Skip to content


PayloadsAllTheThings' Team ❤ pull requests :) Feel free to improve with your payloads and techniques !

You can also contribute with a 🍻 IRL, or using the sponsor button.

Pull Requests Guidelines

In order to provide the safest payloads for the community, the following rules must be followed for every Pull Request.

  • Payloads must be sanitized
  • Use id, and whoami, for RCE Proof of Concepts
  • Use [REDACTED] when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
  • Use and when the payload require IP addresses
  • Use Administrator for privileged users and User for normal account
  • Use P@ssw0rd, Password123, password as default passwords for your examples
  • Prefer commonly used name for machines such as DC01, EXCHANGE01, WORKSTATION01, etc
  • References must have an author, a title and a link. The date is not mandatory but appreciated :)

Techniques Folder

Every section should contains the following files, you can use the _template_vuln folder to create a new technique folder:

  • - vulnerability description and how to exploit it, including several payloads, more below
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the
  • Files - some files referenced in the format

Use the following example to create a new technique file.

# Vulnerability Title

> Vulnerability description

## Summary

* [Tools](#tools)
* [Something](#something)
  * [Subentry 1](#sub1)
  * [Subentry 2](#sub2)
* [References](#references)

## Tools

- [Tool 1](
- [Tool 2](

## Something

Quick explanation

### Subentry 1

Something about the subentry 1

## References

- [Blog title - Author, Date](