Коллекция пэйлоадов для веб-атаки
Применение
Запустить ./get.sh для загрузки внешних полезных нагрузок и разархивировать любые сжатые файлы.
- fuzzdb – https://github.com/fuzzdb-project/fuzzdb
- SecLists – https://github.com/danielmiessler/SecLists
- xsuperbug – https://github.com/xsuperbug/payloads
- NickSanzotta – https://github.com/NickSanzotta/BurpIntruder
- 7ioSecurity – https://github.com/7ioSecurity/XSS-Payloads
- shadsidd – https://github.com/shadsidd
- shikari1337 – https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
- xmendez – https://github.com/xmendez/wfuzz
- minimaxir – https://github.com/minimaxir/big-list-of-naughty-strings
- xsscx – https://github.com/xsscx/Commodity-Injection-Signatures
- TheRook – https://github.com/TheRook/subbrute
- danielmiessler – https://github.com/danielmiessler/RobotsDisallowed
- FireFart – https://github.com/FireFart/HashCollision-DOS-POC
- HybrisDisaster – https://github.com/HybrisDisaster/aspHashDoS
- swisskyrepo – https://github.com/swisskyrepo/PayloadsAllTheThings
OWASP
- dirbuster – https://www.owasp.org/index.php/DirBuster
- fuzzing_code_database – https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database
- JBroFuzz – https://www.owasp.org/index.php/JBroFuzz
Другие
- xss/jsf__k.txt – http://www.jsfuck.com/
- xss/kirankarnad.txt – https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
- xss/packetstorm.txt – https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html
- xss/smeegessec.com.txt – http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
- xss/d3adend.org.txt – http://d3adend.org/xss/ghettoBypass
- xss/soaj1664ashar.txt – http://pastebin.com/u6FY1xDA
- xss/billsempf.txt – https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)
- xss/787373.txt – https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/–xss.html
- xss/bhandarkar.txt – http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html
- xss/xssdb.txt – http://xssdb.net/xssdb.txt
- xss/0xsobky.txt – https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
- xss/secgeek.txt – https://www.secgeek.net/solutions-for-xss-waf-challenge/
- xss/reddit_xss_get.txt – All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)
- xss/rafaybaloch.txt – http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html
- sqli/camoufl4g3.txt – https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt
- sqli/c0rni3sm.txt – http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html
- sqli/sqlifuzzer.txt – https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads
- sqli/jstnkndy.txt – https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
- sqli/d0znpp.txt – https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f
- traversal/dotdotpwn.txt – https://github.com/wireghoul/dotdotpwn
- codeinjection/fede.txt – https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/
CTF
Запросы, извлеченные из захватов пакетов или файлов журналов для захвата событий флага (ctf).
В основном исходные данные, поэтому не все запросы являются фактическими полезными нагрузками, однако запросы должны быть дедуплицированы.
- maccdc2010.txt – Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2011.txt – Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2012.txt – Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- ists12_2015.txt – Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS
- defcon20.txt – DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles
Разное
Ссылки XSS, которые могут пересекаться с источниками, уже включенными выше:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
http://htmlpurifier.org/live/smoketests/xssAttacks.php
Скачать все полезные нагрузки:
DOWNLOAD Git All The Payloads
Примечание: Информация для исследования, обучения или проведения аудита. Применение в корыстных целях карается законодательством РФ.
Комментарии
Взял в закладки.