github.com/swisskyrepo/PayloadsAllTheThings @4.2 sqlite

87 symbols · 384 edges · 29 files · 4 documented · 5%
README

Payloads All The Things

A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I :heart: pull requests :)

You can also contribute with a :beers: IRL, or using the sponsor button.

An alternative display version is available at PayloadsAllTheThingsWeb.

:book: Documentation

Every section contains the following files. You can use the _template_vuln folder to create a new chapter:

  • README.md - vulnerability description and how to exploit it, including several payloads
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the other projects from the AllTheThings family:

Want more? Check the Books and YouTube channel selections.

:technologist: Contributions

Be sure to read CONTRIBUTING.md

Thanks again for your contribution! :heart:

:beers: Sponsors

This project is proudly sponsored by these companies.

  • SerpApi - SerpApi is a real time API to access Google search results. It solves the issues of having to rent proxies, solving captchas, and JSON parsing.
  • ProjectDiscovery - Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives.
  • VAADATA - Ethical Hacking Services

Core symbols most depended-on inside this repo

  • convert_ip - called by 24 - Server Side Request Forgery/Files/ip.py
  • DECIMAL_SINGLE - called by 14 - Server Side Request Forgery/Files/ip.py
  • HEX_SINGLE - called by 11 - Server Side Request Forgery/Files/ip.py
  • OCT_SINGLE - called by 11 - Server Side Request Forgery/Files/ip.py
  • plain2EnclosedAlphanumericsChar - called by 7 - Server Side Request Forgery/Files/ip.py
  • validador - called by 6 - CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
  • encrypt - called by 4 - CVE Exploits/Telerik CVE-2017-9248.py
  • h2bin - called by 4 - CVE Exploits/Heartbleed CVE-2014-0160.py

Shape

Function 81
Class 3
Method 3

Languages

Python 100%

Modules by API surface

  • CVE Exploits/Telerik CVE-2017-9248.py - 12 symbols
  • Server Side Request Forgery/Files/ip.py - 11 symbols
  • CVE Exploits/Heartbleed CVE-2014-0160.py - 10 symbols
  • Upload Insecure Files/CVE FFmpeg HLS/gen_xbin_avi.py - 8 symbols
  • File Inclusion/Files/phpinfolfi.py - 7 symbols
  • CVE Exploits/Tomcat CVE-2017-12617.py - 7 symbols
  • CVE Exploits/Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py - 6 symbols
  • CVE Exploits/Apache Struts 2 CVE-2018-11776.py - 5 symbols
  • Web Sockets/Files/ws-harness.py - 4 symbols
  • CVE Exploits/WebLogic CVE-2018-2894.py - 4 symbols
  • CVE Exploits/Telerik CVE-2019-18935.py - 4 symbols
  • CVE Exploits/Apache Struts 2 CVE-2017-9805.py - 4 symbols

Datastores touched

(mysql) Database · 1 repos

For agents

$ claude mcp add PayloadsAllTheThings \
  -- python -m otcore.mcp_server <graph>
