From d0d7aa5a606c94d12d1bb4103548df395f19f7eb Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Mon, 15 Oct 2018 13:07:39 +0100 Subject: [PATCH 1/3] Sort out README --- CONTRIBUTORS.md | 33 +++++++++++++++++++++++++++++++++ README.md | 42 ++++++------------------------------------ 2 files changed, 39 insertions(+), 36 deletions(-) create mode 100644 CONTRIBUTORS.md diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md new file mode 100644 index 00000000000..a49c70ba462 --- /dev/null +++ b/CONTRIBUTORS.md @@ -0,0 +1,33 @@ +## Thanks + +- Adam Muntner (@amuntner) and for the **FuzzDB** content, including all authors from the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb) [`./Fuzzing/*.fuzzdb.txt`] +- Ron Bowes (@iagox86) of **SkullSecurity** for collaborating and including all his lists here (https://wiki.skullsecurity.org/Passwords) +- Clarkson University for their research that led to the **Clarkson password** list [`./Passwords/clarkson-university-82.txt`] +- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us +- Ferruh Mavitina for the beginnings of the **LFI Fuzz** list +- Kevin Johnson for **Laudanum shells** (https://sourceforge.net/projects/laudanum/) [`./Web-Shells/laudanum-0.8/`] +- RSnake for **fierce DNS hostname** list [`./Discovery/DNS/fierce-hostlist.txt`] +- Charlie Campbell for **Spanish word list**, numerous other contributions +- Rob Fuller (@mubix) for the IZMY list [`./Passwords/Leaked-Databases/izmy.txt`] +- Mark Burnett for the **10 million passwords** list +- Steve Crapo for doing splitting work on a number of large lists +- Thanks to Blessen Thomas for recommending **Mario's/cure53's XSS vectors** +- Thanks to Danny Chrastil for submitting an anonymous **JSON fuzzing** list +- Many thanks to @geekspeed, @EricSB, @lukebeer, @patrickmollohan, @g0tmi1k, @albinowax, and @kurobeats for submitting via pull requests +- Special thanks to @shipCod3 for MANY contributions and for a **SSH user/pass** list +- Thanks to Samar Dhwoj Acharya for allowing his **GitHub Dorks** content to be included +- Thanks to Liam Somerville for the excellent list of **default passwords** +- Great thanks to Michael Henriksen for allowing us to include his **Gitrob project's signatures** +- Honored to have @Brutelogic's brilliant **XSS Cheatsheet** added to the Fuzzing section [`./Fuzzing/XSS*-BruteLogic.txt`] +- 0xsobky's **Ultimate XSS Polyglot** [`./Fuzzing/Polyglots/XSS-Polyglot-Ultimate-0xsobky.txt`] +- @otih for **bruteforce collected user/pass** lists [`./Passwords/Honeypot-Captures/multiplesources-passwords-fabian-fingerle.de.txt`] +- @govolution for **BetterDefaultPassList** (https://github.com/govolution/betterdefaultpasslist) [`./Passwords/Default-Credentials/*-betterdefaultpasslist.txt`] +- Max Woolf (@minimaxir) for **Big List of Naughty Strings** (https://github.com/minimaxir/big-list-of-naughty-strings) [`./Fuzzing/big-list-of-naughty-strings.txt`] +- Ian Gallagher (@craSH) for **HTTP Request Headers** [`./Miscellaneous/http-request-headers/`] +- Arvind Doraiswamy (@arvinddoraiswamy) for **numeric-fields-only** [`./Fuzzing/numeric_fields_only.txt`] +- @badibouzouk for **Domino Hunter** (https://sourceforge.net/projects/dominohunter/) [`./Discovery/Web-Content/Domino-Hunter/`] +- @coldfusion39 for **domi-owned** (https://github.com/coldfusion39/domi-owned) [`./Discovery/Web-Content/domino-*-coldfusion39.txt`] +- Ella Rose (@erose1337) for **security-question-answers** (https://github.com/erose1337/penetration_testing/tree/master/data) [`./Miscellaneous/security-question-answers/`] +- @D35m0nd142 for **LFISuite** (https://github.com/D35m0nd142/LFISuite) [`./Fuzzing/LFI-LFISuite-pathtotest*.txt`] + +This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know... diff --git a/README.md b/README.md index 104d41b00c2..08004193929 100755 --- a/README.md +++ b/README.md @@ -2,43 +2,13 @@ # About SecList -SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed. +SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed. This project is maintained by [Daniel Miessler](http://www.danielmiessler.com/ "Daniel Miessler") and [Jason Haddix](http://www.securityaegis.com "Jason Haddix"). -## Attribution - -- Adam Muntner (@amuntner) and for the **FuzzDB** content, including all authors from the FuzzDB project (https://github.com/fuzzdb-project/fuzzdb) [`./Fuzzing/*.fuzzdb.txt`] -- Ron Bowes (@iagox86) of **SkullSecurity** for collaborating and including all his lists here (https://wiki.skullsecurity.org/Passwords) -- Clarkson University for their research that led to the **Clarkson password** list [`./Passwords/clarkson-university-82.txt`] -- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us -- Ferruh Mavituna for the beginnings of the **LFI Fuzz** list -- Kevin Johnson for **Laudanum shells** (https://sourceforge.net/projects/laudanum/) [`./Web-Shells/laudanum-0.8/`] -- RSnake for **fierce DNS hostname** list [`./Discovery/DNS/fierce-hostlist.txt`] -- Charlie Campbell for **Spanish word list**, numerous other contributions -- Rob Fuller (@mubix) for the IZMY list [`./Passwords/Leaked-Databases/izmy.txt`] -- Mark Burnett for the **10 million passwords** list -- Steve Crapo for doing splitting work on a number of large lists -- Thanks to Blessen Thomas for recommending **Mario's/cure53's XSS vectors** -- Thanks to Danny Chrastil for submitting an anonymous **JSON fuzzing** list -- Many thanks to @geekspeed, @EricSB, @lukebeer, @patrickmollohan, @g0tmi1k, @albinowax, and @kurobeats for submitting via pull requests -- Special thanks to @shipCod3 for MANY contributions and for a **SSH user/pass** list -- Thanks to Samar Dhwoj Acharya for allowing his **GitHub Dorks** content to be included -- Thanks to Liam Somerville for the excellent list of **default passwords** -- Great thanks to Michael Henriksen for allowing us to include his **Gitrob project's signatures** -- Honored to have @Brutelogic's brilliant **XSS Cheatsheet** added to the Fuzzing section [`./Fuzzing/XSS*-BruteLogic.txt`] -- 0xsobky's **Ultimate XSS Polyglot** [`./Fuzzing/Polyglots/XSS-Polyglot-Ultimate-0xsobky.txt`] -- @otih for **bruteforce collected user/pass** lists [`./Passwords/Honeypot-Captures/multiplesources-passwords-fabian-fingerle.de.txt`] -- @govolution for **BetterDefaultPassList** (https://github.com/govolution/betterdefaultpasslist) [`./Passwords/Default-Credentials/*-betterdefaultpasslist.txt`] -- Max Woolf (@minimaxir) for **Big List of Naughty Strings** (https://github.com/minimaxir/big-list-of-naughty-strings) [`./Fuzzing/big-list-of-naughty-strings.txt`] -- Ian Gallagher (@craSH) for **HTTP Request Headers** [`./Miscellaneous/http-request-headers/`] -- Arvind Doraiswamy (@arvinddoraiswamy) for **numeric-fields-only** [`./Fuzzing/numeric_fields_only.txt`] -- @badibouzouk for **Domino Hunter** (https://sourceforge.net/projects/dominohunter/) [`./Discovery/Web-Content/Domino-Hunter/`] -- @coldfusion39 for **domi-owned** (https://github.com/coldfusion39/domi-owned) [`./Discovery/Web-Content/domino-*-coldfusion39.txt`] -- Ella Rose (@erose1337) for **security-question-answers** (https://github.com/erose1337/penetration_testing/tree/master/data) [`./Miscellaneous/security-question-answers/`] -- @D35m0nd142 for **LFISuite** (https://github.com/D35m0nd142/LFISuite) [`./Fuzzing/LFI-LFISuite-pathtotest*.txt`] - -This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know... +### Attribution + +See [CONTRIBUTORS.md](CONTRIBUTORS.md) ## Contributing @@ -46,10 +16,10 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) ## Licensing -This project is licensed under the MIT license. +This project is licensed under the [MIT license](LICENSE). ![MIT License](https://danielmiessler.com/images/mitlicense.png) — -NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks. +NOTE: Downloading this repository is likely to cause a false-positive alarm by your anti-virus or anti-malware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks. From d68ba5f9ed607fb67af6448092bf7a13e43f5285 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Mon, 15 Oct 2018 13:08:10 +0100 Subject: [PATCH 2/3] Rename "_" -> "-" & found a few new homes --- .../BurpSuite-ParamMiner/{lowercase_headers => lowercase-headers} | 0 .../BurpSuite-ParamMiner/{uppercase_headers => uppercase-headers} | 0 .../{Commands_Documents.txt => Commands-Documents.txt} | 0 .../Domino-Hunter/{Commands_NSF.txt => Commands-NSF.txt} | 0 .../Domino-Hunter/{Commands_Views.txt => Commands-Views.txt} | 0 Fuzzing/{3_digits_000-999.txt => 3-digits-000-999.txt} | 0 Fuzzing/{4_digits_0000-9999.txt => 4-digits-0000-9999.txt} | 0 Fuzzing/{5_digits_00000-99999.txt => 5-digits-00000-99999.txt} | 0 .../{6_digits_000000-999999.txt => 6-digits-000000-999999.txt} | 0 Miscellaneous/{resolvers.txt => dns-resolvers.txt} | 0 Miscellaneous/{Content_Type.txt => web/content-type.txt} | 0 .../http-request-headers-common-non-standard-examples.txt} | 0 .../http-request-headers-common-non-standard-fields.txt} | 0 .../http-request-headers-common-standard-examples.txt} | 0 .../http-request-headers-common-standard-fields.txt} | 0 Miscellaneous/{ => web}/session-id.txt | 0 16 files changed, 0 insertions(+), 0 deletions(-) rename Discovery/Web-Content/BurpSuite-ParamMiner/{lowercase_headers => lowercase-headers} (100%) rename Discovery/Web-Content/BurpSuite-ParamMiner/{uppercase_headers => uppercase-headers} (100%) rename Discovery/Web-Content/Domino-Hunter/{Commands_Documents.txt => Commands-Documents.txt} (100%) rename Discovery/Web-Content/Domino-Hunter/{Commands_NSF.txt => Commands-NSF.txt} (100%) rename Discovery/Web-Content/Domino-Hunter/{Commands_Views.txt => Commands-Views.txt} (100%) rename Fuzzing/{3_digits_000-999.txt => 3-digits-000-999.txt} (100%) rename Fuzzing/{4_digits_0000-9999.txt => 4-digits-0000-9999.txt} (100%) rename Fuzzing/{5_digits_00000-99999.txt => 5-digits-00000-99999.txt} (100%) rename Fuzzing/{6_digits_000000-999999.txt => 6-digits-000000-999999.txt} (100%) rename Miscellaneous/{resolvers.txt => dns-resolvers.txt} (100%) rename Miscellaneous/{Content_Type.txt => web/content-type.txt} (100%) rename Miscellaneous/{http-request-headers/http-request-headers-common-non-standard_examples.txt => web/http-request-headers/http-request-headers-common-non-standard-examples.txt} (100%) rename Miscellaneous/{http-request-headers/http-request-headers-common-non-standard_fields.txt => web/http-request-headers/http-request-headers-common-non-standard-fields.txt} (100%) rename Miscellaneous/{http-request-headers/http-request-headers-common-standard_examples.txt => web/http-request-headers/http-request-headers-common-standard-examples.txt} (100%) rename Miscellaneous/{http-request-headers/http-request-headers-common-standard_fields.txt => web/http-request-headers/http-request-headers-common-standard-fields.txt} (100%) rename Miscellaneous/{ => web}/session-id.txt (100%) diff --git a/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase_headers b/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers similarity index 100% rename from Discovery/Web-Content/BurpSuite-ParamMiner/lowercase_headers rename to Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers diff --git a/Discovery/Web-Content/BurpSuite-ParamMiner/uppercase_headers b/Discovery/Web-Content/BurpSuite-ParamMiner/uppercase-headers similarity index 100% rename from Discovery/Web-Content/BurpSuite-ParamMiner/uppercase_headers rename to Discovery/Web-Content/BurpSuite-ParamMiner/uppercase-headers diff --git a/Discovery/Web-Content/Domino-Hunter/Commands_Documents.txt b/Discovery/Web-Content/Domino-Hunter/Commands-Documents.txt similarity index 100% rename from Discovery/Web-Content/Domino-Hunter/Commands_Documents.txt rename to Discovery/Web-Content/Domino-Hunter/Commands-Documents.txt diff --git a/Discovery/Web-Content/Domino-Hunter/Commands_NSF.txt b/Discovery/Web-Content/Domino-Hunter/Commands-NSF.txt similarity index 100% rename from Discovery/Web-Content/Domino-Hunter/Commands_NSF.txt rename to Discovery/Web-Content/Domino-Hunter/Commands-NSF.txt diff --git a/Discovery/Web-Content/Domino-Hunter/Commands_Views.txt