Commit graph

297 commits

Author SHA1 Message Date
Adil Nadeem Babras
460b207a07
List of File Extensions
Source: Wikipedia
2023-08-16 03:38:18 +05:00
Sonata Green
635f59acdc
more human injection; new LLM section
(1) more human injection strings
(2) added a section for attacks against LLMs
2023-05-29 19:47:45 +00:00
g0tmi1k
afc5439c00
Merge pull request #870 from ivan-sincek/master
Hexadecimal ASCII and Hexadecimal Unicode

Source: https://github.com/ivan-sincek/amounts
2023-05-16 07:51:53 +01:00
ClutchTech
fb4298a4cb Update LFI-gracefulsecurity-linux.txt 2023-04-23 22:00:00 -04:00
Ivan Šincek
2121ac1bbb Hexadecimal ASCII and Hexadecimal Unicode
Added a few more representations of numerical values.
2023-04-18 13:44:57 +02:00
Sébastien Copin
18120d94f2 Add PHP magic methods list
See: https://www.php.net/manual/en/language.oop5.magic.php
2023-02-21 21:01:07 +01:00
g0tmi1k
cd30475c1a
Merge pull request #824 from cosad3s/master
fuzz-Bo0oM.txt: "WAF friendly" version
2022-11-22 12:22:36 +00:00
Sébastien Copin
db6c286085 fuzz-Bo0oM.txt: "WAF friendly" version
sed  -r '/(passwd|.htaccess|.asa|.ini|var\/log|%252e%252e|%2e%2e|^\..+)/d' ./fuzz-Bo0oM.txt > ./fuzz-Bo0oM-friendly.txt

Tested against Akamai. For less "Access Denied" issues.
2022-11-01 16:54:15 +01:00
Miguel Gómez
ec227174cd
Update LFI-Jhaddix.txt
Double URL-encode '../' with %252e%252e%252f
2022-09-27 16:36:41 -05:00
Taleb Qasem
b5116c1031
Update LFI-gracefulsecurity-windows.txt
Added word list from (https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows).
2022-08-02 16:25:02 +06:00
g0tmi1k
b49003fdbc
Merge pull request #785 from nicholas-long/master
Create list of files that could go in /etc for fuzzing
2022-08-02 07:22:22 +01:00
g0tmi1k
7c82ca12db
Merge pull request #702 from TheTechromancer/master
Added devops extensions - .test, .qa., etc. to Fuzzing/extensions-Bo0oM.txt
2022-08-02 06:59:33 +01:00
g0tmi1k
4c29963899
Merge pull request #706 from D3vil0per/patch-1
Create country-codes.txt

Source: https://www.iso.org/obp/ui/#search
2022-08-02 06:59:08 +01:00
g0tmi1k
c0be11b9e4
Merge pull request #769 from ivan-sincek/master
Fuzz amounts, quantities, or any other numerical values.

Source: https://research.nccgroup.com/wp-content/uploads/2020/07/common_security_issues_in_financially-orientated_web.pdf

https://github.com/ivan-sincek/amounts
2022-08-02 06:43:14 +01:00
g0tmi1k
3217b9b8f2
Merge pull request #774 from bigshika/envIds
Add common Environment identifiers
2022-08-02 06:39:31 +01:00
Taleb Qasem
294ee04ad3
Update LFI-gracefulsecurity-linux.txt
Removed 3 duplicates (/etc/passwd, /etc/mod, and /etc/php4/apache2/php.ini). Then added word list from (https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux).
2022-07-27 21:16:50 +06:00
Nicholas Long
ca4f454d13 update auto commit message, rename wordlist and references to it, title case in markdown headings 2022-07-25 16:26:11 +00:00
nicholas-long
5850a8a1fb update autogenerated files 2022-07-12 23:27:17 +00:00
nicholas-long
3c181f15fe all files installed into etc by all deb packages from the debian and ubuntu apt repositories 2022-06-28 00:57:39 -05:00
Sana O
795bd9e37b Add sandbox, sb and stage 2022-06-27 12:31:20 +12:00
Sana O
f1613446e9 Add common 2 letter environment abbreviations 2022-06-23 14:48:28 +12:00
root
28152a11f3 Added README 2022-06-21 08:05:20 +02:00
root
1753648b46 More Wordlists Added 2nd 2022-06-20 23:54:15 +02:00
root
0e73109916 More Wordlists Added 2022-06-20 23:49:32 +02:00
root
d9c1ab4d08 Update Amounts 2022-06-20 22:01:18 +02:00
root
45abeea9ae Added Amounts 2022-06-20 21:30:28 +02:00
D3vil0per
3369b7df87
Update country-codes.txt
Added uppercase codes
2022-04-26 19:50:07 +02:00
g0tmi1k
635fadadf8
Merge pull request #708 from D3vil0per/patch-2
Added methods from IANA source

