\n
https:\/\/portswigger.net\/bappstore\/65033cbd2c344fbabe57ac060b5dd100<\/a>
https:\/\/portswigger.net\/web-security\/sql-injection\/lab-sql-injection-with-filter-bypass-via-xml-encoding<\/a><\/p>\n\n\n\n
\n\n\n\nPython Scripter<\/h2>\n\n\n\n
extender \/ option \/ python environment<\/code> \u6307\u5b9a\u8a72jar\u5305<\/p>\n\n\n\npython scripter<\/code>\u64b0\u5bebpython\u4ee3\u78bc\u81ea\u52d5\u4fee\u6539\u8acb\u6c42<\/p>\n\n\n\n
https:\/\/www.freebuf.com\/news\/193657.html<\/a><\/p>\n\n\n\n
\n\n\n\nCPH<\/h2>\n\n\n\n
ex:(messageId\\\"\\:\\\")(.{32,32})<\/code><\/p>\n\n\n\nthe first<\/code> of the matches<\/p>\n\n\n\n
ex:\\g<1>\\g<mid><\/code><\/p>\n\n\n\n
\u7136\u5f8c\u9078\u64c7value returned by issuing a sequence of requests<\/code>\u7136\u5f8c\u5728\u4e0b\u65b9\u586b\u65b9expression
ex:messageId\\\"\\:\\\"(?P<mid>.*?)\"\\,\\\"expire<\/code><\/p>\n\n\n\n
https:\/\/www.anquanke.com\/post\/id\/231145<\/a><\/p>\n\n\n\n
\n\n\n\nSQLiPy<\/h2>\n\n\n\n
\n
python sqlmapapi.py<\/a> -s -H <IP> -p <Port><\/code><\/li>\n\n\n\nsqlmap api<\/code>\u5340\u57df\u6307\u5b9aIP\u548cport\u5f8c\u9ede\u64castart api<\/li>\n<\/ol>\n\n\n\nCUSTOMER HEADER<\/code>\u589e\u52a0\u539f\u8acb\u6c42\u7684header<\/p>\n\n\n\n
\u5728headers\u6b04\u4f4d\u589e\u52a0Content-Type: application\/json\\nAccept-Language: en-US<\/code>,\u5982\u56f0\u8981\u589e\u52a0\u591a\u500bheader\u90a3\u8981\u7528\\n<\/code>\u505a\u5206\u9694<\/p>\n\n\n\n
https:\/\/portswigger.net\/support\/using-burp-with-sqlmap<\/a><\/p>\n\n\n\n\n
\n\n\n\nJWT Editor <\/h2>\n\n\n\n