This page exposes a list of useful payload files that can be used during bug bounties, CTFs, etc.
I decline all consequences the usage/browsing of these payloads may have. So use/browse at your own risk.
An SVG file exploiting the 'billion lols' (billion laughs) entity-expansion attack
Any SVG/XML parser that expands the entities will try to allocate terabytes of RAM to build the SVG tree (crashing the parser)
Same, but in XLSX format (I never got this working on any Office version, though)
Same as above (XLSX), but again with only 10k lols
Same as above (in SVG), but with only 10k lols, so you'll only see a memory spike instead of crashing the parser
A systemd service definition to enable and then start with systemctl; it opens a reverse shell to a local listener. Don't forget to change the IP and port in this payload
A reverse shell payload in PHP from the TryHackMe labs, allowing daemonization. The payload is pretty verbose and has lots of comments, so it's clearly not a one-liner. Zipped to avoid anti-virus false-positive detection; the password is: reinom
Demonstration of a PNG file containing an XSS payload, served as HTML.
Not directly useful in a pentest (see below instead): the user would need to click the link
The 1px PNG to download and then upload to the target website (e.g. as an avatar)
Demonstration of a file with a PNG magic-number header that actually contains an HTML page with an XSS payload
Not used in a pentest, only here as a demonstration
Downloadable version of the above, so you can upload it as an avatar/image/banner on a targeted website
XSS payload that replaces the current document with an iframe opened on the current URI, then spies on every form submitted inside that iframe, making it a well-hidden spy on anything the user does in the frame
Same as the 1px image, but as a 512x512 PNG so it might pass the minimum image-size restriction on the targeted website
Demonstration of an SVG containing an XSS payload: shows an alert box *and* turns red if JS was executed
Downloadable version of the above; upload this to your target
Downloadable version of a valid RAW image that actually contains an HTML page
Downloadable version of an SVG exploiting an XXE to show a random number from /dev/random
To be uploaded to your target and processed by the target's XML parser
Same, but as an XLSX exploiting XXE (the contents of /dev/random should appear in the spreadsheet cells, but it never worked on Office)