# Educational Offensive Security Payload Generation Framework (Simulation Only)
VectorCraft is a CLI tool that generates safe, non‑executing payload templates for:
- Cross‑Site Scripting (XSS)
- SQL Injection (SQLi)
- Command Injection (CMDi)
- Server‑Side Template Injection (SSTI)
Designed for defensive research, training, and lab environments. All payloads are clearly described and include metadata (context, platform, database, engine, etc.).
## Features

- 4 modules: XSS, SQLi, CMDi, SSTI
- Rich filtering – by type (substring), context, platform, database
- Random payload selection – pick 1 or N random payloads from the filtered set
- Transformations – URL, Base64, Hex, ROT13 encoding; case, whitespace, comment obfuscation
- Export formats – JSON, TXT, CSV
- Active configuration display – shows exactly which flags are in effect
- Verbose logging – for debugging
- Clean, colourful output using the `rich` library
## Requirements

- Python ≥ 3.8
- `pyfiglet` – banner rendering
- `rich` – coloured console output
## Installation

Clone the repository and install the dependencies:

```bash
git clone https://github.com/TheLeopard65/VectorCraft.git
cd VectorCraft
pip install -r requirements.txt
```

Make `vectorcraft.py` executable (optional):

```bash
chmod +x vectorcraft.py
```

## Usage

```bash
python vectorcraft.py -m <module> [options]
```

Global flags (before the module options):

- `--verbose` – enable debug logging
- `--no-banner` – suppress the ASCII banner
- `--version` – show version and exit

Use `-h` or `--help` to see all module‑specific options.
| Group | Flag | Description |
|---|---|---|
| General | `-h`, `--help` | Show this help message |
| | `--list-modules` | List all available modules with payload counts |
| | `--info MODULE` | Show detailed info about a module (filters, examples) |
| Core | `-m`, `--module` | Required. Choose: `xss`, `sqli`, `cmdi`, `ssti` |
| | `--db` | Filter SQLi by database: `mysql`, `postgres`, `mssql`, `mariadb`, `sqlite3`, `oracle` (omit for all) |
| | `--random [N]` | Pick N random payloads from the filtered set (default N=1) |
| | `--count N` | Limit output to the first N payloads (after randomisation) |
| Filters | `--type TEXT` | Substring filter on payload type (case‑insensitive) |
| | `--context` | XSS context: `html`, `javascript`, `attribute` (XSS only) |
| | `--platform` | Target platform: `web`, `linux`, `windows` |
| Transformations | `--encode` | Encoding: `url`, `base64`, `hex`, `rot13` |
| | `--obfuscate` | Obfuscation: `comment`, `case`, `whitespace` |
| Export | `--export` | Export format: `json`, `txt`, `csv` |
| | `--output` | Custom output filename (auto‑generated if omitted) |
Note: the SQLi module no longer requires `--db` – omitting it returns payloads for all databases.
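The `--encode` and `--obfuscate` transformations listed above are exactly the layers a detection rule has to strip before it can match a signature. The normaliser below is an added example written for this page, not VectorCraft's own `encoder.py` or `obfuscator.py`: it peels stacked URL, hex and Base64 layers, neutralises comment, whitespace and case obfuscation, and checks ROT13 on the canonical text, so a signature such as `select 1` still matches its transformed variants. It assumes `/* */`-style comments and standard Base64; the sample strings in the comments are constructed.

```python
import base64
import codecs
import re
import string
import urllib.parse

_PRINTABLE = set(string.printable)
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_URL_RE = re.compile(r"%[0-9a-fA-F]{2}")
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)  # assumed /* ... */ comment obfuscation

def _printable(raw: bytes):
    """Return the decoded text only if it is plain printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in _PRINTABLE for ch in text) else None

def peel_encoding(s: str):
    """Undo one encoding layer (url, hex or base64); None if no layer applies."""
    if _URL_RE.search(s):                       # e.g. "select%20%31"
        return urllib.parse.unquote(s)
    if len(s) >= 4 and len(s) % 2 == 0 and _HEX_RE.match(s):
        text = _printable(bytes.fromhex(s))     # e.g. "73656c6563742031"
        if text is not None:
            return text
    if len(s) >= 4 and len(s) % 4 == 0 and _B64_RE.match(s):
        try:
            return _printable(base64.b64decode(s, validate=True))  # e.g. "c2VsZWN0IDE="
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    return None

def canonicalize(s: str, max_layers: int = 5) -> str:
    """Peel stacked encodings, then neutralise comment, whitespace and case obfuscation."""
    for _ in range(max_layers):  # bounded so crafted input cannot loop forever
        peeled = peel_encoding(s)
        if peeled is None or peeled == s:
            break
        s = peeled
    s = _COMMENT_RE.sub(" ", s)  # replace each comment with a space so tokens stay separated
    return re.sub(r"\s+", " ", s).strip().lower()

def matches_signature(candidate: str, signature: str) -> bool:
    """Compare canonical forms; ROT13 is tried on the canonical text, whatever order it was applied in."""
    canon = canonicalize(candidate)
    return canonicalize(signature) in (canon, codecs.encode(canon, "rot13"))
```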
## Examples

```bash
python vectorcraft.py --list-modules
python vectorcraft.py --info sqli
python vectorcraft.py -m xss
python vectorcraft.py -m sqli --type blind --platform linux
python vectorcraft.py -m sqli --db oracle --type error
python vectorcraft.py -m cmdi --platform windows --random 2
python vectorcraft.py -m xss --encode url --obfuscate case --export csv --output my_xss.csv
python vectorcraft.py -m ssti --type Jinja2 --export json
python vectorcraft.py --no-banner --verbose -m cmdi
```

## Project structure

```text
VectorCraft/
├── vectorcraft.py        # Main entry point (banner + CLI dispatch)
├── source/               # Core modules
│   ├── cli.py            # Argument parsing, main logic
│   ├── base.py           # Active configuration display
│   ├── encoder.py        # Encoding functions
│   ├── exporter.py       # JSON/TXT/CSV export
│   ├── obfuscator.py     # Obfuscation techniques
│   ├── utils.py          # Logging, coloured output, safe file writing
│   └── __init__.py
├── modules/              # Payload generators
│   ├── xss.py
│   ├── sqli.py
│   ├── cmdi.py
│   ├── ssti.py
│   └── __init__.py
├── requirements.txt      # Dependencies
└── README.md
```
## Disclaimer

- All payloads are inert – they are templates and do not execute.
- This tool is intended only for authorised security testing, education, and defensive research.
- The authors assume no liability for misuse.
Educational use only – not for production or malicious purposes.