#payloads

hoaxshell
sponsor
hoaxshell

Windows reverse shell payload generator and handler that abuses the http(s) protocol.

Nuclei templates
sponsor
Nuclei templates

Community curated list of templates for the Nuclei engine to find security vulnerabilities.

Kwetza
featured
Kwetza

Infect an existing Android application with a Meterpreter payload.

Template INJection Analyzer
Template INJection Analyzer

CLI tool for testing web pages for template injection vulnerabilities.

Donut
Donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files.

JS-Tap
JS-Tap

JavaScript payload and supporting software to be used as XSS payload or post exploitation implant.

DVenom
DVenom

Helps to bypass antiviruses by providing an encryption wrapper and loader for your shellcode.

Kage
Kage

Graphical user interface for Metasploit Meterpreter and session handler.

Xenotix
Xenotix

An advanced Cross Site Scripting vulnerability detection and exploitation framework.

msfpc
msfpc

A quick way to generate various basic Meterpreter payloads via MSFvenom.

RegStrike
RegStrike

RegStrike is a .reg payload generator.

SQLiDetector
SQLiDetector

Helps you to detect SQL injection "Error based" by sending multiple requests.

toxssin
toxssin

Open-source penetration testing tool that automates the process of exploiting XSS.

Nishang
Nishang

Offensive PowerShell for red team, penetration testing and offensive security.

HBSQLI
HBSQLI

Automated tool for testing header based blind SQL injection.

Freeze-rs
Freeze-rs

Payload toolkit for bypassing EDRs using suspended processes, direct syscalls written.

PowerMayhem
PowerMayhem

Powershell payload generator In Bash !

Crlfi
Crlfi

CRLF bug scanner for WebPentesters and Bugbounty Hunters.

ScareCrow
ScareCrow

Payload creation framework designed around EDR bypass.

PowerShdll
PowerShdll

Run PowerShell with rundll32 in order to bypass software restrictions.

PSByPassCLM
PSByPassCLM

Bypass for PowerShell Constrained Language Mode.

Invoke-PSImage
Invoke-PSImage

Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute.

SSRFPwned
SSRFPwned

Checks for SSRF using custom payloads after fetching URLs from sources & applying complex patterns.

upload_bypass
upload_bypass

File upload restrictions bypass by using different techniques!

Firefly
Firefly

Black box fuzzer for web applications.

PayGen
PayGen

Tool to generate stable undetected payload.

XSSRocket
XSSRocket

Written by Black Hat Ethical Hacking and #ChatGPT for offensive security and XSS attacks.

Ronin
Ronin

A free and open source Ruby toolkit for security research and development.

Agartha
Agartha

Burp Suite extension for dynamic payload generation to detect injection flaws.

Weaponised XSS Payloads
Weaponised XSS Payloads

XSS payloads designed to turn alert(1) into P1.

xssor2
xssor2

Hack with JavaScript.

eLdap-Ldap-Search-and-Filter
eLdap-Ldap-Search-and-Filter

A tool that helps users searching and filtering queries in Ldap environment.

qsinject
qsinject

Allows you to quickly substitute query string values with regex matches, one-at-a-time.

Transformations
Transformations

Understand how input is transformed on a system, which can help to craft payloads.

AllAboutBugBounty
AllAboutBugBounty

Bug Bounty notes gathered from various sources.

RouterSploit
RouterSploit

Exploitation framework for embedded devices.

JSgen
JSgen

Generate javascript code to be injected in case you find a Server Side Javascript Injection.

Cross-site scripting cheat sheet
Cross-site scripting cheat sheet

PortSwigger XSS cheat sheet that contains many vectors that can help you bypass WAFs and filters.

Hackingtool
Hackingtool

ALL IN ONE Hacking Tool For Hackers.

Hackvertor
Hackvertor

Tag based conversion tool written in Java implemented as a Burp Suite extension.

PortSwigger Cross-Site Scripting cheatsheet data
PortSwigger Cross-Site Scripting cheatsheet data

All the XSS cheatsheet data to allow contributions from the community.

SecLists
SecLists

Collection of multiple types of lists used during security assessments, collected in one place.

BurpSentinel
BurpSentinel

GUI Burp Plugin to ease discovering of security holes in web applications.

Payloads All The Things
Payloads All The Things

A list of useful payloads and bypass for Web Application Security.

JSONBee
JSONBee

A ready to use JSONP endpoints/payloads to help bypass Content Security Policy.

xxeserv
xxeserv

A mini webserver with FTP support for XXE payloads.

xss2png
xss2png

PNG IDAT chunks XSS payload generator.

Xss-Sql-Fuzz
Xss-Sql-Fuzz

Burp Suite plugin for XSS and SQLi which add our payload to all parameters with one click.

XSS'OR
XSS'OR

Hack with JavaScript.

Sleepy Puppy
Sleepy Puppy

Sleepy Puppy XSS Payload Management Framework.

BitBlinder
BitBlinder

Injects custom XSS payloads on every form/request submitted to detect blind XSS.

oxml_xxe
oxml_xxe

Embeds XXE/XML exploits into different filetypes.

XXE-FTP
XXE-FTP

A mini webserver with FTP support for XXE payloads.

docem
docem

Utility to embed XXE and XSS payloads in docx, odt, pptx...

DTD Finder
DTD Finder

List DTDs and generate XXE payloads using those local DTDs.

PHPGGC
PHPGGC

PHP unserialize() payloads along with a tool to generate them.

ysoserial.net
ysoserial.net

Deserialization payload generator for a variety of .NET formatters.

ysoserial
ysoserial

Generates payloads that exploit unsafe Java object deserialization.

FuzzDB
FuzzDB

Attack patterns and primitives for black-box application fault injection and resource discovery.