客户:你上周发的渗透测试报告中说存在有148处XSS。今天开发需要修复,但你的渗透测试报告只列举了三处。开发需要提供所有存在漏洞的地址,才能修复完整。
我:其实可以在系统数据提交的入口,对get和post数据包中参数进行过滤就好了。那样就修改一处就可以了。
客户:你跟开发说吧!
开发:如果在入口处统一对所有数据包进行过滤,可能会导致某些功能无法使用。所以只能一处处改。
我:。。。。。。。
我:我去看看能不能导出来。
0x01导出XSS
幸亏那次渗透之后保留了burp的state。我马上用bup加载了state文件。当时就在想。XSS有的是GET,有的POST,涉及参数重多。该如何导出。如果使用copy URLs,当然也行。但是开发估计也不知道那个参数是存在问题的。特别是psot包更难体现出,那个地方,那个参数存在XSS。
无奈先选择148处XSS,然后把它们先导出来。
耷拉着脑袋一看,眼睛就亮了。burp真是一次又一次刷新在我心中地位。我要的148处链接已密密麻麻出现在我的眼帘。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
| Contents
1. Cross-site scripting (reflected)
1.1. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [groupId parameter]
1.2. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied URL parameter]
1.3. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied body parameter]
1.4. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [page.pageSize parameter]
1.5. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.begDate parameter]
1.6. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.begDate_format parameter]
1.7. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.endDate parameter]
1.8. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.endDate_format parameter]
1.9. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.staffName parameter]
1.10. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.endDate parameter]
1.11. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.endDate_format parameter]
1.12. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.startDate parameter]
1.13. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.startDate_format parameter]
1.14. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [name of an arbitrarily supplied URL parameter]
1.15. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [name of an arbitrarily supplied body parameter]
1.16. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [page.pageSize parameter]
1.17. http://x.x.x.x/csp/attendance/showLeaveBill.action [billType parameter]
1.18. http://x.x.x.x/csp/attendance/showLeaveBill.action [name of an arbitrarily supplied URL parameter]
1.19. http://x.x.x.x/csp/cal.calendarjsp [buttonId parameter]
1.20. http://x.x.x.x/csp/cal.calendarjsp [cssFilePath parameter]
1.21. http://x.x.x.x/csp/cal.calendarjsp [cssstyle parameter]
1.22. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.23. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.24. http://x.x.x.x/csp/cal.calendarjsp [daylightRepeatedMessage parameter]
1.25. http://x.x.x.x/csp/cal.calendarjsp [daylightsupportrequiredMessage parameter]
1.26. http://x.x.x.x/csp/cal.calendarjsp [displayformat parameter]
1.27. http://x.x.x.x/csp/cal.calendarjsp [hiddenformat parameter]
1.28. http://x.x.x.x/csp/cal.calendarjsp [inputfield parameter]
1.29. http://x.x.x.x/csp/cal.calendarjsp [inputfield parameter]
1.30. http://x.x.x.x/csp/cal.calendarjsp [jsPath parameter]
1.31. http://x.x.x.x/csp/cal.calendarjsp [jsPath parameter]
1.32. http://x.x.x.x/csp/cal.calendarjsp [nextyearrange parameter]
1.33. http://x.x.x.x/csp/cal.calendarjsp [objectName parameter]
1.34. http://x.x.x.x/csp/cal.calendarjsp [previousyearrange parameter]
1.35. http://x.x.x.x/csp/cal.calendarjsp [resettime parameter]
1.36. http://x.x.x.x/csp/cal.calendarjsp [timezone parameter]
1.37. http://x.x.x.x/csp/cal.calendarjsp [type parameter]
1.38. http://x.x.x.x/csp/cal.calendarjsp [windowtype parameter]
1.39. http://x.x.x.x/csp/compensation/budgetDeptPage.action [name of an arbitrarily supplied URL parameter]
1.40. http://x.x.x.x/csp/compensation/budgetDeptPage.action [timeStamp parameter]
1.41. http://x.x.x.x/csp/compensation/budgetSalPage.action [name of an arbitrarily supplied URL parameter]
1.42. http://x.x.x.x/csp/compensation/budgetSalPage.action [timeStamp parameter]
1.43. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [name of an arbitrarily supplied URL parameter]
1.44. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [name of an arbitrarily supplied body parameter]
1.45. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [order.ascending parameter]
1.46. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [page.currentPage parameter]
1.47. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [page.pageSize parameter]
1.48. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.employeeId parameter]
1.49. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.salItemName parameter]
1.50. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.staffName parameter]
1.51. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.staffNo parameter]
1.52. http://x.x.x.x/csp/compensation/queryBudget.action [budgetYear parameter]
1.53. http://x.x.x.x/csp/compensation/queryBudget.action [name of an arbitrarily supplied URL parameter]
1.54. http://x.x.x.x/csp/compensation/queryBudget.action [name of an arbitrarily supplied body parameter]
1.55. http://x.x.x.x/csp/compensation/queryBudget.action [order.ascending parameter]
1.56. http://x.x.x.x/csp/compensation/queryBudget.action [page.currentPage parameter]
1.57. http://x.x.x.x/csp/compensation/queryBudget.action [page.pageSize parameter]
1.58. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
1.59. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
1.60. http://x.x.x.x/csp/manpower/addMemberInfoPage.action [doWhat parameter]
1.61. http://x.x.x.x/csp/manpower/addMemberInfoPage.action [doWhat parameter]
1.62. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.63. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.64. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.65. http://x.x.x.x/csp/manpower/esm_monitorTeamManager.action [monitorType parameter]
1.66. http://x.x.x.x/csp/manpower/esm_monitorTeamManager.action [operType parameter]
1.67. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.68. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.69. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.70. http://x.x.x.x/csp/manpower/getBaseInfo.action [doWhat parameter]
1.71. http://x.x.x.x/csp/manpower/getExtendInfo.action [doWhat parameter]
1.72. http://x.x.x.x/csp/manpower/listAddressInfo.action [doWhat parameter]
1.73. http://x.x.x.x/csp/manpower/listAddressInfo.action [doWhat parameter]
1.74. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffId parameter]
1.75. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffId parameter]
