Pentest Payloads


This page exposes a list of usefull payload files that can be used during bug bounties, CTF, etc.
I decline all consequences the usage/browsing of these payloads may have. So use/browse at your own risks.

[DDOS] bill-lol.svg

A SVG file exploiting the 'billion lols' attack
This will make SVG/XML parsers allocate terabytes of RAM to generate the SVG tree (crashing the parser)


[DDOS] bill-lol.xlsx

Same but in XLSX format (I never get this working on any Office tho)


[DDOS] bill-lol.xlsx

Same than above (XLSX) with again 10k lols only


[DDOS] bill10k-lol.svg

Same than above (in SVG) but with only 10k lols, so you'll only see a memory pick instead of crashing the parser


[RCE] privesc.service

A Service definition to enable then start using systemctl, to open a reverse shell to local listener. Don't forget to change IP and port in this payload


[RCE] rev-shell-php.txt

A reverse shell payload in PHP from TryHackMe labs, allowing for daemonization. Payload is pretty verbose, and had a lots of comments, so it's clearly not a oneliner Zipped to avoid anti-virus FP detection, pwd is: reinom


[XSS] 1px-html.png

Demonstration of a PNG file containing XSS payload, served as HTML.
Not directly useful in pentest (see below instead): user needs to click the link instead


[XSS] 1px.png

The 1px PNG to download, and then upload on target website (like, as an avatar)


[XSS] fake-avatar.html

Demonstration of a file with a PNG magic number header, but that actually contains an HTML page with XSS payload
Not used in pentest, only here to demonstrate it


[XSS] fake-avatar.png

Downloadable version of above, so you can upload this as an avatar/image/banner on a targeted website


[XSS] iframe-spy.js.txt

XSS payload that replaces the current document with an iframe opened on current URI, and then spies on all submitted forms inside this iframe, making it a nicely hidden spy over anything the user does in this frame


[XSS] spying.png

Same than 1px image, but with a 512x512 PNG so it might pass the minimum image size restriction on targeted website


[XSS] svg-xssed-showcase.svg

Demonstration of a a SVG containg XSS payload: shows an alerbox *and* turns red if JS was executed


[XSS] svg-xssed.svg

Downloadable version of above, upload this to your target


[XSS] xss.raw

Downloadable version of a valid RAW image that actually contain an HTML page


[XXE] xxe.svg

Downloadable version of a SVG exploiting a XXE to show a random number from /dev/random
To be uploaded to your target, and run by your target's XML parser


[XXE] xxe.xlsx

Same, but with XLSX exploiting XXE (/dev/random should appear in the spreadsheet cells, but it never worked on Office)