Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I ❤️ pull requests :)

You can also contribute with a beer IRL or with buymeacoffee.com

Every section contains the following files, you can use the _template_vuln folder to create a new chapter:

• README.md - vulnerability description and how to exploit it
• Intruder - a set of files to give to Burp Intruder
• Images - pictures for the README.md
• Files - some files referenced in the README.md

You might also like :

• Methodology and Resources

  • Active Directory Attack.md
  • Linux - Persistence.md
  • Linux - Privilege Escalation.md
  • Metasploit - Cheatsheet.md
  • Methodology_and_enumeration.md
  • Network Pivoting Techniques.md
  • Network Discovery.md
  • Reverse Shell Cheatsheet.md
  • Subdomains Enumeration.md
  • Windows - Download and Execute.md
  • Windows - Mimikatz.md
  • Windows - Persistence.md
  • Windows - Post Exploitation Koadic.md
  • Windows - Privilege Escalation.md
  • Windows - Using credentials.md

• CVE Exploits

  • Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
  • Apache Struts 2 CVE-2017-5638.py
  • Apache Struts 2 CVE-2017-9805.py
  • Apache Struts 2 CVE-2018-11776.py
  • Docker API RCE.py
  • Drupalgeddon2 CVE-2018-7600.rb
  • Heartbleed CVE-2014-0160.py
  • JBoss CVE-2015-7501.py
  • Jenkins CVE-2015-8103.py
  • Jenkins CVE-2016-0792.py
  • Shellshock CVE-2014-6271.py
  • Tomcat CVE-2017-12617.py
  • WebLogic CVE-2016-3510.py
  • WebLogic CVE-2017-10271.py
  • WebLogic CVE-2018-2894.py
  • WebSphere CVE-2015-7450.py

Try Harder

Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.

• Bug Bounty Platforms
  • HackerOne
  • BugCrowd
  • Bounty Factory
  • Synack
  • Intigriti
  • List of Bounty Program
• Online Platforms
  • Hack The Box
  • Penetration test lab "Test lab" | Pentestit
  • PentesterLab : Learn Web Penetration Testing: The Right Way
  • Zenk-Security
  • Root-Me
  • W3Challs
  • NewbieContest
  • Vulnhub
  • The Cryptopals Crypto Challenges
  • alert(1) to win
  • Hacksplaining
  • HackThisSite
  • Hackers.gg
  • Mind Map - Penetration Testing Practice Labs - Aman Hardikar

Book's list

Grab a book and relax, these ones are the best security books (in my opinion).

• Web Hacking 101
• Breaking into Information Security: Learning the Ropes 101 - Andrew Gill
• OWASP Testing Guide v4
• Penetration Testing: A Hands-On Introduction to Hacking
• The Hacker Playbook 2: Practical Guide to Penetration Testing
• The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition
• The Mobile Application Hacker’s Handbook
• Black Hat Python: Python Programming for Hackers and Pentesters
• Metasploit: The Penetration Tester's Guide
• The Database Hacker's Handbook, David Litchfield et al., 2005
• The Shellcoders Handbook by Chris Anley et al., 2007
• The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
• The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
• iOS Hackers Handbook by Charlie Miller et al., 2012
• Android Hackers Handbook by Joshua J. Drake et al., 2014
• The Browser Hackers Handbook by Wade Alcorn et al., 2014
• The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
• Car Hacker's Handbook by Craig Smith, 2016

More resources

Blogs/Websites

• BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM
• How to become a Bug Bounty Hunter - Sam Houston
• Tips from Top Hackers – Bug Hunting methodology and the importance of writing quality submissions - Sam Houston
• ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG
• XSS Jigsaw - innerht.ml
• ZeroSec Blog: Featuring Write-Ups, Projects & Adventures

Youtube

• IppSec Channel - Hack The Box Writeups
• Hunting for Top Bounties - Nicolas Grégoire
• BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen
• Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén