Backup_Repos/SecLists
1
0
Fork 0
mirror of https://github.com/danielmiessler/SecLists synced 2025-12-06 08:53:59 +01:00
Code Issues Projects Releases Wiki Activity
2124 commits 2 branches 30 tags 2.2 GiB
Commit graph

258 commits

Author SHA1 Message Date
Mo Langning
1cdd4b9906
Update os-names-mutation.txt 2023-11-03 09:37:59 +08:00
Mo Langning
63b85cbdf1
Update os-names-mutation.txt 2023-11-03 09:33:14 +08:00
Mo Langning
31f04833aa
Os-names but with mutation 2023-11-03 09:29:09 +08:00
Mo Langning
764155f83f
Update os-names.txt 
stripped extra space
space
 2023-11-03 09:12:13 +08:00
Mo Langning
1588c54106
Create os-names.txt 2023-11-03 09:04:27 +08:00
Sébastien Copin
44e92240a7 Add HTTP versb TRACK and DEBUG 
Especially used in IIS servers.

Sources:
- https://nmap.org/nsedoc/scripts/http-aspnet-debug.html
- https://techcommunity.microsoft.com/t5/iis-support-blog/http-track-and-trace-verbs/ba-p/784482
 2023-10-17 12:39:22 +02:00
Ignacio J. Perez Portal
306339aff6 feat(wordlist): Added LFI-linux-and-windows_by-1N3@CrowdShield.txt 
This wordlist has duplicate lines removed, and normalized Windows paths
 2023-10-10 09:15:00 -03:00
Dominique RIGHETTO
55c4988410
Rename OracleSID.txt to OracleDB-SID.txt 2023-10-08 19:26:29 +02:00
Dominique RIGHETTO
f81a9803f8
Add file 2023-10-08 19:17:49 +02:00
Stefan
96940203b1
Update LFI-gracefulsecurity-linux.txt 
Includes older SSH key format "ECDSA"
 2023-09-06 14:21:17 -04:00
not main acc
e36dfa24fa
Create OMI-Agent-Linux.txt 
from (my mistaken) issue: https://github.com/danielmiessler/SecLists/issues/891#issuecomment-1679646712
 2023-08-20 23:57:17 +02:00
Adil Nadeem Babras
460b207a07
List of File Extensions 
Source: Wikipedia
 2023-08-16 03:38:18 +05:00
Sonata Green
635f59acdc
more human injection; new LLM section 
(1) more human injection strings
(2) added a section for attacks against LLMs
 2023-05-29 19:47:45 +00:00
g0tmi1k
afc5439c00
Merge pull request #870 from ivan-sincek/master 
Hexadecimal ASCII and Hexadecimal Unicode

Source: https://github.com/ivan-sincek/amounts
 2023-05-16 07:51:53 +01:00
ClutchTech
fb4298a4cb Update LFI-gracefulsecurity-linux.txt 2023-04-23 22:00:00 -04:00
Ivan Šincek
2121ac1bbb Hexadecimal ASCII and Hexadecimal Unicode 
Added few more representations of numerical values.
 2023-04-18 13:44:57 +02:00
Sébastien Copin
18120d94f2 Add PHP magic methods list 
See: https://www.php.net/manual/en/language.oop5.magic.php
 2023-02-21 21:01:07 +01:00
g0tmi1k
cd30475c1a
Merge pull request #824 from cosad3s/master 
fuzz-Bo0oM.txt: "WAF friendly" version
 2022-11-22 12:22:36 +00:00
Sébastien Copin
db6c286085 fuzz-Bo0oM.txt: "WAF friendly" version 
sed  -r '/(passwd|.htaccess|.asa|.ini|var\/log|%252e%252e|%2e%2e|^\..+)/d' ./fuzz-Bo0oM.txt > ./fuzz-Bo0oM-friendly.txt

