# Built-in injection templates, one string each, in the comma-separated
# "targetMethod,injectionType,injectionTarget,injectionValue" layout that the
# first entry documents.  Entries beginning with "#" stay in the list as
# notes / disabled templates; presumably the consumer skips them (confirm
# against the loader).  Placeholders: "%s" is substituted by the caller
# (presumably the out-of-band callback host -- TODO confirm) and "%h" is
# replaced with the request's Host header, per the note inside the list.
# NOTE(review): an injectionValue may itself contain commas (see the
# User-Agent template), so whatever parses these lines presumably splits on
# at most three commas -- verify.

# Query-parameter targets.  Only the "u" parameter is enabled by default;
# the rest are commented out and serve as a menu of common redirect/fetch
# parameter names.
_PARAM_INJECTIONS = [
    "#format:targetMethod,injectionType,injectionTarget,injectionValue",
    "#use * as targetMethod for all methods (dangerous)",
    "GET,param,u,http://%s/",
    "#GET,param,href,http://%s/",
    "#GET,param,action,http://%s/",
    "#GET,param,host,%s",
    "#GET,param,http_host,%s",
    "#GET,param,email,root@%s",
    "#GET,param,url,http://%s/",
    "#GET,param,load,http://%s/",
    "#GET,param,preview,http://%s/",
    "#GET,param,target,http://%s/",
    "#GET,param,proxy,http://%s/",
    "#GET,param,from,http://%s/",
    "#GET,param,src,http://%s/",
    "#GET,param,ref,http://%s/",
    "#GET,param,referrer,http://%s/",
]

# Request-header targets.  The "spoofed.%s" client-IP family is enabled by
# default; the host/origin-style headers are left commented out because
# rewriting them can change how the target routes the request.
_HEADER_INJECTIONS = [
    "# %h is replaced with corresponding Host header",
    "# Useful in cases like Host, Origin, etc.",
    "#GET,header,Host,%s:80@%h",
    "GET,header,Contact,root@%s",
    "GET,header,From,root@%s",
    "GET,header,User-Agent,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@%s",
    "GET,header,Referer,http://%s/ref",
    "#GET,header,X-Original-URL,http://%s/",
    "GET,header,X-Wap-Profile,http://%s/wap.xml",
    "#GET,header,Profile,http://%s/wap.xml",
    "#GET,header,X-Arbitrary,http://%s/",
    "#GET,header,X-HTTP-DestinationURL,http://%s/",
    "#GET,header,X-Forwarded-Proto,http://%s/",
    "#GET,header,Origin,http://%s",
    "#GET,header,X-Forwarded-Host,%s",
    "#GET,header,X-Forwarded-Server,%s",
    "#GET,header,X-Host,%s",
    "#GET,header,Proxy-Host,%s",
    "#GET,header,Destination,%s",
    "#GET,header,Proxy,http://%s",
    "#GET,header,Via,1.1 %s",
    "GET,header,X-Forwarded-For,spoofed.%s",
    "GET,header,True-Client-IP,spoofed.%s",
    "GET,header,Client-IP,spoofed.%s",
    "GET,header,X-Client-IP,spoofed.%s",
    "GET,header,X-Real-IP,spoofed.%s",
    "GET,header,X-Originating-IP,spoofed.%s",
    "GET,header,CF-Connecting_IP,spoofed.%s",
    "GET,header,Forwarded,for=spoofed.%s;by=spoofed.%s;host=spoofed.%s",
]

# Public constant: parameter templates first, then header templates, in the
# original order.
DEFAULT_INJECTIONS = _PARAM_INJECTIONS + _HEADER_INJECTIONS