JonnyRiga/TTPX
TTPX — Tactics, Techniques, Payloads & Exploits

License: GPL v3

Search HackTricks and PayloadsAllTheThings for exploitation techniques, get AI-generated payloads, generate CSRF PoCs from raw captured requests, and analyse scripts found on target machines for exploitable vulnerabilities — all free, offline-first, and from the CLI.

Why this exists

The closest comparison overall is SearchSploit — same offline-first, terminal-based feel — but SearchSploit only indexes Exploit-DB CVEs. TTPX goes further by searching local HackTricks/PATT knowledge bases and supporting AI-assisted payload generation.

Its CSRF PoC generator covers functionality usually locked behind paid platforms like Burp Suite Pro or Caido — and matches free tools like csrfshark — while staying fully CLI-based and offline-first. Supports all major request types (form, JSON, multipart, and GET), with HTML injection prevention, offline token detection, and optional AI-powered bypass analysis.

The only cost arises if you choose to connect a Claude API key for AI payload generation; everything else works fully offline and free out of the box.

Install

git clone https://github.com/JonnyRiga/ttpx ~/Tools/ttpx-repo
# tool lives at ~/Tools/ttpx.py, symlinked to /usr/local/bin/ttpx

Dependencies:

pip install anthropic rich

Knowledge bases (clone once, search forever):

git clone https://github.com/HackTricks-wiki/hacktricks ~/Tools/hacktricks
git clone https://github.com/swisskyrepo/PayloadsAllTheThings ~/Tools/payloadsallthethings

API key (required for -p, --bypass, and --script):

echo 'export ANTHROPIC_API_KEY="sk-ant-..."' >> ~/.zshrc && source ~/.zshrc

Man page (optional):

sudo cp ttpx.1 /usr/local/man/man1/ttpx.1 && sudo mandb

Usage

ttpx -l [--since Nd]
ttpx -u
ttpx -f TERM [TERM ...]
ttpx -p TERM [TERM ...] [-d CONTEXT [-d CONTEXT ...]] [--no-log]
ttpx -m PATH [-s TERM]
ttpx --csrf FILE [--bypass]
ttpx --script FILE [-d CONTEXT [-d CONTEXT ...]] [--no-log]

-l / --list — browse categories (no terms needed)

List every top-level directory in both sources. Use this when you don't yet know what to search for. Add --since Nd to filter to categories updated in the last N days — useful right after -u.

ttpx -l
ttpx -l --since 7d     # categories with commits in the last 7 days
  [hacktricks]                         [payloadsallthethings]
  ──────────────────────── ──────       ─────────────────────────── ──────
  Network Services            12        Command Injection                 8
  Pentesting Web              47        File Inclusion                   11
  Reversing                    5        Server Side Template Injection    9
  ...                                  SQL Injection                    14
47 categories                          31 categories

-u / --update — pull latest (keep payloads current)

Run git pull on both knowledge bases and show what changed. Run this before an engagement.

ttpx -u
Updating HackTricks...
HackTricks: updated  12 files changed, 340 insertions(+), 18 deletions(-)
Updating PayloadsAllTheThings...
PayloadsAllTheThings: already up to date

-f / --find — browse (no Claude, no cost)

Search both sources and display a clean table. Use this to see what content exists before generating a payload or grabbing a file.

ttpx -f ssti handlebars
ttpx -f lfi php windows
ttpx -f sqli union mysql
Searching HackTricks + PayloadsAllTheThings...

  Source                   Title                        Path
 ─────────────────────────────────────────────────────────────────────
  [hacktricks]             SSTI (Server Side Template   src/pentesting-web/...
  [payloadsallthethings]   Handlebars                   Server Side Template...

2 result(s)

-p / --payload — generate payload (Claude)

Search both sources, send the findings to Claude, get the single most impactful payload — syntax-highlighted by language with a recommendation.

ttpx -p ssti handlebars groovy rce
ttpx -p sqli union mysql
ttpx -p xss csp bypass reflected
ttpx -p lfi php windows iis read
ttpx -p log4shell jndi rce java
Searching HackTricks + PayloadsAllTheThings...
Sending findings to Claude...

──────────────── SSTI via Handlebars (Node.js) ────────────────
Technique: Handlebars allows access to the JS prototype chain...

Payload (JavaScript)

  {{#with "s" as |string|}}
    {{#with "e"}}
      {{#with split as |conslist|}}
        ...
      {{/with}}
    {{/with}}
  {{/with}}

── copy-paste ──
{{#with "s" as |string|}}
  ...
{{/with}}

★ Most impactful: gives direct RCE via constructor chain traversal.

Source: [hacktricks] src/pentesting-web/ssti/README.md

The syntax-highlighted block is for reading; the ── copy-paste ── block below it is the raw payload with no terminal formatting — safe to select and paste directly.

-d / --details — adapt after a failed attempt

Feed back an error or context from a previous -p attempt. Claude analyses the failure, produces a corrected payload, and adds a What changed section showing exactly which tokens or lines were modified from the previous attempt. Repeat -d to chain multiple error contexts across attempts.

ttpx -p ssti handlebars groovy rce -d "'require' is not defined"
ttpx -p sqli union mysql -d "WAF blocking SELECT and UNION keywords"
ttpx -p lfi php -d "../etc/passwd filtered, got 403" -d "double-encoded also blocked"

--no-log — skip session logging

Every -p and --script call appends a timestamped entry to ~/Tools/ttpx-session.log. Pass --no-log to suppress it for a specific call.

ttpx -p xss reflected --no-log
ttpx --script backup.sh -d "runs as root" --no-log

-m / --mirror — grab a file to cwd

Copy a file from a -f result to the current directory as plain text with markdown stripped. Path must match the -f output exactly — quote paths with spaces.

ttpx -m "Server Side Template Injection/JavaScript.md"          # full file
ttpx -m "Server Side Template Injection/JavaScript.md" -s handlebars  # section only

Use -s / --section to extract just the section whose heading matches the term, stopping at the next heading of equal or higher level. Falls back to the full file if the section isn't found.

ttpx -m "File Inclusion/README.md" -s lfi
ttpx -m "SQL Injection/README.md" -s mysql
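The section extraction that -s performs, written out as an added example (this is not TTPX's own code): it finds the first heading containing the term, stops at the next heading of equal or higher level, and falls back to the whole file. It also ignores headings inside fenced code blocks, since a # comment in a shell snippet would otherwise cut the section short. SAMPLE_MD is a constructed file in the PayloadsAllTheThings layout.

```python
import re

HEADING_RE = re.compile(r"^(#{1,6})\s+(.*?)\s*#*\s*$")   # ATX heading, optional closing #'s
FENCE_RE = re.compile(r"^\s*(```|~~~)")                  # start/end of a fenced code block

# Constructed sample in the PayloadsAllTheThings layout; not a real knowledge-base file.
SAMPLE_MD = """# Server Side Template Injection
## Summary
intro text
## Handlebars
~~~sh
# a shell comment inside a fence, not a heading
echo hi
~~~
### Handlebars - RCE
rce text
## Jinja2
jinja text
"""

def headings(lines):
    """Yield (line index, level, title) for real headings, ignoring fenced code."""
    in_fence = False
    for i, line in enumerate(lines):
        if FENCE_RE.match(line):
            in_fence = not in_fence
            continue
        m = HEADING_RE.match(line)
        if m and not in_fence:
            yield i, len(m.group(1)), m.group(2)

def extract_section(markdown, term):
    """Section whose heading contains `term` (case-insensitive), up to the next
    heading of equal or higher level; the whole file if no heading matches."""
    lines = markdown.splitlines()
    heads = list(headings(lines))
    term = term.lower()
    for n, (start, level, title) in enumerate(heads):
        if term in title.lower():
            # first later heading with the same or fewer #'s ends the section
            end = next((i for i, lvl, _ in heads[n + 1:] if lvl <= level), len(lines))
            return "\n".join(lines[start:end]).rstrip() + "\n"
    return markdown   # fallback: section not found, return the full file
```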

--csrf — generate CSRF PoC (offline)

Parse a raw HTTP request file (copied from Burp Suite or Caido) and generate a self-contained csrf_poc.html in the current directory. No API call. PoC type is selected automatically by Content-Type:

  Request                                   PoC
  GET                                       Auto-submitting <form method="GET"> with hidden inputs (SameSite-safe)
  POST application/x-www-form-urlencoded    Auto-submitting <form> with hidden inputs
  POST application/json                     fetch() with credentials: include + CORS note
  POST multipart/form-data                  FormData fetch skeleton (fill fields manually)

ttpx --csrf req.txt             # generate csrf_poc.html
ttpx --csrf req.txt --bypass    # PoC + Claude bypass analysis

req.txt is the raw request as copied from Burp/Caido — request line, headers, blank line, body.

After generating the PoC, ttpx automatically checks the request for known CSRF token fields and headers (form-encoded body, JSON body, and request headers) and warns if any are found — no API call required. Covers common frameworks including Django, Rails, ASP.NET, Laravel, WordPress, and Ant Design, plus several common headers (X-CSRF-Token, X-XSRF-Token, X-CSRFToken, X-Request-Token, X-Ant-CSRF-Token). The heuristic also fires on form-encoded bodies when the Content-Type header is absent, as long as an = character is present in the body.

Detection limits: Tokens in nested JSON objects, multipart fields, and cookies are not detected. A clean warning does not guarantee the endpoint has no CSRF protection.
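An added example (not TTPX's own code) that covers the two steps above: parse a raw request file into request line, headers and body, select the PoC type by method and Content-Type exactly as the table does, and run the offline token check with its stated limits (top-level form and JSON fields plus headers; nested JSON, multipart parts and cookies are not inspected). The token field names, the kind labels and the sample request are constructed for illustration.

```python
import json
from urllib.parse import parse_qs
# Constructed lists (Django, Rails, ASP.NET, Laravel, WordPress fields; headers from the text); not the tool's own.
TOKEN_FIELDS = {"csrfmiddlewaretoken", "authenticity_token",
                "__requestverificationtoken", "_token", "_wpnonce", "_csrf"}
TOKEN_HEADERS = {"x-csrf-token", "x-xsrf-token", "x-csrftoken",
                 "x-request-token", "x-ant-csrf-token"}

def parse_request(raw):
    # request line, headers, blank line, body (CRLF or LF line endings)
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *hdrs = head.split("\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in hdrs)}
    return first.split(" ", 1)[0].upper(), headers, body.strip()

def poc_type(method, headers, body):
    # same selection as the table above: method first, then Content-Type
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "GET":
        return "form-get"
    if ctype == "application/json":
        return "fetch-json"
    if ctype == "multipart/form-data":
        return "fetch-multipart"
    if ctype == "application/x-www-form-urlencoded" or (not ctype and "=" in body):
        return "form-post"   # explicit form encoding, or no Content-Type but a key=value body
    return "unknown"

def csrf_tokens(headers, body, kind):
    # top-level names only: nested JSON, multipart parts and cookies are not inspected
    names = []
    if kind == "form-post":
        names = list(parse_qs(body, keep_blank_values=True))
    elif kind == "fetch-json":
        try:
            data = json.loads(body)
            names = list(data) if isinstance(data, dict) else []
        except ValueError:
            pass
    found = [h for h in headers if h in TOKEN_HEADERS]
    return found + [n for n in names if n.lower() in TOKEN_FIELDS]

def analyse(raw):
    method, headers, body = parse_request(raw)
    kind = poc_type(method, headers, body)
    return kind, csrf_tokens(headers, body, kind)

# Constructed sample capture (not a real request): the token is nested, so the check misses it.
JSON_REQ = ("POST /api/email HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n"
            '\r\n{"email": "a@b.test", "meta": {"_csrf": "nested"}}')
```

A clean result from analyse() is therefore only evidence about the top-level shape of the request, which is exactly the caveat the detection limits above spell out.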

--bypass calls Claude (requires ANTHROPIC_API_KEY) and adds a bypass analysis section. The offline token detection results are fed directly into the prompt so Claude skips re-detection and goes straight to strategy:

  • Token found → focuses on token stripping/prediction, leakage via CORS/XSS, Content-Type manipulation, method override
  • No token found → focuses on SameSite enforcement, Origin/Referer validation, Content-Type restrictions, and whether the offline PoC is already sufficient

Use --bypass when the offline PoC fails and you want Claude's read on what's blocking it.

--script — analyse a script found on target (Claude)

Send a shell or Python script to Claude with optional context about how it runs (owner, cron schedule, permissions). Claude identifies exploitable vulnerabilities, explains how to exploit them without touching the script, and writes a weaponized drop-in replacement to weaponized_<filename> in cwd.

ttpx --script /tmp/backup.sh -d "runs as root via cronjob" -d "world-writable"
ttpx --script /opt/app/cleanup.py -d "owned by www-data, cron runs every minute"
ttpx --script monitor.sh          # no context — Claude infers from content alone

Supports .sh, .py, .ps1, .rb, .pl — warns and proceeds for anything else. Requires ANTHROPIC_API_KEY.

Output includes a severity-coloured vulnerability table (CRITICAL/HIGH/MEDIUM/LOW), an exploitation walkthrough, a syntax-highlighted preview of the weaponized script, and the saved file path.

 Script Analysis: backup.sh
 ────────────────────────────────────────────────
 [CRITICAL] Wildcard injection in tar (line 2)
            tar czf /tmp/backup.tar.gz * — checkpoint file injection
 [HIGH]     Hardcoded credential (line 8)
            DB_PASS=s3cr3t leaked in plaintext

 Exploitation
 ─────────────
 Since the cron job runs as root every minute, drop a file named
 --checkpoint-action=exec=sh${IFS}revshell.sh in the backup directory...

 Weaponization: adds SUID to /bin/bash on execution

 ── Weaponized script (preview) ──
 #!/bin/bash
 chmod u+s /bin/bash

 Saved: /home/user/weaponized_backup.sh

Use -d to provide context that shapes the weaponization — the more specific, the more targeted the output.


Workflow

# 0. Keep sources current before an engagement
ttpx -u

# 1. Don't know what to search? Browse categories first
ttpx -l

# 2. See what content exists
ttpx -f ssti handlebars

# 3. Grab the relevant section to read offline
ttpx -m "Server Side Template Injection/JavaScript.md" -s handlebars

# 4. Generate a payload
ttpx -p ssti handlebars groovy rce

# 5. Hit an error? Feed it back
ttpx -p ssti handlebars groovy rce -d "sandbox active, require not available"

More specific terms = fewer matched files = more focused payload + lower API cost. If -p returns no results, drop a term.


Legal

TTPX is a research and reference tool — it searches local knowledge bases and generates payloads, but makes no network connections to any target. You are solely responsible for how you use the output. Payloads and PoCs generated by TTPX are for authorised security testing only.


Cost

Each -p call costs roughly $0.001–$0.005 (claude-sonnet-4-6, ~200–500 tokens output). --csrf --bypass costs roughly $0.001–$0.002 (~200–400 tokens output). --script costs roughly $0.005–$0.02 depending on script size (~500–2000 tokens input + output for the weaponized replacement). -f, -m, and --csrf (without --bypass) are free.


Man page

man ~/Tools/ttpx.1

Tests

cd ~/Tools && python -m pytest tests/test_ttpx.py -v
