payloads
Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!
Usage
Run `./get.sh` to download the external payloads and unzip any compressed payload files.
Payload Credits
- fuzzdb - https://github.com/fuzzdb-project/fuzzdb
- SecLists - https://github.com/danielmiessler/SecLists
- xsuperbug - https://github.com/xsuperbug/payloads
- NickSanzotta - https://github.com/NickSanzotta/BurpIntruder
- 7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads
- shadsidd - https://github.com/shadsidd
- shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/
- xmendez - https://github.com/xmendez/wfuzz
- minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings
- xsscx - https://github.com/xsscx/Commodity-Injection-Signatures
- TheRook - https://github.com/TheRook/subbrute
- danielmiessler - https://github.com/danielmiessler/RobotsDisallowed
- FireFart - https://github.com/FireFart/HashCollision-DOS-POC
- HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS
- swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings
- 1N3 - https://github.com/1N3/IntruderPayloads
- cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads
- cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist
- cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list
- cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads
- cujanovic - https://github.com/cujanovic/Virtual-host-wordlist
- cujanovic - https://github.com/cujanovic/dirsearch-wordlist
- lavalamp- - https://github.com/lavalamp-/password-lists
- arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords
- scadastrangelove - https://github.com/scadastrangelove/SCADAPASS
- jeanphorn - https://github.com/jeanphorn/wordlist
- j3ers3 - https://github.com/j3ers3/PassList
- nyxxxie - https://github.com/nyxxxie/awesome-default-passwords
- foospidy - https://github.com/foospidy/web-cve-tests
- terjanq - https://github.com/terjanq/Tiny-XSS-Payloads
OWASP
- dirbuster - https://www.owasp.org/index.php/DirBuster
- fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database
- JBroFuzz - https://www.owasp.org/index.php/JBroFuzz
Other
- xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list
- xss/jsf__k.txt - http://www.jsfuck.com/
- xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester
- xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html
- xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html
- xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass
- xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA
- xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)
- xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html
- xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html
- xss/xssdb.txt - http://xssdb.net/xssdb.txt
- xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
- xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/
- xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)
- xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html
- xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/
- xss/XssPayloads - https://twitter.com/XssPayloads
- sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt
- sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html
- sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads
- sqli/harisec.txt - https://hackerone.com/reports/297478
- sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
- sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f
- sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f
- traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn
- codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/
- commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list
- commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list
ctf
Requests extracted from packet captures or log files of capture-the-flag (CTF) events. This is mostly raw data, so not every request is an actual payload; the requests should, however, be deduplicated.
- maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC
- ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS
- defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles
Miscellaneous
- XSS references that may overlap with sources already included above: