Customer: The penetration test report you sent last week says there are 148 XSS findings. Development needs to fix them today, but your report only lists three. Development needs every vulnerable address before they can fix them completely.
Me: Actually, you could just filter the parameters in the GET and POST requests at the entry point where the system receives submitted data. That way only one place needs to change.
Customer: You tell the developers!
Developer: If we filter every request uniformly at the entry point, some features may stop working. So we can only fix them one by one.
Me: ......
Me: Let me see whether I can export them.
0x01 Exporting the XSS findings
Fortunately I had kept the Burp state from that test. I loaded the state file into Burp right away. Then I started thinking: some of the XSS findings are GET, some are POST, and a great many parameters are involved. How should I export them? "Copy URLs" would work, but the developers still would not know which parameter has the problem; with POST requests in particular it is hard to show where, and in which parameter, the XSS is.
With no better option, I first selected all 148 XSS issues and then exported them.

One glance, head hanging, and my eyes lit up. Burp raises its standing with me time and again. The 148 links I wanted were laid out densely in front of me.
Contents
1. Cross-site scripting (reflected)
1.1. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [groupId parameter]
1.2. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied URL parameter]
1.3. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied body parameter]
1.4. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [page.pageSize parameter]
1.5. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.begDate parameter]
1.6. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.begDate_format parameter]
1.7. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.endDate parameter]
1.8. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.endDate_format parameter]
1.9. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [qo.staffName parameter]
1.10. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.endDate parameter]
1.11. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.endDate_format parameter]
1.12. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.startDate parameter]
1.13. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [InstancyOverTimeRequestInfo.startDate_format parameter]
1.14. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [name of an arbitrarily supplied URL parameter]
1.15. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [name of an arbitrarily supplied body parameter]
1.16. http://x.x.x.x/csp/attendance/queryInstancyRequestManage.action [page.pageSize parameter]
1.17. http://x.x.x.x/csp/attendance/showLeaveBill.action [billType parameter]
1.18. http://x.x.x.x/csp/attendance/showLeaveBill.action [name of an arbitrarily supplied URL parameter]
1.19. http://x.x.x.x/csp/cal.calendarjsp [buttonId parameter]
1.20. http://x.x.x.x/csp/cal.calendarjsp [cssFilePath parameter]
1.21. http://x.x.x.x/csp/cal.calendarjsp [cssstyle parameter]
1.22. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.23. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.24. http://x.x.x.x/csp/cal.calendarjsp [daylightRepeatedMessage parameter]
1.25. http://x.x.x.x/csp/cal.calendarjsp [daylightsupportrequiredMessage parameter]
1.26. http://x.x.x.x/csp/cal.calendarjsp [displayformat parameter]
1.27. http://x.x.x.x/csp/cal.calendarjsp [hiddenformat parameter]
1.28. http://x.x.x.x/csp/cal.calendarjsp [inputfield parameter]
1.29. http://x.x.x.x/csp/cal.calendarjsp [inputfield parameter]
1.30. http://x.x.x.x/csp/cal.calendarjsp [jsPath parameter]
1.31. http://x.x.x.x/csp/cal.calendarjsp [jsPath parameter]
1.32. http://x.x.x.x/csp/cal.calendarjsp [nextyearrange parameter]
1.33. http://x.x.x.x/csp/cal.calendarjsp [objectName parameter]
1.34. http://x.x.x.x/csp/cal.calendarjsp [previousyearrange parameter]
1.35. http://x.x.x.x/csp/cal.calendarjsp [resettime parameter]
1.36. http://x.x.x.x/csp/cal.calendarjsp [timezone parameter]
1.37. http://x.x.x.x/csp/cal.calendarjsp [type parameter]
1.38. http://x.x.x.x/csp/cal.calendarjsp [windowtype parameter]
1.39. http://x.x.x.x/csp/compensation/budgetDeptPage.action [name of an arbitrarily supplied URL parameter]
1.40. http://x.x.x.x/csp/compensation/budgetDeptPage.action [timeStamp parameter]
1.41. http://x.x.x.x/csp/compensation/budgetSalPage.action [name of an arbitrarily supplied URL parameter]
1.42. http://x.x.x.x/csp/compensation/budgetSalPage.action [timeStamp parameter]
1.43. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [name of an arbitrarily supplied URL parameter]
1.44. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [name of an arbitrarily supplied body parameter]
1.45. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [order.ascending parameter]
1.46. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [page.currentPage parameter]
1.47. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [page.pageSize parameter]
1.48. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.employeeId parameter]
1.49. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.salItemName parameter]
1.50. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.staffName parameter]
1.51. http://x.x.x.x/csp/compensation/findPersonSalItemByCond.action [personSalItem.staffNo parameter]
1.52. http://x.x.x.x/csp/compensation/queryBudget.action [budgetYear parameter]
1.53. http://x.x.x.x/csp/compensation/queryBudget.action [name of an arbitrarily supplied URL parameter]
1.54. http://x.x.x.x/csp/compensation/queryBudget.action [name of an arbitrarily supplied body parameter]
1.55. http://x.x.x.x/csp/compensation/queryBudget.action [order.ascending parameter]
1.56. http://x.x.x.x/csp/compensation/queryBudget.action [page.currentPage parameter]
1.57. http://x.x.x.x/csp/compensation/queryBudget.action [page.pageSize parameter]
1.58. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
1.59. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
1.60. http://x.x.x.x/csp/manpower/addMemberInfoPage.action [doWhat parameter]
1.61. http://x.x.x.x/csp/manpower/addMemberInfoPage.action [doWhat parameter]
1.62. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.63. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.64. http://x.x.x.x/csp/manpower/baseInfoModifyPage.action [doWhat parameter]
1.65. http://x.x.x.x/csp/manpower/esm_monitorTeamManager.action [monitorType parameter]
1.66. http://x.x.x.x/csp/manpower/esm_monitorTeamManager.action [operType parameter]
1.67. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.68. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.69. http://x.x.x.x/csp/manpower/extendInfoModifyPage.action [doWhat parameter]
1.70. http://x.x.x.x/csp/manpower/getBaseInfo.action [doWhat parameter]
1.71. http://x.x.x.x/csp/manpower/getExtendInfo.action [doWhat parameter]
1.72. http://x.x.x.x/csp/manpower/listAddressInfo.action [doWhat parameter]
1.73. http://x.x.x.x/csp/manpower/listAddressInfo.action [doWhat parameter]
1.74. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffId parameter]
1.75. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffId parameter]
1.76. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffSN parameter]
1.77. http://x.x.x.x/csp/manpower/listAddressInfo.action [staffSN parameter]
1.78. http://x.x.x.x/csp/manpower/listMemberInfo.action [doWhat parameter]
1.79. http://x.x.x.x/csp/manpower/listMemberInfo.action [doWhat parameter]
1.80. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffId parameter]
1.81. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffId parameter]
1.82. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffSN parameter]
1.83. http://x.x.x.x/csp/manpower/listMemberInfo.action [staffSN parameter]
1.84. http://x.x.x.x/csp/manpower/listPartyInfo.action [doWhat parameter]
1.85. http://x.x.x.x/csp/manpower/listPartyInfo.action [staffId parameter]
1.86. http://x.x.x.x/csp/manpower/listPartyInfo.action [staffSN parameter]
1.87. http://x.x.x.x/csp/manpower/listRelationInfo.action [doWhat parameter]
1.88. http://x.x.x.x/csp/manpower/listRelationInfo.action [staffId parameter]
1.89. http://x.x.x.x/csp/manpower/listRelationInfo.action [staffSN parameter]
1.90. http://x.x.x.x/csp/manpower/updateAddressInfoPage.action [doWhat parameter]
1.91. http://x.x.x.x/csp/manpower/updateAddressInfoPage.action [doWhat parameter]
1.92. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [doWhat parameter]
1.93. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [doWhat parameter]
1.94. http://x.x.x.x/csp/manpower/updateMemberInfoPage.action [memberinfoid parameter]
1.95. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [doWhat parameter]
1.96. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [doWhat parameter]
1.97. http://x.x.x.x/csp/manpower/updatePartyInfoPage.action [partyinfoid parameter]
1.98. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [doWhat parameter]
1.99. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [doWhat parameter]
1.100. http://x.x.x.x/csp/manpower/updateRelationInfoPage.action [relationId parameter]
1.101. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.cycleType parameter]
1.102. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.indexId parameter]
1.103. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.orgaName parameter]
1.104. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.planId parameter]
1.105. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.planName parameter]
1.106. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.post parameter]
1.107. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffId parameter]
1.108. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffName parameter]
1.109. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffSn parameter]
1.110. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.staffState parameter]
1.111. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.teamItemId parameter]
1.112. http://x.x.x.x/csp/performance/assessRecordList.action [assessRecord.teamName parameter]
1.113. http://x.x.x.x/csp/performance/assessRecordList.action [month parameter]
1.114. http://x.x.x.x/csp/performance/assessRecordList.action [name of an arbitrarily supplied URL parameter]
1.115. http://x.x.x.x/csp/performance/assessRecordList.action [name of an arbitrarily supplied body parameter]
1.116. http://x.x.x.x/csp/performance/assessRecordList.action [order.ascending parameter]
1.117. http://x.x.x.x/csp/performance/assessRecordList.action [page.currentPage parameter]
1.118. http://x.x.x.x/csp/performance/assessRecordList.action [page.pageSize parameter]
1.119. http://x.x.x.x/csp/performance/assessRecordList.action [year parameter]
1.120. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [name of an arbitrarily supplied URL parameter]
1.121. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [name of an arbitrarily supplied body parameter]
1.122. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [order.ascending parameter]
1.123. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [order.propertyName parameter]
1.124. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [page.currentPage parameter]
1.125. http://x.x.x.x/csp/performance/c_pfm_getAttendanceDetails.action [page.pageSize parameter]
1.126. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [name of an arbitrarily supplied URL parameter]
1.127. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [name of an arbitrarily supplied body parameter]
1.128. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [order.ascending parameter]
1.129. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [order.propertyName parameter]
1.130. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [page.currentPage parameter]
1.131. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [page.pageSize parameter]
1.132. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.orgaId parameter]
1.133. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.postId parameter]
1.134. http://x.x.x.x/csp/performance/c_pfm_getAttendanceResult.action [qo.staffName parameter]
1.135. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [name of an arbitrarily supplied URL parameter]
1.136. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [name of an arbitrarily supplied body parameter]
1.137. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [order.ascending parameter]
1.138. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [page.currentPage parameter]
1.139. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [page.pageSize parameter]
1.140. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.orgaId parameter]
1.141. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.queryType parameter]
1.142. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.subDepartmentId parameter]
1.143. http://x.x.x.x/csp/performance/c_pfm_getPersonalDataList.action [qo.teamId parameter]
1.144. http://x.x.x.x/csp/performance/c_pfm_queryOrgaData.action [queryType parameter]
1.145. http://x.x.x.x/csp/performance/c_pfm_queryPersonalData.action [queryType parameter]
1.146. http://x.x.x.x/csp/performance/entranceAccessPlan.action [flag parameter]
1.147. http://x.x.x.x/csp/performance/entranceAccessPlan.action [flag parameter]
1.148. http://x.x.x.x/csp/performance/findAssessRecordDetailById.action [name of an arbitrarily supplied URL parameter]
Click a link and you can see the request and response for that location, and which parameter the payload was loaded into. Every single finding is explained perfectly!!!
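To turn a Contents listing like the one above into what the developers asked for (every vulnerable address together with its parameter), here is an added Python example; it is not code from the original post or from Burp itself. It parses the report's finding lines, collapses duplicate entries for the same URL and parameter, and groups the findings per endpoint. The sample input is constructed from a handful of the page's own entries (the `x.x.x.x` host is the page's placeholder), and the regex assumes the `N.M. <url> [<parameter> parameter]` line shape shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the same shape as the Burp Scanner report
# "Contents" listing above (the real listing has 148 of them). Entries were
# taken from the page; the host x.x.x.x is the page's own placeholder.
SAMPLE_CONTENTS = """\
1. Cross-site scripting (reflected)
1.1. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [groupId parameter]
1.2. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied URL parameter]
1.3. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [name of an arbitrarily supplied body parameter]
1.4. http://x.x.x.x/csp/attendance/listLeaveBillByQo.action [page.pageSize parameter]
1.22. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.23. http://x.x.x.x/csp/cal.calendarjsp [currentValue parameter]
1.58. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
1.59. http://x.x.x.x/csp/manpower/addAddressInfoPage.action [doWhat parameter]
"""

# One finding line: "<section>.<n>. <url> [<parameter description>]"
# (assumed line shape, matching the listing on this page)
FINDING_RE = re.compile(r"^(\d+)\.(\d+)\.\s+(\S+)\s+\[(.+)\]\s*$")
# Burp's wording when the *name* of any extra parameter is reflected
ARBITRARY_RE = re.compile(r"^name of an arbitrarily supplied (URL|body) parameter$")


def parse_finding(line):
    """Return (url, parameter, kind) for a finding line, or None for headings/blank lines.

    kind is 'value' when a named parameter's value is reflected, or 'url-name' /
    'body-name' when Burp reports that the name of an arbitrary query/body
    parameter is reflected (a per-parameter fix will not cover those).
    """
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    url, desc = m.group(3), m.group(4)
    a = ARBITRARY_RE.match(desc)
    if a:
        return (url, "*", a.group(1).lower() + "-name")
    if desc.endswith(" parameter"):
        return (url, desc[: -len(" parameter")], "value")
    return (url, desc, "value")


def group_by_endpoint(text):
    """Map each URL to the sorted list of distinct (parameter, kind) pairs.

    Burp lists the same parameter twice when it is reflected at two places in
    the response (entries 1.22 and 1.23 above); those collapse into one fix item.
    """
    grouped = defaultdict(set)
    for line in text.splitlines():
        f = parse_finding(line)
        if f:
            url, param, kind = f
            grouped[url].add((param, kind))
    return {url: sorted(params) for url, params in grouped.items()}


def summarize(text):
    """Counts a developer asks for: raw findings vs. distinct (url, parameter) fix items."""
    raw = sum(1 for line in text.splitlines() if parse_finding(line))
    grouped = group_by_endpoint(text)
    distinct = sum(len(p) for p in grouped.values())
    return {"findings": raw, "endpoints": len(grouped), "fix_items": distinct}


def fix_list(text):
    """Render a per-endpoint checklist, one line per endpoint."""
    lines = []
    for url, params in sorted(group_by_endpoint(text).items()):
        names = ", ".join(
            p if k == "value" else f"<any {k.split('-')[0]} param name>"
            for p, k in params
        )
        lines.append(f"{url}: {names}")
    return lines


if __name__ == "__main__":
    print(summarize(SAMPLE_CONTENTS))
    for line in fix_list(SAMPLE_CONTENTS):
        print(line)
```

Run it against the full Contents text copied out of the exported report and the output is the per-endpoint list the developers wanted. The "arbitrarily supplied parameter name" items are kept as a separate kind on purpose: there the reflected value is the parameter name itself, so a fix that only encodes the values of known parameters would leave that endpoint vulnerable.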

0x02 Reflections
After happily sending the exported report to the customer, I sat at my desk and thought:
- When using Burp or any other tool that has project files, be sure to keep them.
- In future, when one vulnerability has so many instances that they cannot all be written into the penetration test report one by one, Burp can export the details of those issues as a report, which can then be inserted into the penetration test report as an embedded object.