In offensive security work, mainly in a pentesting or Red Team exercise, the concepts of exploit and payload are bound to appear, since they are the elements used in the vulnerability exploitation phase. However, in many universities, schools, institutes, courses and among professionals, these concepts are usually taught incorrectly, so future professionals misunderstand the basic and essential difference between the two. That difference is exactly what you will learn in this publication, but first, let's define each concept individually.
What is an exploit
First, an exploit is (at the software level) a piece of code, written in any programming language (or not), that executes a series of instructions to take advantage of a security flaw (a vulnerability).
For example, suppose the asset is a refrigerator secured with a padlock. During reconnaissance of that asset we determine that the padlock is a model with a security flaw: a user with bad intentions can open it without the key, because only diagonal movements with a paper clip are needed to unlock it.
In this example, the asset to be audited is the refrigerator, the security flaw is the obsolete version of the padlock with this factory defect, and the exploit is the paper clip that a malicious user uses to exploit this vulnerability.
What is a payload
On the other hand, the payload is the ACTION performed once the exploit has run and exploited the security flaw. A payload, as such, does not exploit a vulnerability; it is injected through the exploit. Similarly, an exploit does nothing more than exploit the vulnerability; it goes no further because, as we said, that is the task of the payload.
Returning to the previous example, imagine that the malicious user wants to drink a glass of water that is inside the refrigerator. Using the clip (the exploit), he exploits the security flaw of the lock (the vulnerability), and once the flaw is exploited and the refrigerator is open, he performs the action that follows the exploit (the payload), which is basically to drink the glass of water and stay hydrated, because water is life.
Differences between exploit and payload
So, the most basic difference between an exploit and a payload (cooking examples aside) is that an exploit ONLY exploits a vulnerability, while the payload is the ACTION to be performed once the vulnerability has been exploited. Usually the payload is already included in the same exploit code, so you do not have to launch it separately by hand, which causes the confusion that the exploit both exploits the vulnerability and then performs the action.
In a pentest, the type of payload can vary, from running a command on the system to making a call to obtain a reverse shell or some other action, but always after the exploit has done its job. Now you know this difference, so basic and yet it seems that almost nobody understands it well.
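To make the separation concrete, here is a small Python model of the refrigerator example. It is an added illustration, not code from the original post: the Padlock class, its simulated flaw, and the functions paperclip_exploit, drink_water and inventory are all constructed for this example. The point it shows is structural: the exploit's only job is to trigger the flaw, the payload is a separate action handed to it, and because the exploit calls the payload after succeeding, the two look like one thing when they ship in the same script. The same exploit can carry different payloads, an exploit with no payload only opens the lock, and against a non-vulnerable model nothing happens at all.

```python
"""Toy model of the exploit/payload separation (constructed example).

Nothing here touches real software: the 'padlock' is an in-memory object
whose flaw is simulated so the two roles can be seen separately.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Padlock:
    """The asset under audit. Constructed flaw: the obsolete model opens
    when a paper clip is moved diagonally, with no key involved."""
    model: str
    locked: bool = True
    log: List[str] = field(default_factory=list)   # audit trail of what happened

    def open_with_key(self, key: str) -> bool:
        """The intended way in; 'secret' is a made-up key for the toy."""
        if key == "secret":
            self.locked = False
            self.log.append("lock opened with key")
        return not self.locked

    def wiggle(self, tool: str, movement: str) -> None:
        """Simulated weakness: only the obsolete model reacts to the tool."""
        if self.model == "obsolete-v1" and tool == "paperclip" and movement == "diagonal":
            self.locked = False
            self.log.append("lock opened by flaw")
        else:
            self.log.append(f"no effect: {tool}/{movement}")


# A payload is just the ACTION to run once the asset is open.
Payload = Callable[[Padlock], str]


def drink_water(lock: Padlock) -> str:
    """Payload from the article's example: drink the glass of water."""
    lock.log.append("payload: drank the water")
    return "hydrated"


def inventory(lock: Padlock) -> str:
    """A different payload delivered by the very same exploit."""
    lock.log.append("payload: listed contents")
    return "contents listed"


def paperclip_exploit(lock: Padlock, payload: Optional[Payload] = None) -> Optional[str]:
    """The exploit. Its only job is to trigger the flaw; if a payload was
    supplied it is run afterwards, which is why the two get confused
    when they are bundled in one script."""
    lock.wiggle("paperclip", "diagonal")
    if lock.locked:
        lock.log.append("exploit failed: target not vulnerable")
        return None
    lock.log.append("exploit succeeded: flaw triggered")
    if payload is None:
        return None          # exploit alone: the lock is open, nothing else is done
    return payload(lock)


if __name__ == "__main__":
    fridge = Padlock("obsolete-v1")
    print(paperclip_exploit(fridge, drink_water))   # hydrated
    print("\n".join(fridge.log))
```

Reading the log of a run shows the order the article insists on: the flaw is triggered first, the exploit reports success, and only then does the payload act. Swapping drink_water for inventory changes the action without touching the exploit, and running paperclip_exploit with no payload leaves the lock open but does nothing further, which is the cleanest way to see that the exploit and the payload are two different things.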