A comprehensive collection of protocol injection payloads for security testing and vulnerability assessment. This repository contains carefully curated payloads for various protocol-level injection attacks that can be used with tools like Burp Suite Intruder.
- Overview
- Vulnerability Types
- Repository Structure
- Payload Categories
- Usage
- Testing Tools
- Disclaimer
- Contributing
- License
Protocol injection vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can exploit these vulnerabilities to execute unintended commands, access unauthorized data, or compromise system security.
This repository provides an extensive collection of injection payloads organized by protocol type, designed to help security professionals:
- Identify and test for protocol injection vulnerabilities
- Perform comprehensive security assessments
- Understand attack vectors and payload construction
- Validate security controls and input sanitization
Protocol injection attacks can manifest in various forms:
- HTTP Protocol Injection: CRLF injection, HTTP request smuggling, header injection
- SMTP Injection: Email header injection, mail relay abuse
- LDAP Injection: Authentication bypass, filter manipulation
- SQL Injection: Database manipulation, authentication bypass
- XPath Injection: XML data extraction, authentication bypass
- SSRF: Server-side request forgery, internal network access
- Command Injection: OS command execution, remote code execution
- XXE: XML external entity injection, file disclosure
```
protocol-injection-payload-list/
│
├── README.md                     # Documentation
├── LICENSE                       # License information
│
├── Intruder/                     # Burp Suite Intruder payload files
│   ├── http-injection.txt        # HTTP protocol injection payloads
│   ├── smtp-injection.txt        # SMTP protocol injection payloads
│   ├── ldap-injection.txt        # LDAP injection payloads
│   ├── sql-injection.txt         # SQL injection payloads
│   ├── xpath-injection.txt       # XPath injection payloads
│   ├── ssrf-injection.txt        # SSRF payloads
│   ├── command-injection.txt     # OS command injection payloads
│   └── xxe-injection.txt         # XXE injection payloads
│
└── payloads/                     # Additional payload resources
```
HTTP protocol injection payloads target web applications and servers to manipulate HTTP requests and responses.
Includes:
- CRLF injection variants (URL encoded, Unicode, double encoded)
- HTTP request smuggling (CL.TE, TE.CL, TE.TE)
- Header injection (X-Forwarded-For, Host, Cookie)
- Response splitting and cache poisoning
- Transfer-Encoding obfuscation
- Protocol downgrade attacks
File: Intruder/http-injection.txt
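On the defending side, the control these CRLF variants exercise is the check applied to any user-supplied value before it is written into a header. The following is an added example, not code from this repository: it rejects a value if CR, LF or any other character outside printable ASCII appears at any decoding depth, which covers the URL-encoded, double-encoded and Unicode cases listed above. The function name and the three-round decode limit are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Characters accepted in a header value here: tab, space and printable ASCII.
# CR, LF, NUL and every non-ASCII code point fall outside this set.
_SAFE = re.compile(r"[\t\x20-\x7e]*")


def find_header_injection(value, max_rounds=3):
    """Return None if value can be placed in a header, else a reason string.

    The value is percent-decoded repeatedly because a proxy, framework or
    backend further down the chain may decode it again; a value that is
    harmless now but turns into CR/LF one layer later is still rejected.
    max_rounds is an assumed limit for this example.
    """
    current = value
    for depth in range(max_rounds + 1):
        if not _SAFE.fullmatch(current):
            bad = next(c for c in current if not _SAFE.fullmatch(c))
            return f"U+{ord(bad):04X} after {depth} decode round(s)"
        decoded = unquote(current, encoding="utf-8", errors="replace")
        if decoded == current:
            return None          # stable and clean at every depth
        current = decoded
    return "still percent-encoded after max_rounds decodes"


if __name__ == "__main__":
    # Constructed sample values, one per variant class.
    for sample in ["en-US", "x%0d%0aX-Test: 1", "x%250d%250aX-Test: 1",
                   "x%E5%98%8A", "100%25"]:
        print(repr(sample), "->", find_header_injection(sample))
```

Rejecting non-ASCII outright also covers stacks that truncate a multi-byte character to its low byte when serialising headers.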
Email protocol injection payloads for testing mail servers and email processing systems.
Includes:
- Email header injection (Bcc, Cc, From, Subject)
- SMTP command injection
- MIME header manipulation
- Email relay exploitation
- SPF/DKIM bypass attempts
- Mail loop creation
File: Intruder/smtp-injection.txt
LDAP injection payloads for directory service authentication and query manipulation.
Includes:
- Authentication bypass techniques
- Boolean-based blind injection
- Filter manipulation (OR, AND, NOT logic)
- Wildcard attacks
- Attribute enumeration
- Active Directory specific payloads
File: Intruder/ldap-injection.txt
Comprehensive SQL injection payloads supporting multiple database systems.
Includes:
- Authentication bypass
- Union-based injection
- Boolean-based blind injection
- Time-based blind injection
- Error-based injection
- Stacked queries
- Database enumeration (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)
- WAF bypass techniques
File: Intruder/sql-injection.txt
XPath injection payloads for XML data extraction and manipulation.
Includes:
- Authentication bypass
- Boolean-based injection
- Blind injection techniques
- Node traversal
- Function-based injection
- String manipulation
- Encoding bypass methods
File: Intruder/xpath-injection.txt
Server-Side Request Forgery payloads for internal network access and metadata exploitation.
Includes:
- Localhost and loopback variations
- Cloud metadata endpoints (AWS, GCP, Azure, Digital Ocean)
- Private network ranges
- Alternative IP representations (decimal, octal, hex)
- Protocol wrappers (file, gopher, dict, ldap)
- URL parser bypass techniques
- Port scanning payloads
File: Intruder/ssrf-injection.txt
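The destination filter these SSRF payloads are meant to validate has to judge the address a URL really points at, not the way it is spelled. The following is an added example, not code from this repository: it normalises the decimal, octal and hex IPv4 spellings mentioned above, unwraps IPv4-mapped IPv6, refuses non-HTTP schemes, and blocks anything that is not globally routable (loopback, private ranges, link-local metadata addresses). Function names and the three verdict strings are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def parse_legacy_ipv4(host):
    """Parse inet_aton-style IPv4 text: 1-4 dot-separated parts, each decimal,
    0-prefixed octal or 0x-prefixed hex. Returns an IPv4Address, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    nums = []
    for p in parts:
        base = 16 if p[:2].lower() == "0x" else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:          # e.g. "08" is not valid octal
            return None
    tail_bytes = 5 - len(nums)      # the last part fills all remaining bytes
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** tail_bytes:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << (8 * tail_bytes)) | nums[-1])


def check_destination(url):
    """Return 'blocked', 'allowed', or 'resolve'. 'resolve' means a DNS name:
    the caller must resolve it, run every returned address through this check,
    and connect to the address it checked rather than resolving a second time."""
    parts = urlsplit(url)
    host = parts.hostname           # userinfo and brackets are already stripped
    if parts.scheme not in ("http", "https") or not host:
        return "blocked"            # file, gopher, dict, ldap are refused
    addr = parse_legacy_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return "blocked" if host.rstrip(".") == "localhost" else "resolve"
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped               # ::ffff:a.b.c.d is judged as a.b.c.d
    return "allowed" if addr.is_global and not addr.is_multicast else "blocked"
```

The legacy parser runs before `ipaddress.ip_address` on purpose: depending on the Python version, `ip_address` either rejects a leading-zero octet or reads it as decimal, and neither matches what the C resolver behind most HTTP clients does.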
OS command injection payloads for Linux, Unix, and Windows systems.
Includes:
- Command separators and chaining
- Shell command substitution
- Reverse shell payloads (Bash, Netcat, Python, Perl, PHP, Ruby)
- Filter bypass techniques
- Obfuscation methods
- Data exfiltration
- Encoding variations
File: Intruder/command-injection.txt
XML External Entity injection payloads for file disclosure and SSRF.
Includes:
- Basic file disclosure
- PHP wrapper exploitation
- Blind out-of-band XXE
- Error-based data exfiltration
- XXE via file uploads (SVG, DOCX, XLSX)
- DoS attacks (Billion Laughs)
- XInclude attacks
- Multiple protocol exploitation
File: Intruder/xxe-injection.txt
- Load Payloads:
  - Navigate to Intruder → Positions
  - Configure injection points
  - Go to the Payloads tab
  - Select "Simple list" as payload type
  - Click "Load" and select the desired payload file from the `Intruder/` directory
- Configure Options:
  - Set appropriate encoding if needed
  - Configure grep match for success indicators
  - Adjust throttling based on target
- Start Attack:
  - Click "Start attack"
  - Analyze responses for vulnerabilities
```bash
# Using with ffuf
ffuf -u "https://target.com/api?param=FUZZ" -w Intruder/sql-injection.txt

# Using with wfuzz
wfuzz -c -z file,Intruder/command-injection.txt "https://target.com/exec?cmd=FUZZ"

# Using with curl
while IFS= read -r payload; do
  curl "https://target.com/search?q=$payload"
done < Intruder/http-injection.txt
```

```python
# Python example
import requests

with open('Intruder/sql-injection.txt', 'r', encoding='utf-8') as f:
    payloads = f.readlines()

for payload in payloads:
    payload = payload.strip()
    # Skip blank lines and '#' comment lines in the payload file
    if payload and not payload.startswith('#'):
        response = requests.get(f'https://target.com/api?id={payload}', timeout=10)
        # Analyze response
```

These payloads are compatible with various security testing tools:
- Burp Suite - Web application security testing
- OWASP ZAP - Automated security scanning
- SQLmap - SQL injection automation
- Commix - Command injection exploitation
- ffuf - Fast web fuzzer
- wfuzz - Web application fuzzer
- Nuclei - Vulnerability scanner
- Custom Scripts - Python, Bash, PowerShell
IMPORTANT: FOR AUTHORIZED TESTING ONLY
This repository is intended for:
- Authorized security testing and penetration testing
- Educational purposes and security research
- Vulnerability assessment with proper authorization
- Security tool development and testing
You must:
- Obtain explicit written permission before testing any system
- Only test systems you own or have authorization to test
- Comply with all applicable laws and regulations
- Follow responsible disclosure practices
You must not:
- Use these payloads against systems without authorization
- Perform testing that could cause harm or disruption
- Violate any laws, regulations, or terms of service
- Use for malicious purposes
The authors and contributors of this repository are not responsible for any misuse or damage caused by these payloads. Users are solely responsible for their actions.
Contributions are welcome! If you have additional payloads, improvements, or corrections:
- Fork the repository
- Create a feature branch: `git checkout -b feature/new-payloads`
- Add your payloads following the existing format:
  - One payload per line
  - Include descriptive comments with `#`
  - Group related payloads together
  - Test payloads before submitting
- Commit your changes: `git commit -am 'Add new XXE payloads'`
- Push to the branch: `git push origin feature/new-payloads`
- Create a Pull Request
- Ensure payloads are unique and not duplicates
- Provide clear descriptions and context
- Follow the existing file structure
- Test payloads in controlled environments
- Document any special requirements or dependencies
- OWASP Top 10
- PortSwigger Web Security Academy
- HackTricks - Pentesting Methodology
- PayloadsAllTheThings
- Total Payload Categories: 8
- Total Payloads: 2,600+
- File Formats: Plain text (.txt)
- Encoding: UTF-8
- Last Updated: 2024
- OWASP Testing Guide
- CWE (Common Weakness Enumeration)
- CVE (Common Vulnerabilities and Exposures)
- MITRE ATT&CK Framework
- Bug Bounty Platforms (HackerOne, Bugcrowd, Intigriti)
This project is licensed under the MIT License - see the LICENSE file for details.
Special thanks to the security research community for their continuous contributions to vulnerability research and payload development.
Happy Hunting!
Remember: With great power comes great responsibility. Test ethically.