Source: http://www.iana.org/assignments/http-methods/http-methods.xhtml#methods
2022-04-26 17:26:16 +01:00
indigo-sadland
694b4873eb
Nginx merge slashes path traversal vulnerability payload 2022-04-18 00:26:27 -07:00
indigo-sadland
46671534b5
unicode encoded lfi payload 2022-04-16 19:26:33 +03:00
indigo-sadland
6117632c0d
unicode encoded lfi payload 2022-04-16 19:05:01 +03:00
indigo-sadland
c49917ce1a
unicode encoded lfi payload 2022-04-16 18:58:45 +03:00
indigo-sadland
ce75be351d
unicode encoded lfi payload 2022-04-16 18:50:38 +03:00
D3vil0per
7a42879a46
Added methods from IANA source
Source: http://www.iana.org/assignments/http-methods/http-methods.xhtml#methods
2022-04-02 14:25:20 +02:00
D3vil0per
3ad6e8ff8c
Create country-codes.txt
According to the ISO 3166-1 standard. Useful for fuzzing elements like usernames as 'support-us' 'admin.us' 'helpdesk-US' and so on.
2022-03-26 22:54:02 +01:00
TheTechromancer
a8d0850534 added devops extensions - .text, .qa. etc. 2022-03-03 11:23:21 -05:00
g0tmi1k
c54e07f5d8
Merge pull request #671 from righettod/feature_issue_654
PR for issue 654 (environment identifiers dict)
2022-02-02 23:39:00 +00:00
Dominique RIGHETTO
9e778c6046
Add results from FR + BE sub domains 2021-11-26 11:48:46 +01:00
Dominique RIGHETTO
f86abe0dde
Add new entries after extraction from LU domains from Majestic file
See PR comment
2021-11-24 14:00:08 +01:00
elitejake
3c543908bf
Add PURGE method 2021-11-24 11:19:38 +00:00
Dominique RIGHETTO
55dcca61cf
Sorting ASC 2021-11-24 11:57:48 +01:00
Dominique RIGHETTO
57fa66e37e
Enrich with results from auchan.lu 2021-11-24 11:46:57 +01:00
Dominique RIGHETTO
d68129fe2d
Add missing entries from sgbt.lu 2021-11-24 11:44:29 +01:00
Dominique RIGHETTO
9b653b08af
Enrich with sgbt.lu results
Cmd: `curl -sk "https://crt.sh/?q=sgbt.lu&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u`
2021-11-24 11:42:45 +01:00
Dominique RIGHETTO
6d37719fd4
Enrich with total.com sub domains results
Command: `curl -sk "https://crt.sh/?q=total.com&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u`
2021-11-24 11:41:17 +01:00
Dominique RIGHETTO
0c61f25372
Add UAG 2021-11-24 11:33:31 +01:00
Dominique RIGHETTO
9d3ac03fd0
Initial adding 2021-11-24 11:25:10 +01:00
g0t mi1k
6b00e5cf53 Fix formatting 2021-11-24 10:13:43 +00:00
g0tmi1k
4030e1b6ce
Merge pull request #660 from noraj/patch-1
Update fuzz-Bo0oM.txt

