一、挖洞环境
1.1 Burp
下载链接:https://portswigger.net/burp/releases
破解
1.2 插件
1.2.1 浏览器插件
-
ZeroOmega(代理插件)
-
域名过滤
-
-
FindSomething(js扫描 敏感信息提取)
-
User-Agent Switcher and Manager (修改浏览器UA标识的)
-
HackBar(做测试如:SQL注入、XSS·········)
-
篡改猴
-
Burp中的HTTP History的域名过滤
//以下排除内容都为半匹配,即包含以下任意内容都会被过滤掉
//需要排除的域名
String[] domainExclude = {
"freebuf.com",
"hm.baidu.com",
};
//需要排除的请求路径或文件后缀
String[] pathExclude = {".js","/check-design-v2","/im/getUnread",".srf","interfacev2/get",".TTF","/aiPrivateEducation/common/message","/gateway/","/aiPrivateEducation/common/message-all","/ztbox?","/ai_anchor/round/info",".mp4",".wav","/log/","/filestreamingservice/","poststring_en","checkWhiteList","WebSocket",".woff",".ttf",".css",".svg",".pdf",".png",".html",".gif",".jpg",".jpeg",".ico","alive?callback","/sso/sync/redirect"};
//需要排除的HTTP方法
String[] methodExclude = {"OPTIONS", "HEAD"};
//需要排除的响应类型,包括图片、字体文件、二进制、CSS、脚本文件
MimeType[] mimetypeExclude = {
MimeType.APPLICATION_UNKNOWN, MimeType.UNRECOGNIZED,
MimeType.FONT_WOFF2, MimeType.FONT_WOFF,
MimeType.VIDEO, MimeType.SOUND,
MimeType.IMAGE_TIFF, MimeType.IMAGE_BMP, MimeType.IMAGE_PNG, MimeType.IMAGE_GIF, MimeType.IMAGE_JPEG, MimeType.IMAGE_UNKNOWN,
MimeType.CSS
};
//需要排除的请求体内容
String[] bodyExclude = {""};
String host = requestResponse.request().httpService().host();
String path = requestResponse.request().path();
String method = requestResponse.request().method();
String body = requestResponse.request().body().toString();
var mimeType = requestResponse.mimeType();
return Arrays.stream(domainExclude).noneMatch(it -> host.contains(it))
&& Arrays.stream(pathExclude).noneMatch(it -> path.contains(it))
&& Arrays.stream(methodExclude).noneMatch(it -> method.contains(it))
// && Arrays.stream(mimetypeExclude).noneMatch(it -> mimeType == it)
&& Arrays.stream(bodyExclude).filter(it -> it != null && it.length() != 0).noneMatch(it -> body.contains(it));
-
抓包过滤
1.2.2 Burp插件
Bypasspro
是用来绕过的
GET /userManage/userList?type=0&pageno=1&pagesize=10
HOST:smmna.cn
403 Forbidden (服务器理解该请求但拒绝执行/访问被拒绝)
401 Unauthorized (未授权)
HaE
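---
# HaE rule set. Each rule applies f_regex to the given scope and highlights the
# match with color; s_regex and format shape the extracted text (see the
# "Js节点" rule, which renders two groups as '{0}.{1}'). Regex values are kept
# as plain scalars where they start with a safe character; values starting
# with '[' or '^' are quoted so YAML does not read them as flow collections.
rules:
  - group: 疑似漏洞
    rule:
      - name: GET 明文id
        loaded: true
        f_regex: (\b(?<!_)(id|\w+id)=(\d{2,15})\b(?![-_\\/]))
        s_regex: ''
        format: '{0}'
        color: green
        scope: request line
        engine: nfa
        sensitive: false
      - name: GET JSON id
        loaded: true
        f_regex: ((?:'|")?([a-zA-Z_]*[iI][dD])(?:'|")?\s*:\s*(?:('|")?(\d{2,15})(?![a-zA-Z0-9_\\/-])('|")?|\s*(\d{2,15})(?![a-zA-Z0-9_\\/-])))
        s_regex: ''
        format: '{0}'
        color: green
        scope: request line
        engine: nfa
        sensitive: false
      - name: GET JSON编码 id
        loaded: true
        f_regex: ((?:%22|%27)?([a-zA-Z_]*id[a-zA-Z0-9.]*)(?:%22|%27)?\s*(?:%3A|:)\s*(?:%22|%27)?(\d{2,15})(?!([a-zA-Z0-9_\\/-]))(?:%22|%27)?)
        s_regex: ''
        format: '{0}'
        color: green
        scope: request line
        engine: nfa
        sensitive: false
      - name: POST 明文id
        loaded: true
        f_regex: (\b(?<!_)(id|\w+id)=(\d{2,15})\b(?![-_\\/]))
        s_regex: ''
        format: '{0}'
        color: green
        scope: request body
        engine: nfa
        sensitive: false
      - name: POST JSON id
        loaded: true
        f_regex: ((?:'|")?([a-zA-Z_]*[iI][dD])(?:'|")?\s*:\s*(?:('|")?(\d{2,15})(?![a-zA-Z0-9_\\/-])('|")?|\s*(\d{2,15})(?![a-zA-Z0-9_\\/-])))
        s_regex: ''
        format: '{0}'
        color: green
        scope: request body
        engine: nfa
        sensitive: false
      - name: POST JSON编码 id
        loaded: true
        f_regex: ((?:%22|%27)?([a-zA-Z_]*id[a-zA-Z0-9.]*)(?:%22|%27)?\s*(?:%3A|:)\s*(?:%22|%27)?(\d{2,15})(?!([a-zA-Z0-9_\\/-]))(?:%22|%27)?)
        s_regex: ''
        format: '{0}'
        color: green
        scope: request body
        engine: nfa
        sensitive: false

  - group: 指纹信息
    rule:
      - name: Shiro
        loaded: true
        f_regex: (=deleteMe|rememberMe=)
        s_regex: ''
        format: '{0}'
        color: red
        scope: any header
        engine: nfa
        sensitive: true
      - name: ueditor
        loaded: true
        f_regex: (ueditor\.(config|all)\.js)
        s_regex: ''
        format: '{0}'
        color: green
        scope: response body
        engine: dfa
        sensitive: false

  - group: 敏感信息
    rule:
      - name: 密码
        loaded: true
        f_regex: ((|'|")([p](ass|wd|asswd|assword))(|'|")(:|=)( |)('|")(.*?)('|")(|,))
        s_regex: ''
        format: '{0}'
        color: red
        scope: response body
        engine: nfa
        sensitive: false
      - name: 账号
        loaded: true
        f_regex: ((|'|")(([u](ser|name|ame|sername))|(account))(|'|")(:|=)( |)('|")(.*?)('|")(|,))
        s_regex: ''
        format: '{0}'
        color: yellow
        scope: response body
        engine: nfa
        sensitive: false
      - name: JDBC
        loaded: true
        f_regex: (jdbc:[a-z:]+://[a-z0-9\.\-_:;=/@?,&]+)
        s_regex: ''
        format: '{0}'
        color: red
        scope: any
        engine: nfa
        sensitive: false
      - name: Cloud key
        loaded: true
        f_regex: (((access)(|-|_)(key)(|-|_)(id|secret))|(LTAI[a-z0-9]{12,20}))
        s_regex: ''
        format: '{0}'
        color: yellow
        scope: response body
        engine: nfa
        sensitive: false
      - name: Js节点
        loaded: true
        f_regex: (\{[^{}]*\}\s*\[[^\s]*\]\s*\+\s*"[^\s]*\.js")
        s_regex: '"?([\w].*?)"?:"(.*?)"'
        format: '{0}.{1}'
        color: green
        scope: response body
        engine: nfa
        sensitive: false

  - group: 基础信息
    rule:
      - name: 邮箱
        loaded: true
        f_regex: (([a-z0-9][_|\.])*[a-z0-9]+@([a-z0-9][-|_|\.])*[a-z0-9]+\.((?!js|css|jpg|jpeg|png|ico)[a-z]{2,}))
        s_regex: ''
        format: '{0}'
        color: yellow
        scope: response body
        engine: nfa
        sensitive: false
      # The 15-digit branch used to end in `$`, which can never be followed by
      # the trailing [^0-9] unless the number sits at the very end of the
      # body; the anchor is dropped so it matches mid-body like the 18-digit
      # branch does.
      - name: 身份证
        loaded: true
        f_regex: '[^0-9]((\d{8}(0\d|10|11|12)([0-2]\d|30|31)\d{3})|(\d{6}(18|19|20)\d{2}(0[1-9]|10|11|12)([0-2]\d|30|31)\d{3}(\d|X|x)))[^0-9]'
        s_regex: ''
        format: '{0}'
        color: red
        scope: response body
        engine: nfa
        sensitive: false
      - name: 电话号
        loaded: true
        f_regex: '[^\w]((?:(?:\+|00)86)?1(?:(?:3[\d])|(?:4[5-79])|(?:5[0-35-9])|(?:6[5-7])|(?:7[0-8])|(?:8[\d])|(?:9[189]))\d{8})[^\w]'
        s_regex: ''
        format: '{0}'
        color: yellow
        scope: response body
        engine: nfa
        sensitive: true
      # NOTE(review): ^…$ anchors this to the whole scanned text, so it only
      # fires when the body is nothing but the number — confirm whether HaE
      # matches per line before relying on it.
      - name: 银行卡号
        loaded: true
        f_regex: '^[\dX]{16,19}$'
        s_regex: ''
        format: '{0}'
        color: red
        scope: response body
        engine: nfa
        sensitive: true
      - name: 车牌号
        loaded: true
        f_regex: ([京津沪渝冀豫云辽黑湘皖鲁新苏浙赣鄂桂甘晋蒙陕吉闽贵粤青藏川宁琼使领][A-HJ-NP-Z][A-HJ-NP-Z0-9]{4,5}[A-HJ-NP-Z0-9挂学警港澳])
        s_regex: ''
        format: '{0}'
        color: yellow
        scope: response body
        engine: nfa
        sensitive: true
      - name: 路由跳转
        loaded: true
        f_regex: (\$router\.push)
        s_regex: ''
        format: '{0}'
        color: magenta
        scope: response body
        engine: dfa
        sensitive: false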