payload-crafter

Pattern-level payload library for XSS, SSTI, LFI, SSRF, and command injection — context detection (HTML body/attribute/JS/CSS/URL), encoding-bypass shapes (URL/HTML/Unicode/double), polyglots, WAF-bypass patterns at syntax level. No version-specific weaponized exploits.
roodlicht/accans-sec-skills · ★ 4 · Code & Development · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Payload Crafter

> **Pattern-level discipline**: this skill provides payload shapes to illustrate class behavior, not ready-to-run exploits against specific target versions. Working exploits for production targets require RoE sign-off and a lab context. Version-specific 0-day payloads (gadget chains, PoCs for specific named CVEs) are not here — those belong in a closed engagement workspace, not in a reusable skill.

## When to use

Payloads are the hands-on side of vuln discovery. `web-exploit-triage` classifies; this skill provides illustrative test shapes per class, for verification in a lab or within an RoE-permitted sandbox.

Triggers on:

- A question like "what is a suitable XSS payload for JS context", "test payload for SSTI on Jinja2", "LFI example with PHP wrappers", "SSRF to cloud-metadata pattern", "WAF bypass for SQLi".
- Lab work where you are verifying a specific vuln class and need a pattern illustration.
- Training context: showing examples to developers so they see what their input validation must catch.
- Defensive context: WAF tuning, building regex rules — testers supply shapes, defenders build detection.

### When NOT (handoff)

- Classification of exploitable yes/no → `web-exploit-triage` (this skill leans on it).
- Version-specific RCE PoCs → not in this skill. Engagement-specific work.
- Chain assembly → `exploit-chain`.
- Post-exploitation payloads (reverse shells, persistence implants) → `post-exploit`. This skill stops at the first-impact shape.
-