Tested against Akamai. For less "Access Denied" issues.
 2022-11-01 16:54:15 +01:00
Miguel Gómez
ec227174cd
Update LFI-Jhaddix.txt 
Double URL-encode '../' with %252e%252e%252f
 2022-09-27 16:36:41 -05:00
Taleb Qasem
b5116c1031
Update LFI-gracefulsecurity-windows.txt 
Added word list from (https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows).
 2022-08-02 16:25:02 +06:00
g0tmi1k
b49003fdbc
Merge pull request #785 from nicholas-long/master 
Create list of files in that could go in /etc for fuzzing
 2022-08-02 07:22:22 +01:00
g0tmi1k
7c82ca12db
Merge pull request #702 from TheTechromancer/master 
Added devops extensions - .test, .qa., etc. to Fuzzing/extensions-Bo0oM.txt
 2022-08-02 06:59:33 +01:00
g0tmi1k
4c29963899
Merge pull request #706 from D3vil0per/patch-1 
Create country-codes.txt

Source: https://www.iso.org/obp/ui/#search
 2022-08-02 06:59:08 +01:00
g0tmi1k
c0be11b9e4
Merge pull request #769 from ivan-sincek/master 
Fuzz amounts, quantities, or any other numerical values.

Source: https://research.nccgroup.com/wp-content/uploads/2020/07/common_security_issues_in_financially-orientated_web.pdf

https://github.com/ivan-sincek/amounts
 2022-08-02 06:43:14 +01:00
g0tmi1k
3217b9b8f2
Merge pull request #774 from bigshika/envIds 
Add common Environment identifiers
 2022-08-02 06:39:31 +01:00
Taleb Qasem
294ee04ad3
Update LFI-gracefulsecurity-linux.txt 
Removed 3 duplicates (/etc/passwd, /etc/mod, and /etc/php4/apache2/php.ini). Then added word list from (https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux).
 2022-07-27 21:16:50 +06:00
Nicholas Long
ca4f454d13 update auto commit message, rename wordlist and references to it, title case in markdown headings 2022-07-25 16:26:11 +00:00
nicholas-long
5850a8a1fb update autogenerated files 2022-07-12 23:27:17 +00:00
nicholas-long
3c181f15fe all files installed into etc by all deb packages from the debian and ubuntu apt repositories 2022-06-28 00:57:39 -05:00
Sana O
795bd9e37b Add sandbox, sb and stage 2022-06-27 12:31:20 +12:00
Sana O
f1613446e9 Add common 2 letter environment abbreviations 2022-06-23 14:48:28 +12:00
root
28152a11f3 Added README 2022-06-21 08:05:20 +02:00
root
1753648b46 More Wordlists Added 2nd 2022-06-20 23:54:15 +02:00
root
0e73109916 More Wordlists Added 2022-06-20 23:49:32 +02:00
root
d9c1ab4d08 Update Amounts 2022-06-20 22:01:18 +02:00
root
45abeea9ae Added Amounts 2022-06-20 21:30:28 +02:00
D3vil0per
3369b7df87
Update country-codes.txt 
Added uppercase codes
 2022-04-26 19:50:07 +02:00
g0tmi1k
635fadadf8
Merge pull request #708 from D3vil0per/patch-2 
Added methods from IANA source