Source: https://github.com/Bo0oM/fuzz.txt/blob/master/fuzz.txt
2021-11-24 09:53:58 +00:00
Dominique RIGHETTO
6e3e64f1f5
Add IBM MQSeries common channel names 2021-11-17 09:33:49 +01:00
Alexandre ZANNI
484ab9e986
Update fuzz-Bo0oM.txt 2021-10-07 11:03:42 +02:00
g0t mi1k
efeb38808c Replace ' ' with ' ' (Empty Characters) 2021-08-28 21:05:13 +01:00
g0tmi1k
177f25ba69
Merge pull request #625 from cbk914/master
Some additions

Source: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
2021-08-27 21:14:37 +01:00
Gabriel
fb613f25bf
Add "-" and remove duplicate "_" entry
Fixes #612
2021-07-13 14:42:14 +01:00
cbk914
9a871facf1
Merge branch 'danielmiessler:master' into master 2021-06-26 23:06:55 +02:00
Annihilat0r
495c8a6c3f
Add NoSQL payload 2021-05-29 13:21:29 +03:00
cbk914
cb4febae37 Merge branch 'danielmiessler:master' into master 2021-05-11 16:10:42 +02:00
Alex G
66e5827639
Add master.mdf MSSQL path to Windows LFI 2021-02-19 22:42:27 +01:00
g0tmi1k
6372096eab
Merge pull request #561 from kazkansouh/ldap-fuzzing
Standard LDAP attribute and classes lists

Source: ldapsearch -s base -b cn=Subschema  "(objectclass=*)" attributetypes -LLL | sed -e ':x N ; s/\n // ; tx ; P ; s/^.*\n//; tx' | grep -e '^a' | cut -d "'" -f 2 | sort -u
2021-02-11 21:25:40 +00:00
g0tmi1k
af40e7f267
Merge pull request #519 from arjunshibu/master
Added http-request-methods.txt
2021-02-11 20:27:53 +00:00
Karim Kanso
840067b851 add standard ldap attribute and classes lists 2021-01-20 15:38:59 +00:00
cbk914
003bfef95f
Merge pull request #6 from danielmiessler/master
Update
2020-11-12 02:44:53 +01:00
cbk914
d2a20595fc Update 2020-11-05 16:41:54 +01:00
g0t mi1k
d4ebb09709 dos2unix 2020-11-04 11:45:59 +00:00
Chris H
08925a1fae
Update email-top-100-domains.txt
added missing mail domain
2020-11-03 13:06:10 +01:00
g0tmi1k
6d164b9672
Merge pull request #527 from soufianetahiri/master
Added actuator default paths and created new XSS fuzzing list

Source: https://docs.spring.io/spring-boot/docs/1.5.x/reference/html/production-ready-endpoints.html
2020-11-03 11:39:11 +00:00
Soufiane Tahiri
a100ade82e
Create XSS-Fuzzing
High rate hit XSS payloads
2020-10-23 10:56:16 +02:00
cbk914
ae8aabcfed Merge branch 'master' of https://github.com/cbk914/SecLists 2020-09-30 16:37:47 +02:00
Arjun Shibu
9d298b2121
Create http-request-methods.txt
Useful for fuzzing endpoints
2020-09-25 20:06:30 +05:30
Luke Paris
52f1658a0c
Removed destructive SQL statements
Those two lines are downright irresponsible, someone is going to use this list to fuzz a web application and accidentally nuke a production database.
2020-09-17 15:02:40 +02:00
g0tmi1k
f1f3750803
Merge pull request #480 from haxxinen/patch-1
Create quick-SQLi.txt
2020-09-16 07:29:18 +01:00
g0tmi1k
c5ba0f44e4
Merge pull request #493 from daehee/master
XSS payloads from OFJAAAH

Source: https://ghostbin.co/paste/qo23j
2020-09-16 07:27:07 +01:00
g0tmi1k
0b7d119f74
Merge pull request #501 from righettod/master
Add payloads to identify the template engine used

