mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2026-01-05 09:17:09 -08:00
0266a7dd67
Added one payload which executes without any usage of single or double quotes. Helpful when you have AngularJS injection but quotes are blocked by application. Working proof of payload here: https://portswigger-labs.net/xss/angularjs.php?type=reflected&csp=0&version=1.6.0&x={{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
Payloads All The Things 
A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I ❤️ pull requests :)
You can also contribute with a 🍻 IRL, or using the sponsor button.
Every section contains the following files, you can use the _template_vuln folder to create a new chapter:
- README.md - vulnerability description and how to exploit it, including several payloads
- Intruder - a set of files to give to Burp Intruder
- Images - pictures for the README.md
- Files - some files referenced in the README.md
You might also like the Methodology and Resources folder :
- Methodology and Resources
- Active Directory Attack.md
- Cloud - AWS Pentest.md
- Cloud - Azure Pentest.md
- Cobalt Strike - Cheatsheet.md
- Linux - Persistence.md
- Linux - Privilege Escalation.md
- Metasploit - Cheatsheet.md
- Methodology and enumeration.md
- Network Pivoting Techniques.md
- Network Discovery.md
- Reverse Shell Cheatsheet.md
- Subdomains Enumeration.md
- Windows - Download and Execute.md
- Windows - Mimikatz.md
- Windows - Persistence.md
- Windows - Post Exploitation Koadic.md
- Windows - Privilege Escalation.md
- Windows - Using credentials.md
- CVE Exploits
You want more ? Check the Books and Youtube videos selections.