Organized offensive payloads for CTFs and authorized penetration testing. Every payload includes context, platform notes, and WAF bypass variants.
⚠️ Authorized use only. These payloads are for CTF competitions, lab environments (HackTheBox, TryHackMe, DVWA, Juice Shop) and systems you own or have written permission to test. Unauthorized use is illegal.
| # | Category | Payloads | Platforms |
|---|---|---|---|
| 01 | SQL Injection | Basic · Error-based · Blind · WAF bypass | MySQL · PostgreSQL · MSSQL · SQLite |
| 02 | XSS | Reflected · Stored · DOM · Filter bypass · Polyglots | All browsers |
| 03 | SSTI | Detection · Jinja2 · Twig · Freemarker · Pebble | Python · PHP · Java |
| 04 | Command Injection | Linux · Windows · Blind · Bypass | Bash · PowerShell |
| 05 | LFI / Path Traversal | Linux · Windows · PHP wrappers · Log poisoning | Apache · Nginx · PHP |
| 06 | XXE | Classic · Blind · OOB · SSRF via XXE | Any XML parser |
| 07 | SSRF | Basic · Cloud metadata · Bypass filters | AWS · GCP · Azure |
| 08 | Auth Bypass | SQL · JWT · Header manipulation · Logic flaws | Any |
```
payload-kit/
│
├── sql-injection/
│   ├── README.md          ← category overview + detection
│   ├── basic.md           ← fundamental payloads
│   ├── error-based.md     ← extract data via error messages
│   ├── blind.md           ← boolean & time-based
│   └── waf-bypass.md      ← encoding, comments, case variants
│
├── xss/
│   ├── README.md
│   ├── reflected.md
│   ├── stored.md
│   ├── dom.md
│   └── filter-bypass.md   ← tag/attr/event bypass + polyglots
│
├── ssti/
│   ├── README.md          ← detection tree + engine fingerprint
│   ├── jinja2.md          ← Python/Flask
│   ├── twig.md            ← PHP/Symfony
│   └── freemarker.md      ← Java
│
├── command-injection/
│   ├── README.md
│   ├── linux.md
│   ├── windows.md
│   └── blind.md           ← OOB via DNS/HTTP
│
├── lfi/
│   ├── README.md
│   ├── linux.md
│   ├── windows.md
│   └── php-wrappers.md    ← filter, data, expect, zip
│
├── xxe/
│   ├── README.md
│   ├── classic.md
│   └── blind-oob.md
│
├── ssrf/
│   ├── README.md
│   ├── basic.md
│   └── cloud-metadata.md  ← AWS · GCP · Azure IMDSv1/v2
│
└── auth-bypass/
    ├── README.md
    ├── sql-login.md
    ├── jwt.md
    └── logic.md
```
Each payload file follows this format:
```markdown
## Payload Name
**When to use:** specific scenario where this applies
**Platform:** MySQL / Apache / Python / etc.
**Risk of detection:** Low / Medium / High
[payload here]
**Notes:** what it does, why it works, common variations
```

Clone and search:
```bash
git clone https://github.com/wavegxz-design/payload-kit.git
cd payload-kit
# Search across all categories
grep -r "union select" .
grep -r "jinja2" . --include="*.md"
# View a specific category
cat sql-injection/waf-bypass.md
```

v1.1
- Open Redirect payloads
- CORS misconfiguration
- HTTP Request Smuggling
- GraphQL injection
v2.0
- Search script: `./search.sh <keyword>`
- Filter by platform: `./search.sh --platform mysql`
- Filter by category: `./search.sh --cat sqli`
Add a new payload? Follow the format:
```bash
git checkout -b feat/new-payload-category
# Add your file following the template format
git commit -m "feat: add GraphQL injection payloads"
git push origin feat/new-payload-category
```

Rules:
- Every payload needs context — no naked payload dumps
- Note the platform and when it applies
- Include at least one WAF bypass variant if applicable
| Project | Description |
|---|---|
| webcheck | HTTP security auditor — find where these payloads apply |
| recon-kit | Recon toolkit — gather intel before testing |
| NEXORA-TOOLKIT | ADB toolkit for Android |
krypthane · Red Team Operator & Open Source Developer
⭐ Star if payload-kit saved you time on a CTF or bounty