b/Discovery/Web-Content/Domino-Hunter/Commands-Views.txt similarity index 100% rename from Discovery/Web-Content/Domino-Hunter/Commands_Views.txt rename to Discovery/Web-Content/Domino-Hunter/Commands-Views.txt diff --git a/Fuzzing/3_digits_000-999.txt b/Fuzzing/3-digits-000-999.txt similarity index 100% rename from Fuzzing/3_digits_000-999.txt rename to Fuzzing/3-digits-000-999.txt diff --git a/Fuzzing/4_digits_0000-9999.txt b/Fuzzing/4-digits-0000-9999.txt similarity index 100% rename from Fuzzing/4_digits_0000-9999.txt rename to Fuzzing/4-digits-0000-9999.txt diff --git a/Fuzzing/5_digits_00000-99999.txt b/Fuzzing/5-digits-00000-99999.txt similarity index 100% rename from Fuzzing/5_digits_00000-99999.txt rename to Fuzzing/5-digits-00000-99999.txt diff --git a/Fuzzing/6_digits_000000-999999.txt b/Fuzzing/6-digits-000000-999999.txt similarity index 100% rename from Fuzzing/6_digits_000000-999999.txt rename to Fuzzing/6-digits-000000-999999.txt diff --git a/Miscellaneous/resolvers.txt b/Miscellaneous/dns-resolvers.txt similarity index 100% rename from Miscellaneous/resolvers.txt rename to Miscellaneous/dns-resolvers.txt diff --git a/Miscellaneous/Content_Type.txt b/Miscellaneous/web/content-type.txt similarity index 100% rename from Miscellaneous/Content_Type.txt rename to Miscellaneous/web/content-type.txt diff --git a/Miscellaneous/http-request-headers/http-request-headers-common-non-standard_examples.txt b/Miscellaneous/web/http-request-headers/http-request-headers-common-non-standard-examples.txt similarity index 100% rename from Miscellaneous/http-request-headers/http-request-headers-common-non-standard_examples.txt rename to Miscellaneous/web/http-request-headers/http-request-headers-common-non-standard-examples.txt diff --git a/Miscellaneous/http-request-headers/http-request-headers-common-non-standard_fields.txt b/Miscellaneous/web/http-request-headers/http-request-headers-common-non-standard-fields.txt similarity index 100% rename from Miscellaneous/http-request-headers/http-request-headers-common-non-standard_fields.txt rename to Miscellaneous/web/http-request-headers/http-request-headers-common-non-standard-fields.txt diff --git a/Miscellaneous/http-request-headers/http-request-headers-common-standard_examples.txt b/Miscellaneous/web/http-request-headers/http-request-headers-common-standard-examples.txt similarity index 100% rename from Miscellaneous/http-request-headers/http-request-headers-common-standard_examples.txt rename to Miscellaneous/web/http-request-headers/http-request-headers-common-standard-examples.txt diff --git a/Miscellaneous/http-request-headers/http-request-headers-common-standard_fields.txt b/Miscellaneous/web/http-request-headers/http-request-headers-common-standard-fields.txt similarity index 100% rename from Miscellaneous/http-request-headers/http-request-headers-common-standard_fields.txt rename to Miscellaneous/web/http-request-headers/http-request-headers-common-standard-fields.txt diff --git a/Miscellaneous/session-id.txt b/Miscellaneous/web/session-id.txt similarity index 100% rename from Miscellaneous/session-id.txt rename to Miscellaneous/web/session-id.txt From 4c09aaf6c0adbc5599fcb011baab63c5d0ec76a7 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Mon, 15 Oct 2018 13:08:28 +0100 Subject: [PATCH 3/3] Add IP address header fields Source: https://stackoverflow.com/questions/1384410/php-getenvremote-addr-serious-side-effects --- .../http-request-headers-common-ip-address.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Miscellaneous/web/http-request-headers/http-request-headers-common-ip-address.txt diff --git a/Miscellaneous/web/http-request-headers/http-request-headers-common-ip-address.txt b/Miscellaneous/web/http-request-headers/http-request-headers-common-ip-address.txt new file mode 100644 index 00000000000..1e60499c19e --- /dev/null +++ b/Miscellaneous/web/http-request-headers/http-request-headers-common-ip-address.txt @@ -0,0 +1,5 @@ +HTTP_FORWARDED +HTTP_CLIENT_IP +HTTP_FORWARDED_FOR +HTTP_X_FORWARDED +HTTP_X_FORWARDED_FOR