Source: http://www.iana.org/assignments/http-methods/http-methods.xhtml#methods
 2022-04-26 17:26:16 +01:00
indigo-sadland
694b4873eb
Nginx merge slashes path traversal vulnerability payload 2022-04-18 00:26:27 -07:00
indigo-sadland
46671534b5
unicode encoded lfi payload 2022-04-16 19:26:33 +03:00
indigo-sadland
6117632c0d
unicode encoded lfi payload 2022-04-16 19:05:01 +03:00
indigo-sadland
c49917ce1a
unicode encoded lfi payload 2022-04-16 18:58:45 +03:00
indigo-sadland
ce75be351d
unicode encoded lfi payload 2022-04-16 18:50:38 +03:00
D3vil0per
7a42879a46
Added methods from IANA source 
Source: http://www.iana.org/assignments/http-methods/http-methods.xhtml#methods
 2022-04-02 14:25:20 +02:00
D3vil0per
3ad6e8ff8c
Create country-codes.txt 
According to the ISO 3166-1 standard. Useful for fuzzing elements like usernames as 'support-us' 'admin.us' 'helpdesk-US' and so on.
 2022-03-26 22:54:02 +01:00
TheTechromancer
a8d0850534 added devops extensions - .text, .qa. etc. 2022-03-03 11:23:21 -05:00
g0tmi1k
c54e07f5d8
Merge pull request #671 from righettod/feature_issue_654 
PR for issue 654 (environment identifiers dict)
 2022-02-02 23:39:00 +00:00
Dominique RIGHETTO
9e778c6046
Add results from FR + BE sub domains 2021-11-26 11:48:46 +01:00
Dominique RIGHETTO
f86abe0dde
Add new entries after extraction from LU domains from MAjestic file 
See PR comment
 2021-11-24 14:00:08 +01:00
elitejake
3c543908bf
Add PURGE method 2021-11-24 11:19:38 +00:00
Dominique RIGHETTO
55dcca61cf
Sorting ASC 2021-11-24 11:57:48 +01:00
Dominique RIGHETTO
57fa66e37e
Enrich with results from auchan.lu 2021-11-24 11:46:57 +01:00
Dominique RIGHETTO
d68129fe2d
Add missing entries from sgbt.lu 2021-11-24 11:44:29 +01:00
Dominique RIGHETTO
9b653b08af
Enrich with sgbt.lu results 
Cmd: `curl -sk "https://crt.sh/?q=sgbt.lu&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u`
 2021-11-24 11:42:45 +01:00
Dominique RIGHETTO
6d37719fd4
Enrich with total.com sub domains results 
Command: `curl -sk "https://crt.sh/?q=total.com&output=json" | jq -r ".[].name_value" | cut -d'.' -f1 | sort -u`
 2021-11-24 11:41:17 +01:00
Dominique RIGHETTO
0c61f25372
Add UAG 2021-11-24 11:33:31 +01:00
Dominique RIGHETTO
9d3ac03fd0
Initial adding 2021-11-24 11:25:10 +01:00
g0t mi1k
6b00e5cf53 Fix formatting 2021-11-24 10:13:43 +00:00
g0tmi1k
4030e1b6ce
Merge pull request #660 from noraj/patch-1 
Update fuzz-Bo0oM.txt

Source: https://github.com/Bo0oM/fuzz.txt/blob/master/fuzz.txt
 2021-11-24 09:53:58 +00:00
Dominique RIGHETTO
6e3e64f1f5
Add IBM MQSeries common channel names 2021-11-17 09:33:49 +01:00
Alexandre ZANNI
484ab9e986
Update fuzz-Bo0oM.txt 2021-10-07 11:03:42 +02:00
g0t mi1k
efeb38808c Replace ' ' with ' ' (Empty Characters) 2021-08-28 21:05:13 +01:00
g0tmi1k
177f25ba69
Merge pull request #625 from cbk914/master 
Some additions

Source: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
 2021-08-27 21:14:37 +01:00
Gabriel
fb613f25bf
Add "-" and remove duplicate "_" entry 
Fixes #612
 2021-07-13 14:42:14 +01:00
cbk914
9a871facf1
Merge branch 'danielmiessler:master' into master 2021-06-26 23:06:55 +02:00
Annihilat0r
495c8a6c3f
Add NoSQL payload 2021-05-29 13:21:29 +03:00
cbk914
cb4febae37 Merge branch 'danielmiessler:master' into master 2021-05-11 16:10:42 +02:00
Alex G
66e5827639
Add master.mdf MSSQL path to Windows LFI 2021-02-19 22:42:27 +01:00
g0tmi1k
6372096eab
Merge pull request #561 from kazkansouh/ldap-fuzzing 
Standard LDAP attribute and classes lists

Source: ldapsearch -s base -b cn=Subschema  "(objectclass=*)" attributetypes -LLL | sed -e ':x N ; s/\n // ; tx ; P ; s/^.*\n//; tx' | grep -e '^a' | cut -d "'" -f 2 | sort -u
 2021-02-11 21:25:40 +00:00
g0tmi1k
af40e7f267
Merge pull request #519 from arjunshibu/master 
Added http-request-methods.txt
 2021-02-11 20:27:53 +00:00
Karim Kanso
840067b851 add standard ldap attribute and classes lists 2021-01-20 15:38:59 +00:00
cbk914
003bfef95f
Merge pull request #6 from danielmiessler/master 
Update
 2020-11-12 02:44:53 +01:00
cbk914
d2a20595fc Update 2020-11-05 16:41:54 +01:00
g0t mi1k
d4ebb09709 dos2unix 2020-11-04 11:45:59 +00:00
Chris H
08925a1fae
Update email-top-100-domains.txt 
added missing mail domain
 2020-11-03 13:06:10 +01:00
g0tmi1k
6d164b9672
Merge pull request #527 from soufianetahiri/master 
Added actuator default paths and created new XSS fuzzing list

