Fuzzing a URL regex

Body:

My own regex skills are pretty bad, and anything I wrote myself would probably be even worse, so I just grabbed two ready-made URL regexes from the internet:

```java
regex  = "^(http|https:\\/\\/)?[\\w-.]+.(baidu).com($|\\/|\\)/i)"
regex1 = "(http|https)://([\\w-]+.)+(baidu)+(/[\\w- ./?%&=]*)?"
```

They look plausible enough, but I have no idea how well they actually work, so let's write a test script.

Test demo

I searched for ages and couldn't find a URL-redirect dictionary... so I had to build the payloads by hand from my own notes.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UrlRegexFuzz {

    public static void main(String[] args) {
        // The two regexes under test, as Java string literals.
        String regex  = "^(http|https:\\/\\/)?[\\w-.]+.(baidu).com($|\\/|\\)/i)";
        String regex1 = "(http|https)://([\\w-]+.)+(baidu)+(/[\\w- ./?%&=]*)?";

        String[] payloads = {
            "www.evil.com/www.baidu.com", "http://evil.com", "https://www.evil.com/",
            "www.baidu.com.evil.com", "www.baidu.com@www.evil.com",
            "https://www.baidu.com/jump.do?url=http://www.evil.com",
            "https://www.baidu.com/%2Fevil.com%252Ecom", "http://www.baidu.com\\.evil.com",
            "////www.evil.com/..", "///www.evil.com", "////www.evil.com", "//www.evil.com",
            "https://www.evil.com\\www.baidu.com", "https://www.evil.com#www.baidu.com",
            "https://www.evil.com?www.baidu.com", "https://www.evil.com\\\\www.baidu.com",
            ".evil", ".evil.com", "///www.evil.com//..", "////www.evil.com//..",
            "https://www.baidu.com//%0d%0ahttp://www.evil.com/",
            "https://www.baidu.com//%0d0ahttp://www.evil.com"
        };

        // Compile regex1 here; swap in regex to test the first pattern.
        Pattern pattern = Pattern.compile(regex1);
        for (String payload : payloads) {
            Matcher m = pattern.matcher(payload);
            // find() matches anywhere in the string; print each payload at most once.
            if (m.find()) {
                System.out.println("[*] success -------> " + payload);
            }
        }
    }
}
```

Test results:

Regex one:

Regex two:

As you can see, regex one is clearly better. Hand it to the developers first, have them deploy it in the web application, and then verify whether these payloads are effective in that environment.

Note: this only tells us which payloads match the regex.
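A regex match on the raw string is a weak basis for a redirect allowlist, because the regex never reasons about which part of the string the browser will treat as the host. The check below is an added example, not code from the post: it parses the candidate with `java.net.URI`, accepts only absolute http(s) URLs with no userinfo, and compares the parsed host against an allowlist (the hypothetical `ALLOWED_DOMAINS` holding `baidu.com`, taken from the post's regexes). The `main` runs the post's payload list through both the post's `regex1` and this parser-based check so the two verdicts can be compared side by side. It assumes Java 11 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class RedirectAllowlist {

    // Hypothetical allowlist for this example: the registrable domain the post checks for.
    private static final Set<String> ALLOWED_DOMAINS = Set.of("baidu.com");

    /**
     * Parser-based check: accept only absolute http(s) URLs whose host is an
     * allowlisted domain or one of its subdomains, and that carry no userinfo.
     */
    public static boolean isAllowedRedirect(String candidate) {
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            // Backslashes, raw control characters, etc. are not valid URI syntax: reject.
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // relative references such as //www.evil.com or ////www.evil.com/..
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (uri.getRawUserInfo() != null) {
            return false; // "user@host" forms: the real host is whatever follows the '@'
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // authority Java could not parse as a host name
        }
        host = host.toLowerCase(Locale.ROOT);
        for (String domain : ALLOWED_DOMAINS) {
            if (host.equals(domain) || host.endsWith("." + domain)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // The post's second regex, for a side-by-side comparison.
        Pattern regex1 = Pattern.compile("(http|https)://([\\w-]+.)+(baidu)+(/[\\w- ./?%&=]*)?");

        // The post's payload list.
        String[] payloads = {
            "www.evil.com/www.baidu.com", "http://evil.com", "https://www.evil.com/",
            "www.baidu.com.evil.com", "www.baidu.com@www.evil.com",
            "https://www.baidu.com/jump.do?url=http://www.evil.com",
            "https://www.baidu.com/%2Fevil.com%252Ecom", "http://www.baidu.com\\.evil.com",
            "////www.evil.com/..", "///www.evil.com", "////www.evil.com", "//www.evil.com",
            "https://www.evil.com\\www.baidu.com", "https://www.evil.com#www.baidu.com",
            "https://www.evil.com?www.baidu.com", "https://www.evil.com\\\\www.baidu.com",
            ".evil", ".evil.com", "///www.evil.com//..", "////www.evil.com//..",
            "https://www.baidu.com//%0d%0ahttp://www.evil.com/",
            "https://www.baidu.com//%0d0ahttp://www.evil.com"
        };

        for (String payload : payloads) {
            boolean regexHit = regex1.matcher(payload).find();
            boolean parserOk = isAllowedRedirect(payload);
            System.out.printf("regex1=%-5s parser=%-5s %s%n", regexHit, parserOk, payload);
        }
    }
}
```

Two points to keep in mind when reading the output. First, the parser accepts the payloads whose host really is `www.baidu.com` (the `jump.do?url=` and percent-encoded-path ones): those are redirects to the allowlisted site, and whatever that site does next is its own problem, not a bypass of this check. Second, the check must be applied to the exact string the application will later emit in the `Location` header; validating one representation and redirecting with another (for example after an extra round of percent-decoding) reopens the hole.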

Appendix:

Taking this opportunity to write up a dictionary, so I don't have to keep hunting for one.

Common payloads:

www.evil.com/www.baidu.com
http://evil.com
https://www.evil.com/
www.baidu.com.evil.com
www.baidu.com@www.evil.com
https://www.baidu.com/jump.do?url=http://www.evil.com
https://www.baidu.com/%2Fevil.com%252Ecom
http://www.baidu.com\.evil.com
////www.evil.com/..
///www.evil.com
////www.evil.com
//www.evil.com
https://www.evil.com\www.baidu.com
https://www.evil.com#www.baidu.com
https://www.evil.com?www.baidu.com
https://www.evil.com\\www.baidu.com
.evil
.evil.com
///www.evil.com//..
////www.evil.com//..
https://www.baidu.com//%0d%0ahttp://www.evil.com/
https://www.baidu.com//%0d0ahttp://www.evil.com