1.76. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffSN parameter]
1.77. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffSN parameter]
1.78. http://x.x.x.x/csp/manpower/listMemberInfo.action [doWhat parameter]
1.79. http://x.x.x.x/csp/manpower/listMemberInfo.action [doWhat parameter]
1.80. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffId parameter]
1.81. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffId parameter]
1.82. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffSN parameter]
1.83. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffSN parameter]
1.84. http://x.x.x.x/csp/manpower/listPartyInfo.action [doWhat parameter]
1.85. http://x.x.x.x/csp/manpower/listPartyInfo.action [staffId parameter]
1.86. http://x.x.x.x/csp/manpower/listPartyInfo.action [staffSN parameter]
1.87. http://x.x.x.x/csp/manpower/listRelationInfo.action [doWhat parameter]
1.88. http://x.x.x.x/csp/manpower/listRelationInfo.action [staffId parameter]
1.89. http://x.x.x.x/csp/manpower/listRelationInfo.action [staffSN parameter]
1.90. http://x.x.x.x/csp/manpower/updateAddressInfoPage.action [doWhat parameter]
1.91. http://x.x.x.x/csp/manpower/updateAddressInfoPage.action [doWhat parameter]
1.92. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [doWhat parameter]
1.93. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [doWhat parameter]
1.94. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [memberinfoid parameter]
1.95. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [doWhat parameter]
1.96. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [doWhat parameter]
1.97. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [partyinfoid parameter]
1.98. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [doWhat parameter]
1.99. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [doWhat parameter]
1.100. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [relationId parameter]
1.101. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.cycleType parameter]
1.102. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.indexId parameter]
1.103. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.orgaName parameter]
1.104. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.planId parameter]
1.105. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.planName parameter]
1.106. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.post parameter]
1.107. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffId parameter]
1.108. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffName parameter]
1.109. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffSn parameter]
1.110. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffState parameter]
1.111. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.teamItemId parameter]
1.112. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.teamName parameter]
1.113. http://x.x.x.x/csp/performance/assessRecordList.action [month parameter]
1.114. http://x.x.x.x/csp/performance/assessRecordList.action [name of an arbitrarily supplied URL parameter]
1.115. http://x.x.x.x/csp/performance/assessRecordList.action [name of an arbitrarily supplied body parameter]
1.116. http://x.x.x.x/csp/performance/assessRecordList.action [order.ascending parameter]
1.117. http://x.x.x.x/csp/performance/assessRecordList.action [page.currentPage parameter]
1.118. http://x.x.x.x/csp/performance/assessRecordList.action [page.pageSize parameter]
1.119. http://x.x.x.x/csp/performance/assessRecordList.action [year parameter]
1.120. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [name of an arbitrarily supplied URL parameter]
1.121. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [name of an arbitrarily supplied body parameter]
1.122. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [order.ascending parameter]
1.123. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [order.propertyName parameter]
1.124. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [page.currentPage parameter]
1.125. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [page.pageSize parameter]
1.126. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [name of an arbitrarily supplied URL parameter]
1.127. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [name of an arbitrarily supplied body parameter]
1.128. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [order.ascending parameter]
1.129. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [order.propertyName parameter]
1.130. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [page.currentPage parameter]
1.131. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [page.pageSize parameter]
1.132. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.orgaId parameter]
1.133. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.postId parameter]
1.134. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.staffName parameter]
1.135. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [name of an arbitrarily supplied URL parameter]
1.136. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [name of an arbitrarily supplied body parameter]
1.137. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [order.ascending parameter]
1.138. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [page.currentPage parameter]
1.139. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [page.pageSize parameter]
1.140. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.orgaId parameter]
1.141. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.queryType parameter]
1.142. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.subDepartmentId parameter]
1.143. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.teamId parameter]
1.144. http://x.x.x.x/csp/performance/c_pfm_queryOrgaData.action [queryType parameter]
1.145. http://x.x.x.x/csp/performance/c_pfm_queryPersonalData.action [queryType parameter]
1.146. http://x.x.x.x/csp/performance/entranceAccessPlan.action [flag parameter]
1.147. http://x.x.x.x/csp/performance/entranceAccessPlan.action [flag parameter]
1.148. http://x.x.x.x/csp/performance/findAssessRecordDetailById.action [name of an arbitrarily supplied URL parameter]
|
点开链接就可以看到这处链接的请求包与响应包,还有payload的加载在哪个参数上。完美解释每一处!!!
0x02思考
开心的这导出的报告发给客户之后,我在位置上思考:
- 使用burp或者其他工具如果有工程文件,一定要保存好。
- 以后写渗透测试报告时有出现某漏洞数量多个,导致无法一一写入渗透测试报告中。可以使用burp将漏洞具体信息以报告形式导出。然后以对象的方式插入到渗透测试报告中去。