Source: https://docs.spring.io/spring-boot/docs/1.5.x/reference/html/production-ready-endpoints.html
 2020-11-03 11:39:11 +00:00
Soufiane Tahiri
a100ade82e
Create XSS-Fuzzing 
High rate hit XSS payloads
 2020-10-23 10:56:16 +02:00
cbk914
ae8aabcfed Merge branch 'master' of https://github.com/cbk914/SecLists 2020-09-30 16:37:47 +02:00
Arjun Shibu
9d298b2121
Create http-request-methods.txt 
Useful for fuzzing endpoints
 2020-09-25 20:06:30 +05:30
Luke Paris
52f1658a0c
Removed destructive SQL statements 
Those two lines are downright irresponsible, someone is going to use this list to fuzz a web application and accidentally nuke a production database.
 2020-09-17 15:02:40 +02:00
g0tmi1k
f1f3750803
Merge pull request #480 from haxxinen/patch-1 
Create quick-SQLi.txt
 2020-09-16 07:29:18 +01:00
g0tmi1k
c5ba0f44e4
Merge pull request #493 from daehee/master 
XSS payloads from OFJAAAH

Source: https://ghostbin.co/paste/qo23j
 2020-09-16 07:27:07 +01:00
g0tmi1k
0b7d119f74
Merge pull request #501 from righettod/master 
Add payloads to identify the template engine used

- https://portswigger.net/research/server-side-template-injection
- https://github.com/epinna/tplmap
 2020-09-16 07:23:39 +01:00
Daniel Neal
68fe48d9dd
Add string js or injection 2020-09-14 21:55:24 -07:00
Dominique RIGHETTO
1361ac96c1
Fix typos 2020-09-14 14:30:00 +02:00
Dominique RIGHETTO
1c2fb11278
Add file with special vars used by template engines 
The objective is to identify the engine once an expression evaluation pattern was identified.
 2020-09-14 14:28:12 +02:00
Dominique RIGHETTO
234dfabf72
Add an expression using expression inlining for Thymeleaf 
See https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#expression-inlining
Added it because I have discovered that, when StringTemplateResolver is used, then expression like ${42*42} is not resolved
 2020-09-13 11:04:15 +02:00
Dominique RIGHETTO
ba87953a08
Add expression for Velocity engine 2020-09-13 09:33:41 +02:00
Daehee Park
850d3b10f1 XSS payloads from OFJAAAH 2020-08-30 14:40:59 -07:00
cbk914
e06aacd937 Revert "Merge pull request #4 from danielmiessler/master" 
This reverts commit c266835781, reversing
changes made to fd4968f43b.
 2020-08-11 14:25:56 +02:00
haxxinen
783b5edf73
Create quick-SQLi.txt 2020-08-06 10:35:03 +02:00
Dominique RIGHETTO
00f10f8513
Add character that can break a MongoDB query when JS expression is used 2020-07-18 18:00:24 +02:00
PinkDraconian
cf1ca8ec62
Added scientific notation entries 2020-06-16 12:36:29 +02:00
PinkDraconian
8679c2d6fe
Added true and false to the fuzzing list 
Changing json field to true or false could have interesting results on an endpoint when fuzzing.
 2020-06-16 12:21:04 +02:00
g0tmi1k
d76b8f6691
Merge pull request #452 from noraj/patch-1 
Create LFI-gracefulsecurity-windows.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/
 2020-06-12 09:57:44 +01:00
g0tmi1k
b2865e0492
Merge pull request #453 from noraj/patch-2 
Create LFI-gracefulsecurity-linux.txt

Source: https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
 2020-06-12 09:57:09 +01:00
sheimo
6757058b8c
Create sqli.auth.bypass.txt 
This is a thorough SQL injection authentication bypass list. Each source below was combined to a text file and sorted.

Source: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Source: http://www.lifeoverpentest.com/2018/03/sql-injection-login-bypass-cheat-sheet.html
 2020-06-11 23:24:34 -05:00
Alexandre ZANNI
7dd955a544
Create LFI-gracefulsecurity-linux.txt 2020-06-11 16:49:45 +02:00
Alexandre ZANNI
6945f3e779
Create LFI-gracefulsecurity-windows.txt 2020-06-11 16:48:39 +02:00