├── HTTP.pl ├── HTTPFromFile.pl ├── README.md ├── modsec_lua ├── log2File.lua └── xss_detect.lua ├── requirePackage.txt ├── t ├── CommandExecution_callback-1.t ├── CommandExecution_createfunction-1.t ├── CommandExecution_dynamicvar-1.t ├── CommandExecution_eval-1.t ├── CommandExecution_preg_replace-1.t ├── CommandExecution_system-1.t ├── FileInclude-1.t ├── FileInclude-2.t ├── FileInclude-3.t ├── FileInclude-4.t ├── FileInclude-5.t ├── FileInclude_filegetcontents-1.t ├── FileUpload.t ├── redirect-1.t ├── sqli_code-1.t ├── sqli_comment-1.t ├── sqli_overflow-1.t ├── xss-1.t └── yijuhua_ce-1.t ├── vulCode ├── commandExecution │ ├── CommandExecution_arraymap.php │ ├── CommandExecution_createfunction.php │ ├── CommandExecution_dynamicvar.php │ ├── CommandExecution_eval.php │ ├── CommandExecution_preg_replace.php │ └── CommandExecution_system.php ├── fileInclude │ ├── FileInclude.php │ └── FileInclude_filegetcontents.php ├── redirect.php ├── webshell │ └── yijuhua.php └── xss │ └── xss.php └── xss.t /HTTP.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env perl 2 | use strict; 3 | use warnings; 4 | use feature qw(say); 5 | use URI; 6 | use URI::Split qw(uri_split uri_join); 7 | use URI::Escape; 8 | use LWP::UserAgent; 9 | use HTTP::Headers; 10 | use HTTP::Cookies; 11 | use HTTP::Request::Common; 12 | use MIME::Base64 qw(encode_base64); 13 | use Getopt::Long; 14 | use Term::ANSIColor qw(:constants); 15 | local $Term::ANSIColor::AUTORESET = 1; 16 | 17 | use utf8; 18 | binmode(STDIN, ':encoding(utf8)'); 19 | binmode(STDOUT, ':encoding(utf8)'); 20 | binmode(STDERR, ':encoding(utf8)'); 21 | 22 | 23 | 24 | my $help = q{}; 25 | my $url = q{}; 26 | my $method = "GET"; 27 | 28 | my %headers = (); 29 | my %cookies = (); 30 | my %datas = (); 31 | 32 | my $UserAgent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"; 33 | my $proxy = q{}; 34 | my $referer = q{}; 35 | my $timeout = 180; 36 | my 
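$redirect = 7;    # -L|redirect: upper bound on the redirects LWP may follow

# Output switches.
my $silent = q{};    # -s|silent: print only the response status line
my $raw    = q{};    # -r|raw: POST the data without URL-encoding it

# File-upload options; "fileFiled" (sic) names the multipart form field.
my $fileUpload  = q{};
my $fileFiled   = q{};
my $filePath    = q{};
my $fileName    = q{};
my $fileContent = q{};
my $fileType    = q{};

# HTTP Basic authentication options.
# NOTE: -password is read from the command line, so it is visible in the
# process list and in shell history; use disposable test credentials only.
my $basicAuth = q{};
my $username  = q{};
my $password  = q{};

# Ready-made request body; when set it is sent instead of the -d pairs.
my $request_body = q{};

GetOptions(
    "help"          => \$help,
    'url=s'         => \$url,
    'm|method=s'    => \$method,
    'H|header=s%'   => \%headers,
    'cookie=s%'     => \%cookies,
    'd|data=s%'     => \%datas,           # HTTP POST data: raw or urlencoded
    'requestbody=s' => \$request_body,    # HTTP POST data
    'A|user-agent=s' => \$UserAgent,
    'e|referer=s'   => \$referer,
    'proxy=s'       => \$proxy,
    't|timeout=i'   => \$timeout,
    'F|fileUpload'  => \$fileUpload,
    'fileFiled=s'   => \$fileFiled,
    'filePath=s'    => \$filePath,
    'fileName=s'    => \$fileName,
    'fileContent=s' => \$fileContent,
    'fileType=s'    => \$fileType,
    's|silent'      => \$silent,
    'r|raw'         => \$raw,
    'L|redirect=i'  => \$redirect,
    'basicAuth'     => \$basicAuth,
    'username=s'    => \$username,
    'password=s'    => \$password,
);

# A file upload is always sent as a POST, whatever -m says.
$method = 'POST' if $fileUpload;

if ($help) {
    getHelp();
    exit 0;
}

die "You need to specify the url for set HTTP request \n Please run --help for more informations \n" if $url eq q{};

my $status_line = getResponse(
    $url,         \%cookies, $proxy,      $timeout,   $redirect,
    $UserAgent,   $referer,  \%headers,   $method,    \%datas,
    $fileUpload,  $fileFiled, $filePath,  $fileName,  $fileContent,
    $fileType,    $silent,   $raw,        $basicAuth, $username,
    $password,    $request_body,
);
say BOLD YELLOW $status_line;


# Print the command-line usage text.
# The timeout line now states 180, the default the script actually sets.
sub getHelp {
    print <<__HELP__;

Usage: perl $0 -url 'http://xxxx.xx.com'


where:
-help
-url 'http://xxxx.xx.com'
-m|method GET|POST|HEAD default value is GET

-H|header X-Forwarded-For='127.0.0.1, 127.0.0.2' -H Via='Squid'
-cookie usertrack='123456'
-d|data name='tanjiti' -d passwd=12345

-requestbody 'a=1&b=1'

-A|user-agent 'baiduspider' default value is Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
-e|referer 'http://www.baidu.com'

-proxy 'http://64.34.14.28:7808'
-t|timeout 120 default value is 180
-L|redirect 7 default value is 7

File Upload Options As Follows
-F|fileUpload : Specify this is a http file upload request
-fileFiled 'uploaded'
-filePath '/tmp/a.jpeg'
-fileName 'a.php'
-fileContent ''
-fileType 'image/jpeg'

-s|silent : Only return response status line
-r|raw : POST Raw Data

-basicAuth : basic Authentication
-username tanjiti
-password 12345
__HELP__

}


# Build a URI object for $url and, when a hash reference of form data is
# given, install that data as the query string.
# NOTE(review): query_form replaces whatever query the URL already carried;
# confirm against the URI documentation before relying on both at once.
sub setURI {
    my ($url, $datas_ref) = @_;

    my $uri = URI->new($url);
    $uri->query_form($datas_ref) if $datas_ref;

    return $uri;
}

# Return the authority component of $url (undef when the URL has none).
# The value is used as the Host header and as the cookie domain.
# NOTE(review): the authority can include userinfo and a port
# ("user:pw@host:8080"); nothing here strips them.
sub getHostFromURL {
    my $url = shift;

    # uri_split yields (scheme, authority, path, query, fragment).
    # The original declared the result with "my ... if ...", a construct
    # whose behaviour is undefined when the condition is false.
    my (undef, $authority) = uri_split($url);

    return $authority;
}

# Create the LWP::UserAgent: timeout, redirect limit, optional proxy for
# http and https, and the prepared cookie jar.
sub setBrowser {
    my ($proxy, $cookie, $timeout, $redirect, $silent) = @_;

    my $browser = LWP::UserAgent->new();
    $browser->timeout($timeout);
    $browser->ssl_opts(verify_hostname => 1);    # keep TLS host name checks on
    $browser->max_redirect($redirect);
    $browser->show_progress(1) if not $silent;
    $browser->proxy([qw/http https/] => $proxy) if $proxy;
    $browser->cookie_jar($cookie);

    return $browser;
}


# Assemble the request headers: browser-like defaults first, then the
# optional User-Agent / Host / Referer / Authorization, and finally every
# -H pair, which therefore overrides anything set earlier.
sub setHeader {
    my ($UserAgent, $host, $referer, $headers_ref, $basicAuth, $username, $password) = @_;

    my $header = HTTP::Headers->new();

    $header->header('Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8');
    $header->header('Accept-Encoding' => 'gzip,deflate,sdch');
    $header->header('Accept-Language' => 'zh-CN,zh;q=0.8,en;q=0.6');
    $header->header('Connection' => 'keep-alive');

    $header->header('User-Agent' => $UserAgent) if $UserAgent;
    $header->header('Host'       => $host)      if $host;
    $header->header('Referer'    => $referer)   if $referer;

    if ($basicAuth) {
        # The empty second argument stops encode_base64 from appending "\n"
        # and from wrapping long input at 76 columns; either would put a
        # line break inside the header value.
        # Base64 is an encoding, not encryption: over plain http:// these
        # credentials are readable by anyone on the path.
        my $authenBase64 = encode_base64("$username:$password", q{});
        $header->header('Authorization' => "Basic $authenBase64");
    }

    for my $name (keys %$headers_ref) {
        $header->header($name => $headers_ref->{$name}) if $name;
    }

    return $header;
}

# Build a cookie jar holding every -cookie pair, scoped to $domain and "/".
sub setCookie {
    my ($domain, $cookies_ref) = @_;

    my $version = 0;
    my $path    = "/";

    # NOTE(review): this lands in the ninth positional argument of
    # set_cookie, which HTTP::Cookies documents as max-age in seconds, not
    # as an absolute expiry time (the original called it $expires).
    my $max_age = "123412345";

    my $cookie_jar = HTTP::Cookies->new(hide_cookie2 => 1);

    for my $name (keys %$cookies_ref) {
        $cookie_jar->set_cookie(
            $version, $name, $cookies_ref->{$name}, $path, $domain,
            undef, undef, undef, $max_age, undef, undef,
        );
    }

    return $cookie_jar;
}

# Build the HTTP::Request for GET, HEAD or POST.
#   GET / HEAD : the -d pairs, if any, become the query string
#   POST       : urlencoded form, raw body (-r) or multipart upload (-F)
# Dies for any other method.
sub setRequest {
    my ($method, $url, $header, $datas_ref, $fileUpload, $fileFiled,
        $filePath, $fileName, $fileContent, $fileType, $raw, $request_body) = @_;

    # HTTP request method: HEAD, GET and POST are supported.
    $method = uc $method;

    # NOTE(review): $header is an HTTP::Headers object; copying it through a
    # hash dereference relies on that class storing its fields in a plain
    # hash. Confirm before upgrading the module.
    my %headers = %$header;

    # HTTP form data.
    my %datas = %$datas_ref;

    # "and" binds tighter than "or", so without the parentheses every HEAD
    # request went through setURI even with no -d data, which replaced the
    # query string already present in the URL with an empty one.
    my $uri = (%datas and ($method eq 'GET' or $method eq 'HEAD'))
        ? setURI($url, \%datas)
        : $url;

    my $request;

    if ($method eq 'GET') {
        $request = GET($uri, %headers);
    } elsif ($method eq 'HEAD') {
        $request = HEAD($uri, %headers);
    } elsif ($method ne 'POST') {
        die BOLD RED "Only support GET, HEAD and POST method\n";
    } elsif ($fileUpload) {
        # multipart/form-data upload; three ways to describe the file part.
        my @file_part;
        if (-r $filePath and ($fileType or $fileName)) {
            # Read the local file, overriding its name and/or content type.
            @file_part = ($filePath, $fileName, "Content-Type" => $fileType);
        } elsif (-r $filePath) {
            # Read the local file and let the library derive name and type.
            @file_part = ($filePath);
        } else {
            # No readable file: the content comes from -fileContent.
            @file_part = (
                undef, $fileName,
                "Content-Type" => $fileType,
                "Content"      => $fileContent,
            );
        }

        $request = POST(
            $uri, %headers,
            Content_Type => 'multipart/form-data',
            Content      => [ $fileFiled => [@file_part], %datas ],
        );
    } elsif ($raw) {
        # Raw POST: key=value pairs joined with "&", nothing is escaped.
        my $rawdata = join '&', map { "$_=$datas{$_}" } keys %datas;
        my $content = $request_body ? $request_body : $rawdata;

        $request = POST($uri, %headers, Content => $content);
    } else {
        # application/x-www-form-urlencoded POST.
        my $content = $request_body ? $request_body : [%datas];

        $request = POST(
            $uri, %headers,
            Content_Type => 'application/x-www-form-urlencoded',
            Content      => $content,
        );
    }

    return $request;
}


# Send one request and return the response status line.
# Unless $silent is set, the request as sent, the response headers and
# (except for HEAD) the decoded response body are printed as well.
sub getResponse {
    my ($url, $cookies_ref, $proxy, $timeout, $redirect, $UserAgent,
        $referer, $headers_ref, $method, $datas_ref, $fileUpload,
        $fileFiled, $filePath, $fileName, $fileContent, $fileType,
        $silent, $raw, $basicAuth, $username, $password, $request_body) = @_;

    # A Host header given with -H wins over the host taken from the URL.
    my $host = getHostFromURL($url);
    $host = $headers_ref->{'Host'} if exists $headers_ref->{'Host'};

    my $cookie_jar = setCookie($host, $cookies_ref);
    my $browser    = setBrowser($proxy, $cookie_jar, $timeout, $redirect, $silent);
    my $header     = setHeader($UserAgent, $host, $referer, $headers_ref, $basicAuth, $username, $password);
    my $request    = setRequest($method, $url, $header, $datas_ref, $fileUpload, $fileFiled, $filePath, $fileName, $fileContent, $fileType, $raw, $request_body);

    my $response = $browser->request($request);

    say BOLD RED $response->request->as_string if not $silent;
    say BOLD BLUE $response->headers_as_string if not $silent;
    say BOLD GREEN $response->decoded_content if not $silent and $method ne 'HEAD';

    return $response->status_line;
}

# HTTP.pl ends here; the header of the listing's next file follows verbatim.
__END__
--------------------------------------------------------------------------------
/HTTPFromFile.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use strict;
use warnings;
use feature qw(say);

use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

use Getopt::Long;


#parameter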
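# Defaults for the options below; each can be overridden on the command line.
my $uri           = "127.0.0.1";    # -uri: where the request is sent
my $response_code = 403;            # -code: status the WAF is expected to return
my $request_file  = q{};            # -file: one request file
my $host          = "localhost";    # -host: value of the Host header
my $port          = 80;             # -port
my $help          = q();
my $dir           = q();            # -dir: directory holding *.t request files

# Forces flushing of STDOUT without waiting for EOL
$| = 1;


GetOptions(
    'h|help' => \$help,
    'code=i' => \$response_code,
    'file=s' => \$request_file,
    'host=s' => \$host,
    'port=i' => \$port,
    'dir=s'  => \$dir,
    'uri=s'  => \$uri,
);

# Print the command-line usage text.
sub getHelp {
    print <<__HELP__;
Usage: perl $0 [-code 403] [-uri 127.0.0.1] [-host example.com] [-port 80] -file request_file_path

-code: Specify the expected reponse code
-uri: Specify the domain or host ip to send request,default is 127.0.0.1
-host: Specify the Host header,default is localhost
-port: Specify the port to send request,default is 80
-file: Specify the request content file path
-dir: Specify the dir path for all t files

__HELP__
}

if ($help) {
    getHelp();
    exit 0;
}

die "You need to specify the exists request content file path for single t file\nPlease run --help for more help " if (not -e $request_file and not $dir);

die "You need to specify the exists t file dir for all t files test\nPlease run --help for more help " if $dir and not -e $dir;

chomp $request_file;
chomp $uri;
chomp $host;
chomp $port;
chomp $response_code;

sendRequest($request_file) unless $dir;

sendTotal() if $dir and -e $dir;

# Send the HTTP request stored in $request_file and compare the response
# status with the expected -code value.
# Returns 1 when the status matches, 0 when it does not or when the
# request file cannot be read.
sub sendRequest {
    my $request_file = shift;

    # With -uri left at its default, the request goes to the -host value.
    $uri = $host if $uri eq "127.0.0.1";

    # Read the file directly. The original ran `cat $request_file` through
    # the shell, so a file name containing shell metacharacters (given with
    # -file or found in the -dir directory) was executed as a command.
    my $fh;
    unless (open $fh, '<:raw', $request_file) {
        warn "Can't read request file $request_file: $!\n";
        return 0;
    }
    my $file = do { local $/; <$fh> };
    close $fh;
    $file = q{} unless defined $file;
    $file .= "\r\n";

    my $request = HTTP::Request->parse($file);

    # The file holds only a path, so prefix it with scheme, target and port.
    $request->uri("http://$uri:$port" . $request->uri);

    # Host always comes from -host; the other defaults apply only when the
    # request file did not set the header itself.
    $request->header("Host" => $host);
    $request->header("Referer" => "http://$host:$port") unless defined($request->header('Referer'));
    $request->header("Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8") unless defined($request->header('Accept'));
    $request->header("Accept-Encoding" => "gzip,deflate,sdch") unless defined($request->header('Accept-Encoding'));
    $request->header("Accept-Language" => "zh-CN,zh;q=0.8,en;q=0.6") unless defined($request->header('Accept-Language'));

    # If the request file carries no User-Agent, send an empty one.
    my $ua = LWP::UserAgent->new;
    $ua->show_progress(1);
    $ua->agent('') unless defined($request->header('User-Agent'));

    my $response = $ua->request($request);

    die "Can't parse response $response\n" unless defined($response);

    # The test passes when the status equals the expected code.
    my $ok = ($response->code != $response_code) ? 0 : 1;

    print $request->as_string;
    print $response->headers_as_string;
    print "\n$request_file \t";
    say $response->code . ($ok ? " OK" : " Not OK");
    print "************************************************************\n";

    return $ok;
}

# Run every *.t request file found in the -dir directory, print a summary
# and exit with status 1 when at least one response did not match.
sub sendTotal {
    my $pass = 0;
    my $fail = 0;

    # Start empty: the original seeded this list with an empty string,
    # which printed a blank "Failed:" line ahead of the real failures.
    my @failures;

    # readdir instead of glob: glob splits its pattern on whitespace and
    # expands wildcard characters found in the directory name itself.
    opendir my $dh, $dir or die "Can't open t file dir $dir: $!\n";
    my @t_files = map { "$dir/$_" } sort grep { !/\A\./ && /\.t\z/ } readdir $dh;
    closedir $dh;

    foreach my $t (@t_files) {
        if (sendRequest($t)) {
            $pass += 1;
        } else {
            $fail += 1;
            push @failures, $t;
        }
    }
    print "ALL Done \n";

    my $total = $pass + $fail;

    print "ran $total tests: $pass passed; $fail failed \n";

    if ($fail > 0) {
        foreach my $t (@failures) {
            print "Failed: $t\n";
        }
        exit 1;
    }
}

# HTTPFromFile.pl ends here; the start of the listing's next file follows verbatim.
__END__
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
WAF Test Project

1. HTTP packet tool - HTTP.pl
Usage http://danqingdani.blog.163.com/blog/static/18609419520144202591392/

2.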
HTTP packet tool - HTTPFromFile.pl 7 | Reads an HTTP request from a file and sends it 8 | 9 | For example: send an XSS request to test whether the WAF blocks it 10 | 11 | I: construct the request packet content 12 | 13 | echo -ne 'GET /?a=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: www.tanjiti.com\r\nUserAgent: curl 0.9\r\n' >xss.t 14 | 15 | II: send the XSS request using HTTPFromFile.pl 16 | 17 | perl HTTPFromFile.pl -code 403 -host www.tanjiti.com -port 80 -file xss.t 18 | 19 | WAF Evaluation Method details: http://danqingdani.blog.163.com/blog/static/1860941952014101462723470/ 20 | -------------------------------------------------------------------------------- /modsec_lua/log2File.lua: -------------------------------------------------------------------------------- 1 | --filepath setting 2 | local filepath = '/tmp/modsec_wafLog.log' 3 | 4 | --table to store modsecurity variables 5 | local fileds = {} 6 | 7 | --modsecurity lua interface function 8 | local m_log = m.log 9 | local m_getvar = m.getvar 10 | local m_getvars = m.getvars 11 | --local m_setvar = m.setvar 12 | 13 | 14 | --lua string function 15 | string_sub = string.sub 16 | string_find = string.find 17 | 18 | --lua table function 19 | table_sort = table.sort 20 | table_insert = table.insert 21 | 22 | --get var through modsecurity lua inerface function getvar and getvars 23 | 24 | local var_table = {"ARGS","ARGS_NAMES","ARGS_GET","ARGS_GET_NAMES","ARGS_POST","ARGS_POST_NAMES","FILES","FILES_NAMES","FILES_SIZES","FILES_TMPNAMES","GEO","REQUEST_COOKIES","REQUEST_COOKIES_NAMES","REQUEST_HEADERS","REQUEST_HEADERS_NAMES","RESPONSE_HEADERS","RULE","SESSION","TX","XML"} 25 | 26 | local var_sig =
{"ARGS_COMBINED_SIZE","AUTH_TYPE","DURATION","FILES_COMBINED_SIZE","HIGHEST_SEVERITY","MATCHED_VAR","MATCHED_VAR_NAME","MULTIPART_CRLF_LF_LINES","MULTIPART_STRICT_ERROR","MULTIPART_UNMATCHED_BOUNDARY","PATH_INFO","QUERY_STRING","REMOTE_ADDR","REMOTE_PORT","REMOTE_HOST","REMOTE_USER","REQBODY_PROCESSOR","REQBODY_PROCESSOR_ERROR","REQBODY_PROCESSOR_ERROR_MSG","REQUEST_BASENAME","REQUEST_BODY","REQUEST_FILENAME","REQUEST_LINE","REQUEST_METHOD","REQUEST_PROTOCOL","REQUEST_URI","REQUEST_URI_RAW","RESPONSE_BODY","RESPONSE_CONTENT_LENGTH","RESPONSE_CONTENT_TYPE","RESPONSE_PROTOCOL","RESPONSE_STATUS","SCRIPT_BASENAME","SCRIPT_FILENAME","SCRIPT_GID","SCRIPT_GROUPNAME","SCRIPT_MODE","SCRIPT_UID","SCRIPT_USERNAME","SERVER_ADDR","SERVER_NAME","SERVER_PORT","SESSIONID","TIME","TIME_DAY","TIME_EPOCH","TIME_HOUR","TIME_MIN","TIME_MON","TIME_SEC","TIME_WDAY","TIME_YEAR","URLENCODED_ERROR","USERID","WEBAPPID"} 27 | 28 | for _,v in pairs(var_table) do 29 | fileds[v] = m_getvars(v) 30 | end 31 | 32 | for _,v in pairs(var_sig) do 33 | fileds[v] = m_getvar(v) 34 | end 35 | 36 | 37 | function main() 38 | log(filepath,fileds) 39 | return nil 40 | end 41 | 42 | function log(filepath,fileds) 43 | local file = assert(io.open(filepath,"w+")) 44 | 45 | --sort fileds 46 | local key_fileds = {} 47 | 48 | --fetch the key of fileds table 49 | for key,_ in pairs(fileds) do 50 | table_insert(key_fileds,key) 51 | end 52 | 53 | --sort the key 54 | table_sort(key_fileds) 55 | for _,v in pairs(key_fileds) do 56 | 57 | if type(fileds[v]) == "table" then 58 | file:write(v,"\n") 59 | for _,v1 in pairs(fileds[v]) do 60 | local name = string_sub(v1.name,string_find(v1.name,":")+1,-1) 61 | file:write("\t",name,": ",v1.value,"\n") 62 | end 63 | else 64 | file:write(v,": ",fileds[v],"\n") 65 | end 66 | end 67 | file:close() 68 | end 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /modsec_lua/xss_detect.lua: 
-------------------------------------------------------------------------------- 1 | local string_find = string.find 2 | local m_getvars = m.getvars 3 | local m_log = m.log 4 | function main() 5 | --Retrieve all parameters 6 | local get_vars = m_getvars("ARGS_GET",{"lowercase","htmlEntityDecode"}); 7 | 8 | --Examine all variables 9 | for _,v in pairs(get_vars) do 10 | if(string_find(v.value," 13 | -------------------------------------------------------------------------------- /t/FileInclude-3.t: -------------------------------------------------------------------------------- 1 | GET /FileInclude.php?file=data:text/plain, HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/FileInclude-4.t: -------------------------------------------------------------------------------- 1 | GET /FileInclude.php?file=data:text/plain;base64,ZGF0YTp0ZXh0L3BsYWluLDw/cGhwIHN5c3RlbSgnY2F0IC92YXIvd3d3L0ZpbGVJbmNsdWRlLnBocCcpPz4= HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/FileInclude-5.t: -------------------------------------------------------------------------------- 1 | GET /FileInclude.php?file=php://filter/read=convert.base64-encode/resource=FileInclude.php HTTP/1.1 2 | Connection: keep-alive 3 | Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/FileInclude_filegetcontents-1.t: -------------------------------------------------------------------------------- 1 | GET /FileInclude_filegetcontents.php?uri=../../etc/passwd HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/FileUpload.t: -------------------------------------------------------------------------------- 1 | POST / HTTP/1.1 2 | Accept: */* 3 | Accept-Encoding: gzip, deflate 4 | Connection: keep-alive 5 | Content-Length: 280 6 | Content-Type: multipart/form-data; boundary=a8d1a3aff4604c358be8203e837aee1a 7 | Host: example.com 8 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 9 | 10 | --a8d1a3aff4604c358be8203e837aee1a 11 | Content-Disposition: form-data; name="submit" 12 | 13 | submit 14 | --a8d1a3aff4604c358be8203e837aee1a 15 | Content-Disposition: form-data; name="file"; filename="yijuhua.php" 16 | 17 | 18 | 19 | --a8d1a3aff4604c358be8203e837aee1a-- 20 | -------------------------------------------------------------------------------- /t/redirect-1.t: -------------------------------------------------------------------------------- 1 | GET /redirect.php?page=http://www.baidu.com HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 
| Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/sqli_code-1.t: -------------------------------------------------------------------------------- 1 | GET /sqli.php?id=2%252f%252a*/UNION%252f%252a/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+ HTTP/ 2 | 1.1 3 | Host: example.com 4 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 5 | Connection: keep-alive 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 7 | Accept-Encoding: gzip,deflate,sdch 8 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 9 | -------------------------------------------------------------------------------- /t/sqli_comment-1.t: -------------------------------------------------------------------------------- 1 | GET /sqli.php?id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM%20/*information_schema*/.tables%20/*!WHERE%20*/+/*!TaBlE_ScHeMa*/+like+database()--%20- HTTP/1.1 2 | Host: example.com 3 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 4 | Connection: keep-alive 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 6 | Accept-Encoding: gzip,deflate,sdch 7 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 8 | -------------------------------------------------------------------------------- /t/sqli_overflow-1.t: -------------------------------------------------------------------------------- 1 | GET /sqli.php?id=1%20and%20(select%201)=(Select%200xAAAAAAAAAAAAAAAAAAAAA%201000%20more%20A%27s)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+ HTTP/1.1 2 | Connection: keep-alive 3 | Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: www.tanjiti.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/xss-1.t: -------------------------------------------------------------------------------- 1 | GET /xss.php?name=%3Cscript%3Ealert%281%29;%3C/script%3E HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /t/yijuhua_ce-1.t: -------------------------------------------------------------------------------- 1 | GET /yijuhua.php?a=system&b=ls%20-al HTTP/1.1 2 | Connection: keep-alive 3 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 4 | Accept-Encoding: gzip,deflate,sdch 5 | Accept-Language: zh-CN,zh;q=0.8,en;q=0.6 6 | Host: example.com 7 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 8 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_arraymap.php: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_createfunction.php: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_dynamicvar.php: 
-------------------------------------------------------------------------------- 1 | 7 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_eval.php: -------------------------------------------------------------------------------- 1 | 11 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_preg_replace.php: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /vulCode/commandExecution/CommandExecution_system.php: -------------------------------------------------------------------------------- 1 | "; 6 | system("ls -al ".$dir); 7 | echo ""; 8 | } 9 | ?> 10 | -------------------------------------------------------------------------------- /vulCode/fileInclude/FileInclude.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /vulCode/fileInclude/FileInclude_filegetcontents.php: -------------------------------------------------------------------------------- 1 | "; 4 | //$i = strpos($URI,'..'); 5 | //print $i."
"; 6 | if (strpos($URI,'..'))exit('That is not a valid URI.'); 7 | $contents = file_get_contents($URI); 8 | print $contents; 9 | print "
"; 10 | ?> 11 | -------------------------------------------------------------------------------- /vulCode/redirect.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /vulCode/webshell/yijuhua.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /vulCode/xss/xss.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /xss.t: -------------------------------------------------------------------------------- 1 | GET /?a=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1 2 | Host: www.tanjiti.com 3 | UserAgent: curl 0.9 4 | --------------------------------------------------------------------------------