- https://portswigger.net/research/server-side-template-injection
- https://github.com/epinna/tplmap
2020-09-16 07:23:39 +01:00
Daniel Neal
68fe48d9dd
Add string js or injection 2020-09-14 21:55:24 -07:00
Dominique RIGHETTO
1361ac96c1
Fix typos 2020-09-14 14:30:00 +02:00
Dominique RIGHETTO
1c2fb11278
Add file with special vars used by template engines
The objective is to identify the engine once an expression evaluation pattern was identified.
2020-09-14 14:28:12 +02:00
Dominique RIGHETTO
234dfabf72
Add an expression using expression inlining for Thymeleaf
See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining
Added it because I have discovered that, when StringTemplateResolver is used, an expression like ${42*42} is not resolved
2020-09-13 11:04:15 +02:00
Dominique RIGHETTO
ba87953a08
Add expression for Velocity engine 2020-09-13 09:33:41 +02:00
Daehee Park
850d3b10f1 XSS payloads from OFJAAAH 2020-08-30 14:40:59 -07:00
cbk914
e06aacd937 Revert "Merge pull request #4 from danielmiessler/master"
This reverts commit c266835781, reversing
changes made to fd4968f43b.
2020-08-11 14:25:56 +02:00
haxxinen
783b5edf73
Create quick-SQLi.txt 2020-08-06 10:35:03 +02:00
Dominique RIGHETTO
00f10f8513
Add character that can break a MongoDB query when JS expression is used 2020-07-18 18:00:24 +02:00
PinkDraconian
cf1ca8ec62
Added scientific notation entries 2020-06-16 12:36:29 +02:00
PinkDraconian
8679c2d6fe
Added true and false to the fuzzing list
Changing json field to true or false could have interesting results on an endpoint when fuzzing.
2020-06-16 12:21:04 +02:00
g0tmi1k
d76b8f6691
Merge pull request #452 from noraj/patch-1
Create LFI-gracefulsecurity-windows.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
2020-06-12 09:57:44 +01:00
g0tmi1k
b2865e0492
Merge pull request #453 from noraj/patch-2
Create LFI-gracefulsecurity-linux.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
2020-06-12 09:57:09 +01:00
sheimo
6757058b8c
Create sqli.auth.bypass.txt
This is a thorough SQL injection authentication bypass list. Each source below was combined to a text file and sorted.

Source: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Source: http://www.lifeoverpentest.com/2018/03/sql-injection-login-bypass-cheat-sheet.html
2020-06-11 23:24:34 -05:00
Alexandre ZANNI
7dd955a544
Create LFI-gracefulsecurity-linux.txt 2020-06-11 16:49:45 +02:00
Alexandre ZANNI
6945f3e779
Create LFI-gracefulsecurity-windows.txt 2020-06-11 16:48:39 +02:00
g0tmi1k
245984882a
Merge pull request #442 from kazkansouh/standardise-line-end
Standardise line endings
2020-05-28 11:11:35 +01:00
Jamie Scott
5b5cafaa47
Adding the not in operator
Adding the not in operator as another thing to check or test. It will equivalently act as { $ne: 1 } only it functions within an array.
2020-05-28 00:34:48 -07:00
Karim Kanso
607c3293b4 strip trailing whitespace 2020-05-27 14:26:51 +01:00
kegan
54ac7074da
add nested traversal strings for /etc/passwd 2020-05-18 18:12:12 -05:00
Dominique RIGHETTO
984af30974
Add the expression for the Dust engine 2020-05-03 10:52:17 +02:00
Dominique RIGHETTO
aecd8036ca
Add the expression for the doT engine 2020-05-03 10:30:48 +02:00
g0tmi1k
09d5a27cf7
Merge pull request #421 from storenth/master
Update the fuzz-Bo0oM.txt with more ';'

