Merge pull request #639 from Eferus/master
Reorganize Domain Confusion list in SSRF
commit
63f93aedc6
@ -120,26 +120,17 @@ attacker。com
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
|
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
|
||||||
http://{domain}@attacker.com
|
# Try replacing https by http
|
||||||
http://{domain}%6D@attacker.com
|
# Try URL-encoded characters
|
||||||
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
|
|
||||||
http://attacker.com#{domain}
|
|
||||||
http://{domain}.attacker.com
|
|
||||||
http://attacker.com/{domain}
|
|
||||||
http://attacker.com/?d={domain}
|
|
||||||
https://{domain}@attacker.com
|
https://{domain}@attacker.com
|
||||||
https://attacker.com#{domain}
|
|
||||||
https://{domain}.attacker.com
|
https://{domain}.attacker.com
|
||||||
|
https://{domain}%6D@attacker.com
|
||||||
https://attacker.com/{domain}
|
https://attacker.com/{domain}
|
||||||
https://attacker.com/?d={domain}
|
https://attacker.com/?d={domain}
|
||||||
http://{domain}@attacker.com
|
https://attacker.com#{domain}
|
||||||
http://attacker.com#{domain}
|
https://attacker.com@{domain}
|
||||||
http://{domain}.attacker.com
|
https://attacker.com#@{domain}
|
||||||
http://attacker.com/{domain}
|
https://attacker.com%23@{domain}
|
||||||
http://attacker.com/?d={domain}
|
|
||||||
http://attacker.com%00{domain}
|
|
||||||
http://attacker.com?{domain}
|
|
||||||
http://attacker.com///{domain}
|
|
||||||
https://attacker.com%00{domain}
|
https://attacker.com%00{domain}
|
||||||
https://attacker.com%0A{domain}
|
https://attacker.com%0A{domain}
|
||||||
https://attacker.com?{domain}
|
https://attacker.com?{domain}
|
||||||
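Review bot: The new comment `# Try replacing https by http` at the top of the block stands in for the explicit `http://` entries removed below it, but one of those, `http://attacker.com///{domain}`, has no `https://` counterpart among the context or added lines visible in this hunk. Please confirm the triple-slash form is still listed outside this hunk, otherwise the reorganization silently drops a case instead of only deduplicating. The second new comment, `# Try URL-encoded characters`, would read better if it sat next to the entry it describes; `https://{domain}%6D@attacker.com` is the only encoded-letter example kept, and it now appears several lines below the comment.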
@ -153,6 +144,7 @@ https://attacker.com\@@{domain}
|
|||||||
https://attacker.com:\@@{domain}
|
https://attacker.com:\@@{domain}
|
||||||
https://attacker.com#\@{domain}
|
https://attacker.com#\@{domain}
|
||||||
https://attacker.com\anything@{domain}/
|
https://attacker.com\anything@{domain}/
|
||||||
|
https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com
|
||||||
|
|
||||||
# On each IP position try to put 1 attackers domain and the others the victim domain
|
# On each IP position try to put 1 attackers domain and the others the victim domain
|
||||||
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
||||||
|
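Review bot: The relocated line `https://www.victim.com(\u2044)some(\u2044)path(\u2044)(\u0294)some=param(\uff03)hash@attacker.com` still hard-codes `www.victim.com`, while every other entry in this hunk uses the `{domain}` placeholder. Since the line is being moved anyway, switch it to `{domain}` so the list stays consistent. The parenthesised `(\uXXXX)` notation also has no explanatory comment, unlike the `# On each IP position ...` line that follows it; a one-line comment saying each escape stands for a single Unicode character would make the entry readable without guessing.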