From cf6ed306d2c79f472bac7a780d1c3343678aeab3 Mon Sep 17 00:00:00 2001
From: e
Date: Mon, 10 Aug 2015 09:19:30 -0700
Subject: [PATCH] Add file inclusion with null byte exception, and a chrome XSS bypass courtesy of brutelogic
---
 blns.json | 7 +++++--
 blns.txt | 10 +++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/blns.json b/blns.json
index 570b398..4db5671 100644
--- a/blns.json
+++ b/blns.json
@@ -91,7 +91,10 @@
 "00˙Ɩ$-",
 "",
 "",
+ "",
 "1;DROP TABLE users",
 "1'; DROP TABLE users--",
- "/dev/null; rm -rf /*; echo"
-]
\ No newline at end of file
+ "/dev/null; rm -rf /*; echo",
+ "../../../../../../../../../../../etc/passwd%00",
+ "../../../../../../../../../../../etc/hosts"
+]
diff --git a/blns.txt b/blns.txt
index c6b68b9..9e31459 100644
--- a/blns.txt
+++ b/blns.txt
@@ -169,6 +169,7 @@ Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
+
 # SQL Injection
 #
@@ -181,4 +182,11 @@ Z̮̞̠͙͔ͅḀ̗̞͈̻̗Ḷ͙͎̯̹̞͓G̻O̭̗̮
 #
 # Strings which can cause user to run code on server as a privileged user (c.f. https://news.ycombinator.com/item?id=7665153)
-/dev/null; rm -rf /*; echo
\ No newline at end of file
+/dev/null; rm -rf /*; echo
+
+# File Inclusion
+#
+# Strings which can cause user to pull in files that should not be a part of a web server
+
+../../../../../../../../../../../etc/passwd%00
+../../../../../../../../../../../etc/hosts
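Review bot: The new `# File Inclusion` comment in the last blns.txt hunk does not explain the `%00` suffix, which is a percent-encoded null byte and acts as one only where the consumer URL-decodes the string; elsewhere it is a literal three-character suffix. The description line is also vague about what is being tested, so I would reword it to `# Strings which can cause a server to read files outside its web root` and add `# (%00 is a URL-encoded null byte; it has an effect only after decoding)`. The same two strings go into blns.json in the first hunk, where no comment is possible, so the explanation belongs here.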