Source: https://twitter.com/11xuxx/status/1247496768054591489
2020-04-29 17:52:49 +01:00
Kirill Z
6466bd0ed2
Add more XSS 2020-04-27 20:19:33 +07:00
Kirill Z
561d6236c2
Update the fuzz-Bo0oM.txt with more ';' 2020-04-27 20:09:53 +07:00
Dominique RIGHETTO
611d47caf3
Add a version of the payload for CodeContext
Add the payload "42*42" to the fuzzing list in order to cover the "Code context" detection point mentioned in the https://portswigger.net/web-security/server-side-template-injection training
2020-04-25 09:13:06 +02:00
g0tmi1k
a7dbde1ec9
Merge pull request #412 from righettod/master
Collection of template engines expression

Source: https://github.com/expressjs/express/wiki#template-engines
2020-04-20 10:06:06 +01:00
g0tmi1k
b3b337e6f1
Merge pull request #390 from ipentest/add-ipentest
Added top 100 email domains to Seclists/Fuzzing

Source: https://email-verify.my-addr.com/list-of-most-popular-email-domains.php
2020-04-20 10:04:42 +01:00
Dominique RIGHETTO
1bd30300de
Add an initial collection of template engines expression 2020-04-18 17:16:20 +02:00
Antoine Guilbaud
13b1f18901 add a common windows lfi path 2020-04-15 12:49:42 +02:00
milangfx
e82e5e5026 add /apidocs/api-docs.json, /api-docs 2020-04-01 14:42:20 +02:00
ipentest
b2cf6971c9 Add ipentest to contributors 2020-02-12 11:46:44 -05:00
S7X Deckard Case
b8e87ad36c Added the entire XSS Cheat Sheet of PortSwigger, their HTML events and tags. 2019-11-18 09:33:26 +01:00
Camas
eb2cd4518a Remove extra newline 2019-11-08 23:32:46 +00:00
Camas
a7184dd1f7 Fix line endings 2019-11-08 15:09:15 +00:00
Parth Malhotra
01b280755c
Create 1-4_all_letters_a-z.txt 2019-11-07 21:50:55 +05:30
Luke Anderson
68f8d60da5
Fix Fuzzing Types (Fixes #339) 2019-10-05 00:35:43 +09:30
g0tmi1k
327cc859ee Quick rename 2019-08-13 12:50:53 +01:00
g0tmi1k
5bbc1e6fe3 Close #329 - Bo0oM's fuzz.txt
Source: https://github.com/Bo0oM/fuzz.txt
2019-08-13 12:50:20 +01:00
g0tmi1k
3fc464d156 Add XSS without parentheses and semi-colons
Source: https://portswigger.net/blog/xss-without-parentheses-and-semi-colons
2019-05-22 12:15:42 +01:00
g0tmi1k
9239f0a284 find . -name '*_*' -exec rename 's/_/-/g' "{}" \; 2019-05-08 11:54:39 +01:00
g0tmi1k
a65f6bd665 Close #291 - Fix encoding issues
$ for x in $( find . -type f ); do iconv -f utf-8 -t utf-8 -c ${x} | sed '/^$/d' > tmp; mv tmp ${x}; done
2019-05-08 11:04:00 +01:00
g0tmi1k
7b1f14989c Quick move about 2019-04-12 13:52:47 +01:00
g0tmi1k
3f2c0d33d2 Quick clean up of locations 2019-04-10 13:22:39 +01:00
g0tmi1k
12751dbbf0 Fix #288 - Add graphql
Source: https://graphql.org/learn/serving-over-http/
2019-04-10 13:18:25 +01:00
g0tmi1k
b9483d00b7 Sort out a few more filename issues 2019-04-10 11:32:07 +01:00
g0tmi1k
437478ce7b Fix #284 #285 - useragents-ie.txt 2019-04-10 10:19:12 +01:00
Alexandre ZANNI
cfe4b16023
Update LFI-JHADDIX.txt
fix typo + add 1 entry
2019-03-10 17:11:22 +01:00
Infected Drake
0400e0bbc1
A wrong payload corrected
The payload on line 18 contains a misspelled event handler `OnpOinTeReENer`. Corrected it properly.
2019-02-09 12:13:28 +05:30
g0tmi1k
7ed3f897df
Merge pull request #237 from s0md3v/patch-1
+5 payloads, some enhancements
2019-01-08 18:11:33 +00:00
Prinzhorn
1eae4d51f0 Strip HTML from LFI-LFISuite-pathtotest-huge.txt 2018-12-18 10:13:49 +01:00
g0tmi1k
47b1829910
Merge pull request #241 from g0tmi1k/ua
Added various User Agent strings
2018-11-26 10:09:44 +00:00
g0tmi1k
b99b0ed28f Added various User Agent strings
Source: https://developers.whatismybrowser.com/useragents/explore/
2018-11-26 09:56:22 +00:00
Somdev Sangwan
bb180d4e27
changed %3B to %26 (I'm sleep deprived sorry) 2018-11-21 14:53:27 +05:30
Somdev Sangwan
31167686f0
+5 payloads, some enhancements 2018-11-21 14:45:08 +05:30
Michael Henriksen
2dab37db43 Add best performing payloads from the XSS Polyglot Challenge 2018-11-01 07:37:16 +01:00
g0tmi1k
d68ba5f9ed Rename "_" -> "-" & found a few new homes 2018-10-15 13:08:10 +01:00
Somdev Sangwan
cebebee4b5
Create XSS-Somdev.txt 2018-10-15 02:13:17 +05:30
g0tmi1k
9f73b7e81a Add LFISuite
Source: https://github.com/D35m0nd142/LFISuite
2018-07-25 13:51:06 +01:00
Karan Saini
3911f92c82
Added numeric combinations
Text files of numeric combinations (with leading zeros) for use during enumeration
2018-04-08 00:54:51 +05:30
Daniel Miessler
25323690ce
Merge pull request #185 from ryan-wendel/master
Update XSS-JHADDIX.txt
2018-03-23 12:05:55 -07:00
Ryan Wendel
619f3afb71
Update XSS-JHADDIX.txt
Removed offensive term from wordlist.
2018-03-23 10:01:05 -06:00
g0tmi1k
3f79d071ce Quick move about 2018-03-21 17:47:29 +00:00
g0tmi1k
5278477235 Close #106 - XXE-Fuzzing / Grep PHP Auditing 2018-03-21 17:19:17 +00:00
g0tmi1k
401af588f6 Close #88 - Fuzzing List Integer fields
Source: https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/FuzzLists/numeric_fields_only.txt
2018-03-21 16:30:38 +00:00
g0tmi1k
7b6b792312 Close #69 - Fix SQLi Polyglot
Source: https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/

