{"id":13456986,"url":"https://github.com/foospidy/payloads","last_synced_at":"2025-05-14T21:07:10.627Z","repository":{"id":37381960,"uuid":"52228925","full_name":"foospidy/payloads","owner":"foospidy","description":"Git All the Payloads! A collection of web attack payloads.","archived":false,"fork":false,"pushed_at":"2023-05-15T21:54:24.000Z","size":72947,"stargazers_count":3754,"open_issues_count":4,"forks_count":977,"subscribers_count":197,"default_branch":"master","last_synced_at":"2025-04-13T17:46:54.085Z","etag":null,"topics":["appsec","cybersecurity","hacking","passwords","payload","payloads","pentest","sqli","web-attack-payloads","xss"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/foospidy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-02-21T21:27:15.000Z","updated_at":"2025-04-12T11:52:44.000Z","dependencies_parsed_at":"2024-01-13T09:46:44.179Z","dependency_job_id":null,"html_url":"https://github.com/foospidy/payloads","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/foospidy%2Fpayloads","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/foospidy%2Fpayloads/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/foospidy%2Fpayloads/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/foospidy%2Fpayloads/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/foospidy","download_url":"https://codeload.github.com/foospidy/payloads/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254227612,"owners_count":22035669,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cybersecurity","hacking","passwords","payload","payloads","pentest","sqli","web-attack-payloads","xss"],"created_at":"2024-07-31T08:01:31.369Z","updated_at":"2025-05-14T21:07:05.605Z","avatar_url":"https://github.com/foospidy.png","language":"Shell","readme":"# payloads\nGit All the Payloads! A collection of web attack payloads. Pull requests are welcome!\n\n### Usage\n\nrun `./get.sh` to download external payloads and unzip any payload files that are compressed.\n\n### Payload Credits\n\n- fuzzdb - https://github.com/fuzzdb-project/fuzzdb\n- SecLists - https://github.com/danielmiessler/SecLists\n- xsuperbug - https://github.com/xsuperbug/payloads\n- NickSanzotta - https://github.com/NickSanzotta/BurpIntruder\n- 7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads\n- shadsidd - https://github.com/shadsidd\n- shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/\n- xmendez - https://github.com/xmendez/wfuzz\n- minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings\n- xsscx - https://github.com/xsscx/Commodity-Injection-Signatures\n- TheRook - https://github.com/TheRook/subbrute\n- danielmiessler - https://github.com/danielmiessler/RobotsDisallowed\n- FireFart - https://github.com/FireFart/HashCollision-DOS-POC\n- HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS\n- swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings\n- 1N3 - https://github.com/1N3/IntruderPayloads\n- cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads\n- cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist\n- cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list\n- cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads\n- cujanovic - https://github.com/cujanovic/Virtual-host-wordlist\n- cujanovic - https://github.com/cujanovic/dirsearch-wordlist\n- lavalamp- - https://github.com/lavalamp-/password-lists\n- arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords\n- scadastrangelove - https://github.com/scadastrangelove/SCADAPASS\n- jeanphorn - https://github.com/jeanphorn/wordlist\n- j3ers3 - https://github.com/j3ers3/PassList\n- nyxxxie - https://github.com/nyxxxie/awesome-default-passwords\n- foospidy - https://github.com/foospidy/web-cve-tests\n- terjanq - https://github.com/terjanq/Tiny-XSS-Payloads\n\n#### OWASP\n\n- dirbuster - https://www.owasp.org/index.php/DirBuster\n- fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database\n- JBroFuzz - https://www.owasp.org/index.php/JBroFuzz\n\n#### Other\n\n- xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list\n- xss/jsf__k.txt - http://www.jsfuck.com/\n- xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester\n- xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html\n- xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html\n- xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass\n- xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA\n- xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)\n- xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html\n- xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html\n- xss/xssdb.txt - http://xssdb.net/xssdb.txt\n- xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot\n- xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/\n- xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)\n- xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html\n- xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/\n- xss/XssPayloads - https://twitter.com/XssPayloads\n- sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt\n- sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html\n- sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads\n- sqli/harisec.txt - https://hackerone.com/reports/297478\n- sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/\n- sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f\n- sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f\n- traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn\n- codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/\n- commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list\n- commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list\n\n#### ctf\n\nRequests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.\n\n- maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC\n- maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC\n- maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC\n- ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS\n- defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles\n\n\n### Miscellaneous\n- XSS references that may overlap with sources already included above:\n - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet\n - http://htmlpurifier.org/live/smoketests/xssAttacks.php\n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具","Shell","Other useful repositories","Other Useful Repositories","Datasets","Evasion Techniques","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Shell (473)","[↑](#table-of-contents) Datasets","pentest","🛠️ Helpful Repositories","[↑](#Contents)Dataset Repositories","Programming/Comp Sci/SE Things","Uncategorized"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"b5d99a78ddb383c208aae474fc2cb002\"\u003e\u003c/a\u003ePayload收集","WebApps","Fuzzing/Bruteforcing:","3\\. Exploitation","Uncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoospidy%2Fpayloads","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffoospidy%2Fpayloads","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffoospidy%2Fpayloads/lists"}