Payloads

• https://github.com/swisskyrepo/PayloadsAllTheThings
• https://github.com/payloadbox

Metasploit

• Install on server

Public exploits

• https://www.kali.org/tools/exploitdb/#searchsploit

SQL injection (SQLi)

• https://github.com/sqlmapproject/sqlmap
• Tamper agent scripts for sqlmap (WAF bypass): https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
• https://github.com/r0oth3x49/ghauri

Cross-site scripting (XSS)

• https://github.com/s0md3v/XSStrike
• https://github.com/mandatoryprogrammer/xsshunter

Command Injection

• https://github.com/commixproject/commix

SSRF

• https://github.com/swisskyrepo/SSRFmap

Destruction

There may be times during a hacktivist operation when you come to the end of your hack, you've fully compromised your target, exfiltrated everything you can/want and now before finally leaving the network and leaking all the targets secrets online you want to cause chaos and destruction. As was seen by Guacamaya where they used sdelete64.exe -accepteula -r -s C:\* to wipe systems attached to Pronicos domain you might also want to do the same for Linux and windows systems in your operations, maybe you want to recursively print a text file with your manifesto across a system/network, encrypt files beyond recovery or just delete everything.

See Chaos and Destruction for different ways to achieve this!