Source: https://twitter.com/SymbianSyMoh/status/707685783801454594
2018-03-21 16:29:03 +00:00
g0tmi1k
9ae73c2ceb Add "Big List of Naughty Strings"
Source: https://github.com/minimaxir/big-list-of-naughty-strings
2018-03-21 16:20:10 +00:00
g0tmi1k
26cf832f9d Close #152 - PHP base64 filter file read (XXE_Fuzzing) 2018-03-21 16:13:09 +00:00
g0tmi1k
d2282eee97 Added ] in (Fix #131) 2018-03-07 11:46:03 +00:00
g0tmi1k
7611257a60 Quick rename of files 2018-03-05 11:03:11 +00:00
g0tmi1k
7a55e1871c Remove pointless files. 2018-03-05 09:52:00 +00:00
Daniel Miessler
49a6d721ff
Merge pull request #128 from g0tmi1k/structure
Structure Clean Up
2018-03-04 12:23:06 -08:00
Daniel Miessler
7cf6e78ff5 Added Darkweb 10,100,1K,10K to Passwords. 2018-01-02 21:46:14 -08:00
g0tmi1k
25d4ac447e rename 's/_/-/g' 2017-08-23 14:55:06 +01:00
g0tmi1k
a97be9373e Started sorting "Miscellaneous/" & "Fuzzing/" 2017-07-11 13:53:16 +01:00
g0tmi1k
6f69a35b5e Started clean up on "Discovery/Web_Content" 2017-07-11 13:36:01 +01:00
Jason Haddix
02b09becc3 Rename NoSQL to NoSQL.txt 2017-06-28 11:25:52 -07:00