gitea-mirror/PayloadsAllTheThings

mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-12 07:40:34 -08:00

Go to file

Swissky d00d7c9788 Banner HD with credit

2020-08-10 11:36:18 +02:00

SAML exploitation + ASREP roasting + Kerbrute

2019-03-24 13:16:23 +01:00

Banner HD with credit

2020-08-10 11:36:18 +02:00

Windows Persistence

2020-06-01 21:37:32 +02:00

AWS Amazon Bucket S3

AWS Patterns

2020-02-23 20:58:53 +01:00

Command Injection

clarification in 'bypass character filter'

2020-06-04 17:26:45 +02:00

CORS Misconfiguration

Fix Corsy link URL

2020-07-29 17:53:07 +02:00

Added Summary in CRLF

2019-12-17 22:12:35 +05:30

Updated Summary and Fixed Broken Links in CSRF

2019-12-17 22:21:53 +05:30

HQL Injection + references update

2019-06-16 23:45:52 +02:00

fixing typo in file name

2020-01-28 17:41:01 +00:00

Directory Traversal

Add useful always existing windows file

2020-06-23 14:26:46 +00:00

Update README.md

2020-07-06 23:43:47 +02:00

GraphQL Injection

Add introspection without fragments

2020-07-07 22:03:01 -04:00

Insecure Deserialization

add more refs

2020-05-16 22:58:11 +02:00

Insecure Direct Object References

Command injection rewritten

2019-04-21 19:50:50 +02:00

Insecure Management Interface

Fix name's capitalization

2019-03-07 00:07:55 +01:00

Insecure Source Code Management

ImageMagik Ghost Script + Typo git summary

2019-06-26 00:07:06 +02:00

RoadRecon + JSON None refs

2020-04-17 16:34:51 +02:00

Docker escape and exploit

2020-03-29 16:48:09 +02:00

LaTeX Injection

Fix name's capitalization

2019-03-07 00:07:55 +01:00

add ruby script

2020-02-21 23:49:50 +01:00

Methodology and Resources

Silver Ticket with services list

2020-08-09 19:25:03 +02:00

NoSQL Injection

Bind shell cheatsheet (Fix #194 )

2020-05-24 14:09:46 +02:00

Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp

2019-05-12 21:34:09 +02:00

Added new payloads

2019-11-14 18:26:35 +08:00

Race Condition - First Draft

2020-01-26 12:43:59 +01:00

XSW 4 Fix #205

2020-05-12 14:27:25 +02:00

Server Side Request Forgery

Added DNS Rebinding

2020-06-21 16:31:16 -05:00

Server Side Template Injection

EL Injection - SSTI

2020-07-10 15:05:13 +02:00

XSS summary subentries + GraphTCP

2020-07-12 14:44:33 +02:00

Magic Hashes + SQL fuzz

2020-04-26 21:43:42 +02:00

Upload Insecure Files

Update README.md

2020-05-14 00:10:12 +02:00

Web Cache Deception

Fix dead youtube link

2019-10-02 20:09:41 -04:00

Added: Cross-Site WebSocket Hijacking (CSWSH)

2020-04-11 16:24:32 +02:00

XPATH Injection

Bind shell cheatsheet (Fix #194 )

2020-05-24 14:09:46 +02:00

AD mitigations

2019-12-26 12:09:23 +01:00

Powershell Remoting

2020-08-09 12:15:56 +02:00

XXE ref. refactor

2020-06-22 15:53:07 +02:00

.gitignore

Shell IPv6 + Sandbox credential

2019-01-07 18:15:45 +01:00

BOOKS.md

README rewrite : BOOKS and YOUTUBE

2019-05-12 22:43:42 +02:00

LICENSE

Create License

2019-05-25 16:27:35 +02:00

README.md

Banner HD with credit

2020-08-10 11:36:18 +02:00

YOUTUBE.md

added Hacksplained's YT channel

2020-04-23 13:11:51 +02:00

README.md

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I ❤️ pull requests :)

You can also contribute with a 🍻 IRL, or using the sponsor button.

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

README.md - vulnerability description and how to exploit it, including several payloads
Intruder - a set of files to give to Burp Intruder
Images - pictures for the README.md
Files - some files referenced in the README.md

You might also like the Methodology and Resources folder :

You want more ? Check the Books and Youtube videos selections.

Languages

Python 83.8%

Ruby 6.3%

ASP.NET 3.8%

XSLT 2.6%

Classic ASP 1.4%

Other 1.9%