A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
Viren Pawar 0266a7dd67
[Update] Added 1 payload
Added one payload which executes without any usage of single or double quotes. Helpful when you have AngularJS injection but quotes are blocked by application.
Working proof of payload here: 

https://portswigger-labs.net/xss/angularjs.php?type=reflected&csp=0&version=1.6.0&x={{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
2020-08-15 16:29:13 +05:30
.github Banner HD with credit 2020-08-10 11:36:18 +02:00
API Key Leaks Windows Persistence 2020-06-01 21:37:32 +02:00
AWS Amazon Bucket S3 AWS Patterns 2020-02-23 20:58:53 +01:00
CORS Misconfiguration Fix Corsy link URL 2020-07-29 17:53:07 +02:00
CRLF Injection Added Summary in CRLF 2019-12-17 22:12:35 +05:30
CSRF Injection Updated Summary and Fixed Broken Links in CSRF 2019-12-17 22:21:53 +05:30
CSV Injection HQL Injection + references update 2019-06-16 23:45:52 +02:00
CVE Exploits fixing typo in file name 2020-01-28 17:41:01 +00:00
Command Injection clarification in 'bypass character filter' 2020-06-04 17:26:45 +02:00
Directory Traversal Add useful always existing windows file 2020-06-23 14:26:46 +00:00
File Inclusion Update README.md 2020-07-06 23:43:47 +02:00
GraphQL Injection Add introspection without fragments 2020-07-07 22:03:01 -04:00
Insecure Deserialization add more refs 2020-05-16 22:58:11 +02:00
Insecure Direct Object References Command injection rewritten 2019-04-21 19:50:50 +02:00
Insecure Management Interface Fix name's capitalization 2019-03-07 00:07:55 +01:00
Insecure Source Code Management ImageMagik Ghost Script + Typo git summary 2019-06-26 00:07:06 +02:00
JSON Web Token RoadRecon + JSON None refs 2020-04-17 16:34:51 +02:00
Kubernetes Docker escape and exploit 2020-03-29 16:48:09 +02:00
LDAP Injection add ruby script 2020-02-21 23:49:50 +01:00
LaTeX Injection Fix name's capitalization 2019-03-07 00:07:55 +01:00
Methodology and Resources Silver Ticket with services list 2020-08-09 19:25:03 +02:00
NoSQL Injection Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00
OAuth Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 21:34:09 +02:00
Open Redirect Added new payloads 2019-11-14 18:26:35 +08:00
Race Condition Race Condition - First Draft 2020-01-26 12:43:59 +01:00
SAML Injection XSW 4 Fix #205 2020-05-12 14:27:25 +02:00
SQL Injection XSS summary subentries + GraphTCP 2020-07-12 14:44:33 +02:00
Server Side Request Forgery Added DNS Rebinding 2020-06-21 16:31:16 -05:00
Server Side Template Injection EL Injection - SSTI 2020-07-10 15:05:13 +02:00
Type Juggling Magic Hashes + SQL fuzz 2020-04-26 21:43:42 +02:00
Upload Insecure Files Update README.md 2020-05-14 00:10:12 +02:00
Web Cache Deception Fix dead youtube link 2019-10-02 20:09:41 -04:00
Web Sockets Added: Cross-Site WebSocket Hijacking (CSWSH) 2020-04-11 16:24:32 +02:00
XPATH Injection Bind shell cheatsheet (Fix #194) 2020-05-24 14:09:46 +02:00
XSLT Injection AD mitigations 2019-12-26 12:09:23 +01:00
XSS Injection [Update] Added 1 payload 2020-08-15 16:29:13 +05:30
XXE Injection Typo in Excel extension name 2020-08-11 21:35:36 -03:00
_template_vuln SAML exploitation + ASREP roasting + Kerbrute 2019-03-24 13:16:23 +01:00
.gitignore Shell IPv6 + Sandbox credential 2019-01-07 18:15:45 +01:00
BOOKS.md README rewrite : BOOKS and YOUTUBE 2019-05-12 22:43:42 +02:00
LICENSE Create License 2019-05-25 16:27:35 +02:00
README.md Banner HD with credit 2020-08-10 11:36:18 +02:00
YOUTUBE.md added Hacksplained's YT channel 2020-04-23 13:11:51 +02:00

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve it with your payloads and techniques! I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button.

Every section contains the following files (you can use the _template_vuln folder to create a new chapter):

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder:

You want more? Check the Books and YouTube videos selections.