A list of useful payloads and bypass for Web Application Security and Pentest/CTF

📱 objection - runtime mobile exploration

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Villain is a C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities etc) and share them among connected sibling servers (Villain instances running on different machines).

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

PENTEST-WIKI is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.

Automatic SSRF fuzzer and exploitation tool

Snoop — инструмент разведки на основе открытых данных (OSINT world)

The Network Execution Tool

🔎 Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.

SSRF (Server Side Request Forgery) testing resources

Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network

macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to fin…

🔎 Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.

Notes about attacking Jenkins servers

vulnx 🕷️ an intelligent Bot, Shell can achieve automatic injection, and help researchers detect security vulnerabilities CMS system. It can perform a quick CMS security detection, information collection (including sub-domain name, ip address, country information, organizational information and time zone, etc.) and vulnerability scanning.

Offensive Web Testing Framework (OWTF), is a framework which tries to unite great tools and make pen testing more efficient http:https://owtf.org https://twitter.com/owtfp

python3写的综合扫描工具，主要用来存活验证，敏感文件探测(目录扫描/js泄露接口/html注释泄露)，WAF/CDN识别，端口扫描，指纹/服务识别，操作系统识别，POC扫描，SQL注入，绕过CDN，查询旁站等功能，主要用来甲方自测或乙方授权测试，请勿用来搞破坏。

ODAT: Oracle Database Attacking Tool

CloakifyFactory - Data Exfiltration & Infiltration In Plain Sight; Convert any filetype into list of everyday strings, using Text-Based Steganography; Evade DLP/MLS Devices, Defeat Data Whitelisting Controls, Social Engineering of Analysts, Evade AV Detection