A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
0xsry0 343d63f79f
Quick fix for WSUS malicious patch
Not sure if it is deprecated but by tackling the box Outdated on HTB, the command didn't work with two `&&`. To concatenate `"net user WSUSDemo Password123! /add ` and `net localgroup administrators WSUSDemo /add\""`, the `^&` is required.
2022-08-24 09:10:55 +02:00
_template_vuln SAML exploitation + ASREP roasting + Kerbrute 2019-03-24 13:16:23 +01:00
.github Shadow Credentials 2022-08-05 12:00:41 +02:00
Account Takeover Certifried CVE-2022-26923 2022-05-13 09:44:51 +02:00
API Key Leaks TruffleHog examples + Cortex XDR disable 2022-04-14 09:42:15 +02:00
AWS Amazon Bucket S3 Update README.md 2021-11-23 14:04:53 -03:00
Command Injection added new bypass 2022-03-30 03:16:37 -04:00
CORS Misconfiguration Fix typos 2020-12-13 04:34:10 +11:00
CRLF Injection CORS and CRLF README.md updated 2020-10-25 11:07:50 +01:00
CSRF Injection Add multipart/form-data CSRF technique 2022-08-17 09:29:05 +12:00
CSV Injection Updating Reference section hyperlinks 2022-08-15 11:15:33 +05:30
CVE Exploits AD + Log4shell + Windows Startup 2021-12-16 09:52:51 +01:00
Dependency Confusion Windows Management Instrumentation Event Subscription 2022-04-24 15:01:18 +02:00
Directory Traversal MSSQL Agent Command Execution 2022-03-10 11:05:17 +01:00
DNS Rebinding Add DNS rebinding 2021-10-27 16:19:56 -04:00
File Inclusion LFI2RCE - Picture Compression - SOCKS5 CS 2022-08-21 16:38:54 +02:00
GraphQL Injection fix: Fix spelling 2022-08-09 11:02:21 +02:00
HTTP Parameter Pollution fix: Fix spelling 2022-08-09 11:02:21 +02:00
Insecure Deserialization Add warning about cPickle 2022-04-18 20:58:14 +02:00
Insecure Direct Object References Command injection rewritten 2019-04-21 19:50:50 +02:00
Insecure Management Interface Add Springboot Actuator RCE 2020-10-28 12:05:12 -04:00
Insecure Source Code Management Fix ToC 2021-02-04 00:47:00 +11:00
Java RMI samAccountName spoofing + Java RMI 2021-12-13 20:42:31 +01:00
JSON Web Token fix: Fix spelling 2022-08-09 11:02:21 +02:00
Kubernetes fix: Fix spelling 2022-08-09 11:02:21 +02:00
LaTeX Injection LaTeX Injection catcode 2022-02-22 15:57:04 +01:00
LDAP Injection Dependency Confusion + LDAP 2021-07-04 13:32:32 +02:00
Methodology and Resources Quick fix for WSUS malicious patch 2022-08-24 09:10:55 +02:00
NoSQL Injection Update README.md 2022-06-17 17:05:18 +09:00
OAuth Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 21:34:09 +02:00
Open Redirect fix: Fix spelling 2022-08-09 11:02:21 +02:00
Race Condition fix: Fix spelling 2022-08-09 11:02:21 +02:00
Request Smuggling Add PortSwigger http-desync reborn article 2021-01-17 04:23:38 +11:00
SAML Injection Add ZAP Addon in Tools 2022-05-01 00:47:18 +09:00
Server Side Request Forgery Added information on 307 and 308 redirects 2022-05-19 12:55:11 +03:00
Server Side Template Injection Update java ssti 2022-08-19 16:22:39 +02:00
SQL Injection fix: Fix spelling 2022-08-09 11:02:21 +02:00
Tabnabbing Fix typos 2020-12-13 04:34:10 +11:00
Type Juggling fix: Fix spelling 2022-08-09 11:02:21 +02:00
Upload Insecure Files LFI2RCE - Picture Compression - SOCKS5 CS 2022-08-21 16:38:54 +02:00
Web Cache Deception fix: Fix spelling 2022-08-09 11:02:21 +02:00
Web Sockets Update README.md 2022-06-30 10:37:41 -07:00
XPATH Injection Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00
XSLT Injection fix: Fix spelling 2022-08-09 11:02:21 +02:00
XSS Injection fix: Fix more spelling 2022-08-09 11:05:40 +02:00
XXE Injection Update XXE Injection 2021-10-18 10:13:30 +02:00
.gitignore Shell IPv6 + Sandbox credential 2019-01-07 18:15:45 +01:00
BOOKS.md fix: Fix spelling 2022-08-09 11:02:21 +02:00
CONTRIBUTING.md PR Guidelines + User Hunting + HopLa Configuration 2022-06-30 16:33:35 +02:00
LICENSE Create License 2019-05-25 16:27:35 +02:00
README.md PR Guidelines + User Hunting + HopLa Configuration 2022-06-30 16:33:35 +02:00
TWITTER.md Added gentilkiwi twitter 2021-07-27 04:17:36 +00:00
YOUTUBE.md Update YOUTUBE.md 2020-10-08 10:01:45 +02:00

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button.

📖 Documentation

Every section contains the following files. You can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder:

You want more? Check the Books and YouTube video selections.

👨‍💻 Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! ❤️