PayloadsAllTheThings/README.md

# Payloads All The Things

A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
I :heart: pull requests :)

You can also contribute with a :beers: IRL

Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:

- README.md - vulnerability description and how to exploit it
- Intruder - a set of files to give to Burp Intruder
- Images - pictures for the README.md
- Files - some files referenced in the README.md

You might also like the `Methodology and Resources` folder :

- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
  - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
  - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
  - [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
  - [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)  
  - [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)
  - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
  - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
  - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
  - [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md)
  - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
  - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
  - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
  - [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
  - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
  - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)

- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
    - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
    - Apache Struts 2 CVE-2017-9805.py
    - Apache Struts 2 CVE-2018-11776.py
    - Docker API RCE.py
    - Drupalgeddon2 CVE-2018-7600.rb
    - Heartbleed CVE-2014-0160.py
    - JBoss CVE-2015-7501.py
    - Jenkins CVE-2015-8103.py
    - Jenkins CVE-2016-0792.py
    - Rails CVE-2019-5420.rb
    - Shellshock CVE-2014-6271.py
    - Tomcat CVE-2017-12617.py
    - WebLogic CVE-2016-3510.py
    - WebLogic CVE-2017-10271.py
    - WebLogic CVE-2018-2894.py
    - WebSphere CVE-2015-7450.py

You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`# Payloads All The Things`

README : Bug bounty added 2017-04-25 23:22:55 +02:00			`A list of useful payloads and bypasses for Web Application Security.`
Enumeration added and improvement for CRLF/XSS/SQL 2016-11-02 20:26:00 +07:00			`Feel free to improve with your payloads and techniques !`
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 21:34:09 +02:00			`I :heart: pull requests :)`
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00
Directory Traversal CVE 2018 Spring 2019-07-27 13:02:16 +02:00			`You can also contribute with a :beers: IRL`
XXE payloads 2016-10-18 14:06:10 +07:00
CSRF - Fix image 2018-12-24 14:17:49 +01:00			Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00
			`- README.md - vulnerability description and how to exploit it`
CSRF - First draft 2018-12-24 14:14:51 +01:00			`- Intruder - a set of files to give to Burp Intruder`
			`- Images - pictures for the README.md`
			`- Files - some files referenced in the README.md`
Refactoring XSS 0/? 2018-03-23 13:53:53 +01:00
README rewrite : BOOKS and YOUTUBE 2019-05-12 22:43:42 +02:00			You might also like the `Methodology and Resources` folder :
PHP Object serialization + README update 2018-07-09 19:49:56 +02:00
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)`
			`- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)`
README update + Typo fix in Active Directory 2018-12-25 20:41:43 +01:00			`- [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)`
			`- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)`
			`- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)`
Linux PrivEsc + SSH persistency 2019-06-09 16:05:44 +02:00			`- [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)`
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)`
Bugfix README + Can I take over xyz 2018-10-02 16:57:01 +02:00			`- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)`
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)`
Network Discovery and Subdomains enumerations 2018-10-02 16:17:16 +02:00			`- [Subdomains Enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Subdomains%20Enumeration.md)`
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`- [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)`
			`- [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)`
			`- [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)`
README update + Typo fix in Active Directory 2018-12-25 20:41:43 +01:00			`- [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)`
Markdown formatting - Part 2 2018-08-13 12:01:13 +02:00			`- [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)`
			`- [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)`

			`- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)`
README - CVE update 2018-11-18 13:40:47 +01:00			`- Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py`
			`- Apache Struts 2 CVE-2017-9805.py`
			`- Apache Struts 2 CVE-2018-11776.py`
			`- Docker API RCE.py`
			`- Drupalgeddon2 CVE-2018-7600.rb`
			`- Heartbleed CVE-2014-0160.py`
			`- JBoss CVE-2015-7501.py`
			`- Jenkins CVE-2015-8103.py`
			`- Jenkins CVE-2016-0792.py`
XSS PostMessage 2019-08-03 23:22:14 +02:00			`- Rails CVE-2019-5420.rb`
README - CVE update 2018-11-18 13:40:47 +01:00			`- Shellshock CVE-2014-6271.py`
			`- Tomcat CVE-2017-12617.py`
			`- WebLogic CVE-2016-3510.py`
			`- WebLogic CVE-2017-10271.py`
			`- WebLogic CVE-2018-2894.py`
			`- WebSphere CVE-2015-7450.py`
Refactoring XSS 0/? 2018-03-23 13:53:53 +01:00
Fix YOUTUBE and BOOKS links 2019-05-12 22:59:22 +02:00			`You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.`