Pentest Payloads

Disclaimer

This page exposes a list of useful payload files that can be used during bug bounties, CTFs, etc.
I decline all responsibility for any consequences the usage/browsing of these payloads may have. So use/browse at your own risk.

[DDOS] bill-lol.svg

An SVG file exploiting the 'billion lols' (billion laughs) attack
This makes SVG/XML parsers allocate terabytes of RAM to build the SVG tree, crashing the parser

/payload/bill-lol.svg

[DDOS] bill-lol.xlsx

Same, but in XLSX format (I never got this working on any Office, though)

/payload/bill-lol.xlsx

[DDOS] bill-lol.xlsx

Same as the XLSX above, but with only 10k lols

/payload/bill-lol.xlsx

[DDOS] bill10k-lol.svg

Same as above (in SVG) but with only 10k lols, so you'll only see a memory spike instead of crashing the parser

/payload/bill10k-lol.svg

[XSS] 1px-html.png

Demonstration of a PNG file containing an XSS payload, served as HTML.
Not directly useful in a pentest (see below instead): the user needs to click the link

/payload/1px-html.png

[XSS] 1px.png

The 1px PNG to download and then upload to the target website (e.g. as an avatar)

/payload/1px.png

[XSS] fake-avatar.html

Demonstration of a file with a PNG magic-number header that actually contains an HTML page with an XSS payload
Not used in pentests; only here as a demonstration

/payload/fake-avatar.html

[XSS] fake-avatar.png

Downloadable version of the above, so you can upload it as an avatar/image/banner on the targeted website

/payload/fake-avatar.png

[XSS] spying.png

Same as the 1px image, but as a 512x512 PNG so it might pass the minimum image size restriction on the targeted website

/payload/spying.png

[XSS] svg-xssed-showcase.svg

Demonstration of an SVG containing an XSS payload: shows an alert box *and* turns red if JS was executed

/payload/svg-xssed-showcase.svg

[XSS] svg-xssed.svg

Downloadable version of the above; upload this to your target

/payload/svg-xssed.svg

[XSS] xss.raw

Downloadable version of a valid RAW image that actually contains an HTML page

/payload/xss.raw

[XXE] xxe.svg

Downloadable version of an SVG exploiting an XXE to show a random number read from /dev/random
To be uploaded to your target and parsed by your target's XML parser

/payload/xxe.svg

[XXE] xxe.xlsx

Same, but as an XLSX exploiting XXE (the /dev/random content should appear in the spreadsheet cells, but it never worked on Office)

/payload/xxe.xlsx