foospidy/payloads

# payloads Git All the Payloads！一个 Web 攻击载荷（payloads）集合。欢迎提交 Pull request！ ### 使用方法 运行 `./get.sh` 以下载外部载荷，并解压所有已压缩的载荷文件。 ### 载荷来源 - fuzzdb - https://github.com/fuzzdb-project/fuzzdb - SecLists - https://github.com/danielmiessler/SecLists - xsuperbug - https://github.com/xsuperbug/payloads - NickSanzotta - https://github.com/NickSanzotta/BurpIntruder - 7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads - shadsidd - https://github.com/shadsidd - shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/ - xmendez - https://github.com/xmendez/wfuzz - minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings - xsscx - https://github.com/xsscx/Commodity-Injection-Signatures - TheRook - https://github.com/TheRook/subbrute - danielmiessler - https://github.com/danielmiessler/RobotsDisallowed - FireFart - https://github.com/FireFart/HashCollision-DOS-POC - HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS - swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings - 1N3 - https://github.com/1N3/IntruderPayloads - cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads - cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist - cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list - cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads - cujanovic - https://github.com/cujanovic/Virtual-host-wordlist - cujanovic - https://github.com/cujanovic/dirsearch-wordlist - lavalamp- - https://github.com/lavalamp-/password-lists - arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords - scadastrangelove - https://github.com/scadastrangelove/SCADAPASS - jeanphorn - https://github.com/jeanphorn/wordlist - j3ers3 - https://github.com/j3ers3/PassList - nyxxxie - https://github.com/nyxxxie/awesome-default-passwords - foospidy - https://github.com/foospidy/web-cve-tests - terjanq - https://github.com/terjanq/Tiny-XSS-Payloads #### OWASP - dirbuster - https://www.owasp.org/index.php/DirBuster - fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database - JBroFuzz - https://www.owasp.org/index.php/JBroFuzz #### 其他 - xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list - xss/jsf__k.txt - http://www.jsfuck.com/ - xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester - xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html - xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html - xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass - xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA - xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L) - xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html - xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html - xss/xssdb.txt - http://xssdb.net/xssdb.txt - xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot - xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/ - xss/reddit_xss_get.txt - 来自 https://www.reddit.com/r/xss 的所有 XSS GET 请求（截至 2016 年 3 月 30 日） - xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html - xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/ - xss/XssPayloads - https://twitter.com/XssPayloads - sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt - sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html - sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads - sqli/harisec.txt - https://hackerone.com/reports/297478 - sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/ - sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f - sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f - traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn - codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/ - commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list - commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list #### ctf 从夺旗赛（ctf）事件的数据包捕获或日志文件中提取的请求。由于大多是原始数据，因此并非所有请求都是实际的载荷，但请求应该已经过去重处理。 - maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/)，来源：http://www.netresec.com/?page=MACCDC - maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/)，来源：http://www.netresec.com/?page=MACCDC - maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/)，来源：http://www.netresec.com/?page=MACCDC - ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/)，来源：http://www.netresec.com/?page=ISTS - defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html)，来源：http://www.netresec.com/?page=PcapFiles ### 杂项 - 可能与上述已包含来源有所重叠的 XSS 参考资料： - https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet - http://htmlpurifier.org/live/smoketests/xssAttacks.php

标签：CISA项目, CRLF注入, Cutter, DNS解析, Fuzzing, Payloads, SCADA安全, SSRF, Web安全, XSS, 命令注入, 大数据, 子域名爆破, 字典, 字典文件, 安全字典, 密码爆破, 开源项目, 攻击载荷, 数据展示, 漏洞情报, 目录扫描, 红队, 网络安全, 自动化分析, 蓝队分析, 跨站脚本, 隐私保护, 黑盒测试, 默认密码